Re: [xacml] Issue 40: <ResourceContent> element

[Anne Anderson <Anne.Anderson@sun.com>]

Hi Erik,

Erik Rissanen wrote:

> Instead I
> suggest that we place the <Content> element inside the <Attributes> element:
> 
> <Request>
> ...
> <Attributes Category=”...:resource>
> ...
> <Content>...</Content>
> </Resource>
> <Attributes Category=”...:resource>
> ...
> <Content>...</Content>
> </Resource>
> ...
> </Request>
> 
> In this case it is simpler to provide backwards compatibility.

I agree.

> 
> BTW, talking about backwards compatibility of attribute selectors,
> translating 2.0 policies into 3.0 means rewriting the xpath expressions
> in attribute selectors since the <Resource> element is now called
> <Attributes>. Are there any concerns about this? For simple expressions
> it is obvious how to do it, but what about in general?

I think it is OK.  Any complexity in the expressions would be below the 
level of /Resource <=> /Attributes
> 
> Another minor issue is that the schema which Daniel wrote earlier does
> not allow anyAttribute on the Content element, which the old one did.
> This could be a problem with backwards compatibility, so I suggest we
> allow that.

Agreed.

> 
> Finally, I think the examples in the 2.0 spec are wrong. On page 31,
> line a217 the xpath expression looks like “//xacml-context:Resource/….”
> while it on page 34, line a290 looks like “//md:record/…”. As far as I
> can tell, the latter is wrong. Right?

Yes.  The spec's normative text in Section 5.4 Element 
<AttributeSelector> explicitly says "whose context node is the 
<xacml-context:Request> element."

Thanks for your continued attention to these details!

Regards,
Anne
> 
> 
> Best regards,
> Erik
> 
> 
> 

-- 
Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA