[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Issue 76, multiple conditions
All, Issue 76 proposes that there should be a way to write a condition on multiple elements in an XACML request. Reading the issue more carefully reveals that there are two different functional requirements. 1) To be able to specify multiple conditions on individual <Attributes> groups of which there are multiple instances in an XACML 3.0 XACML Request. For instance, the following request (in pseudo XACML): <Request> <Attributes category="intermediate-subject"> <Attribute>role=foo</Attribute> ... </Attributes> <Attributes category="intermediate-subject"> <Attribute>role=bar</Attribute> ... </Attributes> In this case it would be desirable to write a condition requiring that both of them would have the role "foo". In case of this proposed functionality, the premises are incorrect. Such a request is not a valid XACML request. Neither 2.0 or 3.0 has the concept of multiple <Attributes> elements in the same category, except in the case of the multiple resource profile, in which case it means that the PDP should do multiple individual requests. 2) To be able to specify multiple conditions on individual subtrees within an XML document. For instance (taken from the issues list on the wiki) "it may be useful to require that ALL <JobHistory> elements MUST contain both a <Salary> element with value greater than or equal to 30000 AND a <YearsHeld> element with value greater than or equal to 2." I agree that this is desirable, but I think this can already be done with xpath. Here is a rough attempt, though I doubt I got it entirely right from the syntax point of view and it doesn't handle all possible corner cases (such as missing Salary/YearsHeld elements): fn:empty(//JobHistory[Salary < 30000 or YearsHeld < 2]) I propose that issue 76 is closed with no action because it either proposes functionality which does not fit the core schema or the same thing can be achieved with the existing XPath functions. Best regards, Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]