Subject: Re: AW: [xacml] CD-1 issue #11: strictness of xpath definition
On Thu, 2009-09-17 at 19:20 +0200, Jan Herrmann wrote:
> > resource one:
> > <foo:Book>
> > where foo is bound to xmlns:foo="example.com/nsA"
> >
> > and the second resource looks like:
> > <foo:Book>
> > where foo is bound to xmlns:foo="example.com/nsB"
> >
> > Having a rule pointing to /foo:Book through an Attribute selector or
> an XPATH Matching function will cause the rule to get applied in both
> cases. Here it becomes clear that the problem is independent of the
> discussion whether string matching on xpath expressions should be
> supported or not.

Sorry for being petty here, but your statement is incorrect.

When using XACML 3.0 functions related to XPath you MUST include namespace definition(s), or they won't match anything at all (at least if you use a namespace-aware parser in your implementation).

The standard mentions this several times, check e.g. page 105 line 4192 or page 154 line 1408.

I don't blame you for missing this, since it is not made explicit enough for my taste. For example the section about AttributeSelectors (page 59 section 5.30) doesn't mention it at all. I also believe there should be some statement about this in the section dealing with Expression evaluation (page 80 section 7.4).

Regards,

Ludwig Seitz

--
Ludwig Seitz, PhD | Axiomatics AB
Training & Development | Electrum 223
Phone: +46 (0)760 44 22 91 | S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com |
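The namespace behaviour discussed in this message, as an added example that is not part of the original post or of any XACML implementation: a namespace-aware evaluator resolves the prefix in the path through the namespace definitions supplied with the expression, so only the URI decides whether a rule selects a resource. Python's xml.etree.ElementTree (which supports a subset of XPath) stands in for a PDP's XPath engine; the names `select` and `rule_applies` and the `Title` child elements are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample resources: the same prefix "foo" bound to different URIs.
RESOURCE_ONE = '<foo:Book xmlns:foo="example.com/nsA"><foo:Title>A</foo:Title></foo:Book>'
RESOURCE_TWO = '<foo:Book xmlns:foo="example.com/nsB"><foo:Title>B</foo:Title></foo:Book>'

# Namespace definition shipped with the XPath expression (the policy side).
POLICY_NS = {"foo": "example.com/nsA"}


def select(resource_xml, path, namespaces=None):
    """Evaluate a relative path against the resource (hypothetical helper).

    ElementTree cannot select the root element through a path, so the parsed
    resource is attached to a stand-in document node first.
    """
    document = ET.Element("document")
    document.append(ET.fromstring(resource_xml))
    try:
        return document.findall(path, namespaces)
    except SyntaxError:
        # ElementTree rejects a prefix that has no binding in `namespaces`.
        # Either way the expression selects nothing.
        return []


def rule_applies(resource_xml, path, namespaces=None):
    """A rule applies only if its path selects at least one node."""
    return len(select(resource_xml, path, namespaces)) > 0


if __name__ == "__main__":
    # Both roots are spelled foo:Book, but their expanded names differ.
    for xml in (RESOURCE_ONE, RESOURCE_TWO):
        print(ET.fromstring(xml).tag)

    print(rule_applies(RESOURCE_ONE, "foo:Book", POLICY_NS))  # nsA resource
    print(rule_applies(RESOURCE_TWO, "foo:Book", POLICY_NS))  # nsB resource
    print(rule_applies(RESOURCE_ONE, "foo:Book"))              # no definitions
    # The prefix is only a local alias: another prefix bound to the same URI
    # selects the same node.
    print(rule_applies(RESOURCE_ONE, "bk:Book", {"bk": "example.com/nsA"}))
```
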