
xacml message



Subject: resource:xpath and XPathCategory


While working out what the spec says about requests for decisions on XML
resources, I found some features that appear to be underspecified.

Line numbers refer to cd-1 PDF core spec.

Item #1. XPathCategory xml attribute

This appears in the examples in the core spec, and is mentioned on line
3890.  However, it does not appear in the element description for
<AttributeValue>, nor in the xsd.

Not knowing the history of this feature, I wonder what its purpose is.
It seems the only valid values (in a request context) are identical to
the ancestor::Attributes/@Category attribute where it appears.  If it is
used in a Policy, what would be the difference between @Category and
@XPathCategory?  The revision history for wd-06 says Xpath categories
were introduced to point to a specific <Content> element, but I don't
see how a "category" value will meet this need.  Can someone who is
familiar with the history of this feature comment on it?

Item #2. urn:oasis:names:tc:xacml:1.0:resource:xpath

This appears in the examples, but not in the conformance table (10.2.6).
The brief explanation on line 5120 does not specify any datatype, nor
does it clarify how resource:xpath differs from resource:resource-id
when used for XML resources.  It does not explain the difference
between:

	(a) Attribute[@AttributeId='resource-id'][@DataType='xpathExpression']
	(b) Attribute[@AttributeId='xpath']

The example in 4.2.2 includes both these <Attribute>s (although the
xpath has DataType=string).  But the policy only tests the
resource:xpath attribute.  It could just as well test the resource-id
attribute.

The core spec should provide better definition of the semantics and
processing expectations for resource:xpath.  Not knowing the history of
this feature, I can't make any specific suggestions at this time.

The hierarchical and multiple profiles do not mention resource:xpath.
They use resource:resource-id exclusively. I think using resource:xpath
in those profiles might help clarify some of the issues we are
discussing around identifying and testing multiple XML nodes.  

Regards,
--Paul

