[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] resource:xpath and XPathCategory
>> The core spec should provide better definition of the semantics and
>> processing expectations for resource:xpath.
I agree. I asked about this on the mailing list about a month ago and got
no response.
Regards,
Craig
---
craig forster | staff software engineer | ibm australia development labs
http://blogs.tap.ibm.com/weblogs/craigforster/
From: "Tyson, Paul H" <PTyson@bellhelicopter.textron.com>
To: <xacml@lists.oasis-open.org>
Date: 20/10/2009 06:11 AM
Subject: [xacml] resource:xpath and XPathCategory
While working out what the spec says about requests for decisions on XML
resources, I found some features that appear to be underspecified.
Line numbers refer to cd-1 PDF core spec.
Item #1. XPathCategory xml attribute
This appears in the examples in the core spec, and is mentioned on line
3890. However, it does not appear in the element description for
<AttributeValue>, nor in the xsd.
Not knowing the history of this feature, I wonder what its purpose is.
It seems the only valid values (in a request context) are identical to
the ancestor::Attributes/@Category attribute where it appears. If it is
used in a Policy, what would be the difference between @Category and
@XPathCategory? The revision history for wd-06 says Xpath categories
were introduced to point to a specific <Content> element, but I don't
see how a "category" value will meet this need. Can someone who is
familiar with the history of this feature comment on it?
Item #2. urn:oasis:names:tc:xacml:1.0:resource:xpath
This appears in the examples, but not in the conformance table (10.2.6).
The brief explanation on line 5120 does not specify any datatype, nor
does it clarify how resource:xpath differs from resource:resource-id
when used for XML resources. It does not explain the difference
between:
(a)
Attribute[@AttributeId='resource-id'][@DataType='xpathExpression']
(b) Attribute[@AttributeId='xpath']
The example in 4.2.2 includes both these <Attribute>s (although the
xpath has DataType=string). But the policy only tests the
resource:xpath attribute. It could just as well test the resource-id
attribute.
The core spec should provide better definition of the semantics and
processing expectations for resource:xpath. Not knowing the history of
this feature, I can't make any specific suggestions at this time.
The hierarchical and multiple profiles do not mention resource:xpath.
They use resource:resource-id exclusively. I think using resource:xpath
in those profiles might help clarify some of the issues we are
discussing around identifying and testing multiple XML nodes.
Regards,
--Paul
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]