[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Category vs XPathCategory
All,
During the call today, I promised to post an explanation between the
"Category" and "XPathCategory" XML attributes. Both attributes are used
to indicate the context node of an xpath expression. The difference is
that in XACML there are two ways in which an XPath expression can occur:
in an <AttributeSelector> or in the new xpathExpression data type. The
two attributes go with the two different ways. The details are below.
"Category" is an attribute of <AttributeSelector>
<xs:element name="AttributeSelector"
type="xacml:AttributeSelectorType" substitutionGroup="xacml:Expression"/>
<xs:complexType name="AttributeSelectorType">
<xs:complexContent>
<xs:extension base="xacml:ExpressionType">
<xs:attribute name="Category" type="xs:anyURI"
use="required"/>
<xs:attribute name="RequestContextPath" type="xs:string"
use="required"/>
<xs:attribute name="DataType" type="xs:anyURI"
use="required"/>
<xs:attribute name="MustBePresent" type="xs:boolean"
use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
This attribute is used to define which <Content> element is the context
node of the xpath expression in the selector.
Here is an example of an attribute selector:
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>A</AttributeValue>
<AttributeSelector
xmlns:si="http://example.com/subject-inf";
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RequestContextPath="si:SubjectInfo/si:Clearance/text()"
MustBePresent="true"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
The above match will test whether the si:SubjectInfo/si:Clearance
element in the subject <Content> element contains the string value "A".
XPathCategory is an attribute of an <AttributeValue> which contains an
xpath expression value.
<xs:element name="AttributeValue" type="xacml:AttributeValueType"
substitutionGroup="xacml:Expression"/>
<xs:complexType name="AttributeValueType" mixed="true">
<xs:complexContent mixed="true">
<xs:extension base="xacml:ExpressionType">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="DataType" type="xs:anyURI"
use="required"/>
<xs:anyAttribute namespace="##any" processContents="lax"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
Notice how the <AttributeValue> can contain any XML attributes or any
content for encoding of data type values. The 3.0 xpath expression data
type is the only standard XACML datatype which uses an XML attribute to
encode part of its value. The XPathCategory defines the category of the
<Content> element which is the context node for the xpath expression in
the <AttributeValue> element.
Here is an example of an xpath expression data type value:
<Match
MatchId="urn:oasis:names:tc:xacml:3.0:function:xpath-node-match">
<AttributeValue
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
md:record/md:patient_info/md:name
</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
</Match>
The above expression will test whether the resource id is an xpath
expression which points within the subtree under
md:record/md:patient_info/md:name in the resource category <Content>
element.
Best regards,
Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]