[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: AW: [xacml] Category vs XPathCategory
Hi Erik, thanks for this clear presentation of the issue. If I may add two remarks/questions: 1: If the AttributeSelector would have it's RequestContextPath Attribute as Child element, this sort of special treatment (i.e. the Category Attribute within the AttributeSelector) could be avoided. You could simply use the <AttributeValue> approach: e.g.: <AttributeSelector xmlns:si="http://example.com/subject-inf" MustBePresent="true" DataType="http://www.w3.org/2001/XMLSchema#string"> <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression" XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" xmlns:si="http://example.com/subject-inf"> si:SubjectInfo/si:Clearance/text() </AttributeValue> </AttributeSelector> Such an approach will unify the both cases. Further this will allow for many other things (think e.g. of the discussion on Selector(condad(resource-id, /anyOffset)) 2: out of curiosity. What is the advantage to split the semantic of the selector's pointer in two parts? Currently the source nodes are identified by: a) the Category Attribute (sets the context node) and b) the xpath expression under the RequestContextPath Attribute Why is the context node not always the root node of the decision request i.e. /Request? Best regards jan PS: I have pretty busy times at the moment so I didn't have time yet to review your proposal on the "running XPath in reverse" approach. I will try to follow your thoughts asap. ________________________________________ Jan Herrmann Dipl.-Inform., Dipl.-Geogr. wissenschaftlicher Mitarbeiter Technische Universität München Institut für Informatik Lehrstuhl für Angewandte Informatik / Kooperative Systeme Boltzmannstr. 3 85748 Garching Tel: +49 (0)89 289-18692 Fax: +49 (0)89 289-18657 www11.informatik.tu-muenchen.de ________________________________________ > -----Ursprüngliche Nachricht----- > Von: Erik Rissanen [mailto:erik@axiomatics.com] > Gesendet: Donnerstag, 29. Oktober 2009 16:47 > An: XACML TC > Betreff: [xacml] Category vs XPathCategory > > All, > > During the call today, I promised to post an explanation between the > "Category" and "XPathCategory" XML attributes. Both attributes are used > to indicate the context node of an xpath expression. The difference is > that in XACML there are two ways in which an XPath expression can occur: > in an <AttributeSelector> or in the new xpathExpression data type. The > two attributes go with the two different ways. The details are below. > > "Category" is an attribute of <AttributeSelector> > > <xs:element name="AttributeSelector" > type="xacml:AttributeSelectorType" substitutionGroup="xacml:Expression"/> > <xs:complexType name="AttributeSelectorType"> > <xs:complexContent> > <xs:extension base="xacml:ExpressionType"> > <xs:attribute name="Category" type="xs:anyURI" > use="required"/> > <xs:attribute name="RequestContextPath" type="xs:string" > use="required"/> > <xs:attribute name="DataType" type="xs:anyURI" > use="required"/> > <xs:attribute name="MustBePresent" type="xs:boolean" > use="required"/> > </xs:extension> > </xs:complexContent> > </xs:complexType> > > This attribute is used to define which <Content> element is the context > node of the xpath expression in the selector. > > Here is an example of an attribute selector: > > <Match > MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string">A</AttributeValue> > <AttributeSelector > xmlns:si="http://example.com/subject-inf" > > Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" > RequestContextPath="si:SubjectInfo/si:Clearance/text()" > MustBePresent="true" > DataType="http://www.w3.org/2001/XMLSchema#string"/> > > The above match will test whether the si:SubjectInfo/si:Clearance > element in the subject <Content> element contains the string value "A". > > XPathCategory is an attribute of an <AttributeValue> which contains an > xpath expression value. > > <xs:element name="AttributeValue" type="xacml:AttributeValueType" > substitutionGroup="xacml:Expression"/> > <xs:complexType name="AttributeValueType" mixed="true"> > <xs:complexContent mixed="true"> > <xs:extension base="xacml:ExpressionType"> > <xs:sequence> > <xs:any namespace="##any" processContents="lax" > minOccurs="0" maxOccurs="unbounded"/> > </xs:sequence> > <xs:attribute name="DataType" type="xs:anyURI" > use="required"/> > <xs:anyAttribute namespace="##any" processContents="lax"/> > </xs:extension> > </xs:complexContent> > </xs:complexType> > > Notice how the <AttributeValue> can contain any XML attributes or any > content for encoding of data type values. The 3.0 xpath expression data > type is the only standard XACML datatype which uses an XML attribute to > encode part of its value. The XPathCategory defines the category of the > <Content> element which is the context node for the xpath expression in > the <AttributeValue> element. > > Here is an example of an xpath expression data type value: > > <Match > MatchId="urn:oasis:names:tc:xacml:3.0:function:xpath-node-match"> > <AttributeValue > DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression" > > XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> > md:record/md:patient_info/md:name > </AttributeValue> > <AttributeDesignator > Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" > AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" > DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/> > </Match> > > The above expression will test whether the resource id is an xpath > expression which points within the subtree under > md:record/md:patient_info/md:name in the resource category <Content> > element. > > Best regards, > Erik > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]