xacml message



Subject: AW: [xacml] New issue: proposal for content context path


Hi Paul,

Your proposal for content context path is pretty close to the Selector we
actually use/need in our use cases.

To enable the full strength of this approach it might be better to have a
ContentContextPath ELEMENT (as child of the Attribute selector) instead of
having a ContentContextPath ATTRIBUTE.

This simple change will allow the value of ContentContextPath to be processed
with XACML functions beforehand. Having it encoded as an XML attribute will
prevent this. Further, the encoding as a proper XML element will also allow for
an explicit AttributeValue (an XPATH attribute value) definition below the
<ContentContextPath>.

Apart from that I strongly support the proposed edits. Maybe an additional
informational block talking about namespace issues could further be added.

Best regards
jan



> -----Original Message-----
> From: Paul Tyson [mailto:phtyson@sbcglobal.net]
> Sent: Friday, 20 November 2009 03:02
> To: xacml@lists.oasis-open.org
> Subject: [xacml] New issue: proposal for content context path
> 
> AttributeSelector as currently defined in the core specification gives an
> xpath expression with a fixed context node of the <Content> element.  The
> xpath expression is the value of the RequestContextPath attribute.
> 
> I propose the following changes in the core spec (cd-1 PDF):
> 
> Replace line 2364 with:
> =============================
> The <AttributeSelector> element returns a bag of values converted from a
> sequence of nodes selected from a <Content> element in the request
> context.
> =============================
> 
> Delete the full sentence in lines 2366/2367:
> "The <AttributeSelector> element's RequestContextPath XML attribute ...."
> 
> Change the definition of RequestContextPath (lines 2422/2423) to:
> =============================
> An XPath expression whose context node is specified by the xpath
> expression in the value of the ContentContextPath attribute, or the
> <Content> element of the attribute category indicated by the Category
> attribute if the ContentContextPath attribute is missing or is a zero-
> length string....
> =============================
> 
> and adding after line 2431:
> 
> ============================
> ContentContextPath [Optional]
> 
> An XPath expression whose context node is the <Content> element of the
> attribute category indicated by the Category attribute.  If this xpath
> expression evaluates to a sequence of more than one node, the evaluation
> of the AttributeSelector shall return Indeterminate.  The node indicated
> by this xpath expression SHALL be the context for the xpath expression
> given by the RequestContextAttribute.
> =============================
> 
> Appropriate changes to the schema definition of AttributeSelectorType
> would also be required.
> 
> This change is backward-compatible with existing 3.0 implementations and
> policies.
> 
> Regards,
> --Paul
> 
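
The two-stage evaluation proposed in the quoted message, as an added example that is not part of the original thread or of any XACML implementation. Assumptions: Python's ElementTree path subset stands in for a full XPath engine, the <Content> document and its element names are constructed, and returning an empty bag when ContentContextPath selects no node is a choice made here because the proposal does not cover that case.

```python
import xml.etree.ElementTree as ET

INDETERMINATE = "Indeterminate"

# Constructed <Content> for illustration; element names are hypothetical.
CONTENT_XML = """
<Content>
  <record id="r1">
    <patient><name>Alice</name></patient>
    <physician><name>Dr. Bob</name></physician>
  </record>
  <record id="r2">
    <patient><name>Carol</name></patient>
    <physician><name>Dr. Dan</name></physician>
  </record>
</Content>
"""
CONTENT = ET.fromstring(CONTENT_XML)


def select(content, request_context_path, content_context_path=None):
    """Evaluate an AttributeSelector as described in the proposal.

    Returns a bag (list) of text values, or INDETERMINATE when
    ContentContextPath selects more than one node.
    """
    # Missing or zero-length ContentContextPath: context is <Content>.
    context = content
    if content_context_path:
        nodes = content.findall(content_context_path)
        if len(nodes) > 1:
            # Proposal: a sequence of more than one node is Indeterminate.
            return INDETERMINATE
        if not nodes:
            # Assumption (not stated in the proposal): no context node
            # means nothing can be selected, so the bag is empty.
            return []
        context = nodes[0]
    # RequestContextPath is evaluated relative to the chosen context node.
    return [node.text for node in context.findall(request_context_path)]


if __name__ == "__main__":
    print(select(CONTENT, "record/patient/name"))               # from <Content>
    print(select(CONTENT, "patient/name", "record[@id='r2']"))  # one record
    print(select(CONTENT, "patient/name", "record"))            # ambiguous
```

The third call shows why the single-node rule matters for policy authors: a context path that matches two records yields Indeterminate rather than silently binding the selector to the first match.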