[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Attribute selector result when there is no category or content element
While proofreading the latest working draft of the Entities Profile I noticed a gap in the description of the <AttributeSelector> element in the XACML core specification that is also a gap, by inheritance, in the description of the attribute-selector function in the Entities Profile. The core specification doesn't detail what the response of evaluating the <AttributeSelector> should be when either an <Attributes> element specified by the Category XML attribute doesn't exist in the request context, or such an <Attributes> element does exist but it doesn't have a <Content> child element (it being optional). Section 7.3.7, which describes attribute selector evaluation, assumes both are present as a starting point. The description of the <AttributeDesignator> element says to consider the MustBePresent XML attribute if no matching attribute is found, but the description of the <AttributeSelector> element doesn't have anything similar. Its definition of the MustBePresent XML attribute only says what to do "in the event the XPath expression selects no node". If the <Attributes> or <Content> element are absent we don't get as far as evaluating the XPath expression. Section 7.3.7 talks about constructing a stand-alone XML document from the contents of the <Content> element. We can't simply assume an empty element if it isn't actually present because the <Content> element must have a child and an XML document must have a root element. Without a valid XML document there is no context node to which to apply the XPath expression. Consistency with attribute designators would suggest deferring to the MustBePresent setting when an attribute selector doesn't find the <Attributes> element or the <Content> element (FWIW, this is what the ViewDS PDP does). Note that Section 7.3.5 says "If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an “Indeterminate” result". The statement is bogus in the case of an attribute selector because it isn't an attribute that is missing. Whether it really meant an empty node set or something more is open to interpretation. If we can get consensus on a solution I can update the Entities Profile accordingly and we can add the equivalent to the errata for the core. Regards, Steven
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]