security-services message

Subject: XPath Attribute Profile: XPath as an Identifier

Liberty's EP profile didn't restrict the XPath but stated that at a minimum it must have a "slash separated path to any depth.  The path is always anchored at the document root and may not contain any wild cards or empty nodes."  
I think we can use this restriction of xpath as an Identifier, with the addition of positional predicates.  I'll take a look at the xCap spec from IETF, thanks Arnaud Sahuguet for the reference.  It looks like XSquirrel is slightly different than what I was thinking because I really do want the specific nodes in the document (but it's good to know about it).
Other thoughts:
- "urn:xpath" as a prefix: Is it safe to just use xpath directly (name="/pp/LegalName/CommonName") or does it need to have some clarifying prefix (name="urn:some_name_clarifying_that_this_is_an_xpath_name:/pp/LegalName/CommonName").  I suppose the problem is that XPath is a uri and I'm trying to put it into a urn.
- If an xpath query results in multiple nodes in the same path, the path can be specified by an xpath identifier (restricted xpath) and the values can be placed in the multivalued <value> elements in SAML attributes.
- One thing I had wrong: Liberty queries will return the element tag specified in the XPath, instead of just the values inside that element tag (I suggested the latter in some examples).
- If we are uncomfortable having a query for one attribute return multiple attributes, we could also restrict the query attributes to be xpath identifiers.
More exploratory examples:
Suppose some document looks like this:
      <thing name="thing3"/>
This shows how positional predicates may be needed, as well as multiple-attributes and multi-valued attributes
Query: <AttributeQuery>...<Attribute name="/root/body/thing"/></AttributeQuery>
<saml:Attribute name="/root/body[1]/thing">
<saml:Attribute name="/root/body[2]/thing">
   <value><thing name="thing3"/></value>
Maybe we need text and attribute functions...
Query: <AttributeQuery>...<Attribute name="/root/body[1]/thing[2]/text()" /></AttributeQuery>
<saml:Attribute name="/root/body[1]/thing[2]/text()">
Query: <AttributeQuery>...<Attribute name="/root/body/thing/@name" /></AttributeQuery>
<saml:Attribute name="/root/body[2]/thing/@name">
Thanks for the feedback everyone,
- Cameron

Cameron Morris
Novell, Inc., the leading provider of Linux and identity solutions
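
Added example, not part of the original message and not taken from the Liberty or SAML specifications: a validator for the restricted "XPath as an identifier" form the message describes (root-anchored, slash-separated, no wildcards or empty nodes, optional positional predicates, and an optional trailing text() or @attribute as in the exploratory examples). The function name, the ASCII-only name pattern and the returned tuple shape are assumptions made for illustration.

```python
import re

# Assumption: ASCII subset of XML names, with an optional namespace prefix.
_NAME = r"[A-Za-z_][A-Za-z0-9_.-]*(?::[A-Za-z_][A-Za-z0-9_.-]*)?"
# Element step with an optional positional predicate, e.g. body or body[2].
# XPath positions start at 1, so [0] is rejected.
_STEP = re.compile(rf"({_NAME})(?:\[([1-9][0-9]*)\])?")
_ATTR = re.compile(rf"@({_NAME})")


def parse_xpath_identifier(path):
    """Parse a restricted XPath identifier.

    Returns (steps, terminal): steps is a list of (element, position or None),
    terminal is None, ("text", None) or ("attribute", name).
    Raises ValueError for anything outside the restricted form, so general
    XPath (unions, functions, value predicates, axes) never reaches an
    XPath evaluator.
    """
    if not path.startswith("/"):
        raise ValueError("path is not anchored at the document root")
    parts = path[1:].split("/")
    steps, terminal = [], None
    for i, part in enumerate(parts):
        if part == "":
            raise ValueError("empty node (this also covers '//' and a trailing '/')")
        if "*" in part:
            raise ValueError("wildcards are not allowed")
        is_last = i == len(parts) - 1
        # text() and @attr are accepted only as the final step, after an element.
        if is_last and steps:
            if part == "text()":
                terminal = ("text", None)
                continue
            attr = _ATTR.fullmatch(part)
            if attr:
                terminal = ("attribute", attr.group(1))
                continue
        step = _STEP.fullmatch(part)
        if not step:
            raise ValueError(f"step {part!r} is outside the restricted form")
        steps.append((step.group(1), int(step.group(2)) if step.group(2) else None))
    return steps, terminal


if __name__ == "__main__":
    # Paths taken from the message above.
    for p in ("/pp/LegalName/CommonName", "/root/body[1]/thing[2]/text()",
              "/root/body/thing/@name"):
        print(p, "->", parse_xpath_identifier(p))
```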