
security-services message



Subject: RE: [security-services] XPath issues and resolutions




>>>"Scott Cantor" <cantor.2@osu.edu> 05/13/05 11:47 am >>>
>I guess my thoughts are that we may need to say *something* more than just
>"the DocumentType and the NameID determine the document". It seems like this
>maps naturally to cases in which the document type is a "service
>identifier". Then you're looking up the service location for a given subject
>to locate the document, which maps to Liberty well, and I assume would work
>with UDDI (if not, well, something's wrong with UDDI). Actually using
>examples for this might be useful (it is a profile, after all, so being
>specific is good).

Yes, as I see it the attribute authority would do the following for an attributeQuery:
1) lookup of the service document using the nameID and the documentType (using UDDI, Liberty Disco, or whatever)
2) get the document (using the WSDL published in UDDI or using the Liberty Web services framework)
3) apply the XPath and return the value in an assertion
 
>I guess I'm wondering if there isn't value in the case of "here's the
>resource into which the XPath references", particularly in the query side,
>since presumably the requester might be asking about a resource the AA has
>access to but it doesn't. Is there any support for adding a profile-specific
>Resource attribute to the <Attribute> element for saying "the XPath applies
>to this resource specifically"?
 
I'm struggling with a use-case for this.  If an explicit document reference is also user-specific, how can we publish this document as an assertable attribute in metadata?  Or on the other hand, if the explicit document applies to all users, then what does it mean to query part of the document for a particular user?  Would it imply accessing the document with the user's assigned rights?  Or maybe it is simply a document that applies to all users.
 
- Cameron
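
The three attribute-authority steps listed in the message above, as an added sketch that is not code from the thread or from any SAML profile text. The in-memory registry standing in for UDDI or Liberty discovery, the document type URI, the sample documents, the function names, and carrying the XPath in the attribute's Name are all assumptions.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the discovery step (UDDI, Liberty Disco, ...):
# (NameID, DocumentType) -> service document for that subject.
REGISTRY = {
    ("alice@example.org", "urn:example:doctype:profile"):
        "<profile><contact><email>alice@example.org</email>"
        "<phone>555-0100</phone></contact></profile>",
    ("bob@example.org", "urn:example:doctype:profile"):
        "<profile><contact><email>bob@example.org</email></contact></profile>",
}

class QueryError(Exception):
    """The query cannot be answered for this subject and document type."""

def locate_document(name_id, document_type):
    """Steps 1 and 2: resolve and fetch the document for this subject only."""
    try:
        return ET.fromstring(REGISTRY[(name_id, document_type)])
    except KeyError:
        raise QueryError("no document of that type for this subject") from None

def answer_attribute_query(name_id, document_type, xpath):
    """Step 3: apply the XPath and wrap the matches in a saml:Attribute."""
    doc = locate_document(name_id, document_type)
    # Accept only paths relative to the resolved document's root element
    # (ElementTree implements a limited XPath subset).
    if not xpath.startswith("./"):
        raise QueryError("XPath must be relative to the document root")
    try:
        matches = doc.findall(xpath)
    except (SyntaxError, KeyError) as exc:
        raise QueryError(f"unsupported XPath: {exc}") from None
    attr = ET.Element(f"{{{SAML_NS}}}Attribute", {"Name": xpath})
    for node in matches:
        value = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
        value.text = node.text
    return attr

def values(attr):
    """Text of each AttributeValue child, in document order."""
    return [v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
```

Because the document is resolved from the NameID and DocumentType before the XPath is applied, the requester's expression is only ever evaluated against the document located for that subject.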

