Subject: RE: [xacml-comment] Multiple decision result of type xpathExpression
I'm really struggling to write a non-trivial Policy to authorize my Multiple Decision Request. Let's assume I want to authorize every element for XML filtering. The XPath expression I will use to select the nodes will be //* This will expand into multiple individual requests of the form <AttributeValue DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression" XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">(//*)[N]</AttributeValue> The goal is to retrieve that node and test some condition about it. I don't have specific needs, I'm just trying to test my implementation. I believe the functions are strongly typed in XACML. The only standard functions that take an xpathExpression as argument are xpath-node-count, xpath-node-equal and xpath-node-match. It appears I have to exit the XACML language and write my whole condition in the XPath expression of xpath-node-equal or xpath-node-match. Is that the intention of XACML? Suppose I want to permit elements called Amount if the text value is less than 200. I can call xpath-node-equal with the XPath expression //Amount[text() < 200] but it is expensive to discover all the elements that pass the test to check if the current element is one of them. It would make more sense to retrieve the current element by evaluating (//*)[N] and testing the node name and text value in XACML. Unfortunately, I don't think XACML has the Node DataType. If I could make the XPath context node be (//*)[N] itself, then I could write self::Amount[text()<200] which is already a lot more efficient. Any guidance or pointers to real-world examples would be appreciated.