Subject: Re: [xacml-comment] Multiple decision result of type xpathExpression
Hi Clement, On 31/08/2013 6:04 AM, Pellerin, Clement wrote:
From: Steven Legg Sent: Tuesday, August 27, 2013 9:36 PM You can test whether a node is an Amount < 200 in a policy with an expression like the following: <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"/> <AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector" Path="self::Amount/child::text()" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">200</AttributeValue> </Apply> The AttributeSelector applies the Path to the node identified by the "content-selector" attribute value resulting in a text() node that it turns into an XACML integer value.This goes a long way towards my goal. It works well when the element to test is a primitive type and the value of interest is its text value. I'm still confused what to do when the element to test is a complex type. For example, how can I accept an element called public knowing it is a complex type and has no significant text value? Let's say I'm satisfied to write the condition in XPath, how can the boolean returned by XPath be used by the Match element?
It can't. XACML requires that the result of the XPath expression is a node-set. Anything else causes an AttributeSelector to generate an error. Thus, there are limits to what it is possible to do with XPath expressions in XACML. Regards, Steven
self::public does not work because the AttributeSelector will try to compute the text value of the public node. More generally, let's say I want to compute a value in XPath and make that the String value of the AttributeSelector? Maybe I'm going in the wrong direction, but my first intuition was to compute the node name of the element selected by (//*)[I] and test it in XACML, but I can't find how to do that.