[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-comment] Multiple decision result of type xpathExpression
Hi Clement,It is an extension that could also be done in a profile of XACML 3.0.
On 6/09/2013 12:59 AM, Pellerin, Clement wrote:
On Sep 05, 2013 1:20 AM, Steven Legg wrote:
On 31/08/2013 6:04 AM, Pellerin, Clement wrote:
I'm still confused what to do when the element to test is a complex type.
For example, how can I accept an element called public knowing
it is a complex type and has no significant text value?
Let's say I'm satisfied to write the condition in XPath,
how can the boolean returned by XPath be used by the Match element?
It can't. XACML requires that the result of the XPath _expression_ is
a node-set. Anything else causes an AttributeSelector to generate an
error. Thus, there are limits to what it is possible to do with XPath
expressions in XACML.
Yes, this is what I had concluded but I was hoping to be wrong.
It would be an easy extension for XACML 4.
Instead of doing the conversion from Node to String in the AttributeSelector,
the XPath _expression_ could return a String, which could be converted to
the XACML primitive type by the new kind of AttributeSelector.
The existing conversion of nodes to strings could remain as it is and new
cases could be added for converting boolean, number and string results of
XPath expressions. An implementation that didn't support the profile would
return indeterminate errors if it encounters a boolean, number or string
instead of a node-set, which is a completely appropriate response.The Path argument of an AttributeSelector is relative to the node identified
This still leaves unanswered my opening question.
The XACML request contains a content-selector with an XPath _expression_
that is known to return a single complexType Node with no text value.
How can I write an efficient XACML _expression_ to test some condition
about that Node?
by the ContextSelectorId attribute, so you can pull out any descendant nodes
of the single complexType Node as XACML attribute values and apply tests
to them, though it does require the PEP/PIP to provide the XPath _expression_
identifying the complexType Node as the value of the ContextSelectorId attribute.
For example:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">Path="Amount/child::text()"
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than"/>
<AttributeSelector
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
DataType="http://www.w3.org/2001/XMLSchema#integer"
MustBePresent="false"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">200</AttributeValue>
</Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"><Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>Path="Colour/child::text()"
<AttributeSelector
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">red</AttributeValue>
</Apply>
</Apply>
However, you are still limited to XPath expressions that identify nodes,
and there is no way to reliably apply non-trivial tests to more than
one complexType Node as part of the same individual decision request
(because ContextSelectorId attribute is explicitly required to identify one
node).
Regards,
Steven
I believe Node is not a primitive type in XACML 3, and
bag of Nodes are not supported either. This means a nodeset
can only be the result of an intermediate result within the semantics
of a built-in component like AttributeSelector or an intermediate result
of a built-in function like xpath-node-equal.
It seems hopeless to evaluate the content-selector to use the result
as the context node of another XPath _expression_.
Even writing a custom function seems difficult since it would require
the built-in behavior of AttributeSelector up to the point where the
conversion occurs.
Hopefully, I have overlooked a simple solution,
otherwise this would expose a serious lack of functionality
for such a common use case.
--
This publicly archived list offers a means to provide input to the
OASIS eXtensible Access Control Markup Language (XACML) TC.
In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.
Subscribe: xacml-comment-subscribe@lists.oasis-open.org
Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org
List help: xacml-comment-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/xacml-comment/
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Join OASIS: http://www.oasis-open.org/join/
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]