Re: [xacml-dev] one question regarding AttributeSelector XACML Element

[Seth Proctor <Seth.Proctor@Sun.COM>]

On Thu, 2004-11-18 at 02:43, Muhammad Masoom Alam wrote:
> I have a confusion regarding the use of AttributeSelector's attribute
> RequestContextPath . As the XACML specificaiton says that 
> An Xpath expression whose context node isthe XACML-context:Request
> element .

That's correct. All XPath expressions are relative to the "notional"
Request element. This means that all values are associated with the
request.

> Now if 
> 
>   1.. I want to read the data which is in XML format , but not from
>       inside the request as specified under Request-Context but from a
>       file which is located outside. is this possible with current XACML,
>       if yes , then whether this RequestContextPath is not misleading ??

Well, there are two ways of approaching this. One is to put the contents
of the document somewhere in the Request, either in the ResourceContent
(if it's the document you're trying to access) or somewhere else. Then
you can use the default XPath query mechanism to pull values from the
document.

The second is to do exactly as you say: query the file when needed. Is
this misleading? Maybe. But think about how you access other attributes.
You can ask for an attribute (for example) in the Subject section of the
Request, and if it's not in the original Request, then the Context
Handler is free to go off and find the attribute somewhere else. It's
not that the attribute must have been part of some original XML
document, it's that conceptually, from the view of the PDP, this is an
attribute associated with the Subject in the context of the Request.

Does that help? FYI, you can implement this using the SunXACML system,
but you'll need to use a new custom AttributeFinderModule since the
SelectorModule provided with the code will only retrieve attributes
based on the original Request document.


seth