Subject: RE: [xacml-dev] RE: [sunxacml-discuss] RE: Use of Xquery with XACML
You are trying to mix context information provided using an XML document and provided as name/value pairs. This is not a good idea, as those two representations are not completely compatible - an XPath 2.0 data model sequence does not have the same semantics as an XACML bag. You cannot really use an unordered bag sequence within an XPath predicate expression.

You either need to extract the necessary attribute from your source document outside of the realm of XACML and populate your context, or you can construct a resource XML representation that includes all the information that you need to use, using some XML data aggregation and transformation engine, such as an XQuery or XSLT based one.

Daniel;

-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.email@example.com]
Sent: Friday, December 10, 2004 1:48 AM
To: diego gonzalez; firstname.lastname@example.org
Cc: email@example.com
Subject: Re: [xacml-dev] RE: [sunxacml-discuss] RE: Use of Xquery with XACML

OK, I agree with what you are saying. Can you please have a look at the following rule case:

Suppose I have a rule: "A Physician is allowed to check the record of Patient X if and only if he is the primary care physician of Patient X."

Now the XPath would be

/Physician/PhyID = PhysicianID // I also wanted to check whether he is a valid physician or not.
AND
/Physician/patients/patID = patientID of patient X // for checking whether the Physician is the primary care physician of Patient X or not.

This kind of XPath is not correct, as the 2nd condition can be true for any Physician who is taking care of Patient X in addition to the primary care physician. Can we introduce some context information like this?

Note: where subjectID is the ID of the caller.

"/Hosptial/Physician[phyID='subjectID']/patients/patID/text()"

Regards
Muhammad.

----- Original Message -----
From: "diego gonzalez" <firstname.lastname@example.org>
To: <email@example.com>
Cc: <firstname.lastname@example.org>
Sent: Thursday, December 09, 2004 5:01 PM
Subject: RE: [xacml-dev] RE: [sunxacml-discuss] RE: Use of Xquery with XACML

Totally agree with this. In fact, when XPath is used within the Rules or Conditions it's implemented as a function. I think there is some overlapping between RequestContext and the XPath-related function, because both support searching elements using XPath, but I don't see this as very confusing. In fact it also allows more information by the time of processing the policy, and it is also easy to create context-bound XPath.

Regards,
DiegoG

-----Original Message-----
From: Daniel Engovatov [mailto:email@example.com]
Sent: Wednesday, December 08, 2004 5:48 PM
To: Muhammad Masoom Alam; firstname.lastname@example.org
Cc: Seth Proctor; email@example.com
Subject: [xacml-dev] RE: [sunxacml-discuss] RE: Use of Xquery with XACML

If you want to extend XACML functions to use XQuery, you will have to do it yourself. There is no direct mapping, as the XQuery/XPath data model is not directly compatible with the XACML data model. This is done on purpose, as the XACML data model is designed to accommodate a broader range of data sources than XML.

If you write a custom function that does an XQuery or XSLT transformation to return an XACML attribute value to be used in a rule, you can pass the actual query code as a string literal attribute. You will also need to address how you provide prolog data and XQuery context, but this is completely outside of the XACML implementation.

Daniel;

-----Original Message-----
From: Muhammad Masoom Alam [mailto:Muhammad.firstname.lastname@example.org]
Sent: Wednesday, December 08, 2004 11:14 AM
To: Daniel Engovatov; email@example.com
Cc: Seth Proctor; firstname.lastname@example.org
Subject: Re: [sunxacml-discuss] RE: Use of Xquery with XACML

Dear ,

And if the authorization system (PDP) itself wants to use XQuery to make a decision for a resource (XML data / or any resource), where is this XQuery going to be stored, and how is the authorization system going to reference this XQuery, as currently there is no support for XQuery and very limited support for XPath as well?

Regards
Muhammad.
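
The first option in the top reply (extract the attribute outside XACML and populate the context), applied to the primary care physician rule from the thread, as an added example that is not part of the original messages or of any XACML implementation. The sample document, the attribute name `urn:example:primary-care-patients` and all function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names follow the XPath posted in the thread.
# Assumption: each <patients> list holds the patients for whom that
# physician is the primary care physician.
RECORDS = """<Hosptial>
  <Physician><phyID>D1</phyID><patients><patID>P7</patID></patients></Physician>
  <Physician><phyID>D2</phyID><patients><patID>P9</patID></patients></Physician>
</Hosptial>"""

PRIMARY_CARE_ATTR = "urn:example:primary-care-patients"  # hypothetical id


def load_records():
    return ET.fromstring(RECORDS)


def uncorrelated_check(root, subject_id, patient_id):
    """The two separate conditions from the thread. Each one is evaluated
    over the whole document, so different physicians can satisfy them."""
    phy_ids = {e.text for e in root.findall("./Physician/phyID")}
    pat_ids = {e.text for e in root.findall("./Physician/patients/patID")}
    return subject_id in phy_ids and patient_id in pat_ids


def build_context(root, subject_id):
    """Outside the policy: collect the patients bound to this one physician
    and expose them as a name/value attribute holding an unordered bag."""
    patients = set()
    for phys in root.findall("./Physician"):
        # Compare in code rather than pasting subject_id into an XPath string.
        if phys.findtext("phyID") == subject_id:
            patients.update(e.text for e in phys.findall("./patients/patID"))
    return {"subject-id": subject_id, PRIMARY_CARE_ATTR: frozenset(patients)}


def decide(context, patient_id):
    """Rule: Permit only if the requested patient is in the subject's bag."""
    return "Permit" if patient_id in context[PRIMARY_CARE_ATTR] else "Deny"


if __name__ == "__main__":
    root = load_records()
    print(uncorrelated_check(root, "D2", "P7"))   # both conditions hold
    print(decide(build_context(root, "D2"), "P7"))
    print(decide(build_context(root, "D1"), "P7"))
```

Physician D2 passes the two uncorrelated conditions for patient P7 because D1 supplies the matching patID; once the patient list is bound to the caller before the rule runs, the rule reduces to a bag membership test and D2 is denied.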