Re: [xacml-dev] xpath, urn:oasis:names:tc:xacml:1.0:resource:xpath

[Rich Levinson <rich.levinson@oracle.com>]

Hi Niko,

The TC is preparing the core errata for publication and the pointer
I gave you is the current state, and the issues from this email should
be discussed and included as appropriate, and I agree that B.6 and
A.3.15 leave one a bit unsure as to what is the real situation, and all
this should be part of resolving the issue.

On your xpath questions, I am not an expert on xpath and do not
know the answer about xpointer, but will also bring this to attention
of TC, and the terminology re: "root" I was just using loosely, so
you are probably correct that "context" is the correct term as
to where the xpath starts within the document.

    Thanks,
    Rich

Niko Matsakis wrote:
> First, thank you for your quick response!
>
>> You are correct that resource:xpath needs to be added to XACML 2.0. This
>> was identified as an errata:
>>
>>     http://lists.oasis-open.org/archives/xacml/200702/msg00001.html
>
> Ok, that's good to know.  I did indeed check the errata list before 
> posting, but I only saw an errata for the SAML
>
> However, let me pose one additional question: in xacml 1.0, for 
> example, the resource:xpath attribute in the example context has the 
> value xmlns(md=...) xpointer(/md:record/md:patient/md:patientDoB).  
> This is clearly not an xpath expression, but an xpointer one.  Does 
> this mean that the XACML processor must also support xpointer?
>
> I see that the XACML specifications (both 1.0 and 2.0) seem to use 
> XPath/Xpointer interchangeably, even writing "XPath/Xpointer" on 
> occasion.
>
>> On the second part of your question, I think the answer is in section 
>> B.6 p 129:
>>
>> 5036 This attribute identifies the resource to which access is 
>> requested. If an <xacml
>> 5037 context:ResourceContent> element is provided, then the resource 
>> to which access is
>> 5038 requested SHALL be all or a portion of the resource supplied in 
>> the <xacml
>> 5039 context:ResourceContent> element.
>> 5040 urn:oasis:names:tc:xacml:1.0:resource:resource-id
>>
>> I interpret this to mean that the presence of this attribute combined 
>> with the
>> presence of the ResourceContent element makes that element the default
>> root xpath from which other xpaths are derived.
>
> While I agree that this interpretation helps the examples to make 
> sense, I would not say it is exactly crystal clear from the text you 
> quoted.  Furthermore, the text in the xpath section (A.3.15) clearly 
> states "The <Request> element is the context node for every XPath 
> expression," which seems like a contradiction.  So, if your 
> interpretation is correct, I think an errata is definitely warranted.
>
> I would also say that making the Resource element the "root" of the 
> xpath evaluation  --- as opposed to the context node --- is a fairly 
> involved transformation, as it involves creating (at least 
> conceptually) a separate XML document from the <RequestContent> 
> element [along with any inherited namespaces, etc].  Otherwise, as I 
> read the specification, the xpath expression normally ranges over the 
> complete request document.
>
>
> regards,
>
> Niko Matsakis
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
>