OASIS Mailing List Archives

xacml-users message



Subject: Re: [xacml-users] AttributeSelector - Missing Attribute



Hi Michael.

On Fri, 2005-06-10 at 20:48, MICHAEL MENDONCA wrote:
> If I used an XPath expression in an AttributeSelector, that was not
> available in the request context - resource content, would the PDP
> return "Indeterminate" or "Not Applicable"?? 

What the PDP returns is based on the whole of the policy, its combining
algorithms, and what is wrapped around your AttributeSelector. A better
question to ask is: "what would the AttributeSelector return?" (maybe
this is what you were asking?)

If the expression is unresolvable [1], then the behavior is based on
the MustBePresent XML attribute. If it's false (the default), then the
selector simply returns an empty bag. If it's true, then this is an
Indeterminate case. This result is then handled by the logic around your
selector.

> Is it possible to use the following : 
> 
> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
>   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
>   <AttributeSelector RequestContextPath="count(//gml:position)" DataType="http://www.w3.org/2001/XMLSchema#integer"/>
> </ResourceMatch>
> 
> in the policy target to check if there are elements of a certain type
> in the request before looking for them in that policy's rules?

Ah, this question has two answers :)

The first answer is that while the XPath expression may be valid (I'm
not an XPath hacker, so I'll leave that discussion for someone else) I
don't think you can use it the way you're trying to. The XACML spec
requires that the expression resolves a set of text, attribute,
processing, or comment nodes, and that each of these be converted to an
XACML AttributeValue using a standard construction (see the XACML spec
for details). Could someone on this list who's more of an XPath expert
comment?

Now to the second part. The question I have is what exactly you're
trying to do. If you just want to make sure some tree exists in your
applicability check, then you can use the MustBePresent attribute, and
just take care to have an applicable policy at the same level if you
don't want a final result of Indeterminate. Alternately, you could use
one of the standard XPath functions that lets you count elements.


seth


[1] By which I mean what you're asking. Namely, that the attributes
weren't available. If an error occurs, then the result is always
Indeterminate.
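An added example, not from Seth's reply or from the OASIS list: a toy Python model of the AttributeSelector behaviour described above (empty bag when MustBePresent is false, Indeterminate when it is true and nothing resolves) next to the standard xpath-node-count function, evaluated with ElementTree's node-selecting XPath subset over a constructed ResourceContent. The gml namespace URI and the `load_resource_content` helper are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI for the gml: prefix used in the quoted policy.
NS = {"gml": "http://www.opengis.net/gml"}

# Constructed sample <ResourceContent>: two gml:position elements.
RESOURCE_CONTENT = (
    '<ResourceContent xmlns:gml="http://www.opengis.net/gml">'
    "<gml:Point><gml:position>1 2</gml:position></gml:Point>"
    "<gml:Point><gml:position>3 4</gml:position></gml:Point>"
    "</ResourceContent>"
)


def load_resource_content(xml_text=RESOURCE_CONTENT):
    """Parse the request's resource content into an element tree."""
    return ET.fromstring(xml_text)


def attribute_selector(root, path, must_be_present=False):
    """Model of AttributeSelector evaluation.

    ElementTree only supports the node-selecting subset of XPath, which
    mirrors the spec's requirement that the expression resolve to nodes
    (a numeric expression such as count(...) has no place here).
    Returns ("bag", values) or, when nothing resolves and
    MustBePresent="true", ("Indeterminate", reason).
    """
    values = [n.text for n in root.findall(path, NS) if n.text is not None]
    if not values and must_be_present:
        return ("Indeterminate", f"no node matches {path}")
    return ("bag", values)


def xpath_node_count(root, path):
    """Model of urn:oasis:names:tc:xacml:1.0:function:xpath-node-count,
    the standard function that counts the nodes an expression selects."""
    return len(root.findall(path, NS))


def position_elements_present(root):
    """The quoted target check restated on the counting function:
    integer-less-than(0, xpath-node-count(".//gml:position"))."""
    return 0 < xpath_node_count(root, ".//gml:position")


if __name__ == "__main__":
    root = load_resource_content()
    print(attribute_selector(root, ".//gml:position"))
    print(attribute_selector(root, ".//gml:missing", must_be_present=True))
    print(position_elements_present(root))
```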


