OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml-users] xpath access control

Hi Wolfgang

I think you are asking about equivalence of XPath expressions.  The
following abstract is from "Containment and equivalence for an XPath
fragment" by Miklau and Suciu (Proceedings of the 21st ACM
SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, 2002):

"XPath is a simple language for navigating an XML document and selecting
a set of element nodes. XPath expressions are used to query XML data,
describe key constraints, express transformations, and reference
elements in remote documents. This paper studies the containment and
equivalence problems for a fragment of the XPath query language, with
applications in all these contexts. In particular, we study a class of
XPath queries that contain branching, label wildcards and can express
descendant relationships between nodes. Prior work has shown that
languages which combine any two of these three features have efficient
containment algorithms. However, we show that for the combination of
features, containment is coNP-complete. We provide a sound and complete
EXPTIME algorithm for containment, and study parameterized PTIME special
cases. While we identify two parameterized classes of queries for which
containment can be decided efficiently, we also show that even with some
bounded parameters, containment is coNP-complete. In response to these
negative results, we describe a sound algorithm which is efficient for
all queries, but may return false negatives in some cases."

In short, the problem is difficult if you do not restrict the type of
XPath expressions you use!

There is also a certain amount of work in the research literature on the
use of XPath to specify regions of XML documents to which access should
be restricted according to some access control policy.  Damiani et al
have used this approach (A fine-grained access control system for XML
documents, ACM Transactions on Information and Ssytem Security, 5(2),
2002), as have Bertino et al (Specifying and enforcing access control
policies for XML document sources, WWW 2000), and me

Hope this helps.



Information Security Group
Royal Holloway, University of London

-----Original Message-----
From: Wolfgang Schreiner [mailto:wolfgang.schreiner@ec3.at] 
Sent: 30 November 2006 16:01
To: xacml-users@lists.oasis-open.org
Subject: [xacml-users] xpath access control

Hi all,

Following problem: I would like to control access to a set of XML
documents via XPath 2.0 queries. XML fragements, which are allowed to
being accessed are specified by XPath 2.0 statements as well. What I
need is a method to determine whether 2 XPath statements are
semantically equal or similar, before executing the query and having to
post-filter the result. What is the best way to achieve this? Does the
XACML xpath-node-match function solve this problem?  Is there an
implementation to it? I think the Sun implementation does not include
XPath functions?


  best regards,

  Wolfgang Schreiner, Mag. DI
  E-Commerce Competence Center (EC3)
  Donau-City Strasse 1, A - 1220 Vienna

  Tel: +43 1 522 71 71 - 14
  Fax: +43 1 522 71 71 - 71
  Web: http://www.ec3.at

To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-users-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]