Re: [xacml-users] xpath access control

[Wolfgang Schreiner <wolfgang.schreiner@ec3.at>]

Thank you Jason for your reply.
I did some research in the last hours and think it is not really
possible to perfrom authorization checks on ad-hoc queries while
supporting full XPath syntax. Seems we have to agree on some tradeoffs
in this case. In the application setting I am working on, I'm fine with
using some predefined query patterns anyway. Since I'm currently dealing
with XACML I thought there would be some generic solution to the problem.

Also thanks for the paper reference.
Best regards


Crampton Jason schrieb:
> Hi Wolfgang
>
> I think you are asking about equivalence of XPath expressions.  The
> following abstract is from "Containment and equivalence for an XPath
> fragment" by Miklau and Suciu (Proceedings of the 21st ACM
> SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, 2002):
>
> "XPath is a simple language for navigating an XML document and selecting
> a set of element nodes. XPath expressions are used to query XML data,
> describe key constraints, express transformations, and reference
> elements in remote documents. This paper studies the containment and
> equivalence problems for a fragment of the XPath query language, with
> applications in all these contexts. In particular, we study a class of
> XPath queries that contain branching, label wildcards and can express
> descendant relationships between nodes. Prior work has shown that
> languages which combine any two of these three features have efficient
> containment algorithms. However, we show that for the combination of
> features, containment is coNP-complete. We provide a sound and complete
> EXPTIME algorithm for containment, and study parameterized PTIME special
> cases. While we identify two parameterized classes of queries for which
> containment can be decided efficiently, we also show that even with some
> bounded parameters, containment is coNP-complete. In response to these
> negative results, we describe a sound algorithm which is efficient for
> all queries, but may return false negatives in some cases."
>
> In short, the problem is difficult if you do not restrict the type of
> XPath expressions you use!
>
> There is also a certain amount of work in the research literature on the
> use of XPath to specify regions of XML documents to which access should
> be restricted according to some access control policy.  Damiani et al
> have used this approach (A fine-grained access control system for XML
> documents, ACM Transactions on Information and Ssytem Security, 5(2),
> 2002), as have Bertino et al (Specifying and enforcing access control
> policies for XML document sources, WWW 2000), and me
> (http://www.isg.rhul.ac.uk/~jason/Pubs/sws04.pdf).
>
> Hope this helps.
>
> Regards
>
>
> Jason
>
> ------------------------------------
> Information Security Group
> Royal Holloway, University of London
> http://www.isg.rhul.ac.uk/~jason 
> ------------------------------------
>
> -----Original Message-----
> From: Wolfgang Schreiner [mailto:wolfgang.schreiner@ec3.at] 
> Sent: 30 November 2006 16:01
> To: xacml-users@lists.oasis-open.org
> Subject: [xacml-users] xpath access control
>
> Hi all,
>
> Following problem: I would like to control access to a set of XML
> documents via XPath 2.0 queries. XML fragements, which are allowed to
> being accessed are specified by XPath 2.0 statements as well. What I
> need is a method to determine whether 2 XPath statements are
> semantically equal or similar, before executing the query and having to
> post-filter the result. What is the best way to achieve this? Does the
> XACML xpath-node-match function solve this problem?  Is there an
> implementation to it? I think the Sun implementation does not include
> XPath functions?
>
>   

-- 

  best regards,

  Wolfgang Schreiner, Mag. DI
  E-Commerce Competence Center (EC3)
  Donau-City Strasse 1, A - 1220 Vienna

  Tel: +43 1 522 71 71 - 14
  Fax: +43 1 522 71 71 - 71
  Web: http://www.ec3.at