Subject: [xacml] Re: xpath and xacml


This is a proposal for supporting target specification using XPath
expressions. <AttributeSelector> is used to specify an XPath expression in
the <Target> element. I am assuming that <AttributeDesignator> will be used
for expressions without XPath. Four new functions are used to compare
values.

function:general-string-equal
function:boolean
function:node-equal
function:xpath-match

The <XPathVersion> element in the <Defaults> element is used to specify the
version of the XPath expression used in the policy. The schema definition
will be posted by Simon.

Before describing each function definition, I start with a couple of
policy specification examples.

== EXAMPLE 1 ==

<Rule>
  <Target>
    <Resources MatchId="function:general-string-equal" DataType="xs:boolean">
      <AttributeSelector Designator="//c:Subject[@Category='req']/c:SubjectId"/>
      <AttributeSelector Designator="//e:employee/e:name"/>
    </Resources>
  </Target>
</Rule>

The above policy means general-string-equal(xpath-match(//c:Subject
[@Category='req']/c:SubjectId), xpath-match(//e:employee/e:name)).

general-string-equal is derived from the general comparison "=" defined in
XPath 2.0, which adds existential semantics to value comparisons. While the
original general comparison is not aware of data types, our function is
aware of the data type. That's why "string" is specified in the function
name. This means the comparison must be done in the string data type.

For example, SubjectId may return a set including two items that represent
"Alice" and "Bob", and e:name may return a set including three items that
represent "Alice", "Carol" and "Dave". Since "Alice" is included in both
lists, general-string-equal returns true.

In the above policy, I omitted the namespace URI and prefix used in the
XPath for readability. They would be specified as follows:
<Rule>
  <Target>
    <Resources MatchId="function:general-string-equal" DataType="xs:boolean">
      <AttributeSelector xmlns:c="urn:oasis:xacml-context" Designator="//c:Subject[@Category='req']/c:SubjectId"/>
      <AttributeSelector xmlns:e="http://myNS" Designator="//e:employee/e:name"/>
    </Resources>
  </Target>
</Rule>

== EXAMPLE 2 ==

<Rule>
  <Target>
    <Resources MatchId="function:general-string-equal" DataType="xs:boolean">
      <AttributeSelector Designator="//c:Subject[@Category='req']/c:SubjectId"/>
      <Attribute DataType="xs:string">Alice</Attribute>
    </Resources>
  </Target>
</Rule>

The above policy means general-string-equal(xpath-match(//c:Subject
[@Category='req']/c:SubjectId), "Alice")

== EXAMPLE 3 ==

If the two arguments of general-string-equal are the same, it is possible
to specify that by:

<Rule>
  <Target>
    <Resources MatchId="function:boolean" DataType="xs:boolean">
      <AttributeSelector Designator="boolean(//c:Subject[@Category='req']/c:SubjectId[.=//e:employee/e:name])"/>
    </Resources>
  </Target>
</Rule>

The above policy is valid when a target XML document is embedded in the
XACML request context. (We assume that each element is distinguished using
namespaces.) However, if the two expressions refer to different XML
documents, say the XACML request context and a target XML document that is
NOT EMBEDDED in the context, it is impossible to specify it like the above.
I omitted the DataType attribute in the AttributeSelector because its data
type is always a set, and there seems to be no data type that represents a
set.

== EXAMPLE 4 ==

Another usage is the node comparison as I described in my XML access
control proposal. Of course, this is an analogy to the node comparison "is"
defined in [1].

<Rule>
  <Target>
    <Resources MatchId="function:node-equal" DataType="xs:boolean">
      <AttributeSelector Designator="//c:Attribute/@value"/>
      <AttributeSelector Designator="//c:Attribute/@name"/>
    </Resources>
  </Target>
</Rule>

----------------------
    Function Definitions
----------------------

<1>. Function:general-string-equal

boolean: general-string-equal(object(*1), object)

general-string-equal(A,B) is true for sets A and B if string-equal(a,b) is
true for some item a in A and some item b in B. Otherwise,
general-string-equal(A,B) is false. When performing the string-equal
function, apply the following rules in order:

1. Simple String Atomization (SSA) is applied to each operand, resulting in
a single atomic value or an empty set for each operand.
2. If either operand is an empty set, the result is an empty set.
3. Cast each operand to xs:string.
4. If the cast fails, the error value is returned.
5. The result of string-equal is true if the value of the first operand is
equal to the value of the second operand; otherwise the result of
string-equal is false.

Simple String Atomization (SSA):

1. If the value is a single atomic value or an empty set, atomization
simply returns the value.
2. If the value is a single node, it must be an element node, an attribute
node or a text node.
  2.1  If the value is a text node, return the string content of the text
node.
  2.2  If the value is an attribute node, return its string value.
  2.3  If the value is an element node that does not contain element nodes
below, return the string content of its text node.
  2.4  If the value is an element node that contains one or more element
nodes below, return the error value as defined in [1].
3. If the value is not a single node, return the error value as defined in [1].

Example:
<a>
  <b1>January</b1>
  <b1>February</b1>
  <b2>
    <c>January</c>
    <c>March</c>
  </b2>
  <b3 d="February"/>
  <b3 d="April"/>
</a>

A := xpath(/a/b1)
B := xpath(/a/b2/c)
C := xpath(/a/b3/@d)
D := xpath(/a/b2)

(1) general-string-equal(A,B) ==> true
(2) general-string-equal(A,C) ==> true
(3) general-string-equal(B,C) ==> false
(4) general-string-equal(A,"February") ==> true
(5) general-string-equal(A,D) ==> Error value

(1) A returns two nodes: two <b1> elements. The SSA is applied to the first
<b1> item, which returns "January". The SSA is applied to the second <b1>
item, which returns "February". B returns two nodes: two <c> elements. The
SSA is applied to the first <c> item, which returns "January". The SSA is
applied to the second <c> item, which returns "March". String casting
succeeds. Since the first value of the first operand is equal to the first
value of the second operand, general-string-equal returns true.

(2) C returns two nodes: two d attributes. The SSA is applied to each item,
which returns "February" and "March", respectively. Since the second value
of the first operand is equal to the first value of the second operand,
general-string-equal returns true.

(3) Since there is no identical value pair in the first operand and the
second operand, general-string-equal returns false.

(4) The second operand is a single atomic value "February". Since it is
equal to the second value of the first operand, general-string-equal
returns true.

(5) The second operand returns one <b2> element that contains two <c>
elements. This raises an error from SSA step 2.4. Therefore,
general-string-equal returns the error value.


<2>. Function:boolean

boolean boolean(object)

The boolean function converts its argument to a boolean as follows:
1. a number is true if and only if it is neither positive or negative zero
nor NaN
2. a node-set is true if and only if it is non-empty
3. a string is true if and only if its length is non-zero
4. an object of a type other than the four basic types is converted to a
boolean in a way that is dependent on that type


<3>. Function:node-equal

boolean node-equal(object, object)

The result of a node-equal is defined by applying the following rules, in
order:
1. Both operands must be either a single node or an empty set; otherwise
the error value is returned.
2. If either operand is an empty set, the result of the comparison is an
empty set.
3. A comparison is true if the two operands are nodes that have the same
single node; otherwise it is false.


<4>. Function:xpath-match

object xpath-match(string)

The result of xpath-match is defined by applying the following rules, in
order:
1. Find the <XPath-Version> element in the <Defaults> element specified in
the rule/policyStatement/policySetStatement. Use the corresponding XPath
processor to evaluate the argument.
2. Evaluate the argument and return the object.


*1 The "object" type specified in each function argument is defined in [2].

[1] XQuery 1.0 and XPath 2.0 Data Model, http://www.w3.org/TR/xquery-operators/
[2] XPath 1.0, http://www.w3.org/TR/xpath

Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
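The SSA and general-string-equal rules from the Function Definitions section above, worked through in Python as an added example (not code from the message or the XACML TC). The document and the node-sets A..D are the ones from the SSA example; since xml.etree has no attribute node type and no XPath engine, the XPath results are built by hand (with an assumed Attr class standing in for attribute nodes) and text nodes are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the sample document from the SSA example in the message.
DOC = """<a>
  <b1>January</b1>
  <b1>February</b1>
  <b2><c>January</c><c>March</c></b2>
  <b3 d="February"/>
  <b3 d="April"/>
</a>"""

ERROR = object()  # stands in for the XPath 2.0 "error value" of [1]


class Attr:
    """Assumed attribute-node model: ElementTree only exposes attributes as strings."""
    def __init__(self, owner, name):
        self.value = owner.get(name)


class SsaError(Exception):
    pass


def ssa(item):
    """Simple String Atomization for one item: atomic string, or raise (rules 2.4, 3)."""
    if isinstance(item, str):              # rule 1: already an atomic value
        return item
    if isinstance(item, Attr):             # rule 2.2: attribute node -> its string value
        return item.value
    if isinstance(item, ET.Element):
        if len(item) == 0:                 # rule 2.3: leaf element -> its text content
            return item.text or ""
        raise SsaError("element has child elements")   # rule 2.4
    raise SsaError("not a single node")    # rule 3


def general_string_equal(a_set, b_set):
    """True if string-equal(a, b) holds for some a in A and some b in B.
    A bare string is a one-item set; any SSA error in any pair yields ERROR."""
    a_set = [a_set] if isinstance(a_set, str) else a_set
    b_set = [b_set] if isinstance(b_set, str) else b_set
    try:
        pairs = [ssa(a) == ssa(b) for a in a_set for b in b_set]  # every pair atomized
    except SsaError:
        return ERROR
    return any(pairs)


def run_examples():
    """Cases (1)-(5) from the message; the XPath node-sets are built by hand."""
    root = ET.fromstring(DOC)
    A = root.findall("b1")                           # xpath(/a/b1)
    B = root.findall("b2/c")                         # xpath(/a/b2/c)
    C = [Attr(e, "d") for e in root.findall("b3")]   # xpath(/a/b3/@d)
    D = root.findall("b2")                           # xpath(/a/b2): <b2> has child elements
    return {1: general_string_equal(A, B), 2: general_string_equal(A, C),
            3: general_string_equal(B, C), 4: general_string_equal(A, "February"),
            5: general_string_equal(A, D)}
```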