[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: [xacml] [CR] 0047:Function specification for XPath handler
I propose to add the following two functions. Both are XPath-related functions. I attached modified policy specifications for Examples 1 and 2 (they might have mistakes). This proposal has also been agreed by Simon.

[A] Request of function additions:

  - function:xpath-equal   comparison on two DOM nodes
  - function:xpath-match   hierarchical comparison on two DOM nodes

[B] Function description:

- function:xpath-equal:

  This function takes two arguments, the first of "xs:string" and the second of "xs:string", and returns an "xs:boolean". Both arguments are valid XPath expressions as defined in the XPath 1.0 specification [1]. This function returns true if the set of DOM nodes obtained by applying the first XPath expression to the XACML Request Context includes at least one DOM node that is also obtained by applying the second XPath expression to the XACML Request Context. If the first or the second XPath does not return a DOM node set, this function returns false. When an XPath expression includes one or more namespace prefixes, they are resolved using the XPathNamespace element specified in the corresponding Policy element or PolicySet element.

  For example, the following expression shall return true:

    <Apply FunctionId="function:xpath-equal">
      <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
      <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
    </Apply>

- function:xpath-match:

  This function takes two arguments, the first of "xs:string" and the second of "xs:string", and returns an "xs:boolean". Both arguments are valid XPath expressions as defined in the XPath 1.0 specification [1]. This function first extends the first argument to support pseudo-hierarchical access control on the XML document structure. If "a" is an element node and it is specified as the first argument, the function replaces it with "a | a//* | a//@*", meaning all the elements and attributes below the specified element "a". If "a" is an attribute node, then the function does not modify the first argument. Then this function internally calls the xpath-equal function and returns the identical return value.

  For example, the following expression shall return true when the "urn:...:xpath" attribute returns an md:patient element that is below an md:record element:

    <Apply FunctionId="function:xpath-match">
      <AttributeValue>//md:record</AttributeValue>
      <Apply FunctionId="function:string-one-and-only">
        <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
      </Apply>
    </Apply>

  The above function is internally replaced by:

    <Apply FunctionId="function:xpath-equal">
      <AttributeValue>//md:record | //md:record//* | //md:record//@*</AttributeValue>
      <Apply FunctionId="function:string-one-and-only">
        <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
      </Apply>
    </Apply>

[C] Modified policy examples:

(Besides this proposal, I removed the DataType attribute and inserted the string-one-and-only function in several places.)

(See attached file: XACML-SimplePolicy.txt) (See attached file: XACML-Rule2.txt) (See attached file: XACML-Rule3.txt) (See attached file: XACML-rule4.txt) (See attached file: XACML-Rule1.txt)

[1] XPath 1.0, http://www.w3.org/TR/xpath

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
Attachments:
  XACML-SimplePolicy.txt
  XACML-Rule2.txt
  XACML-Rule3.txt
  XACML-rule4.txt
  XACML-Rule1.txt
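A reference evaluator for the two proposed functions, as an added example that is not part of the message above or of any XACML implementation. It uses Python's standard-library ElementTree, which supports only a subset of XPath 1.0 (location paths with predicates and prefixes, but no union and no attribute nodes in results), so three things are assumptions of this example rather than of the proposal: the "a | a//* | a//@*" widening of xpath-match is applied to the selected DOM node set instead of to the expression string (the resulting node set is the same), a final attribute step ("/@name" or "/@*") is handled by the wrapper so that attribute nodes can be compared, and an expression without a leading "/" is evaluated from the document element. The request context, the md namespace URI urn:example:medical and the node-set representation (elements by identity, attributes as (owner, name) pairs) are constructed for the example.

```python
"""Evaluator for the proposed function:xpath-equal and function:xpath-match.

Added example for this thread, not code from the proposal or any XACML PDP.
ElementTree covers only a subset of XPath 1.0, so (assumptions of this example):
  * the "a | a//* | a//@*" widening of xpath-match is applied to the DOM
    node set rather than to the expression string (same resulting node set);
  * a final attribute step ("/@name" or "/@*") is handled by the wrapper;
  * an expression without a leading "/" is evaluated from the document element.
Node sets are Python sets: elements by identity, attributes as (owner, name).
"""
import xml.etree.ElementTree as ET

# Stands in for the XPathNamespace elements of the Policy (constructed URI).
NS = {"md": "urn:example:medical"}

# Constructed XACML Request Context carrying a medical record in ResourceContent.
REQUEST_XML = """<Request>
  <Subject>
    <Attribute AttributeId="role"><AttributeValue>physician</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <md:record xmlns:md="urn:example:medical" id="r1">
        <md:patient><md:name>Bart Simpson</md:name></md:patient>
        <md:physician license="L-42"/>
      </md:record>
    </ResourceContent>
  </Resource>
</Request>"""
REQUEST = ET.fromstring(REQUEST_XML)


def _qname(name, ns):
    """Resolve 'prefix:local' to ElementTree's '{uri}local' form."""
    prefix, sep, local = name.partition(":")
    return "{%s}%s" % (ns[prefix], local) if sep else name


def _split_attr_step(expr):
    """Split 'path/@name' into ('path', 'name'); other expressions unchanged."""
    head, sep, tail = expr.rpartition("/@")
    if sep and "/" not in tail and "]" not in tail:
        return head, tail
    return expr, None


def node_set(root, expr, ns=NS):
    """Apply expr to the document rooted at root and return its node set, or
    None when the expression yields no node set (or is rejected by this
    evaluator); xpath-equal then reports false, as the proposal requires."""
    path, attr = _split_attr_step(expr)
    try:
        if path.startswith("/"):
            # Absolute path: evaluate from a synthetic parent so that
            # "/Request" and "//x" can select the document element itself.
            wrapper = ET.Element("document")
            wrapper.append(root)
            elems = wrapper.findall("." + path, ns)
        else:
            elems = root.findall(path, ns)
        if attr is None:
            return set(elems)
        nodes = set()
        for e in elems:
            names = list(e.attrib) if attr == "*" else [_qname(attr, ns)]
            nodes.update((e, n) for n in names if n in e.attrib)
        return nodes
    except (SyntaxError, KeyError, ValueError):
        # e.g. "count(//md:record)" (not a node set) or an unknown prefix
        return None


def _intersects(a, b):
    return a is not None and b is not None and not a.isdisjoint(b)


def xpath_equal(root, expr1, expr2, ns=NS):
    """True iff the two node sets share at least one node (compared by identity)."""
    return _intersects(node_set(root, expr1, ns), node_set(root, expr2, ns))


def xpath_match(root, expr1, expr2, ns=NS):
    """Like xpath_equal, but every element node a selected by expr1 is first
    widened to a | a//* | a//@* (the element, its descendant elements and all
    their attributes); attribute nodes selected by expr1 are left unchanged."""
    selected = node_set(root, expr1, ns)
    if selected is None:
        return False
    widened = set()
    for node in selected:
        if isinstance(node, tuple):          # attribute node: not widened
            widened.add(node)
            continue
        for e in node.iter():                # a itself and every descendant element
            widened.add(e)
            widened.update((e, n) for n in e.attrib)
    return _intersects(widened, node_set(root, expr2, ns))


if __name__ == "__main__":
    role = '/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue'
    print("xpath-equal(role, role):", xpath_equal(REQUEST, role, role))
    print("xpath-match(//md:record, //md:physician/@license):",
          xpath_match(REQUEST, "//md:record", "//md:physician/@license"))
```

The comparison is by node identity, never by string or value, so two distinct nodes with identical content do not match. The widening is one-directional: the subtree root named in the policy must be the first argument, and an expression selecting an ancestor of it does not match, which is what makes the function usable for subtree-scoped permissions.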