Subject: Re: [xacml] [CR] 0047:Function specification for XPath handler



To all,

Michiharu's proposal on his issue CR 0047.

It seems that the types of the functions Michiharu is proposing are

  xs:string -> xs:string -> xs:boolean

which does work in the type system. Good.

However, the name and semantics of xpath-equal are, I think, a bit
misleading.  Michiharu's proposal says that, of the node-set returned from
the first xpath expression, only a single node must be "equal" to at least
one node from the node-set returned from the second xpath expression.

This seems to not be an "equality" predicate, but more of a non-null set
intersection predicate. I suggest the name
"function:xpath-dom-non-null-intersection" for this function. However, the
specification of this function will have to reference an "equality"
predicate for all DOM nodes, or define one for all DOM nodes. Is this sort
of thing referenced in XPATH?

The second function is merely syntactic sugar on a single argument. There
is nothing really procedural about it.  I'm fine with the functionality
(albeit changing the name), but my question is: if you have an equivalent
function that only requires one argument to be transformed into an
expression that you can explicitly rewrite anyway, then do we really need
it?

Cheers,
-Polar

On Thu, 19 Sep 2002, Michiharu Kudoh wrote:

> I propose to add the following two functions. Both are XPath related
> functions. I attached the modified policy specifications of Examples 1 and 2
> (they might have mistakes). This proposal has also been agreed by Simon.
>
> [A] Request of function additions:
>
> - function:xpath-equal    comparison on two DOM nodes
> - function:xpath-match   hierarchical comparison on two DOM nodes
>
>
> [B] Function description:
>
> - function:xpath-equal:
> This function takes two arguments, the first of "xs:string" and the second
> of "xs:string" and returns an "xs:boolean". Both arguments are valid XPath
> expressions defined in the XPath 1.0 specification [1]. This function returns
> true if the set of DOM nodes obtained by applying the first XPath expression
> to the XACML Request Context includes at least one DOM node that is also
> obtained by applying the second XPath expression to the XACML Request
> Context. If the first XPath or the second XPath does not return a DOM node set,
> this function returns false. When an XPath expression includes one or more
> namespace prefixes, they are resolved using the XPathNamespace element
> specified in the corresponding Policy element or PolicySet element.
>
> For example, the following expression shall return true:
> <Apply FunctionId="function:xpath-equal">
>   <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
>   <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
> </Apply>
>
> - function:xpath-match:
> This function takes two arguments, the first of "xs:string" and the second
> of "xs:string" and returns an "xs:boolean". Both arguments are valid XPath
> expressions defined in the XPath 1.0 specification [1]. This function first
> extends the first argument to support pseudo hierarchical access control on
> the XML document structure. If "a" is an element node and it is specified as
> the first argument, the function replaces it with "a | a//* | a//@*", meaning
> all the elements and attributes below the specified element "a". If "a"
> is an attribute node, then the function does not modify the first argument.
> Then this function internally calls the xpath-equal function and returns the
> identical return value.
>
> For example, the following expression shall return true when
> "urn:...:xpath" attribute returns a md:patient element that is below a
> md:record element:
> <Apply FunctionId="function:xpath-match">
>   <AttributeValue>//md:record</AttributeValue>
>   <Apply FunctionId="function:string-one-and-only">
>     <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
>   </Apply>
> </Apply>
>
> The above function is internally replaced by:
>
> <Apply FunctionId="function:xpath-equal">
>   <AttributeValue>//md:record | //md:record//* | //md:record//@*</AttributeValue>
>   <Apply FunctionId="function:string-one-and-only">
>     <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
>   </Apply>
> </Apply>
>
>
> [C] Modified policy examples:
>
> (Besides this proposal, I removed DataType attribute and inserted
> string-one-and-only function in several places)
>
> (See attached file: XACML-SimplePolicy.txt)(See attached file:
> XACML-Rule2.txt)(See attached file: XACML-Rule3.txt)(See attached file:
> XACML-rule4.txt)(See attached file: XACML-Rule1.txt)
>
> [1] XPath 1.0, http://www.w3.org/TR/xpath
>
> Michiharu Kudo
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
>
>
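The two functions from the quoted proposal, worked through as an added example (this is not code from the thread, from the XACML specification, or from any XACML implementation). It evaluates both expressions against a constructed Request Context, treats the result of each as a set of DOM nodes, and implements xpath-equal as the non-null intersection Polar describes; the "equality" predicate for nodes that he asks about is taken here to be DOM identity (same element, or the same attribute of the same element), which is an assumption of this example. xpath-match widens element nodes in the first set to "a | a//* | a//@*" and leaves attribute nodes untouched. The `NS` mapping stands in for the policy's XPathNamespace declarations, and only the XPath subset that `xml.etree.ElementTree.findall()` understands is supported, plus a trailing `/@name`, `/@*` or `//@*` attribute step; the sample document and the `urn:example:md` namespace are constructed for the example.

```python
"""xpath-equal and xpath-match over a constructed XACML Request Context.

Node sets are Python sets: element nodes are the Element objects themselves
(hashed by identity), attribute nodes are (owner_element, attribute_name)
pairs. The XPath dialect is the subset ElementTree's findall() accepts, plus
a final attribute step; this is an assumption of the example, not of XACML.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample request context (not taken from the thread).
REQUEST_XML = """<Request>
  <Subject>
    <Attribute AttributeId="role"><AttributeValue>physician</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <md:record xmlns:md="urn:example:md" id="r1">
        <md:patient id="p1"><md:name>Alice</md:name></md:patient>
      </md:record>
    </ResourceContent>
  </Resource>
</Request>"""

# Stands in for the XPathNamespace declarations of the Policy/PolicySet.
NS = {"md": "urn:example:md"}

# Trailing attribute step: "<path>/@name", "<path>/@*" or "<path>//@*".
_ATTR_STEP = re.compile(r"^(.*?)(//?)@([A-Za-z_][\w.-]*|\*)$")


def _relativize(root, expr):
    """Map an absolute XPath onto ElementTree's relative syntax (root = context root)."""
    if expr.startswith("//"):
        return "." + expr
    if expr.startswith("/"):
        first, _, rest = expr[1:].partition("/")
        if first != root.tag:
            return None  # absolute path does not start at the document element
        return "./" + rest if rest else "."
    return expr


def node_set(root, expr, ns=NS):
    """Evaluate expr against the request context and return a set of nodes (possibly empty)."""
    m = _ATTR_STEP.match(expr)
    if m:
        owner_expr, sep, name = m.groups()
        owners = {e for e in node_set(root, owner_expr, ns) if isinstance(e, ET.Element)}
        if sep == "//":  # a//@* : attributes of a and of all its descendants
            owners = {d for e in owners for d in e.iter()}
        return {(e, a) for e in owners for a in e.attrib if name == "*" or a == name}
    path = _relativize(root, expr)
    if path is None:
        return set()
    return set(root.findall(path, namespaces=ns))


def _subtree(elem):
    """a | a//* | a//@* : the element, every descendant element, and all their attributes."""
    nodes = set()
    for e in elem.iter():  # iter() yields the element itself first
        nodes.add(e)
        nodes.update((e, a) for a in e.attrib)
    return nodes


def xpath_equal(root, expr1, expr2, ns=NS):
    """True iff the two node sets share at least one node (non-null intersection).
    An empty node set on either side yields False, as the proposal requires."""
    first, second = node_set(root, expr1, ns), node_set(root, expr2, ns)
    if not first or not second:
        return False
    return not first.isdisjoint(second)


def xpath_match(root, expr1, expr2, ns=NS):
    """Hierarchical variant: element nodes of the first set are widened to their
    whole subtree, attribute nodes are kept as they are, then xpath-equal applies."""
    widened = set()
    for n in node_set(root, expr1, ns):
        widened |= _subtree(n) if isinstance(n, ET.Element) else {n}
    second = node_set(root, expr2, ns)
    if not widened or not second:
        return False
    return not widened.isdisjoint(second)


CTX = ET.fromstring(REQUEST_XML)

if __name__ == "__main__":
    role = '/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue'
    print(xpath_equal(CTX, role, role))                    # True
    print(xpath_match(CTX, "//md:record", "//md:patient"))  # True: patient lies below record
    print(xpath_match(CTX, "//md:patient", "//md:record"))  # False: the ancestor is not below
```

Note that the second pair of calls shows why the widening matters: xpath-equal on `//md:record` and `//md:patient` is false because the two node sets are disjoint, while xpath-match is true in one direction only, which is the "pseudo hierarchical" access control the proposal is after.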


