Subject: [xacml] Making MatchId and FunctionId argument order the same
I have identified the exact changes required in order for us to make the arguments to a MatchId function appear in the same order as the arguments to a FunctionId function. I believe they are not nearly so extensive as we thought, and that we should make this change. Otherwise, we will have to live with this major, confusing inconsistency forever.

In general:

a. Redefine the -match functions such that the template is the second argument and the explicit value is the first argument.
   a. rfc822Name-match
   b. x500Name-match
   c. regexp-string-match [rename to string-regexp match]
   d. xpath-node-match
b. Specify that Match element arguments are passed to the MatchId function in the same order in which they appear in the Match element.
c. NO changes are required in the schema.
d. NO changes are required in the examples, as -match functions appear only in example <Target> elements, where they are already in the new, correct order.

Specific changes required:

A.12. Matching elements

1. Change pdf:3538-3543 (but from new A.12 Matching elements version) from:

   The attribute value specified in the matching element SHALL be supplied to the MatchId function as its first argument. An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its second argument[1]. The datatype of the <AttributeDesignator> or <AttributeSelector> element SHALL match the datatype of the second argument expected by the MatchId function. The datatype of the attribute value SHALL match the datatype of the first argument expected by the MatchId function.

   to:

   An element of the bag returned by the <AttributeDesignator> or <AttributeSelector> element SHALL be supplied to the MatchId function as its first argument[1]. The attribute value specified in the matching element SHALL be supplied to the MatchId function as its second argument. The datatype of the <AttributeDesignator> or <AttributeSelector> element SHALL match the datatype of the first argument expected by the MatchId function. The datatype of the attribute value SHALL match the datatype of the second argument expected by the MatchId function.

2. Change pdf:3508-3510 (but in new Appendix A.12 version) from:

   Otherwise, the MatchId function SHALL be applied between the explicit attribute value and each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element.

   to:

   Otherwise, the MatchId function SHALL be applied between each element of the bag returned from the <AttributeDesignator> or <AttributeSelector> element and the explicit attribute value.

3. Remove footnote from new version of Appendix A.12

4. Replace pdf:3526-3529 (but in new Appendix A.12 version) from:

   <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>
   <SubjectAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string"/>

   to:

   <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
   <SubjectAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string"/>
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John.*</AttributeValue>

A.14.12 Special match functions

5. Redefine regexp-string-match: Change pdf:4250-4253 from:

   The first argument SHALL be a regular expression and the second argument SHALL be a general string. The function specification SHALL be that of the "xf:match" function with the arguments reversed [XF Section 6.3.15.1].

   to:

   The first argument SHALL be a general string and the second argument SHALL be a regular expression. The function specification SHALL be that of the "xf:match" function [XF Section 6.3.15.1].

6. Redefine x500Name-match: Change pdf:4256-4258 from:

   It shall return "True" if and only if some terminal sequence of RDNs from the first argument matches the second argument when compared using x500Name-equal.

7. Redefine rfc822Name-match: Change pdf:4260-4282 to:

   This function SHALL evaluate to "True" if the first argument matches the second argument according to the following specification. An RFC822 name consists of a local-part followed by "@" followed by domain-part. The local-part is case-sensitive, while the domain-part (which is usually a DNS name) is not case-sensitive.[1]

   This function SHALL take two arguments, the first is of type "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" and the second is of type "http://www.w3.org/2001/XMLSchema#string" and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". The first argument contains a complete rfc822Name. The second argument is a complete or partial rfc822Name used to select appropriate values in the first argument as follows.

   In order to match a particular mailbox in the first argument, the second argument must specify the complete mail address to be matched. For example, if the second argument is "Anderson@sun.com", this matches a value in the first argument of "Anderson@sun.com" and "Anderson@SUN.COM", but not "Anne.Anderson@sun.com", "anderson@sun.com" or "Anderson@east.sun.com".

   In order to match any mail address at a particular domain in the first argument, the second argument must specify only a domain name (usually a DNS name). For example, if the second argument is "sun.com", this matches a value in the first argument of "Anderson@sun.com" or "Baxter@SUN.COM", but not "Anderson@east.sun.com".

   In order to match any mail address in a particular domain in the first argument, the second argument must specify the desired domain-part with a leading ".". For example, if the second argument is ".east.sun.com", this matches a value in the first argument of "Anderson@east.sun.com" and "anne.anderson@ISRG.EAST.SUN.COM" but not "Anderson@sun.com".

8. Change A.14.13 pdf:4303-4313 from:

   xpath-node-match

   This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL first extend the first argument to match an XML document in a hierarchical fashion. If a is an XPath expression and it is specified as the first argument, it SHALL be interpreted to mean match the set of nodes specified by the enhanced XPath expression "a | a//* | a//@*". In other words, the expression a SHALL match all elements and attributes below the element specified by a. This function SHALL evaluate to "True" if any XML node that matches the enhanced XPath expression is equal according to "op:node-equal" [XQO] to any XML node from the node-set matched by the second argument.

   to:

   xpath-node-match

   This function SHALL take two "http://www.w3.org/2001/XMLSchema#string" arguments, which SHALL be interpreted as XPath expressions and SHALL return an "http://www.w3.org/2001/XMLSchema#boolean". This function SHALL first extend the second argument to match an XML document in a hierarchical fashion. If 'a' is an XPath expression and it is specified as the second argument, it SHALL be interpreted to mean match the set of nodes specified by the enhanced XPath expression "a | a//* | a//@*". In other words, the expression a SHALL match all elements and attributes below the element specified by 'a'. This function SHALL evaluate to "True" if any XML node that matches the enhanced XPath expression is equal according to "op:node-equal" [XQO] to any XML node from the node-set matched by the first argument.

9. Throughout the specification, change "regexp-string-match" to "string-regexp-match"

10. Many conformance tests will need to be changed, as they often use -match functions in Apply elements. I can make these in one day, however, and I believe the effort is justified.

Anne Anderson
--
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
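
Added example, not part of the original message or of the XACML specification text: a Python implementation of rfc822Name-match under the argument order proposed in item 7 (first argument a complete rfc822Name from the bag, second argument the complete or partial template), together with the bag-element-first application from item 2. The function names and the sample bag are assumptions made for illustration.

```python
# Added example: rfc822Name-match with the argument order proposed in the
# message (first = complete rfc822Name from the bag, second = template).

def _split(name):
    """Split a complete rfc822Name into (local-part, lower-cased domain-part)."""
    local, sep, domain = name.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a complete rfc822Name: %r" % name)
    return local, domain.lower()   # only the domain-part is case-insensitive


def rfc822name_match(value, template):
    """value: complete rfc822Name; template: complete or partial rfc822Name."""
    local, domain = _split(value)
    if "@" in template:
        # Particular mailbox: local-part compared exactly, domain ignoring case.
        return (local, domain) == _split(template)
    wanted = template.lower()
    if wanted.startswith("."):
        # Leading ".": the message's example counts "east.sun.com" itself as
        # matching ".east.sun.com", so accept that domain and anything under it.
        return domain == wanted[1:] or domain.endswith(wanted)
    # Bare domain: exact domain only, so "sun.com" never matches a subdomain
    # or an unrelated domain that merely ends in the same characters.
    return domain == wanted


def evaluate_match(match_fn, bag, literal):
    """Apply match_fn(bag element, literal) in the proposed order.

    Assumption: the match succeeds if any bag element matches; the message
    quotes only the order of application, not how results are combined.
    """
    return any(match_fn(element, literal) for element in bag)


# Constructed sample bag, using addresses from the message's examples.
BAG = ["Anne.Anderson@sun.com", "Anderson@SUN.COM", "Anderson@east.sun.com"]

if __name__ == "__main__":
    for tmpl in ("Anderson@sun.com", "sun.com", ".east.sun.com"):
        print(tmpl, [v for v in BAG if rfc822name_match(v, tmpl)])
```

Passing the arguments in the old order (template first) raises ValueError for a domain-only template, so a policy engine that mixes the two conventions fails closed here instead of silently evaluating a different comparison.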