OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [xacml] XPath/AttributeSelector question



Thanks for your comments on this issue! A few comments/questions:

On Thu, 2004-05-06 at 21:00, Satoshi Hada wrote:
> >> the term "context node" this means not only that the 
> >> Request element is the root of the XPath query, but that the
> Request 
> >> element also provides all namespace information. Is this correct?
> 
> I don't think the term has some implication about how or where we need
> to provide namespace-related information, 
> in particular, where we specify the required PREFIX-to-URI mapping
> (But I may be wrong).

Ok. Since I didn't see any text elsewhere in the specification about
namespace mapping, I wasn't sure if the intent of the term "context
node" was to define the mapping or not. Thanks.

> Please see the mails with the title "Test cases for Attribute
> Selector" for related discussion.
> http://lists.oasis-open.org/archives/xacml-comment/200303/maillist.html

Right, this raises a similar question to mine, but it doesn't lead to a
resolution. Has this issue been discussed in the TC before? Was there
concensus on namespace resolution? I think it would be a good idea to
make this clearer in 2.0 so there's no ambiguity about namespace
handling.

> I have two comments on this issue.
> 
> (A)
> Personally, I feel the namespace information (xmlns attributes)
> required to resolve an XPath expression 
> should be provided in policies but not in request contexts since
> attribute selectors (and XPath expressions) are specified in policies 
> but not in request contexts. If a policy specifies an XPath expression
> (e.g. /md:record) in an attribute selector but 
> provides no namespace information (no "xmlns:md" attribute), then I
> think the policy is ambiguous by itself.

That sounds fine to me. The problem I was having is that I don't see
anything in the specification that makes this clear. Am I just missing
that text? :) If not, I think it would be a good idea to clarify this in
XACML 2.0.

> (B)
> There is no reason why we must use the same namespace prefix to
> represent a namespace URI
> in policies and request contexts.
> Take for example the IIF007 testcase. The policy and request use the
> same prefix "md".
> However, I believe that it should work even if the policy and reqeust
> use two different prefixes:
> 1) In IIIF007Policy.xml, replace the prefix "md" with a different one
> (e.g. "medical"), but
> 2) In IIIF007Request.xml, leave the prefix "md" as it is.
> Note that the two prefixes still represent the same URI.
> In this case, information required to resolve the "medical" prefix
> should be provided in IIIF007Policy.xml
> and information required to resolve the "md" prefix should be provided
> in IIIF007Request.xml

I agree. This makes complete sense, especially given your comment A
above.

> From my perspective, IIIF002Request.xml does not need to have the
> "xmlns:md" attribute since 
> it does not use the prefix "md" in it (even though IIIF002Policy.xml
> uses it).

Agreed.


seth



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]