Subject: Re: [xacml] XML doc hierarchical resource questions
Hi, Anne,

Before answering your question, I list below several cases for XML documents that I have in mind.

Case 1: Request includes only an XPath expression as target resource-id

  The XPath expression represents a target single node in the XML document embedded in ResourceContent. This is the simplest case.

Case 2: Request includes both a URI and an XPath expression as target resource-id

  The URI represents a target XML document and the XPath expression represents the target single node of the said XML document. The target XML document is embedded in ResourceContent. Since it refers to a single target location (a specific node in a specific XML doc), it is in line with our assumption. One of the ways to specify this is to have two resource-id attributes with different data types. For example,

    <Request>
      ...
      attribute: resource-id="http://medico/record/Bert", datatype: "URI"
      attribute: resource-id="/md:record/md:patient", datatype: "XPath"
      ...
    </Request>

Case 3: Request includes only a URI as target resource-id

  The URI represents a target XML document. This case is not an element-level access request but a document-level access request.

...

I will summarize my requirements and post them to the list later.

Best,
Michiharu


From: Anne Anderson <Anne.Anderson@Sun.COM>
Sent: 2004/05/27 01:12
To: XACML TC <xacml@lists.oasis-open.org>
Please respond to: Anne.Anderson
Subject: [xacml] XML doc hierarchical resource questions

OK, you XPath expression experts! Michiharu, I hope this includes you! :-)

I am comparing the XACML 1.1 example that uses XML document access in "Section 4.2.2 Example request context" to the current XACML 2.0 Hierarchical Resource draft (http://lists.oasis-open.org/archives/xacml/200405/msg00104.html). There are some significant differences. I would like feedback on whether the differences are OK.

The document being accessed is:

  <?xml version ...?>
  <record xmlns="http://www.medico.com/schemas/record.xsd" ...>
    <patient>
    ....
  </record>

1. 1.1 includes the actual document in the ResourceContent element.
   2.0 does the same. 2.0 explicitly requires this if the resource is an XML document.

2. 1.1 uses the following "resource-id" Attribute:

     <Attribute AttributeId="...:resource-id" DataType="...#string">
       <AttributeValue>
         //medico.com/records/bart-simpson.xml#
         xmlns(md=//http:www.medico.com/schemas/record.xsd)
         xpointer(/md:record/md:patient/md:patientDoB)
       </AttributeValue>
     </Attribute>

   2.0 says to put an XPath expression that evaluates to exactly the one node being requested into the "resource-id" Attribute, and give it the new "xpath-expression" DataType (defined as "a string that is to be interpreted as an XPath expression").

   A request from the PEP might include an XPath expression that evaluates to more than one requested node in the "resource-id" Attribute. The Context Handler is responsible for converting this to a series of Requests, each of which asks for exactly one node. For each Request for exactly one node, the Context Handler is responsible for constructing an XPath expression that evaluates to only that one node, and putting it into the "resource-id" Attribute for that Request.

   Rationale: By putting the actual XPath expression into the "resource-id" Attribute, a "resource-id" Attribute constructed by the Context Handler is treated the same as an original request for only a single node, and we have an appropriate value to put into the ResourceId field of each Response Result.

3. 1.1 uses the following "xpath" Attribute:

     <Attribute AttributeId="...:xpath" DataType="...#string">
       <AttributeValue>
         xmlns(md=http:www.medico.com/schemas/record.xsd)
         xpointer(/md:record/md:patient/md:patientDoB)
       </AttributeValue>
     </Attribute>

   2.0 eliminates the "xpath" Attribute, since the information is contained in the "resource-id" Attribute.

4. 1.1 uses the following "target-namespace" Attribute that is not described in Appendix "B.6 Resource Attributes":

     <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" DataType="...#string">
       <AttributeValue>
         http://www.medico.com/schemas/record.xsd
       </AttributeValue>
     </Attribute>

   2.0 does not specify this Attribute, since the information is contained in the "resource-id" Attribute (I think).

The point is: is an XPath expression in the "...:resource-id" Attribute, using the new "xpath-expression" DataType, sufficient to contain all the information that a policy will need to apply to this particular XML document and to the requested node? Do we need an additional Attribute to match on separately for the document's namespace? Do we need an additional Attribute to match on for the node's "identity" (even though a Context Handler will not be able to construct an "identity" if multiple nodes are requested)?

Anne
-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
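Anne's point 2 describes the Context Handler turning a PEP request whose resource-id XPath selects several nodes into a series of Requests that each name exactly one node. The Python below is an added illustration of that step, not code from the thread or from any XACML implementation; it handles only the XPath subset the thread's examples use (absolute prefix:name steps with an optional position predicate), the "md" prefix and the two-patient record are constructed inputs, and the xpath-expression DataType identifier is a placeholder because the thread gives only its short name.

```python
import re
import xml.etree.ElementTree as ET
NS = {"md": "http://www.medico.com/schemas/record.xsd"}  # prefix from the quoted example
URI2PREFIX = {v: k for k, v in NS.items()}
XPATH_DT = "xpath-expression"  # placeholder: the thread gives only the DataType's short name
STEP = re.compile(r"^(\w+):(\w+)(?:\[(\d+)\])?$")  # one 'prefix:name[n]' location step

# Constructed sample in the record.xsd shape; two patients, so the PEP's XPath hits two nodes.
DOC = """<record xmlns="http://www.medico.com/schemas/record.xsd">
  <patient><patientDoB>1992-02-23</patientDoB></patient>
  <patient><patientDoB>1956-03-19</patientDoB></patient>
</record>"""

def clark(prefix, local):  # 'md', 'patient' -> '{uri}patient', the tag form ElementTree uses
    return "{%s}%s" % (NS[prefix], local)

def evaluate(xpath, root):
    """Select the nodes an absolute path of prefix:name[n] steps denotes (the subset used here)."""
    steps = [STEP.match(s) for s in xpath.lstrip("/").split("/")]
    if not xpath.startswith("/") or None in steps:
        raise ValueError("unsupported XPath: " + xpath)
    nodes = [ET.Element("document")]  # XPath data model: a document node whose child is root
    nodes[0].append(root)
    for step in steps:
        prefix, local, pos = step.groups()
        tag, nxt = clark(prefix, local), []
        for n in nodes:
            same = [c for c in n if c.tag == tag]  # a position counts same-named siblings only
            nxt += same if pos is None else same[int(pos) - 1:int(pos)]
        nodes = nxt
    return nodes

def single_node_xpath(node, parents):
    """Absolute path with a position predicate on every step, so it selects exactly this node."""
    steps = []
    while node is not None:
        parent = parents.get(node)
        same = [c for c in parent if c.tag == node.tag] if parent is not None else [node]
        uri, local = node.tag[1:].split("}")
        steps.append("%s:%s[%d]" % (URI2PREFIX[uri], local, same.index(node) + 1))
        node = parent
    return "/" + "/".join(reversed(steps))

def split_request(doc_xml, resource_xpath):
    """Context Handler step from the thread: one Request per node the PEP's XPath selects."""
    root = ET.fromstring(doc_xml)
    parents = {c: p for p in root.iter() for c in p}
    xps = [single_node_xpath(n, parents) for n in evaluate(resource_xpath, root)]
    assert all(len(evaluate(xp, root)) == 1 for xp in xps), xps  # 2.0 rule: exactly one node each
    return [{"resource-id": xp, "DataType": XPATH_DT, "ResourceContent": doc_xml} for xp in xps]
```

Each returned resource-id is also the value the Context Handler would copy into the ResourceId field of the matching Response Result, which is the rationale Anne gives for carrying the XPath itself in the Attribute.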