Subject: Re: [xacml] XML doc hierarchical resource questions






Hi, Anne,

Before answering your question, I list below several cases for XML documents
that I have in mind.

Case 1: Request includes only XPath expression as target resource-id
XPath expression represents a target single node in the XML document
embedded in ResourceContent.
This is the simplest case.

Case 2: Request includes both URI and XPath expression as target
resource-id
URI represents a target XML document and XPath expression represents the
target single node of the said XML document.
Target XML document is embedded in ResourceContent.
Since it refers to a single target location (a specific node in a specific
XML doc), it is in line with our assumption.
One way to specify this is to have two resource-id attributes with different
data types. For example,
<Request>
...
attribute: resource-id="http://medico/record/Bert", datatype: "URI"
attribute: resource-id="/md:record/md:patient", datatype:"XPath"
...
</Request>

Case 3: Request includes only URI as target resource-id
URI represents a target XML document. This case is not element-level access
request but document-level access request.
...

I will summarize my requirements and post it to the list later.

Best,
Michiharu



From: Anne Anderson <Anne.Anderson@Sun.COM>
To: XACML TC <xacml@lists.oasis-open.org>
Date: 2004/05/27 01:12
Reply-To: Anne.Anderson
Subject: [xacml] XML doc hierarchical resource questions

OK, you XPath expression experts!  Michiharu, I hope this
includes you! :-)

I am comparing the XACML 1.1 example that uses XML document
access in "Section 4.2.2 Example request context" to the current
XACML 2.0 Hierarchical Resource draft
(http://lists.oasis-open.org/archives/xacml/200405/msg00104.html).

There are some significant differences.  I would like feedback on
whether the differences are OK.

The document being accessed is:

  <?xml version ...?>
  <record xmlns="http://www.medico.com/schemas/record.xsd" ...>
     <patient>
     ....
  </record>

1. 1.1 includes the actual document in the ResourceContent
   element.  2.0 does the same.  2.0 explicitly requires this if
   the resource is an XML document.

2. 1.1 uses the following "resource-id" Attribute:

   <Attribute AttributeId="...:resource-id"
              DataType="...#string">
     <AttributeValue>
        //medico.com/records/bart-simpson.xml#
          xmlns(md=//http:www.medico.com/schemas/record.xsd)
          xpointer(/md:record/md:patient/md:patientDoB)
     </AttributeValue>
   </Attribute>

   2.0 says to put an XPath expression that evaluates to exactly
   the one node being requested into the "resource-id" Attribute,
   and give it the new "xpath-expression" DataType (defined as "a
   string that is to be interpreted as an XPath expression").

   A request from the PEP might include an XPath expression that
   evaluates to more than one requested node in the "resource-id"
   Attribute.  The Context Handler is responsible for converting
   this to a series of Requests, each of which asks for exactly
   one node.  For each Request for exactly one node, the Context
   Handler is responsible for constructing an XPath expression
   that evaluates to only that one node, and putting it into the
   "resource-id" Attribute for that Request.

   Rationale:

   By putting the actual XPath expression into the "resource-id"
   Attribute, a "resource-id" Attribute constructed by the
   Context Handler is treated the same as an original request for
   only a single node, and we have an appropriate value to put
   into the ResourceId field of each Response Result.

3. 1.1 uses the following "xpath" Attribute:

   <Attribute AttributeId="...:xpath"
              DataType="...#string">
      <AttributeValue>
        xmlns(md=http:www.medico.com/schemas/record.xsd)
        xpointer(/md:record/md:patient/md:patientDoB)
      </AttributeValue>
   </Attribute>

   2.0 eliminates the "xpath" Attribute, since the information is
   contained in the "resource-id" Attribute.

4. 1.1 uses the following "target-namespace" Attribute that is
   not described in Appendix "B.6 Resource Attributes":

   <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
              DataType="...#string">
     <AttributeValue>
        http://www.medico.com/schemas/record.xsd
     </AttributeValue>
   </Attribute>

   2.0 does not specify this Attribute, since the information is
   contained in the "resource-id" Attribute (I think).

The point is, is an XPath expression in the "...:resource-id"
Attribute, using the new "xpath-expression" DataType, sufficient
to contain all the information that a policy will need to apply
to this particular XML document and to the Requested node?  Do we
need an additional Attribute to match on separately for the
document's namespace?  Do we need an additional Attribute to
match on for the node's "identity" (even though a Context Handler
will not be able to construct an "identity" if multiple nodes are
requested)?

Anne
--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
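The Context Handler step Anne describes in point 2 (expand an XPath that selects several nodes into a series of Requests, each carrying an XPath that evaluates to exactly one node, reusable as the Result's ResourceId) and the two-resource-id form from Michiharu's Case 2 (document URI plus XPath) are sketched below as an added example. This is not code from the thread, from the XACML TC or from any XACML implementation. It uses only the Python standard library and handles a restricted XPath subset (namespace-prefixed child steps with optional 1-based positional predicates); the sample record document, the document URI and the xpath-expression data-type URN are constructed placeholders, since the 2.0 draft under discussion had not yet fixed that identifier.

```python
"""Expand a resource-id XPath that may select several nodes into one single-node
request per selected node, each with an XPath that evaluates to exactly that node.

Added example, not code from the XACML TC thread or any XACML implementation.
Standard library only; the XPath subset handled is /p:a/p:b[n]/... (namespace-
prefixed child steps with optional 1-based positional predicates).
"""
import re
import xml.etree.ElementTree as ET

# resource-id and anyURI are the standard identifiers; the xpath-expression
# data-type URN is a placeholder for the identifier the 2.0 draft had not fixed.
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
URI_TYPE = "http://www.w3.org/2001/XMLSchema#anyURI"
XPATH_TYPE = "urn:example:xacml:data-type:xpath-expression"  # placeholder, not a real URN

NSMAP = {"md": "http://www.medico.com/schemas/record.xsd"}

# Constructed sample document with two patients, so a predicate-free XPath hits two nodes.
RECORD_XML = """<record xmlns="http://www.medico.com/schemas/record.xsd">
  <patient><name>Bart</name><patientDoB>1992-02-23</patientDoB></patient>
  <patient><name>Lisa</name><patientDoB>1994-05-09</patientDoB></patient>
</record>"""

STEP = re.compile(r"^([\w.-]+):([\w.-]+)(?:\[(\d+)\])?$")


def _clark(prefix, local, nsmap):
    """'md:patient' -> '{uri}patient', the tag form ElementTree uses internally."""
    return "{%s}%s" % (nsmap[prefix], local)


def select(root, abs_xpath, nsmap):
    """Evaluate an absolute XPath of the restricted form; return the matching elements."""
    steps = abs_xpath.strip("/").split("/")
    prefix, local, _ = STEP.match(steps[0]).groups()
    if root.tag != _clark(prefix, local, nsmap):
        return []
    nodes = [root]
    for step in steps[1:]:
        prefix, local, idx = STEP.match(step).groups()
        tag = _clark(prefix, local, nsmap)
        nxt = []
        for node in nodes:
            kids = [c for c in node if c.tag == tag]
            if idx is None:
                nxt.extend(kids)                 # no predicate: every matching child
            elif int(idx) <= len(kids):
                nxt.append(kids[int(idx) - 1])   # XPath positions are 1-based
        nodes = nxt
    return nodes


def unique_xpath(root, node, nsmap):
    """Build an absolute XPath with positional predicates that selects only `node`."""
    rev = {uri: prefix for prefix, uri in nsmap.items()}

    def qname(tag):
        uri, local = tag[1:].split("}", 1)
        return "%s:%s" % (rev[uri], local)

    parents = {child: parent for parent in root.iter() for child in parent}
    steps = []
    cur = node
    while cur is not root:
        parent = parents[cur]
        siblings = [c for c in parent if c.tag == cur.tag]
        steps.append("%s[%d]" % (qname(cur.tag), siblings.index(cur) + 1))
        cur = parent
    steps.append(qname(root.tag))   # the document element needs no predicate
    return "/" + "/".join(reversed(steps))


def split_request(doc_xml, pep_xpath, nsmap, doc_uri=None):
    """Return one request (as a dict) per node the PEP's XPath selects.

    Each request repeats the document in ResourceContent and carries a resource-id
    holding the single-node XPath; with doc_uri set it also carries a second
    resource-id of type anyURI (Case 2). The XPath doubles as the ResourceId to
    echo in that request's Result.
    """
    root = ET.fromstring(doc_xml)
    requests = []
    for node in select(root, pep_xpath, nsmap):
        xpath = unique_xpath(root, node, nsmap)
        # Invariant the Context Handler must guarantee: the expression selects one node.
        if select(root, xpath, nsmap) != [node]:
            raise ValueError("constructed expression is not unique: " + xpath)
        attrs = []
        if doc_uri is not None:
            attrs.append({"AttributeId": RESOURCE_ID, "DataType": URI_TYPE, "AttributeValue": doc_uri})
        attrs.append({"AttributeId": RESOURCE_ID, "DataType": XPATH_TYPE, "AttributeValue": xpath})
        requests.append({"ResourceContent": doc_xml, "Resource": attrs, "ResultResourceId": xpath})
    return requests


if __name__ == "__main__":
    for req in split_request(RECORD_XML, "/md:record/md:patient/md:patientDoB", NSMAP,
                             "http://medico/record/Bert"):
        print(req["ResultResourceId"])
```

Run as a script it prints `/md:record/md:patient[1]/md:patientDoB[1]` and `/md:record/md:patient[2]/md:patientDoB[1]`: the PEP's predicate-free expression became two requests whose resource-id values are distinguishable, which is exactly what makes them usable as ResourceId in the two Results. A request that already names a single node (Case 1) passes through as one request, and the uniqueness check raises rather than silently emitting an ambiguous expression.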

