Subject: RE: [xacml] URI match function
Rich - See below a revised version of the function definition.

As currently specified (see clause 3 "at least one of"), the function would not allow wild-cards in the middle. This is a restriction inherited from JSR115. Of course, this could be changed. Are you advocating for such a change? Obviously, the cost is increased complexity.

All the best. Tim.

Here is the revised definition ...

urn:oasis:names:tc:xacml:2.0:function:url-subtree-match

This function takes two arguments of type http://www.w3.org/2001/XMLSchema#anyURI and SHALL return an http://www.w3.org/2001/XMLSchema#boolean. The first argument SHALL contain zero or one "*" characters, representing a wild-card. The second argument SHALL contain zero "*" characters. System components that construct URLs or URL fragments containing the "*" character, which may be used as input to this function, SHOULD use the escape sequence "%2A" instead.

The function SHALL return "True" if all of the following conditions hold. Otherwise, it SHALL return "False".

1. The scheme part of both arguments SHALL be the same and SHALL be either "http", "https" or "file". The scheme parts MAY be compared using urn:oasis:names:tc:xacml:1.0:function:string-equal, once both parts have been normalized to upper-case.

2. The authority part of the first argument SHALL match the authority part of the second argument. If the first character of the authority part is a number, then the part contains an IP address (and optionally a port range), and the urn:oasis:names:tc:xacml:2.0:function:ipAddress-match function SHALL be used. Otherwise, the part contains a host name (and optionally a port range), and the urn:oasis:names:tc:xacml:2.0:function:dnsName-match function SHALL be used.

3. The path part of the first argument SHALL match the path part of the second argument in at least one of the following ways.

   3a The path part of the first argument matches the path part of the second argument by urn:oasis:names:tc:xacml:1.0:function:string-equal.

   3b The path part of the first argument is the string "/*".

   3c The path part of the first argument starts with "/" and ends with "/*" and the path part of the second argument starts with the same string as the path part of the first argument, minus its last 2 characters, and the next character of the path part of the second argument, if present, is "/".

   3d The path part of the first argument starts with "*." and the path part of the second argument ends with the same string as the path part of the first argument, minus its first 2 characters.

   3e The path part of the first argument is the special string, "/", which matches all other paths.

-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com]
Sent: Wednesday, June 16, 2004 7:10 PM
To: Tim Moses
Cc: 'Michiharu Kudoh'; 'xacml'
Subject: RE: [xacml] URI match function

> url-branch-match?

how about subtree instead of branch? might be possible to have /foo/**/*.html match all static web pages, e.g.

--
Rich Salz
Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
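The draft definition above, read literally and written out as an added example (not code from this message or from the XACML TC), so the boundary cases in clause 3 can be exercised. The function names are hypothetical, authority_match is a simplified stand-in for ipAddress-match and dnsName-match (not defined in this message), and raising ValueError on a bad wild-card count is an assumption.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"HTTP", "HTTPS", "FILE"}

def path_match(pattern: str, path: str) -> bool:
    """Clause 3 of the draft: True if any of 3a-3e holds."""
    if pattern == path:                      # 3a: string-equal
        return True
    if pattern in ("/*", "/"):               # 3b and 3e: match every path
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                # 3c: "/docs/*" -> "/docs"
        if path.startswith(prefix):
            rest = path[len(prefix):]
            # The next character, if present, must be "/", so "/docs/*"
            # covers "/docs" and "/docs/a" but not "/docs-private".
            return rest == "" or rest[0] == "/"
        return False
    if pattern.startswith("*."):             # 3d: extension pattern
        # Literal reading: dropping the first 2 characters ("*.") leaves
        # "html", so "/a/xhtml" also matches "*.html".
        return path.endswith(pattern[2:])
    return False                             # e.g. a "*" in the middle

def authority_match(a: str, b: str) -> bool:
    # Assumption: stand-in for ipAddress-match / dnsName-match;
    # exact, case-insensitive comparison, no port ranges.
    return a.lower() == b.lower()

def url_subtree_match(first: str, second: str) -> bool:
    if first.count("*") > 1 or "*" in second:
        # Assumption: the draft does not say what happens here; reject.
        raise ValueError("wild-card count violates the argument rules")
    p, u = urlsplit(first), urlsplit(second)
    scheme = p.scheme.upper()                # clause 1: upper-case compare
    if scheme != u.scheme.upper() or scheme not in ALLOWED_SCHEMES:
        return False
    if not authority_match(p.netloc, u.netloc):   # clause 2
        return False
    return path_match(p.path, u.path)        # clause 3
```
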