RE: [xacml] URI match function

[Tim Moses <tim.moses@entrust.com>]

Rich - See below a revised version of the function definition.  As currently
specified (see clause 3 "at least one of"), the function would not allow
wild-cards in the middle.  This is a restriction inherited from JSR115.  Of
course, this could be changed.  Are you advocating for such a change?
Obviously, the cost is increased complexity.  All the best.  Tim.


Here is the revised definition ...

urn:oasis:names:tc:xacml:2.0:function:url-subtree-match

This function takes two arguments of type
http://www.w3.org/2001/XMLSchema#anyURI and SHALL return an
http://www.w3.org/2001/XMLSchema#boolean.  The first argument SHALL contain
zero or one "*" characters, representing a wild-card.  The second argument
SHALL contain zero "*" characters.  System components that construct URLs or
URL fragments containing the "*" character, which may be used as input to
this function, SHOULD use the escape sequence "%2A" instead.

The function SHALL return "True" if all of the following conditions hold.
Otherwise, it SHALL return "False".  

1.	The scheme part of both arguments SHALL be the same and SHALL be
either "http", "https" or "file".  The scheme parts MAY be compared using
urn:oasis:names:tc:xacml:1.0:function:string-equal, once both parts have
been normalized to upper-case.
2.	The authority part of the first argument SHALL match the authority
part of the second argument.  If the first character of the authority part
is a number, then the part contains an IP address (and optionally a port
range), and the urn:oasis:names:tc:xacml:2.0:function:ipAddress-match
function SHALL be used.  Otherwise, the part contains a host name (and
optionally a port range), and the
urn:oasis:names:tc:xacml:2.0:function:dnsName-match function SHALL be used.
3.	The path part of the first argument SHALL match the path part of the
second argument in at least one of the following ways.
3a	The path part of the first argument matches the path part of the
second argument by urn:oasis:names:tc:xacml:1.0:function:string-equal.
3b	The path part of the first argument is the string "/*".
3c	The path part of the first argument starts with "/" and ends with
"/*" and the path part of the second argument starts with the same string as
the path part of the first argument, minus its last 2 characters, and the
next character of the path part of the second argument, if present, is "/".
3d	The path part of the first argument starts with "*." and the path
part of the second argument ends with the same string as the path part of
the first argument, minus its first 2 characters.
3e	The path part of the first argument is the special string, "/",
which matches all other paths.


-----Original Message-----
From: Rich Salz [mailto:rsalz@datapower.com] 
Sent: Wednesday, June 16, 2004 7:10 PM
To: Tim Moses
Cc: 'Michiharu Kudoh'; 'xacml'
Subject: RE: [xacml] URI match function


> url-branch-match?


how about subtree instead of branch?  might be possible to have
	/foo/**/*.html
match all static web pages, e.g.

--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html


To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.p
hp.