[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [xacml] URI-match function proposal
Here is a draft of the proposed URI-match function. My motivation is to create a universal match function that satisfies our needs. The following are some proposals and ideas posted on the list: - URL-match function proposed by Tim - URI-match-with-propagation by me - ** in Ant suggested by Polar - general match function by Seth - Version number metching by Bill My observation for the requirements of the match function is the following: - We need a generic match function that works on hierarchy. - The scheme should be able to distinguish the hierarchical match from the regular expression match. - The scheme should include sub-tree match as well as single-node (file, directory etc.) match. - The scheme should support various kinds of separator for hierarchy. - The scheme should apply syntax with which many people are familiar. - The scheme should fit with our own purposes. Of course this is not complete but I believe that this covers several peoples' requirements including me. The basic idea is the following: - Match function that works on URI syntax (including URL and URN) - Pattern match character includes "*", "?", and "**" (maybe more) + "*" is used for single-node match. + "**" is used for sub-tree match (from Ant). + "?" is used for one-character match. - Hierarchical separators are "/" and ":" (or more). The following are several examples in my minds: Pattern String Match /a /a true /a/* /a false /a/* /a/b true /a/* /a/b/c false /a/** /a false /a/** /a/b true /a/** /a/b/c true /a?/* /a1/b true /a?/*.html /a1/xy.html true a:b:* a:b:c true (":" is URI's colon) a:b:** a:b:c:d true http://a.b/x/** http://a.b/x/y/z true ('*' is used in two ways: single hierarchical match e.g. /a/* and any string match e.g. /a/*.html) One problem I had in the above example is that there is no simple syntax that matches both the indicated node and its sub-tree. For example, if we need to specify a policy that matches to /a and the sub-tree, we need to specify two patterns i.e. /a and /a/**. JSR115 uses /a:/a** where ':' indicates 'or' combination of two patterns that conflicts with patterns for the urn cases above. So the following is one of the solution for this problem: - Introduce "***" for representing both the indicated node and its sub-tree. For example, /a/*** is a shorthand of /a and /a/**. Thus /a/*** matches /a, /a/b, /a/b/c etc. - In the same way, a:b:*** is a shorthand of a:b and a:b:**. Thus, urn:oasis:names:tc:xacml:*** matches urn:oasis:names:tc:xacml, urn:oasis:names:tc:xacml:1.0, urn:oasis:names:tc:xacml:2.0 etc. We might allow the following patterns that has wild cards in the middle if we could agree: /a/*/b matches /a/x/b. /a/**/b matches /a/x/y/b. Any comments are welcome. Best, Michiharu
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]