Subject: [xacml] URI-match function proposal






Here is a draft of the proposed URI-match function.

My motivation is to create a universal match function that satisfies our
needs. The following are some proposals and ideas posted on the list:

- URL-match function proposed by Tim
- URI-match-with-propagation by me
- ** in Ant suggested by Polar
- general match function by Seth
- Version number matching by Bill

My observation for the requirements of the match function is the following:
- We need a generic match function that works on hierarchy.
- The scheme should be able to distinguish the hierarchical match from the
regular expression match.
- The scheme should include sub-tree match as well as single-node (file,
directory etc.) match.
- The scheme should support various kinds of separator for hierarchy.
- The scheme should apply syntax with which many people are familiar.
- The scheme should fit with our own purposes.

Of course this is not complete, but I believe that this covers several
people's requirements, including mine.

The basic idea is the following:
- Match function that works on URI syntax (including URL and URN)
- Pattern match character includes "*", "?", and "**" (maybe more)
  + "*" is used for single-node match.
  + "**" is used for sub-tree match (from Ant).
  + "?" is used for one-character match.
- Hierarchical separators are "/" and ":" (or more).

The following are several examples I have in mind:

Pattern          String            Match
/a               /a                true
/a/*             /a                false
/a/*             /a/b              true
/a/*             /a/b/c            false
/a/**            /a                false
/a/**            /a/b              true
/a/**            /a/b/c            true
/a?/*            /a1/b             true
/a?/*.html       /a1/xy.html       true
a:b:*            a:b:c             true   (":" is URI's colon)
a:b:**           a:b:c:d           true
http://a.b/x/**  http://a.b/x/y/z  true

('*' is used in two ways: single hierarchical match e.g. /a/* and any
string match e.g. /a/*.html)

One problem I had in the above example is that there is no simple syntax
that matches both the indicated node and its sub-tree. For example, if we
need to specify a policy that matches /a and the sub-tree, we need to
specify two patterns, i.e. /a and /a/**. JSR115 uses /a:/a** where ':'
indicates an 'or' combination of two patterns, which conflicts with the
patterns for the urn cases above.

So the following is one of the solutions for this problem:
- Introduce "***" for representing both the indicated node and its
sub-tree. For example, /a/*** is a shorthand of /a and /a/**. Thus /a/***
matches /a, /a/b, /a/b/c etc.

- In the same way, a:b:*** is a shorthand of a:b and a:b:**. Thus,
urn:oasis:names:tc:xacml:*** matches urn:oasis:names:tc:xacml,
urn:oasis:names:tc:xacml:1.0, urn:oasis:names:tc:xacml:2.0 etc.

We might allow the following patterns that have wildcards in the middle if
we could agree:
/a/*/b  matches /a/x/b.
/a/**/b  matches /a/x/y/b.

Any comments are welcome.

Best,
Michiharu
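
The matching rules proposed in this message, as an added example that is not part of the original post or of any XACML specification. The function names, the translation to a regular expression, the requirement that a wildcard node be non-empty, and the rule that a sub-tree keeps the separator of its wildcard are assumptions made here.

```python
import re

NODE = "[^/:]"   # one character that is not a hierarchy separator ("/" or ":")

def _tokens(pattern):
    """Split into (separator, segment) pairs, remembering which separator was used."""
    parts = re.split(r"([/:])", pattern)
    return list(zip([""] + parts[1::2], parts[0::2]))

def _glob(segment):
    """Translate '*' and '?' inside one segment; neither may cross a separator."""
    table = {"*": NODE + "*", "?": NODE}
    return "".join(table.get(ch, re.escape(ch)) for ch in segment)

def compile_pattern(pattern):
    """Compile a proposal-style pattern into an anchored regular expression."""
    tokens = _tokens(pattern)
    out = []
    for i, (sep, seg) in enumerate(tokens):
        # Assumption: a node consumed by a whole-segment wildcard is non-empty
        # and is introduced by the same separator as the wildcard itself.
        node = re.escape(sep) + NODE + "+"
        if seg == "***":                 # the indicated node or anything below it
            if i != len(tokens) - 1:
                raise ValueError("'***' is only defined as the last segment")
            out.append("(?:%s)*" % node)
        elif seg == "**":                # sub-tree: one or more levels
            out.append("(?:%s)+" % node)
        elif seg == "*":                 # exactly one node
            out.append(node)
        else:                            # literal segment, possibly with * and ?
            out.append(re.escape(sep) + _glob(seg))
    return re.compile("".join(out))

def uri_match(pattern, string):
    """True when the whole string matches the pattern (no prefix matching)."""
    return compile_pattern(pattern).fullmatch(string) is not None

if __name__ == "__main__":
    # Rows taken from the table in the message.
    for pat, s in [("/a/*", "/a/b/c"), ("/a/**", "/a/b/c"), ("/a/***", "/a")]:
        print(pat, s, uri_match(pat, s))
```

The matcher compares literal strings, so a string such as /a/../c still matches /a/**; the URI has to be normalized before it is evaluated against a policy pattern.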


