OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml] URI-match function proposal

in contrast to functions like e-mail matching where we can reference an accepted 
standard for format (and leave the 'proof to the reader'), i posit that what we 
are trying to do here is create our own version of regex matching syntax (as was 
the case with version). as pointed out by michiharu--things like hierarchies can 
be syntactically variable so the problem is unbounded without general string 
operators and XACML defining such operators seems a bit risky to me.

maybe i am not missing something important here but we have a way to match 
hierarchical expressions against a filter: regexp-string-match. per the current 
spec, it uses the XPath/XQuery implementation of regex (extending XMLSchema's 
use by including things like '$' and '^') and should be able to match any 
hierarchy you can think of.

using some of the examples on the list i came up with the following:

Pattern: ^/a[^/]*$
  MATCHES  /ab
  NO MATCH /a/
  NO MATCH /ac/
  NO MATCH /a/b/c
  MATCHES  /askfjl28746.82347

Pattern: ^a[^:]*$
  NO MATCH a:b
  MATCHES  abc
  NO MATCH abc
  MATCHES  abc/d

Pattern: ^http:\/\/a\.b[^/]*$
  MATCHES  http://a.b
  MATCHES  http://a.bclkjdslkj
  NO MATCH http://a.b/
  NO MATCH http://a.bkljlk/
  NO MATCH http://a.b/d

Pattern: ^/a.*\/..*\.html[^/]*$
  MATCHES  /a.html
  MATCHES  /a/y.html
  MATCHES  /a1/y1.html
  NO MATCH /a1/y1.html/

Pattern: ^http:\/\/a\.b\/x\/.*$
  NO MATCH http:/a
  NO MATCH http://a
  NO MATCH http://a.b
  NO MATCH http://a.b/x
  MATCHES  http://a.b/x/
  MATCHES  http://a.b/x/kjlkj
  MATCHES  http://a.b/x/kjlkj/klj

is it me, or is this pretty straightforward? as far as i know, the expressions 
above conform with the XPath/XQuery use of regex.


Michiharu Kudoh wrote:

 > Of course this is not complete but I believe that this covers several
 > peoples' requirements including me.
 > The basic idea is the following:
 > - Match function that works on URI syntax (including URL and URN)
 > - Pattern match character includes "*", "?", and "**" (maybe more)
 >   + "*" is used for single-node match.
 >   + "**" is used for sub-tree match (from Ant).
 >   + "?" is used for one-character match.
 > - Hierarchical separators are "/" and ":" (or more).


 > One problem I had in the above example is that there is no simple syntax
 > that matches both the indicated node and its sub-tree. For example, if we
 > need to specify a policy that matches to /a and the sub-tree, we need to
 > specify two patterns i.e. /a and /a/**. JSR115 uses /a:/a** where ':'
 > indicates 'or' combination of two patterns that conflicts with patterns for
 > the urn cases above.
 > So the following is one of the solution for this problem:
 > - Introduce "***" for representing both the indicated node and its
 > sub-tree. For example, /a/*** is a shorthand of /a and /a/**. Thus /a/***
 > matches /a, /a/b, /a/b/c etc.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]