Re: [xacml] URI-match function proposal

[Michiharu Kudoh <KUDO@jp.ibm.com>]

Hi, Bill

I should have written that I am not trying to create yet another regular
expression match. I just tried to create a simple but useful convention for
hierarchy-wise matching.
Since we are extending XACML to support hierarchical resource, I think
XACML needs to show a right-focused hierarchical match solution that works
on hierarchical string representation (URI syntax). Some of them have been
summarized in the hierarchical resource profile document and this would be
one new addition to the profile (it means OPTIONAL)

Conventional regular expression standard could support our needs but the
reg-exp examples somehow loses policy writer's intuition on hierarchy-wise
matching (I am saying that policy writer could not write that syntax). If
hierarchy-wise matching expression could be converted into reg-exp
expression, it helps implementer. They don't have to implement their own
code for the hierarchy-wise matching. I think we should focus on the issue
of what is the right-focused hierarchy-wise matching solution to XACML
users, not only from implementers' perspective.

Re the syntax, I have no problem with removing '?' letter from my proposal.
Hierarchy-wise matching works only at the relativeURI portion of the URI
syntax and is supported only using "*", "**", and "***". "*" and "**" are
borrowed from Apache ANT. Only "***" is my artifact but it is just a
technical syntax sugar and useful for representing a policy in concise
manner.

Best,
Michiharu



                                                                           
             Bill Parducci                                                 
             <bparducci@glueco                                             
             de.com>                                                    To 
                                       "'xacml'"                           
             2004/06/24 03:55          <xacml@lists.oasis-open.org>        
                                                                        cc 
                                                                           
                                                                   Subject 
                                       Re: [xacml] URI-match function      
                                       proposal                            
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




in contrast to functions like e-mail matching where we can reference an
accepted
standard for format (and leave the 'proof to the reader'), i posit that
what we
are trying to do here is create our own version of regex matching syntax
(as was
the case with version). as pointed out by michiharu--things like
hierarchies can
be syntactically variable so the problem is unbounded without general
string
operators and XACML defining such operators seems a bit risky to me.

maybe i am not missing something important here but we have a way to match
hierarchical expressions against a filter: regexp-string-match. per the
current
spec, it uses the XPath/XQuery implementation of regex (extending
XMLSchema's
use by including things like '$' and '^') and should be able to match any
hierarchy you can think of.

using some of the examples on the list i came up with the following:

Pattern: ^/a[^/]*$
  MATCHES  /a
  MATCHES  /ab
  NO MATCH /a/
  NO MATCH /ac/
  NO MATCH /a/b/c
  MATCHES  /askfjl28746.82347

Pattern: ^a[^:]*$
  MATCHES  a
  NO MATCH a:
  NO MATCH a:b
  MATCHES  abc
  NO MATCH abc
  MATCHES  abc/d

Pattern: ^http:\/\/a\.b[^/]*$
  MATCHES  http://a.b
  MATCHES  http://a.bclkjdslkj
  NO MATCH http://a.b/
  NO MATCH http://a.bkljlk/
  NO MATCH http://a.b/d

Pattern: ^/a.*\/..*\.html[^/]*$
  NO MATCH /a
  MATCHES  /a.html
  MATCHES  /a/y.html
  MATCHES  /a1/y1.html
  NO MATCH /a1/y1.html/

Pattern: ^http:\/\/a\.b\/x\/.*$
  NO MATCH http:/a
  NO MATCH http://a
  NO MATCH http://a.b
  NO MATCH http://a.b/x
  MATCHES  http://a.b/x/
  MATCHES  http://a.b/x/kjlkj
  MATCHES  http://a.b/x/kjlkj/klj

is it me, or is this pretty straightforward? as far as i know, the
expressions
above conform with the XPath/XQuery use of regex.

b

Michiharu Kudoh wrote:

 > Of course this is not complete but I believe that this covers several
 > peoples' requirements including me.
 >
 > The basic idea is the following:
 > - Match function that works on URI syntax (including URL and URN)
 > - Pattern match character includes "*", "?", and "**" (maybe more)
 >   + "*" is used for single-node match.
 >   + "**" is used for sub-tree match (from Ant).
 >   + "?" is used for one-character match.
 > - Hierarchical separators are "/" and ":" (or more).

[...]

 > One problem I had in the above example is that there is no simple syntax
 > that matches both the indicated node and its sub-tree. For example, if
we
 > need to specify a policy that matches to /a and the sub-tree, we need to
 > specify two patterns i.e. /a and /a/**. JSR115 uses /a:/a** where ':'
 > indicates 'or' combination of two patterns that conflicts with patterns
for
 > the urn cases above.
 >
 > So the following is one of the solution for this problem:
 > - Introduce "***" for representing both the indicated node and its
 > sub-tree. For example, /a/*** is a shorthand of /a and /a/**. Thus
/a/***
 > matches /a, /a/b, /a/b/c etc.

To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php
.