[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] URI-match function proposal
Hi, Bill I should have written that I am not trying to create yet another regular expression match. I just tried to create a simple but useful convention for hierarchy-wise matching. Since we are extending XACML to support hierarchical resource, I think XACML needs to show a right-focused hierarchical match solution that works on hierarchical string representation (URI syntax). Some of them have been summarized in the hierarchical resource profile document and this would be one new addition to the profile (it means OPTIONAL) Conventional regular expression standard could support our needs but the reg-exp examples somehow loses policy writer's intuition on hierarchy-wise matching (I am saying that policy writer could not write that syntax). If hierarchy-wise matching expression could be converted into reg-exp expression, it helps implementer. They don't have to implement their own code for the hierarchy-wise matching. I think we should focus on the issue of what is the right-focused hierarchy-wise matching solution to XACML users, not only from implementers' perspective. Re the syntax, I have no problem with removing '?' letter from my proposal. Hierarchy-wise matching works only at the relativeURI portion of the URI syntax and is supported only using "*", "**", and "***". "*" and "**" are borrowed from Apache ANT. Only "***" is my artifact but it is just a technical syntax sugar and useful for representing a policy in concise manner. Best, Michiharu Bill Parducci <bparducci@glueco de.com> To "'xacml'" 2004/06/24 03:55 <email@example.com> cc Subject Re: [xacml] URI-match function proposal in contrast to functions like e-mail matching where we can reference an accepted standard for format (and leave the 'proof to the reader'), i posit that what we are trying to do here is create our own version of regex matching syntax (as was the case with version). as pointed out by michiharu--things like hierarchies can be syntactically variable so the problem is unbounded without general string operators and XACML defining such operators seems a bit risky to me. maybe i am not missing something important here but we have a way to match hierarchical expressions against a filter: regexp-string-match. per the current spec, it uses the XPath/XQuery implementation of regex (extending XMLSchema's use by including things like '$' and '^') and should be able to match any hierarchy you can think of. using some of the examples on the list i came up with the following: Pattern: ^/a[^/]*$ MATCHES /a MATCHES /ab NO MATCH /a/ NO MATCH /ac/ NO MATCH /a/b/c MATCHES /askfjl28746.82347 Pattern: ^a[^:]*$ MATCHES a NO MATCH a: NO MATCH a:b MATCHES abc NO MATCH abc MATCHES abc/d Pattern: ^http:\/\/a\.b[^/]*$ MATCHES http://a.b MATCHES http://a.bclkjdslkj NO MATCH http://a.b/ NO MATCH http://a.bkljlk/ NO MATCH http://a.b/d Pattern: ^/a.*\/..*\.html[^/]*$ NO MATCH /a MATCHES /a.html MATCHES /a/y.html MATCHES /a1/y1.html NO MATCH /a1/y1.html/ Pattern: ^http:\/\/a\.b\/x\/.*$ NO MATCH http:/a NO MATCH http://a NO MATCH http://a.b NO MATCH http://a.b/x MATCHES http://a.b/x/ MATCHES http://a.b/x/kjlkj MATCHES http://a.b/x/kjlkj/klj is it me, or is this pretty straightforward? as far as i know, the expressions above conform with the XPath/XQuery use of regex. b Michiharu Kudoh wrote: > Of course this is not complete but I believe that this covers several > peoples' requirements including me. > > The basic idea is the following: > - Match function that works on URI syntax (including URL and URN) > - Pattern match character includes "*", "?", and "**" (maybe more) > + "*" is used for single-node match. > + "**" is used for sub-tree match (from Ant). > + "?" is used for one-character match. > - Hierarchical separators are "/" and ":" (or more). [...] > One problem I had in the above example is that there is no simple syntax > that matches both the indicated node and its sub-tree. For example, if we > need to specify a policy that matches to /a and the sub-tree, we need to > specify two patterns i.e. /a and /a/**. JSR115 uses /a:/a** where ':' > indicates 'or' combination of two patterns that conflicts with patterns for > the urn cases above. > > So the following is one of the solution for this problem: > - Introduce "***" for representing both the indicated node and its > sub-tree. For example, /a/*** is a shorthand of /a and /a/**. Thus /a/*** > matches /a, /a/b, /a/b/c etc. To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php .