
Subject: Re: [xacml] URI-match function proposal

Hi, Bill

I should have written that I am not trying to create yet another regular
expression match. I just tried to create a simple but useful convention for
hierarchy-wise matching.
Since we are extending XACML to support hierarchical resources, I think
XACML needs to show a right-focused hierarchical match solution that works
on hierarchical string representation (URI syntax). Some of them have been
summarized in the hierarchical resource profile document and this would be
one new addition to the profile (it means OPTIONAL).

A conventional regular expression standard could support our needs but the
reg-exp examples somehow lose the policy writer's intuition on hierarchy-wise
matching (I am saying that a policy writer could not write that syntax). If
a hierarchy-wise matching expression could be converted into a reg-exp
expression, it helps implementers. They don't have to implement their own
code for the hierarchy-wise matching. I think we should focus on the issue
of what is the right-focused hierarchy-wise matching solution to XACML
users, not only from implementers' perspective.

Re the syntax, I have no problem with removing the '?' letter from my proposal.
Hierarchy-wise matching works only at the relativeURI portion of the URI
syntax and is supported only using "*", "**", and "***". "*" and "**" are
borrowed from Apache ANT. Only "***" is my artifact but it is just a
technical syntax sugar and useful for representing a policy in concise


Bill Parducci de.com>
2004/06/24 03:55
To: <xacml@lists.oasis-open.org>
Subject: Re: [xacml] URI-match function

in contrast to functions like e-mail matching where we can reference a
standard for format (and leave the 'proof to the reader'), i posit that
what we are trying to do here is create our own version of regex matching
syntax (as was the case with version). as pointed out by michiharu--things
like hierarchies can be syntactically variable so the problem is unbounded
without general operators and XACML defining such operators seems a bit
risky to me.

maybe i am not missing something important here but we have a way to match
hierarchical expressions against a filter: regexp-string-match. per the
spec, it uses the XPath/XQuery implementation of regex (extending
use by including things like '$' and '^') and should be able to match any
hierarchy you can think of.

using some of the examples on the list i came up with the following:

Pattern: ^/a[^/]*$
  MATCHES  /ab
  NO MATCH /a/
  NO MATCH /ac/
  NO MATCH /a/b/c
  MATCHES  /askfjl28746.82347

Pattern: ^a[^:]*$
  NO MATCH a:b
  MATCHES  abc
  NO MATCH abc
  MATCHES  abc/d

Pattern: ^http:\/\/a\.b[^/]*$
  MATCHES  http://a.b
  MATCHES  http://a.bclkjdslkj
  NO MATCH http://a.b/
  NO MATCH http://a.bkljlk/
  NO MATCH http://a.b/d

Pattern: ^/a.*\/..*\.html[^/]*$
  MATCHES  /a.html
  MATCHES  /a/y.html
  MATCHES  /a1/y1.html
  NO MATCH /a1/y1.html/

Pattern: ^http:\/\/a\.b\/x\/.*$
  NO MATCH http:/a
  NO MATCH http://a
  NO MATCH http://a.b
  NO MATCH http://a.b/x
  MATCHES  http://a.b/x/
  MATCHES  http://a.b/x/kjlkj
  MATCHES  http://a.b/x/kjlkj/klj

is it me, or is this pretty straightforward? as far as i know, the
above conform with the XPath/XQuery use of regex.


Michiharu Kudoh wrote:

 > Of course this is not complete but I believe that this covers several
 > people's requirements including me.
 > The basic idea is the following:
 > - Match function that works on URI syntax (including URL and URN)
 > - Pattern match character includes "*", "?", and "**" (maybe more)
 >   + "*" is used for single-node match.
 >   + "**" is used for sub-tree match (from Ant).
 >   + "?" is used for one-character match.
 > - Hierarchical separators are "/" and ":" (or more).


 > One problem I had in the above example is that there is no simple syntax
 > that matches both the indicated node and its sub-tree. For example, if we
 > need to specify a policy that matches to /a and the sub-tree, we need to
 > specify two patterns i.e. /a and /a/**. JSR115 uses /a:/a** where ':'
 > indicates 'or' combination of two patterns that conflicts with patterns in
 > the urn cases above.
 > So the following is one of the solutions for this problem:
 > - Introduce "***" for representing both the indicated node and its
 > sub-tree. For example, /a/*** is a shorthand of /a and /a/**. Thus it
 > matches /a, /a/b, /a/b/c etc.
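
The conversion from hierarchy-wise patterns to regular expressions discussed in this thread, as an added example that is not part of the original messages or of any XACML implementation. The names `glob_to_regex` and `hierarchy_match` are hypothetical; the sketch assumes "/" is the only separator, that it is applied to the path portion only, and that "**" needs at least one node below the prefix (so that "/a/***" is exactly "/a" or "/a/**").

```python
import re

SEP = "/"  # assumption: only "/" is treated as the hierarchy separator here


def glob_to_regex(pattern: str) -> str:
    """Translate a hierarchy pattern over a URI path into a regex body.

    "*"   inside a node -> any run of non-separator characters
    "**"  as a node     -> one or more nodes below (sub-tree)
    "***" as a node     -> the preceding node itself or its sub-tree
    Everything else is escaped, so "." in the pattern stays a literal dot.
    """
    any_in_node = f"[^{re.escape(SEP)}]*"
    parts = []
    for i, seg in enumerate(pattern.split(SEP)):
        lead = re.escape(SEP) if i > 0 else ""
        if seg == "***":
            # separator and sub-tree are optional together: /a or /a/...
            parts.append(f"(?:{lead}.+)?")
        elif seg == "**":
            parts.append(f"{lead}.+")
        elif "**" in seg:
            # reject ambiguous forms such as "a**" instead of guessing
            raise ValueError(f"'**' must be a whole node: {seg!r}")
        else:
            literals = (re.escape(piece) for piece in seg.split("*"))
            parts.append(lead + any_in_node.join(literals))
    return "".join(parts)


def hierarchy_match(pattern: str, path: str) -> bool:
    # fullmatch anchors both ends, so a prefix or suffix hit is never a match
    return re.fullmatch(glob_to_regex(pattern), path) is not None


# Constructed sample inputs, reusing paths quoted in the thread.
SAMPLES = [
    ("/a*", "/ab"), ("/a*", "/a/b/c"),
    ("/a/**", "/a"), ("/a/**", "/a/b/c"),
    ("/a/***", "/a"), ("/a/***", "/a/b/c"), ("/a/***", "/ab"),
    ("/a/*.html", "/a/y.html"), ("/a/*.html", "/a/yxhtml"),
]

if __name__ == "__main__":
    for pat, path in SAMPLES:
        print(f"{pat:12} {path:12} {hierarchy_match(pat, path)}")
```

Because literals are escaped and the match is anchored at both ends, a policy written as "/a/*.html" cannot silently cover "/a/yxhtml" or a deeper path such as "/a/b/y.html".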
