xacml message


Subject: [xacml] Hierarchical match






In the last TC call, I suggested using "*" and "**" notations for matching
hierarchical resources.

Examples:
ex1: /p1/p2
ex2: /p1/p2/*
ex3: /p1/p2/**

/p1/p2 matches /p1/p2.
/p1/p2/* matches all the immediate children of /p1/p2.
/p1/p2/** matches all the descendants of /p1/p2.

Therefore,
/p1/p2/* matches /p1/p2/p3 and /p1/p2/p4 but fails to match /p1/p2 and
/p1/p2/p3/p4.
/p1/p2/** matches /p1/p2/p3 and /p1/p2/p3/p4 but fails to match /p1/p2.

The exact semantics of the above notation are represented by the equivalent
regular expressions as follows:

/p1/p2     ==> ^\/p1\/p2$
/p1/p2/*   ==> ^\/p1\/p2\/[^\/]+$
/p1/p2/**  ==> ^\/p1\/p2\/.+$

- Rationale:
An access control policy that works on a hierarchy often requires exact match,
immediate children match, and subtree match. The above notation corresponds
to each pattern. If a regular expression is used, such intention would become
implicit.

Best,
Michiharu
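
The three pattern forms and their regular-expression equivalents from the message above, as an added example that is not part of the original message or of any XACML specification text. The function names are hypothetical, and three choices are assumptions beyond the message: the literal prefix is regex-escaped, a wildcard outside the final segment is rejected, and `fullmatch` stands in for the `^...$` anchors.

```python
import re

def compile_hier_pattern(pattern: str) -> re.Pattern:
    """Translate the exact / '*' / '**' notation into the equivalent regex."""
    if pattern.endswith("/**"):
        base, tail = pattern[:-3], r"/.+"      # any descendant
    elif pattern.endswith("/*"):
        base, tail = pattern[:-2], r"/[^/]+"   # immediate children only
    else:
        base, tail = pattern, ""               # exact match
    if "*" in base:
        # Assumption: the message only defines wildcards as the last segment.
        raise ValueError("wildcard allowed only as the final segment: %r" % pattern)
    # Escape the literal prefix so characters such as '.' in a resource name
    # are compared literally and cannot widen the match.
    return re.compile(re.escape(base) + tail)

def matches(pattern: str, resource: str) -> bool:
    # fullmatch anchors at both ends, like ^...$ in the message, but does not
    # accept a trailing newline after the resource the way Python's '$' would.
    return compile_hier_pattern(pattern).fullmatch(resource) is not None

if __name__ == "__main__":
    # Resources taken from the message, plus one constructed case ("/p1/p2/").
    resources = ["/p1/p2", "/p1/p2/p3", "/p1/p2/p4", "/p1/p2/p3/p4", "/p1/p2/"]
    for pat in ["/p1/p2", "/p1/p2/*", "/p1/p2/**"]:
        hits = [r for r in resources if matches(pat, r)]
        print("%-10s matches %s" % (pat, hits))
    # Constructed case: an unescaped '.' would let /p1/pX2/p3 through.
    print(matches("/p1/p.2/*", "/p1/pX2/p3"))
```
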


