Hi Niko,
I have looked into this before and agree with your conclusions.
You are correct that resource:xpath needs to be added to XACML 2.0. This
was identified as an erratum:
http://lists.oasis-open.org/archives/xacml/200702/msg00001.html
however, I don't think it has made it to the errata spec yet:
http://www.oasis-open.org/committees/download.php/24815/access_control-xacml-2.0-core-spec-os-errata.doc
This should be added to the errata list.
On the second part of your question, I think the answer is in section
B.6 p 129:
5036 This attribute identifies the resource to which access is requested. If an <xacml-
5037 context:ResourceContent> element is provided, then the resource to which access is
5038 requested SHALL be all or a portion of the resource supplied in the <xacml-
5039 context:ResourceContent> element.
5040 urn:oasis:names:tc:xacml:1.0:resource:resource-id
I interpret this to mean that the presence of this attribute, combined with the
presence of the ResourceContent element, makes that element the default root
xpath from which other xpaths are derived.
Note also that the example appears to have an error in the text of
the document where line 1064 should read:
[a185] xmlns(md=http:www.med.example.com/schemas/record.xsd)xpointer
(the "http:www" looks suspicious but matches line 1053).
Note to TC:
The 2 errata here are to add resource:xpath to section B.6 and
to fix line 1064.
Thanks,
Rich
Niko Matsakis wrote:
Hello,
I have some questions about the proper behavior of the various xpath
functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath Resource
attribute in particular.
It seems to be used throughout the examples in the XACML 2.0 Core
specification, but I don't find any text defining its proper values.
The XACML 1.0 specification, on the other hand, includes the following:
"This identifier indicates that the resource is specified by an XPath
expression." However, I am not sure what that means. In fact, in
XACML 1.0 the Attribute's value seems to be explicitly specified in the
request context, but not in the XACML 2.0 spec, where it does not
appear.
In general, I am a bit confused about how xpath matching is supposed to
work. The first example rule instance from the XACML 2.0
specification, for example, tests that the node(s) matching
urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of /md:record,
but it's unclear to me in what context these xpath expressions are
evaluated.
It seems the /md:record is not intended to be evaluated in the request
context, as that would yield an empty set. That means it is either
evaluated with respect to the "ResourceContent", or perhaps to an
external document? On the other hand, Appendix A.3.15 says that "the
XPath expressions in these functions are restricted to the XACML request
context. The <xacml-context:Request> element is the context node
for every XPath expression," which would seem to mean that /md:record
should yield an empty set after all (as the request context's root
element is a <xacml-context:Request> element).
Can anyone help clarify things for me, or point me to an explanation?
Thank you very much!
For reference, here is the XACML policy fragment that invokes
xpath-match:
<ResourceMatch
    MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">
  <AttributeValue
      DataType="http://www.w3.org/2001/XMLSchema#string">
    /md:record
  </AttributeValue>
  <ResourceAttributeDesignator
      AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
The example request context is in section 4.2.2.
Thanks in advance,
Niko Matsakis
---------------------------------------------------------------------
To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
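The two readings discussed in this thread can be made concrete by actually evaluating the policy's XPath against a request context. The Ruby script below is an added example and is not part of the thread, the XACML specification, or any PDP implementation. The request context is constructed for the example (it is not the spec's 4.2.2 request), the prefix xc is used in place of xacml-context for brevity, and the "equal to or a descendant of" test in xpath_node_match is this example's reading of the xpath-node-match function, not a quotation of A.3.15. It shows that with the <Request> element as context node the policy's bare "/md:record" selects nothing, that "//md:record" or a full path through ResourceContent does match, and what Rich's reading (ResourceContent's child as the root) yields.

```ruby
require 'rexml/document'

# Prefixes used in the XPath expressions below. "xc" stands in for the
# xacml-context prefix; the md URI is the one quoted in the thread.
NS = {
  'xc' => 'urn:oasis:names:tc:xacml:2.0:context:schema:os',
  'md' => 'http://www.med.example.com/schemas/record.xsd',
}.freeze

XPATH_ATTR_ID = 'urn:oasis:names:tc:xacml:1.0:resource:xpath'

# Constructed request context (not the spec's 4.2.2 example). The resource:xpath
# value is written as an absolute path from the <Request> root, i.e. with the
# A.3.15 context node in mind.
REQUEST_XML = <<~XML
  <xc:Request xmlns:xc="urn:oasis:names:tc:xacml:2.0:context:schema:os"
              xmlns:md="http://www.med.example.com/schemas/record.xsd">
    <xc:Subject/>
    <xc:Resource>
      <xc:ResourceContent>
        <md:record>
          <md:patient>
            <md:patientDoB>1992-03-21</md:patientDoB>
          </md:patient>
        </md:record>
      </xc:ResourceContent>
      <xc:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
                    DataType="http://www.w3.org/2001/XMLSchema#string">
        <xc:AttributeValue>/xc:Request/xc:Resource/xc:ResourceContent/md:record/md:patient/md:patientDoB</xc:AttributeValue>
      </xc:Attribute>
    </xc:Resource>
    <xc:Action/>
    <xc:Environment/>
  </xc:Request>
XML

def load_request
  REXML::Document.new(REQUEST_XML)
end

# Evaluate an XPath expression with the <Request> element as the context node.
def select_nodes(doc, expr)
  REXML::XPath.match(doc.root, expr, NS)
end

# Value of the resource:xpath attribute carried in the request context.
def resource_xpath(doc)
  attr = REXML::XPath.first(doc.root, "//xc:Attribute[@AttributeId='#{XPATH_ATTR_ID}']", NS)
  raise 'request carries no resource:xpath attribute' unless attr
  REXML::XPath.first(attr, 'xc:AttributeValue', NS).text.strip
end

def ancestors_or_self(node)
  chain = []
  while node
    chain << node
    node = node.parent
  end
  chain
end

# xpath-node-match as read here (an assumption of this example; A.3.15 is the
# authority): true when some node selected by the resource:xpath value is the
# same node as, or a descendant of, some node selected by the policy's expression.
def xpath_node_match(doc, policy_expr)
  policy_nodes   = select_nodes(doc, policy_expr)
  resource_nodes = select_nodes(doc, resource_xpath(doc))
  resource_nodes.any? do |n|
    ancestors_or_self(n).any? { |a| policy_nodes.any? { |p| p.equal?(a) } }
  end
end

# The other reading from the thread: treat the element inside <ResourceContent>
# as the document root, so that a bare "/md:record" selects it. Returns how many
# nodes the expression selects under that re-rooting.
def count_rerooted(doc, expr)
  content = REXML::XPath.first(doc.root, '/xc:Request/xc:Resource/xc:ResourceContent/*', NS)
  content.add_namespace('md', NS['md'])   # keep the md prefix declared when re-parsed alone
  REXML::XPath.match(REXML::Document.new(content.to_s), expr, NS).size
end

if __FILE__ == $PROGRAM_NAME
  doc = load_request
  ['/md:record', '//md:record',
   '/xc:Request/xc:Resource/xc:ResourceContent/md:record'].each do |expr|
    puts "#{expr.ljust(55)} match=#{xpath_node_match(doc, expr)} rerooted=#{count_rerooted(doc, expr)}"
  end
end
```

The practical caveat the script makes visible: whether "/md:record" matches depends entirely on which node the PDP treats as the context node. A PDP and a policy author who disagree on this do not get an error, they silently get no match, and a policy author who "fixes" it with "//md:record" will match an md:record element anywhere in the request context, including one a requester placed there, since the resource:xpath value and the ResourceContent both arrive from the PEP.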