
Subject: Re: [xacml-dev] xpath, urn:oasis:names:tc:xacml:1.0:resource:xpath

Hi Niko,

I have looked into this before and agree with your conclusions.

You are correct that resource:xpath needs to be added to XACML 2.0. This
was identified as an errata:


however, I don't think it has made it to the errata spec yet:


This should be added to the errata list.

On the second part of your question, I think the answer is in section B.6 p 129:

5036 This attribute identifies the resource to which access is requested. If an <xacml-
5037 context:ResourceContent> element is provided, then the resource to which access is
5038 requested SHALL be all or a portion of the resource supplied in the <xacml-
5039 context:ResourceContent> element.
5040 urn:oasis:names:tc:xacml:1.0:resource:resource-id

I interpret this to mean that the presence of this attribute combined with the
presence of the ResourceContent element makes that element the default
root xpath from which other xpaths are derived.

Note also that the example appears to have an error in the text of
the document where line 1064 should read:

 [a185] xmlns(md=http:www.med.example.com/schemas/record.xsd)xpointer

(the "http:www" looks suspicious but matches line 1053).

Note to TC:
The 2 errata here are to add resource:xpath to section B.6 and
to fix line 1064.


Niko Matsakis wrote:

I have some questions about the proper behavior of the various xpath functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath Resource attribute in particular.

It seems to be used throughout the examples in the XACML 2.0 Core specification, but I don't find any text defining its proper values.  The XACML 1.0 specification, on the other hand, includes the following: "This identifier indicates that the resource is specified by an XPath expression."  However, I am not sure what that means.  In fact, in XACML 1.0 the Attribute's value seems to be explicitly specified in the request context, but not in the XACML 2.0 spec, where it does not appear.

In general, I am a bit confused about how xpath matching is supposed to work.  The first example rule instance from the XACML 2.0 specification, for example, tests that the node(s) matching urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of /md:record, but it's unclear to me in what context these xpath expressions are evaluated.

It seems the /md:record is not intended to be evaluated in the request context, as that would yield an empty set.  That means it is either evaluated with respect to the "ResourceContent", or perhaps to an external document?  On the other hand, Appendix A.3.15 says that "the XPath expressions in these functions are restricted to the XACML request context.  The <xacml-context:Request> element is the context node for every XPath expression," which would seem to mean that /md:record should yield an empty set after all (as the request context's root element is a <xacml-context:Request> element).

Can anyone help clarify things for me, or point me to an explanation? Thank you very much!

For reference, here is the XACML policy fragment that invokes xpath-match:

<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">
       <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">

The example request context is in section 4.2.2.

Thanks in advance,
Niko Matsakis
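The two readings argued over in this thread (context node = the <xacml-context:Request> element, versus context node = the document supplied in ResourceContent) can be made concrete by running the example rule's match both ways. The following Python script is an added illustration and is not code from the thread, the TC, or any XACML implementation. Its request context is constructed for the purpose (it is not the one in section 4.2.2), the namespace URIs are my own choices (the context URI is the XACML 2.0 one as I know it; the md: URI is written with "http://" rather than the "http:www" form the spec text shows), `select` implements only the absolute child-path subset of XPath needed here on top of the standard library, and `xpath_node_match` implements the subtree-containment reading Niko gives (the nodes selected by the resource:xpath attribute lie at or below the nodes selected by the rule's /md:record).

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used by the paths below (URIs are assumptions, see lead-in).
NS = {
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
    "md": "http://www.med.example.com/schemas/record.xsd",
}

# Constructed request context: a ResourceContent carrying an md:record document
# plus a resource:xpath attribute that points into that document.
REQUEST_XML = """<xacml-context:Request
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:md="http://www.med.example.com/schemas/record.xsd">
  <xacml-context:Subject/>
  <xacml-context:Resource>
    <xacml-context:ResourceContent>
      <md:record>
        <md:patient><md:patientName>Bob</md:patientName></md:patient>
        <md:medical>confidential</md:medical>
      </md:record>
    </xacml-context:ResourceContent>
    <xacml-context:Attribute
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
        DataType="http://www.w3.org/2001/XMLSchema#string">
      <xacml-context:AttributeValue>/md:record/md:medical</xacml-context:AttributeValue>
    </xacml-context:Attribute>
  </xacml-context:Resource>
  <xacml-context:Action/>
</xacml-context:Request>
"""

# The rule's first argument, as in the spec example Niko refers to.
RULE_XPATH = "/md:record"


def expand(step, ns):
    """Turn a 'prefix:local' step into ElementTree's '{uri}local' form."""
    prefix, _, local = step.partition(":")
    return "{%s}%s" % (ns[prefix], local) if local else step


def select(context_root, expr, ns):
    """Evaluate an absolute child path such as /md:record/md:medical, treating
    context_root as the document element. Returns a list of matching Elements
    (empty when the first step does not name context_root itself)."""
    if not expr.startswith("/"):
        raise ValueError("only absolute paths are handled in this example")
    steps = [expand(s, ns) for s in expr.strip("/").split("/")]
    if context_root.tag != steps[0]:
        return []
    if len(steps) == 1:
        return [context_root]
    return context_root.findall("/".join(steps[1:]))


def xpath_node_match(first, second):
    """True when some node selected by `second` is, or lies below, a node
    selected by `first`. Node equality is identity, not value."""
    for a in first:
        for candidate in a.iter():  # a itself, then all of its descendants
            if any(candidate is b for b in second):
                return True
    return False


def match_under(context_choice):
    """Run the rule's match with the context node chosen one of two ways.
    Returns (nodes matched by the rule, nodes matched by resource:xpath, result)."""
    request = ET.fromstring(REQUEST_XML)
    resource_xpath = request.find(
        "xacml-context:Resource/xacml-context:Attribute"
        "[@AttributeId='urn:oasis:names:tc:xacml:1.0:resource:xpath']"
        "/xacml-context:AttributeValue", NS).text
    if context_choice == "request":
        root = request  # A.3.15 reading: <xacml-context:Request> is the context node
    elif context_choice == "resource-content":
        content = request.find(
            "xacml-context:Resource/xacml-context:ResourceContent", NS)
        root = list(content)[0]  # B.6 reading: the supplied document is the root
    else:
        raise ValueError("unknown context choice: %r" % context_choice)
    first = select(RULE_XPATH, root, NS) if False else select(root, RULE_XPATH, NS)
    second = select(root, resource_xpath, NS)
    return (len(first), len(second), xpath_node_match(first, second))


if __name__ == "__main__":
    for choice in ("request", "resource-content"):
        print(choice, match_under(choice))
```

With the Request element as context node both paths select nothing and the match is false, which is the empty-set outcome Niko describes; with the ResourceContent document as root the rule's /md:record selects the record, the resource:xpath selects md:medical beneath it, and the match succeeds. That is the behaviour the B.6 text quoted above gives when resource-id and ResourceContent are both present.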
