[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Proposal for changed context node for xpaths in 3.0
All,
At the previous TC call I promised to write up a concrete proposal for
changing the context node of xpaths in XACML 3.0. This (long) email
provides such a proposal and explains the benefits.
I do not propose any changes for the XACML 2.0 errata, since this change
would break many 2.0 policies. 3.0 would not lose any functionality
which is available in 2.0, but policies have to be expressed slightly
differently.
The motivation for the change is to allow for some kinds of
optimizations which are possible when xpaths and attribute designators
are separate and when xpaths are categorized (by attribute category) so
the PDP can say something about where in the request context the xpath
could apply. See the end of this email for a discussion of these
optimizations.
I would also like to include some normative text which restricts the
form of the xpath. I want to prevent that xpaths may "climb" outside the
<Content> element. There are two reasons for this.
First, if we do not restrict the xpath, the context node does not matter
much since the xpath could still be used to refer to anywhere in the
resource content and we have not gained anything.
Second, I don't want policy writers to make any assumptions about the
context in which the XACML request might be in. For instance, if the
request is enveloped in an SAML assertion, the root element of the
document is not the XACML <Request> element, and absolute xpaths will
give different results than if the <Request> element would have been the
root element. One way for an implementation to solve this would be to
copy the whole <Request> into its own document so the <Request> is
always the document element, but this costs CPU cycles. I would like to
avoid this, so we should write the spec so it is clear that PDP don't
need to do this.
I propose the following changes (references to wd 5 of the 3.0 core spec):
---8<--- Begin proposal
Section 5.29 Element <AttributeSelector>:
-> Add a new XML attribute to the <AttributeSelector> element:
Category [Required]
This attribute SHALL specify the attribute category of the <Content>
element where the xpath is applied.
-> Change the description of the RequestContextPath xml attribute. It is
currently:
RequestContextPath [Required]
An XPath expression whose context node is the <Request> element.
There SHALL be no restriction on the XPath syntax. See also Section 5.4.
It should be changed to:
RequestContextPath [Required]
An XPath expression whose context node is the <Content> element of
the attribute category indicated by the Category attribute. There SHALL
be no restriction on the XPath syntax, but the XPath MUST NOT refer to
or traverse any content outside the <Content> element in any way. See
also Section 5.4.
Section 7.2.1 Structured attributes
This section currently contains these two alternatives for using
structures types:
2. An <AttributeSelector> element MAY be used to select the contents
of a leaf sub-element of the structured data-type by means of an XPath
expression. That value MAY then be compared using one of the supported
XACML functions appropriate for its primitive data-type. This method
requires support by the PDP for the optional XPath expressions feature.
3. An <AttributeSelector> element MAY be used to select any node in
the structured data-type by means of an XPath expression. This node MAY
then be compared using one of the XPath-based functions described in
Section A.3. This method requires support by the PDP for the optional
XPath expressions and XPath functions features.
-> Change the beginning of both these these paragraphs to the following:
"The structured attribute MAY be made available in the <Content> element
of the appropriate attribute category and "...
Section A.3.14 XPath-based functions
-> For each of the three xpath based functions, add one additional
argument of type anyURI. The following text explains this argument:
"This argument indicates the attribute category of the <Content> element
where the xpath expression(s) are applied."
-> In the first paragraph of section A.3.14 replace "The <Request>
element is the context node for every XPath expression" with "Each
function takes an attribute category as an argument. The <Content>
element in that attribute category is the context node of the xpath
expressions."
-> At the end of the first paragraph of section A.3.14 write: "The
xpaths MUST NOT refer to or traverse any content outside the <Content>
element in any way."
-> Allow <Content> in the <PolicyIssuer> element. This is needed to
allow for structured attributes with attribute selectors on delegates.
Currently it is like this:
<xs:element name="PolicyIssuer" type="xacml:PolicyIssuerType"/>
<xs:complexType name="PolicyIssuerType">
<xs:sequence>
<xs:element ref="xacml:Attribute" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
There is no <Content> element in there, although the policy issuer
essentially is a special category of request attributes. It should be
like this:
<xs:element name="PolicyIssuer" type="xacml:PolicyIssuerType"/>
<xs:complexType name="PolicyIssuerType">
<xs:sequence>
<xs:element ref="xacml:Content" minOccurs="0"/>
<xs:element ref="xacml:Attribute" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
The descriptive text for the new <Content> element will refer to the
same place as the description of the <Attributes> element.
-> Also update the examples accordingly: use relative xpaths from the
<Content> element and add the Category attribute in attribute selectors.
-> Also update the context node of the xpath based functionality in the
multiple and hierarchical resource profiles. I have not looked into the
details yet, but from my memory of the profiles, the changes should be
just to change the context node in a couple of places and insert the
text which restricts the xpath to the content element.
---8<--- End proposal
The following is not intended as part of the spec document, but explains
how 3.0 will retain the equivalent functionality as XACML 2.0. (I have
extracted the text from a previous email I sent on the topic.)
Assume that someone has defined a structured attribute type describing a
book, and we have a request like this:
<Request>
<Attributes Category="resource">
<Attribute AttributeId="resource-id" DataType="book">
<AttributeValue>
<Book><Title>This is the title</Title><ISBN>123456</ISBN></Book>
</AttributeValue>
</Attribute>
</Attributes>
...
</Request>
Currently an attribute selector can refer to the isbn number like this:
<AttributeSelector
RequestContextPath="Attributes[@Category="resource"/Attribute[@AttributeId="resource-id"]/AttributeValue/Book/ISBN/text()"/>
(The path is paraphrased and not strictly correct xpath, but you get the
idea.)
Now assume that we do not allow reference to the <Attribute> element
with the attribute selector and make the <Content> the context node. It
would no longer be possible to access the isbn number of the book with
an attribute selector. However, the same effect can be achieved by
rewriting the policy and the request.
The alternative is to place the structured data type in the <Content>
element (note that the <Content> element is available in all categories,
not just the resource, in 3.0):
<Request>
<Attributes Category="resource">
<Content>
<Attribute AttributeId="resource-id" DataType="book">
<AttributeValue>
<Book><Title>This is the title</Title><ISBN>123456</ISBN></Book>
</AttributeValue>
</Attribute>
</Content>
</Attributes>
...
</Request>
This can the be referenced by an attribute selector. And since the XML
is the same, no loss of functionality occurs.
Of course it will still be possible to define and implement custom
functions which can be used via attribute designators, as can be done in
2.0.
The text below gives some more detail about the optimizations which have
difficulties because of the current behavior. At least the following
problems with optimizations occur currently:
- Parsing the request context into a some form of optimized/indexed form
for attribute designators is possible, but because the xpath can refer
to anything in the request XML, the request has to be also retained in
XML form unless a custom xpath implementation is used.
This is an issue if the context handler finds attributes from an
external source. In this case either the request XML has to be updated
with any attribute which the context handler could possibly find as soon
as we reach the first xpath function, or we ignore this. If we do the
updating, then this is a performance issue. If we ignore the problem,
the behavior of the xpath functions becomes implementation specific.
(Unless the spec explicitly says that this is how it should be like,
that is, only the initial XML can be referenced with xpaths. I haven't
searched the spec for it, but I don't recall ever seeing a statement
like that. If it says so, let me know.)
- A special case of the above is that administrative requests have to be
constructed in XML form during reduction.
- Partial evaluation becomes less useful since no xpath based function
can be evaluated partially currently.
However, if xpaths would be restricted to the <Content> elements and all
xpath functions would have an explicit marker for the category, we could
introduce partial evaluation of xpath functions at the category
granularity. (For instance, if an xpath refers to the subject and the
subject is part of the partial request, then we can run that xpath, but
if the xpath refers to the resource and the resource is not in the
partial request, we cannot run that xpath.)
I think partial evaluation is a very useful function and I think it is
worth making the spec so it can be implemented efficiently.
- The multiple resource profile becames more complex and less efficient
to implement.
The multiple resource profile has a form of multiple request with
repeated <Attributes> elements, like this:
<Request>
<Attributes Category="Subject"> Alice </Attributes>
<Attributes Category="Resource"> A </Attributes>
<Attributes Category="Resource"> B </Attributes>
<Attributes Category="Resource"> C </Attributes>
<Attributes Category="Resource"> D </Attributes>
</Request>
This is the same as running four separate requests for the four
resources, with Alice as the subject in all these requests.
If xpaths can only refer to inside the <Content> in the <Attributes>
element, each Attributes element can be parsed individually into the
processing form of the implementation and these objects can be combined
individually into individual requests.
If xpaths can refer to anywhere in the request, for each individual
request, we have to construct a brand new XML representation as well.
There is a similar issue in the "scope" based multiple resource profile.
In this case the resource-id attribute of the initial request has to be
replaced with another resource-id for the individual requests. This can
probably be done fairly efficiently by just changing the id in the
internal representation in the PDP when running the individual requests.
With wide open xpaths, the XML representation has to be changed as well.
Well, maybe this is not a big deal? Changing this value in a DOM is
probably not very inefficient. But modifying the DOM could introduce
synchronization issues in a concurrent implementation, or the whole DOM
would have to be replicated, which would be inefficient.
Then there is a really obscure problem, which I am not sure we should
worry about. This is not really an optimization problem, but more a
matter of details in conformance to the spec. The multiple resource
profile describes that new requests are to be generated based on the
original multiple request. This raises the issue of how whitespace in
the new request relates to the whitespace in the original request. (The
same issue occurs in generation of administrative requests during
reduction as well.) I don't think anyone of us thinks of whitespace as
being significant in XACML, but it is significant in xpath, so in the
strict sense, since we use xpath, there is an ambiguity here. But then
it would be pretty stupid to write an XACML policy with an xpath which
refers to whitespace. :-) If we restrict xpaths to the inside of the
content element, we don't need to worry about whitespace since we would
never modify or generate the content element in the PDP processing.
(Personally, it just bugs me that when I implement the spec, there is
this ambiguity in there. :-))
Best regards,
Erik
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]