

Subject: Re: [xacml] Updating XACML 2.0 conformance tests to meet errata


Hi Rich,

I agree with the first change, but not the second.

For the "xpath-node-equal" function, the order should be irrelevant.  If
any of the nodes in the set returned by the first argument match any of the
nodes returned in the second set then the function is true; the "any of"
condition is for both sets.

For the "xpath-node-match" function, the order is important as we're
checking equality for the nodes in the first set AND any of their children.
The description given in the spec indicates that the first set is the "big"
set, and we want to see if any of the individual nodes returned in the
second set match ANY of the nodes in the first set including children.

These semantics appear to be followed by the conformance tests, so I'm not
sure what change would be made?

Take test IIIG005:

<Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:xpath-node-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
//*[local-name()='Resource'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']
            </AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
//*[local-name()='Subject'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']/*[local-name()='Attribute'][namespace-uri()='urn:oasis:names:tc:xacml:2.0:context:schema:os']
            </AttributeValue>
      </Apply>
</Condition>

From my reading, this is stating that if any of the <Attribute> elements in
the <Subject> (the second statement) are equal to the <Resource> element(s)
or any of its children (the first statement) then return true.  This is
not true for the request given, so the expected result is NotApplicable.

If my understanding is right, then the specification and the conformance
tests are in alignment and no change needs to be made.

Regards,
Craig

---------------------------------------------------------------
Craig Forster
Software Engineer
IBM Australia Development Labs
Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
---------------------------------------------------------------
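
The argument-order point made in the message above, as an added example that is not part of the original e-mail or of the conformance suite. It assumes ElementTree path expressions in place of full XPath strings, a constructed request rather than the IIIG005 request, and reads "children" as all descendant elements; attribute nodes are not modelled.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
T = "{" + NS + "}"  # ElementTree's namespace-qualified tag prefix

# Constructed request for illustration; NOT the IIIG005 request from the suite.
REQUEST = f"""<Request xmlns="{NS}">
  <Subject><Attribute AttributeId="constructed-subject-id"/></Subject>
  <Resource>
    <ResourceContent><record><owner/></record></ResourceContent>
    <Attribute AttributeId="constructed-resource-id"/>
  </Resource>
</Request>"""
ROOT = ET.fromstring(REQUEST)

# ElementTree paths standing in for the XPath strings a policy would carry.
RESOURCE = ".//" + T + "Resource"
SUBJECT_ATTRS = ".//" + T + "Subject/" + T + "Attribute"
RESOURCE_ATTRS = ".//" + T + "Resource/" + T + "Attribute"
ALL_ATTRS = ".//" + T + "Attribute"


def node_equal(root, first, second):
    """True if any node selected by `first` is the same node as any node
    selected by `second`. Identity is symmetric, so order is irrelevant."""
    a, b = root.findall(first), root.findall(second)
    return any(x is y for x in a for y in b)


def node_match(root, first, second):
    """True if any node selected by `second` is a node selected by `first`
    or an element beneath one. `first` is the "big" set, so order matters."""
    # Assumption: "children" is read as every descendant element of the node.
    big = [d for n in root.findall(first) for d in n.iter()]
    return any(x is y for x in big for y in root.findall(second))


if __name__ == "__main__":
    # Same shape as the IIIG005 condition: Subject attributes vs. Resource subtree.
    print("match(Resource, Subject/Attribute):", node_match(ROOT, RESOURCE, SUBJECT_ATTRS))
    print("match(Resource, Resource/Attribute):", node_match(ROOT, RESOURCE, RESOURCE_ATTRS))
    print("match(Resource/Attribute, Resource):", node_match(ROOT, RESOURCE_ATTRS, RESOURCE))
    print("equal(Attribute, Resource/Attribute):", node_equal(ROOT, ALL_ATTRS, RESOURCE_ATTRS))
    print("equal(Resource/Attribute, Attribute):", node_equal(ROOT, RESOURCE_ATTRS, ALL_ATTRS))
```
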


                                                                                                                                  
  From:       "Rich.Levinson" <rich.levinson@oracle.com>
  To:         Craig Forster/Australia/IBM@IBMAU
  Cc:         XACML TC <xacml@lists.oasis-open.org>
  Date:       02/05/2008 12:23
  Subject:    Re: [xacml] Updating XACML 2.0 conformance tests to meet errata
                                                                                                                                  





Hi Craig,

Since you are looking at the conformance tests, I was wondering if you
could check out this request that came in the comments list - see attached
email.

The first suggestion looks like a simple errata fix, but I looked at the 2nd
and it has to do with the order of the arguments. It wasn't clear to me that
the order was wrong (i.e. the writer says that first and second should be
switched in core spec based on what he sees in conf tests.)

In any event, only suggesting if you have time and are already familiar
with the tests the writer is referring to, i.e. quick check if writer is
correct and core spec needs errata, and if so we can submit as issue to
handle by editors.

    Thanks,
    Rich

Craig Forster wrote:
      Hi all,

      I've gone ahead and updated the conformance tests for the
      dayTimeDuration and yearMonthDuration DataType changes ONLY.  The
      attached .ziparchive file includes only the files that have changed.

      (See attached file: conformance-updates.ziparchive)

      Here is a list of the changed files:

         conformance/policy/IIC102Policy.xml
         conformance/policy/IIC103Policy.xml
         conformance/policy/IIC104Policy.xml
         conformance/policy/IIC105Policy.xml
         conformance/policy/IIC106Policy.xml
         conformance/policy/IIC107Policy.xml
         conformance/policy/IIC150Policy.xml
         conformance/policy/IIC151Policy.xml
         conformance/policy/IIC152Policy.xml
         conformance/policy/IIC153Policy.xml
         conformance/policy/IIC154Policy.xml
         conformance/policy/IIC155Policy.xml
         conformance/policy/IIC156Policy.xml
         conformance/policy/IIC157Policy.xml
         conformance/policy/IIC231Policy.xml
         conformance/policy/IIC232Policy.xml
         conformance/request/IIC150Request.xml
         conformance/request/IIC151Request.xml
         conformance/request/IIC152Request.xml
         conformance/request/IIC153Request.xml
         conformance/request/IIC154Request.xml
         conformance/request/IIC155Request.xml
         conformance/request/IIC156Request.xml
         conformance/request/IIC157Request.xml
         conformance/request/IIC231Request.xml
         conformance/request/IIC232Request.xml

      Regards,
      Craig

      ---------------------------------------------------------------
      Craig Forster
      Software Engineer
      IBM Australia Development Labs
      Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
      Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
      ---------------------------------------------------------------



        From:       Craig Forster/Australia/IBM@IBMAU
        To:         XACML TC <xacml@lists.oasis-open.org>
        Date:       01/05/2008 09:58
        Subject:    [xacml] Updating XACML 2.0 conformance tests to meet errata






      Hi all,

      Are there any plans to update the XACML 2.0 conformance test suite to
      meet the errata?

      The primary issue that I'm seeing is the change of the
      dayTimeDuration and yearMonthDuration DataType URIs, for example from
      "http://www.w3.org/TR/2002/WD-xquery-operators-20020816#dayTimeDuration"
      to "urn:oasis:names:tc:xacml:2.0:data-type:dayTimeDuration".  These URI
      changes cause 16 of the conformance tests to fail.

      If the TC approves, I'm more than happy to update the conformance
      tests myself.

      Regards,
      Craig

      ---------------------------------------------------------------
      Craig Forster
      Software Engineer
      IBM Australia Development Labs
      Argus == https://w3.webahead.ibm.com/w3ki/display/commonauthz/Home
      Blog == http://blogs.tap.ibm.com/weblogs/craigforster/
      ---------------------------------------------------------------


      ---------------------------------------------------------------------
      To unsubscribe from this mail list, you must leave the OASIS TC that
      generates this mail.  You may a link to this group and all your TCs
      in OASIS at:
      https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php







----- Message from Oleg Gryb <oleg_gryb@yahoo.com> on Sun, 27 Apr 2008 23:04:48 -0700 (PDT) -----

      To: xacml-comment@lists.oasis-open.org
 Subject: [xacml-comment] XACML 2.0: Discrepancies
                                                


Please take a look, I think it needs to be fixed in
errata ...

1. Page 70:
“urn:oasis:names:tc:xacml:2.0:resource:resource-id”

Everywhere else the URI for resource-id is:
urn:oasis:names:tc:xacml:1.0:resource:resource-id

2. Please also check the definitions of
xpath-node-equal and xpath-node-match functions at
page 126. I got an impression from examples and
conformance tests that the "first" and "second"
arguments are switched. The correct description for
xpath-node-equal:

This function SHALL take two
“http://www.w3.org/2001/XMLSchema#string” arguments,
which SHALL be interpreted as XPath expressions, and
SHALL return an
“http://www.w3.org/2001/XMLSchema#boolean”. The
function SHALL return "True" if any
of the XML nodes in the node-set matched by the SECOND
argument equals, according to the
“op:node-equal” function [XF Section 13.1.6], any of
the XML nodes in the node-set
matched by the FIRST argument.





--
This publicly archived list offers a means to provide input to the
OASIS eXtensible Access Control Markup Language (XACML) TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: xacml-comment-subscribe@lists.oasis-open.org
Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org
List help: xacml-comment-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/xacml-comment/
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml



