Subject: Re: [xacml] resource:xpath and XPathCategory
Paul,

See responses inline:

Tyson, Paul H wrote:
> While working out what the spec says about requests for decisions on XML
> resources, I found some features that appear to be underspecified.
>
> Line numbers refer to cd-1 PDF core spec.
>
> Item #1. XPathCategory xml attribute
>
> This appears in the examples in the core spec, and is mentioned on line
> 3890. However, it does not appear in the element description for
> <AttributeValue>, nor in the xsd.
>
> Not knowing the history of this feature, I wonder what its purpose is.
> It seems the only valid values (in a request context) are identical to
> the ancestor::Attributes/@Category attribute where it appears. If it is
> used in a Policy, what would be the difference between @Category and
> @XPathCategory? The revision history for wd-06 says Xpath categories
> were introduced to point to a specific <Content> element, but I don't
> see how a "category" value will meet this need. Can someone who is
> familiar with the history of this feature comment on it?
>

<AttributeValue> is an extension point in XACML. It can contain any attribute or content (see the definition in the schema). The intent is that different data types can encode themselves freely into the <AttributeValue> element, without having to be listed in the XACML schema. The DataType attribute contains an identifier by which the implementation can interpret the contents of the <AttributeValue> element.

None of the 2.0 data types use any XML attributes to encode themselves. They just put text into the element content. But the new xpath-expression data type in 3.0 uses an XML attribute called XPathCategory to encode a part of its content, that is, the context node of the xpath expression. It is documented in section A.2, page 101, line 3890 (CD-1 PDF).

> Item #2. urn:oasis:names:tc:xacml:1.0:resource:xpath
>
> This appears in the examples, but not in the conformance table (10.2.6).
> The brief explanation on line 5120 does not specify any datatype, nor
> does it clarify how resource:xpath differs from resource:resource-id
> when used for XML resources. It does not explain the difference
> between:
>
> (a)
> Attribute[@AttributeId='resource-id'][@DataType='xpathExpression']
> (b) Attribute[@AttributeId='xpath']
>
> The example in 4.2.2 includes both these <Attribute>s (although the
> xpath has DataType=string). But the policy only tests the
> resource:xpath attribute. It could just as well test the resource-id
> attribute.
>
> The core spec should provide better definition of the semantics and
> processing expectations for resource:xpath. Not knowing the history of
> this feature, I can't make any specific suggestions at this time.
>
> The hierarchical and multiple profiles do not mention resource:xpath.
> They use resource:resource-id exclusively. I think using resource:xpath
> in those profiles might help clarify some of the issues we are
> discussing around identifying and testing multiple XML nodes.
>

I don't know what this is for. I can investigate, but the TC call is in a few minutes, so I have to do it later. I suspect that it is remnant from 1.0, which was superseded in 2.0 with something new, and it carried over to 2.0 by mistake.

Best regards,
Erik
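
An added example, not part of the original message or of the XACML specification: one way an implementation could interpret an `<AttributeValue>` by its DataType and use XPathCategory to pick the `<Content>` element that serves as the context of the XPath expression. The namespace and data-type URIs are assumed from the final XACML 3.0 core spec (the cd-1 draft may differ); `resolve_xpath_values`, `Indeterminate`, the fail-closed behaviour and the sample request are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace and data-type URIs as published in the final XACML 3.0
# core spec; the cd-1 draft discussed in the thread may use different ones.
X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
XPATH_TYPE = "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"

# Constructed sample request (not taken from the spec or the thread).
SAMPLE_REQUEST = f"""
<x:Request xmlns:x="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <x:Attributes Category="{RESOURCE}">
    <x:Content><record><patient><dob>1992-03-21</dob></patient></record></x:Content>
    <x:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                 IncludeInResult="false">
      <x:AttributeValue DataType="{XPATH_TYPE}"
                        XPathCategory="{RESOURCE}">record/patient/dob</x:AttributeValue>
    </x:Attribute>
  </x:Attributes>
</x:Request>
"""

class Indeterminate(Exception):
    """Hypothetical error type: the value cannot be resolved, so do not guess."""

def resolve_xpath_values(request_xml):
    """Return {expression: [selected node texts]} for every xpathExpression value."""
    root = ET.fromstring(request_xml)
    results = {}
    for value in root.iter(X + "AttributeValue"):
        # DataType tells the implementation how to read this extension point.
        if value.get("DataType") != XPATH_TYPE:
            continue
        category = value.get("XPathCategory")
        if category is None:
            raise Indeterminate("xpathExpression value without XPathCategory")
        # XPathCategory names the <Attributes> whose <Content> is the context.
        contents = [a.find(X + "Content") for a in root.findall(X + "Attributes")
                    if a.get("Category") == category]
        contents = [c for c in contents if c is not None]
        if len(contents) != 1:
            raise Indeterminate(f"{len(contents)} <Content> elements for {category}")
        expr = (value.text or "").strip()
        # Evaluating from <Content> treats its child as the document element.
        results[expr] = [n.text for n in contents[0].findall(expr)]
    return results

if __name__ == "__main__":
    print(resolve_xpath_values(SAMPLE_REQUEST))
```

ElementTree supports only a subset of XPath and is used here to keep the example self-contained; a PDP handling untrusted requests would use a hardened XML parser and a full XPath engine.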