Subject: Re: [xacml] resource:xpath and XPathCategory


Paul,

See responses inline:

Tyson, Paul H wrote:
> While working out what the spec says about requests for decisions on XML
> resources, I found some features that appear to be underspecified.
>
> Line numbers refer to cd-1 PDF core spec.
>
> Item #1. XPathCategory xml attribute
>
> This appears in the examples in the core spec, and is mentioned on line
> 3890.  However, it does not appear in the element description for
> <AttributeValue>, nor in the xsd.
>
> Not knowing the history of this feature, I wonder what its purpose is.
> It seems the only valid values (in a request context) are identical to
> the ancestor::Attributes/@Category attribute where it appears.  If it is
> used in a Policy, what would be the difference between @Category and
> @XPathCategory?  The revision history for wd-06 says Xpath categories
> were introduced to point to a specific <Content> element, but I don't
> see how a "category" value will meet this need.  Can someone who is
> familiar with the history of this feature comment on it?
>   

<AttributeValue> is an extension point in XACML. It can contain any 
attribute or content (see the definition in the schema). The intent is 
that different data types can encode themselves freely into the 
<AttributeValue> element, without having to be listed in the XACML 
schema. The DataType attribute contains an identifier by which the 
implementation can interpret the contents of the <AttributeValue> element.

None of the 2.0 data types use any XML attributes to encode themselves. 
They just put text into the element content. But the new 
xpath-expression data type in 3.0 uses an XML attribute called 
XPathCategory to encode a part of its content, that is, the context node 
of the xpath expression. It is documented in section A.2, page 101, line 
3890 (CD-1 PDF).

> Item #2. urn:oasis:names:tc:xacml:1.0:resource:xpath
>
> This appears in the examples, but not in the conformance table (10.2.6).
> The brief explanation on line 5120 does not specify any datatype, nor
> does it clarify how resource:xpath differs from resource:resource-id
> when used for XML resources.  It does not explain the difference
> between:
>
> 	(a)
> Attribute[@AttributeId='resource-id'][@DataType='xpathExpression']
> 	(b) Attribute[@AttributeId='xpath']
>
> The example in 4.2.2 includes both these <Attribute>s (although the
> xpath has DataType=string).  But the policy only tests the
> resource:xpath attribute.  It could just as well test the resource-id
> attribute.
>
> The core spec should provide better definition of the semantics and
> processing expectations for resource:xpath.  Not knowing the history of
> this feature, I can't make any specific suggestions at this time.
>
> The hierarchical and multiple profiles do not mention resource:xpath.
> They use resource:resource-id exclusively. I think using resource:xpath
> in those profiles might help clarify some of the issues we are
> discussing around identifying and testing multiple XML nodes.  
>   

I don't know what this is for. I can investigate, but the TC call is in 
a few minutes, so I have to do it later. I suspect that it is a remnant 
from 1.0, which was superseded in 2.0 with something new, and it carried 
over to 2.0 by mistake.

Best regards,
Erik
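The following is an added example, not code from the thread or from the XACML TC, illustrating the mechanism Erik describes: a PDP-side resolver reads the DataType of an <AttributeValue>, and for the xpath-expression data type uses XPathCategory to pick the <Content> element that serves as the context node. The request document, the `md` namespace and the `urn:example:attribute:requester-role` identifier are constructed for the example; the XACML namespace and data-type/category URNs are those of the final 3.0 specification, which may differ from the CD-1 draft under discussion. Python's `xml.etree.ElementTree` implements only an XPath subset, so the expressions are kept to simple child steps.

```python
"""Resolve XACML 3.0 xpathExpression AttributeValues against the <Content> selected
by their XPathCategory attribute. Added example; the sample request is constructed."""
import xml.etree.ElementTree as ET

# Identifiers from the final XACML 3.0 specification (assumption: the CD-1 draft
# discussed in the thread may use a different schema namespace).
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XPATH_DT = "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
# Constructed, non-standard identifiers used only by this example.
MD_NS = "urn:example:med:schemas:record"
REQUESTER_ROLE = "urn:example:attribute:requester-role"

# Prefix-to-namespace map used to resolve prefixes inside the XPath strings
# (a real PDP would take the in-scope declarations of the AttributeValue element).
NAMESPACES = {"xacml": XACML_NS, "md": MD_NS}

# Constructed request: two categories, each carrying its own <Content>. Both
# xpathExpression values sit in the resource <Attributes>, but XPathCategory, not the
# enclosing Category, decides which <Content> is the context node.
REQUEST = f"""<Request xmlns="{XACML_NS}" xmlns:md="{MD_NS}"
         ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="{SUBJECT_CAT}">
    <Content>
      <md:person><md:role>physician</md:role></md:person>
    </Content>
  </Attributes>
  <Attributes Category="{RESOURCE_CAT}">
    <Content>
      <md:record>
        <md:patient><md:patientDoB>1992-03-21</md:patientDoB></md:patient>
      </md:record>
    </Content>
    <Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="false">
      <AttributeValue DataType="{XPATH_DT}" XPathCategory="{RESOURCE_CAT}">md:record/md:patient/md:patientDoB</AttributeValue>
    </Attribute>
    <Attribute AttributeId="{REQUESTER_ROLE}" IncludeInResult="false">
      <AttributeValue DataType="{XPATH_DT}" XPathCategory="{SUBJECT_CAT}">md:person/md:role</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""


def resolve_xpath_values(request_xml: str, namespaces: dict) -> dict:
    """Return {AttributeId: [matched text]} for every xpathExpression AttributeValue.

    The DataType identifier selects how the element content is interpreted; for
    xpathExpression the XPathCategory attribute names the <Attributes> element whose
    <Content> is the context node of the expression.
    """
    root = ET.fromstring(request_xml)

    # Index each category's <Content> element once.
    content_by_category = {}
    for attrs in root.findall("xacml:Attributes", namespaces):
        content = attrs.find("xacml:Content", namespaces)
        if content is not None:
            content_by_category[attrs.get("Category")] = content

    results = {}
    for attr in root.iterfind(".//xacml:Attribute", namespaces):
        attribute_id = attr.get("AttributeId")
        for value in attr.findall("xacml:AttributeValue", namespaces):
            if value.get("DataType") != XPATH_DT:
                continue  # other data types are plain text content, handled elsewhere
            category = value.get("XPathCategory")
            if category is None:
                raise ValueError(
                    f"{attribute_id}: xpathExpression without XPathCategory, "
                    "context node undefined")
            context = content_by_category.get(category)
            if context is None:
                raise ValueError(f"{attribute_id}: no <Content> for category {category}")
            matches = context.findall((value.text or "").strip(), namespaces)
            results.setdefault(attribute_id, []).extend(m.text for m in matches)
    return results


if __name__ == "__main__":
    for attribute_id, values in resolve_xpath_values(REQUEST, NAMESPACES).items():
        print(attribute_id, "->", values)
```

The resolver refuses an xpathExpression value that lacks XPathCategory rather than guessing the enclosing Category, since a value with an undefined context node has no well-defined meaning; the second attribute shows that the category in XPathCategory can legitimately differ from the <Attributes> element the value is placed in.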
