
Subject: RE: [xacml] New issue: new attribute ids for xml multiple decisions

After further analysis, described in [1], I revise this proposal.

1. Instead of a "resource-selector" attribute, define an additional
generic "content-selector" attribute like:


2. Instead of "authorized-resource-id", use the categorized
"content-selector" attributes proposed in [1].

When any Attributes category contains a "multiple:content-selector"
attribute, it will be expanded into multiple individual Attributes, each
with a "[category]:content-selector" attribute that selects exactly one
node in the Content of that category.  This value will be used to
evaluate the request, and will be included in the response.


[1] http://lists.oasis-open.org/archives/xacml/200911/msg00072.html

> -----Original Message-----
> From: Tyson, Paul H 
> Sent: Thursday, November 19, 2009 16:10
> Subject: [xacml] New issue: new attribute ids for xml 
> multiple decisions
> The cd-1 Multiple profile, lines 109-111, specifies that the 
> resource-id attribute in a multiple decision request shall be 
> replaced with a
> (possibly) different value when creating individual requests. 
>  The new value is the one that would be returned (if 
> IncludeInResult=true) in the result.
> There are a couple of problems with this.  First, it breaks 
> an implicit contract that prohibits the context handler from 
> changing attribute values (it can provide more values, but 
> should never change or remove values from the original 
> request context).  Second, it overloads resource-id with a 
> new meaning that is different from its initial purpose as a 
> primary identifier of a resource.  When used in a multiple 
> decision request for XML content, resource-id now means 
> something like "resource selector" in the Request, but 
> reverts to its former meaning as "primary identifier" in the Response.
> I propose that the resource-id attribute should only be used 
> as a persistent primary identifier for a singleton resource, 
> and that two new attributes be defined: one for requesting 
> decisions on multiple nodes of XML content, and another for 
> identifying those nodes in a XACML response.  The proposed 
> AttributeIds are:
> urn:oasis:names:tc:xacml:3.0:profile:multiple:xml:resource-selector
> urn:oasis:names:tc:xacml:3.0:profile:multiple:xml:authorized-r
> Sections 2.2.2 and 2.2.3 of the Multiple profile should be 
> rewritten as
> follows:
> =====================
> 2.2.2 Original request context
> The original XACML request context <Attributes> element in 
> the resource category SHALL contain a <Content> element and 
> an attribute with an AttributeId of 
> "urn:oasis:names:tc:xacml:3.0:profile:multiple:resource-selector"
> and a DataType of 
> "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression",
> such that the <AttributeValue> of the "resource-selector" 
> attribute is an XPath expression that evaluates to a nodeset 
> that represents multiple nodes in the resource category 
> <Content> element. The <Attributes> element with the resource 
> category SHALL contain a "scope" attribute with a value of 
> "XPath-expression".
> 2.2.3 Semantics
> Such a request context SHALL be interpreted as a request for 
> authorization decisions on multiple nodes in the nodeset 
> represented by the <AttributeValue> of the 
> "resource-selector" attribute. Each such node SHALL represent 
> an Individual Resource.
> Each Individual Decision Request SHALL be identical to the 
> original request context with two exceptions: the "scope" 
> attribute SHALL NOT be present and an additional attribute 
> with AttributeId of 
> "urn:oasis:names:tc:xacml:3.0:profile:multiple:authorized-resource-id"
> SHALL be present.  The DataType of this attribute shall be 
> "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression", and 
> the value SHALL be an XPath expression that evaluates to a 
> single node in the <Content> element. The IncludeInResult XML 
> attribute SHALL be "true".
> The content XML node selected by this Attribute SHALL be the 
> Individual Resource. If the "resource-selector" attribute in 
> the original request context contained an Issuer, the 
> "authorized-resource-id" attribute in the Individual Resource 
> Request SHALL contain the same Issuer.
> ==============================
> See these emails for previous comments on this issue:
> http://lists.oasis-open.org/archives/xacml/200910/msg00036.html
> http://lists.oasis-open.org/archives/xacml/200910/msg00052.html
> http://lists.oasis-open.org/archives/xacml/200911/msg00025.html
> Regards,
> --Paul
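The expansion the reply proposes (a "multiple:content-selector" XPath in one Attributes category is expanded into individual requests, each carrying a "[category]:content-selector" that selects exactly one Content node, and that selector value is echoed back in the result) is illustrated below. This is an added example, not code from the thread or from OASIS; the full AttributeId URN for the multiple selector, the literal "category + ':content-selector'" naming for the per-node attribute, the dictionary shape of the request, the toy owner-equals-subject rule, and the use of ElementTree's XPath subset with selectors relative to the Content root element are all assumptions made here. The sample patient records are constructed.

```python
"""Expand an XACML multiple-decision request into individual requests.

Constructed example (not specification text): attribute ids and the
per-category naming scheme are assumptions read off the proposal."""
import copy
import itertools
import xml.etree.ElementTree as ET

# Assumed full URN for the proposal's "multiple:content-selector".
MULTIPLE_CONTENT_SELECTOR = (
    "urn:oasis:names:tc:xacml:3.0:profile:multiple:content-selector")
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


def single_node_selector(category):
    # "[category]:content-selector", taken literally from the proposal (assumption).
    return category + ":content-selector"


def positional_paths(content_root, xpath):
    """Evaluate xpath (ElementTree subset, relative to the Content root) and
    return one positional path per matched node. Each path is checked to
    select exactly that node, which is the "exactly one node" requirement."""
    parent = {child: par for par in content_root.iter() for child in par}
    paths = []
    for node in content_root.findall(xpath):
        steps, cur = [], node
        while cur is not content_root:
            par = parent[cur]
            same_tag = [c for c in par if c.tag == cur.tag]
            steps.append(f"{cur.tag}[{same_tag.index(cur) + 1}]")
            cur = par
        path = "./" + "/".join(reversed(steps)) if steps else "."
        hits = content_root.findall(path)
        if len(hits) != 1 or hits[0] is not node:
            raise ValueError(f"{path} does not select exactly one node")
        paths.append(path)
    return paths


def expand_request(request):
    """Return the individual requests for a multiple-decision request.
    The original request is left untouched (deep copies are made), so the
    context handler never rewrites an attribute value in the caller's context.
    A selector that matches no node is reported as an error rather than
    silently producing zero individual requests."""
    per_category = []
    for category, block in request.items():
        attrs = block["attributes"]
        if MULTIPLE_CONTENT_SELECTOR not in attrs:
            per_category.append([(category, None)])
            continue
        root = ET.fromstring(block["content"])
        paths = positional_paths(root, attrs[MULTIPLE_CONTENT_SELECTOR])
        if not paths:
            raise ValueError(f"{category}: selector matched no nodes")
        per_category.append([(category, p) for p in paths])
    individual = []
    # Categories that each carry a multiple selector combine by Cartesian product.
    for combo in itertools.product(*per_category):
        req = copy.deepcopy(request)
        for category, path in combo:
            if path is None:
                continue
            attrs = req[category]["attributes"]
            del attrs[MULTIPLE_CONTENT_SELECTOR]
            attrs[single_node_selector(category)] = path
        individual.append(req)
    return individual


def evaluate(individual_request):
    """Toy PDP rule (assumption): Permit when the selected record's owner
    equals the subject-id. Returns (selector, decision) so the selector is
    carried into the result, as the proposal requires."""
    res = individual_request[RESOURCE]
    selector = res["attributes"][single_node_selector(RESOURCE)]
    hits = ET.fromstring(res["content"]).findall(selector)
    if len(hits) != 1:
        raise ValueError(f"{selector} must select exactly one node")
    subject = individual_request[SUBJECT]["attributes"][SUBJECT_ID]
    return selector, "Permit" if hits[0].get("owner") == subject else "Deny"


def decide_all(request):
    return [evaluate(r) for r in expand_request(request)]


# Constructed sample Content and request.
SAMPLE_CONTENT = """<patients>
  <record id="r1" owner="alice"/>
  <record id="r2" owner="bob"/>
  <record id="r3" owner="alice"/>
</patients>"""

SAMPLE_REQUEST = {
    SUBJECT: {"content": None, "attributes": {SUBJECT_ID: "alice"}},
    RESOURCE: {"content": SAMPLE_CONTENT,
               "attributes": {MULTIPLE_CONTENT_SELECTOR: "./record"}},
}

if __name__ == "__main__":
    for selector, decision in decide_all(SAMPLE_REQUEST):
        print(selector, decision)
```

Each result pairs the single-node selector with the decision, so a PEP can map decisions back to Content nodes without the resource-id attribute changing meaning between request and response.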
