Subject: RE: [xacml] New issue: new attribute ids for xml multiple decisions
After further analysis, described in [1], I revise this proposal.

1. Instead of a "resource-selector" attribute, define an additional generic "content-selector" attribute like:

urn:oasis:names:tc:xacml:3.0:profile:multiple:content-selector

2. Instead of "authorized-resource-id", use the categorized "content-selector" attributes proposed in [1].

When any Attributes category contains a "multiple:content-selector" attribute, it will be expanded into multiple individual Attributes, each with a "[category]:content-selector" attribute that selects exactly one node in the Content of that category. This value will be used to evaluate the request, and will be included in the response.

Regards,
--Paul

[1] http://lists.oasis-open.org/archives/xacml/200911/msg00072.html

> -----Original Message-----
> From: Tyson, Paul H
> Sent: Thursday, November 19, 2009 16:10
> To: XACML TC
> Subject: [xacml] New issue: new attribute ids for xml multiple decisions
>
> The cd-1 Multiple profile, lines 109-111, specifies that the resource-id attribute in a multiple decision request shall be replaced with a (possibly) different value when creating individual requests. The new value is the one that would be returned (if IncludeInResult=true) in the result.
>
> There are a couple of problems with this. First, it breaks an implicit contract that prohibits the context handler from changing attribute values (it can provide more values, but should never change or remove values from the original request context). Second, it overloads resource-id with a new meaning that is different from its initial purpose as a primary identifier of a resource. When used in a multiple decision request for XML content, resource-id now means something like "resource selector" in the Request, but reverts to its former meaning as "primary identifier" in the Response.
>
> I propose that the resource-id attribute should only be used as a persistent primary identifier for a singleton resource, and that two new attributes be defined: one for requesting decisions on multiple nodes of XML content, and another for identifying those nodes in a XACML response. The proposed AttributeIds are:
>
> urn:oasis:names:tc:xacml:3.0:profile:multiple:xml:resource-selector
> urn:oasis:names:tc:xacml:3.0:profile:multiple:xml:authorized-resource-id
>
> Sections 2.2.2 and 2.2.3 of the Multiple profile should be rewritten as follows:
>
> =====================
> 2.2.2 Original request context
>
> The original XACML request context <Attributes> element in the resource category SHALL contain a <Content> element and an attribute with an AttributeId of "urn:oasis:names:tc:xacml:3.0:profile:multiple:resource-selector" and a DataType of "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression", such that the <AttributeValue> of the "resource-selector" attribute is an XPath expression that evaluates to a nodeset that represents multiple nodes in the resource category <Content> element. The <Attributes> element with the resource category SHALL contain a "scope" attribute with a value of "XPath-expression".
>
> 2.2.3 Semantics
>
> Such a request context SHALL be interpreted as a request for authorization decisions on multiple nodes in the nodeset represented by the <AttributeValue> of the "resource-selector" attribute. Each such node SHALL represent an Individual Resource.
>
> Each Individual Decision Request SHALL be identical to the original request context with two exceptions: the "scope" attribute SHALL NOT be present and an additional attribute with AttributeId of "urn:oasis:names:tc:xacml:3.0:profile:multiple:authorized-resource-id" SHALL be present. The DataType of this attribute shall be "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression", and the value SHALL be an XPath expression that evaluates to a single node in the <Content> element. The IncludeInResult XML attribute SHALL be "true".
>
> The content XML node selected by this Attribute SHALL be the Individual Resource. If the "resource-selector" attribute in the original request context contained an Issuer, the "authorized-resource-id" attribute in the Individual Resource Request SHALL contain the same Issuer.
> ==============================
>
> See these emails for previous comments on this issue:
>
> http://lists.oasis-open.org/archives/xacml/200910/msg00036.html
> http://lists.oasis-open.org/archives/xacml/200910/msg00052.html
> http://lists.oasis-open.org/archives/xacml/200911/msg00025.html
>
> Regards,
> --Paul
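As an added illustration (not code from this thread or from the XACML TC), the expansion the revised proposal describes: a resource-category Content plus a "multiple:content-selector" XPath becomes one Individual Decision Request per selected node, each carrying a resource-category "content-selector" that matches exactly one node and is the value echoed back in the result. The sample Content, the positional-XPath builder, the dict layout of attributes and the use of Python's ElementTree (which evaluates only a relative subset of XPath) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

MULTI = "urn:oasis:names:tc:xacml:3.0:profile:multiple:content-selector"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
XPATH = "urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"

# Constructed resource <Content>; sample data, not from the thread.
CONTENT = """<patients>
  <patient id="p1"><name>Alice</name></patient>
  <patient id="p2"><name>Bob</name></patient>
  <patient id="p3"><name>Carol</name></patient>
</patients>"""

def node_path(root, target):
    # Absolute positional XPath (e.g. /patients/patient[2]) that matches
    # exactly one node, built by walking a child->parent map upward.
    parents = {c: p for p in root.iter() for c in p}
    steps, node = [], target
    while node is not root:
        parent = parents[node]
        same = [c for c in parent if c.tag == node.tag]
        steps.append(f"{node.tag}[{same.index(node) + 1}]")
        node = parent
    return "/" + root.tag + "".join("/" + s for s in reversed(steps))

def expand(content_xml, attrs):
    # attrs maps AttributeId -> {"DataType", "Value"} (resource category).
    # Per the quoted 2.2.3 text: each Individual Decision Request keeps the
    # original attributes except "scope" and gains a single-node selector.
    root = ET.fromstring(content_xml)
    requests = []
    for node in root.findall(attrs[MULTI]["Value"]):
        single = {k: v for k, v in attrs.items() if k != "scope"}
        single[RESOURCE + ":content-selector"] = {
            "DataType": XPATH, "Value": node_path(root, node),
            "IncludeInResult": "true"}
        requests.append(single)
    return requests

def selected_ids(content_xml, requests):
    # Resolve each returned single-node selector back to its Content node
    # (ElementTree evaluates relative paths only, so drop the root step).
    root = ET.fromstring(content_xml)
    ids = []
    for req in requests:
        path = req[RESOURCE + ":content-selector"]["Value"]
        nodes = root.findall("./" + path.lstrip("/").partition("/")[2])
        assert len(nodes) == 1, "selector must identify exactly one node"
        ids.append(nodes[0].get("id"))
    return ids
```

Because each generated selector is positional, the PEP can map every returned decision back to exactly one Content node without the context handler ever rewriting the original request's attribute values.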