OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Paul's xpath proposal

Paul, All,

Thanks Paul for the xpath proposal write up at

http://wiki.oasis-open.org/xacml/XpathDiscussion

Permanent link to the version I am discussing in this email:

http://wiki.oasis-open.org/xacml/XpathDiscussion?action=recall&rev=1

It seems mostly good as far as I understand it and does not appear to 
have the performance issues that some of the ideas which have been 
floating around earlier.

I have a few questions:

1. Regarding the request model, you propose a new element 
Request/Content[@Category="general"]. Can't we make it 
Request/Attributes[@Category="general"]/Content instead? It would have 
the same capabilities and the benefit is that we don't need to change 
the current schema or introduce new constructs to reach the new 
<Content> element directly under the <Request> element.

2. I don't understand why the xpath-node-match, xpath-node-equal and 
xpath-node-count functions are no longer needed. The capabilities of 
these functions are very different from the capabilities of the 
attribute selector and I don't see how you could use the attribute 
selector as an alternative, even with your proposed changes.

Here is an example target with the xpath-node-equal function:

<Target>
<AnyOf>
<AllOf>
<Match
                            
MatchId="urn:oasis:names:tc:xacml:3.0:function:xpath-node-match">
<AttributeValue
                                
XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">
                                md:record/md:patient_info
</AttributeValue>
<AttributeDesignator
                                
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
</Match>
</AllOf>
</AnyOf>
</Target>

The target will allow any request where the resource-id is an xpath 
which selects a node within the md:record/md:patient_info element. I 
don't think you can do this with an attribute selector. An attribute 
selector retrieves a value from XML content, while xpath-node-match 
tests whether two expressions select the same nodes in the XML content.

3. I think the IncludeInResult attribute can be inherited from the 
multiple:content-selector attribute, rather than always be true.

4. Can't we do with a single URI urn:...:content-selector, rather than 
one for each category: ...:subject:content-selector, 
...:resource:content-selector? That would make it more general and the 
same mechanism would work for user/application defined categories such 
as "web-service-message", or whatever somebody might need in the future.

5. To verify that I understand you, is this what you propose?

<xs:complexType name="AttributeSelectorType">
<xs:complexContent>
<xs:extension base="xacml:ExpressionType">
<xs:attribute name="Category" type="xs:anyURI" use="required"/>
New ---> <xs:attribute name="ContextAttributeId" type="xs:anyURI" 
use="required"/>
<xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
<xs:attribute name="MustBePresent" type="xs:boolean" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>

Description for the new ContextAttributeId would be: The 
ContextAttributeId selects by the AttributeId an <Attribute> in the 
request context within the <Attributes> element with Category equal to 
the Category of the <AttributeSelector>. The selected <Attribute> MUST 
have datatype urn:..FIXME..:XPathExpression and contain exactly one 
value. The selected XPathExpression is applied with the <Content> 
element in the given category as the context node. The XPath expression 
must select a single node within the <Content> element. This node 
becomes the context node of the RequestContextPath xpath expression. << 
Various error conditions need to be defined as well >>


Note that I think Paul assumes that we have dropped XPathCategory 
attribute of the XPathExpression data type. That is correct if the xpath 
is to be used with the selector since in this case the path is relative 
to a context node defined by the selector. Hoever, if we would have to 
keep the xpath match functions, then the XPathExpression is still 
required since the xpath match function itself does not define a context 
node. (An alternative would be to specify the context node as another 
argument to the xpath node function, and we did in an early draft, but 
this has the problem that the xpath node match functions can no longer 
be used in a target <Match> because of the number of arguments.)

If we find that we need to keep the xpath match functions, we could make 
the XPathCategory optional.

6. I am not sure if I like the name "ContextAttributeId". I can't think 
of a good alternative though. Maybe "ContextSelectorAttribute"?

Best regards,
Erik

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]