Re: [xacml] AttributeSelector description and functional requirements

[Erik Rissanen <erik@axiomatics.com>]

Hi Paul,

Thanks for the proposal. I think your text is simpler and easier to read 
than the current one, but I am afraid that it might contain subtle 
substantiative changes. Just from a quick review I can find at least 
three substantiative changes to the current text.

1. XACML data type extensions are no longer allowed under your proposal.

Currently the spec says:

"If the DataType specified in the AttributeSelector is a primitive data 
type defined in [XF] or [XS], then the value returned by the XPath 
expression SHALL be converted to the DataType specified in the 
<AttributeSelector> using the constructor function below [XF], Section 
5, that corresponds to the DataType."

Your proposal changes this to

"Convert the text value of each selected node to the desired datatype,
as specified in the DataType attribute.  Each value shall be constructed
using the appropriate constructor function from [XF] Section 5 listed
below, corresponding to the specified datatype."

Note the difference that your proposal doesn't say "if ...". The effect 
is that the attribute selector will only work with the specified data 
types, and not with any extensions.

2. You have dropped some of the text which specified error behavior. It 
used to say 'If an error occurs when converting the values returned by 
the XPath expression to the specified DataType, then the result of the 
AttributeSelector SHALL be "Indeterminate".' I can't find the 
corresponding text in your proposal.

3. You dropped the text about inherited namespaces. Was this an 
oversight, or does your proposal fix this "automagically"?

I would prefer to keep the text unchanged, rather than make a rewrite at 
this late stage, unless there is a real error in the text.

Best regards,
Erik


On 2009-12-23 21:14, Tyson, Paul H wrote:
> These are not substantive changes.  I suggest moving most of the
> AttributeSelector evaluation description and requirements to section 7,
> leaving 5.30 with mostly syntax description.
>
> I also tried to clarify the expected processing of AttributeSelector.
>
> ======================================
> 5.30 Element<AttributeSelector>
>
> The<AttributeSelector>  element produces a bag of unnamed, uncategorized
> attribute values.  The values shall be constructed from the node(s)
> selected by applying the Xpath expression given by the element's Path
> attribute to the XML content indicated by the element's Category
> attribute.  Support for the<AttributeSelector>  element is OPTIONAL.
>
> See section 7.3 for details of AttributeSelector evaluation.
>
> [insert schema snippet here]
>
> The<AttributeSelector>  element is of AttributeSelectorType complex
> type.
>
> The<AttributeSelector>  element has the following attributes:
>
> Category [Required]
>
> 	This attribute SHALL specify the Attributes category of the
> <Content>  element containing the XML from which nodes will be selected.
> It also indicates the Attributes category containing the applicable
> ContextSelectorId Attribute, if the element includes a ContextSelectorId
> xml attribute.
>
> ContextSelectorId [Optional]
>
> 	This attribute refers to the attribute (by its AttributeId) in
> the request context in the category given by the Category attribute.
> The referenced attribute MUST have datatype
> urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression, and must select
> a single node in the<Content>  element.  The XPathCategory attribute of
> the referenced attribute MUST be equal to the Category attribute of the
> attribute selector.
>
> Path [Required]
>
> 	This attribute SHALL contain an XPath expression to be evaluated
> against the specified XML content.  See Section 7.3 for details of the
> XPath evaluation during AttributeSelector processing.
>
> DataType [Required]
>
> 	The attribute specifies the datatype of the values returned from
> the evaluation of this<AttributeSelector>  element.
>
> MustBePresent [Required]
> 	This attribute governs whether the element returns
> "Indeterminate" or an empty bag in the event the XPath expression
> selects no node.  See Section 7.3.5.  Also see Sections 7.17.2 and
> 7.17.3.
>
>
> =============================
> (new section)
> 7.3.7 AttributeSelector evaluation
>
> An AttributeSelector element will be evaluated according to the
> following processing model.
>
> NOTE: It is not necessary for an implementation to actually follow these
> steps.  It is only necessary to produce results identical to those that
> would be produced by following these steps.
>
> 1. Construct an XML data structure suitable for xpath processing from
> the<Content>  element in the Attributes category given by the Category
> attribute.  The data structure shall be constructed so that the document
> node of this structure contains a single document element which
> corresponds to the single child element of the<Content>  element.  The
> constructed data structure shall be equivalent to one that would result
> from parsing a stand-alone XML document consisting of the contents of
> the<Content>  element (including any comment and processing-instruction
> markup).  The data structure must meet the requirements of the
> applicable xpath version.
>
> 2. Select a context node for xpath processing from this data structure.
> If there is a ContextSelectorId attribute, the context node shall be the
> node selected by applying the XPath expression given in the attribute
> value of the designated Attribute (in the Attributes category given by
> the AttributeSelector Category attribute).  It shall be an error if this
> evaluation returns no node or more than one node.  If there is no
> ContextSelectorId, the document node of the data structure shall be the
> context node.
>
> 3. Evaluate the XPath expression given in the Path attribute against the
> xml data structure, using the context node selected in the previous
> step.  It shall be an error if this evaluation returns anything other
> than a sequence of nodes (possibly empty).
>
> 4. Convert the text value of each selected node to the desired datatype,
> as specified in the DataType attribute.  Each value shall be constructed
> using the appropriate constructor function from [XF] Section 5 listed
> below, corresponding to the specified datatype.
>
>    xs:string()
>    xs:boolean()
>    xs:integer()
>    xs:double()
>    xs:dateTime()
>    xs:date()
>    xs:time()
>    xs:hexBinary()
>    xs:base64Binary()
>    xs:anyURI()
>    xs:yearMonthDuration()
>    xs:dayTimeDuration()
>
> 5. Return the bag of values or, if there are no values, return the
> appropriate value as described in section 7.3.5.
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>