[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Issue for Errata: XPathCategory attribute not in schema or spec + other related issues
Yes, Steven is right. XPathCategory uses the <AttributeValue> schema extension point for any XML attribute. Best regards, Erik On 05/01/2013 03:38 AM, Steven Legg wrote: > > Hi Rich, > > On 1/05/2013 9:41 AM, rich levinson wrote: >> The XPathCategory attribute, described in: >> >> * section 5.30, line 2489, >> * Appendix A.2, line 4052 >> >> which also shows up in examples: >> >> * 4.2.2 Example RequestContext, line 967, >> * 4.2.4.1 Rule 1, line 1089, >> * 4.2.4.2 Rule 2, line 1253, >> * 4.2.4.3 Rule 3, line 1418, >> * 4.2.4.4 Rule 4, line 1588 >> >> does not appear in any of the schema descriptions in the spec, nor in >> the xsd, itself. >> >> Based on the text of Appendix A.2 XPathExpression, lines 4050-4053: >> >> "... When the value is encoded in an <AttributeValue> element, >> the namespace context is given by the <AttributeValue> element >> and an XML attribute called XPathCategory gives the category >> of the <Content> element where the expression applies. ..." >> >> and the fact that the XPathCategory shows up in AttributeValue >> elements in the examples, it would seem that AttributeValue might >> need to have the XPathCategory xml attribute defined for it as >> an optional attribute. > > It would be nice, but it isn't necessary. The XML Schema definition of > AttributeValueType includes this line: > > <xs:anyAttribute namespace="##any" processContents="lax"/> > > which means that an <AttributeValue> with an XPathCategory XML > attribute is > schema valid. > >> >> One other related issue has to do with the description of the >> ContextSelectorId >> attribute that refers to XPathCategory (lines 2485-2490): >> >> "ContextSelectorId [Optional] >> This attribute refers to the attribute (by its AttributeId) in >> the request context >> in the category given by the Category attribute. >> The referenced attribute MUST have data type >> urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression, >> and must select a single node in the <Content> element. >> The XPathCategory attribute of the referenced attribute MUST be >> equal to >> the Category attribute of the attribute selector." >> >> The last sentence of the above description sounds like XPathCategory >> is an attribute of the <Attribute> element, as opposed to the >> <AttributeValue> >> element. > > I took this to be an error because AttributeValueType allows the > XPathCategory > XML attribute, but AttributeType doesn't. The preceding sentence is > also wrong > in that AttributeType doesn't allow a DataType XML Attribute. The > referenced > attribute is also effectively restricted to a single value. The last two > sentences should read something like this: > > "The referenced attribute MUST have a single attribute value. That > attribute > value MUST have data type > urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression, > and must select a single node in the <Content> element. The > XPathCategory > XML attribute of the attribute value MUST be equal to the > Category attribute > of the attribute selector." > > Mind you, I'd still be happy if the referenced attribute were allowed > to have > multiple values that collectively select more than one node in the > <Content> element. > >> >> A second related issue also has to do with the above >> ContextSelectorId text, except >> that the issue is implicit by the examples, where in the example >> rules, the construct >> used is an AttributeDesignator in a <Match> element, as opposed to an >> AttributeSelector. >> >> Despite the fact that the AttributeDesignator construct is not >> defined in the spec >> for XPathExpression, its use in the examples appears logical and I >> would suggest >> adding an explanation that when an AttributeDesignator contains an >> XPathExpression DataType, that the associated AttributeValue in the >> Match >> element can have an XPathCategory specifying which Attributes element >> the >> Content is that the value should be selected from. > > Whether or not an AttributeValue with the xpathExpression data type is > appropriate > in a Match element is determined by the MatchId, not the > AttributeDesignator. As > it happens, the only standard XPath functions that are eligible to be > used in a Match > take a pair of xpathExpression arguments, so either the > AttributeDesignator and > AttributeValue both have xpathExpression as the DataType or neither > does. However, > other functions could conceivably be defined that allow > xpathExpression to be > mixed with other data types. > > Regards, > Steven > >> >> Thanks, >> Rich >> > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]