Subject: Attribute selector result when there is no category or content element

While proofreading the latest working draft of the Entities Profile I noticed
a gap in the description of the <AttributeSelector> element in the XACML core
specification that is also a gap, by inheritance, in the description of the
attribute-selector function in the Entities Profile.

The core specification doesn't detail what the response of evaluating the
<AttributeSelector> should be when either an <Attributes> element specified
by the Category XML attribute doesn't exist in the request context, or such
an <Attributes> element does exist but it doesn't have a <Content> child
element (it being optional). Section 7.3.7, which describes attribute selector
evaluation, assumes both are present as a starting point.

The description of the <AttributeDesignator> element says to consider the
MustBePresent XML attribute if no matching attribute is found, but the
description of the <AttributeSelector> element doesn't have anything
similar. Its definition of the MustBePresent XML attribute only says what
to do "in the event the XPath expression selects no node". If the <Attributes>
or <Content> element is absent we don't get as far as evaluating the
XPath expression. Section 7.3.7 talks about constructing a stand-alone XML
document from the contents of the <Content> element. We can't simply assume
an empty element if it isn't actually present because the <Content> element
must have a child and an XML document must have a root element. Without a
valid XML document there is no context node to which to apply the XPath

Consistency with attribute designators would suggest deferring to the
MustBePresent setting when an attribute selector doesn't find the <Attributes>
element or the <Content> element (FWIW, this is what the ViewDS PDP does).
Note that Section 7.3.5 says "If the attribute is missing, then MustBePresent
governs whether the attribute designator or attribute selector returns an
empty bag or an “Indeterminate” result". The statement is bogus in the
case of an attribute selector because it isn't an attribute that is missing.
Whether it really meant an empty node set or something more is open to

If we can get consensus on a solution I can update the Entities Profile
accordingly and we can add the equivalent to the errata for the core.
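
Added example (not part of the original message, and not code from ViewDS or the XACML specification): a sketch of the behaviour proposed above, in which an absent <Attributes> or <Content> element is handled like an empty node set and MustBePresent decides the result. The function names, the constructed request and the use of ElementTree's XPath subset in place of a full XPath engine are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

class Indeterminate(Exception):
    """Stands for the XACML 'Indeterminate' result; the message records why."""

def evaluate_selector(request_xml, category, path, must_be_present):
    """Return a bag (list of strings) or raise Indeterminate.
    Assumed rule (the proposal in the message, not core spec text): a missing
    <Attributes> or <Content> is treated like an XPath that selects no node."""
    request = ET.fromstring(request_xml)
    attrs = [a for a in request.findall("x:Attributes", NS)
             if a.get("Category") == category]
    # <Content> is optional; when present the schema requires one child.
    contents = [c for a in attrs for c in a.findall("x:Content", NS) if len(c)]
    if not attrs:
        reason = "no <Attributes> element for the category"
    elif not contents:
        reason = "<Attributes> has no <Content> child"
    else:
        # Wrap the single child of <Content> so `path` is evaluated from a
        # stand-in document node (ElementTree supports only an XPath subset).
        doc = ET.Element("document")
        doc.append(contents[0][0])
        bag = [n.text or "" for n in doc.findall(path)]
        if bag:
            return bag
        reason = "XPath expression selected no node"
    if must_be_present:
        raise Indeterminate(reason)
    return []  # MustBePresent="false": empty bag in all three cases

# Constructed request: resource has <Content>, subject has none, action is absent.
REQUEST = f"""<Request xmlns="{NS['x']}">
  <Attributes Category="{RESOURCE}">
    <Content><record xmlns=""><owner>alice</owner></record></Content>
  </Attributes>
  <Attributes Category="{SUBJECT}"/>
</Request>"""

def outcome(category, path, must_be_present):
    try:
        return evaluate_selector(REQUEST, category, path, must_be_present)
    except Indeterminate as exc:
        return f"Indeterminate: {exc}"
```
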
