Subject: Re: [xacml] Attribute selector result when there is no category or content element
Best regards,
Erik

On 2015-06-12 03:33, Steven Legg wrote:
While proofreading the latest working draft of the Entities Profile I noticed a gap in the description of the <AttributeSelector> element in the XACML core specification that is also a gap, by inheritance, in the description of the attribute-selector function in the Entities Profile.

The core specification doesn't detail what the response of evaluating the <AttributeSelector> should be when either an <Attributes> element specified by the Category XML attribute doesn't exist in the request context, or such an <Attributes> element does exist but it doesn't have a <Content> child element (it being optional). Section 7.3.7, which describes attribute selector evaluation, assumes both are present as a starting point.

The description of the <AttributeDesignator> element says to consider the MustBePresent XML attribute if no matching attribute is found, but the description of the <AttributeSelector> element doesn't have anything similar. Its definition of the MustBePresent XML attribute only says what to do "in the event the XPath expression selects no node". If the <Attributes> or <Content> element is absent we don't get as far as evaluating the XPath expression.

Section 7.3.7 talks about constructing a stand-alone XML document from the contents of the <Content> element. We can't simply assume an empty element if it isn't actually present because the <Content> element must have a child and an XML document must have a root element. Without a valid XML document there is no context node to which to apply the XPath expression.

Consistency with attribute designators would suggest deferring to the MustBePresent setting when an attribute selector doesn't find the <Attributes> element or the <Content> element (FWIW, this is what the ViewDS PDP does).

Note that Section 7.3.5 says "If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an “Indeterminate” result". The statement is bogus in the case of an attribute selector because it isn't an attribute that is missing. Whether it really meant an empty node set or something more is open to interpretation.

If we can get consensus on a solution I can update the Entities Profile accordingly and we can add the equivalent to the errata for the core.

Regards,
Steven
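The resolution proposed in the message above, sketched as an added example (not code from the XACML specification, the Entities Profile or the ViewDS PDP): a missing <Attributes> or <Content> element is treated like an empty node set, so MustBePresent decides between an empty bag and "Indeterminate". The request, the category URIs and the `evaluate_selector` helper are constructed for illustration, and ElementTree's XPath subset, applied relative to the child of <Content>, stands in for a full XPath engine.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
INDETERMINATE = "Indeterminate"

# Constructed request context: one category with <Content>, one without,
# and no environment category at all.
REQUEST = f"""
<Request xmlns="{XACML}">
  <Attributes Category="urn:example:category:resource">
    <Content><record xmlns=""><owner>alice</owner></record></Content>
  </Attributes>
  <Attributes Category="urn:example:category:subject"/>
</Request>
"""

def evaluate_selector(request_xml, category, path, must_be_present):
    """Return a bag (list of strings) or INDETERMINATE (hypothetical helper)."""
    # Proposed rule: every "nothing to select from" case defers to MustBePresent.
    missing = INDETERMINATE if must_be_present else []
    request = ET.fromstring(request_xml)
    attrs = next((a for a in request.findall("x:Attributes", NS)
                  if a.get("Category") == category), None)
    if attrs is None:
        # Gap 1: no <Attributes> element for the requested Category.
        return missing
    content = attrs.find("x:Content", NS)
    if content is None or len(content) == 0:
        # Gap 2: no <Content>, so no stand-alone document and no context node.
        return missing
    # Section 7.3.7 starting point: the child of <Content> is the document root.
    root = content[0]
    nodes = root.findall(path)  # assumption: simple path, ElementTree subset
    if not nodes:
        # The one case the MustBePresent definition already covers.
        return missing
    return [n.text or "" for n in nodes]
```

With this rule a policy author gets the same outcome whether the category, the content, or the selected node is absent, which matches how attribute designators already behave.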