Subject: RE: [xacml] Attribute selector result when there is no category or content element
+1

> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Friday, June 12, 2015 3:44 AM
> To: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Attribute selector result when there is no
> category or content element
>
> For me the sensible thing is to return either empty bag or
> Indeterminate, based on the MustBePresent setting.
>
> Best regards,
> Erik
>
> On 2015-06-12 03:33, Steven Legg wrote:
> >
> > While proofreading the latest working draft of the Entities Profile I
> > noticed a gap in the description of the <AttributeSelector> element in
> > the XACML core specification that is also a gap, by inheritance, in
> > the description of the attribute-selector function in the Entities
> > Profile.
> >
> > The core specification doesn't detail what the response of evaluating
> > the <AttributeSelector> should be when either an <Attributes> element
> > specified by the Category XML attribute doesn't exist in the request
> > context, or such an <Attributes> element does exist but it doesn't
> > have a <Content> child element (it being optional). Section 7.3.7,
> > which describes attribute selector evaluation, assumes both are
> > present as a starting point.
> >
> > The description of the <AttributeDesignator> element says to consider
> > the MustBePresent XML attribute if no matching attribute is found, but
> > the description of the <AttributeSelector> element doesn't have
> > anything similar. Its definition of the MustBePresent XML attribute
> > only says what to do "in the event the XPath expression selects no
> > node". If the <Attributes> or <Content> element are absent we don't
> > get as far as evaluating the XPath expression. Section 7.3.7 talks
> > about constructing a stand-alone XML document from the contents of the
> > <Content> element. We can't simply assume an empty element if it isn't
> > actually present because the <Content> element must have a child and
> > an XML document must have a root element. Without a valid XML document
> > there is no context node to which to apply the XPath expression.
> >
> > Consistency with attribute designators would suggest deferring to the
> > MustBePresent setting when an attribute selector doesn't find the
> > <Attributes> element or the <Content> element (FWIW, this is what the
> > ViewDS PDP does).
> >
> > Note that Section 7.3.5 says "If the attribute is missing, then
> > MustBePresent governs whether the attribute designator or attribute
> > selector returns an empty bag or an “Indeterminate” result". The
> > statement is bogus in the case of an attribute selector because it
> > isn't an attribute that is missing.
> > Whether it really meant an empty node set or something more is open to
> > interpretation.
> >
> > If we can get consensus on a solution I can update the Entities
> > Profile accordingly and we can add the equivalent to the errata for
> > the core.
> >
> > Regards,
> > Steven
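The behaviour proposed in this thread (defer to MustBePresent when the <Attributes> or <Content> element is absent), as an added sketch that is not code from the thread, the XACML specification or any PDP. The names `select_attribute`, `missing` and `INDETERMINATE` are hypothetical, the request is constructed sample data, and ElementTree's limited path syntax stands in for full XPath, returning element text rather than typed values.

```python
import xml.etree.ElementTree as ET

XACML_NS = {"x": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"}
INDETERMINATE = "Indeterminate"  # hypothetical sentinel for the error result

RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

# Constructed request: resource has <Content>, subject has <Attributes> but
# no <Content>, and the action category is absent altogether.
REQUEST = f"""
<x:Request xmlns:x="{XACML_NS['x']}" ReturnPolicyIdList="false" CombinedDecision="false">
  <x:Attributes Category="{RESOURCE}">
    <x:Content><record><patient><name>Alice</name></patient></record></x:Content>
  </x:Attributes>
  <x:Attributes Category="{SUBJECT}"/>
</x:Request>
"""

def missing(must_be_present):
    """Defer to MustBePresent, as an attribute designator does."""
    return INDETERMINATE if must_be_present else []

def select_attribute(request_xml, category, path, must_be_present=False):
    request = ET.fromstring(request_xml)
    attributes = next((a for a in request.findall("x:Attributes", XACML_NS)
                       if a.get("Category") == category), None)
    content = attributes.find("x:Content", XACML_NS) if attributes is not None else None
    if content is None or len(content) == 0:
        # The gap from the thread: no <Attributes> or no <Content> (or, as an
        # assumption here, a childless one), so no document and no context node.
        return missing(must_be_present)
    # Stand-in for the document node of the stand-alone document (Section 7.3.7).
    document = ET.Element("document-node")
    document.append(content[0])
    bag = [node.text or "" for node in document.findall(path)]
    # The case the core spec does define: the XPath expression selects no node.
    return bag if bag else missing(must_be_present)

if __name__ == "__main__":
    for cat in (RESOURCE, SUBJECT, ACTION):
        for mbp in (False, True):
            print(cat.rsplit(":", 1)[-1], mbp,
                  select_attribute(REQUEST, cat, "record/patient/name", mbp))
```

With MustBePresent false, a policy condition over the subject or action category sees an empty bag exactly as it would for an unmatched XPath expression; with it true, the absence surfaces as Indeterminate instead of being silently skipped.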