OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xacml] Attribute selector result when there is no category or content element


+1

> -----Original Message-----
> From: Erik Rissanen [mailto:erik@axiomatics.com]
> Sent: Friday, June 12, 2015 3:44 AM
> To: xacml@lists.oasis-open.org
> Subject: Re: [xacml] Attribute selector result when there is no
> category or content element
> 
> For me the sensible thing is to return either empty bag or
> Indeterminate, based on the MustBePresent setting.
> 
> Best regards,
> Erik
> 
> On 2015-06-12 03:33, Steven Legg wrote:
> >
> > While proofreading the latest working draft of the Entities Profile I
> > noticed a gap in the description of the <AttributeSelector> element
> in
> > the XACML core specification that is also a gap, by inheritance, in
> > the description of the attribute-selector function in the Entities
> > Profile.
> >
> > The core specification doesn't detail what the response of evaluating
> > the <AttributeSelector> should be when either an <Attributes> element
> > specified by the Category XML attribute doesn't exist in the request
> > context, or such an <Attributes> element does exist but it doesn't
> > have a <Content> child element (it being optional). Section 7.3.7,
> > which describes attribute selector evaluation, assumes both are
> > present as a starting point.
> >
> > The description of the <AttributeDesignator> element says to consider
> > the MustBePresent XML attribute if no matching attribute is found,
> but
> > the description of the <AttributeSelector> element doesn't have
> > anything similar. Its definition of the MustBePresent XML attribute
> > only says what to do "in the event the XPath expression selects no
> > node". If the <Attributes> or <Content> element are absent we don't
> > get as far as evaluating the XPath expression. Section 7.3.7 talks
> > about constructing a stand-alone XML document from the contents of
> the
> > <Content> element. We can't simply assume an empty element if it
> isn't
> > actually present because the <Content> element must have a child and
> > an XML document must have a root element. Without a valid XML
> document
> > there is no context node to which to apply the XPath expression.
> >
> > Consistency with attribute designators would suggest deferring to the
> > MustBePresent setting when an attribute selector doesn't find the
> > <Attributes> element or the <Content> element (FWIW, this is what the
> > ViewDS PDP does).
> > Note that Section 7.3.5 says "If the attribute is missing, then
> > MustBePresent governs whether the attribute designator or attribute
> > selector returns an empty bag or an “Indeterminate” result". The
> > statement is bogus in the case of an attribute selector because it
> > isn't an attribute that is missing.
> > Whether it really meant an empty node set or something more is open
> to
> > interpretation.
> >
> > If we can get consensus on a solution I can update the Entities
> > Profile accordingly and we can add the equivalent to the errata for
> the core.
> >
> > Regards,
> > Steven
> >
> > ---------------------------------------------------------------------
> > To unsubscribe from this mail list, you must leave the OASIS TC that
> > generates this mail.  Follow this link to all your TCs in OASIS at:
> > https://www.oasis-
> open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]