OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

Re: [xacml] XPath/AttributeSelector question

  • 1.  Re: [xacml] XPath/AttributeSelector question

    Posted 05-10-2004 16:47
     MHonArc v2.5.0b2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


    Subject: Re: [xacml] XPath/AttributeSelector question


    
    Thanks for your comments on this issue! A few comments/questions:
    
    On Thu, 2004-05-06 at 21:00, Satoshi Hada wrote:
    > >> the term "context node" this means not only that the 
    > >> Request element is the root of the XPath query, but that the
    > Request 
    > >> element also provides all namespace information. Is this correct?
    > 
    > I don't think the term has some implication about how or where we need
    > to provide namespace-related information, 
    > in particular, where we specify the required PREFIX-to-URI mapping
    > (But I may be wrong).
    
    Ok. Since I didn't see any text elsewhere in the specification about
    namespace mapping, I wasn't sure if the intent of the term "context
    node" was to define the mapping or not. Thanks.
    
    > Please see the mails with the title "Test cases for Attribute
    > Selector" for related discussion.
    > http://lists.oasis-open.org/archives/xacml-comment/200303/maillist.html
    
    Right, this raises a similar question to mine, but it doesn't lead to a
    resolution. Has this issue been discussed in the TC before? Was there
    concensus on namespace resolution? I think it would be a good idea to
    make this clearer in 2.0 so there's no ambiguity about namespace
    handling.
    
    > I have two comments on this issue.
    > 
    > (A)
    > Personally, I feel the namespace information (xmlns attributes)
    > required to resolve an XPath expression 
    > should be provided in policies but not in request contexts since
    > attribute selectors (and XPath expressions) are specified in policies 
    > but not in request contexts. If a policy specifies an XPath expression
    > (e.g. /md:record) in an attribute selector but 
    > provides no namespace information (no "xmlns:md" attribute), then I
    > think the policy is ambiguous by itself.
    
    That sounds fine to me. The problem I was having is that I don't see
    anything in the specification that makes this clear. Am I just missing
    that text? :) If not, I think it would be a good idea to clarify this in
    XACML 2.0.
    
    > (B)
    > There is no reason why we must use the same namespace prefix to
    > represent a namespace URI
    > in policies and request contexts.
    > Take for example the IIF007 testcase. The policy and request use the
    > same prefix "md".
    > However, I believe that it should work even if the policy and reqeust
    > use two different prefixes:
    > 1) In IIIF007Policy.xml, replace the prefix "md" with a different one
    > (e.g. "medical"), but
    > 2) In IIIF007Request.xml, leave the prefix "md" as it is.
    > Note that the two prefixes still represent the same URI.
    > In this case, information required to resolve the "medical" prefix
    > should be provided in IIIF007Policy.xml
    > and information required to resolve the "md" prefix should be provided
    > in IIIF007Request.xml
    
    I agree. This makes complete sense, especially given your comment A
    above.
    
    > From my perspective, IIIF002Request.xml does not need to have the
    > "xmlns:md" attribute since 
    > it does not use the prefix "md" in it (even though IIIF002Policy.xml
    > uses it).
    
    Agreed.
    
    
    seth
    
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]