Subject: Re: [xacml] [CR] AttributeSelectorIndirect
Line 804-810 of draft 0.16e, there is a resource match in Example 2 Rule 1:

  <ResourceMatch MatchId="function:node-match">
    <ResourceAttributeDesignator AttributeId="urn:...:xpath"
                                 DataType="xsi:string"/>
    <AttributeValue DataType="xsi:string">/md:record</AttributeValue>
  </ResourceMatch>

In the above example, the node-match function is defined as

  Function: node-match
  input: xs:string, xs:string
  output: xs:boolean
  description: receives two XPath expressions and executes the XPath
  processor on both. It generates two objects (object type is defined in
  XPath 1.0, i.e. node-set, string, numeric, or boolean). When the two
  objects have an intersection, it returns true; otherwise it returns false.

Instead of the above node-match function and the resource match
specification, I would prefer the definition and resource match
specification using <AttributeSelectorIndirect> below:

  Function: node-match
  input: object, object
  output: xs:boolean
  description: receives two objects. When the two node-sets have an
  intersection, it returns true; otherwise it returns false.

  <ResourceMatch MatchId="function:node-match">
    <AttributeSelectorIndirect>
      <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
    </AttributeSelectorIndirect>
    <AttributeSelector RequestContextPath="/md:record"/>
  </ResourceMatch>

Another example (not the AttributeSelectorIndirect but the AttributeSelector
case) is lines 825-835. The function:string-equal should be
function:general-string-equal because <AttributeSelector> returns an object
data type (maybe node-set) and it is not proper to hand it to the
string-equal function.

  <Condition FunctionId="function:string-equal">
    <SubjectAttributeDesignatorWhere
        AttributeId="urn:...:policy-number" DataType="xsi:string"/>
    <AttributeSelector
        RequestContextPath="/ctx:Request/ ... /md:policyNumber"
        DataType="xsi:string"/>
  </Condition>

[should be]

  <Condition FunctionId="function:general-string-equal">
    <SubjectAttributeDesignatorWhere
        AttributeId="urn:...:policy-number" DataType="xsi:string"/>
    <AttributeSelector
        RequestContextPath="/ctx:Request/ ... /md:policyNumber"
        DataType="xsi:string"/>
  </Condition>

Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428

Polar Humenn <polar@syr.edu>
2002/08/30 03:27
To: Michiharu Kudoh/Japan/IBM@IBMJP
cc: <xacml@lists.oasis-open.org>
Subject: Re: [xacml] [CR] AttributeSelectorIndirect

Michiharu,
Is there a use case or example for this type of attribute selector?
Cheers,
-Polar
On Thu, 29 Aug 2002, Michiharu Kudoh wrote:
> Based on the discussion on Monday call, Simon and I agreed to changing the
> schema to support an AttributeSelectorIndirect element to retrieve a XPath
> expression from the context. I wonder whether the name of this element is
> appropriate or not.
>
> <xs:complexType name="AttributeSelectorBaseType">
>   <xs:element ref="xacml:XPathNamespace" minOccurs="0" maxOccurs="unbounded"/>
>   <xs:attribute name="DataType" type="xs:anyURI" use="optional"/>
>   <xs:attribute name="XPathVersion" type="xs:anyURI" use="optional"
>                 default="http://www.w3.org/TR/1999/Rec-xpath-19991116"/>
> </xs:complexType>
>
> <xs:complexType name="AttributeSelectorType">
>   <xs:complexContent>
>     <xs:extension base="AttributeSelectorBaseType">
>       <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
>     </xs:extension>
>   </xs:complexContent>
> </xs:complexType>
>
> <xs:complexType name="AttributeSelectorIndirectType">
>   <xs:extension base="AttributeSelectorBaseType">
>     <xs:choice>
>       <xs:element ref="xacml:SubjectAttributeDesignator"/>
>       <xs:element ref="xacml:ResourceAttributeDesignator"/>
>       <xs:element ref="xacml:ActionAttributeDesignator"/>
>       <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
>     </xs:choice>
>   </xs:extension>
> </xs:complexType>
>
> <xs:element name="AttributeSelector" type="AttributeSelectorType"/>
> <xs:element name="AttributeSelectorIndirect" type="AttributeSelectorIndirectType"/>
>
> <xs:element name="XPathNamespace" type="xacml:XPathNamespaceType"
>             substitutionGroup="xacml:AbstractDefaults"/>
> <xs:complexType name="XPathNamespaceType">
>   <xs:attribute name="NamespaceURI" type="xs:anyURI"/>
>   <xs:attribute name="Prefix" type="xs:string" use="optional"/>
> </xs:complexType>
>
>
> Sample text for this element:
>
> 5.28. Element <AttributeSelectorIndirect>
>
> The <AttributeSelectorIndirect> element is a free-form pointing device into
> the <xacml-context:Request> element using an attribute designator. The
> actual xpath expression is retrieved from the context pointed by that
> attribute designator. Other than that, the semantics is the same with
> <AttributeSelector> element. Support for the <AttributeSelectorIndirect>
> element is OPTIONAL.
>
> The <AttributeSelectorIndirect> element is of AttributeSelectorIndirectType
> complex type.
> The <AttributeSelectorIndirect> element has either one of the following
> elements:
>
> SubjectAttributeDesignator
> ResourceAttributeDesignator
> ActionAttributeDesignator
> EnvironmentAttributeDesignator
>
> Michiharu
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
>
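
The resource match proposed in this thread, as an added example that is not part of the original messages or of the XACML draft: the indirect selector reads an XPath from a resource attribute in the request context, the direct selector uses the policy's own path, and node-match compares the two resulting node-sets. The namespace URIs, the attribute id and the request document are constructed for illustration, and ElementTree's XPath subset stands in for a full XPath 1.0 processor.

```python
import xml.etree.ElementTree as ET

# Constructed namespace URIs and attribute id (the thread elides the real URNs).
NS = {"ctx": "urn:example:context", "md": "urn:example:medical"}
XPATH_ATTR = "urn:example:resource:xpath"

def request_for(xpath):
    """Constructed request context whose resource carries `xpath` as an attribute."""
    return f"""<ctx:Request xmlns:ctx="{NS['ctx']}" xmlns:md="{NS['md']}">
      <ctx:Resource>
        <ctx:Attribute AttributeId="{XPATH_ATTR}">
          <ctx:AttributeValue>{xpath}</ctx:AttributeValue>
        </ctx:Attribute>
        <ctx:ResourceContent>
          <md:record><md:policyNumber>555</md:policyNumber></md:record>
        </ctx:ResourceContent>
      </ctx:Resource>
    </ctx:Request>"""

def select(root, xpath):
    """Evaluate an absolute path against the context; returns a node-set (list)."""
    if not xpath.startswith("/"):
        raise ValueError("expected an absolute path: " + xpath)
    doc = ET.Element("document")  # synthetic parent so "/" means the document root
    doc.append(root)
    return doc.findall("." + xpath, NS)

def designator(root, attribute_id):
    """Resolve a resource attribute designator to the attribute's value strings."""
    values = []
    for attr in select(root, "/ctx:Request/ctx:Resource/ctx:Attribute"):
        if attr.get("AttributeId") == attribute_id:
            values += [v.text.strip() for v in attr.findall("ctx:AttributeValue", NS)]
    return values

def node_match(nodes_a, nodes_b):
    """Object-typed node-match: true when the two node-sets share a node."""
    seen = {id(n) for n in nodes_a}
    return any(id(n) in seen for n in nodes_b)

def resource_match(request_xml, attribute_id, policy_path):
    root = ET.fromstring(request_xml)
    indirect = []
    for xp in designator(root, attribute_id):   # AttributeSelectorIndirect
        indirect += select(root, xp)
    direct = select(root, policy_path)          # AttributeSelector
    return node_match(indirect, direct)
```

A request whose attribute points at `//md:policyNumber` does not match a policy path of `//md:record`, even though the policy number sits inside the record: the intersection is over node identity, not containment.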