OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] [CR] AttributeSelectorIndirect

  • 1.  Re: [xacml] [CR] AttributeSelectorIndirect

    Posted 08-30-2002 00:13



    Subject: Re: [xacml] [CR] AttributeSelectorIndirect


    
    At lines 804-810 of draft 0.16e, there is a resource match in Example 2 Rule 1:
    
    <ResourceMatch MatchId="function:node-match">
      <ResourceAttributeDesignator AttributeId="urn:...:xpath"
        DataType="xsi:string"/>
      <AttributeValue DataType="xsi:string">/md:record</AttributeValue>
    </ResourceMatch>
    
    In the above example, the node-match function is defined as
    
    Function: node-match
    input:      xs:string, xs:string
    output:     xs:boolean
    description: receives two XPath expressions and executes an XPath processor on
    both. It generates two objects (the object types are defined in XPath 1.0,
    i.e. node-set, string, numeric, or boolean). When the two objects have an
    intersection, it returns true; otherwise it returns false.
    
    Instead of the above node-match function and the resource match
    specification, I would prefer the definition and resource match
    specification using <AttributeSelectorIndirect> below:
    
    Function: node-match
    input:      object, object
    output:     xs:boolean
    description: receives two objects. When the two node-sets have an intersection,
    it returns true; otherwise it returns false.
    
    <ResourceMatch MatchId="function:node-match">
      <AttributeSelectorIndirect>
        <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
      </AttributeSelectorIndirect>
      <AttributeSelector RequestContextPath="/md:record"/>
    </ResourceMatch>
    
    Another example (not an AttributeSelectorIndirect but an AttributeSelector case)
    is at lines 825-835. The function:string-equal should be the
    function:general-string-equal because <AttributeSelector> returns an object
    data type (maybe a node-set) and it is not proper to hand that to the
    string-equal function.
    
    <Condition FunctionId="function:string-equal">
      <SubjectAttributeDesignatorWhere
          AttributeId="urn:...:policy-number" DataType="xsi:string"/>
      <AttributeSelector RequestContextPath="/ctx:Request/ ... /md:policyNumber"
          DataType="xsi:string"/>
    </Condition>
    
    [should be]
    
    <Condition FunctionId="function:general-string-equal">
      <SubjectAttributeDesignatorWhere
          AttributeId="urn:...:policy-number" DataType="xsi:string"/>
      <AttributeSelector RequestContextPath="/ctx:Request/ ... /md:policyNumber"
          DataType="xsi:string"/>
    </Condition>
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
                                                                                                                                                        
    Polar Humenn <polar@syr.edu>
    To: Michiharu Kudoh/Japan/IBM@IBMJP
    cc: <xacml@lists.oasis-open.org>
    2002/08/30 03:27
    Subject: Re: [xacml] [CR] AttributeSelectorIndirect
    
    Michiharu,
    
    Is there a use case or example for this type of attribute selector?
    
    Cheers,
    -Polar
    
    On Thu, 29 Aug 2002, Michiharu Kudoh wrote:
    
    > Based on the discussion on the Monday call, Simon and I agreed to change the
    > schema to support an AttributeSelectorIndirect element to retrieve an XPath
    > expression from the context. I wonder whether the name of this element is
    > appropriate or not.
    >
    > <xs:complexType name="AttributeSelectorBaseType">
    >   <xs:sequence>
    >     <xs:element ref="xacml:XPathNamespace" minOccurs="0" maxOccurs="unbounded"/>
    >   </xs:sequence>
    >   <xs:attribute name="DataType" type="xs:anyURI" use="optional"/>
    >   <xs:attribute name="XPathVersion" type="xs:anyURI" use="optional"
    >     default="http://www.w3.org/TR/1999/Rec-xpath-19991116"/>
    > </xs:complexType>
    >
    > <xs:complexType name="AttributeSelectorType">
    >   <xs:complexContent>
    >     <xs:extension base="AttributeSelectorBaseType">
    >       <xs:attribute name="RequestContextPath" type="xs:string" use="required"/>
    >     </xs:extension>
    >   </xs:complexContent>
    > </xs:complexType>
    >
    > <xs:complexType name="AttributeSelectorIndirectType">
    >   <xs:complexContent>
    >     <xs:extension base="AttributeSelectorBaseType">
    >       <xs:choice>
    >         <xs:element ref="xacml:SubjectAttributeDesignator"/>
    >         <xs:element ref="xacml:ResourceAttributeDesignator"/>
    >         <xs:element ref="xacml:ActionAttributeDesignator"/>
    >         <xs:element ref="xacml:EnvironmentAttributeDesignator"/>
    >       </xs:choice>
    >     </xs:extension>
    >   </xs:complexContent>
    > </xs:complexType>
    >
    > <xs:element name="AttributeSelector" type="AttributeSelectorType"/>
    > <xs:element name="AttributeSelectorIndirect" type="AttributeSelectorIndirectType"/>
    >
    > <xs:element name="XPathNamespace" type="xacml:XPathNamespaceType"
    > substitutionGroup="xacml:AbstractDefaults"/>
    > <xs:complexType name="XPathNamespaceType">
    >   <xs:attribute name="NamespaceURI" type="xs:anyURI"/>
    >   <xs:attribute name="Prefix" type="xs:string" use="optional"/>
    > </xs:complexType>
    >
    >
    > Sample text for this element:
    >
    > 5.28. Element <AttributeSelectorIndirect>
    >
    > The <AttributeSelectorIndirect> element is a free-form pointing device into
    > the <xacml-context:Request> element using an attribute designator. The
    > actual XPath expression is retrieved from the context pointed to by that
    > attribute designator. Other than that, the semantics are the same as for the
    > <AttributeSelector> element. Support for the <AttributeSelectorIndirect>
    > element is OPTIONAL.
    >
    > The <AttributeSelectorIndirect> element is of AttributeSelectorIndirectType
    > complex type.
    > The <AttributeSelectorIndirect> element has one of the following elements:
    >
    > SubjectAttributeDesignator
    > ResourceAttributeDesignator
    > ActionAttributeDesignator
    > EnvironmentAttributeDesignator
    >
    > Michiharu
    >
    > IBM Tokyo Research Laboratory, Internet Technology
    > Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    >
    >
    >
    >
    >
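The evaluation the thread is arguing about, as an added example that is not part of the message, the XACML draft or any TC code. It models three things from the exchange: a resource match whose XPath is taken from a request attribute (the proposed <AttributeSelectorIndirect>), the proposed node-match as an intersection of two node-sets, and the string-equal versus general-string-equal question when an <AttributeSelector> yields more than one node. Everything concrete here is assumed: the namespace URIs, the `urn:PLACEHOLDER:xpath` attribute id standing in for the draft's elided `urn:...:xpath`, the sample request context, and the reading of general-string-equal as an XPath 1.0 general comparison (true if any node's string-value matches). XPath expressions are evaluated against the whole request context (so the draft's `/md:record` is written out as a full context path) using only the XPath subset that Python's `xml.etree` supports.

```python
import re
import xml.etree.ElementTree as ET

# Constructed namespace bindings (the role the draft's <XPathNamespace> plays).
NS = {"ctx": "urn:example:context", "md": "urn:example:medical"}

# Placeholder for the draft's elided "urn:...:xpath" resource attribute id.
XPATH_ATTRIBUTE_ID = "urn:PLACEHOLDER:xpath"

# Constructed request context: a subject policy number, an md:record with two
# policy numbers, and a resource attribute whose value is an XPath expression.
REQUEST_CONTEXT = """\
<ctx:Request xmlns:ctx="urn:example:context" xmlns:md="urn:example:medical">
  <ctx:Subject>
    <ctx:Attribute AttributeId="urn:example:policy-number"><ctx:AttributeValue>PN-0042</ctx:AttributeValue></ctx:Attribute>
  </ctx:Subject>
  <ctx:Resource>
    <ctx:ResourceContent>
      <md:record>
        <md:patient><md:policyNumber>PN-0042</md:policyNumber></md:patient>
        <md:guarantor><md:policyNumber>PN-9999</md:policyNumber></md:guarantor>
      </md:record>
    </ctx:ResourceContent>
    <ctx:Attribute AttributeId="urn:PLACEHOLDER:xpath"><ctx:AttributeValue>/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record</ctx:AttributeValue></ctx:Attribute>
  </ctx:Resource>
</ctx:Request>
"""


def load_context(xml_text):
    """Parse the context under a synthetic parent that plays the XPath document
    node, so an absolute path can be run as './...' with ElementTree."""
    document = ET.Element("document")
    document.append(ET.fromstring(xml_text))
    return document


def evaluate_xpath(document, xpath):
    """<AttributeSelector>: evaluate an absolute path and return the node-set."""
    if not xpath.startswith("/"):
        raise ValueError("this example evaluates absolute paths only")
    return document.findall("." + xpath, NS)


def attribute_designator(document, category, attribute_id):
    """<SubjectAttributeDesignator> / <ResourceAttributeDesignator>: the bag of
    string values of one attribute. Both arguments are policy-side constants."""
    path = "./ctx:Request/ctx:%s/ctx:Attribute[@AttributeId='%s']/ctx:AttributeValue" % (
        category, attribute_id)
    return [(v.text or "").strip() for v in document.findall(path, NS)]


def check_request_xpath(xpath):
    """An XPath taken from the request is untrusted input. Returns the reasons it
    would be refused (empty list = acceptable): absolute, declared prefixes only."""
    problems = []
    if not xpath.startswith("/"):
        problems.append("not an absolute path")
    for prefix in sorted(set(re.findall(r"([A-Za-z_][\w.-]*):", xpath)) - set(NS)):
        problems.append("undeclared prefix: " + prefix)
    return problems


def attribute_selector_indirect(document, category, attribute_id):
    """<AttributeSelectorIndirect>: fetch the XPath expression via an attribute
    designator, vet it, then evaluate it exactly like <AttributeSelector>."""
    values = attribute_designator(document, category, attribute_id)
    if len(values) != 1:
        raise ValueError("expected one XPath value, got %d" % len(values))
    problems = check_request_xpath(values[0])
    if problems:
        raise ValueError("refusing request XPath: " + "; ".join(problems))
    return evaluate_xpath(document, values[0])


def node_match(nodes_a, nodes_b):
    """Proposed node-match over two evaluated node-sets: true when they share at
    least one node (the same node, not merely related nodes)."""
    ids_a = {id(n) for n in nodes_a}
    return any(id(n) in ids_a for n in nodes_b)


def general_string_equal(value, nodes):
    """Assumed semantics for general-string-equal: XPath 1.0 general comparison,
    true if any node's string-value equals the string."""
    return any(value == "".join(n.itertext()).strip() for n in nodes)


def run_example(document):
    """Example 2 Rule 1 as the message reads it: resource match via the indirect
    selector, then the policy-number condition over a multi-node selection."""
    policy_record = evaluate_xpath(
        document, "/ctx:Request/ctx:Resource/ctx:ResourceContent/md:record")
    requested = attribute_selector_indirect(document, "Resource", XPATH_ATTRIBUTE_ID)
    numbers = evaluate_xpath(document, "//md:policyNumber")
    subject = attribute_designator(document, "Subject", "urn:example:policy-number")[0]
    return {
        "resource_matches": node_match(requested, policy_record),
        "policy_number_nodes": len(numbers),
        # a strictly typed string-equal needs exactly one string; two nodes cannot be coerced
        "strict_string_equal_possible": len(numbers) == 1,
        "condition_general_string_equal": general_string_equal(subject, numbers),
        "related_nodes_do_not_match": not node_match(numbers, evaluate_xpath(document, "//md:patient")),
    }


if __name__ == "__main__":
    for key, value in run_example(load_context(REQUEST_CONTEXT)).items():
        print(key, value)
```

Two points the output makes: the `//md:policyNumber` selection returns two nodes, so a function typed on a single `xs:string` has nothing well-defined to compare, whereas the any-node reading of general-string-equal succeeds because the patient's number matches the subject's; and because the indirect selector evaluates an expression supplied in the request context, the example vets that expression (absolute path, known prefixes only) before handing it to the XPath engine.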
    
    
    
    
    
    
    

