OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

Re: [xacml] change request: namespaces in xpath expressions

  • 1.  Re: [xacml] change request: namespaces in xpath expressions

    Posted 09-27-2002 08:07
     MHonArc v2.5.2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Subject: Re: [xacml] change request: namespaces in xpath expressions


    
    I understand your intention but I am not sure whether or not using standard
    XML namespace (your first proposal) is really good for our case.
    
    My opinion is that standard XML namespace (you mean xmlns:md
    ="http://www.... record.xsd", right?) should primarily mean the namespace
    for element name of the policy itself. In other words, XACML policy may
    include other namespace (currently seems not but actually we had when SAML
    schema fragment was used in our policy). I think xmlns should be used for
    that case. Since we need to determine the namespace for the value of the
    policy (not element name nor attribute name), it seems reasonable to use
    application-specific namespace designator (XPathNamespace) currently we
    have. How do you think?
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
                                                                                                                                                        
                          Simon Godik                                                                                                                   
                          <simon@godik.com>        To:       xacml@lists.oasis-open.org                                                                 
                                                   cc:                                                                                                  
                          2002/09/27 14:04         Subject:  [xacml] change request: namespaces in xpath expressions                                    
                                                                                                                                                        
                                                                                                                                                        
                                                                                                                                                        
    
    
    
    There are several instances in the policy schema where we pass xpath
    expressions as arguments.
    1. In the case of <xacml:AttributeSelector> element RequestContextPath
    attribute contains xpath expression
    that selects xacml attribute value from the context.
    2. When xpath functions are used in the target, the value to match agains
    is xpath expression.
    When xpath functions are used in conditions they take xpath expressions as
    arguments.
    
    All examples are from section 4.2
    
    For the attribute-selector we use XPathNamespace element that maps
    namespace uri to namespace prefix
    (essentially duplicating standard xml namespace declaration)
    
    AttributeSelector:
    <AttributeSelector RequestContextPath=
        "//ctx:RequestContext/md:record/md:patient/md:policyNumber">
        <XPathNamespace NamespaceURI="urn:names:tc:xacml:1.0:context" Prefix="
    ctx"/>
        <XPathNamespace NamespaceURI="http://www.medico.com/schemas/record.xsd";
    Prefix="md"/>
    </AttributeSelector>
    
    For other uses of xpath functions we do not have special provisions for
    namespace mapping.
    Here is how xpath expression is used in the target to match request:
    
    <ResourceMatch matchId="function:xpath-match">
        <ResourceAttributeDesignator AttributeId=
            "urn:oasis:names:tc:xacml:1.0:resource:xpath"/>
        <AttributeValue>/md:record</AttributeValue>
    </ResourceMatch>
    
    In this case we rely on standard xml namespace declaration for the md
    prefix.
    
    To summarise: we use two methods to deal with the same problem: one is
    standard and one is not.
    
    Proposal:
    1. Use standard xml namespace declarations mechanism in both cases and drop
    <XPathNamespace> element.
    2. Change RequestContextType attribute of AttributeSelector to xs:string
    (it is currently xs:anyURI).
    
    Simon
    
    
    
    
    
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Powered by eList eXpress LLC