OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Updated XACML Conformance Test Suite

    Posted 03-11-2003 19:10
    I have sent Michiharu Kudo an updated XACML Conformance Test
    suite to be posted to the XACML TC web site.
    
    This update to the XACML Conformance Test suite contains all
    changes requested on the xacml-comment@lists.oasis-open.org
    mailing list in messages up to and including
    http://lists.oasis-open.org/archives/xacml-comment/200303/msg00016.html
    
    a) Added tests III.A Obligations.  Contributed by Satoshi
       Hada <SATOSHIH@jp.ibm.com> in 
       http://lists.oasis-open.org/archives/xacml-comment/200303/msg00010.html
    
    b) Replaced the six policy files for III.F Attribute Selector as
       requested by Satoshi Hada <SATOSHIH@jp.ibm.com> in
       http://lists.oasis-open.org/archives/xacml-comment/200303/msg00012.html
    
       "I want to replace the six policy files for III F attribute selectors.
         I've added the namespace declaration to each file.
         xmlns:md="http://www.medico.com/schemas/record""
    
    c) Replaced IIIF002Request.xml as requested by John Merrells in
       http://lists.oasis-open.org/archives/xacml-comment/200303/msg00013.html
    
       Satoshi Hada> In IIF002Request.xml, the namespace prefix "md" is not used at all.
       Why do you think you need it?
    
       John Merrells> Hmm - yeah, but there's a problem here.
    
       I use the document element of the request as the context node for
       executing the XPath expression... The expression includes references
       to the 'md' namespace and the request document element doesn't
       define it so my XPath processor complained. I'd assumed that the
       XPath expression was written within the context of the request...
       since it makes no sense within the context of the policy.
    
       If the namespace isn't defined in the request then I don't know if
       my XPath expression is invalid, or the request is invalid.
    
       It appears that you're writing the XPath expression with the context
       of the Policy... so the only thing I could do is copy all the policy
       namespace definitions to the request before processing the XPath.
    
       BUT... that's making the big assumption that the namespace
       definitions can be merged without any redefinitions or collisions.
    
       So I guess I need to take the namespace references in the policy
       XPath expression and map those onto URIs... then look those URIs
       up in the request namespace definitions to get the prefix that's used
       in the request... then I can rewrite the XPath expression so that it
       can be executed within the context of the request.
    
       ...yuck.
    
       Satoshi Hada>
       >> I'd assumed that the
       >> XPath expression was written within the context of the request...
    
       Okay, I agree that some PDP implementation may assume so.
    
    All changes have been marked EXPERIMENTAL.
    
    Anne Anderson
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
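
Added example, not part of the original post or the conformance suite: rather than rewriting the expression as described in the quoted exchange, it resolves the XPath prefixes to URIs from the policy's declarations and evaluates against the request with that map, then shows what happens when the request's own bindings are used instead. The element names, the `rec` prefix, the `urn:example:other` URI and both documents are constructed for illustration; only the `md` URI comes from the post.

```python
import io
import xml.etree.ElementTree as ET

MD_URI = "http://www.medico.com/schemas/record"  # URI quoted in the post

# Constructed samples, not files from the test suite.
POLICY = f'<Policy xmlns:md="{MD_URI}"/>'
XPATH = ".//md:record/md:patient"  # written with the policy's prefixes
# The request uses a different prefix for the same URI and rebinds
# "md" to an unrelated namespace (the collision case from the thread).
REQUEST = (
    f'<Request xmlns:rec="{MD_URI}" xmlns:md="urn:example:other">'
    "<rec:record><rec:patient>Alice</rec:patient></rec:record>"
    "<md:record><md:patient>decoy</md:patient></md:record>"
    "</Request>"
)


def ns_bindings(xml_text):
    """Return {prefix: uri} for the namespace declarations in a document."""
    bindings = {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        if not prefix:
            continue  # unprefixed XPath 1.0 names are in no namespace
        if bindings.get(prefix, uri) != uri:
            # A flat map cannot represent a prefix rebound mid-document.
            raise ValueError(f"prefix {prefix!r} bound to two URIs")
        bindings[prefix] = uri
    return bindings


def select(request_xml, xpath, bindings):
    """Evaluate xpath on the request, resolving prefixes via bindings."""
    root = ET.fromstring(request_xml)
    return [node.text for node in root.findall(xpath, bindings)]


def with_policy_bindings():
    # Prefixes mean what the policy author declared, whatever the
    # request happens to call the same namespace.
    return select(REQUEST, XPATH, ns_bindings(POLICY))


def with_request_bindings():
    # Same expression, but "md" now means whatever the request says.
    return select(REQUEST, XPATH, ns_bindings(REQUEST))


if __name__ == "__main__":
    print(with_policy_bindings())   # the node the policy meant
    print(with_request_bindings())  # a different node, chosen by the request
```

With the request's bindings, the party that builds the request decides which node the policy's selector matches, which is why the two evaluation contexts are not interchangeable in a PDP.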
    
    