OASIS eXtensible Access Control Markup Language (XACML) TC


RE: [xacml] URI match function


    Posted 06-15-2004 16:26

    Subject: RE: [xacml] URI match function


    
    
    
    
    Yes, I would like to discuss this.
    
    Best,
    Michiharu
    
    
    
                                                                               
    Tim Moses <tim.moses@entrust.com>
    2004/06/16 00:24
    To: Michiharu Kudoh/Japan/IBM@IBMJP, "'xacml'" <xacml@lists.oasis-open.org>
    cc:
    Subject: RE: [xacml] URI match function
    
    
    
    
    Michiharu - Thanks for your comment.
    
    I chose the name url-match over uri-match because the function does not
    address urns, only urls.
    
    I agree with your interpretation of the function as expressed in your
    table.
    
    I agree with your idea of being able to match either all descendants or
    just children.
    
    There appear to be a number of possible ways to achieve this, and a little
    discussion would probably be worthwhile.
    
    We could have two functions, as you propose, or we could have a new
    reserved character, as (I think) Bill is proposing.  If we expect policy
    writers to use the two options interchangeably in a policy, then
    expressing the distinction in the argument (i.e. using a new reserved
    character) seems preferable to expressing it in the function name.
    
    Why don't we discuss at our next focus group meeting?
    
    All the best.  Tim.
    
    -----Original Message-----
    From: Michiharu Kudoh [mailto:KUDO@jp.ibm.com]
    Sent: Thursday, June 10, 2004 9:47 AM
    To: xacml
    Subject: [xacml] URI match function
    
    
    
    
    
    
    I have a question on url-match function proposed by Tim.
    (I would prefer uri-match to url-match though)
    According to his proposal, is the following correct?
    
    1st arg     2nd arg     result
    /a/b        /a/b        match
    /a/b        /a          no match
    /a/b/*      /a/b        no match
    /a/b/*      /a/b/       match
    /a/b/*      /a/b/c      match
    /a/b/*      /a/b/c/d    match
    
    IMO, /a/b/* should match only e.g. /a/b/c and /a/b/d.
    
    So I would like to propose another URI mapping that addresses hierarchical
    structure. For example, / matches any paths such as /a, /a/b. /a matches
    any paths that start with /a. So /a matches /a, /a/b, /a/b/c, /a/d etc.
    Since the path specified as the first argument always propagates through
    the hierarchy, the function might be called "uri-match-with-propagation".
    
    Best
    Michiharu
    --------------------------------------
    Posted by Tim Moses
    
    Colleagues - Here is a draft of the proposed URL-match function (with help
    from JSR 115).  All the best.  Tim.
    
    urn:oasis:names:tc:xacml:2.0:function:url-match
    
    This function takes two arguments of type
    http://www.w3.org/2001/XMLSchema#anyURI and SHALL return an
    http://www.w3.org/2001/XMLSchema#boolean.   It SHALL return "True" if all
    of the following conditions hold.  Otherwise, it SHALL return "False".
    
    1.    The scheme part of both arguments SHALL be the same and SHALL be
    either "http", "https" or "file".  The scheme parts MAY be compared using
    urn:oasis:names:tc:xacml:1.0:function:string-equal, once both parts have
    been normalized to upper-case.
    2.    The authority part of the first argument SHALL match the authority
    part of the second argument by either
    urn:oasis:names:tc:xacml:2.0:function:ipAddress-match or
    urn:oasis:names:tc:xacml:2.0:function:dnsName-match.
    3.    The path part of the first argument SHALL match the path part of the
    second argument in at least one of the following ways.
    3a    The path part of the first argument matches the path part of the
    second argument by urn:oasis:names:tc:xacml:1.0:function:string-equal.
    3b    The path part of the first argument is the string "/*".
    3c    The path part of the first argument starts with "/" and ends with
    "/*" and the path part of the second argument starts with the same string
    as the path part of the first argument, minus its last 2 characters, and
    the next character of the path part of the second argument, if present,
    is "/".
    3d    The path part of the first argument starts with "*." and the path
    part of the second argument ends with the same string as the path part of
    the first argument, minus its first 2 characters.
    3e    The path part of the first argument is the special string, "/",
    which matches all other paths.
    
    
    To unsubscribe from this mailing list (and be removed from the roster of
    the OASIS TC), go to
    http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php.
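An added example, not part of the original thread: the draft's conditions 1 to 3e written out literally and run over the table from the message above, so the edge cases can be checked before the function is relied on in a policy. Read literally, the "if present" clause of 3c returns a match for `/a/b/*` against `/a/b`, a row the table lists as "no match". Assumptions: the authority check is plain case-insensitive equality standing in for ipAddress-match and dnsName-match, `http://example.com` is a constructed base, and `children_only` is a hypothetical switch for the children-only reading discussed in the thread.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"HTTP", "HTTPS", "FILE"}

def path_match(p1, p2, children_only=False):
    """Condition 3 of the draft; children_only is a hypothetical switch."""
    if p1 == p2 or p1 == "/":                       # 3a, 3e
        return True
    if p1 == "/*" and not children_only:            # 3b
        return True
    if p1.startswith("/") and p1.endswith("/*"):    # 3c
        prefix = p1[:-2]                            # minus its last 2 characters
        if not p2.startswith(prefix):
            return False
        rest = p2[len(prefix):]
        if children_only:
            # exactly one further non-empty segment: "/c", not "", "/" or "/c/d"
            return rest.startswith("/") and len(rest) > 1 and "/" not in rest[1:]
        return rest == "" or rest.startswith("/")   # next char, if present, is "/"
    if p1.startswith("*."):                         # 3d
        return p2.endswith(p1[2:])
    return False

def url_match(a1, a2, children_only=False):
    u1, u2 = urlsplit(a1), urlsplit(a2)
    s1, s2 = u1.scheme.upper(), u2.scheme.upper()   # condition 1
    if s1 != s2 or s1 not in ALLOWED_SCHEMES:
        return False
    # Condition 2 stand-in (assumption): case-insensitive string equality.
    if u1.netloc.lower() != u2.netloc.lower():
        return False
    return path_match(u1.path, u2.path, children_only)

# (1st arg, 2nd arg, result stated in the thread's table)
TABLE = [
    ("/a/b", "/a/b", True),
    ("/a/b", "/a", False),
    ("/a/b/*", "/a/b", False),
    ("/a/b/*", "/a/b/", True),
    ("/a/b/*", "/a/b/c", True),
    ("/a/b/*", "/a/b/c/d", True),
]

def compare(children_only=False):
    base = "http://example.com"   # constructed scheme and authority
    return [(p1, p2, said, url_match(base + p1, base + p2, children_only))
            for p1, p2, said in TABLE]

if __name__ == "__main__":
    print(*compare(), sep="\n")
```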
    