Subject: [xacml] [CR] 0047:Function specification for XPath handler
I propose to add the following two functions. Both are XPath-related
functions. I attached the modified policy specifications of Examples 1 and 2
(they might have mistakes). This proposal has also been agreed by Simon.
[A] Request of function additions:
- function:xpath-equal comparison on two DOM nodes
- function:xpath-match hierarchical comparison on two DOM nodes
[B] Function description:
- function:xpath-equal:
This function takes two arguments, the first of "xs:string" and the second
of "xs:string", and returns an "xs:boolean". Both arguments are valid XPath
expressions as defined in the XPath 1.0 specification [1]. This function returns
true if the set of DOM nodes obtained by applying the first XPath expression
to the XACML Request Context includes at least one DOM node that is also
obtained by applying the second XPath expression to the XACML Request
Context. If the first XPath or the second XPath does not return a DOM node set,
this function returns false. When an XPath expression includes one or more
namespace prefixes, they are resolved using the XPathNamespace element
specified in the corresponding Policy element or PolicySet element.
For example, the following expression shall return true:
  <Apply FunctionId="function:xpath-equal">
    <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
    <AttributeValue>/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue</AttributeValue>
  </Apply>
- function:xpath-match:
This function takes two arguments, the first of "xs:string" and the second
of "xs:string", and returns an "xs:boolean". Both arguments are valid XPath
expressions as defined in the XPath 1.0 specification [1]. This function first
extends the first argument to support pseudo-hierarchical access control on
the XML document structure. If "a" is an element node and it is specified as
the first argument, the function replaces it with "a | a//* | a//@*", meaning
all the elements and attributes below the specified element "a". If "a"
is an attribute node, then the function does not modify the first argument.
Then this function internally calls the xpath-equal function and returns the
identical return value.
For example, the following expression shall return true when the
"urn:...:xpath" attribute returns an md:patient element that is below an
md:record element:
  <Apply FunctionId="function:xpath-match">
    <AttributeValue>//md:record</AttributeValue>
    <Apply FunctionId="function:string-one-and-only">
      <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
    </Apply>
  </Apply>
The above function is internally replaced by:
  <Apply FunctionId="function:xpath-equal">
    <AttributeValue>//md:record | //md:record//* | //md:record//@*</AttributeValue>
    <Apply FunctionId="function:string-one-and-only">
      <ResourceAttributeDesignator AttributeId="urn:...:xpath"/>
    </Apply>
  </Apply>
[C] Modified policy examples:
(Besides this proposal, I removed the DataType attribute and inserted the
string-one-and-only function in several places)
(See attached file: XACML-SimplePolicy.txt) (See attached file: XACML-Rule2.txt)
(See attached file: XACML-Rule3.txt) (See attached file: XACML-rule4.txt)
(See attached file: XACML-Rule1.txt)
[1] XPath 1.0, http://www.w3.org/TR/xpath
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642 Fax +81 (46) 273-7428
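The following is an added worked model of the two proposed functions; it is not part of the original message, not Michiharu Kudo's code, and not the reference implementation of any XACML PDP. It uses only Python's standard xml.etree, whose XPath subset is far smaller than XPath 1.0, so the model adds its own handling for a trailing attribute step (/@name, /@*, //@*) and for the union operator, and it decides "element or attribute" for xpath-match syntactically rather than from the DOM node type. The Request Context, the md namespace URI and the element names are constructed for the demo; NAMESPACES stands in for the Policy's XPathNamespace element.

```python
"""Model of the proposed xpath-equal and xpath-match functions (added example)."""
import xml.etree.ElementTree as ET

# Constructed XACML Request Context for the demo; not one of the attached policies.
REQUEST_XML = """<Request xmlns:md="urn:example:md">
  <Subject>
    <Attribute AttributeId="role"><AttributeValue>physician</AttributeValue></Attribute>
    <Attribute AttributeId="subject-id"><AttributeValue>alice</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <ResourceContent>
      <md:record id="r1">
        <md:patient name="bob"><md:diagnosis>flu</md:diagnosis></md:patient>
      </md:record>
      <md:other/>
    </ResourceContent>
  </Resource>
</Request>"""

# Stands in for the XPathNamespace element of the enclosing Policy/PolicySet (assumed URI).
NAMESPACES = {"md": "urn:example:md"}


def load_request(xml_text):
    """Parse the request and wrap its root in a synthetic document node, so that
    absolute expressions ('/Request/...', '//md:record') can be evaluated relative to it."""
    doc = ET.Element("__document__")
    doc.append(ET.fromstring(xml_text))
    return doc


def _select_one(doc, xpath, ns):
    """Node identities selected by a single (non-union) expression.
    Elements are keyed by id(element); an attribute node is keyed by
    (id(owner), name), because ElementTree has no attribute node objects.
    Only ElementTree's XPath subset plus a trailing '/@name', '/@*' or '//@*'
    step is handled; anything else is treated as 'not a node-set' (empty)."""
    attr_step, deep = None, False
    head, sep, tail = xpath.rpartition("/@")
    if sep:
        deep = head.endswith("/")          # 'a//@*': attributes of a and of all its descendants
        xpath, attr_step = head.rstrip("/"), tail
    if not xpath:
        return set()
    if xpath.startswith("/"):
        xpath = "." + xpath                # '/x' -> './x', '//x' -> './/x' under the wrapper
    try:
        elements = doc.findall(xpath, ns)
    except (SyntaxError, KeyError):        # ElementTree rejects non-node-set / unsupported syntax
        return set()
    if attr_step is None:
        return {id(e) for e in elements}
    if deep:
        elements = [d for e in elements for d in e.iter()]   # e.iter() includes e itself
    return {(id(e), name) for e in elements for name in e.attrib
            if attr_step == "*" or name == attr_step}


def _select(doc, xpath, ns):
    """Evaluate an expression that may be a union ('a | b | c') of simple expressions."""
    nodes = set()
    for part in xpath.split("|"):
        nodes |= _select_one(doc, part.strip(), ns)
    return nodes


def xpath_equal(doc, xpath1, xpath2, ns=NAMESPACES):
    """function:xpath-equal: true iff the two node-sets share at least one node.
    Comparison is by node identity, not by serialized text."""
    return not _select(doc, xpath1, ns).isdisjoint(_select(doc, xpath2, ns))


def expand_for_match(xpath):
    """Rewrite the first argument of xpath-match as the proposal describes:
    an element expression 'a' becomes 'a | a//* | a//@*'; an attribute
    expression is left unchanged. (Assumption of this model: the decision is
    made from the syntax, whether the expression ends in an attribute step,
    whereas a DOM-based PDP would inspect the node type of the result.)"""
    if "/@" in xpath:
        return xpath
    return f"{xpath} | {xpath}//* | {xpath}//@*"


def xpath_match(doc, xpath1, xpath2, ns=NAMESPACES):
    """function:xpath-match: xpath-equal applied after expanding the first argument."""
    return xpath_equal(doc, expand_for_match(xpath1), xpath2, ns)


if __name__ == "__main__":
    doc = load_request(REQUEST_XML)
    role = '/Request/Subject/Attribute[@AttributeId="role"]/AttributeValue'
    print(xpath_equal(doc, role, role))                          # True (the example in the message)
    print(xpath_match(doc, "//md:record", "//md:patient"))       # True: patient is below record
    print(xpath_match(doc, "//md:record", "//md:patient/@name")) # True: attributes below record count too
    print(xpath_match(doc, "//md:record", "//md:other"))         # False: not below record
```

Two points the model makes visible: xpath-equal compares node identity, so two expressions that merely serialize to the same text but select different nodes do not match, and xpath-match's expansion means a rule written against "//md:record" covers every element and attribute beneath the record, which is what a policy author should expect when reviewing the scope of such a rule.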