OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only
  • 1.  [xacml] XPath Subset

    Posted 07-18-2002 02:04
     MHonArc v2.5.2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Subject: [xacml] XPath Subset


    This is just an initial proposal of the XPath subset definition for XACML
    policy specification. Since XACML policy specification needs predicate
    expressions, it is obvious that the selector XPath subset used in the XML
    Schema is not sufficient.
    
    Michiharu
    
    =======================================================
    Proposal of XPath Subset Definitions for XACML policy specification
    
    1) Overview of XPath subset
    
    List of supported features:
    1. Node test and step qualifier that refers to element and attribute
    2. Abbreviated syntax
    3. Namespace
    4. Axes of child, descendant, parent, self and attribute
    5. Minimum set for operators, and, equality and inequality
    6. Wildcard
    7. Literal and number
    
    List of unsupported features (not complete list)
    1. Function
    2. Unabbreviated syntax
    3. Position
    4. Variables
    5. Mathematical operators such as plus, minus...
    6. Logical operators such as or
    7. Comment and processing instructions
    
    2) EBNF Notation
    (this is subject to change)
    
    LocationPath         ::= RelativeLocationPath
                           | AbsoluteLocationPath
    AbsoluteLocationPath ::= '/' RelativeLocationPath?
                           | '//' RelativeLocationPath
    RelativeLocationPath ::= Step
                           | RelativeLocationPath '/' Step
                           | RelativeLocationPath '//' Step
    Step                 ::= AxisSpecifier NodeTest Predicate*
                           | AbbreviatedStep
    AbbreviatedStep      ::= '.' | '..'
    AxisSpecifier        ::= '@'?
    
    NodeTest             ::= NameTest | NodeType '(' ')'
    NameTest             ::= '*' | NCName ':' '*' | QName
    NodeType             ::= 'text' | 'node'
    
    Predicate            ::= '[' PredicateExpr ']'
    PredicateExpr        ::= Expr
    
    Expr                 ::= AndExpr
    AndExpr              ::= RelationalExpr
                           | AndExpr 'and' RelationalExpr
    RelationalExpr       ::= LocationPath Operator LocationPath
                           | LocationPath Operator PrimaryExpr
    Operator             ::= '=' | '!='
    PrimaryExpr          ::= Literal | Number
    Literal              ::= '"' [^"]* '"'
                           | "'" [^']* "'"
    Number               ::= Digits ('.' Digits?)?
                           | '.' Digits
    Digits               ::= [0-9]+
    
    (*) For NCName and QName, refer to http://www.w3.org/TR/REC-xml-names/
    
    3) Example XPath expressions
    
    a) Examples without namespace
    1. /Request/Subjects/SubjectId[@Format='SerialNumber']
    2. /Request/Resources/ResourceSpecifier/@ResourceURI
    3. /Request/Resources/ResourceAttribute/AttributeMetaData[@Name
    ='Root']/../AttributeValue
    4. /Request/Action[@Namespace='XMLAccessControl']
    
    b) Examples with namespace prefix without fixing namespace URI
    1. /xctx:Request/xctx:Subjects/xctx:SubjectId[@Format='SerialNumber']
    2. /xctx:Request/xctx:Resources/xctx:ResourceSpecifier/@ResourceURI
    3.
    /xctx:Request/xctx:Resources/xctx:ResourceAttribute/xctx:AttributeMetaData
    [@Name='Root']/../xctx:AttributeValue
    4. /xctx:Request/xctx:Action[@Namespace='XMLAccessControl']
    
    4) Issues
    4.1 Namespace: strict or simpler
    XPath specification of b) is not a strict way to specify XPath with
    namespaces. The strict XPath expression is to use two functions
    (namespace-uri() and local-name()) so that we don't have to worry about
    consistent prefix definitions in the XACML request context. If we choose
    the strict syntax, we have to add function call in addition to the above
    subset definition. The following show the strict syntax:
    
    b') Examples with namespace URI
    1. /*[namespace-uri()="urn:oasis:names:tc:xacml:0.15h:context" and
    local-name()='Request']/*[namespace-uri()
    ="urn:oasis:names:tc:xacml:0.15h:context" local-name()
    ='Subjects']/*[namespace-uri()="urn:oasis:names:tc:xacml:0.15h:context" and
    local-name()='SubjectId' and @Format='SerialNumber']
    2. /*[namespace-uri()="urn:oasis:names:tc:xacml:0.15h:context" local-name()
    ='Request']/*[namespace-uri()="urn:oasis:names:tc:xacml:0.15h:context"
    local-name()='Resources']/*[namespace-uri()
    ="urn:oasis:names:tc:xacml:0.15h:context"and local-name()
    ='ResourceSpecifier']/@ResourceURI
    3. /*[namespace-uri()="urn:oasis:names:tc:xacml:0.15h:context" and
    local-name()='Request']/*[namespace-uri()
    ="urn:oasis:names:tc:xacml:0.15h:context"  and local-name()
    ='Resources']/*[local-name()='ResourceAttribute']/*[namespace-uri()
    ="urn:oasis:names:tc:xacml:0.15h:context"  and local-name
    ='AttributeMetaData' and @Name='Root']/../*[local-name()='AttributeValue']
    4. /*[namespace-uri()="urn:oasis:names:tc:xacml:0.15h:context" and
    local-name()='Request']/*[namespace-uri()
    ="urn:oasis:names:tc:xacml:0.15h:context" and local-name()='Action' and
    @Namespace='XMLAccessControl']
    
    4.2 Difference between XPath 1.0 and 2.0
    To indicate the version number, we need to specify that information in the
    policy. An issue is where to write, at each XPath specification or at a
    bigger portion of the policy (e.g. Rule and PolicyStatement).
    
    4.3 Difference between XPath 1.0 operator and XACML operator
    The semantics of the equality operator in XPath 1.0 is a little different
    from the equality operator that is currently proposed to XACML because
    XACML operators aim to be in line with the XPath 2.0 semantics. Is this
    acceptable?
    
    
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Powered by eList eXpress LLC