OASIS eXtensible Access Control Markup Language (XACML) TC


Re: [xacml] Context attribute clarification


    Posted 03-04-2004 03:42

    Subject: Re: [xacml] Context attribute clarification


    
    > I think you are saying that, as far as the PDP is concerned, anything
    > between <AttributeValue> tags is a single attribute (including any xml
    > attribute of the <AttributeValue> element, itself).  Whether the attribute
    > is primitive or structured, it is the associated function that should
    > validate the contents.  In the structured case, it will need some private
    > way of locating the schema, given the DataType URI.
    
    Exactly. Thus, in the example you provided, the two AttributeValue 
    elements resulted in two values, even if they contained complex content. 
    I think that the spec is pretty clear on this point, but maybe we need 
    to add some clarifying language?
    
    > An attribute value that is an unencapsulated sequence of elements is valid
    > according to this definition.  But, if we expect the function to
    > schema-validate, doesn't this introduce a problem, because such a sequence
    > is anonymous?  
    
    I don't think this is a problem. If I define a new datatype that 
    contains mixed content, then I'm free to define any number of ways to 
    validate that content (through schemas or other mechanisms)...also, 
    there is no anonymity, since the DataType XML attribute identifies the 
    type. It's never going to be possible for a standard PDP to do 
    validation unless it has custom functionality installed to support the 
    datatype and validation, so I don't see any reason to define a standard 
    mechanism that may or may not be useful only for custom functionality. 
    Or am I missing the point here? (my brain is a little frazzled right now)
    
    > My understanding is that the anyAttribute declaration does not REQUIRE the
    > <AttributeValue> element to have an attribute, but it MAY have one or more.
    
    Absolutely correct.
    
    
    seth
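
The reading agreed in this message, as an added example that is not part of the original post or of the XACML specification: each AttributeValue element yields exactly one value, and validation is dispatched on the DataType URI to whatever custom validator is installed. The DataType URI, the address content, the validator rule and the simplified, namespace-free sample (with DataType placed on the enclosing Attribute element) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one Attribute carrying two AttributeValue elements.
# The first holds an unencapsulated sequence of elements; the second also
# carries an XML attribute of its own, which anyAttribute permits.
SAMPLE = """
<Attribute AttributeId="urn:example:attr:address"
           DataType="urn:example:datatype:address">
  <AttributeValue><street>1 Main St</street><city>Springfield</city></AttributeValue>
  <AttributeValue units="metric"><city>Shelbyville</city></AttributeValue>
</Attribute>
"""

def validate_address(value):
    # Hypothetical rule for the hypothetical datatype: <street> is required.
    return value.find("street") is not None

# Custom validators installed in this PDP, keyed by DataType URI (assumed registry).
VALIDATORS = {"urn:example:datatype:address": validate_address}

def evaluate_values(attribute_xml, validators=VALIDATORS):
    """Return one record per AttributeValue element, with its validation status."""
    attr = ET.fromstring(attribute_xml)
    datatype = attr.get("DataType")       # the DataType identifies the type
    validator = validators.get(datatype)  # None: no custom support installed
    results = []
    for value in attr.findall("AttributeValue"):
        # Everything inside one AttributeValue, including the element's own
        # XML attributes, is treated as a single value, however complex.
        if validator is None:
            status = "unsupported-datatype"
        else:
            status = "valid" if validator(value) else "invalid"
        results.append({
            "datatype": datatype,
            "xml_attrs": dict(value.attrib),
            "children": [child.tag for child in value],
            "status": status,
        })
    return results

if __name__ == "__main__":
    for record in evaluate_values(SAMPLE):
        print(record)
```

Passing an empty validator registry models a standard PDP without the custom datatype installed: both values are still recognised as two separate values, but neither can be validated.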
    
    

