Subject: [xacml] URI-match function proposal
Here is a draft of the proposed URI-match function.
My motivation is to create a universal match function that satisfies our
needs. The following are some proposals and ideas posted on the list:
- URL-match function proposed by Tim
- URI-match-with-propagation by me
- ** in Ant suggested by Polar
- general match function by Seth
- Version number matching by Bill
My observation for the requirements of the match function is the following:
- We need a generic match function that works on hierarchy.
- The scheme should be able to distinguish the hierarchical match from the
regular expression match.
- The scheme should include sub-tree match as well as single-node (file,
directory etc.) match.
- The scheme should support various kinds of separator for hierarchy.
- The scheme should apply syntax with which many people are familiar.
- The scheme should fit with our own purposes.
Of course this is not complete but I believe that this covers several
people's requirements, including mine.
The basic idea is the following:
- Match function that works on URI syntax (including URL and URN)
- Pattern match character includes "*", "?", and "**" (maybe more)
  + "*" is used for single-node match.
  + "**" is used for sub-tree match (from Ant).
  + "?" is used for one-character match.
- Hierarchical separators are "/" and ":" (or more).
The following are several examples in my mind:

Pattern            String               Match
/a                 /a                   true
/a/*               /a                   false
/a/*               /a/b                 true
/a/*               /a/b/c               false
/a/**              /a                   false
/a/**              /a/b                 true
/a/**              /a/b/c               true
/a?/*              /a1/b                true
/a?/*.html         /a1/xy.html          true
a:b:*              a:b:c                true (":" is URI's colon)
a:b:**             a:b:c:d              true
http://a.b/x/**    http://a.b/x/y/z     true

('*' is used in two ways: single hierarchical match e.g. /a/* and any
string match e.g. /a/*.html)
One problem I had in the above example is that there is no simple syntax
that matches both the indicated node and its sub-tree. For example, if we
need to specify a policy that matches /a and the sub-tree, we need to
specify two patterns, i.e. /a and /a/**. JSR115 uses /a:/a** where ':'
indicates 'or' combination of two patterns, which conflicts with patterns for
the urn cases above.
So the following is one of the solutions for this problem:
- Introduce "***" for representing both the indicated node and its
sub-tree. For example, /a/*** is a shorthand of /a and /a/**. Thus /a/***
matches /a, /a/b, /a/b/c etc.
- In the same way, a:b:*** is a shorthand of a:b and a:b:**. Thus,
urn:oasis:names:tc:xacml:*** matches urn:oasis:names:tc:xacml,
urn:oasis:names:tc:xacml:1.0, urn:oasis:names:tc:xacml:2.0 etc.
We might allow the following patterns that have wildcards in the middle if
we could agree:
/a/*/b matches /a/x/b.
/a/**/b matches /a/x/y/b.
Any comments are welcome.
Best,
Michiharu
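
The matching rules proposed in the message above, sketched as an added example (not part of the original message and not code from the XACML TC). It assumes that "*" and "?" never match a separator or an empty node, that "**" needs at least one character, and that "***" is only defined directly after "/" or ":"; the names compile_uri_pattern, uri_match and mismatches are hypothetical.

```python
import re

# Wildcard tokens, longest first; "***" also consumes the separator before it.
_TOKEN = re.compile(r"(?P<sep>[/:])?\*\*\*|\*\*|\*|\?|[^*?]")
_NODE = "[^/:]"  # one character that is not a hierarchy separator


def compile_uri_pattern(pattern):
    """Translate a pattern in the proposed syntax into a regular expression."""
    parts = []
    for m in _TOKEN.finditer(pattern):
        tok = m.group(0)
        if tok.endswith("***"):
            if m.group("sep") is None:  # assumption: undefined, so reject
                raise ValueError("'***' must follow '/' or ':': %r" % pattern)
            # the node itself, or separator plus a non-empty sub-tree
            parts.append("(?:" + re.escape(m.group("sep")) + ".+)?")
        elif tok == "**":
            parts.append(".+")             # sub-tree: may cross separators
        elif tok == "*":
            parts.append(_NODE + "+")      # stays inside a single node
        elif tok == "?":
            parts.append(_NODE)            # exactly one character of a node
        else:
            parts.append(re.escape(tok))   # literal: "." in "a.b" is no wildcard
    return re.compile("".join(parts))


def uri_match(pattern, uri):
    """True only if the whole URI matches; a matching prefix is not enough."""
    return compile_uri_pattern(pattern).fullmatch(uri) is not None


# Rows taken from the table in the message, plus the "***" shorthand cases.
EXAMPLES = [
    ("/a/*", "/a", False), ("/a/*", "/a/b", True), ("/a/*", "/a/b/c", False),
    ("/a/**", "/a", False), ("/a/**", "/a/b/c", True),
    ("/a?/*.html", "/a1/xy.html", True), ("a:b:**", "a:b:c:d", True),
    ("/a/***", "/a", True), ("/a/***", "/a/b/c", True),
    ("/a/***", "/ab", False),  # constructed: sibling sharing a name prefix
]


def mismatches():
    """Return the rows of EXAMPLES whose result differs from the expected one."""
    return [(p, u) for p, u, want in EXAMPLES if uri_match(p, u) != want]


if __name__ == "__main__":
    print(mismatches() or "all examples behave as listed")
```

Because the pattern is matched against the whole string and literals are escaped, /a/*** does not cover a sibling such as /ab, and the "." in a.b is not treated as a wildcard.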