OASIS eXtensible Access Control Markup Language (XACML) TC


XML doc hierarchical resource questions

  • 1.  XML doc hierarchical resource questions

    Posted 05-26-2004 16:07




    Subject: XML doc hierarchical resource questions


    OK, you XPath expression experts!  Michiharu, I hope this
    includes you! :-)
    
    I am comparing the XACML 1.1 example that uses XML document
    access in "Section 4.2.2 Example request context" to the current
    XACML 2.0 Hierarchical Resource draft
    (http://lists.oasis-open.org/archives/xacml/200405/msg00104.html).
    
    There are some significant differences.  I would like feedback on
    whether the differences are OK.
    
    The document being accessed is:
    
      <?xml version ...?>
      <record xmlns="http://www.medico.com/schemas/record.xsd" ...>
         <patient>
         ....
      </record>
    
    1. 1.1 includes the actual document in the ResourceContent
       element.  2.0 does the same.  2.0 explicitly requires this if
       the resource is an XML document.
    
    2. 1.1 uses the following "resource-id" Attribute:
    
       <Attribute AttributeId="...:resource-id"
                  DataType="...#string">
         <AttributeValue>
            //medico.com/records/bart-simpson.xml#
              xmlns(md=http://www.medico.com/schemas/record.xsd)
              xpointer(/md:record/md:patient/md:patientDoB)
         </AttributeValue>
       </Attribute>
    
       2.0 says to put an XPath expression that evaluates to exactly
       the one node being requested into the "resource-id" Attribute,
       and give it the new "xpath-expression" DataType (defined as "a
       string that is to be interpreted as an XPath expression").
    
       A request from the PEP might include an XPath expression that
       evaluates to more than one requested node in the "resource-id"
       Attribute.  The Context Handler is responsible for converting
       this to a series of Requests, each of which asks for exactly
       one node.  For each Request for exactly one node, the Context
       Handler is responsible for constructing an XPath expression
       that evaluates to only that one node, and putting it into the
       "resource-id" Attribute for that Request.
    
       Rationale:
    
       By putting the actual XPath expression into the "resource-id"
       Attribute, a "resource-id" Attribute constructed by the
       Context Handler is treated the same as an original request for
       only a single node, and we have an appropriate value to put
       into the ResourceId field of each Response Result.
    
    3. 1.1 uses the following "xpath" Attribute:
    
       <Attribute AttributeId="...:xpath"
                  DataType="...#string">
          <AttributeValue>
            xmlns(md=http://www.medico.com/schemas/record.xsd)
            xpointer(/md:record/md:patient/md:patientDoB)
          </AttributeValue>
       </Attribute>
    
       2.0 eliminates the "xpath" Attribute, since the information is
       contained in the "resource-id" Attribute.
    
    4. 1.1 uses the following "target-namespace" Attribute that is
       not described in Appendix "B.6 Resource Attributes":
    
       <Attribute
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace"
            DataType="...#string">
         <AttributeValue>
            http://www.medico.com/schemas/record.xsd
         </AttributeValue>
       </Attribute>
    
       2.0 does not specify this Attribute, since the information is
       contained in the "resource-id" Attribute (I think).
    
    The point is, is an XPath expression in the "...:resource-id"
    Attribute, using the new "xpath-expression" DataType, sufficient
    to contain all the information that a policy will need to apply
    to this particular XML document and to the Requested node?  Do we
    need an additional Attribute to match on separately for the
    document's namespace?  Do we need an additional Attribute to
    match on for the node's "identity" (even though a Context Handler
    will not be able to construct an "identity" if multiple nodes are
    requested)?
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive, UBUR02-311    Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    

