OASIS eXtensible Access Control Markup Language (XACML) TC

Back to discussions
Expand all | Collapse all

[xacml] Re: [xacml-comment] 5.31 Element

  • 1.  [xacml] Re: [xacml-comment] 5.31 Element

    Posted 12-05-2002 04:09 
     MHonArc v2.5.2 -->

















    xacml message
    







    [Date Prev]
 | [Thread Prev]
 | [Thread Next]
 | [Date Next]

--

[Date Index]
 | [Thread Index]
 | [Elist Home]
    


    







    Subject: [xacml] Re: [xacml-comment] 5.31 Element <AttributeSelector>
    







    



    
1.
I agree. We should use "context node". So the first sentence should be
"The AttributeSelector element's RequestContextPath XML attribute SHALL
contain a legal XPath expression. XPath evaluation occurs with respect to a
context node that is <xacml-context:Request> element."

2.
"... it must also match the attribute's data-type ..." I think 'it' means
the value(s) selected by XPath. For example,

<Request>
  <Subject>
    <Attribute AttributeId="...subject-id" DataType="...XMLSchema#integer">
      <AttributeValue>123</AttributeValue>
    </Attribute>
  </Subject>
  ...
</Request>

<AttributeSelector RequestContextPath="Subject/Attribute[AttributeId
= '...subject-id']/AttributeValue"/>
should return "123" that must be an integer from the DataType attribute.
When "subject-id" matches two attributes, then the both value must be
integers.

3.
I think that the following XPath returns a boolean type: boolean
("Subject/Attribute[AttributeId='...subject-id']/AttributeValue").

4.
I agree. So the first sentence should be
"If the XPath 1.0 expression evaluates to a node-set, then each node may
consist of seven kinds of nodes as defined in XPath 1.0 specification."

Best
Michiharu Kudo

IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428




|---------+---------------------------->
|         |           John Merrells    |
|         |           <merrells@jiffyso|
|         |           ftware.com>      |
|         |                            |
|         |           2002/11/25 10:54 |
|         |                            |
|---------+---------------------------->
  >--------------------------------------------------------------------------------------------------------------|
  |                                                                                                              |
  |       To:       xacml-comment <xacml-comment@lists.oasis-open.org>                                           |
  |       cc:                                                                                                    |
  |       Subject:  [xacml-comment] 5.31 Element <AttributeSelector>                                             |
  |                                                                                                              |
  |                                                                                                              |
  >--------------------------------------------------------------------------------------------------------------|




1.

"The AttributeSelector element's RequestContextPath XML attribute SHALL
contain a
legal XPath expression over the <xacml-context:Request> element."

The phrase 'over the' made me think for a while. This could be made
clearer by using
the 'context node' term from the XPath specification. XPath evaluation
occurs
with respect to a context node, the context node for this XPath
expression is the
<xacml-context:Request> element.

2.

"In the case where the XPath expression matches attributes in the
request context
by AttributeId, it must also match the attribute's data-type with the
selector's DataType."

Does the 'it' above mean the XPath expression? So, it's saying that if
you write an
xpath expression to select an attribute from the context, and the
expression includes
a predicate for matching with an AttributeID, then that expression MUST
also include
a predicate that matches the selectors data type with the data type of
the selected
attribute...?

3.

"In the case of using XPath 1.0, the value of the XPath expression is
either a node-set,
string value, numeric value, or boolean value."

This may seem a quibble, and it probably is, but even though the XPath
specification
says that the result of an expression can be a primitive... I do not
believe there's any
way to form an expression that actually returns one. In my experience
all XPath 1.0
expressions return a node-set. (I'd be very interested to be corrected
on this point. I
just looked in the o'reilly xpath book and it has some examples that are
plain literal
values like, 2002, or "hello", but if you follow the grammar of the
language they're
just not valid expressions.)

4.

"If the XPath 1.0 expression evaluates to a node-set, then each node may
consist of
a string, numeric or boolean value, or a child node (i.e. structured
node).  In this case,
each node is logically converted to string data by applying the "string"
function defined
in the XPath 1.0 specification, resulting in a sequence of string data."

This is correct in spirit, but not actually correct.

In XPath 1.0 an expression evaluates to a node-set. There are seven
kinds of node
(root, element, text, attribute, namespace, processing instruction, and
comment).
The XPath specification describes a way of determining a
<b>string-value</b>
for each type of node.

John


----------------------------------------------------------------
To subscribe or unsubscribe from this elist use the subscription
manager: <http://lists.oasis-open.org/ob/adm.pl>






    





    






    


    [Date Prev]
 | [Thread Prev]
 | [Thread Next]
 | [Date Next]

--

[Date Index]
 | [Thread Index]
 | [Elist Home]
    


    
  

    


    







    Powered by eList eXpress LLC


Related Content