OASIS eXtensible Access Control Markup Language (XACML) TC

CD-1 issue #3: dynamic RequestContextPath

  • 1.  CD-1 issue #3: dynamic RequestContextPath

    Posted 09-11-2009 13:06
    The issue number refers to the XLS-sheet found in this email:
    http://lists.oasis-open.org/archives/xacml/200909/msg00013.html
    
    The commenter proposes that the RequestContextPath of an attribute 
    selector be made a child element of the attribute selector, so that the 
    xpath can be dynamically constructed using XACML expressions.
    
    Note that making this change is non-trivial because XPath expressions 
    are not simple strings. An xpath also relies on a context for namespace 
    prefix resolution, so simple string functions do not work well for 
    constructing xpath expressions. Adopting this proposal would also mean 
    that we have to design a library of xpath manipulation functions.
    
    I also have concerns about how this additional power to XACML would 
    affect how XACML can be analyzed and audited, so I would not like to 
    make this change without thinking it through carefully.
    
    I propose that we reject this proposal for XACML 3.0 since I think we 
    should wrap up 3.0 now. We can consider this for the future.
    
    Best regards,
    Erik
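
An added illustration of the namespace-context point in the message above (not part of the original post, and not code from the XACML TC). It uses the limited XPath subset in Python's ElementTree as a stand-in for a PDP's XPath engine. The document, URIs, prefix maps and function names are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample content: two vocabularies that both define
# record/owner and differ only in namespace URI.
CONTENT = """<Content xmlns:h="urn:example:hospital"
                     xmlns:i="urn:example:insurer">
  <h:record><h:owner>alice</h:owner></h:record>
  <i:record><i:owner>bob</i:owner></i:record>
</Content>"""
ROOT = ET.fromstring(CONTENT)

# Hypothetical prefix contexts: where the policy was authored, and where
# a dynamically supplied path fragment was authored.
POLICY_CTX = {"md": "urn:example:hospital"}
FRAGMENT_CTX = {"md": "urn:example:insurer"}

def select(path, prefixes):
    """Evaluate a path string under an explicit prefix-to-URI context."""
    return [e.text for e in ROOT.findall(path, namespaces=prefixes)]

def concat_path(head, tail):
    """Naive string construction: the context each part came from is lost."""
    return head + "/" + tail

def resolve(step, prefixes):
    """Expand one prefixed step to the {uri}local name it actually means."""
    prefix, local = step.split(":")
    return "{%s}%s" % (prefixes[prefix], local)

def demo():
    # The same string selects different nodes under different contexts.
    same_string = "md:record/md:owner"
    under_policy = select(same_string, POLICY_CTX)
    under_fragment = select(same_string, FRAGMENT_CTX)

    # Head written in the policy, tail supplied from the other context.
    built = concat_path("md:record", "md:owner")
    naive = select(built, POLICY_CTX)  # tail silently rebound to hospital

    # What the two authors actually meant, step by step.
    intended = resolve("md:record", POLICY_CTX) + "/" + resolve("md:owner", FRAGMENT_CTX)
    correct = [e.text for e in ROOT.findall(intended)]
    return under_policy, under_fragment, naive, correct

if __name__ == "__main__":
    print(demo())
```

The naive concatenation returns a value where the correctly resolved path selects nothing, which is the kind of silent change in meaning that makes string-built paths hard to audit.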