OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] [CR] Additional Functions

  • 1.  [xacml] [CR] Additional Functions

    Posted 08-24-2002 05:43
     MHonArc v2.5.2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Subject: [xacml] [CR] Additional Functions


    I propose to include the following functions (all relevant to XPath) in the
    spec as non-mandatory to implement functions. The original proposal (a
    little different from this proposal) was posted on 29th July and it
    described more in detail.
    http://lists.oasis-open.org/archives/xacml/200207/msg00162.html
    
    function:general-string-equal xs:boolean  object(*1)  object            A
    = B
    function:node-boolean         xs:boolean  object
    function:node-match           xs:boolean  object            object
    
    ========================
    (*1) "object" type is defined in Introduction section of [2] as:
    
    "... object, which has one of the following four basic types:
    node-set (an unordered collection of nodes without duplicates)
    boolean (true or false)
    number (a floating-point number)
    string (a sequence of UCS characters)"
    
    [1] XQuery 1.0 and XPath 2.0 Data Model,
    http://www.w3.org/TR/xquery-operators/
    [2] XPath 1.0, http://www.w3.org/TR/xpath
    
    We here assume that boolean is xs:boolean, number is xs:decimal and string
    is xs:string.
    ========================
    
    ----------------------
        Function Definitions
    ----------------------
    
    <1>. Function:general-string-equal
    
    boolean: general-string-equal(object, object)
    
    The general-string-equal(A,B) is true for set A and B if the
    string-equal(a,b) is true for some item a in A and some item b in B.
    Otherwise, general-string-equal(A,B) is false. When performing the
    string-equal function, apply the following rules in order:
    
    1. Simple String Atomization (SSA) is applied to each operand, resulting in
    a single atomic value or an empty set for each operand.
    2. If either operand is an empty set, the result is an empty set.
    3. Cast each operand to xs:string
    4. If the cast fails, the error value is returned.
    5. The result of string-equal is true if the value of the first operand is
    equal to the value of the second operand; otherwise the result of the
    string-equal is false.
    
    Simple String Atomization (SSA):
    
    1. If the value is a single atomic value or an empty set, atomization
    simply returns the value.
    2. If the value is a single node, it must be an element node, attribute
    node or a text node.
      2.1  If the value is a text node, returns the string content of the text
    node.
      2.2  If the value is an attribute node, returns its string value.
      2.3  If the value is an element node that does not contain element node
    below, returns the string content of the text node.
      2.4  If the value is an element node that contain one or more element
    node below, returns error value as defined in [1]
    3. If the value is not a single node, return error value as defined in [1]
    
    Example:
    <a>
      <b1>January</b1>
      <b1>February</b1>
      <b2>
        <c>January</c>
        <c>March</c>
      </b2>
      <b3 d="February"/>
      <b3 d="April"/>
    </a>
    
    A := "/a/b1"
    B := "/a/b2/c"
    C := "/a/b3/@d"
    D := "/a/b2"
    
    (1) general-string-equal(A,B) ==> true
    (2) general-string-equal(A,C) ==> true
    (3) general-string-equal(B,C) ==> false
    (4) general-string-equal(A,"February") ==> true
    (5) general-string-equal(A,D) ==> Error value
    
    (1) A returns two nodes: two <b1> elements. The SSA is applied to the first
    <b1> item, which returns "January". The SSA is applied to the second <b1>
    item, which returns "February". B returns two nodes: two <c> elements. The
    SSA is applied to the first <c> item, which returns "January". The SSA is
    applied to the second <c> item, which returns "March". String casting
    succeeds. Since the first value of the first operand is equal to the first
    value of the second operand, general-string-equal returns true.
    (2) C returns two nodes: two d attributes. The SSA is applied to each item,
    which returns "February" and "March", respectively. Since the second value
    of the first operand is equal to the first value of the second operand,
    general-string-equal returns true.
    (3) Since there is no identical value pair in the first operand and the
    second operand, general-string-equal returns false.
    (4) The second operand is a single atomic value "February". Since it is
    equal to the second value of the first operand, general-string-equal
    returns true.
    (5) The second operand returns one <b2> element that contains two <c>
    element. This raises error from SSA step 2.4. Therefore,
    general-string-equal returns error value.
    
    An example specification for case (1):
    <Rule>
      <Target>
        <Resources MatchId="function:general-string-equal" DataType
    ="xs:boolean">
          <AttributeSelector RequestContextPath="/a/b1"/>
          <AttributeSelector RequestContextPath="/a/b2/c"/>
        </Resource>
      </Target>
    </Rule>
    
    <2>. Function:node-boolean
    
    boolean node-boolean(object)
    
    The node-boolean function converts its argument to a boolean as follows:
    1. a number is true if and only if it is neither positive or negative zero
    nor NaN
    2. a node-set is true if and only if it is non-empty
    3. a string is true if and only if its length is non-zero
    4. an object of a type other than the four basic types is converted to a
    boolean in a way that is dependent on that type
    
    An example specification for the case (1) is:
    <Rule>
      <Target>
        <Resources MatchId="function:node-boolean" DataType="xs:boolean">
          <AttributeSelector RequestContextPath="/a/b1[ . = /a/b2/c])"/>
        </Resource>
      </Target>
    </Rule>
    
    <3>. Function:node-match
    
    boolean node-match(object, object)
    
    The result of a node-match is defined by applying the following rules, in
    order:
    1. Both operands must be either a single node or an empty set; otherwise
    the error value is returned.
    2. If either operand is an empty set, the result of the comparison is an
    empty set.
    3. A comparison is true if the two operands are nodes that have the same
    single node; otherwise it is false.
    
    An example specification is:
    <Rule>
      <Target>
        <Resources MatchId="function:node-match" DataType="xs:boolean">
          <AttributeSelector RequestContextPath="//b1"/>
          <AttributeSelector RequestContextPath="/a/b1"/>
        </Resource>
      </Target>
    </Rule>
    If "//b1" and "/a/b1" contains one or more intersection node, then the
    node-match function returns true, otherwise returns false.
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Powered by eList eXpress LLC