OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] re: Attribute Selector example

  • 1.  [xacml] re: Attribute Selector example

    Posted 08-25-2002 00:47
     MHonArc v2.5.2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Subject: [xacml] re: Attribute Selector example


    Michiharu,
     
    I see that you want to compute the node-set of xpath expression specified in
    the request-context before passing it to the node-match function.
     
    Of course, something like that could be accomplished in the condition
    with 'xpath-expr' function:
    <Apply FunctionId="function:node-match">
        <Apply FunctionId="function:xpath-expr">
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
                DataType="xs:string"/>
        </Apply>
        <AttributeSelector RequestContextPath="..."/>
    </Apply>
     
    You want to do the same thing in the target.
     
    I'm not completely sold on your syntax for AttributeSelector. I'd prefer this extension:
    <AttributeSelector indirect="true"> (or IndirectAttributeSelector)
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
            DataType="xsi:string"/>
    </AttributeSelector>
     
    Better yet to relax 'match' element to allow 'apply' children.
     
    Another approach:
    I think that complication is in 'node-match' function definition that takes --results--
    of xpath expression. That forces you to produce this result, so you
    need additional semantics in attribute-selector.
     
    Consider different function that takes --xpath-expressions-- as arguments
    (as in examples in section 3). Than you do not have to produce node sets
    before calling this function and no change in schema is needed.
     
    Suppose that node-match-1 has exact same semantics as node-match but
    take 2 xpath expressions: xpath-expr-request and xpath-expr-rule:
    node-match-1(xpath-expr-req, xpath-expr-rule).
     
    You can use it in the target:
    <ResourceMatch MatchId="function:node-match-1">
        <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
            DataType="xsi:string"/>
        <AttributeValue DataType="xsi:string">//md:record</AttributeValue>
    </ResourceMatch>
     
    Simon
     


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Powered by eList eXpress LLC