OASIS eXtensible Access Control Markup Language (XACML) TC

Expand all | Collapse all

Re: XACML's limitations in the access control for XML documents usecase - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

  • 1.  Re: XACML's limitations in the access control for XML documents usecase - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 09-28-2009 07:47
    Hi Rich,
    
    Some of the reasons why an XPath approach could be better are:
    
    1. XPath contains many functions and other capabilities, which might not 
    be as easily available in the URI based approach.
    
    2. The TC would avoid the effort to define the URI approach. We would 
    need to improve the xpath approach instead, but I suspect that the 
    effort is smaller since we can reuse so much from xpath, compared with a 
    wholly new URI based approach.
    
    3. It is likely that an XML resource is already available in XML form, 
    so an xpath implimentation can be applied to it directly, while the URI 
    approach requires a transformation, which could degrade performance.
    
    Note that it is not true that the whole XML has to be repeated for each 
    resource since multiple 


  • 2.  Re: [xacml] Re: XACML's limitations in the access control for XMLdocuments use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpathdefinition

    Posted 09-28-2009 20:41
    Hi Erik,
    
    The intent of the proposal is not to replace or be better than XPath, 
    but to be an "alternative representation" for node identification as 
    described in section 2.0 of the profile, which if we included in the 
    profile as suggested in section 2.2.1, presumably would then be a 
    "recommended alternative representation".
    
    The reason for the suggestion was to address the requirements specified 
    in issue 11, which contained a recommended syntax that did not 
    incorporate namespaces. By using the Clark notation for the namespaces, 
    the syntax in issue 11 can be directly incorporated to the URI scheme as 
    described in the proposal.
    
    Once the syntax is in place then the same kinds of regexp-scoped 
    Policy's can be written for XML nodes as for file system and URL resources.
    
    Assuming the syntax and proposal is correct, it may be a useful 
    alternative representation in some situations, particularly where it may 
    be an objective to identify all resources w URIs, and/or where the mixed 
    XACML/XPATH syntax is a concern wrt Policy specification.
    
        Thanks,  
        Rich
    
    
    Erik Rissanen wrote:
    > Hi Rich,
    >
    > Some of the reasons why an XPath approach could be better are:
    >
    > 1. XPath contains many functions and other capabilities, which might 
    > not be as easily available in the URI based approach.
    >
    > 2. The TC would avoid the effort to define the URI approach. We would 
    > need to improve the xpath approach instead, but I suspect that the 
    > effort is smaller since we can reuse so much from xpath, compared with 
    > a wholly new URI based approach.
    >
    > 3. It is likely that an XML resource is already available in XML form, 
    > so an xpath implimentation can be applied to it directly, while the 
    > URI approach requires a transformation, which could degrade performance.
    >
    > Note that it is not true that the whole XML has to be repeated for 
    > each resource since multiple 


  • 3.  AW: [xacml] Re: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 10-01-2009 12:04
    Hi Rich,
    
    I highly agree with what you said in this mail. It seems that your use case
    goes a bit further then the one I am thinking of. Let me try to identify the
    common and varying parts of our use cases.
    
    If I understand you correctly you are not only thinking about how the
    resource-id values of the individual decision requests in the xml use case
    have to look like. You are further having the file system and URL resource
    use case in mind. This is something I have never thought about so far.
    
    Further it seems that you are trying to represent the whole resource through
    and only through URIs in one decision request. That’s also somehow different
    to the use case I have in mind, as in my scenario the resource (the xml doc)
    is always included under 


  • 4.  RE: [xacml] Re: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 10-01-2009 13:07
    No one has produced an actual use case that requires regexp on xpath resource-ids to solve. I am not inclined to jump to this sort of solution.  I have a lot of experience writing xpath expressions for xslt transformations, so I am skeptical when anyone suggests  additional functionality is required in this area, that is not already provided by well-established standards.
    
    I still plan to start some wiki pages on these topics, but I want to introduce some other aspects of this discussion.
    
    1. Part of the problem is that XACML overloads the concept of "resource-id" when it can be used actually as a "resource-selector" in multi-resource request for XML resources.  This causes the actual resource-id that is used during evaluation to be different than the initial resource-id (it has been "expanded" to describe the exact node).  I believe this is a defect in the specification, which should be remedied in any case.  You face this problem when you want to write (as Jan does) rules involving the string value of the resource-id.  (I still don't understand the motivation for writing these sorts of rules, but that's a different matter.)
    
    2. Related to the above point, there seems to be a gap in the current multi-resource specification, because it is not clear how the response identifies the xml node for each decision.  If PEP asks for decisions on "//*[@id=('foo','bar','baz')]"  (i.e., elements whose id attribute is 'foo', 'bar', or 'baz'), what should be the respective values of the resource-ids in the response?  They could be "//*[@id='foo']", "//*[@id='bar']", "//*[@id='baz']".  Or they could be "/chapter[1]/section[3]/para[1]", "/chapter[2]", "/chapter[2]/section[1]/fig[1]".  Assuming the PEP has xpath processing capabilities, it really shouldn't matter.  But the XACML spec should at least say something like "the returned resource-id shall be an xpath expression which, when evaluated against the original xml content, returns exactly (and only) the node on which the decision was issued".
    
    3.  Much of this discussion centers around the conceptual model of multi-resource requests.  The spec says these are to be treated as a series of individual requests, and describes the required context of each derived request.  This model is normative only in concept, not for implementation--that is, a PDP must issue decisions as if this model had been followed.  The MR spec says "This Profile does NOT REQUIRE that the implementation of the evaluation of a request for access to multiple resources conform to the preceding model or that actual Individual Resource Requests be constructed." (section 2)  Therefore, the behavior of any rule evaluation that depends on a particular implementation of multi-resource requests is out of scope (and unspecified).  I believe the discussion of xpath resource-id rules falls into this category.  (I also believe the model of multi-resource decision evaluation needs to be defined better.)
    
    --Paul
    
    
    > 


  • 5.  Re: [xacml] Re: XACML's limitations in the access control for XMLdocuments use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpathdefinition

    Posted 10-01-2009 13:42
    Hi Paul,
    
    See some comments inline.
    
    Best regards,
    Erik
    
    Tyson, Paul H wrote:
    > No one has produced an actual use case that requires regexp on xpath resource-ids to solve. I am not inclined to jump to this sort of solution.  I have a lot of experience writing xpath expressions for xslt transformations, so I am skeptical when anyone suggests  additional functionality is required in this area, that is not already provided by well-established standards.
    >
    > I still plan to start some wiki pages on these topics, but I want to introduce some other aspects of this discussion.
    >
    > 1. Part of the problem is that XACML overloads the concept of "resource-id" when it can be used actually as a "resource-selector" in multi-resource request for XML resources.  This causes the actual resource-id that is used during evaluation to be different than the initial resource-id (it has been "expanded" to describe the exact node).  I believe this is a defect in the specification, which should be remedied in any case.  You face this problem when you want to write (as Jan does) rules involving the string value of the resource-id.  (I still don't understand the motivation for writing these sorts of rules, but that's a different matter.)
    >   
    
    Yes, I agree. If I understand you correctly, this is the exact same 
    issue I am thinking of when I say that the multiple resource profile 
    "breaks the XACML assumption that the 


  • 6.  Re: [xacml] Re: XACML's limitations in the access control for XMLdocuments use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpathdefinition

    Posted 10-06-2009 01:04
    
    
      
      
    
    
    Hi Erik, Paul, Jan,

    There has been good discussion in the last 6 emails:
    http://lists.oasis-open.org/archives/xacml/200910/msg00005.html
    http://lists.oasis-open.org/archives/xacml/200910/msg00004.html
    http://lists.oasis-open.org/archives/xacml/200910/msg00003.html
    http://lists.oasis-open.org/archives/xacml/200910/msg00002.html
    http://lists.oasis-open.org/archives/xacml/200910/msg00001.html
    http://lists.oasis-open.org/archives/xacml/200910/msg00000.html

    Reviewing them all has led me to step back a bit and try to see a larger scope thru which all the details might be systematically viewed. I will try to present the larger scope that has helped me view these issues and then try to address a couple of the issues within that context.

    Starting with the Multiple Resource Profile, I see 4 basic "hierarchical use cases", which involve "hierarchical node identification", which I think can reduced to 2 "hierarchical use cases", which may then be viewed as applying to xml and non-xml resources.

    The 4 use cases I see in the Multiple Profile are the following (Note: the top node of the hierarchies involved in these use cases is generally the node identified by the " 'resource-id' attribute in the original request context", a phrase that appears on lines 111,115,143, 145. I think the term "original resource-id" can be used to distinguish this resource-id from the generated individual resource-ids that appear in the individual requests. Also, the original resource-id is used, as one of the individual requests as well.):
    1. resource:scope="Immediate" covered by section 2.3. This use case is essentially a "single" resource request and is relatively uninteresting (in the context of the hierarchical node-naming discussion), except for the fact that the individual "resource-id" attribute may be considered to be essentially the same as the "original resource-id" attribute. Also, section 2.3 covers the multiple single request use case, which is essentially non-hierarchical in nature and simply a list of resources
    2. resource:scope="Children" covered by sections 2.1 and 2.2, and consists essentially of sending a set of individual requests, which are each identified by "resource-id", where the "parent" or "original resource-id" is one request and each child of this parent has a "generated resource-id" to identify it. Also, all these resource-id's may appear in the individual Result elements that are returned and thus represents a tangible entity that needs to be explicitly implemented, because it can actually appear as a specific return element as an identifier of the explicit resource to which the Result applies.
    3. resource:scope="Descendants" also covered by sections 2.1 and 2.2, and represents the node identified by the "original resource-id" plus all the element and attribute descendants of the original resource-id node. Therefore, this use case requires the generation of a tangible resource-id for every element and attribute in a hierarchical resource including and below the element identified by the original resource-id. Again, these may be tangible return values, and therefore need to have a specific syntax and literal representation.
    4. resource:scope="EntireHierarchy" covered by sections 3.1 and 3.2. This use case is essentially the same as resource:scope="Descendants" except only one Result element is generated, and is therefore relatively uninteresting from a "hierarchical naming perspective".
    The point of the above is to call attention to the two primary use cases: resource:scope="Children" and resource:scope="Descendants" that involve the issue of naming of nodes in a hierarchy. In this context, I note the following characteristics that I think may be of general interest:
    • Because the resource:scope="Descendants" use case requires the ability to provide a tangible unique identifier to every node in an XML document, if the original resource-id refers to the top node of that document, there is an implicit requirement to have an explicit name for every element in the hierarchy.
    • There appears to be no explicit "need" to send the actual XML document along with the Request, because all that is explicitly required is the resource-id Attribute. The only need for the XML document would be to look at additional attributes that may be in that document, but those attributes are outside the scope of anything in the Multiple Profile itself.
      • Assuming the above point is acknowledged, it can also be pointed out that while there may be policies written that use additional attributes, there is no reason to think that any, or all of those attributes necessarily would be found in the XML document.
      • Therefore, if agreement exists on the above 2 points, one might also be able to say that there really is no reason to restrict the attributes for the policies to be attributes that can be accessed specifically by the XPath mechanism, and therefore no real "reason" to restrict the node identification to be an XPath syntax as opposed to any other syntax.
    • What these points are getting at is the notion that within the multiple and hierarchical resource profiles there is an explicit need to define an explicit syntax for identifying the nodes in a hierarchy, be it and xml document or a non-xml document, but there is not explicit need that this syntax should be explicitly XPath.
    Given all the above I think it is also fair to say that XPath does not even provide a syntax for explicit node-naming, although one can specify a syntax for node naming using namespace prefixes in the path, however, the XML document which has the resolution of those namespace prefixes in xmlns attributes will need to accompany the request in order to resolve the resource-id to a tangible value that can be included in an IncludeInResult return attribute.

    Granted that in a totally self-contained XPath environment, one might be able to exist without ever explicitly naming a node outside of the presence of the XML document itself, or the document schema, it appears to me, at least, that such a situation kind of "bakes in" one specific technology that will be required to be used to identify these resources. This seems to me to be ok for specific implementations, but it also appears to me to be at odds with the spirit of the core XACML spec which states (lines 2659-2664):
    "5.42 Element <Request>
    The <Request> element is an abstraction layer used by the policy language. For simplicity of expression, this document describes policy evaluation in terms of operations on the context. However a conforming PDP is not required to actually instantiate the context in the form of an XML document. But, any system conforming to the XACML specification MUST produce exactly the same authorization decisions as if all the inputs had been transformed into the form of an <Request> element."
    In summary, I believe the above considerations indicate that there is nothing of functional substance in the Multiple or Hierarchical Resource profiles that really require the presence of the XML document in the Request element, and that all the capabilities can be implemented without XPath or the XML document, and that therefore, restricting functional capabilities, such as node-naming to be represented in an explicitly XML-XPath dependent manner, while providing no alternatives is unnecessarily restricting the implementation technology to a specific form of resource representation.

    i.e. the point I am trying to make is that while I have no objection to XPath methods being included as representative of a way to implement the functionality of the profiles, I do not agree that these methods are necessarily sufficient in and of themselves to represent the functional capabilities of these profiles. And for the node-naming problem, in particular, I think that the XPath syntax provides only a technology-specific way of representing the node names and that therefore an alternative string representation that is not technology-dependent is effectively required as an alternative. In addition, I also believe that the suggestion I made using URI syntax or something equivalent, meets the requirements and is transformable to XPath syntax if necessary for implementation purposes.

    Comments and suggestions welcome, and I realize that I may have overlooked aspects of the problem, which might alter these conclusions, but would request that those oversights or mistakes be pointed out for consideration.

        Thanks,
        Rich



    Erik Rissanen wrote:
    4AC4B1B1.7050605@axiomatics.com" type="cite">Hi Paul,

    See some comments inline.

    Best regards,
    Erik

    Tyson, Paul H wrote:
    No one has produced an actual use case that requires regexp on xpath resource-ids to solve. I am not inclined to jump to this sort of solution.  I have a lot of experience writing xpath expressions for xslt transformations, so I am skeptical when anyone suggests  additional functionality is required in this area, that is not already provided by well-established standards.

    I still plan to start some wiki pages on these topics, but I want to introduce some other aspects of this discussion.

    1. Part of the problem is that XACML overloads the concept of "resource-id" when it can be used actually as a "resource-selector" in multi-resource request for XML resources.  This causes the actual resource-id that is used during evaluation to be different than the initial resource-id (it has been "expanded" to describe the exact node).  I believe this is a defect in the specification, which should be remedied in any case.  You face this problem when you want to write (as Jan does) rules involving the string value of the resource-id.  (I still don't understand the motivation for writing these sorts of rules, but that's a different matter.)
     

    Yes, I agree. If I understand you correctly, this is the exact same issue I am thinking of when I say that the multiple resource profile "breaks the XACML assumption that the <Request> describes a single attempted access to a single resource".

    2. Related to the above point, there seems to be a gap in the current multi-resource specification, because it is not clear how the response identifies the xml node for each decision.  If PEP asks for decisions on "//*[@id=('foo','bar','baz')]"  (i.e., elements whose id attribute is 'foo', 'bar', or 'baz'), what should be the respective values of the resource-ids in the response?  They could be "//*[@id='foo']", "//*[@id='bar']", "//*[@id='baz']".  Or they could be "/chapter[1]/section[3]/para[1]", "/chapter[2]", "/chapter[2]/section[1]/fig[1]".  Assuming the PEP has xpath processing capabilities, it really shouldn't matter.  But the XACML spec should at least say something like "the returned resource-id shall be an xpath expression which, when evaluated against the original xml content, returns exactly (and only) the node on which the decision was issued".
     

    This behavior is already required by the current specification, but could perhaps be stated more explicitly. The PDP will return the resource-id attribute specified in the individual request if the "IncludeInResult" attribute has been set to "true". And the multiple resource profile already requires that for each individual request the resource-id must consist of an XPath expression which matches exactly one node. The combined effect of this is the behavior you describe above.

    3.  Much of this discussion centers around the conceptual model of multi-resource requests.  The spec says these are to be treated as a series of individual requests, and describes the required context of each derived request.  This model is normative only in concept, not for implementation--that is, a PDP must issue decisions as if this model had been followed.  The MR spec says "This Profile does NOT REQUIRE that the implementation of the evaluation of a request for access to multiple resources conform to the preceding model or that actual Individual Resource Requests be constructed." (section 2)  Therefore, the behavior of any rule evaluation that depends on a particular implementation of multi-resource requests is out of scope (and unspecified).  I believe the discussion of xpath resource-id rules falls into this category.  (I also believe the model of multi-resource decision evaluation needs to be defined better.)
     

    Sorry, but I don't understand this point. But I do think it is relevant to discuss whether the spec can be implemented in any efficient manner, and this can affect what the specification should be like.

    --Paul


     


    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
     



    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 7.  Re: [xacml] Re: XACML's limitations in the access control for XMLdocuments use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpathdefinition

    Posted 10-08-2009 07:58
    Hi Rich,
    
    If I understand you correctly, the essence of your email is that you say 
    that a hierarchical resource could be described in some other manner 
    than an XML document, so use of XML in the request or XPath in the 
    policies are not required.
    
    Well, maybe so, but if one does not use XML for the hierarchy, one has 
    to use something else somewhere else, and you leave this question 
    completely open. So you are really proposing yet another brand new 
    scheme for doing hierarchies and multiple requests. This could be 
    interesting in its own right, but there are many people who wish to use 
    XML for their resources since it is convenient. And these users do want 
    to look up additional attributes in the XML. This discussion started 
    because users of XACML saw limitations in XACML's capabilities with 
    regard to XML resources.
    
    So, I think we should make a clear distinction between:
    
    1. How to improve XACML when the user is in fact using XML for resources 
    and does want to look up attributes of the individual resources in the XML.
    
    2. How to define other schemes for multiple requests and hierarchies.
    
    One could also discuss the various merits of different schemes, but a 
    strong point of the XML scheme is that XML is a standardized capability 
    which does not require any custom capabilities in the PEP or context 
    handler. The URI scheme leaves the whole issue of defining, storing and 
    transmitting the hierarchy unspecified, so it would not work out of box 
    on a standard XACML implementation.
    
    Best regards,
    Erik
    
    
    Rich.Levinson wrote:
    > Hi Erik, Paul, Jan,
    >
    > There has been good discussion in the last 6 emails:
    > http://lists.oasis-open.org/archives/xacml/200910/msg00005.html
    > http://lists.oasis-open.org/archives/xacml/200910/msg00004.html
    > http://lists.oasis-open.org/archives/xacml/200910/msg00003.html
    > http://lists.oasis-open.org/archives/xacml/200910/msg00002.html
    > http://lists.oasis-open.org/archives/xacml/200910/msg00001.html
    > http://lists.oasis-open.org/archives/xacml/200910/msg00000.html
    >
    > Reviewing them all has led me to step back a bit and try to see a 
    > larger scope thru which all the details might be systematically 
    > viewed. I will try to present the larger scope that has helped me view 
    > these issues and then try to address a couple of the issues within 
    > that context.
    >
    > Starting with the Multiple Resource Profile, I see 4 basic 
    > "hierarchical use cases", which involve "hierarchical node 
    > identification", which I think can reduced to 2 "hierarchical use 
    > cases", which may then be viewed as applying to xml and non-xml resources.
    >
    > The 4 use cases I see in the Multiple Profile are the following (Note: 
    > the top node of the hierarchies involved in these use cases is 
    > generally the node identified by the " 'resource-id' attribute in the 
    > original request context", a phrase that appears on lines 111,115,143, 
    > 145. I think the term "original resource-id" can be used to 
    > distinguish this resource-id from the generated individual 
    > resource-ids that appear in the individual requests. Also, the 
    > original resource-id is used, as one of the individual requests as well.):
    >
    >    1. resource:scope="Immediate" covered by section 2.3. This use case
    >       is essentially a "single" resource request and is relatively
    >       uninteresting (in the context of the hierarchical node-naming
    >       discussion), except for the fact that the individual
    >       "resource-id" attribute may be considered to be essentially the
    >       same as the "original resource-id" attribute. Also, section 2.3
    >       covers the multiple single request use case, which is
    >       essentially non-hierarchical in nature and simply a list of
    >       resources
    >    2. resource:scope="Children" covered by sections 2.1 and 2.2, and
    >       consists essentially of sending a set of individual requests,
    >       which are each identified by "resource-id", where the "parent"
    >       or "original resource-id" is one request and each child of this
    >       parent has a "generated resource-id" to identify it. Also, all
    >       these resource-id's may appear in the individual Result elements
    >       that are returned and thus represents a tangible entity that
    >       needs to be explicitly implemented, because it can actually
    >       appear as a specific return element as an identifier of the
    >       explicit resource to which the Result applies.
    >    3. resource:scope="Descendants" also covered by sections 2.1 and
    >       2.2, and represents the node identified by the "original
    >       resource-id" plus all the element and attribute descendants of
    >       the original resource-id node. Therefore, this use case requires
    >       the generation of a tangible resource-id for every element and
    >       attribute in a hierarchical resource including and below the
    >       element identified by the original resource-id. Again, these may
    >       be tangible return values, and therefore need to have a specific
    >       syntax and literal representation.
    >    4. resource:scope="EntireHierarchy" covered by sections 3.1 and
    >       3.2. This use case is essentially the same as
    >       resource:scope="Descendants" except only one Result element is
    >       generated, and is therefore relatively uninteresting from a
    >       "hierarchical naming perspective".
    >
    > The point of the above is to call attention to the two primary use 
    > cases: resource:scope="Children" and resource:scope="Descendants" that 
    > involve the issue of naming of nodes in a hierarchy. In this context, 
    > I note the following characteristics that I think may be of general 
    > interest:
    >
    >     * Because the resource:scope="Descendants" use case requires the
    >       ability to provide a tangible unique identifier to every node in
    >       an XML document, if the original resource-id refers to the top
    >       node of that document, there is an implicit requirement to have
    >       an explicit name for every element in the hierarchy.
    >     * There appears to be no explicit "need" to send the actual XML
    >       document along with the Request, because all that is explicitly
    >       required is the resource-id Attribute. The only need for the XML
    >       document would be to look at additional attributes that may be
    >       in that document, but those attributes are outside the scope of
    >       anything in the Multiple Profile itself.
    >           o Assuming the above point is acknowledged, it can also be
    >             pointed out that while there may be policies written that
    >             use additional attributes, there is no reason to think
    >             that any, or all of those attributes necessarily would be
    >             found in the XML document.
    >           o Therefore, if agreement exists on the above 2 points, one
    >             might also be able to say that there really is no reason
    >             to restrict the attributes for the policies to be
    >             attributes that can be accessed specifically by the XPath
    >             mechanism, and therefore no real "reason" to restrict the
    >             node identification to be an XPath syntax as opposed to
    >             any other syntax.
    >     * What these points are getting at is the notion that within the
    >       multiple and hierarchical resource profiles there is an explicit
    >       need to define an explicit syntax for identifying the nodes in a
    >       hierarchy, be it and xml document or a non-xml document, but
    >       there is not explicit need that this syntax should be explicitly
    >       XPath.
    >
    > Given all the above I think it is also fair to say that XPath does not 
    > even provide a syntax for explicit node-naming, although one can 
    > specify a syntax for node naming using namespace prefixes in the path, 
    > however, the XML document which has the resolution of those namespace 
    > prefixes in xmlns attributes will need to accompany the request in 
    > order to resolve the resource-id to a tangible value that can be 
    > included in an IncludeInResult return attribute.
    >
    > Granted that in a totally self-contained XPath environment, one might 
    > be able to exist without ever explicitly naming a node outside of the 
    > presence of the XML document itself, or the document schema, it 
    > appears to me, at least, that such a situation kind of "bakes in" one 
    > specific technology that will be required to be used to identify these 
    > resources. This seems to me to be ok for specific implementations, but 
    > it also appears to me to be at odds with the spirit of the core XACML 
    > spec which states (lines 2659-2664):
    >
    >     "5.42 Element 


  • 8.  Re: [xacml] Re: XACML's limitations in the access control for XMLdocuments use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpathdefinition

    Posted 10-01-2009 13:18
    Hi Rich,
    
    Still, it should cover something which the xpath approach does not 
    cover, or do something better. Could you elaborate what it does beyond 
    xpath? So far I have only seen examples of how the URI approach can 
    replicate the xpath approach.
    
    Best regards,
    Erik
    
    
    
    Rich.Levinson wrote:
    > Hi Erik,
    >
    > The intent of the proposal is not to replace or be better than XPath, 
    > but to be an "alternative representation" for node identification as 
    > described in section 2.0 of the profile, which if we included in the 
    > profile as suggested in section 2.2.1, presumably would then be a 
    > "recommended alternative representation".
    >
    > The reason for the suggestion was to address the requirements 
    > specified in issue 11, which contained a recommended syntax that did 
    > not incorporate namespaces. By using the Clark notation for the 
    > namespaces, the syntax in issue 11 can be directly incorporated to the 
    > URI scheme as described in the proposal.
    >
    > Once the syntax is in place then the same kinds of regexp-scoped 
    > Policy's can be written for XML nodes as for file system and URL 
    > resources.
    >
    > Assuming the syntax and proposal is correct, it may be a useful 
    > alternative representation in some situations, particularly where it 
    > may be an objective to identify all resources w URIs, and/or where the 
    > mixed XACML/XPATH syntax is a concern wrt Policy specification.
    >
    >    Thanks,     Rich
    >
    >
    > Erik Rissanen wrote:
    >> Hi Rich,
    >>
    >> Some of the reasons why an XPath approach could be better are:
    >>
    >> 1. XPath contains many functions and other capabilities, which might 
    >> not be as easily available in the URI based approach.
    >>
    >> 2. The TC would avoid the effort to define the URI approach. We would 
    >> need to improve the xpath approach instead, but I suspect that the 
    >> effort is smaller since we can reuse so much from xpath, compared 
    >> with a wholly new URI based approach.
    >>
    >> 3. It is likely that an XML resource is already available in XML 
    >> form, so an xpath implimentation can be applied to it directly, while 
    >> the URI approach requires a transformation, which could degrade 
    >> performance.
    >>
    >> Note that it is not true that the whole XML has to be repeated for 
    >> each resource since multiple 


  • 9.  AW: [xacml] Re: XACML's limitations in the access control for XML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpath definition

    Posted 10-01-2009 09:01
    Hi Erik, Rich, all
    
    below you find a summary of the discussion on "xpath vs. reg-exp-match for
    resource-id evaluations" so far (from my point of view) and some further
    comments. I hope that helps to clarify where we are.
    
    Baseline:
    An individual decision request's resource-id attribute is an XPath
    expression that points to exactly one node in the xml resource (i.e. a
    multiple and hierarchically organised resource)
    
    Open Question:
    How two define the part of a rule that matches this resource-id attribute.
    
    Possible approaches:
    Approach 1: 
    Use the XPath-node-XXX functions 
    (e.g. xpath-node-equal(resource-id, /objects/book)
    
    Approach 2: 
    Use the reg-exp-string function
    (e.g. reg-exp-string-match(resource-id, /objects\[\d+\]/book\[\d+\]))
    
    Evaluation:
    - both approaches can offer the same functionality
    
    I hope so far we all agree. 
    
    Now let's come to the pros and cons of each approach:
    
    Let's start with Approach 2 (i.e. the reg-exp-string function based option):
     
    A reason why the reg-expr-match approach could be better:
    
    It is very simple and most importantly it can be evaluated very fast and
    just on the two arguments - the string representing one node and a
    corresponding regular expression. There is no need to do go through the xml
    resource itself while evaluation.
    In contrast, if you use the XPath approach the two XPath arguments of the
    xpath node-match functions have to be evaluated against the xml resource
    (e.g. a DOM representation in memory). This disadvantage becomes even more
    serious if you take into account, that your multiple resource (e.g. an xml
    doc) consists of n individual resources/nodes and thus you have to evaluate
    n xpath node-match functions. In short a processing overhead that occurs
    when using the XPath approach occurs n times.
    
    On the other side the disadvantage of the reg-expr-match approach is that it
    doesn't deal with the namespace definition behind the prefixes explicitly.
    Thus, in case you have the following situation something unintended could
    occur:
    
    - Two xml schemas, that describe the xml resource, use the same
    elementNodeName for the complexTypes (e.g. 


  • 10.  Re: AW: [xacml] Re: XACML's limitations in the access control forXML documents use case - AW: AW: [xacml] CD-1 issue #11: strictness of xpathdefinition

    Posted 10-01-2009 13:32
    Hi All,
    
    See responses inline.
    
    Jan Herrmann wrote:
    > Hi Erik, Rich, all
    >
    > below you find a summary of the discussion on "xpath vs. reg-exp-match for
    > resource-id evaluations" so far (from my point of view) and some further
    > comments. I hope that helps to clarify where we are.
    >
    > Baseline:
    > An individual decision request's resource-id attribute is an XPath
    > expression that points to exactly one node in the xml resource (i.e. a
    > multiple and hierarchically organised resource)
    >
    > Open Question:
    > How two define the part of a rule that matches this resource-id attribute.
    >
    > Possible approaches:
    > Approach 1: 
    > Use the XPath-node-XXX functions 
    > (e.g. xpath-node-equal(resource-id, /objects/book)
    >
    > Approach 2: 
    > Use the reg-exp-string function
    > (e.g. reg-exp-string-match(resource-id, /objects\[\d+\]/book\[\d+\]))
    >
    > Evaluation:
    > - both approaches can offer the same functionality
    >   
    
    Only if we fix the normalization problem of the regexp case.
    
    > I hope so far we all agree. 
    >
    > Now let's come to the pros and cons of each approach:
    >
    > Let's start with Approach 2 (i.e. the reg-exp-string function based option):
    >  
    > A reason why the reg-expr-match approach could be better:
    >
    > It is very simple and most importantly it can be evaluated very fast and
    > just on the two arguments - the string representing one node and a
    > corresponding regular expression. There is no need to do go through the xml
    > resource itself while evaluation.
    > In contrast, if you use the XPath approach the two XPath arguments of the
    > xpath node-match functions have to be evaluated against the xml resource
    > (e.g. a DOM representation in memory). This disadvantage becomes even more
    > serious if you take into account, that your multiple resource (e.g. an xml
    > doc) consists of n individual resources/nodes and thus you have to evaluate
    > n xpath node-match functions. In short a processing overhead that occurs
    > when using the XPath approach occurs n times.
    >
    > On the other side the disadvantage of the reg-expr-match approach is that it
    > doesn't deal with the namespace definition behind the prefixes explicitly.
    > Thus, in case you have the following situation something unintended could
    > occur:
    >
    > - Two xml schemas, that describe the xml resource, use the same
    > elementNodeName for the complexTypes (e.g.