OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Re: xpath and xacml

  • 1.  [xacml] Re: xpath and xacml

    Posted 07-29-2002 09:02
     MHonArc v2.5.2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Subject: [xacml] Re: xpath and xacml


    This is a proposal for supporting target specification using XPath
    expression. <AttributeSelector> is used to specify XPath expression in the
    <target> element. I am assuming that <AttributeDesignator> will be used for
    the expression without XPath. Four new functions are used to compare
    values.
    
    function:general-string-equal
    function:boolean
    function:node-equal
    function:xpath-match
    
    <XPathVersion> element in <Defaults> element is used to specify the version
    of the XPath expression used in the policy. Schema definition will be
    posted by Simon.
    
    Before describing about each function definition, I start with a couple
    policy specification examples.
    
    == EXAMPLE 1 ==
    
    <Rule>
      <Target>
        <Resources MatchId="function:general-string-equal" DataType
    ="xs:boolean">
          <AttributeSelector Designator="//c:Subject[@Category
    ='req']/c:SubjectId"/>
          <AttributeSelector Designator="//e:employee/e:name"/>
        </Resource>
      </Target>
    </Rule>
    
    The above policy means general-string-equal(xpath-match(//c:Subject
    [@Category='req']/c:SubjectId), xpath-match(//e:employee/e:name)).
    
    general-string-equal is derived from the general comparison "=" defined in
    XPath 2.0 that adds existential semantics to value comparisons. While
    original general comparison is not aware of data type, our function is
    aware of data type. That's why "string" is specified in the function name.
    This means the comparison must be done in string data type.
    
    For example, SubjectId may return a set including two items that represent
    "Alice" and "Bob" and e:name may return a set including three items that
    represent "Alice", "Carol" and "Dave". Since "Alice" is included in both
    lists, then the general-string-equal returns true.
    
    In the above policy, I omitted to specify namespace URI and prefix used in
    the XPath for readability. It would be specified as follows:
    <Rule>
      <Target>
        <Resources MatchId="function:general-string-equal" DataType
    ="xs:boolean">
          <AttributeSelector xmlns:c="urn:oasis:xacml-context" Designator
    ="//c:Subject[@Category='req']/c:SubjectId"/>
          <AttributeSelector xmlns:e="http://myNS"; Designator
    ="//e:employee/e:name"/>
        </Resource>
      </Target>
    </Rule>
    
    == EXAMPLE 2 ==
    
    <Rule>
      <Target>
        <Resources MatchId="function:general-string-equal" DataType
    ="xs:boolean">
          <AttributeSelector Designator="//c:Subject[@Category
    ='req']/c:SubjectId"/>
          <Attribute DataType="xs:stiring">Alice</Attribute>
        </Resource>
      </Target>
    </Rule>
    
    The above policy means general-string-equal(xpath-match(//c:Subject
    [@Category='req']/c:SubjectId), "Alice")
    
    == EXAMPLE 3 ==
    
    If two arguments of general-string-equal is the same, it is a possibility
    to specify that by:
    
    <Rule>
      <Target>
        <Resources MatchId="function:boolean" DataType="xs:boolean">
          <AttributeSelector Designator="boolean(//c:Subject[@Category
    ='req']/c:SubjectId[.=//e:employee/e:name])"/>
        </Resource>
      </Target>
    </Rule>
    
    The above policy is valid when a target XML document is embedded in the
    XACML request context. (We assume that each element is distinguished using
    namespace). However, if two expressions refer to different XML documents,
    say XACML request context and target XML document that is NOT EMBEDDED in
    the context. It is impossible to specify it like the above. I omitted
    DataType attribute in the AttributeSelector because its data type is always
    a set
    and there seems no data type that represents a set.
    
    == EXAMPLE 4 ==
    
    Other usage is the node comparison as I described in my XML access control
    proposal. Of course, this is an analogy from a node comparison "is" defined
    in [1].
    
    <Rule>
      <Target>
        <Resources MatchId="function:node-equal" DataType="xs:boolean">
          <AttributeSelector Designator="//c:Attribute/@value"/>
          <AttributeSelector Designator="//c:Attribute/@name"/>
        </Resource>
      </Target>
    </Rule>
    
    ----------------------
        Function Definitions
    ----------------------
    
    <1>. Function:general-string-equal
    
    boolean: general-string-equal(object(*1), object)
    
    The general-string-equal(A,B) is true for set A and B if the
    string-equal(a,b) is true for some item a in A and some item b in B.
    Otherwise, general-string-equal(A,B) is false. When performing string-equal
    function, apply the following rules in order:
    
    1. Simple String Atomization (SSA) is applied to each operand, resulting in
    a single atomic value or an empty set for each operand.
    2. If either operand is an empty set, the result is an empty set.
    3. Cast each operand to xs:string
    4. If the cast fails, the error value is returned.
    5. The result of string-equal is true if the value of the first operand is
    equal to the value of the second operand; otherwise the result of the
    string-equal is false.
    
    Simple String Atomization (SSA):
    
    1. If the value is a single atomic value or an empty set, atomization
    simply returns the value.
    2. If the value is a single node, it must be an element node, attribute
    node or a text node.
      2.1  If the value is a text node, returns the string content of the text
    node.
      2.2  If the value is an attribute node, returns its string value.
      2.3  If the value is an element node that does not contain element node
    below, returns the string content of the text node.
      2.4  If the value is an element node that contain one or more element
    node below, returns error value as defined in [1]
    3. If the value is not a single node, return error value as defined in [1]
    
    Example:
    <a>
      <b1>January</b1>
      <b1>February</b1>
      <b2>
        <c>January</c>
        <c>March</c>
      </b2>
      <b3 d="February"/>
      <b3 d="April"/>
    </a>
    
    A := xpath(/a/b1)
    B := xpath(/a/b2/c)
    C := xpath(/a/b3/@d)
    D := xpath(/a/b2)
    
    (1) general-string-equal(A,B) ==> true
    (2) general-string-equal(A,C) ==> true
    (3) general-string-equal(B,C) ==> false
    (4) general-string-equal(A,"February") ==> true
    (5) general-string-equal(A,D) ==> Error value
    
    (1) A returns two nodes: two <b1> elements. The SSA is applied to the first
    <b1> item, which returns "January". The SSA is applied to the second <b1>
    item, which returns "February". B returns two nodes: two <c> elements. The
    SSA is applied to the first <c> item, which returns "January". The SSA is
    applied to the second <c> item, which returns "March". String casting
    succeeds. Since the first value of the first operand is equal to the first
    value of the second operand, general-string-equal returns true.
    
    (2) C returns two nodes: two d attributes. The SSA is applied to each item,
    which returns "February" and "March", respectively. Since the second value
    of the first operand is equal to the first value of the second operand,
    general-string-equal returns true.
    
    (3) Since there is no identical value pair in the first operand and the
    second operand, general-string-equal returns false.
    
    (4) The second operand is a single atomic value "February". Since it is
    equal to the second value of the first operand, general-string-equal
    returns true.
    
    (5) The second operand returns one <b2> element that contains two <c>
    element. This raises error from SSA step 2.4. Therefore,
    general-string-equal returns error value.
    
    
    <2>. Function:boolean
    
    boolean boolean(object)
    
    The boolean function converts its argument to a boolean as follows:
    1. a number is true if and only if it is neither positive or negative zero
    nor NaN
    2. a node-set is true if and only if it is non-empty
    3. a string is true if and only if its length is non-zero
    4. an object of a type other than the four basic types is converted to a
    boolean in a way that is dependent on that type
    
    
    <3>. Function:node-equal
    
    boolean node-equal(object, object)
    
    The result of a node-equal is defined by applying the following rules, in
    order:
    1. Both operands must be either a single node or an empty set; otherwise
    the error value is returned.
    2. If either operand is an empty set, the result of the comparison is an
    empty set.
    3. A comparison is true if the two operands are nodes that have the same
    single node; otherwise it is false.
    
    
    <4>. Function:xpath-match
    
    object xpath-match(string)
    
    The result of xpath-match is defined by applying the following rules, in
    order:
    1. Find <XPath-Version> element in <Defaults> element specified in the
    rule/policyStatement/policySetStatement. Use corresponding XPath processor
    to evaluate the argument.
    2. Evaluate the argument and returns object.
    
    
    *1 "object" type specified in each function argument is defined in [2]
    [1] XQuery 1.0 and XPath 2.0 Data Model,
    http://www.w3.org/TR/xquery-operators/
    [2] XPath 1.0, http://www.w3.org/TR/xpath
    
    Michiharu Kudo
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]


    Powered by eList eXpress LLC