OASIS eXtensible Access Control Markup Language (XACML) TC

Hello,

I have some questions about the proper behavior of the various xpath
functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath
Resource attribute in particular.

It seems to be used throughout the examples in the XACML 2.0 Core
specification, but I don't find any text defining its proper values.
The XACML 1.0 specification, on the other hand, includes the
following: "This identifier indicates that the resource is specified
by an XPath expression." However, I am not sure what that means. In
fact, in XACML 1.0 the Attribute's value seems to be explicitly
specified in the request context, but not in the XACML 2.0 spec,
where it does not appear.

In general, I am a bit confused about how xpath matching is supposed
to work. The first example rule instance from the XACML 2.0
specification, for example, tests that the node(s) matching
urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of /
md:record, but it's unclear to me in what context these xpath
expressions are evaluated.

It seems the /md:record is not intended to be evaluated in the
request context, as that would yield an empty set. That means it is
either evaluate with respect to the "ResourceContent", or perhaps to
an external document? On the other hand, Appendix A.3.15 says that
"the XPath epxressions in these functions are restrict to the XACML
request context. The <xacml-context:Request> element is the context
node for every XPath expresion," which would seem to mean that /
md:record should yield an empty set after all (as the request
context's root element is a <xacml-context:Request> element).

Can anyone help clarify things for me, or point me to an explanation?
Thank you very much!

For reference, here is the XACML policy fragment that invokes xpath-
match:

> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-
> match">
> <AttributeValue DataType="http://www.w3.org/2001/
> XMLSchema#string">
> /md:record
> </AttributeValue>
> <ResourceAttributeDesignator
> AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
> DataType="http://www.w3.org/2001/XMLSchema#string"/>
> </ResourceMatch>

The example request context is in section 4.2.2.


Thanks in advance,
Niko Matsakis

Hi Niko,

I have looked into this before and agree with your conclusions.

You are correct that resource:xpath needs to be added to XACML 2.0. This
was identified as an errata:

http://lists.oasis-open.org/archives/xacml/200702/msg00001.html

however, I don't think it has made it to the errata spec yet:


http://www.oasis-open.org/committees/download.php/24815/access_control-xacml-2.0-core-spec-os-errata.doc

This should be added to the errata list.

On the second part of your question, I think the answer is in section
B.6 p 129:

5036 This attribute identifies the resource to which access is
requested. If an <xacml
5037 context:ResourceContent> element is provided, then the resource to
which access is
5038 requested SHALL be all or a portion of the resource supplied in the
<xacml
5039 context:ResourceContent> element.
5040 *urn:oasis:names:tc:xacml:1.0:resource:resource-id*

I interpret this to mean that the presence of this attribute combined
with the
presence of the ResourceContent element makes that element the default
root xpath from which other xpaths are derived.

Note also that the example appears to have an error in the text of
the document where line 1064 should read:

[a185] xmlns(md=http:www.med.example.com/schemas/record.xsd)xpointer

(the "http:www" looks suspicious but matches line 1053).

Note to TC:
The 2 errata here are to add resource:xpath to section B.6 and
to fix line 1064.

Thanks,
Rich


Niko Matsakis wrote:
> Hello,
>
> I have some questions about the proper behavior of the various xpath
> functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath
> Resource attribute in particular.
>
> It seems to be used throughout the examples in the XACML 2.0 Core
> specification, but I don't find any text defining its proper values.
> The XACML 1.0 specification, on the other hand, includes the
> following: "This identifier indicates that the resource is specified
> by an XPath expression." However, I am not sure what that means. In
> fact, in XACML 1.0 the Attribute's value seems to be explicitly
> specified in the request context, but not in the XACML 2.0 spec, where
> it does not appear.
>
> In general, I am a bit confused about how xpath matching is supposed
> to work. The first example rule instance from the XACML 2.0
> specification, for example, tests that the node(s) matching
> urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of
> /md:record, but it's unclear to me in what context these xpath
> expressions are evaluated.
>
> It seems the /md:record is not intended to be evaluated in the request
> context, as that would yield an empty set. That means it is either
> evaluate with respect to the "ResourceContent", or perhaps to an
> external document? On the other hand, Appendix A.3.15 says that "the
> XPath epxressions in these functions are restrict to the XACML request
> context. The <xacml-context:Request> element is the context node for
> every XPath expresion," which would seem to mean that /md:record
> should yield an empty set after all (as the request context's root
> element is a <xacml-context:Request> element).
>
> Can anyone help clarify things for me, or point me to an explanation?
> Thank you very much!
>
> For reference, here is the XACML policy fragment that invokes
> xpath-match:
>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">
>> /md:record
>> </AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>
> The example request context is in section 4.2.2.
>
>
> Thanks in advance,
> Niko Matsakis
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
>

  


Hi Niko,


I have looked into this before and agree with your conclusions.


You are correct that resource:xpath needs to be added to XACML 2.0. This

was identified as an errata:


    http://lists.oasis-open.org/archives/xacml/200702/msg00001.html


however, I don't think it has made it to the errata spec yet:


   
http://www.oasis-open.org/committees/download.php/24815/access_control-xacml-2.0-core-spec-os-errata.doc


This should be added to the errata list.


On the second part of your question, I think the answer is in section
B.6 p 129:


5036 This attribute identifies the resource to which access is
requested. If an <xacml

5037 context:ResourceContent> element is provided, then the resource
to which access is

5038 requested SHALL be all or a portion of the resource supplied in
the <xacml

5039 context:ResourceContent> element.

5040 urn:oasis:names:tc:xacml:1.0:resource:resource-id


I interpret this to mean that the presence of this attribute combined
with the

presence of the ResourceContent element makes that element the default

root xpath from which other xpaths are derived.


Note also that the example appears to have an error in the text of

the document where line 1064 should read:


 [a185] xmlns(md=http:www.med.example.com/schemas/record.xsd)xpointer


(the "http:www" looks suspicious but matches line 1053).


Note to TC:

The 2 errata here are to add resource:xpath to section B.6 and

to fix line 1064.


    Thanks,

    Rich



Niko Matsakis wrote:
A6D827E5-7E0D-402B-BDE3-3C87376F7E02@alum.mit.edu" type="cite">Hello,


I have some questions about the proper behavior of the various xpath
functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath Resource
attribute in particular.


It seems to be used throughout the examples in the XACML 2.0 Core
specification, but I don't find any text defining its proper values. 
The XACML 1.0 specification, on the other hand, includes the following:
"This identifier indicates that the resource is specified by an XPath
expression."  However, I am not sure what that means.  In fact, in
XACML 1.0 the Attribute's value seems to be explicitly specified in the
request context, but not in the XACML 2.0 spec, where it does not
appear.


In general, I am a bit confused about how xpath matching is supposed to
work.  The first example rule instance from the XACML 2.0
specification, for example, tests that the node(s) matching
urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of /md:record,
but it's unclear to me in what context these xpath expressions are
evaluated.


It seems the /md:record is not intended to be evaluated in the request
context, as that would yield an empty set.  That means it is either
evaluate with respect to the "ResourceContent", or perhaps to an
external document?  On the other hand, Appendix A.3.15 says that "the
XPath epxressions in these functions are restrict to the XACML request
context.  The <xacml-context:Request> element is the context node
for every XPath expresion," which would seem to mean that /md:record
should yield an empty set after all (as the request context's root
element is a <xacml-context:Request> element).


Can anyone help clarify things for me, or point me to an explanation?
Thank you very much!


For reference, here is the XACML policy fragment that invokes
xpath-match:


  
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">

       <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">

        /md:record

       </AttributeValue>

       <ResourceAttributeDesignator

        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"

        DataType="http://www.w3.org/2001/XMLSchema#string"/>

</ResourceMatch>

  


The example request context is in section 4.2.2.



Thanks in advance,

Niko Matsakis


---------------------------------------------------------------------

To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org

For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org

First, thank you for your quick response!

> You are correct that resource:xpath needs to be added to XACML 2.0.
> This
> was identified as an errata:
>
> http://lists.oasis-open.org/archives/xacml/200702/msg00001.html

Ok, that's good to know. I did indeed check the errata list before
posting, but I only saw an errata for the SAML

However, let me pose one additional question: in xacml 1.0, for
example, the resource:xpath attribute in the example context has the
value xmlns(md=...) xpointer(/md:record/md:patient/md:patientDoB).
This is clearly not an xpath expression, but an xpointer one. Does
this mean that the XACML processor must also support xpointer?

I see that the XACML specifications (both 1.0 and 2.0) seem to use
XPath/Xpointer interchangeably, even writing "XPath/Xpointer" on
occasion.

> On the second part of your question, I think the answer is in
> section B.6 p 129:
>
> 5036 This attribute identifies the resource to which access is
> requested. If an <xacml
> 5037 context:ResourceContent> element is provided, then the
> resource to which access is
> 5038 requested SHALL be all or a portion of the resource supplied
> in the <xacml
> 5039 context:ResourceContent> element.
> 5040 urn:oasis:names:tc:xacml:1.0:resource:resource-id
>
> I interpret this to mean that the presence of this attribute
> combined with the
> presence of the ResourceContent element makes that element the default
> root xpath from which other xpaths are derived.

While I agree that this interpretation helps the examples to make
sense, I would not say it is exactly crystal clear from the text you
quoted. Furthermore, the text in the xpath section (A.3.15) clearly
states "The <Request> element is the context node for every XPath
expression," which seems like a contradiction. So, if your
interpretation is correct, I think an errata is definitely warranted.

I would also say that making the Resource element the "root" of the
xpath evaluation --- as opposed to the context node --- is a fairly
involved transformation, as it involves creating (at least
conceptually) a separate XML document from the <RequestContent>
element [along with any inherited namespaces, etc]. Otherwise, as I
read the specification, the xpath expression normally ranges over the
complete request document.


regards,

Niko Matsakis

Hi Niko,

The TC is preparing the core errata for publication and the pointer
I gave you is the current state, and the issues from this email should
be discussed and included as appropriate, and I agree that B.6 and
A.3.15 leave one a bit unsure as to what is the real situation, and all
this should be part of resolving the issue.

On your xpath questions, I am not an expert on xpath and do not
know the answer about xpointer, but will also bring this to attention
of TC, and the terminology re: "root" I was just using loosely, so
you are probably correct that "context" is the correct term as
to where the xpath starts within the document.

Thanks,
Rich

Niko Matsakis wrote:
> First, thank you for your quick response!
>
>> You are correct that resource:xpath needs to be added to XACML 2.0. This
>> was identified as an errata:
>>
>> http://lists.oasis-open.org/archives/xacml/200702/msg00001.html
>
> Ok, that's good to know. I did indeed check the errata list before
> posting, but I only saw an errata for the SAML
>
> However, let me pose one additional question: in xacml 1.0, for
> example, the resource:xpath attribute in the example context has the
> value xmlns(md=...) xpointer(/md:record/md:patient/md:patientDoB).
> This is clearly not an xpath expression, but an xpointer one. Does
> this mean that the XACML processor must also support xpointer?
>
> I see that the XACML specifications (both 1.0 and 2.0) seem to use
> XPath/Xpointer interchangeably, even writing "XPath/Xpointer" on
> occasion.
>
>> On the second part of your question, I think the answer is in section
>> B.6 p 129:
>>
>> 5036 This attribute identifies the resource to which access is
>> requested. If an <xacml
>> 5037 context:ResourceContent> element is provided, then the resource
>> to which access is
>> 5038 requested SHALL be all or a portion of the resource supplied in
>> the <xacml
>> 5039 context:ResourceContent> element.
>> 5040 urn:oasis:names:tc:xacml:1.0:resource:resource-id
>>
>> I interpret this to mean that the presence of this attribute combined
>> with the
>> presence of the ResourceContent element makes that element the default
>> root xpath from which other xpaths are derived.
>
> While I agree that this interpretation helps the examples to make
> sense, I would not say it is exactly crystal clear from the text you
> quoted. Furthermore, the text in the xpath section (A.3.15) clearly
> states "The <Request> element is the context node for every XPath
> expression," which seems like a contradiction. So, if your
> interpretation is correct, I think an errata is definitely warranted.
>
> I would also say that making the Resource element the "root" of the
> xpath evaluation --- as opposed to the context node --- is a fairly
> involved transformation, as it involves creating (at least
> conceptually) a separate XML document from the <RequestContent>
> element [along with any inherited namespaces, etc]. Otherwise, as I
> read the specification, the xpath expression normally ranges over the
> complete request document.
>
>
> regards,
>
> Niko Matsakis
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
>

Hi Niko,

The TC is preparing the core errata for publication and the pointer
I gave you is the current state, and the issues from this email should
be discussed and included as appropriate, and I agree that B.6 and
A.3.15 leave one a bit unsure as to what is the real situation, and all
this should be part of resolving the issue.

On your xpath questions, I am not an expert on xpath and do not
know the answer about xpointer, but will also bring this to attention
of TC, and the terminology re: "root" I was just using loosely, so
you are probably correct that "context" is the correct term as
to where the xpath starts within the document.

    Thanks,
    Rich

Niko Matsakis wrote:
> First, thank you for your quick response!
>
>> You are correct that resource:xpath needs to be added to XACML 2.0. This
>> was identified as an errata:
>>
>>     http://lists.oasis-open.org/archives/xacml/200702/msg00001.html
>
> Ok, that's good to know.  I did indeed check the errata list before 
> posting, but I only saw an errata for the SAML
>
> However, let me pose one additional question: in xacml 1.0, for 
> example, the resource:xpath attribute in the example context has the 
> value xmlns(md=...) xpointer(/md:record/md:patient/md:patientDoB).  
> This is clearly not an xpath expression, but an xpointer one.  Does 
> this mean that the XACML processor must also support xpointer?
>
> I see that the XACML specifications (both 1.0 and 2.0) seem to use 
> XPath/Xpointer interchangeably, even writing "XPath/Xpointer" on 
> occasion.
>
>> On the second part of your question, I think the answer is in section 
>> B.6 p 129:
>>
>> 5036 This attribute identifies the resource to which access is 
>> requested. If an 

> On your xpath questions, I am not an expert on xpath and do not
> know the answer about xpointer, but will also bring this to attention
> of TC, and the terminology re: "root" I was just using loosely, so
> you are probably correct that "context" is the correct term as
> to where the xpath starts within the document.

Ok, I appreciate that. The only thing is that, whether or not you
were using the term "root" strictly, it is required for the example
to be correct, as the xpath in the example is "/md:record", as
opposed to "md:record".


regards,

Niko Matsakis

Hi Niko,

I have submitted part of your issue to the TC (that resource:xpath is
missing from 2.0 spec).

The 2nd part of your issue is regarding the context node and how it is
used in the examples.
I have reviewed this somewhat and would like to zero in on what the
exact changes to the
spec might be needed.

First, let's assume the context node is xacml-context:Request as stated
in sec A.3.15 lines
4907-4908. i.e. "//xacml-context:Request" - do you agree? (If not,
please specify.)

Now, looking at the specific ResourceMatch fragment you cite below from
section 4.2.4.1
Rule 1 lines 1166[a241]-1174[a247], my interpretation is that argument 1
is "/md:record",
which would translate to "//xacml-context:Request/md:record". Agree?

If so, then I agree that this would return an empty node-set, since what
we want is:
"//xacml-context:Request/xacml-context:Resource/xacml-context:ResourceContent/md:record"
Agree?

If so, then if we were to change "/md:record" to "//md:record" then I
think this would
return what I suggested we want just above for arg 1. Agree?

Now for arg 2, my assumption is that the resource:xpath, which we can
probably
assume is either the default context node "//xacml-context:Request" or
"//xacml-context:Request/xacml-context:Resource/xacml-context:ResourceContent",
either one of which is ancestor to //md:record, and thus would result in
successful
match. Agree?

If we agree to here, then I think 2 things would be needed to correct
this situation
in the spec:

1. we would need to change "/md:record" to "//md:record"

2. we would need to specify what the identifier resource:xpath really
means:
i.e. does it mean the "//xacml-context:Request" node, or the

"//xacml-context:Request/xacml-context:Resource/xacml-context:ResourceContent"
node. Agree?

If so, then I suggest that we take it to mean the latter, which I think
is the intent of
section B.6 lines 5041-5046, which I believe is an identifier for a
namespace, which should
match the namespace of the child of the ResourceContent node. (ex. lines
1157[a233]-
1165[a240])

In fact, if we did that, i.e. specify that "resource:xpath" effectively
sets the
ResourceContextPath to
"//xacml-context:Request/xacml-context:Resource/xacml-context:ResourceContent",
then I think "/md:record" would be correct and we would not have to do
#1 above
to make the example correct. Agree?

Well, that's a lot of things to "Agree?" to, but hopefully it provides a
context
for addressing this issue.

Thanks,
Rich





Niko Matsakis wrote:
> Hello,
>
> I have some questions about the proper behavior of the various xpath
> functions, and the urn:oasis:names:tc:xacml:1.0:resource:xpath
> Resource attribute in particular.
>
> It seems to be used throughout the examples in the XACML 2.0 Core
> specification, but I don't find any text defining its proper values.
> The XACML 1.0 specification, on the other hand, includes the
> following: "This identifier indicates that the resource is specified
> by an XPath expression." However, I am not sure what that means. In
> fact, in XACML 1.0 the Attribute's value seems to be explicitly
> specified in the request context, but not in the XACML 2.0 spec, where
> it does not appear.
>
> In general, I am a bit confused about how xpath matching is supposed
> to work. The first example rule instance from the XACML 2.0
> specification, for example, tests that the node(s) matching
> urn:oasis:names:tc:xacml:1.0:resource:xpath are a subset of
> /md:record, but it's unclear to me in what context these xpath
> expressions are evaluated.
>
> It seems the /md:record is not intended to be evaluated in the request
> context, as that would yield an empty set. That means it is either
> evaluate with respect to the "ResourceContent", or perhaps to an
> external document? On the other hand, Appendix A.3.15 says that "the
> XPath epxressions in these functions are restrict to the XACML request
> context. The <xacml-context:Request> element is the context node for
> every XPath expresion," which would seem to mean that /md:record
> should yield an empty set after all (as the request context's root
> element is a <xacml-context:Request> element).
>
> Can anyone help clarify things for me, or point me to an explanation?
> Thank you very much!
>
> For reference, here is the XACML policy fragment that invokes
> xpath-match:
>
>> <ResourceMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:xpath-match">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">
>> /md:record
>> </AttributeValue>
>> <ResourceAttributeDesignator
>> AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> </ResourceMatch>
>
> The example request context is in section 4.2.2.
>
>
> Thanks in advance,
> Niko Matsakis
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xacml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: xacml-dev-help@lists.oasis-open.org
>

I think there is some confusion about the leading "//" and "/"
operators in xpath:

"//foo" searches the entire document for all <foo> elements
"/foo" only returns the outer-most element

Note that in xpath, the "root node" of the document is NOT the outer-
most element; instead, it is a fictitious node, of which all the "top
matter" of an XML document is considered a child. In other words:



<foo>
<bar/>
</foo>

would create an xpath tree like:

/
processing-instruction: pi
comment: "comment"
element: "foo"
element "bar"

The "/" indicates the root node. So, in an xpath expression, "/foo"
indicates all children of the root node which are elements named "foo".

The xpath *context* node is denoted by a ".", but this is typically
implicit. i.e., "foo" is short for "./foo" (which itself is short
for "./child::foo"). Likewise, ".//foo" selects all nodes underneath
the current node that are an element named "foo".

Note also that xpath expressions are not (typically, anyway) combined
by string concatenation, but instead by using relative paths as shown
above.

> First, let's assume the context node is xacml-context:Request as
> stated in sec A.3.15 lines
> 4907-4908. i.e. "//xacml-context:Request" - do you agree? (If not,
> please specify.)

No, I think the context node would be "/xacml-context:Request".
Actually, the two are mostly equivalent, unless you have a document
like:

<xacml-context:Request>
<xacml-context:Resource>
<xacml-context:ResourceContent>
<xacml-context:Request/> <-- a second Request element!

In this case, //xacml-context:Request, which selects all Request
elements in the document, would return a nodeset with 2 elements in
it, but only one is expected.

> Now, looking at the specific ResourceMatch fragment you cite below
> from section 4.2.4.1
> Rule 1 lines 1166[a241]-1174[a247], my interpretation is that
> argument 1 is "/md:record",
> which would translate to "//xacml-context:Request/md:record". Agree?

No. Using a node as the context for an xpath expression simply
indicates what nodeset is returned by ".". This affects relative
xpath expressions, like "md:record". The leading "/" in "/
md:record", similar to an absolute path in a file system, is always
relative to the root of the document, regardless of the context.

In my answers to the rest of your questions, I will assume that
instead of "/md:record" you had written "md:record".

> If so, then I agree that this would return an empty node-set, since
> what we want is:
> "//xacml-context:Request/xacml-context:Resource/xacml-
> context:ResourceContent/md:record"
> Agree?

Agreed. If the context-node were the Request, then we would need:

"/Request/Resource/ResourceContent/md:record" (xacml-context's omitted)

so the ResourceMatch from section 4.2.4.1 would need to be "xacml-
context:Resource/xacml-context:ResourceContent/md:record".

> If so, then if we were to change "/md:record" to "//md:record" then
> I think this would
> return what I suggested we want just above for arg 1. Agree?

Yes, although it might also return more.

> Now for arg 2, my assumption is that the resource:xpath, which we
> can probably
> assume is either the default context node "//xacml-context:Request" or
> "//xacml-context:Request/xacml-context:Resource/xacml-
> context:ResourceContent",
> either one of which is ancestor to //md:record, and thus would
> result in successful
> match. Agree?

Agreed, but (as explained above) it is not relevant whether or not
they are an ancestor to md:record. This is because the leading "//"
does not take into account the xpath context. However, to get the
meaning that you intended, you would need to do ".//md:record" (note
the leading ".").

> If we agree to here, then I think 2 things would be needed to
> correct this situation
> in the spec:
>
> 1. we would need to change "/md:record" to "//md:record"

Agreed, this does return the right result, although it entails a
search of the entire document.

> 2. we would need to specify what the identifier resource:xpath
> really means:
> i.e. does it mean the "//xacml-context:Request" node, or the
> "//xacml-context:Request/xacml-context:Resource/xacml-
> context:ResourceContent"
> node. Agree?

Agreed.

> If so, then I suggest that we take it to mean the latter, which I
> think is the intent of
> section B.6 lines 5041-5046, which I believe is an identifier for a
> namespace, which should
> match the namespace of the child of the ResourceContent node. (ex.
> lines 1157[a233]-
> 1165[a240])

So, resource:target-namespace clearly indicates the expected
namespace of the child of the ResourceContent node. Furthermore,
lines 5041-5046 make it clear that the XACML PDP MUST confirm that
this attribute is correct (* see below). However, there is nothing
in that text that indicates to me that the presence of this attribute
in the request affects the xpath context node.

In fact, if I think about it a bit more, it seems strange to me that
the *request* should be able to affect the context node for xpath
expressions. Even though xacml assumes that the requests are from a
trusted source, but it still seems like a recipe for confusion and
possible bugs in the policy.

For example, if an xpath expression were used in a policy which did
not anticipate the possible presence of a ResourceContent element, it
might accidentally return Permit or Fail for a request that did
include a ResourceContent element (and resource:target-namespace
attribute), because the xpath is now evaluated relative to the
ResourceContent instead of the Request element that the policy was
expecting.

> In fact, if we did that, i.e. specify that "resource:xpath"
> effectively sets the
> ResourceContextPath to "//xacml-context:Request/xacml-
> context:Resource/xacml-context:ResourceContent",
> then I think "/md:record" would be correct and we would not have to
> do #1 above
> to make the example correct. Agree?

Agreed except that, as explained above, "/md:record" is not correct.
However, a plain "md:record" would be.

I hope this e-mail is clear. In order not to confuse the discussion,
I am sending a separate e-mail with some questions regarding Resource
attributes that were raised as I read through the spec, preparing the
answers to this mail.



regards,

Niko Matsakis