OASIS eXtensible Access Control Markup Language (XACML) TC

While proofreading the latest working draft of the Entities Profile I noticed a gap in the description of the <AttributeSelector> element in the XACML core specification that is also a gap, by inheritance, in the description of the attribute-selector function in the Entities Profile. The core specification doesn't detail what the response of evaluating the <AttributeSelector> should be when either an <Attributes> element specified by the Category XML attribute doesn't exist in the request context, or such an <Attributes> element does exist but it doesn't have a <Content> child element (it being optional). Section 7.3.7, which describes attribute selector evaluation, assumes both are present as a starting point. The description of the <AttributeDesignator> element says to consider the MustBePresent XML attribute if no matching attribute is found, but the description of the <AttributeSelector> element doesn't have anything similar. Its definition of the MustBePresent XML attribute only says what to do "in the event the XPath expression selects no node". If the <Attributes> or <Content> element are absent we don't get as far as evaluating the XPath expression. Section 7.3.7 talks about constructing a stand-alone XML document from the contents of the <Content> element. We can't simply assume an empty element if it isn't actually present because the <Content> element must have a child and an XML document must have a root element. Without a valid XML document there is no context node to which to apply the XPath expression. Consistency with attribute designators would suggest deferring to the MustBePresent setting when an attribute selector doesn't find the <Attributes> element or the <Content> element (FWIW, this is what the ViewDS PDP does). Note that Section 7.3.5 says "If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an “Indeterminate” result". The statement is bogus in the case of an attribute selector because it isn't an attribute that is missing. Whether it really meant an empty node set or something more is open to interpretation. If we can get consensus on a solution I can update the Entities Profile accordingly and we can add the equivalent to the errata for the core. Regards, Steven

For me the sensible thing is to return either empty bag or Indeterminate, based on the MustBePresent setting. Best regards, Erik On 2015-06-12 03:33, Steven Legg wrote: While proofreading the latest working draft of the Entities Profile I noticed a gap in the description of the <AttributeSelector> element in the XACML core specification that is also a gap, by inheritance, in the description of the attribute-selector function in the Entities Profile. The core specification doesn't detail what the response of evaluating the <AttributeSelector> should be when either an <Attributes> element specified by the Category XML attribute doesn't exist in the request context, or such an <Attributes> element does exist but it doesn't have a <Content> child element (it being optional). Section 7.3.7, which describes attribute selector evaluation, assumes both are present as a starting point. The description of the <AttributeDesignator> element says to consider the MustBePresent XML attribute if no matching attribute is found, but the description of the <AttributeSelector> element doesn't have anything similar. Its definition of the MustBePresent XML attribute only says what to do "in the event the XPath expression selects no node". If the <Attributes> or <Content> element are absent we don't get as far as evaluating the XPath expression. Section 7.3.7 talks about constructing a stand-alone XML document from the contents of the <Content> element. We can't simply assume an empty element if it isn't actually present because the <Content> element must have a child and an XML document must have a root element. Without a valid XML document there is no context node to which to apply the XPath expression. Consistency with attribute designators would suggest deferring to the MustBePresent setting when an attribute selector doesn't find the <Attributes> element or the <Content> element (FWIW, this is what the ViewDS PDP does). Note that Section 7.3.5 says "If the attribute is missing, then MustBePresent governs whether the attribute designator or attribute selector returns an empty bag or an “Indeterminate” result". The statement is bogus in the case of an attribute selector because it isn't an attribute that is missing. Whether it really meant an empty node set or something more is open to interpretation. If we can get consensus on a solution I can update the Entities Profile accordingly and we can add the equivalent to the errata for the core. Regards, Steven --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

+1 >
Original Message----- > From: xacml@lists.oasis-open.org [ mailto:xacml@lists.oasis-open.org ] On Behalf Of Erik Rissanen > Sent: Friday, June 12, 2015 9:44 AM > To: xacml@lists.oasis-open.org > Subject: Re: [xacml] Attribute selector result when there is no category or content element > > For me the sensible thing is to return either empty bag or Indeterminate, based on the MustBePresent setting. > > Best regards, > Erik > > On 2015-06-12 03:33, Steven Legg wrote: > > > > While proofreading the latest working draft of the Entities Profile I > > noticed a gap in the description of the <AttributeSelector> element in > > the XACML core specification that is also a gap, by inheritance, in > > the description of the attribute-selector function in the Entities > > Profile. > > > > The core specification doesn't detail what the response of evaluating > > the <AttributeSelector> should be when either an <Attributes> element > > specified by the Category XML attribute doesn't exist in the request > > context, or such an <Attributes> element does exist but it doesn't > > have a <Content> child element (it being optional). Section 7.3.7, > > which describes attribute selector evaluation, assumes both are > > present as a starting point. > > > > The description of the <AttributeDesignator> element says to consider > > the MustBePresent XML attribute if no matching attribute is found, but > > the description of the <AttributeSelector> element doesn't have > > anything similar. Its definition of the MustBePresent XML attribute > > only says what to do "in the event the XPath expression selects no > > node". If the <Attributes> or <Content> element are absent we don't > > get as far as evaluating the XPath expression. Section 7.3.7 talks > > about constructing a stand-alone XML document from the contents of the > > <Content> element. We can't simply assume an empty element if it isn't > > actually present because the <Content> element must have a child and > > an XML document must have a root element. Without a valid XML document > > there is no context node to which to apply the XPath expression. > > > > Consistency with attribute designators would suggest deferring to the > > MustBePresent setting when an attribute selector doesn't find the > > <Attributes> element or the <Content> element (FWIW, this is what the > > ViewDS PDP does). > > Note that Section 7.3.5 says "If the attribute is missing, then > > MustBePresent governs whether the attribute designator or attribute > > selector returns an empty bag or an “Indeterminate” result". The > > statement is bogus in the case of an attribute selector because it > > isn't an attribute that is missing. > > Whether it really meant an empty node set or something more is open to > > interpretation. > > > > If we can get consensus on a solution I can update the Entities > > Profile accordingly and we can add the equivalent to the errata for the core. > > > > Regards, > > Steven > > > > --------------------------------------------------------------------- > > To unsubscribe from this mail list, you must leave the OASIS TC that > > generates this mail. Follow this link to all your TCs in OASIS at: > > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in > OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

+1 >
Original Message----- > From: Erik Rissanen [ mailto:erik@axiomatics.com ] > Sent: Friday, June 12, 2015 3:44 AM > To: xacml@lists.oasis-open.org > Subject: Re: [xacml] Attribute selector result when there is no > category or content element > > For me the sensible thing is to return either empty bag or > Indeterminate, based on the MustBePresent setting. > > Best regards, > Erik > > On 2015-06-12 03:33, Steven Legg wrote: > > > > While proofreading the latest working draft of the Entities Profile I > > noticed a gap in the description of the <AttributeSelector> element > in > > the XACML core specification that is also a gap, by inheritance, in > > the description of the attribute-selector function in the Entities > > Profile. > > > > The core specification doesn't detail what the response of evaluating > > the <AttributeSelector> should be when either an <Attributes> element > > specified by the Category XML attribute doesn't exist in the request > > context, or such an <Attributes> element does exist but it doesn't > > have a <Content> child element (it being optional). Section 7.3.7, > > which describes attribute selector evaluation, assumes both are > > present as a starting point. > > > > The description of the <AttributeDesignator> element says to consider > > the MustBePresent XML attribute if no matching attribute is found, > but > > the description of the <AttributeSelector> element doesn't have > > anything similar. Its definition of the MustBePresent XML attribute > > only says what to do "in the event the XPath expression selects no > > node". If the <Attributes> or <Content> element are absent we don't > > get as far as evaluating the XPath expression. Section 7.3.7 talks > > about constructing a stand-alone XML document from the contents of > the > > <Content> element. We can't simply assume an empty element if it > isn't > > actually present because the <Content> element must have a child and > > an XML document must have a root element. Without a valid XML > document > > there is no context node to which to apply the XPath expression. > > > > Consistency with attribute designators would suggest deferring to the > > MustBePresent setting when an attribute selector doesn't find the > > <Attributes> element or the <Content> element (FWIW, this is what the > > ViewDS PDP does). > > Note that Section 7.3.5 says "If the attribute is missing, then > > MustBePresent governs whether the attribute designator or attribute > > selector returns an empty bag or an “Indeterminate” result". The > > statement is bogus in the case of an attribute selector because it > > isn't an attribute that is missing. > > Whether it really meant an empty node set or something more is open > to > > interpretation. > > > > If we can get consensus on a solution I can update the Entities > > Profile accordingly and we can add the equivalent to the errata for > the core. > > > > Regards, > > Steven > > > > --------------------------------------------------------------------- > > To unsubscribe from this mail list, you must leave the OASIS TC that > > generates this mail. Follow this link to all your TCs in OASIS at: > > https://www.oasis- > open.org/apps/org/workgroup/portal/my_workgroups.php > > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >