|Subject:||Re: [xacml] Separating request and content|
|From:||Anne Anderson (Anne...@sun.com)|
|Date:||Jul 19, 2006 12:01:00 pm|
I have added this as Issue#40 to the Issues list (http://wiki.oasis-open.org/xacml/IssuesList), and I suggest we discuss it along with Issue#3 (generalizing Attribute categories), to which it is related.
Daniel Engovatov wrote On 07/19/06 14:21,:
When looking at the request schema I could not find a good place for the existing ResourceContent context element. Adding schema restrictions for a particular context attribute category seems to be not a very elegant solution.In any case - existing way to provide an arbitrary XML context document inside an element of "any" type does not seem to be optimal.
What I want to suggest, and to discuss tomorrow:
1. Modify XACML processing model to allow a single arbitrary XML document to be submitted along with the Request in an implementation defined way. 2. Modify the AttributeSelectorType and add an optional "ContentURI" attribute, of type xs:anyURI with a default value of urn:oasis:names:tc:xacml:3.0:requesturn 3. This attribute will be used in the following way 1. It identifies document node for the path expression in AttributeSelector 2. Default value is the URI for the request document - default behavior would be exactly as it is now 3. If an additional document is present in the request this URI resolves to that document, so the path expression in the selector applies to it.
i. In this case you can not use the AttributeSelector to select individual attribute values, but that would be redundant to AttributeDesignator anyway. An alternative would be to have two reserved URI - for the request, and for the submitted document.
4. If any other URI is used in the policy, it should be resolved in an implementation dependent way. That may allow to use an AttributeSelector to extract values from different documents.
So the main point is to replace the existing ResourceContent with a separate document, and to allow AttributeSelector to identify document uri, with default behavior remaining the same it is now.
Could this be added to tomorrow's agenda?
_______________________________________________________________________ Notice: This email message, together with any attachments, may contain information of BEA Systems, Inc., its subsidiaries and affiliated entities, that may be confidential, proprietary, copyrighted and/or legally privileged, and is intended solely for the use of the individual or entity named in this message. If you are not the intended recipient, and have received this message in error, please immediately return this by email and then delete it.
-- Anne H. Anderson Email: Anne...@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692