2010/9/29 Daniel-Constantin Mierla <miconda(a)gmail.com>om>:
i understand
that oma resource lists stored in xcap server can contain
references to external lists stored somewhere else. xcap server should
thus be able to follow those references, not just store xml docs.
to understand that xcap server has to fetch the RL from other servers?
Yes, it could.
IMO,
this might be a security issue
IMHO in XCAP all is a security issue. pres-rules and resource-lists
document contain absolute HTTP uris refering ot other documents of
subnodes in other documents (in same or different XCAP server). If you
decide (the provider) to change the domain or migrate from HTTP to
HTTPS, then all the documents get corrupted.
Anyhow, might be different that thought, since maybe
you refer to RLS
implementation and not xcap server:
http://kamailio.org/docs/modules/stable/modules_k/rls.html
As I said, in OMA specs pres-rules contains absolute HTTP links to
<list> elements in resource-lists document. Here is a OMA pres-rules
document (extracted from
OMA-WP-PRS_1_1_Implementation_Guidelines-20081209-A.pdf):
<?xml version="1.0" encoding="UTF-8"?>
<cr:ruleset
xmlns:ocp="urn:oma:xml:xdm:common-policy"
xmlns:pr="urn:ietf:params:xml:ns:pres-rules"
xmlns:cr="urn:ietf:params:xml:ns:common-policy">
<!-- This rule describes that the Presentity has access to her/his own
Presence Information -->
<cr:rule id="wp_prs_allow_own">
<cr:conditions>
<cr:identity>
<cr:one id="sip:joe@example.com"/>
</cr:identity>
</cr:conditions>
<cr:actions>
<pr:sub-handling>allow</pr:sub-handling>
</cr:actions>
<cr:transformations>
<pr:provide-services>
<pr:all-services/>
</pr:provide-services>
<pr:provide-persons>
<pr:all-persons/>
</pr:provide-persons>
<pr:provide-devices>
<pr:all-devices/>
</pr:provide-devices>
<pr:provide-all-attributes/>
</cr:transformations>
</cr:rule>
<!-- This rule describes how an anonymous Watcher’s request shall be handled -->
<cr:rule id="wp_prs_block_anonymous">
<cr:conditions>
<ocp:anonymous-request/>
</cr:conditions>
<cr:actions>
<pr:sub-handling>block</pr:sub-handling>
</cr:actions>
</cr:rule>
<!-- This rule describes that a request from a Watcher not listed in
any other rule is to be
confirmed. -->
<cr:rule id="wp_prs_unlisted">
<cr:conditions>
<ocp:other-identity/>
</cr:conditions>
<cr:actions>
<pr:sub-handling>confirm </pr:sub-handling>
</cr:actions>
</cr:rule>
<!-- This rule describes that a Watcher is granted access to all
Presence Information if its user
URI is included in the “oma_grantedcontacts” URI List in Shared XDMS-->
<cr:rule id="wp_prs_grantedcontacts">
<cr:conditions>
<ocp:external-list>
<ocp:entry
anc="http://xcap.example.org/resource-lists/users/
sip:joe@example.org/index/~~/resource-lists/list%5B@name=%22oma_grantedcontacts%22%5D"/>
</ocp:external-list>
</cr:conditions>
<cr:actions>
<pr:sub-handling>allow</pr:sub-handling>
</cr:actions>
<cr:transformations>
<pr:provide-services>
<pr:all-services/>
</pr:provide-services>
<pr:provide-persons>
<pr:all-persons/>
</pr:provide-persons>
<pr:provide-devices>
<pr:all-devices/>
</pr:provide-devices>
<pr:provide-all-attributes/>
</cr:transformations>
</cr:rule>
<!-- This rule describes that a Watcher is blocked from accessing all
Presence Information if its
user URI is included in the oma_blockedcontacts list. -->
<cr:rule id="wp_prs_blockedcontacts">
<cr:conditions>
<ocp:external-list>
<ocp:entry
anc="http://xcap.example.org/resource-lists/users/
sip:joe@example.org/index/~~/resource-lists/list%5B@name=%22oma_blockedcontacts%22%5D"/>
</ocp:external-list>
</cr:conditions>
<cr:actions>
<pr:sub-handling>block </pr:sub-handling>
</cr:actions>
</cr:rule>
<!--This rule describes that a single user is granted access to a
certain set of Presence
Information -->
<cr:rule id="wp_prs_allow_one_1">
<cr:conditions>
<cr:identity>
<cr:one id="sip:bob@example.com "/>
</cr:identity>
</cr:conditions>
<cr:actions>
<pr:sub-handling>allow</pr:sub-handling>
</cr:actions>
<cr:transformations>
<pr:provide-persons>
<pr:all-persons/>
</pr:provide-persons>
<pr:provide-activities>true</pr:provide-activities>
</cr:transformations>
</cr:rule>
<!--This rule describes that users on a single list in Shared XDMS is
granted access to a certain
set of Presence Information. -->
<cr:rule id="wp_prs_allow_onelist_1">
<cr:conditions>
<ocp:external-list>
<ocp:entry
anc="http://xcap.example.org/resource-lists/users/
sip:joe@example.org/index/~~/resource-lists/list% 5B@name=% 22list-e% 22% 5D"/>
</ocp:external-list>
</cr:conditions>
<cr:actions>
<pr:sub-handling>allow</pr:sub-handling>
</cr:actions>
<cr:transformations>
<pr:provide-persons>
<pr:all-persons/>
</pr:provide-persons>
<pr:provide-status-icon>true</pr:provide-status-icon>
</cr:transformations>
</cr:rule>
<!--This rule describes that a single user is ‘polite-block’ed from
accessing any Presence
Information. -->
<cr:rule id="wp_prs_one_1">
<cr:conditions>
<cr:identity>
<cr:one id="sip:jason@example.com"/>
</cr:identity>
</cr:conditions>
<cr:actions>
<pr:sub-handling>polite-block</pr:sub-handling>
</cr:actions>
<cr:transformations/>
</cr:rule>
<!--This rule describes that users on a single list in Shared XDMS is
‘polite-block’ed from
accessing any Presence Information. -->
<cr:rule id="wp_prs_onelist_1">
<cr:conditions>
<ocp:external-list>
<ocp:entry
anc="http://xcap.example.org/resource-lists/users/
sip:joe@example.org/index/~~/resource-lists/list%5B@name=%22list-c%22%5D"/>
</ocp:external-list>
</cr:conditions>
<cr:actions>
<pr:sub-handling>polite-block</pr:sub-handling>
</cr:actions>
<cr:transformations/>
</cr:rule>
</cr:ruleset>
On another hand, pres-rules is about the rules to
allow watchers and
manipulate presence information. But maybe in oma this document can have
external references as well.
Yes it has.
--
Iñaki Baz Castillo
<ibc(a)aliax.net>