Add some mechanism to use XACML Variables in XPath expressions

[cdanger]

This would allow to use XACML variables as inputs to any XPath function / expression, which would provider simpler alternatives to certain complex ApplyExpressions.

For example, say we declare a variable classif_name:

<VariableDefinition VariableId="classif_name>...</VariableDefinition>

Then we want to use it in a XPath expression as follows:

<AttributeSelector Path="if ($classif_name = 'SECRET') then 3 else if ($classif_name = 'CONFIDENTIAL') then 2 else if ($classif_name = 'RESTRICTED ') then 1 else 0" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true" />

The idea is to use the same variable ID in the XPath expression as the VariableDefinition.

[steven-legg]

Can we simply say that all the variables in scope of the attribute selector with names that are valid for XPath variable names, and have a compatible data-type, are available to reference in the XPath expression?

[cdanger]

Yeah, we can say that.