In this paper we present query-filtering techniques based on bottom-up tree automata for XML access control. In our authorization model (RXACL), RDF statements are used to represent security objects and to express the security policy. Our model allows access control to be expressed and enforced on XML trees and their associations. We propose a query-filtering technique that evaluates XML queries to detect disclosure of association-level security objects. A query Q discloses a security object o iff the (tree) automaton corresponding to o accepts Q. We show that our schema-level method detects all possible disclosures, i.e., it is complete.
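The acceptance test stated above, shown in Python as an added example; this is not the paper's construction, which this page does not give. The `patient`/`name`/`diagnosis` labels, the query trees, and the assumption that each `patient` node in a query tree denotes a distinct patient are all constructed for the illustration.

```python
# Added illustration: a simplified deterministic bottom-up tree automaton
# for one association-level security object (not RXACL's own construction).
from typing import NamedTuple, Tuple

class Node(NamedTuple):
    label: str
    children: Tuple["Node", ...] = ()

# Hypothetical security object o: the association of a patient's name
# with that same patient's diagnosis.
SCOPE = "patient"
PARTS = frozenset({"name", "diagnosis"})

ACCEPT = "accept"  # the only accepting state
# Every other state is the frozenset of PARTS seen so far in the subtree.

def delta(label, child_states):
    """Transition: (node label, set of child states) -> state."""
    if ACCEPT in child_states:
        return ACCEPT                       # acceptance propagates to the root
    seen = frozenset().union(*child_states)
    if label in PARTS:
        seen = seen | {label}
    if label == SCOPE:
        # Both parts under one scope node: the association is disclosed.
        # Otherwise reset, so parts of different patients never combine.
        return ACCEPT if seen == PARTS else frozenset()
    return seen

def run(node):
    """Evaluate the automaton bottom-up and return the state at `node`."""
    return delta(node.label, {run(c) for c in node.children})

def discloses(query):
    """Q discloses o iff the automaton for o accepts Q."""
    return run(query) == ACCEPT

# Constructed query trees (assumed shapes, for illustration only).
Q_SAME = Node("hospital", (Node("patient", (Node("name"), Node("diagnosis"))),))
Q_NAME_ONLY = Node("hospital", (Node("patient", (Node("name"),)),))
Q_SPLIT = Node("hospital", (Node("patient", (Node("name"),)),
                            Node("patient", (Node("diagnosis"),))))
Q_NESTED = Node("patient", (Node("record", (Node("diagnosis"),)), Node("name")))

if __name__ == "__main__":
    for q in (Q_SAME, Q_NAME_ONLY, Q_SPLIT, Q_NESTED):
        print(q.label, discloses(q))
```

A filter built this way rejects or rewrites a query before evaluation whenever `discloses` returns true for any protected security object.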