security-services message



Subject: authorization query refinement proposal

ACTION: Simon: write a concrete proposal that outlines the change to the
nature of the authorization query.

Sometimes we need to answer the following atzn query:
Can I get access to this resource and if yes, what are the values of related parameters?

To accomplish this I suggest extending the Actions element to contain ParameterizedAction elements
in addition to the currently defined Action elements.

Here is how the atzn query looks now:
<AuthorizationQuery Resource="tradingDesk">
        <Subject>...</Subject>
        <Actions Namespace="ns">
                <Action>sell</Action>
        </Actions>
        <Evidence>...</Evidence>
</AuthorizationQuery>

Here is how parameterized actions look in the request:
<Actions Namespace="ns">
        <ParameterizedAction>
                <Action>sell</Action>
                <Parameter ParameterName="stockSymbol" />
                <Parameter ParameterName="numberOfShares" />
        </ParameterizedAction>
</Actions>

Here is how parameterized actions look in the response:
<Actions Namespace="ns">
        <ParameterizedAction>
                <Action>sell</Action>
                <Parameter ParameterName="stockSymbol">
                        <ParameterValue>msft</ParameterValue>
                </Parameter>
                <Parameter ParameterName="numberOfShares">
                        <ParameterValue>72</ParameterValue>
                </Parameter>
        </ParameterizedAction>
</Actions>

We should be able to combine simple actions and parameterized actions in a single query-response.

Proposed Schema: (You will notice that the Parameter element resembles the already defined Attribute element. I think that the Attribute name in this context can lead to confusion.)

        <complexType name="ActionsType">
                <sequence>
                        <element ref="saml:Action" maxOccurs="unbounded"/>
                        <element ref="saml:ParameterizedAction" minOccurs="0" maxOccurs="unbounded"/>
                </sequence>
                <attribute name="Namespace" type="anyURI" use="optional"/>
        </complexType>

        <element name="ParameterizedAction" type="saml:ParameterizedActionType"/>

        <complexType name="ParameterizedActionType">
                <sequence>
                        <element ref="saml:Action"/>
                        <element ref="saml:Parameter"/>
                </sequence>
        </complexType>

        <element name="Parameter" type="saml:ParameterType"/>
        <complexType name="ParameterType">
                <sequence>
                        <element ref="saml:ParameterValue" minOccurs="0" maxOccurs="unbounded"/>
                </sequence>
                <attribute name="ParameterName" type="string"/>
        </complexType>

        <element name="ParameterValue" type="saml:ParameterValueType"/>
        <complexType name="ParameterValueType">
                <sequence>
                        <any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/>
                </sequence>
        </complexType>

Simon Godik
Crosslogix, inc
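
The request/response pairing proposed in the message above, as an added Python example (not part of the original message or of any SAML draft): the requester builds an Actions element with empty Parameter placeholders and accepts the response only if every returned action and parameter was actually asked for and every requested parameter comes back with a value. It assumes un-namespaced elements and text-only ParameterValue content, as in the message's examples; `build_actions` and `read_response` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

def build_actions(namespace, simple, parameterized):
    """Build a request <Actions>: simple actions plus parameterized ones."""
    actions = ET.Element("Actions", {"Namespace": namespace})
    for name in simple:
        ET.SubElement(actions, "Action").text = name
    for name, params in parameterized.items():
        pa = ET.SubElement(actions, "ParameterizedAction")
        ET.SubElement(pa, "Action").text = name
        for p in params:  # empty Parameter = "tell me the value"
            ET.SubElement(pa, "Parameter", {"ParameterName": p})
    return actions

def read_response(request, response_xml):
    """Return {action: {parameter: [values]}}, checked against the request."""
    asked = {pa.findtext("Action"):
             {p.get("ParameterName") for p in pa.findall("Parameter")}
             for pa in request.findall("ParameterizedAction")}
    response = ET.fromstring(response_xml)
    if response.get("Namespace") != request.get("Namespace"):
        raise ValueError("namespace mismatch")
    result = {}
    for pa in response.findall("ParameterizedAction"):
        action = pa.findtext("Action")
        if action not in asked:
            raise ValueError(f"unrequested action: {action!r}")
        values = {}
        for p in pa.findall("Parameter"):
            name = p.get("ParameterName")
            if name not in asked[action] or name in values:
                raise ValueError(f"unexpected parameter: {name!r}")
            values[name] = [v.text for v in p.findall("ParameterValue")]
        missing = sorted(n for n in asked[action] if not values.get(n))
        if missing:  # a placeholder echoed back empty is not an answer
            raise ValueError(f"no value returned for: {missing}")
        result[action] = values
    return result

# Constructed sample mirroring the response shown in the message.
SAMPLE_RESPONSE = """<Actions Namespace="ns"><ParameterizedAction>
  <Action>sell</Action>
  <Parameter ParameterName="stockSymbol"><ParameterValue>msft</ParameterValue></Parameter>
  <Parameter ParameterName="numberOfShares"><ParameterValue>72</ParameterValue></Parameter>
</ParameterizedAction></Actions>"""

REQUEST = build_actions("ns", [], {"sell": ["stockSymbol", "numberOfShares"]})
```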


