Subject: Re: [xacml-comment] Multiple Request Subject elements
On 16 December, Wes Kubo writes: [xacml-comment] Multiple Request Subject elements
> From reading the spec I'm unclear as to whether every Subject (if more than
> one is specified) in the request must have a match in the policy (Target or
> Rule/Target) for the Target to be applicable in terms of the Subject. It was
> my gut feeling that the answer is yes, but looking at test IIB028 would lead
> me to believe otherwise. It seems to me that this could lead to problems
> with security. Can anyone shed some light on this issue?

Short answer: there CAN be Subjects in a Request that do not have a match in the Target of an applicable policy.

Longer answer: A Request provides various bits of information about the context in which an authorization decision request is being made. A Policy states which information must be provided in order for an authorization decision to be made. If a particular Subject, or particular Attributes of a particular Subject, are required in order to render an authorization decision, then the Policy will include those. Otherwise, the Policy will not include them.

There are no problems with security because, if a particular Subject IS NOT relevant to the authorization decision, then the Policy WILL NOT reference that Subject. If a particular Subject IS relevant to the authorization decision, then the Policy WILL reference it.

As one way of explaining this, consider the typical state of affairs in any existing authorization decision system (for example, UNIX Access Control Lists). Such systems may depend on knowing the user's identity or the user's group memberships, but such systems don't even know how to express other Subjects involved in the Request, such as:

 o the application through which the request is being made,
 o the identity of the machine from which the request is being made,
 o the signers of the code in the application that generated the request,
 o etc.

XACML's ability to specify multiple Subjects allows a Policy to be more fine-grained, but does not eliminate any security that existed in previous systems.

Does this answer your question?

Anne Anderson

-- 
Anne H. Anderson               Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
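The matching behaviour the reply describes, as an added example that is not part of the thread and not code from any XACML implementation: a small Python model of how a Target's Subjects element is evaluated against a Request carrying more than one Subject. It assumes the XACML 1.0 rule that Subjects is a disjunction of Subject elements, each a conjunction of SubjectMatch elements, and that a SubjectMatch holds when its match function is true for at least one value in the bag its attribute designator selects. The category, subject-id and string-equal identifiers are real XACML 1.0 URIs; the role and code-signer attribute ids, the user name and the signer names are constructed for the example.

```python
"""Simplified model of XACML 1.0 <Target>/<Subjects> matching (added example)."""
from dataclasses import dataclass, field

# Real XACML 1.0 identifiers.
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CODEBASE = "urn:oasis:names:tc:xacml:1.0:subject-category:codebase"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed attribute ids for this example (not from the specification).
ROLE = "urn:example:role"
CODE_SIGNER = "urn:example:code-signer"

MATCH_FUNCTIONS = {
    STRING_EQUAL: lambda policy_value, request_value: policy_value == request_value,
}


@dataclass
class RequestSubject:
    """One <Subject> of a Request: its SubjectCategory plus attribute bags."""
    category: str
    attributes: dict = field(default_factory=dict)  # attribute-id -> list of values


@dataclass
class SubjectMatch:
    """One <SubjectMatch>: designator (category, attribute id), literal, function."""
    category: str
    attribute_id: str
    value: str
    match_id: str = STRING_EQUAL


def designator_bag(request_subjects, category, attribute_id):
    """SubjectAttributeDesignator: the bag of values of attribute_id over all
    request Subjects of the given category (empty if none carry it)."""
    bag = []
    for subject in request_subjects:
        if subject.category == category:
            bag.extend(subject.attributes.get(attribute_id, []))
    return bag


def subject_match(request_subjects, match):
    """True if the match function holds for any value in the selected bag.
    An empty bag (attribute absent) simply fails to match in this model; a
    real PDP may return Indeterminate instead when MustBePresent is set."""
    fn = MATCH_FUNCTIONS[match.match_id]
    bag = designator_bag(request_subjects, match.category, match.attribute_id)
    return any(fn(match.value, v) for v in bag)


def subjects_target_matches(request_subjects, target_subjects):
    """target_subjects: list of alternatives (<Subject> elements, disjunctive),
    each a list of SubjectMatch (conjunctive). An empty list stands for
    <AnySubject/>: the Target places no constraint on subjects at all.
    Request Subjects that no SubjectMatch refers to never affect the result."""
    if not target_subjects:
        return True
    return any(all(subject_match(request_subjects, m) for m in alt)
               for alt in target_subjects)


# Constructed request: a user plus the code acting on that user's behalf.
REQUEST = [
    RequestSubject(ACCESS_SUBJECT, {SUBJECT_ID: ["alice@example.com"], ROLE: ["doctor"]}),
    RequestSubject(CODEBASE, {CODE_SIGNER: ["Example Corp"]}),
]

# Policy 1 only cares about the user's role; the codebase Subject is irrelevant to it.
ROLE_ONLY_TARGET = [[SubjectMatch(ACCESS_SUBJECT, ROLE, "doctor")]]

# Policy 2 also requires the requesting code to be signed by a specific party.
ROLE_AND_SIGNER_TARGET = [[SubjectMatch(ACCESS_SUBJECT, ROLE, "doctor"),
                           SubjectMatch(CODEBASE, CODE_SIGNER, "Example Corp")]]

# Policy 3 requires a signer the request does not present.
ROLE_AND_OTHER_SIGNER_TARGET = [[SubjectMatch(ACCESS_SUBJECT, ROLE, "doctor"),
                                 SubjectMatch(CODEBASE, CODE_SIGNER, "Other Corp")]]


if __name__ == "__main__":
    for name, target in [("role only", ROLE_ONLY_TARGET),
                         ("role + signer", ROLE_AND_SIGNER_TARGET),
                         ("role + other signer", ROLE_AND_OTHER_SIGNER_TARGET)]:
        print(f"{name}: applicable = {subjects_target_matches(REQUEST, target)}")
```

Running the block shows the point of the reply: the role-only Target is applicable even though the Request carries a codebase Subject it never mentions, while a Target that does reference the codebase Subject constrains it (applicable for the matching signer, not applicable for the other one). The extra Subject is ignored only by policies that chose not to reference it.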