OASIS Mailing List Archives

xacml-comment message



Subject: Re: [xacml-comment] When to obtain attributes from the PIP.


On 18 December, Wes Kubo writes: [xacml-comment] When to obtain attributes from the PIP.
 > First off, thanks for all the help that I've received on this list.
 > 
 > On to my question-> In our implementation we're finding it necessary to
 > obtain attributes about the Subject and hence are going to implement a PIP.
 > I'm having some trouble trying to figure out at which point the attributes
 > need to be obtained. I see that this was covered briefly
 > http://lists.oasis-open.org/archives/xacml/200210/msg00035.html and
 > http://lists.oasis-open.org/archives/xacml/200210/msg00035.html but possibly
 > never resolved.  I noticed that Anne proposed a section 7.x Request Context
 > but this doesn't seem to have been included in the spec. It boils down to
 > this: at which point is the PDP required to request additional/missing
 > attributes from the PIP? Are they obtained before the policy is evaluated or
 > as I believe, when required during function evaluation?

The XACML Specification deliberately does not specify when the
attributes are obtained, since different implementations may
follow different strategies.

1. An implementation MAY pre-scan a Policy for all Attributes
   that are referenced, compare that list to the list of
   Attributes supplied in the Request, and then attempt to obtain
   any possibly needed Attributes from external sources prior to
   evaluating the Policy.

   If an implementation does this, however, failure or errors in
   obtaining an Attribute MUST NOT affect the Decision that is
   returned from the Policy UNLESS the Attribute is actually
   required during the evaluation process.

   This implementation strategy is not very efficient, since not
   all Attributes will necessarily be referenced in evaluating a
   given Policy, and obtaining unnecessary Attributes may be
   expensive.

   Example: "or (attr1=val1, attr2=val2, attr3=val3)" will not
   require values for attr2 or attr3 if attr1 is found and
   matches val1, or if obtaining attr1 resulted in Indeterminate.

2. An implementation MAY wait until an Attribute is referenced
   during evaluation before attempting to obtain a value for that
   Attribute.

Anne Anderson
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
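
Added example, not part of the original message and not code from the XACML specification or any PDP implementation: a minimal Python sketch of the two retrieval strategies described in the reply, with a pre-fetch error deferred until the attribute is actually referenced. All names (`Pip`, `LazyContext`, `PrefetchContext`, `eval_or`) and the sample attribute values are constructed for illustration, and the "or" semantics follow the example in the message.

```python
# Added illustration; every name and value here is hypothetical.
class Indeterminate(Exception):
    """Raised when a needed attribute cannot be obtained."""

class Pip:
    """Constructed attribute source; an Exception value simulates a failed lookup."""
    def __init__(self, store):
        self.store, self.calls = store, []
    def fetch(self, name):
        self.calls.append(name)          # record which lookups were really made
        value = self.store.get(name)
        if value is None or isinstance(value, Exception):
            raise Indeterminate(name)
        return value

class LazyContext:
    """Strategy 2: ask the PIP only when evaluation references an attribute."""
    def __init__(self, request, pip):
        self.request, self.pip = dict(request), pip
    def get(self, name):
        if name not in self.request:
            self.request[name] = self.pip.fetch(name)
        return self.request[name]

class PrefetchContext:
    """Strategy 1: pre-fetch every referenced attribute, but defer failures."""
    def __init__(self, request, pip, referenced):
        self.values, self.errors = dict(request), {}
        for name in referenced:
            if name not in self.values:
                try:
                    self.values[name] = pip.fetch(name)
                except Indeterminate as exc:
                    self.errors[name] = exc   # remembered, not yet acted on
    def get(self, name):
        if name in self.errors:
            raise self.errors[name]           # surfaces only if actually required
        return self.values[name]

def eval_or(ctx, terms):
    """or(attr=val, ...): stop at the first match; a failed lookup is Indeterminate."""
    try:
        for name, expected in terms:
            if ctx.get(name) == expected:
                return "True"
    except Indeterminate:
        return "Indeterminate"
    return "False"
```

With a request that already carries a matching `attr1`, both contexts return the same result even when the PIP cannot supply `attr3`; the only difference is how many PIP lookups were made.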


