Hi,
I've a few comments/questions regarding XACML. If this is the
wrong mailing list, let me know.
- Most XACML implementations that I saw integrated the
PIPs into the PDP. I think that is not a good solution, but the
devs had no choice:
On the one hand, the meaning of the context handler isn't really
described as being as important as I guess it is. On the other hand, there
is no XML/JSON specification for how to request a PIP. So when PDP
and PEP/context handler are on two machines, then the PIP has to
be on the PDP machine and cannot be on a third machine (e.g.
as a microservice).
Why is there no detailed PIP definition?
- It's not really clearly defined what the recommended way to
retrieve missing attributes in XACML is. PIPs or Response Status
Detail?
- I think it would be useful if an AttributeDesignator had an
optional "expression" and "expressionType" attribute, so PIPs
could use them for SQL queries or Spring Expression Language
etc.
- Why are VariableDefinitions only for policies and not
policySets?
Thank you and best regards
Benedict