[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-dev] Handling NotApplicable
> -----Original Message----- > From: Seth Proctor [mailto:seth.proctor@sun.com] > Sent: Monday, October 04, 2004 5:33 PM > To: Kuketayev, Argyn > Cc: xacml-dev@lists.oasis-open.org > Subject: Re: [xacml-dev] Handling NotApplicable [skip] > 1. The PDP you queried doesn't have a policy covering the request, but > there are multiple PDPs that can be queried Since, I was planning to have just one PDP, I didn't think of this possibility. [skip] > Basically, in most scenarios, I think it's reasonable to > assume that Deny and NotApplicable are basically the same to > the application logic. The main difference is usually in the > meta-data (eg, logging). For your application, it sounds like > you don't want to expose NotApplicable to the application, > and I think that's ok. > > Right, I don't want to expose NotApplicable to application components. In fact, I don't want them to know anything about XACML. The only thing they should care is if the action is authorized. My AuthorizationException is RuntimeException, i.e. it doesn't have to be declared. I'm not totally sure about this yet, but that's the way it is now. I think that my system should have policies for everything, and there's just one PDP at this moment. Therefore, NotApplicable is not a good thing, and logs an alerts for me to know that it happened. Thanks, Argyn
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]