Re: [xacml-dev] Multi-Message Exchange Examples

[MICHAEL MENDONCA <mikemen@shaw.ca>]

Hi Seth,

I am trying to use XACML together with OGC filter grammar. One of the use cases is "No two features of the same type must intersect". This is a data integrity constraint, but I am trying to see if it is possible to handle this use case via XACML. I am hoping to use OGC Filter grammar in an extension function. Is is possible to call another API in an extension function? In order to filter the data and find out if an inserted feature (which will be the resource), I need the geometric property of the feature and the corresponding geometry for that geometric property. 

Hence, when a request comes in, where  a feature has to be inserted I would need to do the following: 

 - Match it against the insert feature policy
 - Insert feature policy provdies the missing attributes (geometric property, geometry)
 - Context handler finds the geometric properties of the feature and includes it as part of the new request in the attribute: geometric property
 - Context handler resolves the geometry from the request and puts it in the attribute: geometry
 
Point is, if there are many geometric properties, then each geometric property has to match against a certain geometry. Eg - 

Geometric Property X: Geomerty X
Geometric Property Y: Geometry Y

I planned to have one attribute id - geomprop (Geometric Property) and many attribute values for that attribute. Then another attribute id - geom (Geometry) and many attribute values for that attribute and then match each attribute value of 
geomprop with geom. Is this possible?

Is there any other way to have a pair of attributes where one attribute id goes together with another attribute id? Is it wise to use data integrity constraints using XACML or should XACML be stricly used for access control?

Thanks in advance,
Michael


----- Original Message -----
From: Seth Proctor <Seth.Proctor@Sun.COM>
Date: Monday, October 25, 2004 11:54 am
Subject: Re: [xacml-dev] Multi-Message Exchange Examples

> 
> Hi Michael.
> 
> On Fri, 2004-10-15 at 01:35, MICHAEL MENDONCA wrote:
> > I need to be able to do a multi-message exchange between the PDP and
> > the PEP. Is there any example out there showing how this is 
> done? I know
> > that with the SAML profile for XACML you are able to do this and 
> I know
> > that this functionality already exists in XACML 2.0. It's just that
> > examples work much better for me to understand this!
> 
> I don't know of any examples. Like you say, there are facilities 
> in SAML
> and XACML 2.0 to do this, but since those are still working 
> through the
> standards process, I don't know if anyone has implemented support just
> yet. Therefore, not many examples. Are you looking for a specific
> scenario, or just a general example of how to use one of these new
> systems?
> 
> > I need to query the context handler from a policy for an 
> attribute based
> > on the request. After getting the attribute from the context 
> handler, I
> > need to use that attribute value in an attribute selector to 
> pull some
> > information out of the resource content. I want to know if this is
> > possible?
> 
> No, it is not. Your policy can certainly invoke the Context 
> Handler when
> it asks for an attribute value, and the Context Handler can use other
> attributes to resolve the required attribute (my SunXACML system
> provides this in its finder classes, and I'm sure other 
> implementationsalso provide something like this). You cannot, 
> however, use the value as
> part of your XPath query in an AttributeSelector. Sorry. To do this,
> you'll need to write a new function that takes as arguments the XPath
> expression and the value you want to include in the query.
> 
> 
> seth
> 
>