Re: [xacml-dev] [basic question] PEP recognizing authorized user.

[Bill Parducci <bparducci@gluecode.com>]

Uday Subbarayan wrote:
> Bill,
>     Let me make it little bit clear.
> [1] PEP maintains a session for 30 mins
> [2] Let's say, a user (User-A) performs an action (Action-A) on a 
> resource (WS-A).
> [3] PEP intercepts this request and makes a XACML request to PDP. Let's 
> say the the response back from PDP is 'permit'.
> [4]After 10mins, User-A again perfoms Action-A on WS-A.
> Here, I understood from your response that whether PEP again should make 
> a request to PDP or cache the previous result is implementation based, 
> right ?

yes. the problem is that a PDP can only generate a deterministic answer 
if given ALL inputs. PEP state information has many variables that are 
not currently considered. for example, in your explanation what is a 
'session'? duration of IP connection? lifetime of authentication 
assertion on subject? arbitrary time values? in other words, the PEP has 
many local environment variables that must be considered when you start 
down this path.

now you can say that your PEP has a very clear idea of state and that is 
fine. there is nothing that prevents you from optimizing your 
implementation. the XACML specification is more limited. this means that 
you can ask if 'X can access Y for 5 minutes,' but not make any 
assumptions (via the specification) about X being able to access Y 
multiple times with a single request. it not that an implementation 
cannot do this, but that the specification does not account for it.

does that make sense?

b