Re: [xacml-dev] [basic question] PEP recognizing authorized user.

[Uday Subbarayan <uday.subbarayan@gmail.com>]

Bill Parducci wrote:

> Uday Subbarayan wrote:
>
>> Bill,
>>     Let me make it little bit clear.
>> [1] PEP maintains a session for 30 mins
>> [2] Let's say, a user (User-A) performs an action (Action-A) on a 
>> resource (WS-A).
>> [3] PEP intercepts this request and makes a XACML request to PDP. 
>> Let's say the the response back from PDP is 'permit'.
>> [4]After 10mins, User-A again perfoms Action-A on WS-A.
>> Here, I understood from your response that whether PEP again should 
>> make a request to PDP or cache the previous result is implementation 
>> based, right ?
>
>
> yes. the problem is that a PDP can only generate a deterministic 
> answer if given ALL inputs. PEP state information has many variables 
> that are not currently considered. for example, in your explanation 
> what is a 'session'? duration of IP connection? lifetime of 
> authentication assertion on subject? arbitrary time values? in other 
> words, the PEP has many local environment variables that must be 
> considered when you start down this path.
>
> now you can say that your PEP has a very clear idea of state and that 
> is fine. there is nothing that prevents you from optimizing your 
> implementation. the XACML specification is more limited. this means 
> that you can ask if 'X can access Y for 5 minutes,' but not make any 
> assumptions (via the specification) about X being able to access Y 
> multiple times with a single request. it not that an implementation 
> cannot do this, but that the specification does not account for it.
>
> does that make sense?

YES.

>
> b
>

-- 
*****************************************************************
 Uday Subbarayan           					
 I don't blog but e-write: http://uds-web.blogspot.com		
								
*****************************************************************