Subject: Re: [xacml-users] Obligations: How can they be used?
Hi Michael.

On Thu, 2004-10-28 at 08:18, XACML@arctis wrote:
> When experimenting with SUN's implementation, I have problems getting the
> basic idea of the structure of an obligation. The XACML1.0 standard does not
> tell very much about this, and I found (at least no positive) answers in the
> mailing lists.

FYI, there is a discussion list specific to the SunXACML implementation, though I think you probably found it given your comment about mailing lists. I know this is a general question, but I wanted to let you know about the project-specific list, in case you hadn't found it yet.

> 1st:
> I expected that an obligation can carry any internal structure like
>
> <Obligation ObligationId="TESTPERMIT1" FulfillOn="Permit">
> <enyryptFor>C=A, O=arctis, OU=R&D, CN=Michael Breu</enyryptFor>
> </Obligation>
>
> However I see no way to express something like this, unless I encode it with
> fairly complex AttributeAssignments. Is this right?

An Obligation consists of AttributeAssignments, that's correct. But AttributeAssignments are just AttributeValues, so there's nothing too complex about that. You can put anything you like in an AttributeValue. The reason for this structure is to provide "parameters" in an Obligation.

> 2nd: Is there any way to make obligations dynamic? E.g. bringing in data
> from the target or the resource?
>
> I would like to express something like: "The response for the web service
> call must be encrypted for the person that sent the call"
>
> e.g.
> <Obligation ObligationId="TESTPERMIT2" FulfillOn="Permit">
> <AttributeAssignment AttributeId="EncryptObligation"
> DataType="http://www.w3.org/2001/XMLSchema#anyURI">
> <SubjectAttributeDesignator
> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
> </AttributeAssignment>
> </Obligation>
>
> Any ideas how to express this in a XACML policy?

There are two issues. The first is where these values get resolved, and the second is the datatype.

To the first point, the XACML spec is explicit that the PDP may not operate on the contents of an Obligation. So, you can write something like you've got here, but it's the PEP (or some other entity) that does the resolution. In other words, this is not part of what the PDP does, so don't expect the Designator to get resolved for you :)

To the second point, an AttributeAssignment is an AttributeValue. As such, its contents must be legal for the given datatype. What you've got above lists the datatype as a URI, but the contents of the Assignment are not a URI. You either need to make this a string, and escape all the tags so it doesn't look like complex content, or you need to come up with some other datatype to support your content.

seth
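As an added example (not from this thread and not SunXACML code), the PEP-side handling the reply describes: the PEP checks that each AttributeAssignment's content is legal for its declared DataType, discharges only obligations whose FulfillOn matches the decision, and resolves the "encrypt for the caller" parameter itself from the request's subject attributes, since the PDP will not. The Response XML is a constructed, namespace-stripped sample, and the convention that an anyURI value names a request attribute to copy in is an assumption of this example, not something XACML defines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, namespace prefixes omitted. BAD mirrors the thread's
# obligation: DataType says anyURI but the content is an element. GOOD keeps the
# datatype honest: the value is the URI of the request attribute to copy in.
BAD = """<Response><Result><Decision>Permit</Decision><Obligations>
<Obligation ObligationId="TESTPERMIT2" FulfillOn="Permit">
 <AttributeAssignment AttributeId="EncryptObligation"
   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
  <SubjectAttributeDesignator DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
 </AttributeAssignment></Obligation></Obligations></Result></Response>"""
GOOD = """<Response><Result><Decision>Permit</Decision><Obligations>
<Obligation ObligationId="TESTPERMIT2" FulfillOn="Permit">
 <AttributeAssignment AttributeId="EncryptObligation" DataType="http://www.w3.org/2001/XMLSchema#anyURI"
 >urn:oasis:names:tc:xacml:1.0:subject:subject-id</AttributeAssignment>
</Obligation></Obligations></Result></Response>"""

def assignment_problems(response_xml):
    """(obligation id, attribute id, why) for content illegal for its datatype."""
    found = []
    for ob in ET.fromstring(response_xml).iter("Obligation"):
        for aa in ob.findall("AttributeAssignment"):
            dt, text = aa.get("DataType", ""), (aa.text or "").strip()
            # child elements are never a simple-type value; only anyURI is checked here
            if len(aa) or (dt.endswith("#anyURI") and not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*:\S+", text)):
                found.append((ob.get("ObligationId"), aa.get("AttributeId"),
                              "not a legal %s value" % dt.rsplit("#", 1)[-1]))
    return found

def resolve_obligations(response_xml, subject_attrs):
    """Obligations the PEP must discharge for this decision; designator-like values
    are resolved here, by the PEP, from request attributes it holds (the PDP never does)."""
    if assignment_problems(response_xml):
        raise ValueError("cannot fulfil: %r" % assignment_problems(response_xml))  # PEP must deny
    root = ET.fromstring(response_xml)
    decision = root.findtext("./Result/Decision")
    todo = {}
    for ob in root.iter("Obligation"):
        if ob.get("FulfillOn") != decision:
            continue  # e.g. a FulfillOn="Deny" obligation after a Permit
        params = {}
        for aa in ob.findall("AttributeAssignment"):
            value = (aa.text or "").strip()
            if aa.get("DataType", "").endswith("#anyURI") and value in subject_attrs:
                value = subject_attrs[value]  # "encrypt for the caller" (assumed convention)
            params[aa.get("AttributeId")] = value
        todo[ob.get("ObligationId")] = params
    return todo
```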