
xacml-users message



Subject: Re: [xacml-users] XACML Resource Element


I am fairly new to the list so excuse me if this topic has already been
raised.

I am very interested in knowing if anyone has considered normative profile
mapping for Java2 permissions or the J2EE/JACC security models as well?

IMHO, Java2 permissions don't fit the XACML model cleanly since it usually
involves permissions restricting a codeBase and not a Subject / user.
Thoughts?

Jeff

----- Original Message ----- 
From: "Daniel Engovatov" <dengovatov@bea.com>
To: <marchadr@wellsfargo.com>; <Seth.Proctor@sun.com>
Cc: <xacml-users@lists.oasis-open.org>
Sent: Wednesday, September 21, 2005 1:17 PM
Subject: RE: [xacml-users] XACML Resource Element


It absolutely makes sense.  That is the reason XACML resource concept
was designed to be so flexible.

All that is needed is a normative profile for mapping some other
specification resource into XACML space.   Since WS-Resource developers
are intimately familiar with the structure that they need to present for
authorization decisions, perhaps they may suggest such a mapping?

It, preferably, should be a strictly defined collection of named
attributes of the XACML types, or, optionally, an XML document that can
be included in the request.  Note that XML document support is optional in
XACML and puts the burden of extracting the relevant values on the
policy writer.  It would be nice to do that for them.

Daniel;

-----Original Message-----
From: marchadr@wellsfargo.com [mailto:marchadr@wellsfargo.com]
Sent: Wednesday, September 21, 2005 9:12 AM
To: Seth.Proctor@sun.com; Daniel Engovatov
Cc: marchadr@wellsfargo.com; xacml-users@lists.oasis-open.org
Subject: RE: [xacml-users] XACML Resource Element

Here is what seems to be happening:

Some specifications are using a resource to define parts of their
specifications.
It would be nice to have the mapping of an XACML resource to a
WS-Resource since an authorization filter could be thrown on top of the
specifications using the WS-Resource with relative ease.

For instance I am a service provider providing WS-Notifications or
something else.
I want to add policy enforcement based on my resource definitions.
I look at products that support XACML and throw that in front of my
service provider to check the WS-Resource to retrieve groups and
policies for the specific resource based on the service client
definitions.

Does this make sense?

- Dan

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@sun.com]
Sent: Tuesday, September 20, 2005 5:44 PM
To: Daniel Engovatov
Cc: marchadr@wellsfargo.com; xacml-users@lists.oasis-open.org
Subject: Re: [xacml-users] XACML Resource Element



On Sep 20, 2005, at 8:40 PM, Daniel Engovatov wrote:
> WS-Resource can be expressed as an XACML resource.   XACML resource is a
> more generic concept.  What we may want is to develop a profile for
> normative mapping.

Umm, yeah. What Daniel said :)


seth


---------------------------------------------------------------------
This publicly archived list supports open discussion on using the
XACML OASIS Standard. To minimize spam in the archives, you
must subscribe before posting.

[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
Alternately, using email: list-[un]subscribe@lists.oasis-open.org
List archives: http://lists.oasis-open.org/archives/xacml-users/
Committee homepage: http://www.oasis-open.org/committees/xacml/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Join OASIS: http://www.oasis-open.org/join/


