[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] Third-party Pre-Fetch of authorization decision
Hi Conor. On May 8, 2006, at 8:23 AM, Cahill, Conor P wrote: > I and trying to specify the use of XACML in a situation where the > accessing party, knowing that an authrorization decision will be > needed > by a PEP, requests in advance the authorization decision from the PDP > and pushes "the decision" with the resource access request to the PEP. You're right that this isn't covered explicitly in the spec, but it's definitely a supportable case, and pretty easy to do. The reason it's not covered in the XACML spec is because this is more a function of the authorization system built around XACML, and at this level (also where attributes are managed, PEPs are administered, policies are created, etc) XACML is non-specific so you can work witch whichever systems you have/need. My suggestion for the easiest way to attack your problem is with SAML. It's designed for sending requests, getting signed responses, and even correlating requests and responses. It should be very easy to implement support for this, and as more SAML/XACML implementations show up, you should be able to take advantage of them. Note that the challenge here (that I'm sure you've already thought of) besides signing the messages is expiration. XACML doesn't talk about when attributes expire, so it's somewhat hard to be precise about how long a decision stays valid. It's up to your system to track these dependencies. seth
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]