Re: [xacml-users] Third-party Pre-Fetch of authorization decision

[Seth Proctor <Seth.Proctor@sun.com>]

Hi Conor.

On May 8, 2006, at 8:23 AM, Cahill, Conor P wrote:
> I and trying to specify the use of XACML in a situation where the
> accessing party, knowing that an authrorization decision will be  
> needed
> by a PEP, requests in advance the authorization decision from the PDP
> and pushes "the decision" with the resource access request to the PEP.

You're right that this isn't covered explicitly in the spec, but it's  
definitely a supportable case, and pretty easy to do. The reason it's  
not covered in the XACML spec is because this is more a function of  
the authorization system built around XACML, and at this level (also  
where attributes are managed, PEPs are administered, policies are  
created, etc) XACML is non-specific so you can work witch whichever  
systems you have/need.

My suggestion for the easiest way to attack your problem is with  
SAML. It's designed for sending requests, getting signed responses,  
and even correlating requests and responses. It should be very easy  
to implement support for this, and as more SAML/XACML implementations  
show up, you should be able to take advantage of them.

Note that the challenge here (that I'm sure you've already thought  
of) besides signing the messages is expiration. XACML doesn't talk  
about when attributes expire, so it's somewhat hard to be precise  
about how long a decision stays valid. It's up to your system to  
track these dependencies.


seth