[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] Validating XACML policies and requests against XSD
Hi,
I also wonder why sunxacml implementation does not support xml schema with naming space in xacml policies.
Best Regard
hao
--- On Tue, 1/13/09, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
> From: Oleg Gryb <oleg_gryb@yahoo.com>
> Subject: [xacml-users] Validating XACML policies and requests against XSD
> To: xacml-users@lists.oasis-open.org, xacml-comments@lists.oasis-open.org
> Date: Tuesday, January 13, 2009, 11:39 AM
> I've noticed lately that some commercial and open source
> PDP engines do not validate requests and policies against
> XSD that is a part of XACML specification. I could see two
> problems related to that:
>
> 1. Each and every security auditor would say that absence
> of input data validation is a security breach in waiting.
> It's true even for 'regular' business
> applications. In the case of authorization systems this fact
> should be given even a bigger attention considering
> criticality of these systems.
>
> 2. It affects PDP's interoperability. Example that Hao
> has provided makes me thing that sunxacml disregards
> namespaces, it means that it won't be interoperable with
> any PDP engine that does the validation against XSD. Seth,
> please let me know if my observation is not correct.
>
> I think it should be clearly stated in the XACML
> specification that if a request or policy is not compliant
> with XSDs the process of evaluation should not even start
> and all invalid requests and policies should be rejected by
> PDP.
>
>
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> xacml-users-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail:
> xacml-users-help@lists.oasis-open.org
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]