Subject: Re: [xacml] Request and Response Context Schemas - Take 2


On 5 June, Michiharu Kudoh writes: Re: [xacml] Request and Response Context Schemas - Take 2
 > I am not clear on your sentence "If we ever expect to have multiple
 > resources, we need to know which actions go with which resource, and this
 > makes that association." Does this mean that PEP can ask PDP with more than
 > two or more pairs of resource and action (e.g. read a.xml and update b.xml)
 > per one access request?

My mistake.  I thought you were proposing multiple resources in
your 3 Jun 2002 message titled "Observation on J2SE context
proposal":

> (here I am assuming that <ContextResource> and
> <ContextAction> have a child element called <Resource> and <Action>,
> respectively.)

I think it is OK to allow just one resource.  As long as we allow
just one resource, then any actions are automatically associated
with that resource.  It is only if we decide to allow more than
one resource that it becomes an issue to associate actions with a
particular resource.

 > As far as I understand, each <Principal> consists of optional <PrincipalID>
 > and any number of <Attribute> that consists of optional <Holder> and one
 > <AttributeValue> that can contain anything in it. Is that correct?

Yes.  The <Attribute>s that are included in a <Principal> should
not have a <Holder> element (or else, failure of Holder element
to match the <Principal/NameIdentifier> element is an error).

 > I am
 > wondering whether <PrincipalID> differs from <Holder> or not.

It does not.  My proposed definition of Holder has
type="xacml:PrincipalIDType".

 > Since <ContextPrincipals> allows multiple <Principal>s, I
 > thought that each <Principal> has different <PrincipalID>
 > specified by <NameIdentifier> that is equal to <Holder> (that
 > also consists of <NameIdentifier>) of the <Attribute>.  I
 > would like to see XACML Context example based on your schema.

Here is the previous example based on the new schema (but with
only one resource).  Note that the <Attribute> does not include a
Holder, since the Holder is implicit from the <NameIdentifier>:

<xacml:RequestContext>
    <xacml:ContextPrincipals>
        <xacml:Principal PrincipalType="j2se:RequestingUser">
            <xacml:NameIdentifier Format="itu:X500DistinguishedName">
                "cn=Anne,ou=SunLabs,o=Sun,c=US"
            </xacml:NameIdentifier>
        </xacml:Principal>
        <xacml:Principal PrincipalType="j2se:RequestingUser">
            <xacml:NameIdentifier Format="ietf:RFC822Name">
                "Anne.Anderson@Sun.COM"
            </xacml:NameIdentifier>
        </xacml:Principal>
        <xacml:Principal PrincipalType="j2se:CodeSource">
            <xacml:NameIdentifier Format="ietf:URL">
                "http://java.sun.com/jdk1.4/classes"
            </xacml:NameIdentifier>
            <xacml:Attribute AttributeName="j2se:SignedBy">
                <xacml:AttributeValue>
                    "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
                </xacml:AttributeValue>
                <xacml:AttributeValue>
                    "cn=SunSigner,o=Sun,c=US"
                </xacml:AttributeValue>
            </xacml:Attribute>
        </xacml:Principal>
    </xacml:ContextPrincipals>
    <xacml:ContextResource>
        <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
    </xacml:ContextResource>
    <xacml:ContextActions>
        <xacml:Action>
            "read"
        </xacml:Action>
    </xacml:ContextActions>
</xacml:RequestContext>

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
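An added example, not from the thread or from any XACML implementation, that checks a request context against the rule stated in the message: an <Attribute> inside a <Principal> carries no <Holder>, and if one does appear its <NameIdentifier> must match the enclosing <Principal>'s. It assumes a placeholder namespace URI for the draft xacml: prefix; the attribute name j2se:Role, the file URI and the identity bob@example.com in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI for the draft "xacml:" prefix; the 2002 proposal in
# the message does not bind the prefix, so this value is a placeholder.
XACML_NS = "urn:example:xacml-draft-context"
NS = {"xacml": XACML_NS}

def _text(elem):
    return (elem.text or "").strip().strip('"')  # draft writes values as quoted strings

def identity(elem):
    """(Format, value) of the NameIdentifier child of a Principal or Holder."""
    nid = elem.find("xacml:NameIdentifier", NS)
    return None if nid is None else (nid.get("Format"), _text(nid))

def check_holders(request_xml):
    """Flag any <Attribute> whose <Holder> names someone other than the
    enclosing <Principal>. Returns error strings (empty when consistent)."""
    root = ET.fromstring(request_xml)
    errors = []
    for principal in root.iterfind("xacml:ContextPrincipals/xacml:Principal", NS):
        who = identity(principal)
        for attr in principal.iterfind("xacml:Attribute", NS):
            holder = attr.find("xacml:Holder", NS)
            if holder is not None and identity(holder) != who:
                errors.append(f"{attr.get('AttributeName')}: Holder {identity(holder)} "
                              f"!= Principal {who}")
    return errors

def action_pairs(request_xml):
    """With a single <ContextResource>, every <Action> pairs with that resource."""
    root = ET.fromstring(request_xml)
    uri = root.find("xacml:ContextResource/xacml:ResourceSpecifier", NS).get("ResourceURI")
    return [(uri, _text(a)) for a in root.iterfind("xacml:ContextActions/xacml:Action", NS)]

# Constructed sample: the Attribute's Holder names somebody else, so it is flagged.
SAMPLE = f"""<xacml:RequestContext xmlns:xacml="{XACML_NS}">
 <xacml:ContextPrincipals>
  <xacml:Principal PrincipalType="j2se:RequestingUser">
   <xacml:NameIdentifier Format="ietf:RFC822Name">"Anne.Anderson@Sun.COM"</xacml:NameIdentifier>
   <xacml:Attribute AttributeName="j2se:Role">
    <xacml:Holder><xacml:NameIdentifier Format="ietf:RFC822Name">"bob@example.com"</xacml:NameIdentifier></xacml:Holder>
    <xacml:AttributeValue>"admin"</xacml:AttributeValue>
   </xacml:Attribute>
  </xacml:Principal>
 </xacml:ContextPrincipals>
 <xacml:ContextResource><xacml:ResourceSpecifier ResourceURI="file:/tmp/status.txt"/></xacml:ContextResource>
 <xacml:ContextActions><xacml:Action>"read"</xacml:Action></xacml:ContextActions>
</xacml:RequestContext>"""
```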