[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] Concrete Proposal of ConditionReference (#7)
We do state that function (and by extension condition) evaluation should have no side effects, so given the same context it will always evaluate to the same value, but we indeed never stated that the context shall remain the same during evaluation. It is, naturally, the same, if it is provided by request document, but XACML is not limited to only using context data from the request document. If I remember correctly, that was one of the reasons we adopted unordered bags as data model, and did not introduce any functions that rely on order of elements within a bag to remain the same even within the same rule. On the other hand - references to an expression is a good opportunity to get around negative aspects of such flexibility: when you DO want to ensure that a particular expression is evaluated to the same value in different parts of the policy. That would be independent of what happens to the virtual context, which is not under control of the policy. So, this proposal indeed changes how the policy will be evaluated, compared to our current model, but that may be not a bad thing. Daniel;
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]