xacml message
Subject: PDP REST Interface - proposal
- From: David Brossard <david.brossard@axiomatics.com>
- To: xacml <xacml@lists.oasis-open.org>
- Date: Fri, 20 May 2011 16:19:54 +0200
Hi all,
Following the call yesterday, I would like to kick-start some discussions around the possibility of designing a standard REST interface for a PDP. The idea would be to have a PEP-PDP interaction using REST.
Original idea:
Develop a lightweight, simple PEP capable of sending authorization requests to an authorization service (the PDP). The simpler the PEP, the likelier it will be adopted by a wider crowd of developers.
Possible REST interfaces:
2 possible methods: GET and POST
- GET
  - Input: Send in a URL e.g. http://foo.bar/AuthZ/?a=value&b=value2&c=value3
  - Output: the decision (the whole XACML decision? simply the decision string e.g. "Permit"? an HTTP status code?)
  - Pros: extremely easy to consume
  - Cons: the request sent / response received are not valid XACML requests / responses.
    - This means a layer on the PDP side (in the REST wrapping) needs to map from an HTTP GET parameter to a XACML attribute
    - In addition, if the response is merely a status code or a String, it breaks the XACML standard in the sense that obligations / advice would be lost
- POST
  - Input: the entire XACML request in its XML form
  - Output: the entire XACML response in its XML form
  - Pros: complies with the XACML standard
  - Cons: what is the benefit other than performance? It doesn't make adoption easier
- POST using JSON
  - Input: the JSON representation of a XACML request
  - Output: the JSON representation of a XACML response
  - Pros: all the richness of XACML. The format is JSON which developers seem to prefer.
  - Cons: perhaps a bit too cumbersome.
What are your thoughts? Do you think any standardization effort / profile definition effort should be driven by a developer community willing to use authorization and which would want to sacrifice the richness of XACML for the sake of simplicity?
Cheers,
David.
--
David Brossard, M.Eng, SCEA, CSTP
Solutions Architect
+46(0)760 25 85 75
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
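
The mapping layer and the loss of obligations described under the GET option, as an added example that is not part of the original message. The parameter names `subject`, `resource` and `action`, the mapping table, the choice to reject unmapped parameters and the sample response are assumptions; the XACML 3.0 core namespace and standard attribute identifiers are used for illustration, since the message names no XACML version.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ET.register_namespace("", NS)  # serialize with a default namespace

# Hypothetical mapping table: short GET parameter -> (category, attribute id).
PARAM_MAP = {
    "subject": ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "urn:oasis:names:tc:xacml:1.0:subject:subject-id"),
    "resource": ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                 "urn:oasis:names:tc:xacml:1.0:resource:resource-id"),
    "action": ("urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}

def get_to_xacml(url):
    """Build a XACML <Request> from the query string of a GET URL."""
    root = ET.Element(f"{{{NS}}}Request",
                      {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    categories = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name not in PARAM_MAP:
            # Assumption: fail closed instead of dropping input the PDP never sees.
            raise ValueError(f"unmapped parameter: {name}")
        category, attr_id = PARAM_MAP[name]
        if category not in categories:
            categories[category] = ET.SubElement(
                root, f"{{{NS}}}Attributes", {"Category": category})
        attr = ET.SubElement(categories[category], f"{{{NS}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{NS}}}AttributeValue", {"DataType": STRING}).text = value
    return ET.tostring(root, encoding="unicode")

def collapse_response(xacml_response_xml):
    """Reduce a XACML <Response> to a decision string; report what is dropped."""
    result = ET.fromstring(xacml_response_xml).find(f"{{{NS}}}Result")
    decision = result.findtext(f"{{{NS}}}Decision")
    dropped = [o.get("ObligationId") for o in result.iter(f"{{{NS}}}Obligation")]
    dropped += [a.get("AdviceId") for a in result.iter(f"{{{NS}}}Advice")]
    return decision, dropped

# Constructed sample PDP response, not taken from the original message.
SAMPLE_RESPONSE = f"""<Response xmlns="{NS}"><Result><Decision>Permit</Decision>
<Obligations><Obligation ObligationId="urn:example:obligation:log-access"/></Obligations>
</Result></Response>"""
```

`collapse_response(SAMPLE_RESPONSE)` returns the bare `Permit` together with the obligation identifier that a string-only or status-code-only reply would never deliver to the PEP.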