

Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues


Ok.  So a POST can have no side effects but return different results and still be considered idempotent. 

Thanks,

-Danny

Danny Thorpe 
Product Architect | | Quest Software - Now including the people and products of BiTKOO | www.quest.com 


-----Original Message-----
From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of remon.sinnema@emc.com
Sent: Thursday, May 17, 2012 2:10 PM
To: Danny Thorpe
Cc: xacml@lists.oasis-open.org
Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues

Danny,


> -----Original Message-----
> From: Danny Thorpe [mailto:Danny.Thorpe@quest.com]
> Sent: Thursday, May 17, 2012 8:19 PM
> To: Hal Lockhart; Sinnema, Remon; xacml@lists.oasis-open.org
> Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues
> 
> > Since we're using POST, which is non-idempotent 
> > (http://tools.ietf.org/html/rfc2616#section-9.1.2), we must not use 
> > HTTP pipelining (http://tools.ietf.org/html/rfc2616#section-8.1.2.2).
> 
> My reading of rfc 2616 - 9.1.2 is that POST is not REQUIRED to be 
> idempotent. As a matter of fact, we know an XACML decision request IS 
> idempotent.
> <<<
> 
> ?? The XACML decision request POST may be idempotent on the request 
> side, but not on the response side. Identical XACML requests may 
> return different responses if the policies in force are dependent upon 
> time of request or other contextual data not carried in the request 
> that changes between requests.  Access permitted at 4:59pm, access 
> denied at 5:01pm.

After re-reading, I think Hal is right. RFC 2616 defines idempotence in terms of side-effects. An access request should not have side effects, so it is idempotent, even though the response may change when the request is repeated. In fact, an access request is even safe (http://tools.ietf.org/html/rfc2616#section-9.1.1).

So that kills my argument against HTTP pipelining, and therefore Hal is probably right that we need to write something up on how to handle it.


Thanks,
Ray

