[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues
> > > Section 2.2.2 is not very clear about what precisely goes into the > > > POST request and response exchanged with a PDP, but the example > > > shows XACML <Request> and <Response> elements being sent. > > > > Yeah, I struggled with that a bit. Since the actual media type > > definitions are now outside the REST profile, I find it difficult to > > be precise. Any suggestions for improvement? > > > I don't see why you can explicitly call out schema and outermost XML > element and specifically say you must send this or can send either this > or this. > <<<< > > Hal, did you mean "cannot explicitly..." there? Yes, sorry I meant "can't". > > > >>> > > > > Since we're using POST, which is non-idempotent > > (http://tools.ietf.org/html/rfc2616#section-9.1.2), we must not use > > HTTP pipelining (http://tools.ietf.org/html/rfc2616#section-8.1.2.2). > > My reading of rfc 2616 - 9.1.2 is that POST is not REQUIRED to be > idempotent. As a matter of fact, we know an XACML decision request IS > idempotent. > <<< > > ?? The XACML decision request POST may be idempotent on the request > side, but not on the response side. Identical XACML requests may return > different responses if the policies in force are dependent upon time of > request or other contextual data not carried in the request that > changes between requests. Access permitted at 4:59pm, access denied at > 5:01pm. This is true, however this functionality can actually be controlled by the InputContextOnly XML attribute which appears in the <XACMLAuthzDecisionQuery>. This is another reason it might be desirable to allow the use of the Req/Resp wrappers. I still think for anything but a demo, requiring synchronous requests is a complete non-starter. hal
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]