RE: [xacml] [xacml-users] REST Profile - PDP Issues

[Hal Lockhart <hal.lockhart@oracle.com>]

> > > Section 2.2.2 is not very clear about what precisely goes into the
> > > POST request and response exchanged with a PDP, but the example
> > > shows XACML <Request> and <Response> elements being sent.
> >
> > Yeah, I struggled with that a bit. Since the actual media type
> > definitions are now outside the REST profile, I find it difficult to
> > be precise. Any suggestions for improvement?
> >
> I don't see why you can explicitly call out schema and outermost XML
> element and specifically say you must send this or can send either this
> or this.
> <<<<
> 
> Hal, did you mean "cannot explicitly..." there?

Yes, sorry I meant "can't".

> 
> 
> >>>
> >
> > Since we're using POST, which is non-idempotent
> > (http://tools.ietf.org/html/rfc2616#section-9.1.2), we must not use
> > HTTP pipelining (http://tools.ietf.org/html/rfc2616#section-8.1.2.2).
> 
> My reading of rfc 2616 - 9.1.2 is that POST is not REQUIRED to be
> idempotent. As a matter of fact, we know an XACML decision request IS
> idempotent.
> <<<
> 
> ?? The XACML decision request POST may be idempotent on the request
> side, but not on the response side. Identical XACML requests may return
> different responses if the policies in force are dependent upon time of
> request or other contextual data not carried in the request that
> changes between requests.  Access permitted at 4:59pm, access denied at
> 5:01pm.

This is true, however this functionality can actually be controlled by the InputContextOnly XML attribute which appears in the <XACMLAuthzDecisionQuery>. This is another reason it might be desirable to allow the use of the Req/Resp wrappers.

I still think for anything but a demo, requiring synchronous requests is a complete non-starter.

hal