Subject: RE: [xacml] PDP Issuers re: REST Profile working draft 05
“per TCP/IP session” is fine with me. Thanks.

I was concerned with the original wording for the case where there are multiple independent PEPs running in the same process. (Not an ideal design, but could happen as a result of composing multiple largish subsystems together under one roof). This scenario would likely violate the original wording, and it could be difficult to force them all to serialize access to the PDP. With the per session wording, as long as each player has their own connection, they continue to operate independently of each other.

-Danny

Danny Thorpe
Product Architect | Quest Software - Now including the people and products of BiTKOO | www.quest.com

From: Hal Lockhart [mailto:hal.lockhart@oracle.com]

I would state it as “per TCP/IP session”. But I agree. I am not sure managing a session pool is simpler, but your proposal will work.

Hal

From: Danny Thorpe [mailto:Danny.Thorpe@quest.com]

>> State that when <XACMLAuthzDecisionQuery> is used, requests and responses can be correlated using Request Id and InResponseTo. State that when <Request> is used the PEP must not send a request until the response from a previous response has been received.

Can we constrain this to “within the same network connection”? If a client makes multiple connections to the PDP server and issues one request per connection, there should be no ambiguity on the server of which response goes with which request because processing of each request should be handled within the context of the connection. And there should be no ambiguity on the client because it is issuing only one request per connection, and the response comes back on the same connection the request was issued on. Right?

-Danny

Danny Thorpe
Product Architect | Quest Software - Now including the people and products of BiTKOO | www.quest.com

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org]
On Behalf Of Hal Lockhart

I will comment on the PDP issues here and the PAP issues separately.

My two original comments have not been addressed.

- Use of <Request> element vs. the <XACMLAuthzDecisionQuery> element.
- Request/response correlation.

I propose the following solutions.

State explicitly that the XACML request type can include either <Request> for XACML core or <XACMLAuthzDecisionQuery> from the SAML Profile. Include normative references to each and state that the processing and response must be as specified in the respective specification. State that when <Request> is used, the additional functionality is not available.

State that when <XACMLAuthzDecisionQuery> is used, requests and responses can be correlated using Request Id and InResponseTo. State that when <Request> is used the PEP must not send a request until the response from a previous response has been received.

Hal

From: Remon Sinnema [mailto:remon.sinnema@emc.com]