OASIS Mailing List Archives

xacml-comment message


Subject: Re: [xacml-comment] Multiple Request Subject elements

On 16 December, Wes Kubo writes: [xacml-comment] Multiple Request Subject elements
 > From reading the spec I'm unclear as to whether every Subject (if more than
 > one is specified) in the request must have a match in the policy (Target or
 > Rule/Target) for the Target to be applicable in terms of the Subject. It was
 > my gut feeling that the answer is yes, but looking at test IIB028 would lead
 > me to believe otherwise. It seems to me that this could lead to problems
 > with security. Can anyone shed some light on this issue?

Short answer: there CAN be Subjects in a Request that do not have
a match in the Target of an applicable policy.

Longer answer:

A Request provides various bits of information about the context
in which an authorization decision request is being made.  A
Policy states which information must be provided in order for an
authorization decision to be made.  If a particular Subject, or
particular Attributes of a particular Subject, are required in
order to render an authorization decision, then the Policy will
include those.  Otherwise, the Policy will not include them.

There are no problems with security because, if a particular
Subject IS NOT relevant to the authorization decision, then the
Policy WILL NOT reference that Subject.  If a particular Subject
IS relevant to the authorization decision, then the Policy WILL
reference it.

As one way of explaining this, consider the typical state of
affairs in any existing authorization decision system (for
example, UNIX Access Control Lists).  Such systems may depend on
knowing the user's identity or the user's group memberships, but
such systems don't even know how to express other Subjects
involved in the Request, such as:
 o the application through which the request is being made,
 o the identity of the machine from which the request is being
 o the signers of the code in the application that generated the
 o etc.

XACML's ability to specify multiple Subjects allows a Policy to
be more fine-grained, but does not eliminate any security that
existed in previous systems.

Does this answer your question?

Anne Anderson
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
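The target-matching behaviour described in the reply above, as an added example that is not part of the original message or of the XACML specification text: a small model of how a PDP evaluates the <Subjects> part of a Policy Target against a Request that carries two Subject elements (the access-subject and a codebase subject). It uses the XACML 1.0 namespace and identifier URIs; everything else (the `build_request` and `policy_xml` helpers, the user name "alice", the codebase URLs, and the policies) is constructed for illustration. Only string-equal matching and the Subjects part of the Target are modelled, and Indeterminate results are not.

```python
import xml.etree.ElementTree as ET

# XACML 1.0 namespaces and identifiers (the version this thread refers to).
POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
CONTEXT_NS = "urn:oasis:names:tc:xacml:1.0:context"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CODEBASE = "urn:oasis:names:tc:xacml:1.0:subject-category:codebase"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING = "http://www.w3.org/2001/XMLSchema#string"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
P = "{%s}" % POLICY_NS   # ElementTree tag prefix for policy elements
C = "{%s}" % CONTEXT_NS  # ElementTree tag prefix for request-context elements


def build_request(subjects):
    """Constructed helper: {SubjectCategory: {AttributeId: value}} -> Request XML.
    Resource and Action are left empty because only Subjects are evaluated here."""
    parts = []
    for cat, attrs in subjects.items():
        attr_xml = "".join(
            f'<Attribute AttributeId="{aid}" DataType="{STRING}">'
            f"<AttributeValue>{val}</AttributeValue></Attribute>"
            for aid, val in attrs.items())
        parts.append(f'<Subject SubjectCategory="{cat}">{attr_xml}</Subject>')
    return f'<Request xmlns="{CONTEXT_NS}">{"".join(parts)}<Resource/><Action/></Request>'


def policy_xml(subject_matches):
    """Constructed helper: one Target <Subject> holding a SubjectMatch per
    (subject_category, attribute_id, literal) triple; any resource, any action."""
    matches = "".join(
        f'<SubjectMatch MatchId="{STRING_EQUAL}">'
        f'<AttributeValue DataType="{STRING}">{literal}</AttributeValue>'
        f'<SubjectAttributeDesignator SubjectCategory="{cat}" AttributeId="{aid}" DataType="{STRING}"/>'
        f"</SubjectMatch>"
        for cat, aid, literal in subject_matches)
    return (f'<Policy xmlns="{POLICY_NS}" PolicyId="example" RuleCombiningAlgId="{DENY_OVERRIDES}">'
            f"<Target><Subjects><Subject>{matches}</Subject></Subjects>"
            f"<Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>"
            f"</Policy>")


def request_subjects(request_xml):
    """Index a Request as {SubjectCategory: {AttributeId: [values]}}."""
    subjects = {}
    for subj in ET.fromstring(request_xml).findall(C + "Subject"):
        attrs = subjects.setdefault(subj.get("SubjectCategory", ACCESS_SUBJECT), {})
        for attr in subj.findall(C + "Attribute"):
            attrs.setdefault(attr.get("AttributeId"), []).extend(
                v.text for v in attr.findall(C + "AttributeValue"))
    return subjects


def subject_match(match_el, subjects):
    """One <SubjectMatch>: true if the literal equals at least one value in the bag
    the designator selects from the Subject of the named category. An empty bag
    (category or attribute absent from the Request) is simply no match."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError("only string-equal is modelled here")
    literal = match_el.find(P + "AttributeValue").text
    d = match_el.find(P + "SubjectAttributeDesignator")
    bag = subjects.get(d.get("SubjectCategory", ACCESS_SUBJECT), {}).get(d.get("AttributeId"), [])
    return any(v == literal for v in bag)


def subjects_target_applies(policy, request_xml):
    """<Subjects> is a disjunction of <Subject>; each <Subject> is a conjunction of
    <SubjectMatch>. Request Subjects that no designator names are never consulted."""
    subjects = request_subjects(request_xml)
    subjects_el = ET.fromstring(policy).find(P + "Target/" + P + "Subjects")
    if subjects_el.find(P + "AnySubject") is not None:
        return True
    return any(
        all(subject_match(m, subjects) for m in s.findall(P + "SubjectMatch"))
        for s in subjects_el.findall(P + "Subject"))


def unreferenced_subject_categories(policy, request_xml):
    """Subject categories present in the Request that the Target never designates;
    these carry no weight in the applicability decision."""
    referenced = {d.get("SubjectCategory", ACCESS_SUBJECT)
                  for d in ET.fromstring(policy).iter(P + "SubjectAttributeDesignator")}
    return set(request_subjects(request_xml)) - referenced


# Constructed requests: alice acting directly, and alice acting through an applet
# whose codebase appears as a second Subject in the same Request.
ALICE_DIRECT = build_request({ACCESS_SUBJECT: {SUBJECT_ID: "alice"}})
ALICE_VIA_APPLET = build_request({ACCESS_SUBJECT: {SUBJECT_ID: "alice"},
                                  CODEBASE: {SUBJECT_ID: "http://untrusted.example/applet"}})

# Policy A references only the access-subject; Policy B also requires a known codebase.
POLICY_A = policy_xml([(ACCESS_SUBJECT, SUBJECT_ID, "alice")])
POLICY_B = policy_xml([(ACCESS_SUBJECT, SUBJECT_ID, "alice"),
                       (CODEBASE, SUBJECT_ID, "http://corp.example/signed-app")])

if __name__ == "__main__":
    for pname, pol in (("A", POLICY_A), ("B", POLICY_B)):
        for rname, req in (("direct", ALICE_DIRECT), ("applet", ALICE_VIA_APPLET)):
            print(pname, rname, subjects_target_applies(pol, req),
                  sorted(unreferenced_subject_categories(pol, req)))
```

Policy A applies to both requests and silently ignores the codebase Subject, which is the IIB028 behaviour the question asks about. Policy B, which does reference the codebase category, is not applicable either when that Subject is missing (empty bag) or when its subject-id is not the expected one; whether the extra Subject matters is therefore decided entirely by what the policy author chose to designate.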

