OASIS Mailing List Archives

xacml-comment message


Subject: Re: [xacml-comment] RE: Attribute Array in JSON Request


I'll check with our team but I'm pretty sure we use the same approach as Steven.

On Mar 8, 2018 10:54 PM, "Steven Legg" <steven.legg@viewds.com> wrote:

Hi David,

On 9/03/2018 2:39 AM, David Brossard wrote:
Hi,

This is really cool, thanks. Feedback for me is that the MDP behavior in my profile is unclear. Essentially, to create an MDP, you would either do "AccessSubject": [ ..., ...] or a mix of "AccessSubject" and "Category". But then we fall back on the previous point of feedback: that we don't make properties interchangeably objects or arrays.

I was expecting AccessSubject to become exclusively an array, even if it is an
array of one object. Since we have somewhere else to put multiple instances of the
same category we could also make AccessSubject exclusively an object (if we retain
it at all).

FWIW, I parse all the categories into one list and decide from that whether I have
a request for multiple decisions. It doesn't matter if the subjects came from
"Category", or an "AccessSubject" object, or an "AccessSubject" array, or a mix.


I'll strive to be on the next call so we can discuss things.

Note that the next meeting changes over to the usual "summer" time slot.

Regards,
Steven


Thanks,
David.

On Thu, Mar 8, 2018 at 6:02 AM, DANGERVILLE Cyril <cyril.dangerville@thalesgroup.com> wrote:

    Regarding the example, all I could find about MDP – besides MultiRequests - is:

    /the optional default objects (based on section 4.2.2.1) can also be an array instead of single-valued in order to cater for multiple decision requests as defined in *[XACMLMDP] <http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/cos01/xacml-json-http-v1.0-cos01.html#_Normative_References>*/

    But I’m not sure what it means. Does it mean that you can have something like the following for MDP?

    "AccessSubject": [
                     "Attribute": […],
                     "Attribute": […],
                     …
    ]

    As for the JSON schema, I just wrote it by hand and used a Java library to make sure it is valid and works. I’ve been waiting for the JSON Profile to be finalized before making it official, in case there are new changes following the review period (which I hope there will be). Anyway, I can share what we have for now. You can find the *draft* on AuthzForce’s GitHub:

    https://github.com/authzforce/xacml-json-model/tree/develop/src/main/resources/org/ow2/authzforce/xacml/json/model

    Beware of a few things:

    - It is split in 3 schemas: common.schema (common to Requests and Responses), Request.schema (for Request only) and Response.schema (for Response only)

    - I tried to keep it simple for our needs, so it does not support Default Category objects actually, only the generic Category one (but it is possible to support both with json schema).

    - It is written according to *draft 06 of JSON schema*. Yes, JSON schema is still a draft spec and, since I wrote this 3 months ago, the draft 07 has come out. There are still many issues to be fixed on this spec: https://github.com/json-schema-org/json-schema-spec/issues

    Regards,
    Cyril

    *From:* David Brossard [mailto:david.brossard@axiomatics.com]
    *Sent:* Wednesday, 7 March 2018 15:41
    *To:* DANGERVILLE Cyril
    *Cc:* xacml-comment@lists.oasis-open.org
    *Subject:* Re: [xacml-comment] RE: Attribute Array in JSON Request

    Hi,

    I understand your point. At that rate, though, you could argue we should have stuck with XML :-) Yes it is true that programs will send the requests and that developers will write those programs one-off. My experience is that there are a lot of developers out there that just give up at the first sign of the slightest bit of complexity. I want to make XACML as simple as possible. Note BTW that what I am doing here in the JSON profile is something we had in XACML 2.0: resource-specific elements. In XACML 3.0, we went down the path of generalization. I love the idea of generalization but how often do customers use a category other than the 4 standard ones? In my experience, rarely.

    The example you mention is quite clearly an MDP. I think it's stated in the profile. Is it not?

        Our concern – I mean my team’s – is more about safety/security. When the syntax allows two ways of writing the same thing, or one generic way with some exceptions, it makes validation trickier and more error-prone. (I wrote a JSON schema for the JSON Profile and this makes quite a difference in complexity.)

    Your previous argument can be used here: you wrote the validation. It was a one-off effort. It's done.

    Re. the JSON schema, how did you do that? Would you be willing to share it with us? The schema could become the normative form.

    Thanks,

    David.




--
David Brossard
VP of Customer Relations
+1 312 774-9163
+1 502 922 6538
+46(0)760 25 85 75

Axiomatics | 525 W. Monroe Suite 2310 | Chicago 60661 <https://maps.google.com/?q=525+W.+Monroe+Suite+2310+%7C+Chicago+60661&entry=gmail&source=g>
Support: https://support.axiomatics.com <https://support.axiomatics.com/>
Web: http://www.axiomatics.com <http://www.axiomatics.com/>
Axiomatics Blog <http://www.axiomatics.com/blog/> | Events <http://www.axiomatics.com/events.html> | Resources, Webinars & Whitepapers <http://www.axiomatics.com/resources.html>
Connect with us on LinkedIn <http://www.linkedin.com/companies/536082> | Twitter <http://twitter.com/axiomatics> | Google + <https://plus.google.com/u/1/b/101496487994084529291/> | Facebook <https://www.facebook.com/axiomatics> | YouTube <http://www.youtube.com/user/axiomaticsab>
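
The approach Steven describes in this thread (parse every category into one list, then decide from that list whether the request asks for multiple decisions) can be sketched as follows. This is an added example, not code from any participant or their products; the four shorthand names map to the standard XACML category URIs, while the function names, attribute ids and sample request are constructed, and `CategoryId` is assumed to carry a full URI.

```python
import json
from collections import Counter

# Shorthand property name -> XACML 3.0 category URI (the four standard ones).
DEFAULT_CATEGORIES = {
    "AccessSubject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}

def as_objects(name, value):
    """Accept one object or an array of objects; reject every other shape."""
    items = value if isinstance(value, list) else [value]
    for item in items:
        if not isinstance(item, dict):
            raise ValueError(f"{name}: expected object, got {type(item).__name__}")
    return items

def flatten_categories(request):
    """Return [(category_id, attributes), ...] however each category was written."""
    flat = []
    for entry in as_objects("Category", request.get("Category", [])):
        cat_id = entry.get("CategoryId")
        if not isinstance(cat_id, str):  # assumption: CategoryId is a full URI
            raise ValueError("Category entry needs a string CategoryId")
        flat.append((cat_id, entry.get("Attribute", [])))
    for name, cat_id in DEFAULT_CATEGORIES.items():
        for entry in as_objects(name, request.get(name, [])):
            flat.append((cat_id, entry.get("Attribute", [])))
    return flat

def is_multiple_decision(flat):
    """True when any category occurs more than once in the flattened list."""
    return any(n > 1 for n in Counter(c for c, _ in flat).values())

# Constructed sample: one subject as an "AccessSubject" object, a second one
# under the generic "Category" array, plus a single resource.
SAMPLE = json.loads("""
{"Request": {
  "AccessSubject": {"Attribute": [{"AttributeId": "user-id", "Value": "alice"}]},
  "Category": [{"CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                "Attribute": [{"AttributeId": "user-id", "Value": "bob"}]}],
  "Resource": [{"Attribute": [{"AttributeId": "doc-id", "Value": "42"}]}]
}}
""")

if __name__ == "__main__":
    flat = flatten_categories(SAMPLE["Request"])
    print(len(flat), is_multiple_decision(flat))
```

Normalising before any decision logic runs means the object form, the array form and the generic `Category` form all pass through the same shape check, which is the validation concern raised earlier in the thread.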



