
xacml-dev message


Subject: RE: [xacml-dev] Handling NotApplicable

> -----Original Message-----
> From: Seth Proctor [mailto:seth.proctor@sun.com] 
> Sent: Monday, October 04, 2004 5:33 PM
> To: Kuketayev, Argyn
> Cc: xacml-dev@lists.oasis-open.org
> Subject: Re: [xacml-dev] Handling NotApplicable


>  1. The PDP you queried doesn't have a policy covering the request,
>     there are multiple PDPs that can be queried

Since I was planning to have just one PDP, I didn't think of this.


> Basically, in most scenarios, I think it's reasonable to 
> assume that Deny and NotApplicable are basically the same to 
> the application logic. The main difference is usually in the 
> meta-data (eg, logging). For your application, it sounds like 
> you don't want to expose NotApplicable to the application, 
> and I think that's ok.

Right, I don't want to expose NotApplicable to application components.
In fact, I don't want them to know anything about XACML. The only thing
they should care about is if the action is authorized.

My AuthorizationException is a RuntimeException, i.e. it doesn't have to
be declared. I'm not totally sure about this yet, but that's the way it
is now. 

I think that my system should have policies for everything, and there's
just one PDP at this moment. Therefore, NotApplicable is not a good
thing, and logs an alert for me to know that it happened.
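
The wrapper described in this message could look like the following. This is an added example, not code from the original post or from any XACML implementation: `AuthorizationGuard`, `DecisionSource` and the logger name are hypothetical, and the PDP is replaced by a constructed stub. It also fails closed on Indeterminate, the fourth XACML decision, which the message does not discuss.

```java
import java.util.logging.Logger;

// Added example; every name below is hypothetical, not from the original message.
public class AuthorizationGuard {
    /** The four decision values a XACML PDP can return. */
    public enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }

    /** Stand-in for whatever code sends the request to the single PDP. */
    public interface DecisionSource {
        Decision evaluate(String subject, String resource, String action);
    }

    /** Unchecked, so application components do not have to declare it. */
    public static class AuthorizationException extends RuntimeException {
        public AuthorizationException(String message) { super(message); }
    }

    private static final Logger LOG = Logger.getLogger("authz");
    private final DecisionSource pdp;

    public AuthorizationGuard(DecisionSource pdp) { this.pdp = pdp; }

    /** Returns normally only on PERMIT; every other outcome is refused. */
    public void check(String subject, String resource, String action) {
        Decision d = pdp.evaluate(subject, resource, action);
        if (d == Decision.PERMIT) return;
        // Strip control characters so request values cannot forge log lines.
        String req = (subject + " " + action + " " + resource).replaceAll("\\p{Cntrl}", "_");
        if (d == Decision.DENY) {
            LOG.info("denied by policy: " + req);
        } else if (d == Decision.NOT_APPLICABLE) {
            // With one PDP meant to cover everything, this is a policy gap: alert.
            LOG.severe("ALERT no policy covers: " + req);
        } else {
            // INDETERMINATE or a null result: evaluation failed, so fail closed.
            LOG.warning("decision unavailable (" + d + "): " + req);
        }
        // The caller sees one generic failure and learns nothing about XACML.
        throw new AuthorizationException("not authorized");
    }

    public static void main(String[] args) {
        // Constructed PDP stub: only "read" on "report" is covered by a policy.
        AuthorizationGuard guard = new AuthorizationGuard((s, r, a) ->
            r.equals("report") && a.equals("read") ? Decision.PERMIT : Decision.NOT_APPLICABLE);
        guard.check("alice", "report", "read");            // permitted, returns
        try { guard.check("alice", "payroll", "delete"); }  // policy gap
        catch (AuthorizationException e) { System.out.println(e.getMessage()); }
    }
}
```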

