
xacml-dev message



Subject: RE: [xacml-dev] Handling NotApplicable



On Mon, 2004-10-04 at 17:47, Kuketayev, Argyn wrote:
> Since I was planning to have just one PDP, I didn't think of this
> possibility.

That's pretty much what I thought. And that's perfectly normal, since
most applications don't use this model (from what I've seen).

> [skip]
> 
> > Basically, in most scenarios, I think it's reasonable to 
> > assume that Deny and NotApplicable are basically the same to 
> > the application logic. The main difference is usually in the 
> > meta-data (eg, logging). For your application, it sounds like 
> > you don't want to expose NotApplicable to the application, 
> > and I think that's ok.
> > 
> 
> Right, I don't want to expose NotApplicable to application components.
> In fact, I don't want them to know anything about XACML. The only thing
> they should care about is if the action is authorized.
> 
> My AuthorizationException is RuntimeException, i.e. it doesn't have to
> be declared. I'm not totally sure about this yet, but that's the way it
> is now. 
> 
> I think that my system should have policies for everything, and there's
> just one PDP at this moment. Therefore, NotApplicable is not a good
> thing, and logs an alert for me to know that it happened.

Yup, that's what it sounded like. I think you're on the right path.


seth
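
The approach discussed in this message, sketched as a deny-biased enforcement point. This is an added example, not code from either poster or from any XACML library. The `Pdp` interface, the class names and the sample requests are assumptions made for illustration, and the example also covers Indeterminate, which the thread does not mention.

```java
import java.util.logging.Logger;

public class DenyBiasedPep {
    // The four XACML decision values.
    enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }

    // Hypothetical stand-in for the PDP call; not a real library interface.
    interface Pdp { Decision evaluate(String subject, String resource, String action); }

    // Unchecked, as described in the thread, so callers need not declare it.
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String message) { super(message); }
    }

    private static final Logger LOG = Logger.getLogger("authz");
    private final Pdp pdp;

    DenyBiasedPep(Pdp pdp) { this.pdp = pdp; }

    // Returns normally only on Permit; application code never sees a Decision.
    void check(String subject, String resource, String action) {
        Decision d = pdp.evaluate(subject, resource, action);
        if (d == Decision.PERMIT) return;
        String request = subject + " " + action + " " + resource;
        if (d == Decision.DENY) {
            LOG.info("denied: " + request);
        } else {
            // With one PDP meant to hold policies for everything, NotApplicable
            // is a policy coverage gap, so it is logged as an alert.
            LOG.severe("ALERT " + d + ": " + request);
        }
        throw new AuthorizationException("not authorized: " + request);
    }

    public static void main(String[] args) {
        // Constructed PDP: policies exist only for the "report" resource.
        Pdp pdp = (s, r, a) -> !r.equals("report") ? Decision.NOT_APPLICABLE
                : s.equals("alice") ? Decision.PERMIT : Decision.DENY;
        DenyBiasedPep pep = new DenyBiasedPep(pdp);
        pep.check("alice", "report", "read"); // Permit: returns normally
        for (String[] req : new String[][] {{"bob", "report"}, {"alice", "invoice"}}) {
            try {
                pep.check(req[0], req[1], "read");
            } catch (AuthorizationException e) {
                System.out.println(e.getMessage()); // Deny, then NotApplicable
            }
        }
    }
}
```

Application code sees the same exception for Deny and NotApplicable; only the log severity differs, which keeps the distinction in the metadata as the message suggests.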


