[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xacml-dev] Handling NotApplicable
On Mon, 2004-10-04 at 17:47, Kuketayev, Argyn wrote: > Since, I was planning to have just one PDP, I didn't think of this > possibility. That's pretty much what I thought. And that's perfectly normal, since most applications don't use this model (from what I've seen). > [skip] > > > Basically, in most scenarios, I think it's reasonable to > > assume that Deny and NotApplicable are basically the same to > > the application logic. The main difference is usually in the > > meta-data (eg, logging). For your application, it sounds like > > you don't want to expose NotApplicable to the application, > > and I think that's ok. > > > > Right, I don't want to expose NotApplicable to application components. > In fact, I don't want them to know anything about XACML. The only thing > they should care is if the action is authorized. > > My AuthorizationException is RuntimeException, i.e. it doesn't have to > be declared. I'm not totally sure about this yet, but that's the way it > is now. > > I think that my system should have policies for everything, and there's > just one PDP at this moment. Therefore, NotApplicable is not a good > thing, and logs an alerts for me to know that it happened. Yup, that's what it sounded like. I think you're on the right path. seth
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]