Re: [xacml-dev] Multi-Message Exchange Examples

[Seth Proctor <Seth.Proctor@Sun.COM>]

Hi Michael.

On Fri, 2004-10-15 at 01:35, MICHAEL MENDONCA wrote:
> I need to be able to do a multi-message exchange between the PDP and
> the PEP. Is there any example out there showing how this is done? I know
> that with the SAML profile for XACML you are able to do this and I know
> that this functionality already exists in XACML 2.0. It's just that
> examples work much better for me to understand this!

I don't know of any examples. Like you say, there are facilities in SAML
and XACML 2.0 to do this, but since those are still working through the
standards process, I don't know if anyone has implemented support just
yet. Therefore, not many examples. Are you looking for a specific
scenario, or just a general example of how to use one of these new
systems?

> I need to query the context handler from a policy for an attribute based
> on the request. After getting the attribute from the context handler, I
> need to use that attribute value in an attribute selector to pull some
> information out of the resource content. I want to know if this is
> possible?

No, it is not. Your policy can certainly invoke the Context Handler when
it asks for an attribute value, and the Context Handler can use other
attributes to resolve the required attribute (my SunXACML system
provides this in its finder classes, and I'm sure other implementations
also provide something like this). You cannot, however, use the value as
part of your XPath query in an AttributeSelector. Sorry. To do this,
you'll need to write a new function that takes as arguments the XPath
expression and the value you want to include in the query.


seth