xacml-dev message



Subject: Re: [xacml-dev] [basic question] PEP recognizing authorized user.


Bill,
     Let me make it a little bit clearer.
[1] PEP maintains a session for 30 mins
[2] Let's say, a user (User-A) performs an action (Action-A) on a 
resource (WS-A).
[3] PEP intercepts this request and makes a XACML request to PDP. Let's 
say the response back from PDP is 'permit'.
[4] After 10 mins, User-A again performs Action-A on WS-A.
Here, I understood from your response that whether PEP again should make 
a request to PDP or cache the previous result is implementation based, 
right?

Thanks,
Uday.

Bill Parducci wrote:

> Uday Subbarayan wrote:
>
>> 2nd time, when the same user performs the same action on the 
>> webservice, this time PEP should recognize previous step and should 
>> just forward to webservice.
>> (it should NOT again make a XACML request to PDP).
>
>
> i am not comfortable with the assertion that a PEP should not 
> re-request authorization. there are instances where this is desirable, 
> particularly since 'previous step' can mean many things.
>
> to date PEP state has not been considered so caching/TTL issues have 
> largely been considered implementation based. ask a question, get an 
> answer. that said, one guess that one could ask the question, 'can 
> subject access resource for 5 minutes?'
>
> b
>

-- 
*****************************************************************
 Uday Subbarayan           					
 I don't blog but e-write: http://uds-web.blogspot.com		
								
*****************************************************************
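
The trade-off discussed in this thread, as an added example (not code from either poster or from the XACML specification): a PEP that caches PDP decisions with a TTL, run against the User-A / Action-A / WS-A steps with a constructed revocation at minute 5. `CachingPEP`, `run_scenario` and the in-memory policy set are hypothetical names and data.

```python
import time

class CachingPEP:
    """PEP that reuses a PDP decision for `ttl` seconds (hypothetical class)."""

    def __init__(self, pdp, ttl, clock=time.monotonic):
        self.pdp, self.ttl, self.clock = pdp, ttl, clock
        self.cache = {}      # (subject, action, resource) -> (decision, expiry)
        self.pdp_calls = 0

    def enforce(self, subject, action, resource):
        key, now = (subject, action, resource), self.clock()
        hit = self.cache.get(key)
        if hit and now < hit[1]:
            return hit[0] == "Permit"          # answered from cache, PDP not asked
        self.pdp_calls += 1
        decision = self.pdp(subject, action, resource)
        if decision in ("Permit", "Deny"):     # never cache Indeterminate/NotApplicable
            self.cache[key] = (decision, now + self.ttl)
        else:
            self.cache.pop(key, None)
        return decision == "Permit"            # anything but Permit is refused

def run_scenario(ttl):
    """Steps [2]-[4] of the message, plus a constructed revocation at minute 5."""
    now = [0.0]                                # fake clock, in seconds
    policy = {("User-A", "Action-A", "WS-A")}  # constructed PDP policy store

    def pdp(s, a, r):
        return "Permit" if (s, a, r) in policy else "Deny"

    pep = CachingPEP(pdp, ttl, clock=lambda: now[0])
    first = pep.enforce("User-A", "Action-A", "WS-A")    # step [3]
    now[0] = 5 * 60
    policy.clear()                             # permission revoked at the PDP
    now[0] = 10 * 60
    second = pep.enforce("User-A", "Action-A", "WS-A")   # step [4]
    return first, second, pep.pdp_calls

if __name__ == "__main__":
    for label, ttl in (("no cache", 0), ("5 min TTL", 300), ("30 min session", 1800)):
        print(label, run_scenario(ttl))
```

With the 30-minute session used as the TTL, the request at minute 10 is still permitted from cache after the revocation; with no cache or a 5-minute TTL the PEP asks the PDP again and the request is denied.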



