OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-dev] [basic question] PEP recognizing authorized user.

     Let me make it little bit clear.
[1] PEP maintains a session for 30 mins
[2] Let's say, a user (User-A) performs an action (Action-A) on a 
resource (WS-A).
[3] PEP intercepts this request and makes a XACML request to PDP. Let's 
say the the response back from PDP is 'permit'.
[4]After 10mins, User-A again perfoms Action-A on WS-A.
Here, I understood from your response that whether PEP again should make 
a request to PDP or cache the previous result is implementation based, 
right ?


Bill Parducci wrote:

> Uday Subbarayan wrote:
>> 2nd time, when the same user performs the same action on the 
>> webservice, this time PEP should recognize previous step and should 
>> just forward to webservice.
>> (it should NOT again make a XACML request to PDP).
> i am not comfortable with the assertion that a PEP should not 
> re-request authorization. there are instances where this is desirable, 
> particularly since 'previous step' can mean many things.
> to date PEP state has not been considered so caching/TTL issues have 
> largely been considered implementation based. ask a question, get an 
> answer. that said, one guess that one could ask the question, 'can 
> subject access resource for 5 minutes?'
> b

 Uday Subbarayan           					
 I don't blog but e-write: http://uds-web.blogspot.com		

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]