[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-dev] [basic question] PEP recognizing authorized user.
Bill Parducci wrote:
> Uday Subbarayan wrote:
>
>> Bill,
>> Let me make it a little bit clear.
>> [1] PEP maintains a session for 30 mins
>> [2] Let's say, a user (User-A) performs an action (Action-A) on a
>> resource (WS-A).
>> [3] PEP intercepts this request and makes an XACML request to PDP.
>> Let's say the response back from PDP is 'permit'.
>> [4] After 10 mins, User-A again performs Action-A on WS-A.
>> Here, I understood from your response that whether PEP again should
>> make a request to PDP or cache the previous result is implementation
>> based, right?
>
> yes. the problem is that a PDP can only generate a deterministic
> answer if given ALL inputs. PEP state information has many variables
> that are not currently considered. for example, in your explanation
> what is a 'session'? duration of IP connection? lifetime of
> authentication assertion on subject? arbitrary time values? in other
> words, the PEP has many local environment variables that must be
> considered when you start down this path.
>
> now you can say that your PEP has a very clear idea of state and that
> is fine. there is nothing that prevents you from optimizing your
> implementation. the XACML specification is more limited. this means
> that you can ask if 'X can access Y for 5 minutes,' but not make any
> assumptions (via the specification) about X being able to access Y
> multiple times with a single request. it is not that an implementation
> cannot do this, but that the specification does not account for it.
>
> does that make sense?

YES.

> b

--
*****************************************************************
Uday Subbarayan
I don't blog but e-write: http://uds-web.blogspot.com
*****************************************************************
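Steps [1] to [4] of the thread, replayed as an added Python example that is not part of the mailing-list exchange and not code from any XACML implementation. It shows the point Bill makes: a PEP may cache a PDP decision, but the cache key has to be the complete request context (subject, action, resource and the environment attributes the PDP saw), and the "session" length is a purely local PEP choice. `PdpStub`, `CachingPep`, `Request` and the short attribute ids are assumptions made for the example; a real PDP would evaluate actual XACML policy and the attribute ids would be the spec's full URNs.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, shortened attribute identifiers (assumption; the spec's URNs are longer).
SUBJECT_ID = "subject-id"
ACTION_ID = "action-id"
RESOURCE_ID = "resource-id"
ENV_ASSERTION_VALID = "env:authn-assertion-valid"


@dataclass(frozen=True)
class Request:
    """One XACML-style request context. Frozen so it can serve as a cache key.
    `environment` is a sorted tuple of (attribute-id, value) pairs so that two
    requests carrying the same attributes hash identically."""
    subject: str
    action: str
    resource: str
    environment: Tuple[Tuple[str, str], ...] = ()

    @staticmethod
    def build(subject: str, action: str, resource: str, environment: dict) -> "Request":
        return Request(subject, action, resource, tuple(sorted(environment.items())))


class PdpStub:
    """Stand-in PDP (assumption, not a real XACML engine). Its single policy:
    permit User-A / Action-A / WS-A only while the environment says the subject's
    authentication assertion is still valid. It counts how often it is consulted
    so the PEP's caching behaviour is observable."""

    def __init__(self) -> None:
        self.calls = 0

    def evaluate(self, req: Request) -> str:
        self.calls += 1
        env = dict(req.environment)
        if (req.subject, req.action, req.resource) == ("User-A", "Action-A", "WS-A") \
                and env.get(ENV_ASSERTION_VALID) == "true":
            return "Permit"
        return "Deny"


class CachingPep:
    """PEP that caches PDP decisions for `ttl_seconds`. The cache key is the whole
    request context, environment attributes included, because the PDP's answer is
    only deterministic for that full set of inputs. The TTL is the PEP's local
    'session' notion, which the XACML specification itself does not define."""

    def __init__(self, pdp: PdpStub, ttl_seconds: float) -> None:
        self.pdp = pdp
        self.ttl = ttl_seconds
        self._cache: Dict[Request, Tuple[str, float]] = {}

    def authorize(self, req: Request, now: float) -> Tuple[str, str]:
        """Return (decision, source); source is 'cache' or 'pdp'.
        `now` is passed explicitly so the scenario is deterministic."""
        hit = self._cache.get(req)
        if hit is not None:
            decision, expires_at = hit
            if now < expires_at:
                return decision, "cache"
            del self._cache[req]          # stale entry: drop it and re-evaluate
        decision = self.pdp.evaluate(req)
        self._cache[req] = (decision, now + self.ttl)
        return decision, "pdp"


def run_thread_scenario() -> Tuple[List[Tuple[str, str]], int]:
    """Replays steps [1]-[4] from the thread, then two follow-ups."""
    pdp = PdpStub()
    pep = CachingPep(pdp, ttl_seconds=30 * 60)              # [1] 30-minute session
    ok = Request.build("User-A", "Action-A", "WS-A", {ENV_ASSERTION_VALID: "true"})
    trace = []
    trace.append(pep.authorize(ok, now=0))                  # [2]/[3] first request, PDP asked
    trace.append(pep.authorize(ok, now=10 * 60))            # [4] 10 min later, served from cache
    # Same subject/action/resource but the assertion has lapsed: a different input,
    # hence a different cache key and a fresh PDP evaluation rather than a cache hit.
    lapsed = Request.build("User-A", "Action-A", "WS-A", {ENV_ASSERTION_VALID: "false"})
    trace.append(pep.authorize(lapsed, now=10 * 60))
    # Past the 30-minute TTL the cached permit is stale and the PDP is consulted again.
    trace.append(pep.authorize(ok, now=31 * 60))
    return trace, pdp.calls


if __name__ == "__main__":
    for step, (decision, source) in enumerate(run_thread_scenario()[0], 1):
        print(f"request {step}: {decision} (from {source})")
```

The trace comes out as Permit/pdp, Permit/cache, Deny/pdp, Permit/pdp with three PDP calls in total. The design choice worth noting is that the TTL is the window during which a permission revoked at the PDP is still honoured by this PEP, so the "session" length is a risk decision the PEP owner makes, not something the specification settles for them.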