[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Obligations: How can they be used?
Hello,
I'm experimenting with XACML, especially with the obligations part.
The idea is, that access also requires additional handling, as e.g. logging
of the message, or the encryption of the response (if the policy secures a
web service).
When experimenting with SUN's implementation, I have problems to get the
basic idea of the structure of an obligation. The XACML1.0 standard does not
tell very much about this, and I found (at least no positive) answers in the
mailing lists.
Concrete I would like to solve the following two problems:
1st:
I expected that an obligation can carry any internal structure like
<Obligation ObligationId="TESTPERMIT1" FulfillOn="Permit">
<enyryptFor>C=A, O=arctis, OU=R&D, CN=Michael Breu</enyryptFor>
</Obligation>
However I see no way to express something like this, unless I encode it with
fairly complex AttributeAssignments. Is this right?
2nd: Is there any way to make obligations dynamic? E.g. bringing in data
from the target or the resource?
I would like to express something like: "The response for the web service
call must be encrypted for the person that sent the call"
e.g.
<Obligation ObligationId="TESTPERMIT2" FulfillOn="Permit">
<AttributeAssignment AttributeId="EncryptObligation"
DataType="http://www.w3.org/2001/XMLSchema#anyURI";>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</AttributeAssignment>
</Obligation>
Any ideas how to express this in a XACML policy?
Best regards
Michael
____________________________________________________________
Dr. Michael Breu xacml@arctis.at
arctis Softwaretechnologie http://www.arctis.at
Hauptstrasse 79 Tel +43-(5238) 86325
6401 Inzing Mobile +43 (676) 3439918
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]