OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Obligations: How can they be used?


I'm experimenting with XACML, especially with the obligations part.

The idea is, that access also requires additional handling, as e.g. logging
of the message, or the encryption of the response (if the policy secures a
web service).

When experimenting with SUN's implementation, I have problems to get the
basic idea of the structure of an obligation. The XACML1.0 standard does not
tell very much about this, and I found (at least no positive) answers in the
mailing lists.

Concrete I would like to solve the following two problems:

I expected that an obligation can carry any internal structure like

        <Obligation  ObligationId="TESTPERMIT1" FulfillOn="Permit">
          <enyryptFor>C=A, O=arctis, OU=R&D, CN=Michael Breu</enyryptFor>

However I see no way to express something like this, unless I encode it with
fairly complex AttributeAssignments. Is this right?

2nd: Is there any way to make obligations dynamic? E.g. bringing in data
from the target or the resource?

I would like to express something like: "The response for the web service
call must be encrypted for the person that sent the call"

  <Obligation  ObligationId="TESTPERMIT2" FulfillOn="Permit">
    <AttributeAssignment  AttributeId="EncryptObligation"

Any ideas how to express this in a XACML policy?

Best regards


Dr. Michael Breu              xacml@arctis.at
arctis Softwaretechnologie    http://www.arctis.at
Hauptstrasse 79               Tel +43-(5238) 86325
6401 Inzing                   Mobile +43 (676) 3439918

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]