Subject: Obligations: How can they be used?
Hello,

I'm experimenting with XACML, especially with the obligations part. The idea is that access also requires additional handling, e.g. logging of the message, or the encryption of the response (if the policy secures a web service).

When experimenting with SUN's implementation, I have problems getting the basic idea of the structure of an obligation. The XACML 1.0 standard does not tell very much about this, and I found no (at least no positive) answers in the mailing lists.

Concretely, I would like to solve the following two problems:

1st: I expected that an obligation can carry any internal structure like

    <Obligation ObligationId="TESTPERMIT1" FulfillOn="Permit">
      <encryptFor>C=A, O=arctis, OU=R&amp;D, CN=Michael Breu</encryptFor>
    </Obligation>

However, I see no way to express something like this, unless I encode it with fairly complex AttributeAssignments. Is this right?

2nd: Is there any way to make obligations dynamic? E.g. bringing in data from the target or the resource? I would like to express something like: "The response for the web service call must be encrypted for the person that sent the call", e.g.

    <Obligation ObligationId="TESTPERMIT2" FulfillOn="Permit">
      <AttributeAssignment AttributeId="EncryptObligation"
          DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
      </AttributeAssignment>
    </Obligation>

Any ideas how to express this in an XACML policy?

Best regards
Michael
____________________________________________________________
Dr. Michael Breu                 xacml@arctis.at
arctis Softwaretechnologie       http://www.arctis.at
Hauptstrasse 79                  Tel +43-(5238) 86325
6401 Inzing                      Mobile +43 (676) 3439918
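
Added example, not part of the original message and not code from SUN's implementation: the recipient from the first question carried as a single AttributeAssignment with a literal value, together with a minimal enforcement point in Python that reads it and denies access when it has no handler for an obligation. The AttributeId "encryptFor", the handler and the function names are hypothetical, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"  # XACML 1.0 policy namespace

# Constructed sample: obligations a PDP could return alongside a Permit.
# ObligationId is taken from the message; AttributeId "encryptFor" is hypothetical.
SAMPLE = f"""
<Obligations xmlns="{NS}">
  <Obligation ObligationId="TESTPERMIT1" FulfillOn="Permit">
    <AttributeAssignment AttributeId="encryptFor"
        DataType="urn:oasis:names:tc:xacml:1.0:data-type:x500Name">C=A, O=arctis, OU=R&amp;D, CN=Michael Breu</AttributeAssignment>
  </Obligation>
</Obligations>
"""

def parse_obligations(xml_text):
    """Return [(obligation_id, fulfill_on, {attribute_id: (datatype, value)})]."""
    out = []
    for ob in ET.fromstring(xml_text).iter(f"{{{NS}}}Obligation"):
        attrs = {}
        for aa in ob.findall(f"{{{NS}}}AttributeAssignment"):
            attrs[aa.get("AttributeId")] = (aa.get("DataType"), (aa.text or "").strip())
        out.append((ob.get("ObligationId"), ob.get("FulfillOn"), attrs))
    return out

def enforce(decision, xml_text, handlers):
    """Enforcement point: run one handler per obligation, fail closed on unknown ones."""
    actions = []
    for ob_id, fulfill_on, attrs in parse_obligations(xml_text):
        if fulfill_on != decision:
            continue  # obligation is bound to the other effect
        handler = handlers.get(ob_id)
        if handler is None:
            return "Deny", []  # obligation cannot be discharged, so no access
        actions.append(handler(attrs))
    return decision, actions

def encrypt_handler(attrs):
    """Hypothetical handler: a stand-in for encrypting the response."""
    _datatype, recipient = attrs["encryptFor"]
    return ("encrypt-response-for", recipient)

if __name__ == "__main__":
    print(enforce("Permit", SAMPLE, {"TESTPERMIT1": encrypt_handler}))
    print(enforce("Permit", SAMPLE, {}))  # no handler registered
```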