[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Validating XACML policies and requests against XSD
I've noticed lately that some commercial and open source PDP engines do not validate requests and policies against XSD that is a part of XACML specification. I could see two problems related to that: 1. Each and every security auditor would say that absence of input data validation is a security breach in waiting. It's true even for 'regular' business applications. In the case of authorization systems this fact should be given even a bigger attention considering criticality of these systems. 2. It affects PDP's interoperability. Example that Hao has provided makes me thing that sunxacml disregards namespaces, it means that it won't be interoperable with any PDP engine that does the validation against XSD. Seth, please let me know if my observation is not correct. I think it should be clearly stated in the XACML specification that if a request or policy is not compliant with XSDs the process of evaluation should not even start and all invalid requests and policies should be rejected by PDP.