
xacml-users message


Subject: Re: [xacml-users] Validating XACML policies and requests against XSD

Thanks for the clarification.

I agree with you that XSDs can be checked at development and
testing time. Once XACML documents are proved to be conforming, there
may not be a need to validate every time at runtime.

Particularly with Policies, if they are stored as non-XML once they  
are processed. (This depends on the PDP code?)

As to the Request and Response, though, the XACML system or policy
designer may not know what they are in advance. They may also be sent
from other systems which have different vendors etc.

In this case, if the sending systems validated them beforehand, they  
do not have to be validated again at the receiving end.

However, such cannot be guaranteed, even if they carried an additional  
Attribute that may ask for no validation to be done (can it be  
embedded with SOAP?).

What is your thought on this? Do we still leave it for the XACML  
system to be switched on or off, regardless?

By the way, this discussion is separate from the support of
namespaces, which I know is supported in 1.1. So, you are confirming
that the Sun XACML 2.0 engine code supports those old namespaces used
by XACML 1.1, but not the new ones used by XACML 2.0, yet. Is that

Yoichi Takayama, PhD
Senior Research Fellow
RAMP Project
MELCOE (Macquarie E-Learning Centre of Excellence)

Phone: +61 (0)2 9850 9073
Fax: +61 (0)2 9850 6527


On 14/01/2009, at 7:26 AM, Seth Proctor wrote:

> Hi Oleg (et al). I'll speak from my SunXACML experience, since I'm not as
> familiar with some of the other tools out there.
>
> It's always been my personal opinion that libraries and other core tools
> should not do schema validation by default. It's often the case that
> embedding or calling tools will already have done validation, or will
> be generating the content, in which case enforcing validation is wasted
> work.
>
> This said, validation should of course be supported. In the case of both
> the process of loading a Request and a Policy is a plugin point. This
> means that the author of that mechanism can choose to do validation or not
> as is appropriate for their environment. The sample/default implementations
> provided with the project have a property to set if you want to turn on
> validation.
>
> In a similar vein, SunXACML (and most of the tools I write which consume
> XML) assumes that the content it's handed is XML/Schema valid. In other
> words, there's minimal attempt to check for possible flaws while processing
> any input. Can this lead to problems? Yes. Again, I feel it's up to the
> user of a library like SunXACML to decide whether the content is known
> to be valid, to enforce validation of all content, or, umm, live
> dangerously :)

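The question raised in this message, whether a receiver can skip validation because the sender says it already validated, shown as an added example (not part of the original thread and not SunXACML code). It uses only the JDK's `javax.xml.validation` API; the class name `RequestGate`, the stand-in schema, the `urn:example:ctx` namespace and the `skipValidation` attribute are constructed for illustration, and a real deployment would load the OASIS XACML context XSD instead.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

public class RequestGate {
    // Constructed stand-in schema (assumption), not the real XACML context XSD.
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' "
      + "targetNamespace='urn:example:ctx' elementFormDefault='qualified'>"
      + "<xs:element name='Request'><xs:complexType><xs:sequence>"
      + "<xs:element name='Subject' type='xs:string'/>"
      + "<xs:element name='Resource' type='xs:string'/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    private final Schema schema;

    RequestGate() throws Exception {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no external DTD fetches
        f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // no external schema fetches
        schema = f.newSchema(new StreamSource(new StringReader(XSD)));
    }

    // prevalidatedChannel is receiver-side configuration for a known sender.
    // It is never derived from anything inside the message itself.
    boolean accept(String xml, boolean prevalidatedChannel) {
        if (prevalidatedChannel) return true; // the "switched off" case
        try {
            Validator v = schema.newValidator();
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            v.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (Exception e) { // SAXException: not schema-valid or not well-formed
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        RequestGate gate = new RequestGate();
        String ok = "<Request xmlns='urn:example:ctx'><Subject>alice</Subject>"
                  + "<Resource>doc1</Resource></Request>";
        // Constructed request that claims prior validation but omits Resource.
        String claimed = "<Request xmlns='urn:example:ctx' skipValidation='true'>"
                       + "<Subject>alice</Subject></Request>";
        System.out.println("valid request accepted: " + gate.accept(ok, false));
        System.out.println("self-declared 'validated' accepted: " + gate.accept(claimed, false));
    }
}
```

The in-message claim has no effect on the outcome: the second request is rejected because the undeclared attribute and the missing element both fail the schema, and the only way to skip the check is the receiver's own per-channel setting.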
