[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] Single request to query multiple resources withmultiple actions on each resource
Thanks for all the replies. Can anyone provide an example of a <MultiRequest> request and response, it would be a great help to understand the functionality. Is there a test case for this already? Please see comments inline. Andy Bailey On Tue, 2009-09-22 at 12:31 -0700, Yoichi Takayama wrote: > Hi > > With a casual inspection, I agree with Oleg that, I don't see any > mention of XACML profile which will allow the use of multiple Actions > in the Request. > > With <MultiRequest> defined in xacml-3.0-multiple-v1-spec-cd-1-en.pdf > (this profile was out since XACML 2.0), you can specify multiple > Resources. A <MultiRequest> generates multiple <Request>s for the > multiple Resources automatically and a PDP returns multiple > <Response>s; that is, a Response each for each Resource. > > The XACML Core is clear that you can make a Request with multiple > Subjects and only one Action and one Resource (except where the > optional Multiple Resource Profile is implemented). > > Although XACML 3.0 allows you to define multiple Action Attributes in > the request, I can interpret that this means the Action has all those > Attributes (i.e. that means "AND" logic), but the Action is still only > one Action. (If one can define multiple action-id Attributes there, I > am not sure what that means). > > So, I can't see how to define multiple Actions against multiple > Resources and generate the requests for all possible combinations and > get all Responses for them automatically. It doesnt have to be automatic, theres no problem generating the cartesian product in software, I wanted to avoid all the round trips of multiple single requests to the server. > Besides, then, how do you know what the combinations were??? I can see > that the Multiple Resource <Response>s will be marked with the > Resource IDs or attributes that were in the requests, but no mention > of any Action ID or Action Attributes. The Attribute element has a new attribute IncludeInResult can be set to true, I imagine that would apply to the Action Attributes as well, please can someone clarify how this works. > > I hope that this is correct. Anyone, please correct if this is wrong. > > Yoichi > > > > On 22/09/2009, at 9:51 AM, Oleg Gryb wrote: > > > Andy, > > > > You can use multiple resources in a request and will get multiple > > decisions (one for each resource) in a response, but I'm not aware > > about a mechanism in XACML 2.0 that would allow to use different > > actions for each resource. > > > > Please also notice that XACMLight doesn't use sun-xacml library and > > is an independent implementation. > > > > I also think that sun-xacml's 2.0 implementation doesn't support > > multiple resources in a request and multiple decisions in a response > > at all (Seth, please let me know if this changed). > > > > Thanks, > > Oleg. > > > > --- On Tue, 9/22/09, Ludwig Seitz <ludwig@axiomatics.com> wrote: > > > >> From: Ludwig Seitz <ludwig@axiomatics.com> > >> Subject: Re: [xacml-users] Single request to query multiple > >> resources with multiple actions on each resource > >> To: "Andy Bailey" <andy@hazlorealidad.com> > >> Cc: "xacml-users" <xacml-users@lists.oasis-open.org> > >> Date: Tuesday, September 22, 2009, 10:17 AM > >> On Tue, 2009-09-22 at 08:47 -0500, > >> Andy Bailey wrote: > >>> Hello, > >>> > >>> This is my first post on the mailing list and I only > >> discovered xacml > >>> this week, so please be tolerant if I ask questions > >> with obvious > >>> answers. > >>> > >>> I have searched through the xacml 2.0 spec for the > >> capabilities to do > >>> the following: > >> > >> As far as I know what you are trying to do is not possible > >> with > >> XACML 2.0 and the 2.0 Multiple Resource profile. > >> > >> What you would need is XACML 3.0 and the corresponding > >> Multiple > >> Resources profile. There you can do exactly what you where > >> describing > >> (i.e. multiple Resource elements _and_ multiple Action > >> elements in a > >> Request). > >> > >> As XACML 3.0 isn't finalized yet, there are not many > >> implementations > >> available. > >> > >> > >> Now for the shameless plug: > >> > >> AFAIK we (Axiomatics) are currently the only providers of > >> an XACML 3.0 > >> implementation (including the Multiple Resource Profile for > >> 3.0). > >> > >> Hope it helps, > >> > >> Ludwig Seitz > >> > >> > >> -- > >> Ludwig Seitz, PhD > >> | Axiomatics AB > >> Training & Development > >> | Electrum 223 > >> Phone: +46 (0)760 44 22 91 > >> | S-164 40 Kista, Sweden > >> Mail: ludwig@axiomatics.com | > >> > > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org > > For additional commands, e-mail: xacml-users-help@lists.oasis-open.org > > >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]