Subject: RE: [xacml-users] Schema to Java binding
Thanks Fatih for the info. It didn’t seem that Permis is using SAML profile for XACML at this point. Maybe I should turn my question to the vendors on this mailing list (e.g. Oracle, Axiomatics, etc.). Do you use SAML profile for XACML in your products?

Thanks!

ND

From: Fatih Turkmen [mailto:fturkmen@gmail.com]

Hi Nick,

I myself haven't done it but Permis (http://sec.cs.kent.ac.uk/permis/) should have done it at a certain point. I hope this helps.

--

On Sat, Jul 2, 2011 at 12:14 AM, Nick Duan <nduan@verizon.net> wrote:

Thanks for all your responses. Actually I am not trying to create Java bindings for implementing the PDP, but to create a web service to communicate with the PEP. The PDP part in our project is handled by Sun’s XACML engine. That’s why I had to deal with not just XACML, but also SAML and especially SAML profile for XACML.

Another particular problem I came across is the <xacml-saml:XACMLAuthzDecisionStatementType> in the SAML for XACML profile version 2.0. It is defined as an extension of the saml:StatementAbstractType, i.e.:

    <complexType name="XACMLAuthzDecisionStatementType">
      <complexContent>
        <extension base="saml:StatementAbstractType">
          <sequence>
            <element ref="xacml-context:Response"/>
            <element ref="xacml-context:Request" minOccurs="0"/>
          </sequence>
        </extension>
      </complexContent>
    </complexType>

But if you look at how saml:StatementAbstractType is defined in the SAML assertion schema, you will find it is just a placeholder, i.e.

    <element name="Statement" type="saml:StatementAbstractType"/>
    <complexType name="StatementAbstractType" abstract="true"/>

I guess this is for potential substitutions for a concrete saml:Statement. But there is no such XACMLAuthzDecisionStatement element defined in xacml-saml. My binding compiler just throws errors at this point. Shouldn’t there be a concrete XACMLAuthzDecisionStatement element defined in xacml-saml to make the schema complete?

Has anyone successfully used SAML profile for XACML 2.0 in their web services implementation? If yes, please help!

Thanks!

ND

From: Oleg Gryb [mailto:oleg_gryb@yahoo.com]

Yes, it's a problem and I had to struggle with it in both Java (xml beans) and in Ruby. The code looked ugly in Java and in Ruby I've ended up with manual parsing and no binding at all.

The other problem that you might face: memory consumption when you serialize XML with millions of nodes to Java classes. I believe some popular PDP implementations don't even do schema validation, which is dangerous in my view. XSD is unnecessarily complicated in XACML and could/should be simplified. On the other hand, an engine that doesn't do schema validation should be considered non-compliant with the spec.
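
Added example, not part of the original thread or of any product mentioned in it: an abstract schema type such as saml:StatementAbstractType is instantiated in a document by putting xsi:type on the generic saml:Statement element, so a PEP that parses the response by hand, without a binding, has to resolve that QName itself and should deny on anything it does not recognise. The function names and the sample assertion are constructed for illustration, the namespace URIs are those of the SAML 2.0 and XACML 2.0 schemas, and signature verification of the assertion is assumed to happen before this code runs.

```python
import io
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XACML_SAML = "urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
WANTED = (XACML_SAML, "XACMLAuthzDecisionStatementType")

def decisions(xml_text):
    """Decision values from every saml:Statement whose xsi:type is WANTED."""
    scope, found = [], []          # scope: in-scope (prefix, uri) declarations
    events = ("start-ns", "end-ns", "end")
    for event, item in ET.iterparse(io.BytesIO(xml_text.encode()), events):
        if event == "start-ns":
            scope.append(item)
        elif event == "end-ns":
            scope.pop()
        elif item.tag == f"{{{SAML}}}Statement":
            # xsi:type is a QName; ElementTree leaves its prefix unresolved,
            # so map the prefix to a namespace URI before comparing.
            prefix, _, local = item.get(f"{{{XSI}}}type", "").rpartition(":")
            uri = next((u for p, u in reversed(scope) if p == prefix), None)
            if (uri, local) == WANTED:
                path = f"{{{CTX}}}Response/{{{CTX}}}Result/{{{CTX}}}Decision"
                found += [(d.text or "").strip() for d in item.findall(path)]
    return found

def is_permitted(xml_text):
    """Fail closed: malformed XML, no statement, or any non-Permit denies."""
    try:
        found = decisions(xml_text)
    except ET.ParseError:
        return False
    return bool(found) and all(d == "Permit" for d in found)

def sample(decision, type_ns=XACML_SAML):
    """Constructed, trimmed assertion (no Issuer, ID or signature)."""
    return (f'<saml:Assertion xmlns:saml="{SAML}" xmlns:xsi="{XSI}" '
            f'xmlns:xs="{type_ns}" xmlns:ctx="{CTX}">'
            '<saml:Statement xsi:type="xs:XACMLAuthzDecisionStatementType">'
            f'<ctx:Response><ctx:Result><ctx:Decision>{decision}</ctx:Decision>'
            '</ctx:Result></ctx:Response></saml:Statement></saml:Assertion>')

if __name__ == "__main__":
    for d in ("Permit", "Deny"):
        print(d, is_permitted(sample(d)))
```

Comparing the resolved namespace URI rather than the literal prefix matters: the same type name bound to a different namespace is rejected instead of being treated as an authorization decision.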