xacml-users message
Subject: Re: [xacml-users] XACML with posted XML request for OGC Web Processing Service


Hi,

I wouldn't necessarily see this as an abuse of the ResourceContent element.

The spec at http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf says very little about the appropriate use of that element. (line 2959)

I see the element as a means of sending a XACML document which may represent a resource or part of a resource (e.g. an entire medical record expressed as XML or only that XML section that deals with terminal illnesses). The same would apply in your case.

I don't see why you consider the content in your case to not be the resource (or a part describing the resource). If it is part of the decision process you want to make, then you can include it there.

Note though that attribute selectors are possibly not the easiest thing to use - they require policy authors to know XML and XPath fairly well. What you could do is have a PEP do the XML manipulation using XPath and convert the output of the XPath on the XML content to proper attributes in a XACML request which would then be compared to attribute designators in a XACML policy.

By the way, the fact the PEP uses the XACML-SAML profile is orthogonal to your challenge here.

I hope this helps,
David.

On Wed, Dec 21, 2011 at 8:01 PM, <Richard.Wilkinson@tessella.com> wrote:
We want to protect an OGC Web Processing Service using XACML 2.0 policies. WPS executes requests
contained in an input XML document which is sent as post data. Authorization may depend on
parameters contained in that document. One approach would be for the PEP to create a SAML request
using the XACML-SAML profile. The WPS request document could be embedded in a ResourceContent
element. AttributeSelectors could be used to select parameters in the WPS document, such as the
source of the data to be processed by the service, which are used to make authorization decisions.

Since the XML fragment contained in the ResourceContent is not actually the content of a resource,
is this an abuse of the element? Is there a better way of representing the WPS data in XACML?


--
David Brossard, M.Eng, SCEA, CSTP
VP Product Marketing & Customer Relations
Axiomatics AB
Skeppsbron 40
S-111 30 Stockholm, Sweden
http://www.linkedin.com/companies/536082
http://www.axiomatics.com
http://twitter.com/axiomatics
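
The PEP-side conversion suggested in the reply above, as an added example that is not part of the original message or of any product's code: fixed XPath queries pull the process identifier and every input reference out of a WPS 1.0.0 Execute document and emit them as ordinary attributes in a XACML 2.0 request context. The `urn:example:wps:*` attribute ids, the sample document and its URLs are assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wps": "http://www.opengis.net/wps/1.0.0", "ows": "http://www.opengis.net/ows/1.1"}
HREF = "{http://www.w3.org/1999/xlink}href"
CTX = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
XS = "http://www.w3.org/2001/XMLSchema#"
X1 = "urn:oasis:names:tc:xacml:1.0:"
# Hypothetical attribute ids for this sketch; a deployment defines its own.
PROCESS_ID, INPUT_SOURCE = "urn:example:wps:process-id", "urn:example:wps:input-source"
# Constructed sample of a posted WPS Execute document with two referenced inputs.
SAMPLE = b"""<wps:Execute service="WPS" version="1.0.0"
  xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1"
  xmlns:xlink="http://www.w3.org/1999/xlink">
 <ows:Identifier>buffer</ows:Identifier>
 <wps:DataInputs>
  <wps:Input><ows:Identifier>a</ows:Identifier><wps:Reference xlink:href="http://data.example.org/roads"/></wps:Input>
  <wps:Input><ows:Identifier>b</ows:Identifier><wps:Reference xlink:href="http://other.example.net/parcels"/></wps:Input>
 </wps:DataInputs></wps:Execute>"""

def extract_wps_attributes(body):
    """PEP side: fixed XPath queries over the posted document; an exception means deny."""
    root = ET.fromstring(body)
    if root.tag != "{%s}Execute" % NS["wps"]:
        raise ValueError("not a wps:Execute request")
    process = (root.findtext("ows:Identifier", "", NS) or "").strip()
    refs = root.findall("wps:DataInputs/wps:Input/wps:Reference", NS)
    sources = [r.get(HREF) for r in refs]
    if not process or None in sources:
        raise ValueError("missing process identifier or reference href")
    return process, sources  # every source is kept, not only the first

def _attr(parent, attr_id, datatype, values):
    a = ET.SubElement(parent, CTX + "Attribute", AttributeId=attr_id, DataType=XS + datatype)
    for v in values:
        ET.SubElement(a, CTX + "AttributeValue").text = v

def build_xacml_request(subject, service_url, body):
    """Build a XACML 2.0 request context with plain attributes and no ResourceContent."""
    process, sources = extract_wps_attributes(body)
    req = ET.Element(CTX + "Request")
    _attr(ET.SubElement(req, CTX + "Subject"), X1 + "subject:subject-id", "string", [subject])
    res = ET.SubElement(req, CTX + "Resource")
    _attr(res, X1 + "resource:resource-id", "anyURI", [service_url])
    _attr(res, PROCESS_ID, "string", [process])
    if sources:  # literal-only requests carry no source attribute
        _attr(res, INPUT_SOURCE, "anyURI", sources)
    _attr(ET.SubElement(req, CTX + "Action"), X1 + "action:action-id", "string", ["Execute"])
    ET.SubElement(req, CTX + "Environment")
    return ET.tostring(req)
```

A policy can then match the two resource attributes with ordinary attribute designators; emitting every referenced source as a multi-valued attribute keeps a second input from escaping a rule that only looked at the first.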
