OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [xacml-users] Policy with subject specific resources

On tis, 2012-02-28 at 12:49 +0000, Richard.Wilkinson@tessella.com wrote:
> I have been asked to investigate how we should implement a XACML
> policy to authorise a user to access a personal section of a web
> application, and would be grateful for comments. I am aware of the
> method described in
> http://lists.oasis-open.org/archives/xacml/200404/msg00076.html, which
> addresses the type of problem I am concerned with. It is preferred to
> not use the subject-id as part of the URL, so that the URLs cannot be
> guessed. ....

Does that mean that if you guess the right URL you can circumvent access
control? That doesn't seem very secure to me.

> Is there a better method (where "better" includes requiring less/no
> custom modification to the PDP or PEP, scaling well with number of
> users and being manageable)?
Don't you have an authenticated session or something similar with the
web app? You could save a reference to the subject-id in a cookie and
retrieve it from a Map at the server side using the session context.
Something like this:


idrefMap={{3454469,Alice},{5644648, Bob}, ....}

The communication would be something like this:

0. client ---- authenticate ----> server
1. server stores identity in idrefMap
2. server ---- cookie with idref ----> client
3. client ---- read personal page ----> server
4. (inside server) PEP --- access request ---> PDP
5. (inside server) PDP --- response ---> PEP
6. server --- access/denied ---> client

so in step 2. the PEP would build the XACML request including the

The general idea would be to generate the resource information from the
URL, the subject info from the session and the action e.g. from the http
method (put/get/update/delete).

Hope it helps,


Ludwig Seitz, PhD
Swedish Institute of Computer Science 
Ideon Science Park
Building Beta 2 3v 
Scheelevägen 17 
SE-223 70 Lund

Phone +46(0)70-349 92 51

Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]