[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [xacml] J2SE Use Cases
For a long time, I have been thinking about how to represent the Java permissions model in an external policy language (e.g. XACML) and I really do not know how to do it. Perhaps a beeter way of describing my thoughts is that I do not clearly understand what part of the problem we can solve and what part we can not.
The problem as I see it is that Java permissions classes encapsulate the processing used to match Required permissions against Granted permissions. This processing is crucial to policy evaluation in all but the most trivial cases. For example, it is used to expand wildcards in file I/O permissions. It could also be used to implement a clearance/label type model.
Since the implies method is written in Java, the permission matching semantics are essentiall open ended. How should XACML treat this situation?
1. Keep track of permissions by name only and ignore the implies semantics?
2. Express the implies semantics in XACML in place of the Java permission classes?
3. Duplicate the semantics in XACML and keep the two in sync somehow?
4. Some other approach?
If I am completely misunderstanding this, I hope some one will please explain it to me.
Hal
> -----Original Message-----
> From: Sekhar Vajjhala - Sun Microsystems
> [mailto:sekhar.vajjhala@sun.com]
> Sent: Monday, December 17, 2001 12:39 PM
> To: xacml@lists.oasis-open.org
> Subject: [xacml] J2SE Use Cases
>
>
> Attached is the J2SE Use Case. I did not have time to complete it
> by COB Friday.
>
> --
> Sekhar
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC