Re: [xacml] default environment attributes and explicit attributes

[Seth Proctor <Seth.Proctor@sun.com>]

> Is the intent that default environment attributes should only be 
> created on an "as needed" basis?  For example, looking at the test 
> suite, default time, etc., are needed for IIA017 019 and 021.  If we 
> always add the time, then tests 016 018 and 020 fail, because the 
> request message includes a time, and the policies do 
> time-one-and-only.

Your first instinct is correct. These values are only provided as 
needed. If, for example, the current time is provided in the Request, 
then the Context Handler is not responsible for generating the value. 
See section 10.2.5 of the 2.0 specification (I think it's explained 
somewhere else too, but I don't have it in front of me right now).

You're right in your reading of the tests. If a second version of the 
current time (for example) was provided, then the one-and-only function 
would fail. This is one of the reasons we have the behavior we do. The 
more compelling reason (in my opinion) is so you can always define the 
time at the PEP if you want to override some server notion of the 
current time (for instance, offloading processing to a server in 
another timezone). Note that I raise this issue at the risk of 
re-opening an old debate, but I promise that is not my intent :)

> Are we missing something in the spec, or are the tests wrong?

Nope. Nothing is missing, and the tests are correct. The CH/PDP only 
provides the current date/time values if they're not already available.


seth