OASIS Mailing List Archives

 



xacml message



Subject: Re: [xacml] Bindings and frameworks for PEP to PDP access


Some comments below:
> [Hal]
>
> I have been thinking about this, but my conclusion is that the XACML
> Request and Response Contexts do in fact specify a language independent
> API. Since the spec says that it is not required that they be
> instantiated as XML documents, that means implementations are free to
> map them (and some invocation mechanism) to the mechanisms and data
> types of Java, C++ or whatever language needs to be supported.
>
> I believe Prateek's motives are to provide better performance while
> retaining the interoperability of the SAML decision request protocol.
> IMO this will only be obtained by specifying language specific
> datatypes, etc. in detail.
> [\Hal]
>   

Agreed, the objective would be to explore how XACML request/response can 
be exposed thru a performant API.
This will necessarily be language dependent.

> [Hal]
>
> As an additional requirement, I believe that applications per se should
> not be making calls to the PDP. I think that in ordinary cases the
> container should act as the PEP and collect the inputs and call the PDP.
> This applies whether the container is J2EE, Servlet or .Net. 
>
> [\Hal]
>   
I don't believe that fine-grained authorization can be completely modeled 
at the container-level. Another way to express
this is that some applications will need to be security aware. This is 
especially the case when attributes bound to business
objects need to be taken into account when making authorization decisions.


