Subject: Re: [xacml] RE: Context Handler
On 2011-12-19 16:11, firstname.lastname@example.org wrote:
Erik,

-----Original Message-----
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Erik Rissanen
Sent: Monday, December 19, 2011 4:02 PM
To: Sinnema, Remon
Cc: email@example.com
Subject: Re: [xacml] RE: Context Handler

Hi Ray,

Ok, I understand, but I would say that this is a flaw in the implementation in this case.

I don't think the spec is clear enough in this area. It doesn't define what exactly a PIP can and cannot do. If we make the description of the PIP clearer so that it explicitly can do more than retrieve values for attributes that are missing from the request, then I agree we don't need a REP. However, I do wonder based on what information the PDP will decide to ask the PIP for more attribute values. Or do you propose the PDP always reaches out to all PIPs?

Thanks,
Ray
Ray,

This is easy to control through the context handler setup/config. A context handler which is configured to always invoke a particular PIP is equivalent to deploying a "REP".
The XACML architecture is intended to be an abstract view of the big picture and applicable to many diverse environments, so it intentionally leaves out many details. Making it more detailed would clutter the architecture or make it less generally applicable. There are so many things it could cover, like caching, pre-fetching, communication protocols, when to invoke which PIP, etc. I prefer to keep it simple in the spec.
Best regards, Erik
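The equivalence Erik describes, shown as an added example that is not code from this thread, the XACML spec or any XACML implementation: one context handler with two invocation modes. In "eager" mode the PIPs listed in `always_invoke` run before the PDP sees the request, which is the "REP" behaviour; in "lazy" mode a PIP is consulted only when the PDP reports an attribute missing. How the handler picks a PIP in lazy mode (each PIP registers the attribute ids it can supply) is this example's own assumption and answers Ray's question in one possible way, not the spec's; the class names, toy PDP rule and backing data are all constructed.

```python
"""Context handler invoking PIPs eagerly (always) or lazily (on PDP demand).
Added example; names, the toy policy and the sample data are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Simplified request context: attribute id -> value (XACML categories and
# datatypes omitted).
Context = Dict[str, str]


@dataclass
class PIP:
    name: str
    provides: Set[str]                    # attribute ids this PIP can supply (assumption)
    fetch: Callable[[Context], Context]   # lookup against the current context


@dataclass
class Decision:
    result: str                                     # Permit / Deny / Indeterminate
    missing: Set[str] = field(default_factory=set)  # attributes the PDP needed but lacked


def pdp_evaluate(ctx: Context) -> Decision:
    """Toy PDP with one rule: analysts may access anything not classified secret."""
    needed = {"subject:role", "resource:classification"}
    missing = needed - set(ctx)
    if missing:
        return Decision("Indeterminate", missing)
    if ctx["subject:role"] == "analyst" and ctx["resource:classification"] != "secret":
        return Decision("Permit")
    return Decision("Deny")


class ContextHandler:
    def __init__(self, pips: List[PIP], always_invoke: Set[str]):
        self.pips = {p.name: p for p in pips}
        self.always_invoke = set(always_invoke)
        self.invocations: List[str] = []   # recorded so the two modes can be compared

    def _run(self, name: str, ctx: Context) -> None:
        self.invocations.append(name)
        for attr, value in self.pips[name].fetch(ctx).items():
            ctx.setdefault(attr, value)   # design choice here: PEP-supplied values win

    def decide(self, request: Context) -> Decision:
        ctx = dict(request)
        # Eager path: a PIP configured to always run enriches the request before
        # the PDP sees it, i.e. the "REP" behaviour from the thread.
        for name in sorted(self.always_invoke):
            self._run(name, ctx)
        decision = pdp_evaluate(ctx)
        # Lazy path: on a missing attribute, consult only PIPs that registered
        # that attribute id and have not been asked yet; stop when none remain.
        while decision.missing:
            candidates = [p.name for p in self.pips.values()
                          if p.provides & decision.missing
                          and p.name not in self.invocations]
            if not candidates:
                break            # nothing left to try; Indeterminate stands
            for name in candidates:
                self._run(name, ctx)
            decision = pdp_evaluate(ctx)
        return decision


# Constructed backing data for the sample PIPs.
ROLES = {"alice": "analyst", "bob": "contractor"}
CLASSIFICATIONS = {"doc-1": "internal", "doc-2": "secret"}
COUNTRIES = {"alice": "NL", "bob": "US"}


def directory_pip(ctx: Context) -> Context:
    uid = ctx.get("subject:id")
    return {"subject:role": ROLES[uid]} if uid in ROLES else {}


def classification_pip(ctx: Context) -> Context:
    rid = ctx.get("resource:id")
    return {"resource:classification": CLASSIFICATIONS[rid]} if rid in CLASSIFICATIONS else {}


def geo_pip(ctx: Context) -> Context:
    uid = ctx.get("subject:id")
    return {"subject:country": COUNTRIES[uid]} if uid in COUNTRIES else {}


PIPS = [
    PIP("directory", {"subject:role"}, directory_pip),
    PIP("classification", {"resource:classification"}, classification_pip),
    PIP("geo", {"subject:country"}, geo_pip),   # never needed by the toy policy
]


def evaluate(request: Context, eager: bool):
    """Return (result, list of PIPs invoked) for one request in one mode."""
    handler = ContextHandler(PIPS, {p.name for p in PIPS} if eager else set())
    decision = handler.decide(request)
    return decision.result, handler.invocations


if __name__ == "__main__":
    req = {"subject:id": "alice", "resource:id": "doc-1"}
    print("eager:", evaluate(req, eager=True))    # all three PIPs run, geo needlessly
    print("lazy: ", evaluate(req, eager=False))   # only the two the PDP asked for
```

The eager run reaches every configured PIP, including one whose attribute the policy never references, which is the cost that the thread's remarks about caching and pre-fetching allude to; the lazy run touches only the PIPs whose registered attributes the PDP reported missing, and returns Indeterminate rather than looping when no remaining PIP can supply what is asked for.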