Subject: RE: Issue #4: Context Handler - Proposal
I agree with these changes. I would also add under 7.3.5 Attribute Retrieval something like:

“Regardless of any dynamic modifications of the request context during policy evaluation, the PDP SHALL behave as if each bag of attribute values is fully populated in the context before it is first tested, and is thereafter immutable during evaluation. (That is, every subsequent test of that attribute shall use the same bag of values that was initially tested.)”

This seems like an obvious requirement, but I don’t see anything in the spec that requires a conformant PDP to act this way. It’s even hard to imagine such an ill-behaved context handler, but if it were especially lazy and there were many attribute sources (perhaps even different sources could contribute to the same multi-valued attribute), it is not out of the question.

Note that this statement does not impose any particular evaluation order on the policy rules, allowing for optimized policy rewrites. Nor does it rule out highly optimized attribute acquisition strategies, such as determining early in the evaluation what subset of attributes it might need and not asking for any others.

Regards,
--Paul

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of remon.sinnema@emc.com

All,

Current text

30 Context handler
31 The system entity that converts decision requests in the native request format to the XACML
32 canonical form and converts authorization decisions in the XACML canonical form to the native
33 response format

Proposal

Context handler
The system entity that converts decision requests in the native request format to the XACML canonical form, coordinates with Policy Information Points to add attribute values to the request context, and converts authorization decisions in the XACML canonical form to the native response format.

Current text

474 4. The context handler constructs an XACML request context and sends it to the PDP.

Proposal

4. The context handler constructs an XACML request context, optionally adds attributes, and sends it to the PDP.

Current text

3280 7.3.5 Attribute Retrieval
3281 The PDP SHALL request the values of attributes in the request context from the context handler. The
3282 PDP SHALL reference the attributes as if they were in a physical request context document, but the
3283 context handler is responsible for obtaining and supplying the requested values by whatever means it
3284 deems appropriate.

Proposal

7.3.5 Attribute Retrieval
The PDP SHALL request the values of attributes in the request context from the context handler. The context handler MAY also add attributes to the request context without the PDP requesting them. The PDP SHALL reference the attributes as if they were in a physical request context document, but the context handler is responsible for obtaining and supplying the requested values by whatever means it deems appropriate, including by retrieving them from one or more Policy Information Points.

Thanks,
Ray
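
Added illustration, not part of the thread or of the XACML specification: a context handler that re-queries its sources on every test of an attribute, beside one that populates each bag on first test and then keeps it fixed for the evaluation. The class names, the PIP callables, the two toy rules and the sample values are all assumptions made up for this sketch; it shows that under deny-overrides the first handler makes the decision depend on rule order, while the second does not.

```python
from itertools import count
from typing import Callable, Dict, List, Tuple

Bag = Tuple[str, ...]
Pip = Callable[[str], List[str]]  # hypothetical PIP interface: attribute id -> values

def make_pips() -> List[Pip]:
    """Constructed sample sources; the second changes its answer mid-evaluation."""
    calls = count()
    def directory(attr: str) -> List[str]:
        return ["engineer"] if attr == "role" else []
    def late_hr(attr: str) -> List[str]:
        # Returns nothing on its first query, "contractor" on every later one.
        return ["contractor"] if attr == "role" and next(calls) > 0 else []
    return [directory, late_hr]

class LazyContextHandler:
    """Re-queries every source on each test of an attribute (the ill-behaved case)."""
    def __init__(self, pips: List[Pip]) -> None:
        self.pips = pips
    def get_bag(self, attr_id: str) -> Bag:
        return tuple(v for pip in self.pips for v in pip(attr_id))

class SnapshotContextHandler(LazyContextHandler):
    """Fully populates a bag on its first test, then reuses it for the evaluation."""
    def __init__(self, pips: List[Pip]) -> None:
        super().__init__(pips)
        self._bags: Dict[str, Bag] = {}
    def get_bag(self, attr_id: str) -> Bag:
        if attr_id not in self._bags:      # first test: ask every source once
            self._bags[attr_id] = super().get_bag(attr_id)
        return self._bags[attr_id]         # later tests: the same bag

RULES = {"deny_contractors": ("contractor", "Deny"),   # toy rules: value looked up
         "permit_engineers": ("engineer", "Permit")}   # in the "role" bag, effect

def deny_overrides(handler: LazyContextHandler, order: List[str]) -> str:
    """Evaluate every rule in the given order and combine with deny-overrides."""
    effects = [effect for value, effect in (RULES[name] for name in order)
               if value in handler.get_bag("role")]
    if "Deny" in effects:
        return "Deny"
    return "Permit" if effects else "NotApplicable"

def decisions(handler_cls) -> List[str]:
    """Decision for each rule order, with fresh sources and handler per evaluation."""
    orders = [["deny_contractors", "permit_engineers"],
              ["permit_engineers", "deny_contractors"]]
    return [deny_overrides(handler_cls(make_pips()), order) for order in orders]
```

`decisions(LazyContextHandler)` differs between the two rule orders, while `decisions(SnapshotContextHandler)` gives the same decision for both, which is what lets a PDP reorder rules safely.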