OASIS Mailing List Archives

 



xacml message



Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues


Danny,


> -----Original Message-----
> From: Danny Thorpe [mailto:Danny.Thorpe@quest.com]
> Sent: Thursday, May 17, 2012 8:19 PM
> To: Hal Lockhart; Sinnema, Remon; xacml@lists.oasis-open.org
> Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues
> 
> > Since we're using POST, which is non-idempotent
> > (http://tools.ietf.org/html/rfc2616#section-9.1.2), we must not use
> > HTTP pipelining (http://tools.ietf.org/html/rfc2616#section-8.1.2.2).
> 
> My reading of rfc 2616 - 9.1.2 is that POST is not REQUIRED to be
> idempotent. As a matter of fact, we know an XACML decision request IS
> idempotent.
> <<<
> 
> ?? The XACML decision request POST may be idempotent on the request
> side, but not on the response side. Identical XACML requests may return
> different responses if the policies in force are dependent upon time of
> request or other contextual data not carried in the request that
> changes between requests.  Access permitted at 4:59pm, access denied at
> 5:01pm.

After re-reading, I think Hal is right. RFC 2616 defines idempotence in terms of side-effects. An access request should not have side effects, so it is idempotent, even though the response may change when the request is repeated. In fact, an access request is even safe (http://tools.ietf.org/html/rfc2616#section-9.1.1).

So that kills my argument against HTTP pipelining, and therefore Hal is probably right that we need to write something up on how to handle it.


Thanks,
Ray


