
Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues

Hal, TC,

> -----Original Message-----
> From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On
> Behalf Of Hal Lockhart
> Sent: Wednesday, May 16, 2012 11:26 PM
> To: xacml@lists.oasis-open.org
> Subject: [xacml] [xacml-users] REST Profile - PDP Issues
> One feature I believe is required is Request/Response correlation. The
> SAML-derived request/response solve this problem by means of the ID and
> InResponseTo XML Attributes.
> Assuming HTTP 1.1 may be used and considering that a typical PEP is a
> multithreaded server, the possibility of having more than one request
> outstanding at the same time arises. Therefore it becomes necessary to
> figure out what request the PDP has said to Permit.
> This could be done by means of the IncludeInResponse feature, but that
> involves additional transmission and processing overhead. If your
> intention is to set a limit of one outstanding request per TCP session,
> then that should be stated explicitly. IMO the SAML InResponseTo scheme
> or something equivalent to it is the easiest way to solve the problem.

I've looked at HTTP pipelining in more detail. RFC 2617 states that the responses must be sent back in the order that the requests arrived:
So for HTTP pipelining, there doesn't seem to be an issue of correlating request and response.

If there are other scenarios where this really is an issue, then we could add custom HTTP headers that correspond to the ID and InResponseTo SAML attributes.

I wonder if this is a common enough use case to warrant standardization in the REST profile? What do people think?
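
Added example, not part of the original message or of the REST profile: a PEP-side correlator for the two options discussed above, positional matching under HTTP pipelining and explicit headers modelled on the SAML ID and InResponseTo attributes. The header names, the PepCorrelator class and the sample requests are assumptions constructed for illustration.

```python
import secrets
from collections import OrderedDict

# Hypothetical header names; the REST profile discussed here defines neither.
REQ_ID_HEADER = "X-XACML-Request-ID"
IN_RESPONSE_TO_HEADER = "X-XACML-In-Response-To"


class PepCorrelator:
    """Tracks decision requests outstanding on one PEP-to-PDP connection."""

    def __init__(self):
        self._pending = OrderedDict()  # request id -> caller context, in send order

    def send(self, context):
        """Register an outgoing request; returns the headers to attach to it."""
        req_id = secrets.token_hex(16)  # unguessable, unique per request
        self._pending[req_id] = context
        return {REQ_ID_HEADER: req_id}

    def receive(self, headers, decision):
        """Match a PDP response to its request; returns (context, decision).

        Fails closed: a response that cannot be matched is never applied
        to any pending request.
        """
        if not self._pending:
            raise LookupError("response with no outstanding request")
        echoed = headers.get(IN_RESPONSE_TO_HEADER)
        if echoed is None:
            # No explicit id: fall back to the pipelining rule (responses
            # arrive in request order), so the oldest request is answered.
            _, context = self._pending.popitem(last=False)
            return context, decision
        if echoed not in self._pending:
            raise LookupError("In-Response-To matches no outstanding request")
        return self._pending.pop(echoed), decision


def demo():
    """Constructed exchange: two requests in flight, answered out of order."""
    pep = PepCorrelator()
    h_read = pep.send("alice:read:/records/1")
    h_delete = pep.send("bob:delete:/records/1")
    # The PDP (or an intermediary) answers the second request first.
    first = pep.receive({IN_RESPONSE_TO_HEADER: h_delete[REQ_ID_HEADER]}, "Deny")
    second = pep.receive({IN_RESPONSE_TO_HEADER: h_read[REQ_ID_HEADER]}, "Permit")
    return first, second
```

With positional matching alone, the out-of-order exchange in demo() would attach the Permit to the delete request; the echoed ID prevents that, and an unknown ID raises instead of being applied.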

