Subject: Re: [xacml-dev] Re: [xacml-users] XACML 2.0 Conformance Tests Questions
On Fri, Apr 25, 2008 at 10:07:23AM -0700, Oleg Gryb wrote:
> [...]
> To summarize: I think it's a good idea to get all
> attributes resolved before request hits a PDP.

The problem is that this is an impossible task. In all but the most closed and limited systems, it's a very hard task (in general) to know all attributes that will be useful for a given request. How do you know all attributes associated with the given user? How do you know what policies will apply to the request, which policies will be referenced as part of evaluation, and therefore which attribute values will be needed?

Note that evaluation-time attribute resolution does not lock the PDP into using any specific set of PIPs. On the contrary, the model is designed to support arbitrary attribute resolution, but at a central point, rather than making each PEP responsible for this task. If you look (for example) at the SunXACML codebase, you'll see a generic plugin mechanism which allows for evaluation-time resolution of attribute values from an arbitrary PIP.

If you want your PDP to be limited to using the attribute values supplied in an XACML Request instance, that's ok. To pass the test in question you'll have to decide how to provide the needed value (perhaps by including it in the request, or by wedging in some other mechanism). Understand, however, that you're missing a fundamental piece of the model. This is a long-standing and very powerful aspect of the model that *everyone* takes advantage of in running systems.

seth
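A minimal model of the evaluation-time attribute resolution described in the message above, added here as an example; it is not part of the original post and not SunXACML code. The rule set, `directory_pip`, `EvaluationContext` and the directory contents are hypothetical. It shows the PDP asking a plugged-in PIP only for the attribute the applicable rule needs, and returning Indeterminate when the request lacks the value and no PIP is registered.

```python
# Constructed sample data standing in for a directory that a PIP would query.
DIRECTORY = {"alice": {"role": "hr", "department": "finance"}}

# Hypothetical rules: (resource targeted, attribute the condition needs, permitting value).
RULES = [("payroll", "role", "hr"), ("wiki", "department", "eng")]


class MissingAttribute(Exception):
    """Raised when a required attribute cannot be found anywhere."""


def directory_pip(attr_id, request):
    """A PIP plugin: resolve a subject attribute from the directory, or None."""
    return DIRECTORY.get(request.get("subject-id"), {}).get(attr_id)


class EvaluationContext:
    """Looks in the request first, then asks each registered PIP finder."""

    def __init__(self, request, finders=()):
        self.request = request
        self.finders = finders
        self.resolved = []  # attribute ids that had to be fetched from a PIP

    def require(self, attr_id):
        # Models a designator with MustBePresent="true".
        if attr_id in self.request:
            return self.request[attr_id]
        for finder in self.finders:
            value = finder(attr_id, self.request)
            if value is not None:
                self.resolved.append(attr_id)
                return value
        raise MissingAttribute(attr_id)


def evaluate(ctx):
    """Return Permit, NotApplicable or Indeterminate for the request in ctx."""
    try:
        for resource, attr_id, expected in RULES:
            if ctx.require("resource-id") != resource:
                continue  # target does not match: its attribute is never fetched
            if ctx.require(attr_id) == expected:
                return "Permit"
    except MissingAttribute:
        return "Indeterminate"
    return "NotApplicable"
```

The PEP in this model sends only `subject-id` and `resource-id`; which further attribute is needed becomes known only once the PDP has matched a rule's target.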