authorization - How does a XACML PEP interact with a context? -


my question has role , purpose of xacml context handler. if understand oasis xacml3.0 spec properly, pep intercepts request resource or access client app uses context handler create native xacml context object suitable pdp process. in design, have context handler global class methods create request objects , parse xml results. envision class looking this:

public static class contexthandler {     public static bool createpolicy(policytype policyname)     {         // serialize policytype xml document      }      public static policytype loadpolicy(string policyname)     {         // 1. load policy db, filesystem...         // 2. hydrate/deserialize xacml policy object         // 3. return policytype object     }      public static requesttype buildrequest(         dictionary<string, string> subjects,         dictionary<string, string> resources,         dictionary<string, string> actions,         dictionary<string, string> environment)     {                     // 1. create attributestype collection, populate subjects, resource...         // 2. populate requesttype object         // 3. return request      } }

the objects requesttype, attributestype , others part of xacml context.

is correct approach context handler class or have missed point of context handler?

thanks lot!

in complete xacml 2.0/3.0 implementation, real central node or bottle-neck of authorization process context handler component, neither pep nor pdp. suggested dataf-flow in official documentation shows that.

so, think first question "for simplicity's sake, approach stick context handler component inside component?" yes. , "if yes, best place pep or pdp?" well, think depends own real scenario.

in generic simple scenario, example when don't need pip, suggest stick context handler in pep domain did. , many reasons:

  • you may have many peps, not single 1 only, should achieve decoupling between peps , pdp
  • every pep knows own particular authorization request specifications, it's able convert native requests standard xacml requests , viceversa
  • you obtain central , standard pdp not affected specific pep logic, neither pep dependencies (i.e. third party libraries), neither pep code management (i.e. changes authorization request specifications, bug fixes, new deploys, etc.)

in more complex scenario, maybe authorization requests not contain information pdp needs reach decision. in case, pdp need ask information context handler, , context handler must able access pip component retrieve user-resources-environment values. because pip usually access centralized resources, usually centralized service. pdp usually centralized service, usually pdp , pip in same domain.

in scenario, may tempted stick context handler pdp component. if so, need deal other problems because loose decoupling , features listed above in simple scenario. moreover, following xacml specifications expect standard pdp able talk through xacml messages but, if put context handler directly there, pdp start talking pep native language.


Comments

Post a Comment

Popular posts from this blog

java - Play! framework 2.0: How to display multiple image? -

i need display gallery of photos. here template: @(photos: list[photo]) @title = { <bold>gallery</bold> } @main(title,"photo"){ <ul class="thumbnails"> @for(photo <- photos) { <li class="span3"> <a href="#" class="thumbnail"> <img src="@photo.path" alt=""> </a> </li> } </ul> } and here controller method: public static result getphotos() { return ok(views.html.photo.gallery.render(photo.get())); } and here photo bean : @entity public class photo extends model { @id public long id; @required public string label; public string path; public photo(string path, string label) { this.path = path; this.label = label; } private static finder<long, photo> find = new finder<long, photo>( long.class, photo.class); public static list<phot...
Read more

gmail - Is there any documentation for read-only access to the Google Contacts API? -

i want read-only access user's google contacts. there stackoverflow member wanted this, , received following answer : yes, there is, use https://www.googleapis.com/auth/contacts.readonly scope , "view contacts". this exchange reference read-only access google contacts can find using google. simply using access token obtained attempt read usual google contacts api (i.e. https://www.google.com/m8/feeds ) fails insufficient permissions. similarly, using google contacts api on new target fails 404 errors (for example https://www.googleapis.com/auth/contacts.readonly/default/full ). is there documentation anywhere on how use api, or permissible way access google contacts api full read-write access?
Read more

php - Controller/JToolBar not working in Joomla 2.5 -

relevant code: jtoolbarhelper::custom('savecategories', 'save', '', 'save', false, false); ... <input type="hidden" name="controller" value="easyblogcontroller"> according can dig docs , own previous questions, should call savecategories() function in easyblogcontroller . i've tried setting value easyblog , easyblog.php (file name) current easyblogcontroller (class name). clicking on save button refreshes page. not redirect, echo or var_dump test code put in savecategories() function. var_dump ing jrequest::getvar('controller') , 'task' return correct values. creating controller object , using $controller->execute('task'); works. the values going depend on location of controller trying call, , have couple options here. typically there controller in base folder of component (likely components/com_easyblog) in file called controller.php , class name inside ...
Read more