| From | Sent On | Attachments |
|---|---|---|
| Hal Lockhart | May 16, 2012 2:25 pm | |
| remo...@emc.com | May 16, 2012 3:01 pm | |
| Hal Lockhart | May 17, 2012 7:41 am | |
| Danny Thorpe | May 17, 2012 11:18 am | |
| remo...@emc.com | May 17, 2012 2:09 pm | |
| Danny Thorpe | May 17, 2012 2:13 pm | |
| remo...@emc.com | May 17, 2012 2:21 pm | |
| remo...@emc.com | May 18, 2012 6:27 am | |
| Danny Thorpe | May 18, 2012 9:30 am | |
| Hal Lockhart | May 29, 2012 12:25 pm | |
| Hal Lockhart | May 29, 2012 1:01 pm | |

| Subject: | RE: [xacml] [xacml-users] REST Profile - PDP Issues | |
|---|---|---|
| From: | Danny Thorpe (Dann...@quest.com) | |
| Date: | May 17, 2012 11:18:16 am | |
| List: | org.oasis-open.lists.xacml | |

-----Original Message-----
From: xac...@lists.oasis-open.org [mailto:xac...@lists.oasis-open.org] On Behalf Of Hal Lockhart
Sent: Thursday, May 17, 2012 7:42 AM
To: remo...@emc.com; xac...@lists.oasis-open.org
Subject: RE: [xacml] [xacml-users] REST Profile - PDP Issues

Section 2.2.2 is not very clear about what precisely goes into the POST request and response exchanged with a PDP, but the example shows XACML <Request> and <Response> elements being sent.

Yeah, I struggled with that a bit. Since the actual media type definitions are now outside the REST profile, I find it difficult to be precise. Any suggestions for improvement?

I don't see why you can explicitly call out schema and outermost XML element and specifically say you must send this or can send either this or this.
<<<<

Hal, did you mean "cannot explicitly..." there?

Since we're using POST, which is non-idempotent (http://tools.ietf.org/html/rfc2616#section-9.1.2), we must not use HTTP pipelining (http://tools.ietf.org/html/rfc2616#section-8.1.2.2).

My reading of rfc 2616 - 9.1.2 is that POST is not REQUIRED to be idempotent. As a matter of fact, we know an XACML decision request IS idempotent.
<<<

?? The XACML decision request POST may be idempotent on the request side, but not on the response side. Identical XACML requests may return different responses if the policies in force are dependent upon time of request or other contextual data not carried in the request that changes between requests.

Access permitted at 4:59pm, access denied at 5:01pm.

-Danny
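
The time dependence described in the message above, as an added example that is not part of the original thread: a toy PDP (not an XACML implementation) evaluates the same request at 4:59pm and 5:01pm, and a PEP that reuses an earlier decision for a repeated request is shown with a long and a short maximum age. The policy, the request fields and the `CachingPEP` class are all constructed for illustration.

```python
import hashlib
from datetime import datetime, time

# Constructed policy: permit "read" on "ledger" only during business hours.
BUSINESS_HOURS = (time(9, 0), time(17, 0))

def evaluate(request: dict, now: datetime) -> str:
    """Toy PDP. `now` is PDP-side context; it is not carried in the request."""
    if request.get("action") != "read" or request.get("resource") != "ledger":
        return "NotApplicable"
    start, end = BUSINESS_HOURS
    return "Permit" if start <= now.time() < end else "Deny"

def request_key(request: dict) -> str:
    """Digest of the request content only, so identical requests collide."""
    canonical = repr(sorted(request.items())).encode()
    return hashlib.sha256(canonical).hexdigest()

class CachingPEP:
    """Hypothetical PEP that reuses a decision for up to `max_age` seconds."""
    def __init__(self, max_age: float):
        self.max_age = max_age
        self._cache = {}  # request digest -> (decision, time obtained)

    def decide(self, request: dict, now: datetime) -> str:
        key = request_key(request)
        hit = self._cache.get(key)
        if hit and (now - hit[1]).total_seconds() <= self.max_age:
            return hit[0]  # reused decision, PDP not consulted
        decision = evaluate(request, now)
        self._cache[key] = (decision, now)
        return decision

def demo():
    req = {"subject": "alice", "action": "read", "resource": "ledger"}
    t1 = datetime(2012, 5, 17, 16, 59)  # 4:59pm
    t2 = datetime(2012, 5, 17, 17, 1)   # 5:01pm
    direct = (evaluate(req, t1), evaluate(req, t2))
    long_lived = CachingPEP(max_age=3600)
    short_lived = CachingPEP(max_age=60)
    reused = (long_lived.decide(req, t1), long_lived.decide(req, t2))
    refreshed = (short_lived.decide(req, t1), short_lived.decide(req, t2))
    return direct, reused, refreshed

if __name__ == "__main__":
    print(demo())
```

With the one-hour maximum age the 5:01pm request is still answered with the 4:59pm Permit, while the 60-second bound forces a fresh evaluation and returns Deny.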





