OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

REST Profile Entry Point Functionality

  • 1.  REST Profile Entry Point Functionality

    Posted 08-21-2017 03:58
    In order to use the JSON profile one must also implement the REST profile. In seeking to progress the JSON profile to OASIS standard we should also consider progressing the REST profile. The entry point functionality (Section 2.2.1) in the REST profile is mandatory to implement according to the conformance clauses, yet the profile seems to be leaving the format of the response to a request to GET the entry point information almost completely at the discretion of the implementer. The profile provides some suggestions and also has an example that is yet another format. The example also claims to follow an expired Internet-Draft, but is actually different. Ray did say he would align the profile with the eventual approved RFC (see https://lists.oasis-open.org/archives/xacml/201305/msg00031.html ) but work on this Internet-Draft appears to have been abandoned. Although an example and an expired Internet-Draft would normally count as non-normative, the implementer has apparently been given a free choice and might choose to implement either format anyway. Thus it would seem unlikely that two independent implementations would implement the entry point information the same way, which makes me question the point of making the entry point functionality mandatory, or even having it at all. For the record, ViewDS implements the entry point representation in an earlier draft of the REST profile, which is different again from the above possibilities. On my current reading of the profile I don't think that stops me issuing a Statement of Use, though it would be largely meaningless as far as the entry point is concerned. There's a number of approaches we could take: 1) don't worry about it, 2) clean up the profile and nominate a mandatory to implement format, 3) clean up the profile and make the entry point functionality optional, or 4) remove the entry point functionality from the profile. Regards, Steven