OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  XACML REST profile -- <content> vs <id>

    Posted 05-22-2012 16:11

    Hi all,

    In the latest working draft, the example around deleting a policy starts with this returned from GET /authorization/policies:

    HTTP/1.0 200 OK
    Content-Type: application/atom+xml
    Content-Length: <nnnn>

    <feed xmlns="http://www.w3.org/2005/Atom">
      <author>example.com</author>
      <id>pap</id>
      <link rel="self" href="/authorization/policies"/>
      <title>Access Control Policies</title>
      <updated>Thu, 3 May 2012 21:36:24 GMT</updated>
      <entry>
        <id>urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1</id>
        <title>Medi Corp access control policy</title>
        <link rel="alternate" href="/authorization/policies/1"/>
        <content type="application/xacml+xml" src="/authorization/policies/1"/>
        <summary>Medi Corp access control policy</summary>
      </entry>
      <!-- More entries -->
    </feed>

    Then come the instructions "The client looks up the entry with the id that matches the policy's PolicyId", followed by a DELETE request to /authorization/policies/1.

    This doesn't appear to line up with the example. When constructing the URL, should implementers build a URL based on the <id> of the entry, or should they follow the <content> link of the entry? In this example, it appears the DELETE request was based on the <content> link, not built as a URI from the <id>.

    Regards,
    Craig

    -------
    Craig Forster, Technical Lead, Tivoli Security Policy Manager
    cforster@us.ibm.com
    -------


  • 2.  RE: [xacml] XACML REST profile -- <content> vs <id>

    Posted 05-22-2012 17:44




    I think how the XACML Policy Id value is mapped onto a REST URI corresponding to the policy document should be left up to the service implementer.
     
    When submitting a DELETE operation, clients should use the content URI. Clients should not be responsible for (and should be discouraged from) composing the policy ID into a URI, since that mapping is determined by the service implementer and may vary from vendor to vendor.
     
    -Danny
     

    Danny Thorpe

    Product Architect

    Quest Software -
    Now including the people and products of BiTKOO
    www.quest.com


     






  • 3.  RE: [xacml] XACML REST profile -- <content> vs <id>

    Posted 05-22-2012 18:54




    Upon reading the draft text more closely in light of Craig’s question/comment, I think I see the disconnect.
     
    In the preface for section 2.4.2 Delete All Versions of a Policy, add:
     
    Assume a policy admin user instructs the client application to delete all versions of the policy having policy ID <12345>.
     
    <current steps to get entry point, get PAP list of policies>
     
    The app searches the ATOM list for an entry whose <ID> matches the policy ID <12345> of the policy to be deleted. The app issues a DELETE request for the content URI of that matching entry.
     
     
     

    Danny Thorpe

    Product Architect

    Quest Software -
    Now including the people and products of BiTKOO
    www.quest.com

     




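    As an added illustration of the procedure Danny describes (example code written for this page, not code from the draft profile or from any TC member): a client that locates the Atom entry whose <id> equals the PolicyId and then issues the DELETE against that entry's content URI, shown beside the discouraged alternative of composing the PolicyId into a path. The feed below is a constructed sample modelled on the draft example quoted earlier in the thread; the PAP location pap.example.com and the second entry are assumptions, and the same-origin check on the resolved link is a hardening choice of this example, not something the profile specifies.

```python
"""Resolve a XACML policy's DELETE target from the PAP's Atom feed by
following the entry's content URI, instead of composing the PolicyId into a path."""
import xml.etree.ElementTree as ET  # parse untrusted PAP feeds with defusedxml.ElementTree
from urllib.parse import urljoin, urlsplit

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Assumed PAP location for this example (the draft only shows relative paths).
PAP_POLICIES_URL = "https://pap.example.com/authorization/policies"

# Constructed sample feed, modelled on the draft example quoted in the thread
# (the second entry is added here to show that the lookup must select by <id>).
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <author><name>example.com</name></author>
  <id>pap</id>
  <link rel="self" href="/authorization/policies"/>
  <title>Access Control Policies</title>
  <updated>2012-05-03T21:36:24Z</updated>
  <entry>
    <id>urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1</id>
    <title>Medi Corp access control policy</title>
    <link rel="alternate" href="/authorization/policies/1"/>
    <content type="application/xacml+xml" src="/authorization/policies/1"/>
    <summary>Medi Corp access control policy</summary>
  </entry>
  <entry>
    <id>urn:example:policies:Other</id>
    <title>Another policy</title>
    <content type="application/xacml+xml" src="/authorization/policies/2"/>
  </entry>
</feed>
"""


def content_uri_for_policy(feed_xml, policy_id, feed_url):
    """Return the absolute content URI of the entry whose <id> equals policy_id.

    The URI comes from the server-supplied content/@src, so the PAP's mapping
    from PolicyId to URI stays opaque to the client. Returns None if no entry
    matches, and raises ValueError if the link points off the PAP's origin.
    """
    root = ET.fromstring(feed_xml)
    for entry in root.iterfind(ATOM_NS + "entry"):
        if entry.findtext(ATOM_NS + "id") != policy_id:
            continue
        content = entry.find(ATOM_NS + "content")
        src = None if content is None else content.get("src")
        if src is None:
            return None
        uri = urljoin(feed_url, src)
        # Hardening choice for this example: a DELETE must stay on the PAP's own
        # origin, so a tampered or proxied feed cannot point it at another host.
        want, got = urlsplit(feed_url), urlsplit(uri)
        if (got.scheme, got.netloc) != (want.scheme, want.netloc):
            raise ValueError(f"content URI {uri!r} is not on the PAP origin")
        return uri
    return None


def composed_uri_from_policy_id(policy_id, feed_url):
    """The discouraged approach: derive the path from the PolicyId itself."""
    return feed_url.rstrip("/") + "/" + policy_id


def delete_request(uri):
    """HTTP/1.1 request head for deleting the resource at uri."""
    parts = urlsplit(uri)
    return f"DELETE {parts.path or '/'} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"


if __name__ == "__main__":
    policy_id = "urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
    uri = content_uri_for_policy(SAMPLE_FEED, policy_id, PAP_POLICIES_URL)
    print("content URI :", uri)
    print("composed URI:", composed_uri_from_policy_id(policy_id, PAP_POLICIES_URL))
    print(delete_request(uri))
```

    Run against the sample, the content-link route yields /authorization/policies/1, the path the draft's DELETE example actually uses, while composing the PolicyId into the path yields a URI containing the full URN that the PAP in the example never advertised. Whatever id-to-URI mapping a vendor chooses, the client only ever dereferences links the server handed it.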

  • 4.  RE: [xacml] XACML REST profile -- <content> vs <id>

    Posted 05-23-2012 07:33

    Danny, Craig,

    I'll update the document along the lines suggested by Danny to make this clearer.

    Thanks,
    Ray