The XACML request context allows for multiple subjects. Each subject block is identified with the subject-category. Subject-category identifies different 'actors': access-subject, codesource, etc. The category 'access-subject' is the requestor's identity.

There are use cases, such as 'integrated login', where multiple auth mechanisms are integrated. Sun solves this with the 'pluggable auth module' framework (PAM). PAM allows for multiple authentication protocols to be configured per application.

This shows that the XACML context may contain multiple subject blocks with the same category of 'access-subject': a separate block per authentication protocol.

Subject blocks are accessed with subject-attribute-designators.

Assumption: a subject block is uniquely addressed by subject-category and authentication protocol.
Proposal.

Drop the DataType attribute of <xacml-context:AttributeType>.

Extend xacml:subject-attribute-designator with subject-category and protocol attributes:

  <complexType name="SubjectAttributeDesignatorType">
    <attribute name="AttributeId" type="xs:string" use="required"/>
    <attribute name="Issuer" type="xs:anyURI" use="optional"/>
    <attribute name="SubjectCategory" type="xs:string" use="optional"/> <!-- new -->
    <attribute name="Protocol" type="xs:anyURI" use="optional"/>        <!-- new -->
  </complexType>
example 1.1 - match 'group' attribute of a subject authenticated with kerberos:

  subject-match match-id="string-equal"
    subj-attr-desig attr-id="group" issuer="some-issuer"
                    subj-cat="access-subject" protocol="kerb"
    attr-value admin

example 1.2 - match 'subject-id' attribute of a subject authenticated with kerb:

  subject-match match-id="rfc822Name-match"
    subj-attr-desig attr-id="subject-id" subj-cat="access-subject" protocol="kerb"
Note that in example 1.2 the subject block is identified by the protocol (kerb), not by the name format.
Simon
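The proposal modelled in Python, as an added example that is not part of Simon's post: a constructed request context carrying two 'access-subject' blocks for one requestor, one per authentication protocol, and a resolver for the extended designator that evaluates examples 1.1 and 1.2 against it. Assumed here: the request marks each Subject element with a Protocol attribute (the post does not say where the protocol is carried), and attribute ids are the short names used in the examples rather than full XACML URNs.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
ACCESS_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

# Constructed request: two access-subject blocks, one per auth protocol (Protocol attribute assumed).
REQUEST = f"""<Request xmlns="{CTX}">
  <Subject SubjectCategory="{ACCESS_SUBJECT}" Protocol="kerb">
    <Attribute AttributeId="subject-id"><AttributeValue>alice@Example.com</AttributeValue></Attribute>
    <Attribute AttributeId="group" Issuer="some-issuer"><AttributeValue>admin</AttributeValue></Attribute>
  </Subject>
  <Subject SubjectCategory="{ACCESS_SUBJECT}" Protocol="x509">
    <Attribute AttributeId="group" Issuer="some-issuer"><AttributeValue>users</AttributeValue></Attribute>
  </Subject>
</Request>"""

def designate(request, attribute_id, protocol=None, issuer=None, category=ACCESS_SUBJECT):
    """Proposed designator: subject blocks by category and protocol, then attributes by id and issuer."""
    bag = []
    for subj in ET.fromstring(request).iter(f"{{{CTX}}}Subject"):
        if subj.get("SubjectCategory") != category or (
                protocol is not None and subj.get("Protocol") != protocol):
            continue
        for attr in subj.iter(f"{{{CTX}}}Attribute"):
            if attr.get("AttributeId") == attribute_id and (
                    issuer is None or attr.get("Issuer") == issuer):
                bag += [v.text for v in attr.iter(f"{{{CTX}}}AttributeValue")]
    return bag  # empty bag: no subject block or attribute matched the designator

def subject_match(match_fn, literal, bag):
    """SubjectMatch: true if match_fn(literal, value) holds for any value in the bag."""
    return any(match_fn(literal, value) for value in bag)

def rfc822name_match(pattern, name):
    """rfc822Name-match: 'user@domain' (domain case-insensitive), 'domain', or '.domain' for sub-domains."""
    local, _, domain = name.rpartition("@")
    if "@" in pattern:
        plocal, _, pdomain = pattern.rpartition("@")
        return local == plocal and domain.lower() == pdomain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()

def example_1_1():  # 'group' of the kerberos-authenticated subject equals 'admin'
    bag = designate(REQUEST, "group", protocol="kerb", issuer="some-issuer")
    return subject_match(lambda a, b: a == b, "admin", bag)

def example_1_2():  # 'subject-id' of the kerberos-authenticated subject is in example.com
    bag = designate(REQUEST, "subject-id", protocol="kerb")
    return subject_match(rfc822name_match, "example.com", bag)
```

Leaving out the protocol selects every 'access-subject' block, so the same 'group' designator then yields both 'admin' and 'users'; that is the ambiguity the Protocol attribute removes.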