Re: [xacml] Request and Response Context Schemas - Take 2

On 5 June, Michiharu Kudoh writes:

> I am not clear on your sentence "If we ever expect to have multiple
> resources, we need to know which actions go with which resource, and this
> makes that association." Does this mean that PEP can ask PDP with more than
> two or more pairs of resource and action (e.g. read a.xml and update b.xml)
> per one access request?

My mistake. I thought you were proposing multiple resources in your 3 Jun 2002 message titled "Observation on J2SE context proposal":

> (here I am assuming that <ContextResource> and
> <ContextAction> have a child element called <Resource> and <Action>,
> respectively.)

I think it is OK to allow just one resource. As long as we allow just one resource, then any actions are automatically associated with that resource. It is only if we decide to allow more than one resource that it becomes an issue to associate actions with a particular resource.

> As far as I understand, each <Principal> consists of optional <PrincipalID>
> and any number of <Attribute> that consists of optional <Holder> and one
> <AttributeValue> that can contain anything in it. Is that correct?

Yes. The <Attribute>s that are included in a <Principal> should not have a <Holder> element (or else, failure of the Holder element to match the <Principal/NameIdentifier> element is an error).

> I am
> wondering whether <PrincipalID> differs from <Holder> or not.

It does not. My proposed definition of Holder has type="xacml:PrincipalIDType".

> Since <ContextPrincipals> allows multiple <Principal>s, I
> thought that each <Principal> has different <PrincipalID>
> specified by <NameIdentifier> that is equal to <Holder> (that
> also consists of <NameIdentifier>) of the <Attribute>. I
> would like to see XACML Context example based on your schema.

Here is the previous example based on the new schema (but with only one resource). Note that the <Attribute> does not include a Holder, since the Holder is implicit from the <NameIdentifier>:

  <xacml:RequestContext>
    <xacml:ContextPrincipals>
      <xacml:Principal PrincipalType="j2se:RequestingUser">
        <xacml:NameIdentifier Format="itu:X500DistinguishedName">
          "cn=Anne,ou=SunLabs,o=Sun,c=US"
        </xacml:NameIdentifier>
      </xacml:Principal>
      <xacml:Principal PrincipalType="j2se:RequestingUser">
        <xacml:NameIdentifier Format="ietf:RFC822Name">
          "Anne.Anderson@Sun.COM"
        </xacml:NameIdentifier>
      </xacml:Principal>
      <xacml:Principal PrincipalType="j2se:CodeSource">
        <xacml:NameIdentifier Format="ietf:URL">
          "http://java.sun.com/jdk1.4/classes"
        </xacml:NameIdentifier>
        <xacml:Attribute AttributeName="j2se:SignedBy">
          <xacml:AttributeValue>
            "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
          </xacml:AttributeValue>
          <xacml:AttributeValue>
            "cn=SunSigner,o=Sun,c=US"
          </xacml:AttributeValue>
        </xacml:Attribute>
      </xacml:Principal>
    </xacml:ContextPrincipals>
    <xacml:ContextResource>
      <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
    </xacml:ContextResource>
    <xacml:ContextActions>
      <xacml:Action>
        "read"
      </xacml:Action>
    </xacml:ContextActions>
  </xacml:RequestContext>

Anne
--
Anne H. Anderson                        Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311              Tel: 781/442-0928
Burlington, MA 01803-0902 USA           Fax: 781/442-1692
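The message states two rules a PDP would have to enforce on an incoming request context: a <Holder> that does appear inside a <Principal>'s <Attribute> must match that <Principal>'s <NameIdentifier>, and the one-resource restriction is what lets every <Action> be bound to that resource without an explicit association. The check below is an added illustration of those two rules and is not code from the original post or from any XACML draft; it assumes the element and attribute names of the example above and uses an obviously placeholder namespace URI (`urn:placeholder:xacml-context`), since the message does not declare one. The two sample contexts are constructed from the example in the message, with the second one deliberately given a Holder that names a different principal.

```python
"""Validate the Holder/Principal binding and the single-resource rule
on an XACML-style request context (added example, not part of the post).

The xacml namespace URI is a placeholder assumed for this example only.
"""
import xml.etree.ElementTree as ET

NS = {"xacml": "urn:placeholder:xacml-context"}  # assumed placeholder URI


def _norm(text):
    """Strip whitespace and the literal quotes the mail example uses around values."""
    return (text or "").strip().strip('"')


def _name_id(parent):
    """Return (Format, value) of the NameIdentifier directly under parent, or None."""
    nid = parent.find("xacml:NameIdentifier", NS)
    if nid is None:
        return None
    return (nid.get("Format"), _norm(nid.text))


def check_request_context(xml_text):
    """Return a list of violations; an empty list means the context obeys
    both rules described in the message.

    Rule 1: an Attribute under a Principal may omit Holder (it is implied by the
            Principal's NameIdentifier); if it carries one, it must match exactly.
    Rule 2: exactly one ResourceSpecifier, so every Action is bound to it.
    """
    root = ET.fromstring(xml_text)
    problems = []

    for principal in root.iterfind("xacml:ContextPrincipals/xacml:Principal", NS):
        ptype = principal.get("PrincipalType")
        pid = _name_id(principal)
        for attr in principal.iterfind("xacml:Attribute", NS):
            holder = attr.find("xacml:Holder", NS)
            if holder is None:
                continue  # Holder implicit from the enclosing Principal: allowed
            hid = _name_id(holder)
            if hid != pid:
                problems.append(
                    f"Principal {ptype}: Attribute {attr.get('AttributeName')} "
                    f"has Holder {hid} that does not match PrincipalID {pid}"
                )

    resources = root.findall("xacml:ContextResource/xacml:ResourceSpecifier", NS)
    if len(resources) != 1:
        problems.append(f"expected exactly one ResourceSpecifier, found {len(resources)}")

    actions = [_norm(a.text) for a in root.iterfind("xacml:ContextActions/xacml:Action", NS)]
    if not actions:
        problems.append("no Action given for the resource")
    return problems


# Constructed sample, following the example in the message (no explicit Holder).
REQUEST_OK = """<xacml:RequestContext xmlns:xacml="urn:placeholder:xacml-context">
  <xacml:ContextPrincipals>
    <xacml:Principal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="itu:X500DistinguishedName">
        "cn=Anne,ou=SunLabs,o=Sun,c=US"
      </xacml:NameIdentifier>
    </xacml:Principal>
    <xacml:Principal PrincipalType="j2se:CodeSource">
      <xacml:NameIdentifier Format="ietf:URL">
        "http://java.sun.com/jdk1.4/classes"
      </xacml:NameIdentifier>
      <xacml:Attribute AttributeName="j2se:SignedBy">
        <xacml:AttributeValue>"cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:Principal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
  </xacml:ContextResource>
  <xacml:ContextActions><xacml:Action>"read"</xacml:Action></xacml:ContextActions>
</xacml:RequestContext>"""

# Constructed failure case: the SignedBy attribute of the CodeSource principal
# carries a Holder naming the RequestingUser instead, which must be rejected.
REQUEST_BAD = REQUEST_OK.replace(
    '<xacml:Attribute AttributeName="j2se:SignedBy">',
    '<xacml:Attribute AttributeName="j2se:SignedBy">'
    '<xacml:Holder><xacml:NameIdentifier Format="ietf:RFC822Name">'
    '"Anne.Anderson@Sun.COM"</xacml:NameIdentifier></xacml:Holder>',
)

if __name__ == "__main__":
    print("ok  :", check_request_context(REQUEST_OK))
    print("bad :", check_request_context(REQUEST_BAD))
```

Rejecting a mismatched Holder rather than silently preferring one of the two identifiers matters because the attribute (here, who signed the code) would otherwise be evaluated against the wrong principal.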