Subject: Re: [xacml] default environment attributes and explicit attributes

> Is the intent that default environment attributes should only be
> created on an "as needed" basis? For example, looking at the test
> suite, default time, etc., are needed for IIA017 019 and 021. If we
> always add the time, then tests 016 018 and 020 fail, because the
> request message includes a time, and the policies do
> time-one-and-only.

Your first instinct is correct. These values are only provided as
needed. If, for example, the current time is provided in the Request,
then the Context Handler is not responsible for generating the value.
See section 10.2.5 of the 2.0 specification (I think it's explained
somewhere else too, but I don't have it in front of me right now).

You're right in your reading of the tests. If a second version of the
current time (for example) was provided, then the one-and-only function
would fail. This is one of the reasons we have the behavior we do. The
more compelling reason (in my opinion) is so you can always define the
time at the PEP if you want to override some server notion of the
current time (for instance, offloading processing to a server in
another timezone). Note that I raise this issue at the risk of
re-opening an old debate, but I promise that is not my intent :)

> Are we missing something in the spec, or are the tests wrong?

Nope. Nothing is missing, and the tests are correct. The CH/PDP only
provides the current date/time values if they're not already available.

seth
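
The "as needed" behaviour discussed in this message, as an added example that is not part of the original post and is not taken from any XACML implementation: a Context Handler that supplies a default environment value only when the Request lacks one, next to the "always add" variant that makes a one-and-only check fail. The function names `resolve` and `one_and_only`, the `as_needed` flag and the dict model of the Request are assumptions made for illustration.

```python
from datetime import datetime, timezone

ENV = "urn:oasis:names:tc:xacml:1.0:environment:"
# Default environment attributes and how a Context Handler could generate them.
DEFAULTS = {
    ENV + "current-time": lambda now: now.strftime("%H:%M:%SZ"),
    ENV + "current-date": lambda now: now.strftime("%Y-%m-%d"),
    ENV + "current-dateTime": lambda now: now.strftime("%Y-%m-%dT%H:%M:%SZ"),
}


class IndeterminateError(Exception):
    """Raised where a PDP would evaluate to Indeterminate."""


def resolve(request_env, attribute_id, now, as_needed=True):
    """Return the bag of values for one environment attribute.

    request_env: dict of attribute id -> list of values sent by the PEP
                 (hypothetical, simplified model of the Request).
    as_needed:   True  -> generate a default only if the Request has none.
                 False -> always append a default (the failing variant).
    """
    bag = list(request_env.get(attribute_id, []))
    if attribute_id in DEFAULTS and (not bag or not as_needed):
        bag.append(DEFAULTS[attribute_id](now))
    return bag


def one_and_only(bag):
    """Model of the *-one-and-only functions: exactly one value or error."""
    if len(bag) != 1:
        raise IndeterminateError(f"expected exactly one value, got {len(bag)}")
    return bag[0]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    time_id = ENV + "current-time"
    pep_request = {time_id: ["09:00:00Z"]}  # constructed sample: PEP sets the time
    print("empty request  ->", one_and_only(resolve({}, time_id, now)))
    print("PEP override   ->", one_and_only(resolve(pep_request, time_id, now)))
    try:
        one_and_only(resolve(pep_request, time_id, now, as_needed=False))
    except IndeterminateError as exc:
        print("always-add     -> Indeterminate:", exc)
```
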