OASIS eXtensible Access Control Markup Language (XACML) TC

Expand all | Collapse all

[xacml-users] REST Profile - PDP Issues

  • 1.  [xacml-users] REST Profile - PDP Issues

    Posted 05-16-2012 21:26
    I have a number of different kinds of comments about the REST Profile and Media types which will post separately to allow the discussion to take place in distinct threads. Section 2.2.2 is not very clear about what precisely goes into the POST request and response exchanged with a PDP, but the example shows XACML <Request> and <Response> elements being sent. (Minor point: it is customary to use a namespace qualified name and define the namespace tags near the beginning of the doc. Specifications frequently reference several XML schemas and they could contain the same element names. In particular, common words like Request and Response are likely to appear in many schemas.) However, the current, SOAP-based wire protocol which is specified in section 4 of the SAML Profile of XACML wraps the request in a XACMLAuthzDecisionQuery request and the response is wrapped in an Assertion and XACMLAuthzDecisionQuery response. These wrappers add complexity, but provide a number of useful capabilities. I would suggest reviewing these to determine if any this functionality would be of value in this profile. One feature I believe is required is Request/Response correlation. The SAML-derived request/response solve this problem by means of the ID and InResponseTo XML Attributes. Assuming HTTP 1.1 may be used and considering that a typical PEP is a multithreaded server, the possibility of having more than one request outstanding at the same time arises. Therefore it becomes necessary to figure out what request the PDP has said to Permit. This could be done by means of the IncludeInResponse feature, but that involves additional transmission and processing overhead. If your intention is to set a limit of one outstanding request per TCP session, then that should be stated explicitly. IMO the SAML InResponseTo scheme or something equivalent to it is the easiest way to solve the problem. For the record, the Request includes: Issuer Signature ID Version Issue Instant Destination Consent Processing Flags InputContextOnly ReturnContext CombinePolicies AdditionalAttributes Policy PolicySet ReferencedPolicies AdditionalAttributes AssignedAttributes Holders HolderAttributes Much of this applies only to the Admin Profile, which we could choose not to support in this protocol, but I would like an explicit decision to that effect. The Assertion includes: Issuer Signature ID Version Issue Instant Validity Period The Response includes: Issuer Signature ID InResponseTo Version Issue Instant Destination Consent Status (covered by the HTTP Status Code) Hal --------------------------------------------------------------------- To unsubscribe, e-mail: xacml-users-unsubscribe@lists.oasis-open.org For additional commands, e-mail: xacml-users-help@lists.oasis-open.org


  • 2.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-16-2012 22:02
    Hal, >


  • 3.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-17-2012 14:42
    > > Section 2.2.2 is not very clear about what precisely goes into the > > POST request and response exchanged with a PDP, but the example shows > > XACML <Request> and <Response> elements being sent. > > Yeah, I struggled with that a bit. Since the actual media type > definitions are now outside the REST profile, I find it difficult to be > precise. Any suggestions for improvement? > I don't see why you can explicitly call out schema and outermost XML element and specifically say you must send this or can send either this or this. > > > (Minor point: it is customary to use a namespace qualified name and > > define the namespace tags near the beginning of the doc. > > Specifications frequently reference several XML schemas and they > could > > contain the same element names. In particular, common words like > > Request and Response are likely to appear in many schemas.) > > Not all formats have the concept of namespaces (e.g. JSON), so in the > interest of being neutral in terms of representation, I felt I couldn't > use namespaces here. I used wording like "XACML request" to address > this issue. Does that sound reasonable? I was thinking primarily of the examples here. <Request> is potentially ambiguous. <xs:request> with a suitable definition of xs, is not. I would still like to hear from others as to whether we need any of the other features provided by the wrappers. > > > However, the current, SOAP-based wire protocol which is specified in > > section 4 of the SAML Profile of XACML wraps the request in a > > XACMLAuthzDecisionQuery request and the response is wrapped in an > > Assertion and XACMLAuthzDecisionQuery response. These wrappers add > > complexity, but provide a number of useful capabilities. I would > > suggest reviewing these to determine if any this functionality would > > be of value in this profile. > > > > One feature I believe is required is Request/Response correlation. > The > > SAML-derived request/response solve this problem by means of the ID > > and InResponseTo XML Attributes. > > > > Assuming HTTP 1.1 may be used and considering that a typical PEP is a > > multithreaded server, the possibility of having more than one request > > outstanding at the same time arises. Therefore it becomes necessary > to > > figure out what request the PDP has said to Permit. > > Since we're using POST, which is non-idempotent > ( http://tools.ietf.org/html/rfc2616#section-9.1.2 ), we must not use > HTTP pipelining ( http://tools.ietf.org/html/rfc2616#section-8.1.2.2 ). My reading of rfc 2616 - 9.1.2 is that POST is not REQUIRED to be idempotent. As a matter of fact, we know an XACML decision request IS idempotent. > So a request will always have to wait for the response and thus there > can be no confusion as to which response belongs to which request. Or > am I missing something? I don't see how this restriction could be acceptable in a production environment. Managing a large connection pool and scheduling requests onto available connections is complicated and may have its own performance implications. Making every request wait in line is unacceptable. Remember the DPD server may go off and do things that take a "long" time, like fetching attribute values from other repositories. I would like to hear what others think. Hal


  • 4.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-17-2012 18:19



  • 5.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-17-2012 21:10
    Danny, >


  • 6.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-17-2012 21:14
    Ok. So a POST can have no side effects but return different results and still be considered idempotent. Thanks, -Danny Danny Thorpe Product Architect Quest Software - Now including the people and products of BiTKOO www.quest.com


  • 7.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-29-2012 19:26
    > > > Section 2.2.2 is not very clear about what precisely goes into the > > > POST request and response exchanged with a PDP, but the example > > > shows XACML <Request> and <Response> elements being sent. > > > > Yeah, I struggled with that a bit. Since the actual media type > > definitions are now outside the REST profile, I find it difficult to > > be precise. Any suggestions for improvement? > > > I don't see why you can explicitly call out schema and outermost XML > element and specifically say you must send this or can send either this > or this. > <<<< > > Hal, did you mean "cannot explicitly..." there? Yes, sorry I meant "can't". > > > >>> > > > > Since we're using POST, which is non-idempotent > > ( http://tools.ietf.org/html/rfc2616#section-9.1.2 ), we must not use > > HTTP pipelining ( http://tools.ietf.org/html/rfc2616#section-8.1.2.2 ). > > My reading of rfc 2616 - 9.1.2 is that POST is not REQUIRED to be > idempotent. As a matter of fact, we know an XACML decision request IS > idempotent. > <<< > > ?? The XACML decision request POST may be idempotent on the request > side, but not on the response side. Identical XACML requests may return > different responses if the policies in force are dependent upon time of > request or other contextual data not carried in the request that > changes between requests. Access permitted at 4:59pm, access denied at > 5:01pm. This is true, however this functionality can actually be controlled by the InputContextOnly XML attribute which appears in the <XACMLAuthzDecisionQuery>. This is another reason it might be desirable to allow the use of the Req/Resp wrappers. I still think for anything but a demo, requiring synchronous requests is a complete non-starter. hal


  • 8.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-17-2012 21:23
    Hal, >


  • 9.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-29-2012 20:03
    > > I was thinking primarily of the examples here. <Request> is > > potentially ambiguous. <xs:request> with a suitable definition of xs, > is not. > > The example reads: > > <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"> > <!-- XACML request --> > </Request> > > I do use a (default) namespace here, so I don't see how <Request> can > be ambiguous. Good point. This is mainly a style issue. I guess I am still stuck in the past where we had distinct Schemas for the Policies and the Protocols. Hal


  • 10.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-18-2012 13:28
    Hal, TC, >


  • 11.  RE: [xacml] [xacml-users] REST Profile - PDP Issues

    Posted 05-18-2012 16:32
    XACML already has a request/response correlation mechanism in the IncludeInResult attribute of the Attribute element. Granted, this isn't as succinct as requiring unique message ids and InResponseTo headers, but if an application is running into confusion over which response is for which request, it seems to me that the application can turn on IncludeInResult for request Attributes sufficiently specific to perform response correlation. For that matter, the application could simplify correlation by embedding a client-generated token unique within the client's scope as an <Attribute IncludeInResult="true"> in the request. The attribute is of no interest to the PDP. It exists solely to simplify response correlation back at the client. Given that an application can embed a "message id" of its own design as an attribute in the XACML request and receive it back in the response, is it really necessary to add correlation complexity at the protocol level? -Danny Danny Thorpe Product Architect Quest Software - Now including the people and products of BiTKOO www.quest.com