Details

      Description

      The request is to add the XACML PDP interface to Shiro. This would be another way to get an authorization decision result.

        Activity

        Warren Strange added a comment -

        Hi Les,

        I didn't file the bug but have a couple of comments.

        XACML support could mean a lot of things, but some possible features could be things like:

        • Support expressing Shiro policies in XACML
        • Integrate Shiro with a XACML PDP - so that runtime decisions are made by the PDP (and maybe cached by Shiro?)
        • Support more "XACML"ish features in the API. For example, XACML has Obligations
          (allow this operation, but you must log the result, etc.).

        Whether or not these are actually useful features, I cannot say.

        I think most of the XACML use cases are outside the bounds of a single application (e.g. Enterprises wanting
        to administer policy in a central location). Whether or not this makes sense for Shiro is an open question.

        I can see Obligations as being an interesting feature for the API - but am not sure how you would make it sufficiently generic.
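
The PDP integration and Obligations ideas from the comment above, sketched as an added example that is not part of the issue thread and is not Shiro code. Every type here (`Pdp`, `Decision`, `ObligationHandler`, `PdpEnforcer`) and both obligation ids are hypothetical; treating a Permit whose obligation has no registered handler as a denial is an assumption modelled on XACML's deny-biased enforcement point.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical types for illustration; none of these are Shiro or XACML library APIs.
public class PdpEnforcerExample {
    record Decision(boolean permit, List<String> obligations) {}
    interface Pdp { Decision evaluate(String subject, String action, String resource); }
    interface ObligationHandler { void fulfil(String subject, String action, String resource); }

    static class PdpEnforcer {
        private final Pdp pdp;
        private final Map<String, ObligationHandler> handlers;
        private final Map<String, Decision> cache = new ConcurrentHashMap<>();

        PdpEnforcer(Pdp pdp, Map<String, ObligationHandler> handlers) { this.pdp = pdp; this.handlers = handlers; }

        boolean isPermitted(String subject, String action, String resource) {
            String key = subject + '\n' + action + '\n' + resource;
            // Only the decision is cached (no expiry here); obligations are discharged on every call.
            Decision d = cache.computeIfAbsent(key, k -> pdp.evaluate(subject, action, resource));
            if (!d.permit()) return false;
            // Deny-biased: a Permit carrying an obligation we cannot discharge is treated as Deny.
            for (String id : d.obligations())
                if (!handlers.containsKey(id)) return false;
            for (String id : d.obligations())
                handlers.get(id).fulfil(subject, action, resource);
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for a remote PDP: reads must be logged, deletes carry an obligation nobody handles.
        Pdp pdp = (s, a, r) -> switch (a) {
            case "read" -> new Decision(true, List.of("log-access"));
            case "delete" -> new Decision(true, List.of("notify-owner"));
            default -> new Decision(false, List.of());
        };
        List<String> audit = new ArrayList<>();
        ObligationHandler logAccess = (s, a, r) -> audit.add(s + " " + a + " " + r);
        PdpEnforcer enforcer = new PdpEnforcer(pdp, Map.of("log-access", logAccess));
        // Same read twice (second served from cache), then an undischargeable delete, then a PDP deny.
        System.out.println(enforcer.isPermitted("alice", "read", "doc:1"));
        System.out.println(enforcer.isPermitted("alice", "read", "doc:1"));
        System.out.println(enforcer.isPermitted("alice", "delete", "doc:1"));
        System.out.println(enforcer.isPermitted("alice", "write", "doc:1"));
        System.out.println(audit);
    }
}
```

Keying handlers by obligation id keeps the enforcement side generic: the application registers only the obligations it knows how to discharge, and anything else fails closed.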

        Les Hazlewood added a comment -

        Hi Michael,

        What does this mean exactly? Would this translate into implementing a specific programming API? Or providing a URL endpoint? A little context or use case explanation would be helpful.

        Thanks,

        Les


          People

          • Assignee:
            Unassigned
            Reporter:
            Michael Fiedler
          • Votes:
            0
            Watchers:
            1
