Use cases for the REST profile for XACML v3.0
POST a XACML Request (in XML) to a PDP and receive a XACML Response. This would provide a simple means to test PDPs, verify policy evaluation, and compare implementations. Performance and scalability tests could be scripted using command-line tools such as wget or curl.
GET a XACML Policy or PolicySet from a PAP using a predictable URI formed from its PolicyId or PolicySetId (such as http://example.com/pap-service/policies/ExportPolicy).
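The two use cases above, exercised end to end. This is an added example, not code from the REST profile draft or from any XACML implementation: a stub HTTP service plays the PDP (POST /pdp) and the PAP (GET /pap-service/policies/<PolicyId>), and a client POSTs a XACML 3.0 XML Request, reads the Decision from the Response, then GETs a Policy by its PolicyId. The /pdp path, the stub's toy decision rule, its canned ExportPolicy and the media type name are assumptions made for illustration; the XACML 3.0 namespace and attribute identifiers are the standard ones.

```python
"""Added example (not part of the REST profile draft): stub PDP/PAP over HTTP
plus a client that POSTs a XACML Request and GETs a Policy by PolicyId."""
import threading
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
MEDIA_TYPE = "application/xacml+xml"  # assumed; the profile leaves media types to be defined
ACTION_CATEGORY = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
# Loopback only: an explicit empty ProxyHandler keeps any http_proxy setting out of the way.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

# Constructed sample policy served by the stub PAP, keyed by PolicyId.
POLICIES = {
    "ExportPolicy": (
        f'<Policy xmlns="{XACML_NS}" PolicyId="ExportPolicy" Version="1.0" '
        'RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">'
        "<Target/></Policy>"
    ),
}


def xacml_request(subject_id, resource_id, action_id):
    """Serialise a XACML 3.0 <Request> carrying one string attribute per category."""
    cats = [
        ("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
         "urn:oasis:names:tc:xacml:1.0:subject:subject-id", subject_id),
        ("urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
         "urn:oasis:names:tc:xacml:1.0:resource:resource-id", resource_id),
        (ACTION_CATEGORY, "urn:oasis:names:tc:xacml:1.0:action:action-id", action_id),
    ]
    req = ET.Element("Request", xmlns=XACML_NS, ReturnPolicyIdList="false",
                     CombinedDecision="false")
    for category, attr_id, value in cats:
        attrs = ET.SubElement(req, "Attributes", Category=category)
        attr = ET.SubElement(attrs, "Attribute", AttributeId=attr_id, IncludeInResult="false")
        ET.SubElement(attr, "AttributeValue",
                      DataType="http://www.w3.org/2001/XMLSchema#string").text = value
    return ET.tostring(req)


class StubService(BaseHTTPRequestHandler):
    """Stand-in PDP and PAP. Toy rule (assumed): Permit action "read", Deny anything else."""

    def do_POST(self):
        if self.path != "/pdp" or self.headers.get("Content-Type") != MEDIA_TYPE:
            return self._reply(415, "text/plain", b"POST a XACML request to /pdp")
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            action = ET.fromstring(body).find(
                f"x:Attributes[@Category='{ACTION_CATEGORY}']/x:Attribute/x:AttributeValue", NS)
        except ET.ParseError:
            return self._reply(400, "text/plain", b"malformed XACML request")
        decision = "Permit" if action is not None and action.text == "read" else "Deny"
        resp = (f'<Response xmlns="{XACML_NS}"><Result><Decision>{decision}</Decision>'
                '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
                "</Result></Response>")
        self._reply(200, MEDIA_TYPE, resp.encode())

    def do_GET(self):
        prefix = "/pap-service/policies/"
        policy = POLICIES.get(self.path[len(prefix):]) if self.path.startswith(prefix) else None
        if policy is None:
            return self._reply(404, "text/plain", b"no such policy")
        self._reply(200, MEDIA_TYPE, policy.encode())

    def _reply(self, status, content_type, body):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the stub silent


def start_stub():
    """Start the stub on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubService)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def evaluate(base_url, subject_id, resource_id, action_id):
    """POST a XACML Request to the PDP and return the Decision text."""
    http_req = urllib.request.Request(
        f"{base_url}/pdp", data=xacml_request(subject_id, resource_id, action_id),
        headers={"Content-Type": MEDIA_TYPE, "Accept": MEDIA_TYPE}, method="POST")
    with OPENER.open(http_req) as resp:
        return ET.fromstring(resp.read()).find("x:Result/x:Decision", NS).text


def fetch_policy(base_url, policy_id):
    """GET /pap-service/policies/<PolicyId>; returns the PolicyId found, or None on 404."""
    try:
        with OPENER.open(f"{base_url}/pap-service/policies/{policy_id}") as resp:
            return ET.fromstring(resp.read()).get("PolicyId")
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    server, url = start_stub()
    print("read   ->", evaluate(url, "alice", "file:///export/report.pdf", "read"))
    print("write  ->", evaluate(url, "alice", "file:///export/report.pdf", "write"))
    print("policy ->", fetch_policy(url, "ExportPolicy"))
    server.shutdown()
```

The same two exchanges can be driven from the command line against a real endpoint, which is the scripted performance-testing angle the use case mentions: `curl -X POST -H "Content-Type: application/xacml+xml" --data-binary @request.xml http://pdp.example.com/pdp` and `curl http://example.com/pap-service/policies/ExportPolicy` (media type and paths as assumed above). A PDP in production should reject bodies it cannot parse with a 4xx, as the stub does, rather than returning a XACML Indeterminate for transport-level errors.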
Requirements for the REST profile for XACML v3.0
- Allow access to PDP
- Allow access to PAP
- Low complexity/high performance access over HTTP
- Use HTTP's uniform interface
- Allow multiple representations for requests and responses, at least:
  - XACML XML Request/Response independent of any SOAP or SAML envelope.
  - XACML elements with attributes rendered in JSON as objects with properties.
  - XML content artifacts may remain in the JSON representation: resource Content, for example, should remain XML so that XPath queries over it keep their meaning.
  - The PDP is not required to understand JSON: the REST service endpoint can transform the JSON request into XACML XML (or an equivalent internal representation) before passing it to the PDP, and transform the PDP's response back to JSON for return to the client.
- Support asynchronous completion callback patterns. JSONP and/or JSON-RPC are candidates. This would also work around browser same-origin restrictions (with JSONP the browser executes the returned response as script, so the client must trust the PDP endpoint).
- Define media types for these representations, to be standardized with IANA.
- Allow linking from one resource to another, e.g. from a PolicySet to the Policy identified by a PolicyIdReference.
- Single fixed entry point to the service; sub-services can be discovered through links.
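The JSON-to-XML transformation that the representation requirements above leave to the REST service endpoint, as an added example that is not part of the profile draft or of any XACML implementation. A JSON request in which XACML elements are objects and their XML attributes are properties is rewritten to XACML XML before it reaches the PDP, and a XACML XML Response is rewritten to JSON on the way back; the resource Content is carried through as an XML string in both directions. The JSON shape itself (nested objects and arrays for child elements, a reserved lowercase `text` property for element text, a `Content` property holding XML as a string) and the sample documents are assumptions for illustration; the profile states the goals, not the mapping.

```python
"""Added example (not part of the REST profile draft): JSON <-> XACML XML
rewriting at the REST endpoint, with resource Content kept as XML."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
# Lowercase on purpose: XACML's StatusCode has a real attribute named "Value",
# so a CamelCase name for element text would collide with it.
TEXT_KEY = "text"

# Constructed sample request. The resource Content stays an XML string so
# that AttributeSelector XPath expressions over it keep their meaning.
SAMPLE_JSON_REQUEST = {
    "Request": {
        "ReturnPolicyIdList": False,
        "Attributes": [{
            "Category": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
            "Content": '<doc xmlns="urn:example:records"><patient id="42"/></doc>',
            "Attribute": [{
                "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                "IncludeInResult": False,
                "AttributeValue": {
                    "DataType": "http://www.w3.org/2001/XMLSchema#string",
                    TEXT_KEY: "record-42",
                },
            }],
        }],
    }
}

# Constructed sample response as a PDP would return it in XML.
SAMPLE_XML_RESPONSE = (
    f'<Response xmlns="{XACML_NS}"><Result><Decision>Permit</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
    "</Result></Response>"
)


def _scalar(value):
    """JSON scalar -> XML attribute text; booleans must become xsd:boolean lexicals."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def _build(tag, obj, parent=None):
    """Object -> element: scalars become attributes, objects/arrays become children."""
    elem = ET.Element(tag) if parent is None else ET.SubElement(parent, tag)
    for key, value in obj.items():
        if key == TEXT_KEY:
            elem.text = str(value)
        elif key == "Content":
            # Parse the XML string and graft it in unchanged, its own namespace intact.
            ET.SubElement(elem, "Content").append(ET.fromstring(value))
        elif isinstance(value, dict):
            _build(key, value, elem)
        elif isinstance(value, list):
            for item in value:
                _build(key, item, elem)
        else:
            elem.set(key, _scalar(value))
    return elem


def json_to_xacml_xml(doc):
    """Treat the single top-level property as the XACML root element and serialise it."""
    (root_tag, body), = doc.items()
    root = _build(root_tag, body)
    root.set("xmlns", XACML_NS)
    return ET.tostring(root, encoding="unicode")


def _local(tag):
    return tag.split("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds


def xacml_xml_to_json(xml_text):
    """Element -> object, the inverse mapping; repeated child names collapse to arrays."""
    def walk(elem):
        obj = dict(elem.attrib)
        if elem.text and elem.text.strip():
            obj[TEXT_KEY] = elem.text.strip()
        for child in elem:
            name = _local(child.tag)
            if name == "Content":  # keep the XML verbatim instead of mapping it to objects
                obj[name] = "".join(ET.tostring(c, encoding="unicode") for c in child)
                continue
            item = walk(child)
            if name in obj:
                obj[name] = obj[name] if isinstance(obj[name], list) else [obj[name]]
                obj[name].append(item)
            else:
                obj[name] = item
        return obj

    root = ET.fromstring(xml_text)
    return {_local(root.tag): walk(root)}


def find_in_xml(xml_text, path, namespaces):
    """Helper for checks: ElementTree find() over serialised XML."""
    return ET.fromstring(xml_text).find(path, namespaces)
```

Two points the code makes visible. First, the reverse mapping cannot tell a single `Attributes` element from a list of one, so it emits an object where the request had an array; a production mapping would fix cardinality per element name from the XACML schema rather than inferring it. Second, grafting `Content` by parsing it means the endpoint's XML parser sees attacker-controlled XML twice, once inside the JSON and once here, so external entity and DTD processing must be disabled on both paths (ElementTree does not resolve external entities, which is why it is used here).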