I have a web application in which I am giving role-based data access to the user. I use the concept of XACML-based reverse querying, i.e.

"A user want to access resource xyz, so under what condition he is allowed to do so?"

So, my question is how feasible it will be if I do not filter the data based on the policy in the server, and instead push all data along with the policy to the client and let the client handle filtering the data. I wanted to do this because my server is a cloud-based server and I do not want to put any computational overload on it, so I wanted to know whether there is any drawback if I go with such an approach.

Phalguni Mukherjee

2 Answers

2

Your approach is not feasible to work in a distributed environment. As you mention your application is cloud based, it means you are following the distributed architecture. In that case it's a highly wrong way to put all the decisions on the client side. Let the server do the server's work of handling client requests and serving accordingly.

Drawbacks:

  1. Your client is overloaded.
  2. No separation of PEP and PDP in your case.
  3. Policies should be stored in the Policy Store; you are storing all the stuff on the client side.
  4. As you mention, if you do not filter the data based on the policy then there is no use in using XACML 3.0.
Utsav
1
  1. It is not really secure at all.
  2. More traffic on the wire.
  3. More logic on the client, so in case of updates you will need to update many clients instead of a single server in the cloud.
Mike Chaliy
  • My PDP will be with the server only; I want to shift my PEP to the client. Also, my policy is very static and would not change over time. – Phalguni Mukherjee Feb 20 '14 at 06:17
  • 1
    Yes, you can separate PDP and PEP. You can add the PEP along with the application so that from the application side, using the PEP, you can make XACML requests to the PDP. – Utsav Mar 05 '14 at 17:54
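As an added example (not code from the question or either answer), here is a minimal XACML-style policy evaluated on the server: `decide` plays the PDP with deny-overrides combining, `reverse_query` answers the post's reverse question ("under which rules may this user access this resource?"), and `filter_server_side` is the server-side PEP, so only permitted rows ever leave the server. The rules, the attribute names (`role`, `department`, `archived`) and the records are constructed sample data, not a real policy.

```python
# Added example, not code from the question or answers: a minimal XACML-style
# policy with the PDP and the PEP both on the server, so the client only ever
# receives rows it is permitted to see. Rules, attribute names and records
# are constructed sample data, not a real policy.
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str  # "Permit" or "Deny", as in XACML
    applies: Callable[[Dict, Dict], bool]  # (subject attrs, resource attrs)

# Constructed policy: doctors read their own department, auditors read any
# record, and archived records are denied to everyone.
POLICY: List[Rule] = [
    Rule("deny-archived", "Deny", lambda s, r: r["archived"]),
    Rule("doctor-own-dept", "Permit",
         lambda s, r: s["role"] == "doctor" and s["department"] == r["department"]),
    Rule("auditor-any", "Permit", lambda s, r: s["role"] == "auditor"),
]

def decide(subject: Dict, resource: Dict) -> str:
    """PDP with deny-overrides combining: an applicable Deny wins; otherwise
    Permit if any Permit rule applies; otherwise NotApplicable (the PEP
    treats anything other than Permit as a denial)."""
    effects = {rule.effect for rule in POLICY if rule.applies(subject, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def reverse_query(subject: Dict, resource: Dict) -> List[str]:
    """The reverse question from the post: under which rules may this subject
    access this resource? Empty when the overall decision is not Permit."""
    if decide(subject, resource) != "Permit":
        return []
    return [rule.rule_id for rule in POLICY
            if rule.effect == "Permit" and rule.applies(subject, resource)]

def filter_server_side(subject: Dict, records: List[Dict]) -> List[Dict]:
    """Server-side PEP: only rows with a Permit decision are sent to the client."""
    return [rec for rec in records if decide(subject, rec) == "Permit"]

# Constructed sample records.
RECORDS = [
    {"id": 1, "department": "cardiology", "archived": False},
    {"id": 2, "department": "oncology", "archived": False},
    {"id": 3, "department": "cardiology", "archived": True},
]
```

Pushing `RECORDS` and `POLICY` to the client instead would hand every row to a client that is free to skip `filter_server_side` entirely, which is the "not really secure at all" point above.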