Luchesar V. ILIEV wrote on 06/18/2010 02:17 PM:
> Actually, a compromise that I see is to be able to ask not for single
> resource/URI but for a list of resources/URIs -- with specific
> token/user -- and then get in response only those URIs to which the
> user has specific access (most likely GET, in certain cases probably
> also POST). However, I'm not quite sure whether OpenSSO is able to do
> this.
>

 From my discussion on the OpenSSO mailing list, I learned that OpenSSO 
policy service is designed as an evaluation service:
It evaluates the policy in the context of an evaluation request. Because 
policies can have plugin to handle Subject, Resources and
conditions, you have to evaluate the policy on every possible URL in 
order to determine all resources.

But currently I am still involved in the discussion - there might come 
up other aspects.

Andreas