Sometimes users and services need to revoke privilege assignments. Users change their minds; people leave groups, services change functionality, and so on. Even though it adds complexity, any practical delegation protocol must support revocation.
In SDM, revocability is an optional attribute of delegation. If performance is an issue, or revocation is somehow known to never ne necessary, the delegation can be made non-revocable. This facility to explicitly enable or disable revocation is again carried out using the AccessController object. The changed revocation status remains valid, until it gets changed again. The AccessController method setRevocableDelegation(true) enables delegation to be revocable until it is set otherwise.
If delegation is revocable, then the end-point (but not necessarily any of the intermediate delegates) of a chain must be able to find out. In SDM, the DelegationID and delegation server (URL) associated with certificates define the uniqueness of a delegation certificate. If the endpoint has not seen the delegation certificate earlier, it must contact the DelegationServer of the initiator and verify its validity. And if it is not a one-shot delegation (a delegation that is valid for one access request only), the end point registers itself as a DelegationRevocationListener with the initiator.
When an end-point receives a service request from a principal, its AccessController checks if the service has been delegated through the invoking principal, and if so whether the delegation is revocable. If the delegation is not revocable, it goes ahead to provide/deny access according to the delegates privileges.
But if the delegation is revocable: