cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ralph Goers <>
Subject RE: Access control with XACML
Date Fri, 19 Dec 2003 20:46:41 GMT
My first thought would be to use the Authentication framework and have all
of this take place in the authenticator pipeline.

> -----Original Message-----
> From: Morley Howell []
> Sent: Friday, December 19, 2003 12:24 PM
> To: Cocoon Dev List
> Subject: Access control with XACML
> Hi all,
> Apologies in advance for the long message below. However, I 
> hope what I'm
> trying to do could be of some value in general.
> I need to implement access control (aka authorization) in 
> Cocoon, and I'm
> looking at the OASIS XACML standard as the basis for this.
> XACML defines a framework for submitting access control requests to a
> decision-making engine, which uses configured rules to return 
> a 'Permit' or
> 'Deny' result. Requests are submitted in XML, the rules are 
> specified in
> XML, and the decision is returned as XML. It looks something 
> like this:
>                  Rules XML
>                      |
>                      |
>                      V
> Request XML --> XACML Engine --> Response XML
> For further details, check out
> ml. There is
> also an open source Java implementation of the framework on 
> sourceforge at
> This looks like a Cocoon transformer. It would load the rules 
> on startup,
> accept the request XML on the incoming side, and spit out the engine's
> response on the other side. To use this in a pipeline, you would:
> - convert a user's request into the XACML request XML format
> - run this through the XACML transformer
> - use  the 'Permit' or 'Deny' result contained in the 
> transformer's XACML
> result output to trigger conditional logic later on in your pipeline
> I have a problem with this idea. I need to handle requests 
> where the client
> submits XML to the server. I need to apply security rules to 
> the user's XML,
> and then use it downstream. I can use a transformer to embed 
> the user's XML
> inside a XACML request. The problem is that the XACML result does not
> include the request, and so I would lose the user's XML 
> downstream of the
> XACML transformer.
> The transformer could include both the request and the result 
> in its output.
> It would have to propagate the incoming XML both to the XACML 
> engine and to
> the output of the transformer. Is this possible? How could 
> this be done?
> An alternative is to write an action, much like auth-protect in the
> authentication framework. It would be configured with a URI 
> from which it
> retrieves access control decisions. The URI could be pointed 
> to a different
> pipeline that has the XACML transformer embedded in it. Anything this
> pipeline does would not affect the XML in the calling pipeline.
> My problem is how to pass a copy of the user's XML from the 
> main pipeline to
> the access control pipeline. My other problem is that this 
> option seems more
> complex and time-consuming for a Cocoon newbie like me to tackle.
> Any help with these ideas or any alternative ideas would be greatly
> appreciated!
> Thanks,
> Morley Howell

View raw message