cocoon-dev mailing list archives

From Ralph Goers <Ralph.Go...@digitalinsight.com>
Subject RE: Access control with XACML
Date Fri, 19 Dec 2003 21:53:41 GMT
The authentication pipeline returns an XML document which can be used to
determine what the error is. I just made a wiki entry in the last couple of
days that clarifies how to do that (at least, I think it's clear!).

We use it to determine if the password has expired. If so a slightly
different login page is presented to allow the old and new password to be
entered. The same authentication pipeline accepts the new password and our
business tier then a) attempts to log in with the old password and gets the
password expired exception b) changes the password if the new password is
supplied and c) logs in again using the new password.

Ralph

> -----Original Message-----
> From: Morley Howell [mailto:morley@orbiscommunications.com]
> Sent: Friday, December 19, 2003 1:32 PM
> To: dev@cocoon.apache.org
> Subject: RE: Access control with XACML
> 
> 
> 
> Wouldn't this make it difficult to differentiate which one failed? E.g. if
> the authentication fails, you might redirect to a login page, but if access
> is denied you likely want to do something else.
> 
> > -----Original Message-----
> > From: Ralph Goers [mailto:Ralph.Goers@digitalinsight.com]
> > Sent: Friday December 19, 2003 3:47 PM
> > To: 'dev@cocoon.apache.org'
> > Subject: RE: Access control with XACML
> >
> >
> > My first thought would be to use the Authentication framework and have all
> > of this take place in the authenticator pipeline.
> >
> > > -----Original Message-----
> > > From: Morley Howell [mailto:morley@orbiscommunications.com]
> > > Sent: Friday, December 19, 2003 12:24 PM
> > > To: Cocoon Dev List
> > > Subject: Access control with XACML
> > >
> > >
> > > Hi all,
> > >
> > > Apologies in advance for the long message below. However, I
> > > hope what I'm
> > > trying to do could be of some value in general.
> > >
> > > I need to implement access control (aka authorization) in
> > > Cocoon, and I'm
> > > looking at the OASIS XACML standard as the basis for this.
> > >
> > > XACML defines a framework for submitting access control requests to a
> > > decision-making engine, which uses configured rules to return
> > > a 'Permit' or
> > > 'Deny' result. Requests are submitted in XML, the rules are
> > > specified in
> > > XML, and the decision is returned as XML. It looks something
> > > like this:
> > >
> > >                  Rules XML
> > >                      |
> > >                      |
> > >                      V
> > > Request XML --> XACML Engine --> Response XML
> > >
> > > For further details, check out
> > > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xac
> > > ml. There is
> > > also an open source Java implementation of the framework on
> > > sourceforge at
> > > http://sunxacml.sourceforge.net/.
> > >
> > > This looks like a Cocoon transformer. It would load the rules
> > > on startup,
> > > accept the request XML on the incoming side, and spit out the engine's
> > > response on the other side. To use this in a pipeline, you would:
> > > - convert a user's request into the XACML request XML format
> > > - run this through the XACML transformer
> > > - use the 'Permit' or 'Deny' result contained in the transformer's XACML
> > > result output to trigger conditional logic later on in your pipeline
> > >
> > > I have a problem with this idea. I need to handle requests
> > > where the client
> > > submits XML to the server. I need to apply security rules to
> > > the user's XML,
> > > and then use it downstream. I can use a transformer to embed
> > > the user's XML
> > > inside a XACML request. The problem is that the XACML result does not
> > > include the request, and so I would lose the user's XML
> > > downstream of the
> > > XACML transformer.
> > >
> > > The transformer could include both the request and the result
> > > in its output.
> > > It would have to propagate the incoming XML both to the XACML
> > > engine and to
> > > the output of the transformer. Is this possible? How could
> > > this be done?
> > >
> > > An alternative is to write an action, much like auth-protect in the
> > > authentication framework. It would be configured with a URI
> > > from which it
> > > retrieves access control decisions. The URI could be pointed
> > > to a different
> > > pipeline that has the XACML transformer embedded in it. Anything this
> > > pipeline does would not affect the XML in the calling pipeline.
> > >
> > > My problem is how to pass a copy of the user's XML from the
> > > main pipeline to
> > > the access control pipeline. My other problem is that this
> > > option seems more
> > > complex and time-consuming for a Cocoon newbie like me to tackle.
> > >
> > > Any help with these ideas or any alternative ideas would be greatly
> > > appreciated!
> > >
> > > Thanks,
> > >
> > > Morley Howell
> > >
> >
> 
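Added example, not part of the thread and not Cocoon or sunxacml code: a toy XACML-style policy decision point in Python that walks the "Rules XML + Request XML -> Response XML" flow Morley describes, using deny-overrides rule combining, and a transform() step that does what his first option asks for, emitting the decision together with an untouched copy of the request so the user's XML survives downstream of the access-control step. The policy and request syntax, the element names (Policy, Rule, Target, Subject, Resource, Action, Payload, AccessControlResult) and the prefix-match semantics for Resource are simplifications assumed for this example, not the real XACML schema. The enforcement helper is_permitted() fails closed, treating NotApplicable and Indeterminate as a refusal, which is the check a practitioner wants between the engine's answer and the pipeline's conditional logic.

```python
"""Toy XACML-style PDP plus a pipeline "transformer" that carries the caller's
XML through alongside the decision. Illustrative only: the policy/request
syntax is a simplified stand-in for XACML; nothing here is sunxacml or Cocoon code."""
import xml.etree.ElementTree as ET

# Constructed sample policy. Assumed semantics: a missing target element
# matches anything, Resource matches by path prefix, combining is deny-overrides.
POLICY_XML = """<Policy RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="editors-may-edit" Effect="Permit">
    <Target><Subject role="editor"/><Resource id="/docs/"/><Action id="edit"/></Target>
  </Rule>
  <Rule RuleId="anyone-may-read" Effect="Permit">
    <Target><Resource id="/docs/"/><Action id="read"/></Target>
  </Rule>
  <Rule RuleId="no-edit-of-locked" Effect="Deny">
    <Target><Resource id="/docs/locked/"/><Action id="edit"/></Target>
  </Rule>
</Policy>"""


def _attr(parent, tag, attr):
    """Attribute `attr` of child `tag`, or None if that child is absent."""
    child = parent.find(tag)
    return None if child is None else child.get(attr)


def load_policy(policy_xml):
    """Parse the rules once (a transformer would do this at startup)."""
    root = ET.fromstring(policy_xml)
    rules = []
    for rule in root.findall("Rule"):
        target = rule.find("Target")
        if target is None:
            target = ET.Element("Target")  # no target: rule applies to everything
        rules.append({
            "id": rule.get("RuleId"),
            "effect": rule.get("Effect"),
            "role": _attr(target, "Subject", "role"),
            "resource": _attr(target, "Resource", "id"),
            "action": _attr(target, "Action", "id"),
        })
    return {"combining": root.get("RuleCombiningAlgId"), "rules": rules}


def rule_matches(rule, req):
    """A rule matches when every target element it specifies matches the request."""
    if rule["role"] is not None and rule["role"] != req["role"]:
        return False
    if rule["resource"] is not None and not req["resource"].startswith(rule["resource"]):
        return False
    if rule["action"] is not None and rule["action"] != req["action"]:
        return False
    return True


def evaluate(policy, request_xml):
    """Return Permit, Deny, NotApplicable or Indeterminate for a request document."""
    try:
        root = ET.fromstring(request_xml)
    except ET.ParseError:
        return "Indeterminate"  # unparseable request: the engine cannot decide
    req = {"role": _attr(root, "Subject", "role"),
           "resource": _attr(root, "Resource", "id") or "",
           "action": _attr(root, "Action", "id")}
    effects = [r["effect"] for r in policy["rules"] if rule_matches(r, req)]
    if "Deny" in effects:  # deny-overrides: a single matching Deny wins
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"  # no rule matched at all


def is_permitted(decision):
    """Enforcement rule: fail closed, only an explicit Permit grants access."""
    return decision == "Permit"


def make_request(role, resource, action, payload_xml="<empty/>"):
    """Build a request document that wraps the user's own XML in <Payload>."""
    req = ET.Element("Request")
    ET.SubElement(req, "Subject", role=role)
    ET.SubElement(req, "Resource", id=resource)
    ET.SubElement(req, "Action", id=action)
    ET.SubElement(req, "Payload").append(ET.fromstring(payload_xml))
    return ET.tostring(req, encoding="unicode")


def transform(policy, request_xml):
    """Emit the decision AND an untouched copy of the request, so the user's
    XML is still available to the pipeline after the access-control step."""
    decision = evaluate(policy, request_xml)
    out = ET.Element("AccessControlResult")
    ET.SubElement(ET.SubElement(out, "Response"), "Decision").text = decision
    if decision != "Indeterminate":  # only Indeterminate means the request did not parse
        out.append(ET.fromstring(request_xml))
    return ET.tostring(out, encoding="unicode")


def decision_of(result_xml):
    """Pick the decision out of the transformer output, for downstream matching."""
    return ET.fromstring(result_xml).findtext("Response/Decision")


def payload_of(result_xml):
    """Recover the user's original XML from the transformer output."""
    el = ET.fromstring(result_xml).find("Request/Payload/*")
    return None if el is None else ET.tostring(el, encoding="unicode")
```

Downstream the pipeline matches on decision_of() (or on the <Decision> element directly with a selector) and reads the user's document back out of <Request>/<Payload>, so nothing from the caller is lost. Note that NotApplicable and Indeterminate are distinct answers from Deny; is_permitted() collapses all three to "no access" so that a policy with no matching rule, or a request the engine cannot parse, never falls through as a grant.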
