cocoon-dev mailing list archives

From: Ralph Goers <Ralph.Go...@digitalinsight.com>
Subject: RE: Access control with XACML
Date: Fri, 19 Dec 2003 22:39:43 GMT
I am using JAAS so I check permissions after login using a
PermissionSelector. I would think you could do something similar.

On successful login you can either save an object in the session or save XML
access controls in the authentication session-context. If you save your
access controls in the session-context you can use the session context input
module to get to them from the sitemap.

Ralph

> -----Original Message-----
> From: Morley Howell [mailto:morley@orbiscommunications.com]
> Sent: Friday, December 19, 2003 2:36 PM
> To: dev@cocoon.apache.org
> Subject: RE: Access control with XACML
> 
> 
> 
> I checked out your wiki entry, and it was clear to me, thanks! :)
> 
> If a user has already been authenticated against a handler, does the
> auth-protect action re-execute the handler's authentication pipeline? If it
> doesn't, this would be a problem, since I need to re-execute the access
> control checks for each resource the user accesses, even if they're already
> logged in.
> 
> > -----Original Message-----
> > From: Ralph Goers [mailto:Ralph.Goers@digitalinsight.com]
> > Sent: Friday December 19, 2003 4:54 PM
> > To: 'dev@cocoon.apache.org'
> > Subject: RE: Access control with XACML
> >
> >
> > The authentication pipeline returns an XML document which can be used to
> > determine what the error is. I just made a wiki entry in the last couple of
> > days that clarifies how to do that (at least, I think it's clear!).
> >
> > We use it to determine if the password has expired. If so, a slightly
> > different login page is presented to allow the old and new password to be
> > entered. The same authentication pipeline accepts the new password and our
> > business tier then a) attempts to log in with the old password and gets the
> > password expired exception b) changes the password if the new password is
> > supplied and c) logs in again using the new password.
> >
> > Ralph
> >
> > > -----Original Message-----
> > > From: Morley Howell [mailto:morley@orbiscommunications.com]
> > > Sent: Friday, December 19, 2003 1:32 PM
> > > To: dev@cocoon.apache.org
> > > Subject: RE: Access control with XACML
> > >
> > >
> > >
> > > Wouldn't this make it difficult to differentiate which one failed? E.g. if
> > > the authentication fails, you might redirect to a login page, but if access
> > > is denied you likely want to do something else.
> > >
> > > > -----Original Message-----
> > > > From: Ralph Goers [mailto:Ralph.Goers@digitalinsight.com]
> > > > Sent: Friday December 19, 2003 3:47 PM
> > > > To: 'dev@cocoon.apache.org'
> > > > Subject: RE: Access control with XACML
> > > >
> > > >
> > > > My first thought would be to use the Authentication framework and have all
> > > > of this take place in the authenticator pipeline.
> > > >
> > > > > -----Original Message-----
> > > > > From: Morley Howell [mailto:morley@orbiscommunications.com]
> > > > > Sent: Friday, December 19, 2003 12:24 PM
> > > > > To: Cocoon Dev List
> > > > > Subject: Access control with XACML
> > > > >
> > > > >
> > > > > Hi all,
> > > > >
> > > > > Apologies in advance for the long message below. However, I hope what I'm
> > > > > trying to do could be of some value in general.
> > > > >
> > > > > I need to implement access control (aka authorization) in Cocoon, and I'm
> > > > > looking at the OASIS XACML standard as the basis for this.
> > > > >
> > > > > XACML defines a framework for submitting access control requests to a
> > > > > decision-making engine, which uses configured rules to return a 'Permit' or
> > > > > 'Deny' result. Requests are submitted in XML, the rules are specified in
> > > > > XML, and the decision is returned as XML. It looks something like this:
> > > > >
> > > > >                  Rules XML
> > > > >                      |
> > > > >                      |
> > > > >                      V
> > > > > Request XML --> XACML Engine --> Response XML
> > > > >
> > > > > For further details, check out
> > > > > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. There is
> > > > > also an open source Java implementation of the framework on sourceforge at
> > > > > http://sunxacml.sourceforge.net/.
> > > > >
> > > > > This looks like a Cocoon transformer. It would load the rules on startup,
> > > > > accept the request XML on the incoming side, and spit out the engine's
> > > > > response on the other side. To use this in a pipeline, you would:
> > > > > - convert a user's request into the XACML request XML format
> > > > > - run this through the XACML transformer
> > > > > - use the 'Permit' or 'Deny' result contained in the transformer's XACML
> > > > >   result output to trigger conditional logic later on in your pipeline
> > > > >
> > > > > I have a problem with this idea. I need to handle requests where the client
> > > > > submits XML to the server. I need to apply security rules to the user's XML,
> > > > > and then use it downstream. I can use a transformer to embed the user's XML
> > > > > inside a XACML request. The problem is that the XACML result does not
> > > > > include the request, and so I would lose the user's XML downstream of the
> > > > > XACML transformer.
> > > > >
> > > > > The transformer could include both the request and the result in its output.
> > > > > It would have to propagate the incoming XML both to the XACML engine and to
> > > > > the output of the transformer. Is this possible? How could this be done?
> > > > >
> > > > > An alternative is to write an action, much like auth-protect in the
> > > > > authentication framework. It would be configured with a URI from which it
> > > > > retrieves access control decisions. The URI could be pointed to a different
> > > > > pipeline that has the XACML transformer embedded in it. Anything this
> > > > > pipeline does would not affect the XML in the calling pipeline.
> > > > >
> > > > > My problem is how to pass a copy of the user's XML from the main pipeline to
> > > > > the access control pipeline. My other problem is that this option seems more
> > > > > complex and time-consuming for a Cocoon newbie like me to tackle.
> > > > >
> > > > > Any help with these ideas or any alternative ideas would be greatly
> > > > > appreciated!
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Morley Howell
> > > > >
> > > >
> > >
> >
> 
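The request/rules/response flow Morley describes, together with the variant he asks about where the decision step emits both the untouched request and the result so that the user's XML survives downstream, as an added Python example. This is not code from the thread, from Cocoon or from sunxacml: the policy format, the first-applicable rule matching, the element names and the sample request are all constructed for illustration and are far simpler than the OASIS XACML schema.

```python
"""Illustrative XACML-style decision step: request XML + rules XML -> response XML.

Added example with a constructed, simplified schema; it is not the OASIS XACML
schema, not the sunxacml engine and not a Cocoon transformer."""
import xml.etree.ElementTree as ET

# Constructed policy. Rules are evaluated top to bottom and the first one whose
# subject, resource and action all match decides ("first-applicable"), so the
# specific Deny for guests on /docs/private/ must come before the general read rule.
RULES_XML = """<policy>
  <rule effect="Permit" subject="editor" resource="/docs/*" action="write"/>
  <rule effect="Deny"   subject="guest"  resource="/docs/private/*" action="read"/>
  <rule effect="Permit" subject="*"      resource="/docs/*" action="read"/>
</policy>"""

# Constructed request: the access-control attributes plus the user's own XML
# payload that later pipeline stages still need.
REQUEST_XML = """<request>
  <subject>guest</subject>
  <resource>/docs/private/salary.xml</resource>
  <action>read</action>
  <payload><note>user supplied XML</note></payload>
</request>"""


def load_rules(rules_xml):
    """Parse the policy once (the 'load the rules on startup' step)."""
    return [rule.attrib for rule in ET.fromstring(rules_xml).findall("rule")]


def _match(pattern, value):
    """'*' matches anything, a trailing '*' is a prefix match, otherwise exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def decide(rules, subject, resource, action):
    """Return 'Permit', 'Deny' or 'NotApplicable' (no rule matched)."""
    for rule in rules:
        if (_match(rule["subject"], subject)
                and _match(rule["resource"], resource)
                and _match(rule["action"], action)):
            return rule["effect"]
    return "NotApplicable"


def authorize(request_xml, rules):
    """Decision step that keeps the request: the output document carries the
    original <request> (payload included) next to the <response>, so a later
    stage can both test the decision and keep working on the user's XML."""
    request = ET.fromstring(request_xml)
    decision = decide(rules,
                      request.findtext("subject"),
                      request.findtext("resource"),
                      request.findtext("action"))
    output = ET.Element("authorized")
    output.append(request)  # propagate the incoming XML untouched
    response = ET.SubElement(output, "response")
    ET.SubElement(response, "decision").text = decision
    return ET.tostring(output, encoding="unicode")


def is_permitted(output_xml):
    """Downstream conditional: only an explicit Permit grants access.
    Deny and NotApplicable are both treated as refusal."""
    return ET.fromstring(output_xml).findtext("response/decision") == "Permit"


def payload_of(output_xml):
    """Recover the user's XML from the decision step's output."""
    return ET.fromstring(output_xml).find("request/payload")


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    output = authorize(REQUEST_XML, rules)
    print(output)
    print("permitted:", is_permitted(output))
```

The point of `authorize` returning a combined document is exactly the propagation problem raised in the thread: the decision is attached next to the request instead of replacing it, so the stage that reads the decision can still hand the payload on. Note also that `is_permitted` accepts only an explicit `Permit`; a request no rule covers yields `NotApplicable` and is refused, and rule order matters under first-applicable matching.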
