cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Morley Howell" <>
Subject Access control with XACML
Date Fri, 19 Dec 2003 20:24:10 GMT
Hi all,

Apologies in advance for the long message below. However, I hope what I'm
trying to do could be of some value in general.

I need to implement access control (aka authorization) in Cocoon, and I'm
looking at the OASIS XACML standard as the basis for this.

XACML defines a framework for submitting access control requests to a
decision-making engine, which uses configured rules to return a 'Permit' or
'Deny' result. Requests are submitted in XML, the rules are specified in
XML, and the decision is returned as XML. It looks something like this:

                 Rules XML
Request XML --> XACML Engine --> Response XML

For further details, check out There is
also an open source Java implementation of the framework on sourceforge at

This looks like a Cocoon transformer. It would load the rules on startup,
accept the request XML on the incoming side, and spit out the engine's
response on the other side. To use this in a pipeline, you would:
- convert a user's request into the XACML request XML format
- run this through the XACML transformer
- use  the 'Permit' or 'Deny' result contained in the transformer's XACML
result output to trigger conditional logic later on in your pipeline

I have a problem with this idea. I need to handle requests where the client
submits XML to the server. I need to apply security rules to the user's XML,
and then use it downstream. I can use a transformer to embed the user's XML
inside a XACML request. The problem is that the XACML result does not
include the request, and so I would lose the user's XML downstream of the
XACML transformer.

The transformer could include both the request and the result in its output.
It would have to propagate the incoming XML both to the XACML engine and to
the output of the transformer. Is this possible? How could this be done?

An alternative is to write an action, much like auth-protect in the
authentication framework. It would be configured with a URI from which it
retrieves access control decisions. The URI could be pointed to a different
pipeline that has the XACML transformer embedded in it. Anything this
pipeline does would not affect the XML in the calling pipeline.

My problem is how to pass a copy of the user's XML from the main pipeline to
the access control pipeline. My other problem is that this option seems more
complex and time-consuming for a Cocoon newbie like me to tackle.

Any help with these ideas or any alternative ideas would be greatly


Morley Howell

View raw message