cocoon-dev mailing list archives

From "Morley Howell" <mor...@orbiscommunications.com>
Subject RE: Access control with XACML
Date Fri, 19 Dec 2003 21:32:01 GMT

Wouldn't this make it difficult to differentiate which one failed? E.g. if
the authentication fails, you might redirect to a login page, but if access
is denied you likely want to do something else.

> -----Original Message-----
> From: Ralph Goers [mailto:Ralph.Goers@digitalinsight.com]
> Sent: Friday December 19, 2003 3:47 PM
> To: 'dev@cocoon.apache.org'
> Subject: RE: Access control with XACML
>
>
> My first thought would be to use the Authentication framework and have all
> of this take place in the authenticator pipeline.
>
> > -----Original Message-----
> > From: Morley Howell [mailto:morley@orbiscommunications.com]
> > Sent: Friday, December 19, 2003 12:24 PM
> > To: Cocoon Dev List
> > Subject: Access control with XACML
> >
> >
> > Hi all,
> >
> > Apologies in advance for the long message below. However, I hope what I'm
> > trying to do could be of some value in general.
> >
> > I need to implement access control (aka authorization) in Cocoon, and I'm
> > looking at the OASIS XACML standard as the basis for this.
> >
> > XACML defines a framework for submitting access control requests to a
> > decision-making engine, which uses configured rules to return a 'Permit' or
> > 'Deny' result. Requests are submitted in XML, the rules are specified in
> > XML, and the decision is returned as XML. It looks something like this:
> >
> >                  Rules XML
> >                      |
> >                      |
> >                      V
> > Request XML --> XACML Engine --> Response XML
> >
> > For further details, check out
> > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. There is
> > also an open source Java implementation of the framework on sourceforge at
> > http://sunxacml.sourceforge.net/.
> >
> > This looks like a Cocoon transformer. It would load the rules on startup,
> > accept the request XML on the incoming side, and spit out the engine's
> > response on the other side. To use this in a pipeline, you would:
> > - convert a user's request into the XACML request XML format
> > - run this through the XACML transformer
> > - use the 'Permit' or 'Deny' result contained in the transformer's XACML
> > result output to trigger conditional logic later on in your pipeline
> >
> > I have a problem with this idea. I need to handle requests where the client
> > submits XML to the server. I need to apply security rules to the user's XML,
> > and then use it downstream. I can use a transformer to embed the user's XML
> > inside a XACML request. The problem is that the XACML result does not
> > include the request, and so I would lose the user's XML downstream of the
> > XACML transformer.
> >
> > The transformer could include both the request and the result in its output.
> > It would have to propagate the incoming XML both to the XACML engine and to
> > the output of the transformer. Is this possible? How could this be done?
> >
> > An alternative is to write an action, much like auth-protect in the
> > authentication framework. It would be configured with a URI from which it
> > retrieves access control decisions. The URI could be pointed to a different
> > pipeline that has the XACML transformer embedded in it. Anything this
> > pipeline does would not affect the XML in the calling pipeline.
> >
> > My problem is how to pass a copy of the user's XML from the main pipeline to
> > the access control pipeline. My other problem is that this option seems more
> > complex and time-consuming for a Cocoon newbie like me to tackle.
> >
> > Any help with these ideas or any alternative ideas would be greatly
> > appreciated!
> >
> > Thanks,
> >
> > Morley Howell
> >
>
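As an added example (not code from this thread, from Cocoon, or from sunxacml), here is a small Python sketch of the design discussed above: the caller's XML is wrapped in an XACML-shaped Request, evaluated against XML rules by a toy first-applicable evaluator (an assumption made for illustration; the real XACML Policy schema and sunxacml's API are not used), and emitted together with the Permit/Deny decision so that a later stage still has the user's document. The `route` function also keeps apart the two failure cases raised in this reply: no authenticated user versus an authenticated user who is denied. The rule set and the sample order document are constructed for the example.

```python
# Added example (not code from this thread, Cocoon or sunxacml): a toy,
# XACML-shaped authorization step that wraps the caller's XML in a Request,
# evaluates it against XML rules, and emits the decision together with the
# original document so downstream stages still see the user's XML.
import xml.etree.ElementTree as ET
from copy import deepcopy

# Constructed sample rule set (assumption: a simplified rule syntax, not the
# XACML Policy schema). Rules are tried in order; the first match decides.
POLICY_XML = """
<Policy>
  <Rule Effect="Permit" role="editor" action="write"/>
  <Rule Effect="Permit" role="viewer" action="read"/>
  <Rule Effect="Deny"/>
</Policy>
"""


def build_request(user_id, role, action, user_xml):
    """Wrap the client's XML in an XACML-style Request element.

    The user's document travels inside Resource/ResourceContent so the
    engine can inspect it; a deep copy is appended so the caller's own
    tree is not reparented and stays available downstream.
    """
    req = ET.Element("Request")
    subject = ET.SubElement(req, "Subject")
    ET.SubElement(subject, "Attribute", AttributeId="subject-id").text = user_id
    ET.SubElement(subject, "Attribute", AttributeId="role").text = role
    resource = ET.SubElement(req, "Resource")
    ET.SubElement(resource, "ResourceContent").append(deepcopy(user_xml))
    action_el = ET.SubElement(req, "Action")
    ET.SubElement(action_el, "Attribute", AttributeId="action-id").text = action
    return req


def evaluate(policy, request):
    """First-applicable evaluation: 'Permit', 'Deny' or 'NotApplicable'.

    Only Subject and Action attributes are consulted, so elements inside
    the embedded user document cannot masquerade as request attributes.
    """
    attrs = {}
    for attr in request.findall("Subject/Attribute") + request.findall("Action/Attribute"):
        attrs[attr.get("AttributeId")] = attr.text
    for rule in policy.findall("Rule"):
        wanted_role = rule.get("role")
        wanted_action = rule.get("action")
        if wanted_role is not None and wanted_role != attrs.get("role"):
            continue
        if wanted_action is not None and wanted_action != attrs.get("action-id"):
            continue
        return rule.get("Effect")
    return "NotApplicable"


def authorize(policy_xml, user_id, role, action, user_xml):
    """Run the toy engine and return <Authorized Decision="..."> with the
    user's original XML as its child: request content and result together."""
    policy = ET.fromstring(policy_xml)
    request = build_request(user_id, role, action, user_xml)
    decision = evaluate(policy, request)
    out = ET.Element("Authorized", Decision=decision)
    out.append(deepcopy(user_xml))
    return out


def route(user_id, role, action, user_xml_text):
    """Keep the two failure modes apart: no authenticated user -> 'login';
    authenticated but not permitted -> 'forbidden'; otherwise 'pass'.
    Returns (outcome, output_element_or_None)."""
    if user_id is None:
        return ("login", None)
    doc = ET.fromstring(user_xml_text)
    out = authorize(POLICY_XML, user_id, role, action, doc)
    if out.get("Decision") == "Permit":
        return ("pass", out)
    return ("forbidden", out)


if __name__ == "__main__":
    # Constructed sample client document.
    outcome, out = route("alice", "editor", "write",
                         "<order id='7'><item>book</item></order>")
    print(outcome, ET.tostring(out, encoding="unicode"))
```

The `deepcopy` calls are the point of the sketch: the same document is handed to the engine and re-emitted next to the decision, which is the "propagate the incoming XML both to the engine and to the output" behaviour the original post asks about, and a stage after this one can branch on `Decision` while still reading the order.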

