My first thought would be to use the Authentication framework and have all of this take place in the authenticator pipeline.
> -----Original Message-----
> From: Morley Howell [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 12:24 PM
> To: Cocoon Dev List
> Subject: Access control with XACML
>
> Hi all,
>
> Apologies in advance for the long message below. However, I hope what I'm
> trying to do could be of some value in general.
>
> I need to implement access control (aka authorization) in Cocoon, and I'm
> looking at the OASIS XACML standard as the basis for this.
>
> XACML defines a framework for submitting access control requests to a
> decision-making engine, which uses configured rules to return a 'Permit' or
> 'Deny' result. Requests are submitted in XML, the rules are specified in
> XML, and the decision is returned as XML. It looks something like this:
>
>                   Rules XML
>                       |
>                       |
>                       V
> Request XML --> XACML Engine --> Response XML
>
> For further details, check out
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. There is
> also an open source Java implementation of the framework on sourceforge at
> http://sunxacml.sourceforge.net/.
>
> This looks like a Cocoon transformer. It would load the rules on startup,
> accept the request XML on the incoming side, and spit out the engine's
> response on the other side. To use this in a pipeline, you would:
> - convert a user's request into the XACML request XML format
> - run this through the XACML transformer
> - use the 'Permit' or 'Deny' result contained in the transformer's XACML
>   result output to trigger conditional logic later on in your pipeline
>
> I have a problem with this idea. I need to handle requests where the client
> submits XML to the server. I need to apply security rules to the user's XML,
> and then use it downstream. I can use a transformer to embed the user's XML
> inside a XACML request. The problem is that the XACML result does not
> include the request, and so I would lose the user's XML downstream of the
> XACML transformer.
>
> The transformer could include both the request and the result in its output.
> It would have to propagate the incoming XML both to the XACML engine and to
> the output of the transformer. Is this possible? How could this be done?
>
> An alternative is to write an action, much like auth-protect in the
> authentication framework. It would be configured with a URI from which it
> retrieves access control decisions. The URI could be pointed to a different
> pipeline that has the XACML transformer embedded in it. Anything this
> pipeline does would not affect the XML in the calling pipeline.
>
> My problem is how to pass a copy of the user's XML from the main pipeline to
> the access control pipeline. My other problem is that this option seems more
> complex and time-consuming for a Cocoon newbie like me to tackle.
>
> Any help with these ideas or any alternative ideas would be greatly
> appreciated!
>
> Thanks,
>
> Morley Howell
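The pass-through idea from the quoted message (request and decision emitted side by side so the user's XML survives the authorization step), as an added example that is not part of this thread or of Cocoon or sunxacml: it builds an XACML 1.0 Request with the caller's XML under ResourceContent, runs it through a pluggable decision function, and wraps Request and Response together. The `toy_pdp` rule table and the `access-control` wrapper element are constructed stand-ins for a real policy engine and for whatever output format the transformer would use.

```python
import xml.etree.ElementTree as ET

CTX = "{urn:oasis:names:tc:xacml:1.0:context}"   # XACML 1.0 context namespace
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
IDS = {"Subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
       "Resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
       "Action": "urn:oasis:names:tc:xacml:1.0:action:action-id"}

def attribute(attr_id, value):
    attr = ET.Element(CTX + "Attribute", AttributeId=attr_id, DataType=XS_STRING)
    ET.SubElement(attr, CTX + "AttributeValue").text = value
    return attr

def build_request(subject, resource, action, user_xml):
    """Wrap the caller's XML in an XACML 1.0 Request, under Resource/ResourceContent."""
    req = ET.Element(CTX + "Request")
    for name, value in (("Subject", subject), ("Resource", resource), ("Action", action)):
        elem = ET.SubElement(req, CTX + name)
        if name == "Resource":  # ResourceContent comes before the Resource attributes
            ET.SubElement(elem, CTX + "ResourceContent").append(user_xml)
        elem.append(attribute(IDS[name], value))
    return req

def attr_value(request, category):
    return request.find(f"{CTX}{category}/{CTX}Attribute/{CTX}AttributeValue").text

# Constructed stand-in for a real PDP such as sunxacml: one Permit rule, default Deny.
RULES = {("editor", "/docs", "write"): "Permit"}
def toy_pdp(request):
    key = tuple(attr_value(request, c) for c in ("Subject", "Resource", "Action"))
    resp = ET.Element(CTX + "Response")
    result = ET.SubElement(resp, CTX + "Result")
    ET.SubElement(result, CTX + "Decision").text = RULES.get(key, "Deny")
    return resp

def authorize(user_xml, subject, resource, action, pdp=toy_pdp):
    """Transformer step: emit Request and Response together, so the user's XML
    inside the Request is still available to later pipeline stages."""
    request = build_request(subject, resource, action, user_xml)
    out = ET.Element("access-control")  # wrapper element name is made up for this example
    out.append(request)
    out.append(pdp(request))
    return out

def decision(out):
    return out.find(f"{CTX}Response/{CTX}Result/{CTX}Decision").text

def user_content(out):  # recover the caller's original XML from the Request side
    return out.find(f"{CTX}Request/{CTX}Resource/{CTX}ResourceContent")[0]
```

Downstream stages branch on `decision(out)` and continue with `user_content(out)`, which is the same element the client submitted.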
