Wouldn't this make it difficult to differentiate which one failed? E.g. if the authentication fails, you might redirect to a login page, but if access is denied you likely want to do something else.
> -----Original Message-----
> From: Ralph Goers [mailto:[EMAIL PROTECTED]
> Sent: Friday December 19, 2003 3:47 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Access control with XACML
>
> My first thought would be to use the Authentication framework and have all
> of this take place in the authenticator pipeline.
>
> > -----Original Message-----
> > From: Morley Howell [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 19, 2003 12:24 PM
> > To: Cocoon Dev List
> > Subject: Access control with XACML
> >
> > Hi all,
> >
> > Apologies in advance for the long message below. However, I hope what I'm
> > trying to do could be of some value in general.
> >
> > I need to implement access control (aka authorization) in Cocoon, and I'm
> > looking at the OASIS XACML standard as the basis for this.
> >
> > XACML defines a framework for submitting access control requests to a
> > decision-making engine, which uses configured rules to return a 'Permit' or
> > 'Deny' result. Requests are submitted in XML, the rules are specified in
> > XML, and the decision is returned as XML. It looks something like this:
> >
> >              Rules XML
> >                  |
> >                  |
> >                  V
> > Request XML --> XACML Engine --> Response XML
> >
> > For further details, check out
> > http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. There is
> > also an open source Java implementation of the framework on sourceforge at
> > http://sunxacml.sourceforge.net/.
> >
> > This looks like a Cocoon transformer. It would load the rules on startup,
> > accept the request XML on the incoming side, and spit out the engine's
> > response on the other side. To use this in a pipeline, you would:
> >
> > - convert a user's request into the XACML request XML format
> > - run this through the XACML transformer
> > - use the 'Permit' or 'Deny' result contained in the transformer's XACML
> >   result output to trigger conditional logic later on in your pipeline
> >
> > I have a problem with this idea. I need to handle requests where the client
> > submits XML to the server. I need to apply security rules to the user's XML,
> > and then use it downstream. I can use a transformer to embed the user's XML
> > inside a XACML request. The problem is that the XACML result does not
> > include the request, and so I would lose the user's XML downstream of the
> > XACML transformer.
> >
> > The transformer could include both the request and the result in its output.
> > It would have to propagate the incoming XML both to the XACML engine and to
> > the output of the transformer. Is this possible? How could this be done?
> >
> > An alternative is to write an action, much like auth-protect in the
> > authentication framework. It would be configured with a URI from which it
> > retrieves access control decisions. The URI could be pointed to a different
> > pipeline that has the XACML transformer embedded in it. Anything this
> > pipeline does would not affect the XML in the calling pipeline.
> >
> > My problem is how to pass a copy of the user's XML from the main pipeline to
> > the access control pipeline. My other problem is that this option seems more
> > complex and time-consuming for a Cocoon newbie like me to tackle.
> >
> > Any help with these ideas or any alternative ideas would be greatly
> > appreciated!
> >
> > Thanks,
> >
> > Morley Howell
> >
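The Request XML -> engine -> Response XML flow quoted above, and the "propagate the request alongside the result" transformer output that Morley asks about, as an added example that is not part of this thread and is not Cocoon or sunxacml code. The rule engine below is a constructed stand-in for a real XACML policy decision point (two hard-coded rules, first applicable wins); the envelope element `access-check`, the helper names and the sample report payload are all assumptions made for illustration. What the XACML 1.0 context namespace, the `subject-id`/`resource-id`/`action-id` attribute identifiers, `ResourceContent` and the four decision values are is taken from the standard. The point it makes: carry the user's XML inside `ResourceContent` so it survives the check, emit the original Request next to the Response so downstream stages can both branch and keep working on the XML, and treat anything other than an explicit `Permit` (including `NotApplicable` and `Indeterminate`) as refusal, while keeping a missing subject distinguishable from a policy `Deny` so it can be routed to login rather than to an access-denied page.

```python
"""Simulated XACML 1.0 decision flow: Request XML -> engine -> Response XML,
with the original request carried alongside the decision for downstream use.
The rule engine is a constructed stand-in, not sunxacml (example, not project code)."""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:1.0:context"
NS = {"ctx": CTX}
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed rule set (effect, subject, resource, action); None matches anything.
# First applicable rule wins; no match yields NotApplicable.
RULES = [
    ("Permit", "alice", "/reports", "read"),
    ("Deny", None, "/reports", "write"),
]


def build_request(subject, resource, action, payload=None):
    """Return a XACML 1.0 Request; the user's own XML, if any, rides inside ResourceContent."""
    req = ET.Element(f"{{{CTX}}}Request")
    for tag, attr_id, value in (("Subject", SUBJECT_ID, subject),
                                ("Resource", RESOURCE_ID, resource),
                                ("Action", ACTION_ID, action)):
        holder = ET.SubElement(req, f"{{{CTX}}}{tag}")
        if tag == "Resource" and payload is not None:
            ET.SubElement(holder, f"{{{CTX}}}ResourceContent").append(ET.fromstring(payload))
        if value is None:
            continue  # unauthenticated caller: no subject-id attribute at all
        attr = ET.SubElement(holder, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=STRING)
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


def _attr(elem, tag, attr_id):
    path = f"ctx:{tag}/ctx:Attribute[@AttributeId='{attr_id}']/ctx:AttributeValue"
    node = elem.find(path, NS)
    return None if node is None else node.text


def evaluate(request_xml):
    """Stand-in PDP: parse the Request, apply RULES, return Response XML."""
    req = ET.fromstring(request_xml)
    subject = _attr(req, "Subject", SUBJECT_ID)
    resource = _attr(req, "Resource", RESOURCE_ID)
    action = _attr(req, "Action", ACTION_ID)
    if subject is None or resource is None or action is None:
        decision = "Indeterminate"  # a required attribute is missing (simplified handling)
    else:
        decision = "NotApplicable"
        for effect, s, r, a in RULES:
            if all(want in (None, got) for want, got in ((s, subject), (r, resource), (a, action))):
                decision = effect
                break
    resp = ET.Element(f"{{{CTX}}}Response")
    result = ET.SubElement(resp, f"{{{CTX}}}Result")
    if resource is not None:
        result.set("ResourceId", resource)
    ET.SubElement(result, f"{{{CTX}}}Decision").text = decision
    return ET.tostring(resp, encoding="unicode")


def check_access(request_xml):
    """What the transformer would emit: the original Request and the engine's Response
    side by side, so later stages keep the user's XML and can branch on the decision."""
    env = ET.Element("access-check")  # assumed envelope element name
    env.append(ET.fromstring(request_xml))
    env.append(ET.fromstring(evaluate(request_xml)))
    return ET.tostring(env, encoding="unicode")


def decision_of(envelope_xml):
    env = ET.fromstring(envelope_xml)
    return env.find("ctx:Response/ctx:Result/ctx:Decision", NS).text


def is_permitted(envelope_xml):
    """Fail closed: only an explicit Permit grants access; Deny, NotApplicable
    and Indeterminate are all refused."""
    return decision_of(envelope_xml) == "Permit"


def payload_of(envelope_xml):
    """Recover the user's XML downstream of the decision."""
    env = ET.fromstring(envelope_xml)
    content = env.find("ctx:Request/ctx:Resource/ctx:ResourceContent", NS)
    if content is None or len(content) == 0:
        return None
    return ET.tostring(content[0], encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: authenticated user submitting an XML document for a read.
    env = check_access(build_request("alice", "/reports", "read", "<report><title>Q4</title></report>"))
    print(decision_of(env), payload_of(env))
```

A caller that wants to send the unauthenticated case to a login page rather than an access-denied page can test for the absence of a subject before calling the engine (or branch on `Indeterminate` in this stand-in), which is separate from the policy `Deny` that the rules produce.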
