I checked out your wiki entry, and it was clear to me, thanks! :) If a user has already been authenticated against a handler, does the auth-protect action re-execute the handler's authentication pipeline? If it doesn't, this would be a problem, since I need to re-execute the access control checks for each resource the user accesses, even if they're already logged in.
> -----Original Message-----
> From: Ralph Goers [mailto:[EMAIL PROTECTED]
> Sent: Friday December 19, 2003 4:54 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Access control with XACML
>
> The authentication pipeline returns an XML document which can be used to determine what the error is. I just made a wiki entry in the last couple of days that clarifies how to do that (at least, I think it's clear!).
>
> We use it to determine if the password has expired. If so a slightly different login page is presented to allow the old and new password to be entered. The same authentication pipeline accepts the new password and our business tier then a) attempts to log in with the old password and gets the password expired exception b) changes the password if the new password is supplied and c) logs in again using the new password.
>
> Ralph
>
> > -----Original Message-----
> > From: Morley Howell [mailto:[EMAIL PROTECTED]
> > Sent: Friday, December 19, 2003 1:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Access control with XACML
> >
> > Wouldn't this make it difficult to differentiate which one failed? E.g. if the authentication fails, you might redirect to a login page, but if access is denied you likely want to do something else.
> >
> > > -----Original Message-----
> > > From: Ralph Goers [mailto:[EMAIL PROTECTED]
> > > Sent: Friday December 19, 2003 3:47 PM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: Access control with XACML
> > >
> > > My first thought would be to use the Authentication framework and have all of this take place in the authenticator pipeline.
> > >
> > > > -----Original Message-----
> > > > From: Morley Howell [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, December 19, 2003 12:24 PM
> > > > To: Cocoon Dev List
> > > > Subject: Access control with XACML
> > > >
> > > > Hi all,
> > > >
> > > > Apologies in advance for the long message below. However, I hope what I'm trying to do could be of some value in general.
> > > >
> > > > I need to implement access control (aka authorization) in Cocoon, and I'm looking at the OASIS XACML standard as the basis for this.
> > > >
> > > > XACML defines a framework for submitting access control requests to a decision-making engine, which uses configured rules to return a 'Permit' or 'Deny' result. Requests are submitted in XML, the rules are specified in XML, and the decision is returned as XML. It looks something like this:
> > > >
> > > >                   Rules XML
> > > >                       |
> > > >                       |
> > > >                       V
> > > > Request XML --> XACML Engine --> Response XML
> > > >
> > > > For further details, check out http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. There is also an open source Java implementation of the framework on sourceforge at http://sunxacml.sourceforge.net/.
> > > >
> > > > This looks like a Cocoon transformer. It would load the rules on startup, accept the request XML on the incoming side, and spit out the engine's response on the other side. To use this in a pipeline, you would:
> > > > - convert a user's request into the XACML request XML format
> > > > - run this through the XACML transformer
> > > > - use the 'Permit' or 'Deny' result contained in the transformer's XACML result output to trigger conditional logic later on in your pipeline
> > > >
> > > > I have a problem with this idea. I need to handle requests where the client submits XML to the server. I need to apply security rules to the user's XML, and then use it downstream. I can use a transformer to embed the user's XML inside a XACML request. The problem is that the XACML result does not include the request, and so I would lose the user's XML downstream of the XACML transformer.
> > > >
> > > > The transformer could include both the request and the result in its output. It would have to propagate the incoming XML both to the XACML engine and to the output of the transformer. Is this possible? How could this be done?
> > > >
> > > > An alternative is to write an action, much like auth-protect in the authentication framework. It would be configured with a URI from which it retrieves access control decisions. The URI could be pointed to a different pipeline that has the XACML transformer embedded in it. Anything this pipeline does would not affect the XML in the calling pipeline.
> > > >
> > > > My problem is how to pass a copy of the user's XML from the main pipeline to the access control pipeline. My other problem is that this option seems more complex and time-consuming for a Cocoon newbie like me to tackle.
> > > >
> > > > Any help with these ideas or any alternative ideas would be greatly appreciated!
> > > >
> > > > Thanks,
> > > >
> > > > Morley Howell
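Added example, not from this thread, Cocoon or sunxacml: a minimal XACML-style decision point in Python that evaluates a simplified request and emits the decision together with the untouched request, the "include both the request and the result in its output" design raised in the original message, and that is invoked per resource access rather than once at login, which is the point of the reply above. The rule set, the request format, the element names and the AccessControlResult wrapper are all constructed for illustration and do not follow the real XACML schema.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple
Rule = namedtuple("Rule", "role resource action effect")  # effect: Permit/Deny

# Constructed rule set (hypothetical), combined first-applicable as XACML
# allows: the first matching rule decides.
RULES = [
    Rule("editor", "/docs/report.xml", "write", "Permit"),
    Rule("viewer", "/docs/report.xml", "read", "Permit"),
    Rule("viewer", "/docs/report.xml", "write", "Deny"),
]

# Constructed, simplified request (not the real XACML context schema);
# <Payload> stands for the XML the client submitted to the server.
SAMPLE_REQUEST = (
    '<Request><Subject role="viewer"/><Resource id="/docs/report.xml"/>'
    '<Action id="write"/><Payload><doc>hello</doc></Payload></Request>'
)

def _decide(request, rules):
    parts = [request.find(t) for t in ("Subject", "Resource", "Action")]
    if any(p is None for p in parts):
        return "Indeterminate"  # malformed request: XACML's error decision
    key = (parts[0].get("role"), parts[1].get("id"), parts[2].get("id"))
    for r in rules:
        if (r.role, r.resource, r.action) == key:
            return r.effect
    return "NotApplicable"  # nothing matched; the enforcement point must deny

def evaluate(request_xml, rules=RULES):
    """Decision for one request; run per resource access, not once at login."""
    return _decide(ET.fromstring(request_xml), rules)

def decide_and_wrap(request_xml, rules=RULES):
    """Emit XML carrying BOTH the decision and the untouched request, so a
    downstream pipeline step still has the user's payload."""
    request = ET.fromstring(request_xml)
    result = ET.Element("AccessControlResult")
    ET.SubElement(result, "Decision").text = _decide(request, rules)
    result.append(request)
    return ET.tostring(result, encoding="unicode")

def read_result(result_xml):
    """Downstream consumer: permit only on an explicit Permit; recover payload."""
    result = ET.fromstring(result_xml)
    permitted = result.findtext("Decision") == "Permit"
    payload = result.find("Request/Payload")
    if payload is None or len(payload) == 0:
        return permitted, None
    return permitted, ET.tostring(payload[0], encoding="unicode")
```

Note that read_result treats NotApplicable and Indeterminate the same as Deny: only an explicit Permit grants access.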
