Hi Simon,
this section of the "Fedora Repository 3.3 Documentation" is currently my bedside book. I have finally found a combination of policies corresponding to my aim. In fact, the XACML that I put in was not enough. I still have a problem with BASIC authentication... and the solution is probably in the Tomcat configuration. If I don't succeed, I'll create a new post for that, but I have already seen such a problem pass through the list. I'm optimistic!

Thank you for your cooperation and best regards
Pierre-Yves

Simon McMillan wrote:
Hi Pierre-Yves,

I have attempted to replicate your XACML policy for a single PID, but have not 
been successful.

I think, perhaps, that you have to make the policy refer to specific 
datastreams and disseminations as well as an object.

See 
https://wiki.duraspace.org/display/FR22DOC/Fedora+XACML+Policy+Writing+Guide 
section 5.1.1

I am sorry that I cannot be more helpful.

Regards,
Simon.


-----Original Message-----
From: Pierre-Yves JALLUD [mailto:[email protected]]
Sent: Wednesday, 28 July 2010 5:50 PM
To: fedora-commons-developers
Subject: Re: [Fedora-commons-developers] XACML - restrict the access

Hi Simon,
thank you for the remark. It is indeed simpler. I have already tested many 
sorts of methods to test (urn:oasis:names:tc:xacml:1.0:function:string-equal,
urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of,
urn:oasis:names:tc:xacml:1.0:function:string-bag,
urn:oasis:names:tc:xacml:1.0:function:regexp-string-match, ...) the user
(urn:fedora:names:fedora:2.1:subject:loginId) or his group (fedoraRole), but 
each time the rule doesn't have the intended effect. When I set the DEBUG 
level for the logs, I interpret the information as if FedoraCommons couldn't 
get the role or the name of the user when the rule concerns a single object. I 
can't imagine it's a bug in FC because the rule is very basic... but I really 
don't know where to look to solve my problem. I have limited the XACML file 
to the minimum to be sure that the rule isn't disturbed by another one.

I have got the sources of FC (RC1) and recompiled the fcrepo-server adding more 
traces... but the information seems to be in the XACML libraries, not included 
in FC.

Have you any other advice or remarks?...

Greetings
Pierre-Yves

Simon McMillan wrote:
Hi Pierre-Yves,

Your RuleID="1" could be simpler, I think.

Have you tried something like this?

  <Rule RuleId="1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Group1</AttributeValue>
        <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>

Regards,
Simon.

-----Original Message-----
From: Pierre-Yves JALLUD [mailto:[email protected]]
Sent: Wednesday, 28 July 2010 12:51 AM
To: fedora-commons-developers
Subject: [Fedora-commons-developers] XACML - restrict the access

Hi all,
as I didn't get a response, I take the liberty of sending my question again to the developer list. I have made many tests from the examples at https://wiki.duraspace.org/display/FCR30/XACML+Vocabulary+and+Examples
But I don't succeed in permitting access to a specific object for a single user.

Have you any recommendations?... It's very important for my project and I really 
don't understand why it doesn't work.

Greetings
Pierre-Yves
Date: Fri, 23 Jul 2010 12:59:56 +0200
From: Pierre-Yves JALLUD <[email protected]>
Subject: [Fedora-commons-users] XACML - restrict the access
To: fedora-commons-users <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Hi all,
I'm trying to make a policy rule to deny access to an object
(MyNS:Restricted_Object) if the user doesn't have the Group1 role (defined in fedora-users.xml). You can find below the definition of the user and the XACML file. But it doesn't work! When I don't activate the XACML file, there is no restriction on access to the object and its datastreams. But when I activate it, access is denied to every user. I'm using version 3.2.1 of Fedora Commons, installed on a Linux server (Linux myFCComputer
2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 
GNU/Linux).

Does anyone know why it doesn't work as I want?
Greetings
Pierre-Yves


error returned by the web admin:
Could not retrieve object '' from the repository. Either the object does not exist, or you do not have permission to view it.

error returned by the access to the url of the object:
403 Forbidden
Authorization failed


fedora-users.xml:
...
    <user name="User1" password="XXXXX">
      <attribute name="fedoraRole">
        <value>Group1</value>
      </attribute>
    </user>
...

deny-access-object-list-if-not-group1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-access-object-list-if-not-group1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">

  <Description> </Description>
  <Target>

    <Subjects>
      <AnySubject/>
    </Subjects>

    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyNS:Restricted_Object</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>

    <Actions>
      <AnyAction/>
    </Actions>

  </Target>

  <Rule RuleId="1" Effect="Deny">

    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Group1</AttributeValue>
        </Apply>
      </Apply>
    </Condition>

  </Rule>

</Policy>
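The policy above, together with Simon's string-is-in variant from earlier in the thread, can be stepped through with a toy XACML 1.0 evaluator. This is an added example, not Fedora's own code (Fedora 3.x delegates to an embedded XACML engine) and not the project's PDP semantics in full: it implements only the functions this thread mentions, treats a designator whose attribute is absent from the request as an empty bag (the XACML meaning of MustBePresent="false"), and models the request context as plain dicts constructed here. It shows the property a reviewer would want to see: both rules are "Deny unless Group1 is present", so if the caller's fedoraRole never reaches the policy engine, the bag is empty, `not(... member of ...)` is true, and every caller is denied, which is the symptom reported in the first message.

```python
"""Toy XACML 1.0 evaluator for the deny policy quoted in this thread.

Added example, not Fedora's PDP. Only the functions mentioned in the
thread are implemented, and the request context is a plain dict, so the
effect of an absent fedoraRole attribute can be seen directly.
"""
import re
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
PID_ATTR = "urn:fedora:names:fedora:2.1:resource:object:pid"
STRING = "http://www.w3.org/2001/XMLSchema#string"

# Policy header and Target copied from the thread; a Rule is plugged in below.
POLICY_TEMPLATE = f"""<Policy xmlns="{XACML_NS}" PolicyId="deny-access-object-list-if-not-group1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><Resource>
      <ResourceMatch MatchId="{FN}string-equal">
        <AttributeValue DataType="{STRING}">MyNS:Restricted_Object</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{PID_ATTR}" DataType="{STRING}"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <!--RULE-->
</Policy>"""

# Pierre-Yves's rule (string-at-least-one-member-of) and Simon's (string-is-in).
RULE_MEMBER_OF = f"""<Rule RuleId="1" Effect="Deny">
  <Condition FunctionId="{FN}not">
    <Apply FunctionId="{FN}string-at-least-one-member-of">
      <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false" DataType="{STRING}"/>
      <Apply FunctionId="{FN}string-bag"><AttributeValue DataType="{STRING}">Group1</AttributeValue></Apply>
    </Apply>
  </Condition>
</Rule>"""

RULE_IS_IN = f"""<Rule RuleId="1" Effect="Deny">
  <Condition FunctionId="{FN}not">
    <Apply FunctionId="{FN}string-is-in">
      <AttributeValue DataType="{STRING}">Group1</AttributeValue>
      <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="{STRING}"/>
    </Apply>
  </Condition>
</Rule>"""

# The subset of XACML 1.0 functions used in the thread.
FUNCS = {
    "not": lambda a: not a,
    "string-equal": lambda a, b: a == b,
    "string-bag": lambda *values: list(values),
    "string-is-in": lambda value, bag: value in bag,
    "string-at-least-one-member-of": lambda bag1, bag2: any(v in bag2 for v in bag1),
    "regexp-string-match": lambda pattern, value: re.search(pattern, value) is not None,
}

MATCH_KINDS = {"SubjectMatch": "subject", "ResourceMatch": "resource", "ActionMatch": "action"}


def _local(el):
    return el.tag.split("}", 1)[1]


def eval_expr(el, ctx):
    """Evaluate an expression element: returns a str, a bool, or a list (bag)."""
    kind = _local(el)
    if kind == "AttributeValue":
        return el.text or ""
    if kind.endswith("AttributeDesignator"):
        # A designator yields the bag of values present in the request context.
        # An attribute the PDP never received yields an EMPTY bag (MustBePresent
        # is ignored here and treated as "false", which is also the XACML default).
        category = kind[: -len("AttributeDesignator")].lower()
        return list(ctx.get(category, {}).get(el.get("AttributeId"), []))
    if kind in ("Apply", "Condition"):
        fn = FUNCS[el.get("FunctionId")[len(FN):]]
        return fn(*(eval_expr(child, ctx) for child in el))
    raise ValueError(f"unsupported element {kind}")


def target_matches(target, ctx):
    """True if every *Match element hits at least one value in the context.

    <AnySubject/> and <AnyAction/> impose nothing. Alternation between sibling
    <Resource> elements is not modelled; the quoted policy has only one.
    """
    for el in target.iter():
        category = MATCH_KINDS.get(_local(el))
        if category is None:
            continue
        fn = FUNCS[el.get("MatchId")[len(FN):]]
        literal, bag = eval_expr(el[0], ctx), eval_expr(el[1], ctx)
        if not any(fn(literal, v) for v in bag):
            return False
    return True


def evaluate(rule_xml, ctx):
    """Decision of the thread's policy, with the given Rule: Deny / Permit / NotApplicable."""
    policy = ET.fromstring(POLICY_TEMPLATE.replace("<!--RULE-->", rule_xml))
    ns = {"p": XACML_NS}
    if not target_matches(policy.find("p:Target", ns), ctx):
        return "NotApplicable"
    for rule in policy.findall("p:Rule", ns):  # first-applicable
        rule_target = rule.find("p:Target", ns)
        if rule_target is not None and not target_matches(rule_target, ctx):
            continue
        cond = rule.find("p:Condition", ns)
        if cond is None or eval_expr(cond, ctx):
            return rule.get("Effect")
    return "NotApplicable"


def request(pid, roles=None):
    """Constructed request context; roles=None models fedoraRole not reaching the PDP at all."""
    subject = {} if roles is None else {"fedoraRole": list(roles)}
    return {"subject": subject, "resource": {PID_ATTR: [pid]}, "action": {}}


if __name__ == "__main__":
    for name, rule in (("member-of", RULE_MEMBER_OF), ("is-in", RULE_IS_IN)):
        for roles in (["Group1"], ["Group2"], None):
            print(name, roles, evaluate(rule, request("MyNS:Restricted_Object", roles)))
```

Both rules yield NotApplicable for a Group1 member (the Deny does not fire, so other policies decide), Deny for a member of some other role, and Deny when the role bag is empty. The last case is the one to check first when "every user is denied": it means the subject attribute is not being populated, not that the rule is wrong.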


_______________________________________________
Fedora-commons-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
