Setup
-------

I have a Fedora 3.2.1 server running on Linux, using the bundled database
with an external Tomcat 5.5.28 and Java 1.6.

I ran a custom installation and configured with API-M secure, API-A open.

I have <param name="ENFORCE-MODE" value="enforce-policies"/> in my
fedora.fcfg.

I have a custom policy, deny-apia-datastream-DS-if-not-tomcat-role.xml
(attached), in /opt/fedora-3.2.1/data/fedora-xacml-policies/repository-policies,
which permits only administrator access to datastreams with IDs that match the
pattern "DS.*".

I have a standard fedora-users.xml containing the Fedora administrator. I
have not altered Fedora's web.xml.

Problem
-----------

When I try to access the following URL
http://wyrd.anu.edu.au:8080/fedora/objects/assda-ddi:00626/datastreams/DC I
am prompted to login, with either "enforce-policies" or "permit-all". I
then get the following Tomcat 401 error message: 'description This request
requires HTTP authentication ()'.

With "enforce-policies" and the following URLs I get:

http://wyrd.anu.edu.au:8080/fedora/get/assda-ddi:00626/DC  (should be
anonymous access and IS)

http://wyrd.anu.edu.au:8080/fedora/get/assda-ddi:00626/DDI1 (should be
anonymous access and IS)

http://wyrd.anu.edu.au:8080/fedora/get/assda-ddi:00626/DS1 (should be
restricted to administrator role, but I am offered no login, just a 403
forbidden error)

Summary
------------

I have 3 questions:

1. With "permit-all", why is there a login at all browsing for
http://.../fedora/objects/...?

2. With "enforce-policies", why is there a 'requires HTTP
authentication()' error after login attempting to access any datastream?

3. With "enforce-policies", why is there no login offered when I try
to access a protected resource browsing for http://.../fedora/get/...?

steve

--

Steve Hassan

Development Programmer

ANU Supercomputer Facility

Leonard Huxley Building 56
Australian National University
Canberra ACT 0200
AUSTRALIA 

http://anusf.anu.edu.au/

Phone: +61 2 6125 9166

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" PolicyId="deny-apia-datastream-DS-if-not-tomcat-role">
	<!-- *********************************************************************************************************************************************************-->
	<!--  This policy will DENY access to DS datastreams by controlling access to the getDatastreamDissemination method -->
	<!--  of the Fedora Access Service (API-A).  Specificallly, it will DENY access to users who are NOT of particular ROLES when -->
	<!--  the requested  resource is a datastream with identifier of  'DS'  -->
	<!-- *********************************************************************************************************************************************************-->
	<!--  NOTE:  User ROLES are defined using custom Fedora attributes in the tomcat-users.xml file. -->
	<!--  See the Fedora system documentation on Tomcat Authentication for details of how to specify custom attributes -->
	<!--  (such as 'fedoraRole') in the tomcat-users.xml file. -->
	<!-- *********************************************************************************************************************************************************-->
	<!--  TEST CASE:  This policy can be tested on the object demo:6 -->
	<!-- *********************************************************************************************************************************************************-->
	<Description>This policy will DENY access to DS image datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). Specifically, it will DENY access to users who are NOT of particular ROLES when the requested resource is a datastream with identifier of 'DS.'</Description>
	<Target>
		<!-- *********************************************************************************************************************************************************-->
		<!--  This policy is applicable to any Subject.  However, the scope of the Subject is narrowed down in the Rule Condition (below). -->
		<!-- *********************************************************************************************************************************************************-->
		<Subjects>
			<AnySubject/>
		</Subjects>
		<!-- *********************************************************************************************************************************************************-->
		<!--  This policy is applicable to any Resource.  -->
		<!--  However, note that the Rule Target (below) narrows things down to the DS image datastream. -->
		<!-- *********************************************************************************************************************************************************-->
		<Resources>
			<AnyResource/>
		</Resources>
		<!-- *********************************************************************************************************************************************************-->
		<!--  This policy is applicable ONLY to actions (operations) of the Fedora Access Service (i.e., API-A). -->
		<!--  The ActionAttributeDesignator element is used to specify the action identifier.  -->
		<!--  The action identifier (urn:fedora:names:fedora:2.1:action:api) indicates that the policy will apply broadly to an entire Fedora API -->
		<!--  (a sort of composite action consisting of all methods in a particular API).  -->
		<!-- The AttributeValue names the specific Fedora API  that is the target of this policy, namely API-A, as indicated by the  -->
		<!-- identifier urn:fedora:names:fedora:2.1:action:api-a. -->
		<!-- *********************************************************************************************************************************************************-->
		<Actions>
			<Action>
				<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination</AttributeValue>
					<ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
				</ActionMatch>
			</Action>
		</Actions>
	</Target>
	<!-- *********************************************************************************************************************************************************-->
	<!-- Rule 1: This Rule will DENY access to DS image datastreams to users who are NOT of a particular ROLE  -->
	<!-- (i.e., based on the Fedora 'fedoraRole' attribute). -->
	<!-- *********************************************************************************************************************************************************-->
	<Rule RuleId="1" Effect="Deny">
		<!-- ******************************************************************************************************************************************************* -->
		<!-- Rule Target: -->
		<!-- Notice that a Target specification can occur at the Rule-level, instead of at the Policy level (above).-->
		<!-- This is a question of style, whether you want a policy whose overall purpose applies to particular Subjects/ Resources/Actions  -->
		<!-- (a Target at the Policy-level), or you want a policy of broad applicability but with one or more Rules (with each Rule having its own -->
		<!-- Target for Subjects/Resources/Actions). -->
		<!-- ******************************************************************************************************************************************************* -->
		<Target>
			<Subjects>
				<AnySubject/>
			</Subjects>
			<!-- *********************************************************************************************************************************************************-->
			<!-- This Rule is applicable to resources that are DS image datastreams.   -->
			<!-- *********************************************************************************************************************************************************-->
			<!-- The ResourceMatch element enables the XACML enforcement engine to determine whether this policy is applicable based -->
			<!-- on whether an incoming Fedora request pertains to the kind of a Resource entity specified in the ResourceMatch.  -->
			<!-- This is done by the XACML engine doing a comparison of attribute names/values in the incoming request against attribute -->
			<!-- names/values in the ResourceMatch specification.  Notice the XACML-based function "string-equal" on the ResourceMatch -->
			<!-- element which indicates that the matching will be string-based.   -->
			<!-- The ResourceAttributeDesignator element specifies a match criterion as the attribute name datastream:id  -->
			<!-- (identified by urn:fedora:names:fedora:2.1:resource:datastream:id).  The AttributeValue  element indicates that the value -->
			<!-- of the datastream:id must be 'DS' for this policy to be applicable.  -->
			<!-- *********************************************************************************************************************************************************-->
			<Resources>
				<Resource>
					<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
						<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DS.*</AttributeValue>
						<ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
					</ResourceMatch>
				</Resource>
			</Resources>
			<Actions>
				<AnyAction/>
			</Actions>
		</Target>
		<!-- *********************************************************************************************************************************************************-->
		<!-- Condition:  This Rule sets up a Condition to DENY access to users who are NOT of a particular role  (i.e., based on the -->
		<!-- 'fedoraRole' attribute.  See the Fedora system documentation on Tomcat Authentication for details of how to specify custom roles -->
		<!--  (such as 'fedoraRole') in the tomcat-users.xml file. -->
		<!-- ****************************************************************************************************************************************************-->
		<!-- This sets up a Condition under which denial should occur.  The Condition element sets up a NOT condition using the -->
		<!-- XACML-defined negation function (urn:oasis:names:tc:xacml:1.0:function:not). -->
		<!-- Within the Condition, the Apply element indicates what the negation applies to.  In this case, the negation applies to a set -->
		<!-- of user ROLES.   Notice that the Apply element defines the notion of a set via an XACML-defined function -->
		<!-- (string-at-least-one-member-of).  This function applies to the 'fedoraRole' attribute (see the SubjectAttributeDesignator) -->
		<!-- that is used to specify Fedora user roles.  A subject holding NONE of the roles in the set is DENIED; holding any one of them makes this Rule not apply. -->
		<!-- ****************************************************************************************************************************************************-->
		<!-- BOTTOM LINE:  If the user's role is NOT 'administrator' and NOT 'professor', the user is DENIED access.  In other words, -->
		<!-- everyone EXCEPT professors and administrators is DENIED.   Incidentally, professors and administrators are not explicitly permitted  -->
		<!-- access, they are just NOT DENIED.  This is relevant, because there could be another policy in scope for the repository that -->
		<!-- explicitly denies access to administrators and professors.  -->
		<!-- *********************************************************************************************************************************************************-->
		<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
			<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
				<SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
				<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
					<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">professor</AttributeValue>
				</Apply>
			</Apply>
		</Condition>
	</Rule>
</Policy>
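As an added illustration (not part of Steve's post or of Fedora's own code), a small Python evaluator of the attached policy's Rule 1, assuming the XACML engine treats regexp-string-match as a whole-string match. It reproduces the decisions the post reports for DC, DDI1 and DS1, and shows that a request carrying no fedoraRole attribute evaluates to Deny, consistent with the 403 seen on DS1, while administrators are merely not denied (no rule ever Permits).

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
GET_DS_DISSEM = "urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination"
# Constructed, comment-free copy of the attached policy (same Target, Rule Target, Condition).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
 PolicyId="deny-apia-datastream-DS-if-not-tomcat-role"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
  <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination</AttributeValue>
   <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
  </ActionMatch></Action></Actions></Target>
 <Rule RuleId="1" Effect="Deny">
  <Target><Subjects><AnySubject/></Subjects>
   <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DS.*</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </ResourceMatch></Resource></Resources>
   <Actions><AnyAction/></Actions></Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">professor</AttributeValue>
    </Apply></Apply></Condition></Rule></Policy>"""


def load_rule(xml_text):
    """Return (target action id, datastream regex, role set) read out of the policy XML."""
    root = ET.fromstring(xml_text)
    action = root.find("x:Target/x:Actions/x:Action/x:ActionMatch/x:AttributeValue", NS).text
    rule = root.find("x:Rule", NS)
    ds_regex = rule.find("x:Target/x:Resources/x:Resource/x:ResourceMatch/x:AttributeValue", NS).text
    roles = {v.text for v in rule.findall("x:Condition/x:Apply/x:Apply/x:AttributeValue", NS)}
    return action, ds_regex, roles


def decide(action, datastream_id, subject_roles, policy_xml=POLICY_XML):
    """Decision of this one-rule, first-applicable policy: 'Deny' or 'NotApplicable'."""
    target_action, ds_regex, allowed = load_rule(policy_xml)
    if action != target_action:                    # policy Target: only getDatastreamDissemination
        return "NotApplicable"
    if not re.fullmatch(ds_regex, datastream_id):  # rule Target: datastream:id ~ DS.* (assumed anchored)
        return "NotApplicable"
    # Condition: not(at-least-one-member-of(fedoraRole bag, {administrator, professor})).
    # MustBePresent="false": an anonymous request yields an empty bag, so the Condition holds -> Deny.
    if not set(subject_roles) & allowed:
        return "Deny"
    return "NotApplicable"  # the Rule never Permits; privileged roles are only "not denied"
```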
_______________________________________________
Fedora-commons-users mailing list
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
