Even without logs or example files I have a pretty good idea of what fails.
The policy stuff works as follows 1. attempt to get policy from POLICY datastream, 2. apply policy to request But, if step 1. fails, the request is denied. Now, why could request 1 fail? Because the xslt transformer does not have the nessesary credentials to access the datastreams in object B. To fix this, take the external url from Object A, and make this work with autorization enabled. Then, this url should work when you put it in the POLICY datastream in object A. Regards On Sat, 2010-10-16 at 10:25 +0200, Steve Bayliss wrote: > Hi Maarten > > Are you using FeSL Authorization? > > Some example files would probably be useful to understand what you're > trying to achieve here. As far as I can tell from your email, > Datastream 4 in Object A is the POLICY datastream, and this is an > "E" (external) datastream, and you want this to be dynamically > generated using XSLT - is that correct? > > Regards > Steve > > -----Original Message----- > From: UB Mailing Subscription > [mailto:ubmailsubscript...@gmail.com] > Sent: 11 October 2010 14:19 > To: fedora-commons-users@lists.sourceforge.net > Cc: j.odeker...@maastrichtuniversity.nl; > m.seeg...@maastrichtuniversity.nl > Subject: [fcrepo-user] Help required on dynamic policy streams > (using xsltstylesheet) > > > Dear all, > > > Within a Fedora 3.4 installation, I would like to enforce > object policies in an external referenced datastream. When I > implement this, things work fine if the referenced datastream > from object A is referencing to a xml datastream in another > object B, which contains correct XACML. > > > Next, I want to change the static XACML to be dynamic, > depending on a xml value in another datastream in object A. In > my case, this is a date after which the policy must be less > strict than before this date. > > > The objective of the policies in object B is to protect access > to the managed content stream of object A. > > > What objects did I create (next to the objects of being able > to apply the stylesheet to an xml datastream)? > - Object A > + Datastream 1: xml (containing date variable) > + Datastream 2: stylesheet > + Datastream 3: serviceDefinition > + Datastream 4: external reference to URL, applying > stylesheet to xml datastream > + Datastream 5: managed content(e.g. pdf file) > > > - Object B > + Datastream 1: xml (XACML policy 1) > + Datastream 2: xml (XACML policy 2) > + Datastream 3: xml (XACML policy 3) > > > What happens? > When I disable policy enforcement in the fedora.fcfg file, the > URL of the policy datastream of object A gives me correct > XACML in xml format, exactly the same as a static link to an > object B datastream. So the stylesheet and the service work > fine, the resulting XACML is indeed depending on the date in > datastream 1 of object A. > > > When I enable policy enforcement, I can not access any > datastream anymore in object A, whereas the policy only blocks > access to the managed content datastream, even if I remove all > global policy files from their location in the Fedora default > dir and restart tomcat. > > > Question: Is the approach of dynamic policies like described > above possible? If yes, what am I doing wrong? If requested, I > can send example xml, xslt and xacml files. If no, are there > any other options to get this desired protection behaviour of > Fedora? > > > Any suggestions are welcome, > > > Regards, > > > Maarten Seegers > Maastricht University > The Netherlands ------------------------------------------------------------------------------ Download new Adobe(R) Flash(R) Builder(TM) 4 The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly Flex(R) Builder(TM)) enable the development of rich applications that run across multiple browsers and platforms. Download your free trials today! http://p.sf.net/sfu/adobe-dev2dev _______________________________________________ Fedora-commons-users mailing list Fedora-commons-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
