The topic of using Shibboleth for authentication and XACML for authorization has heated up again in our organization.
Here is our ideal scenario:

* Authentication with Shibboleth, Shibboleth attributes made available for use in Fedora XACML policies: made possible by servlet filters developed at other institutions
* XACML policies stored as Fedora objects, inheritable rules, indexed in the resource index, cached: made possible by FeSL

However, it appears that if FeSL is enabled (necessary to get the new and improved version of the XACML implementation), then FeSL JAAS is also enabled, and so the Shibboleth authentication piece will be disabled or bypassed (right?).

We'd like to have our cake and eat it, too, ideally without having to wrestle with developing a JAAS Shibboleth plugin. Is there a way to separate FeSL authentication from FeSL authorization, enable the latter, but not the former?

Thoughts?

Some background reading:

https://jira.duraspace.org/browse/FCREPO-577
https://wiki.duraspace.org/display/FCR30/Fedora+Security+Layer+%28FeSL%29

thanks in advance,
-- Scott

_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users