Thanks, Chris. That improvement to allow separate enabling of AuthN and AuthZ had slipped under my radar. I'll give that a try (I'm currently running Fedora 3.4.2). I'll also update the wiki documentation.
Concerning Adam's work: in fact, my question was prompted by a side conversation I've recently had with Adam on that very topic. We hope to be early adopters/beta testers of his servlet filter. I'll report back here on my experiments.

-- Scott

On 03/22/11, Chris Wilper wrote:
> Hi Scott,
>
> Actually FeSL AuthN and AuthZ are now separate options at
> install-time, so enabling one shouldn't force you to use the other. If
> you find that's happening, it's a bug that needs to be
> addressed...it's certainly not intentional. But the first release we
> did with FeSL included did force them to both either be on or off, so
> that may be a source of confusion if you're using an older version.
>
> Also, I'm not sure if you're aware of this, but Adam Soroka has been
> putting together a non-FeSL servlet filter that allows Shib
> integration. I believe he's planning on having something available for
> others to check out sometime after the 3.5 release.
>
> - Chris
>
> On Tue, Mar 22, 2011 at 10:32 AM, Scott Prater <pra...@wisc.edu> wrote:
> > The topic of using Shibboleth for authentication and XACML for
> > authorization has heated up again in our organization.
> >
> > Here is our ideal scenario:
> >
> > * Authentication with Shibboleth, Shibboleth attributes made available for use in Fedora XACML policies: made possible by servlet filters developed at other institutions
> >
> > * XACML policies stored as Fedora objects, inheritable rules, indexed in the resource index, cached: made possible by FeSL
> >
> > However, it appears that if FeSL is enabled (necessary to get the new and improved version of the XACML implementation), then FeSL JAAS is also enabled, and so the Shibboleth authentication piece will be disabled or bypassed (right?).
> >
> > We'd like to have our cake and eat it, too, ideally without having to wrestle with developing a JAAS Shibboleth plugin. Is there a way to separate FeSL authentication from FeSL authorization, enable the latter, but not the former? Thoughts?
> >
> > Some background reading:
> >
> > https://jira.duraspace.org/browse/FCREPO-577
> > https://wiki.duraspace.org/display/FCR30/Fedora+Security+Layer+%28FeSL%29
> >
> > thanks in advance,
> >
> > -- Scott
> >
> > _______________________________________________
> > Fedora-commons-users mailing list
> > Fedora-commons-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users

--
Scott Prater
Library, Instructional, and Research Applications (LIRA)
Division of Information Technology (DoIT)
University of Wisconsin - Madison