It may be useful for me to mention here that Swithun Crowe of St. Andrews, Scott and myself will be taking a look at the servlet filter question in the next few weeks and hopefully will have something concrete to bring back to the community at some point not long after that.

---
A. Soroka
Online Library Environment
the University of Virginia Library

On Mar 22, 2011, at 11:17 AM, Scott Prater wrote:

> Thanks, Chris. That improvement to allow separate enabling of AuthN and
> AuthZ had slipped under my radar. I'll give that a try (I'm currently
> running Fedora 3.4.2). I'll also update the wiki documentation.
>
> Concerning Adam's work: in fact, my question was prompted by a side
> conversation I've recently had with Adam on that very topic. We hope to be
> early adopters/beta testers of his servlet filter.
>
> I'll report back here on my experiments.
>
> -- Scott
>
> On 03/22/11, Chris Wilper wrote:
>> Hi Scott,
>>
>> Actually FeSL AuthN and AuthZ are now separate options at
>> install-time, so enabling one shouldn't force you to use the other. If
>> you find that's happening, it's a bug that needs to be
>> addressed...it's certainly not intentional. But the first release we
>> did with FeSL included did force them to both either be on or off, so
>> that may be a source of confusion if you're using an older version.
>>
>> Also, I'm not sure if you're aware of this, but Adam Soroka has been
>> putting together a non-FeSL servlet filter that allows Shib
>> integration. I believe he's planning on having something available for
>> others to check out sometime after the 3.5 release.
>>
>> - Chris
>>
>> On Tue, Mar 22, 2011 at 10:32 AM, Scott Prater <pra...@wisc.edu> wrote:
>>> The topic of using Shibboleth for authentication and XACML for
>>> authorization has heated up again in our organization.
>>>
>>> Here is our ideal scenario:
>>>
>>> * Authentication with Shibboleth, Shibboleth attributes made
>>> available for use in Fedora XACML policies: made possible by servlet
>>> filters developed at other institutions
>>>
>>> * XACML policies stored as Fedora objects, inheritable rules, indexed in
>>> the resource index, cached: made possible by FeSL
>>>
>>> However, it appears that if FeSL is enabled (necessary to get the
>>> new and improved version of the XACML implementation), then FeSL JAAS is
>>> also enabled, and so the Shibboleth authentication piece will be
>>> disabled or bypassed (right?).
>>>
>>> We'd like to have our cake and eat it, too, ideally without having to
>>> wrestle with developing a JAAS Shibboleth plugin. Is there a way to
>>> separate FeSL authentication from FeSL authorization, enable the latter,
>>> but not the former? Thoughts?
>>>
>>> Some background reading:
>>>
>>> https://jira.duraspace.org/browse/FCREPO-577
>>> https://wiki.duraspace.org/display/FCR30/Fedora+Security+Layer+%28FeSL%29
>>>
>>> thanks in advance,
>>>
>>> -- Scott
>>>
>>> _______________________________________________
>>> Fedora-commons-users mailing list
>>> Fedora-commons-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>
> --
> Scott Prater
> Library, Instructional, and Research Applications (LIRA)
> Division of Information Technology (DoIT)
> University of Wisconsin - Madison