On 10/29/07, Rachana Ananthakrishnan <[EMAIL PROTECTED]> wrote:
> For 4.0.x, look at section 3.1 in
> http://www.globus.org/toolkit/docs/4.0/security/authzframe/developer-index.html#s-authzframe-developer-archdes.
> Pasting relevant piece here:
>
> "A chain of PDPs and PIPs, with relevant configuration information, can be
> configured at resource, service or container level. If no chain is specified
> at resource level, service level is used; if nothing is specified at service
> level, the container level configuration is used. The engine evaluates each
> PDP and PIP in the order specified and a deny-override mechanism is used to
> render a decision. If one PDP returns a deny, the decision rendered is
> deny."

This doesn't seem to work as advertised. I have the following authz
chains specified at both the container and service levels (resp.):

<authz value="global:org.globus.gridshib.SAMLAssertionPushPIP"/>
<authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>

The latter initializes first (Bug 5545) but the container PIP is
invoked when I request the service. See this log output:

http://dev.globus.org/images/c/c8/Gt-container-log-output-20071030.txt

Look for the following debug output (in order):

org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (secctxecho) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) collecting attributes...

Is this bug related to Bug 5545 or is this something new?

Tom
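
A check for the mismatch reported above, added here as an example (not part of the original message and not Globus Toolkit code): it models the documented precedence (resource, then service, then container) and compares the chain that should apply with the PIP prefixes that the quoted debug lines show collecting attributes. The function names and the dict layout are assumptions; the chain values and log lines are the ones quoted in the message.

```python
import re

# Precedence as stated in the quoted documentation: most specific level first.
PRECEDENCE = ("resource", "service", "container")

# Matches the debug lines quoted in the message:
#   <class> (<prefix>) initializing... / collecting attributes...
LOG_RE = re.compile(
    r"(?P<cls>[\w.]+) \((?P<prefix>\w+)\) "
    r"(?P<event>initializing|collecting attributes)\.\.\."
)

def effective_chain(configured):
    """Return (level, chain) for the most specific level that has a chain."""
    for level in PRECEDENCE:
        chain = configured.get(level)
        if chain:
            return level, chain
    return None, []

def invoked_prefixes(log_text):
    """Prefixes whose PIP actually collected attributes, in log order."""
    return [m["prefix"] for m in LOG_RE.finditer(log_text)
            if m["event"] == "collecting attributes"]

def check(configured, log_text):
    """Compare the chain the documentation says applies with what the log shows."""
    level, chain = effective_chain(configured)
    expected = [entry.split(":", 1)[0] for entry in chain]
    observed = invoked_prefixes(log_text)
    return {
        "level": level,
        "expected": expected,
        "observed": observed,
        "unexpected": [p for p in observed if p not in expected],
        "missing": [p for p in expected if p not in observed],
    }

# Chains and log lines as quoted in the message (no resource-level chain).
CONFIG = {
    "container": ["global:org.globus.gridshib.SAMLAssertionPushPIP"],
    "service": ["secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"],
}
LOG = """\
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (secctxecho) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) collecting attributes...
"""

if __name__ == "__main__":
    print(check(CONFIG, LOG))
```

A non-empty `unexpected` or `missing` list means the chain that ran is not the one the documented precedence selects, so any PDPs configured in the expected chain would not have been consulted for that request.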
