Updated doc: http://www.globus.org/toolkit/docs/latest-stable/security/wsaajava/developer /#id2483308. The document describing framework explains it some more. It is mostly relevant where the combining algorithm does not use all the PIPs in the order specified, but needs a subset to set up request context.
This org.globus.security.authorization.BootstrapPIP exists in authorization module. Rachana > -----Original Message----- > From: Tom Scavo [mailto:[EMAIL PROTECTED] > Sent: Sunday, November 09, 2008 7:38 PM > To: Rachana Ananthakrishnan > Cc: GT User > Subject: Re: [gt-user] questions re security descriptors > > Thanks, Rachana. Also, may I ask, how is a bootstrap PIP different > than an ordinary PIP in an authz chain? > > Tom > > PS. I've read > org.globus.wsrf.impl.security.authorization.X509BootstrapPIP > but I can't find org.globus.security.authorization.BootstrapPIP. > > On Sun, Nov 9, 2008 at 8:24 PM, Rachana Ananthakrishnan > <[EMAIL PROTECTED]> wrote: > > Thanks - updated documentation. Comma-separated values are required. > > > > Rachana > > > >> -----Original Message----- > >> From: [EMAIL PROTECTED] > >> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Scavo > >> Sent: Friday, November 07, 2008 3:45 PM > >> To: GT User > >> Subject: Re: [gt-user] questions re security descriptors > >> > >> 11. Trusted Certificates > >> > >> The text says the values are comma-separated but the example shows > >> space-separated values. > >> > >> On Fri, Nov 7, 2008 at 4:35 PM, Tom Scavo > <[EMAIL PROTECTED]> wrote: > >> > Some questions about the Java WS A&A Security Descriptor > Framework > >> > documented here: > >> > > >> > > >> http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava > >> /descriptor/ > >> > > >> > 4. Administrator Authorization Chain > >> > > >> > "The decision returned by this chain overrides subsequent > >> > authorization decisions. That is, if the administrator's > >> authorization > >> > chain returns a deny, the rest of the configured > authorization (at > >> > container/service/resource) is not evaluated and the operation is > >> > denied. If the administrator's chain returns the permit, > the rest of > >> > the configuration is evaluated to see if the operation > is allowed." > >> > > >> > The above combining algorithm doesn't sound like any combining > >> > algorithm I know. If the Administrator Authorization Chain > >> "overrides > >> > subsequent authorization decisions," why doesn't permit > override the > >> > rest of the configured authorization (at > >> container/service/resource)? > >> > > >> > Does the <adminAuthz> element take a combiningAlg attribute? > >> > > >> > 5. Authorization > >> > > >> > What are possible values of the combiningAlg attribute? > >> > > >> > Are other elements besides <param:nameValueParam> supported > >> out of the > >> > box? For example, are multi-valued parameters supported? > >> > > >> > Thanks, > >> > Tom > >> > > > > >
