> > Some questions about the Java WS A&A Security Descriptor Framework > documented here: > > http://www.globus.org/toolkit/docs/4.2/4.2.1/security/wsaajava > /descriptor/ > > 4. Administrator Authorization Chain > > "The decision returned by this chain overrides subsequent > authorization decisions. That is, if the administrator's authorization > chain returns a deny, the rest of the configured authorization (at > container/service/resource) is not evaluated and the operation is > denied. If the administrator's chain returns the permit, the rest of > the configuration is evaluated to see if the operation is allowed." > > The above combining algorithm doesn't sound like any combining > algorithm I know. If the Administrator Authorization Chain "overrides > subsequent authorization decisions," why doesn't permit override the > rest of the configured authorization (at container/service/resource)?
It is meant to serve as black list decision point. I'll reword the write up. > > Does the <adminAuthz> element take a combiningAlg attribute? Yes. Like the text mentions, the schema is the same as the authzChain element. > > 5. Authorization > > What are possible values of the combiningAlg attribute? Other than custom ones, FirstApplicableAlg and DenyOverrideAlg in the same package as PermitOverrideAlgorithm is supported. Updated documentation. > > Are other elements besides <param:nameValueParam> supported out of the > box? For example, are multi-valued parameters supported? No, that is the only parameter is supported out of the box. Rachana > > Thanks, > Tom
