Hi,
enforceModifyObject in DefaultAuthorization.java (Fedora 2.2.3) looks
as follows:
public final void enforceModifyObject(Context context, String pid,
                                      String objectNewState, String objectNewOwnerId)
        throws AuthzException {
    try {
        LOG.debug("Entered enforceModifyObject");
        String target = Constants.ACTION.MODIFY_OBJECT.uri;
        log("enforcing " + target);
        context.setActionAttributes(null);
        MultiValueMap resourceAttributes = new MultiValueMap();
        String name = "";
        try {
            name = resourceAttributes.setReturn(Constants.OBJECT.NEW_STATE.uri,
                                                objectNewState);
            name = resourceAttributes.setReturn(Constants.OBJECT.OWNER.uri,
                                                objectNewOwnerId);
        } catch (Exception e) {
            context.setResourceAttributes(null);
            throw new AuthzOperationalException(target + " couldn't set " + name, e);
        }
        context.setResourceAttributes(resourceAttributes);
        xacmlPep.enforce(context.getSubjectValue(Constants.SUBJECT.LOGIN_ID.uri),
                         target, Constants.ACTION.APIM.uri, pid, extractNamespace(pid),
                         context);
    } finally {
        LOG.debug("Exiting enforceModifyObject");
    }
}
This looks to me as if the new ownerId set in the modifyObject call
would be available in the XACML policy as a ResourceAttribute
(urn:fedora:names:fedora:2.1:resource:object:owner), but it isn't.
I tried different scenarios and verified that the owner ResourceAttribute
is still the original owner of the object, not the new string given in
the modifyObject call. Also, the following lines appear in the logs:
DEBUG 2008-10-28 16:11:32.451 [TP-Processor12] (AttributeFinderModule) AttributeFinder:parmsOkfedora.server.security.ResourceAttributeFinderModule looking for urn:fedora:names:fedora:2.1:resource:object:owner
...
DEBUG 2008-10-28 16:11:32.451 [TP-Processor12] (ResourceAttributeFinderModule) ResourceAttributeFinder.getAttributeLocally using ownerIdSeparator==[,]
DEBUG 2008-10-28 16:11:32.451 [TP-Processor12] (ResourceAttributeFinderModule) got urn:fedora:names:fedora:2.1:resource:object:owner= [oe]
DEBUG 2008-10-28 16:11:32.451 [TP-Processor12] (ResourceAttributeFinderModule) Locally getting the 'urn:fedora:names:fedora:2.1:resource:object:owner' attribute for this resource took 0ms.
So I'm wondering: is setting the new owner string in the code above
without effect, and is this a bug?
The ideal solution for me would be a ResourceAttribute for the new
owner string like 'newOwner', similar to the 'newState' above
(which works, by the way), because I'd need both the original ownerId
and the new one from the modifyObject call available in a policy.
Thanks,
Tom
_______________________________________________
Fedora-commons-developers mailing list
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
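The effect Tom describes can be reproduced in a toy model of the attribute lookup: when the request context and a resource attribute finder both supply a value under the same attribute id, only one of them can reach the policy, so a rule that needs both the current owner and the requested new owner cannot be written. The block below is an added example written for this page, not Fedora code; it models the posted enforceModifyObject with a constructed object store, a finder that answers object:owner from that store (as the log lines show), a "finder wins" resolution order that is an assumption matching the observed behaviour rather than a claim about the real XACML engine, and a constructed transfer policy. The object:owner URI is the one quoted in the log; the newState and newOwner ids are placeholders, since the post names Constants.OBJECT.NEW_STATE.uri but not its value.

```python
"""Toy model of resource-attribute resolution for an enforceModifyObject-style
check. Added example, not Fedora code; store, ids and policy are constructed."""

# Attribute id quoted in the post's log output.
OWNER = "urn:fedora:names:fedora:2.1:resource:object:owner"
# Placeholder ids (assumptions): the post names Constants.OBJECT.NEW_STATE.uri
# but not its value, and newOwner does not exist in the posted code at all.
NEW_STATE = "urn:example:resource:object:newState"
NEW_OWNER = "urn:example:resource:object:newOwner"

OWNER_ID_SEPARATOR = ","  # the log shows ownerIdSeparator==[,]

# Constructed object store standing in for the repository.
OBJECT_STORE = {"demo:1": {"owner": "oe,alice", "state": "A"}}

# Constructed policy data: principals an owner may hand an object to.
TRANSFER_ALLOWED = {"oe", "alice", "bob"}


class ResourceAttributeFinder:
    """Answers object:owner from the stored object, like the
    'Locally getting ... object:owner' finder in the log. It never looks at
    what the caller put into the request context."""

    def handles(self, attr_id):
        return attr_id == OWNER

    def get(self, attr_id, pid):
        obj = OBJECT_STORE.get(pid)
        if obj is None:
            return None
        return obj["owner"].split(OWNER_ID_SEPARATOR)


def resolve(attr_id, request_attrs, finders, pid):
    """Attribute lookup. Assumption for this model: a registered finder wins,
    so a request attribute that reuses the finder's id is shadowed."""
    for finder in finders:
        if finder.handles(attr_id):
            return finder.get(attr_id, pid)
    value = request_attrs.get(attr_id)
    return [value] if value is not None else None


def build_request_attrs(new_state, new_owner, distinct_ids):
    """Mirror of what the posted enforceModifyObject puts into the context:
    newState under its own id, and the new owner either under object:owner
    (distinct_ids=False, as the posted code does) or under a separate id."""
    attrs = {NEW_STATE: new_state}
    attrs[NEW_OWNER if distinct_ids else OWNER] = new_owner
    return attrs


def decide(login_id, resolved):
    """Constructed policy: only a current owner may modify, and ownership may
    only be transferred to principals in TRANSFER_ALLOWED (or kept). A missing
    attribute yields Indeterminate, as XACML does for MustBePresent."""
    owners = resolved.get(OWNER)
    new_owner = resolved.get(NEW_OWNER)
    if owners is None or new_owner is None:
        return "Indeterminate"
    if login_id not in owners:
        return "Deny"
    requested = new_owner[0].split(OWNER_ID_SEPARATOR)
    if all(o in TRANSFER_ALLOWED or o in owners for o in requested):
        return "Permit"
    return "Deny"


def enforce_modify_object(login_id, pid, new_state, new_owner, distinct_ids=True):
    """Resolve every attribute the policy may ask for and evaluate it.
    Returns (resolved attributes, decision)."""
    request_attrs = build_request_attrs(new_state, new_owner, distinct_ids)
    finders = [ResourceAttributeFinder()]
    resolved = {}
    for attr_id in (OWNER, NEW_STATE, NEW_OWNER):
        value = resolve(attr_id, request_attrs, finders, pid)
        if value is not None:
            resolved[attr_id] = value
    return resolved, decide(login_id, resolved)


if __name__ == "__main__":
    # Same id for stored and requested owner: the new owner never reaches the policy.
    print(enforce_modify_object("oe", "demo:1", "I", "bob", distinct_ids=False))
    # Separate id: the policy sees both the current owners and the requested one.
    print(enforce_modify_object("oe", "demo:1", "I", "bob", distinct_ids=True))
```

With distinct_ids=False the resolved attributes contain only the stored owners and the new state, so the policy cannot validate the transfer and returns Indeterminate; with distinct_ids=True the same call resolves both object:owner and the placeholder newOwner id and the transfer policy can be evaluated. Whichever source the real engine prefers, reusing one attribute id for two different facts loses one of them, which is the reason a separate newOwner attribute is the only way to get both values into a policy.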