Hi Huan,

You probably don't have policies to allow anonymous access to resources. From 
the request, it is identifying that there is no authenticated user trying to 
access the item. For this to work you will need to add a policy to the 
bootstrap policies to allow this.

Something like this might work:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
          http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
          urn:oasis:names:tc:xacml:2.0:context:schema:os
          http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
        PolicyId="anonymous:readall"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <Description>A policy to provide public users the ability to view all objects
in the demo object collection</Description>
 <Target>
  <Subjects>
   <Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
     <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
     <SubjectAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
       DataType="http://www.w3.org/2001/XMLSchema#string" />
    </SubjectMatch>
   </Subject>
  </Subjects>
  <Resources>
   <Resource>
    <!-- to view everything under the resource collection -->
    <ResourceMatch
      MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
     <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">/.*</AttributeValue>
     <ResourceAttributeDesignator
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
    </ResourceMatch>
   </Resource>
  </Resources>
  <Actions>
   <Action>
    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
     <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
     <ActionAttributeDesignator
       AttributeId="urn:fedora:names:fedora:2.1:action:api"
       DataType="http://www.w3.org/2001/XMLSchema#string" />
    </ActionMatch>
   </Action>
   <Action>
    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
     <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
     <ActionAttributeDesignator
       AttributeId="urn:fedora:names:fedora:2.1:action:id"
       DataType="http://www.w3.org/2001/XMLSchema#string" />
    </ActionMatch>
   </Action>
  </Actions>
 </Target>
 <Rule Effect="Permit"
       RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
</Policy>

Nishen Naidoo
IT Projects Developer
Library IT
MACQUARIE UNIVERSITY NSW 2109

E-Mail: [email protected]
Phone:  +61 2 98506553
Mobile: +61 4 30006783
Fax:    +61 2 98507912
http://www.library.mq.edu.au/

CRICOS Provider No 00002J

________________________________________
From: yf508 [[email protected]]
Sent: Tuesday, 1 June 2010 6:13 PM
To: 'Huan Thebault'
Cc: 'fedora-commons-develop...@lists. sourceforge. net'
Subject: Re: [Fedora-commons-developers] PEP Denying Access

>  Looking at sources, the "3" at last line means :
>  DECISION_NOT_APPLICABLE , which is an error (it should be :
>  DECISION_PERMIT, DECISION_INDETERMINATE, DECISION_DENY)

It seems to me that 'DECISION_NOT_APPLICABLE' means the required policy does
not exist - it's not an error state. So the problem you have might be
related to bootstrap policies (there are bootstrap policies in Fedora 2.x.
I'm not using Fedora 3.x so not sure whether there are some bootstrap ones
in 3.x).

Frank

---------------------------------
Dr. Yankui(Frank) Feng
Digital Library Systems Developer
The University of York
Heslington, York, YO10 5DD, UK
Tel: +44 (0) 1904-434507
Email: yf508 at york.ac.uk
---------------------------------


------------------------------------------------------------------------------

_______________________________________________
Fedora-commons-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
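
Added example (not part of the original messages, and not Fedora's or the PEP's own code): a Python evaluation of XACML 2.0 Target matching over a condensed copy of the policy above, showing which requests receive Permit and which fall through to NotApplicable, the decision discussed in the quoted message. The request dictionary, the shortened RuleId and the use of Python's re module in place of the XACML regular expression dialect are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
F1 = "urn:oasis:names:tc:xacml:1.0:function:"

# Condensed copy of the policy from the thread (DataType attributes and schema hints dropped).
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"><Target>
<Subjects><Subject><SubjectMatch MatchId="{F1}string-equal">
  <AttributeValue>anonymous</AttributeValue>
  <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"/>
</SubjectMatch></Subject></Subjects>
<Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
  <AttributeValue>/.*</AttributeValue>
  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
</ResourceMatch></Resource></Resources>
<Actions><Action><ActionMatch MatchId="{F1}string-equal">
  <AttributeValue>urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
  <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
</ActionMatch></Action><Action><ActionMatch MatchId="{F1}string-equal">
  <AttributeValue>read</AttributeValue>
  <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
</ActionMatch></Action></Actions>
</Target><Rule Effect="Permit" RuleId="generic-permit"/></Policy>"""

# Constructed sample request: attribute id -> value, as a PEP might send for an anonymous read.
ANON_READ = {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": "anonymous",
             "urn:oasis:names:tc:xacml:1.0:resource:resource-id": "/demo:1",
             "urn:fedora:names:fedora:2.1:action:id": "read"}

def matches(match, request):
    """Evaluate one *Match element against the request attribute its designator names."""
    literal = match.find(NS + "AttributeValue").text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    actual = request.get(designator.get("AttributeId"))
    if actual is None:                      # attribute absent from the request
        return False
    if match.get("MatchId").endswith("regexp-match"):
        return re.search(literal, actual) is not None  # assumption: re stands in for XACML regex
    return literal == actual

def evaluate(policy_xml, request):
    """Return the rule's Effect if the Target matches the request, else 'NotApplicable'."""
    root = ET.fromstring(policy_xml)
    for section in root.find(NS + "Target"):           # Subjects, Resources, Actions: all required
        # Children of a section are alternatives (OR); matches inside one child are ANDed.
        if not any(all(matches(m, request) for m in alt) for alt in section):
            return "NotApplicable"
    return root.find(NS + "Rule").get("Effect")
```

Because the two Action elements are alternatives, a request carrying the api-a attribute matches whatever its action id is, which is worth checking against the access you intend to open to anonymous users.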