Hi

Fedora has a lack. That lack is the ability to "try" an action. Either
you do, or you do not, there is no try. So, it is impossible to
determine if the action would work, without carrying it out. 

The best suggestion is to put some webservice in front of Fedora, and
have your users access this. This webservice could ask for
authentication when necessary, and not when not needed. Simply attempt
to carry out the action without credentials. If it works, great,
otherwise ask for authentication and do it again.

Regards

On Thu, 2010-07-29 at 15:27 +0200, Pierre-Yves JALLUD wrote:
> Hi all,
> if you followed the activity of the list, you have seen that I had problems 
> with XACML rules. Finally, I succeeded in creating XACML files generating the 
> wished rules. To summarize the situation, I created rules to permit 
> access to an object only for a fedoraRole. You can find the XACML files 
> below. The problem I have now is about the BASIC authentication popup. I 
> installed FedoraCommons without API-A authentication. I followed the 
> recommendation of Edwin 
> (http://sourceforge.net/mailarchive/message.php?msg_id=1606E8EF-FDE0-4A58-82CB-68C43446FBE6%40fedora-commons.org)
> 
> and I have now an authentication for API-A. But the authentication is 
> systematic and I would like the BASIC authentication to be asked 
> just when it is necessary. In my example, when someone wants to access 
> the MyNS:MyID object.
> 
> Does someone know a solution for a "no systematic authentication" for 
> API-A?
> 
> Greetings
> Pierre-Yves
> 
> deny-object-if-not-TOTO.xml:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         PolicyId="deny-object-if-not-TOTO"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>   <Description> </Description>
> 
>   <Target>
> 
>     <Subjects>
>       <AnySubject/>
>     </Subjects>
> 
>     <Resources>
>       <Resource>
>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyNS:MyID</AttributeValue>
>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ResourceMatch>
>       </Resource>
>     </Resources>
> 
>     <Actions>
>       <AnyAction/>
>     </Actions>
> 
>   </Target>
> 
>   <Rule RuleId="1" Effect="Deny">
> 
>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>         <SubjectAttributeDesignator AttributeId="fedoraRole"
>                                     MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TOTO</AttributeValue>
>         </Apply>
>       </Apply>
>     </Condition>
> 
>   </Rule>
> 
> </Policy>
> 
> 
> permit-apia-to-confidentiel.xml:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         PolicyId="permit-apia-to-confidentiel"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>   <Description></Description>
> 
>   <Target>
> 
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidentiel</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="fedoraRole"
>                                       MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
> 
>     <Resources>
>       <AnyResource/>
>     </Resources>
> 
>     <Actions>
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
>           <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
>                                      AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
>         </ActionMatch>
>       </Action>
>     </Actions>
> 
>   </Target>
> 
>   <Rule RuleId="1" Effect="Permit"/>
> 
> </Policy>
> 

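The "try it without credentials, challenge only on failure" front end suggested in the reply above, written out as an added example; it is not code from the thread or from Fedora Commons. It is a WSGI app that forwards GET /objects/{pid} to a Fedora backend passed in as a callable. Everything in it is an assumption: the fake_fedora stand-in, the MyNS:MyID and demo:1 objects and the alice/bob accounts are constructed for the example, with fake_fedora mimicking the posted deny-object-if-not-TOTO policy so the code runs offline. One difference from the reply's wording: the retry is left to the browser (the 401 challenge makes it resend the request with credentials) rather than done inside the front end, which keeps the proxy stateless.

```python
"""Lazy Basic-auth front end for Fedora API-A (added example, not Fedora code).
Forward the request as the client sent it (usually anonymously); issue a Basic
challenge only when Fedora refuses, so the popup appears for protected objects only.
The backend is injected so the example runs offline against a constructed fake."""
import base64
from http import HTTPStatus
from wsgiref.util import setup_testing_defaults

# Constructed data: PID -> roles allowed to read it (None = public object).
FAKE_REPOSITORY = {"MyNS:MyID": {"TOTO"}, "demo:1": None}
# Constructed accounts: user -> (password, fedoraRole values).
FAKE_USERS = {"alice": ("alice-pw", {"TOTO"}), "bob": ("bob-pw", {"confidentiel"})}

def fake_fedora(pid, creds):
    """Stand-in for GET /objects/{pid} on Fedora; returns (status code, body)."""
    if pid not in FAKE_REPOSITORY:
        return 404, b"no such object"
    allowed = FAKE_REPOSITORY[pid]
    if allowed is None:
        return 200, ("profile of " + pid).encode()
    if creds is None:
        return 401, b"authentication required"
    user, password = creds
    entry = FAKE_USERS.get(user)
    if entry is None or entry[0] != password:
        return 401, b"bad credentials"
    if not (entry[1] & allowed):          # authenticated, but no permitted fedoraRole
        return 403, b"denied by XACML"
    return 200, ("profile of " + pid).encode()

def parse_basic(header):
    """Decode 'Authorization: Basic <b64>' into (user, password), or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password

def make_proxy(backend, realm="Fedora"):
    """Build the WSGI app; backend(pid, creds) is the call into Fedora."""
    challenge = ("WWW-Authenticate", 'Basic realm="%s"' % realm)
    plain = ("Content-Type", "text/plain")

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if environ.get("REQUEST_METHOD") != "GET" or not path.startswith("/objects/"):
            start_response("404 Not Found", [plain])
            return [b"only GET /objects/{pid} is proxied"]
        pid = path[len("/objects/"):]
        creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
        # Step 1: just try it. Fedora cannot "try" an action, but an API-A GET has
        # no side effects, so a denied attempt costs nothing.
        status, body = backend(pid, creds)
        # Step 2: challenge only when credentials could change the outcome: a 401
        # (none or wrong), or a 403 with no credentials at all. A user who did
        # authenticate and is still forbidden gets the 403 as-is; challenging
        # again would make the browser loop on the popup.
        if status == 401 or (status == 403 and creds is None):
            start_response("401 Unauthorized", [challenge, plain])
            return [b"authentication required for this object"]
        start_response("%d %s" % (status, HTTPStatus(status).phrase), [plain])
        return [body]
    return app

PROXY = make_proxy(fake_fedora)

def call(app, path, creds=None):
    """Drive the app in-process (no socket); returns (status line, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if creds is not None:
        token = base64.b64encode(("%s:%s" % creds).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    for path, creds in (("/objects/demo:1", None), ("/objects/MyNS:MyID", None),
                        ("/objects/MyNS:MyID", ("alice", "alice-pw")),
                        ("/objects/MyNS:MyID", ("bob", "bob-pw"))):
        status, headers, _ = call(PROXY, path, creds)
        print(path, creds and creds[0], "->", status, headers.get("WWW-Authenticate", ""))
```

Running it prints the four cases: the public object needs no popup, the anonymous request for MyNS:MyID gets the Basic challenge, alice (role TOTO) gets through, and bob (role confidentiel) gets a plain 403 with no second popup. Two caveats for a real deployment: the front end only helps if it is the only route to Fedora, so the repository's own port has to be firewalled from users; and because Fedora answers 404 for an unknown PID but 401 for a protected one, the front end reveals which PIDs exist, so fold both into 404 if that matters.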

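To check what the two posted policies decide for a given role, PID and API before loading them into Fedora, here is a small evaluator written for this page. It is not Fedora's own PDP (Fedora uses Sun's XACML engine) and implements only the XACML 1.0 subset the policies use: Target matching with string-equal, first-applicable rule combining, and the functions not, string-at-least-one-member-of and string-bag. The two policy strings are the ones from the message above with whitespace compacted; decide() combines them with deny-overrides, which is assumed here to be the repository's policy-combining setting, and the api-m action value used in the usage note is constructed for comparison.

```python
"""Mini XACML 1.0 evaluator for the two posted policies (added example, not Fedora's PDP).
Implements only what they use: Target matching with string-equal, first-applicable rule
combining, and the functions not / string-at-least-one-member-of / string-bag.
Policies are combined with deny-overrides (assumed to be the repository's setting)."""
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
PID_ATTR = "urn:fedora:names:fedora:2.1:resource:object:pid"
API_ATTR = "urn:fedora:names:fedora:2.1:action:api"
API_A = "urn:fedora:names:fedora:2.1:action:api-a"

def q(tag):
    return "{%s}%s" % (NS, tag)

# The two policies from the message, whitespace compacted.
DENY_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="deny-object-if-not-TOTO"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyNS:MyID</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
    DataType="http://www.w3.org/2001/XMLSchema#string"/></ResourceMatch></Resource></Resources>
  <Actions><AnyAction/></Actions></Target>
 <Rule RuleId="1" Effect="Deny"><Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
   <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
    DataType="http://www.w3.org/2001/XMLSchema#string"/>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TOTO</AttributeValue>
   </Apply></Apply></Condition></Rule></Policy>"""

PERMIT_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="permit-apia-to-confidentiel"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">confidentiel</AttributeValue>
   <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
    DataType="http://www.w3.org/2001/XMLSchema#string"/></SubjectMatch></Subject></Subjects>
  <Resources><AnyResource/></Resources>
  <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
   <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
    DataType="http://www.w3.org/2001/XMLSchema#string"/></ActionMatch></Action></Actions></Target>
 <Rule RuleId="1" Effect="Permit"/></Policy>"""

def _bag(designator, ctx):
    """Look up a *AttributeDesignator in the request context; a missing attribute is an empty bag."""
    category = designator.tag.split("}")[-1].replace("AttributeDesignator", "").lower()
    bag = set(ctx[category].get(designator.get("AttributeId"), ()))
    if not bag and designator.get("MustBePresent") == "true":
        raise ValueError("missing required attribute " + designator.get("AttributeId"))
    return bag

def eval_expr(node, ctx):
    """Evaluate a Condition/Apply tree; primitives are str, bags are set, results bool."""
    tag = node.tag.split("}")[-1]
    if tag == "AttributeValue":
        return node.text
    if tag.endswith("AttributeDesignator"):
        return _bag(node, ctx)
    fn, args = node.get("FunctionId"), [eval_expr(c, ctx) for c in node]
    if fn == FN + "not":
        return not args[0]
    if fn == FN + "string-bag":
        return set(args)
    if fn == FN + "string-at-least-one-member-of":
        return bool(args[0] & args[1])
    raise NotImplementedError(fn)

def _match(match, ctx):
    """A *Match is true if any value in the designated bag equals the literal."""
    if match.get("MatchId") != FN + "string-equal":
        raise NotImplementedError(match.get("MatchId"))
    literal = match.find(q("AttributeValue")).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return literal in _bag(designator, ctx)

def target_matches(target, ctx):
    """Every section must match: <Any...> always does, otherwise at least one
    <Subject>/<Resource>/<Action> element must have all of its *Match children true."""
    for plural, single in (("Subjects", "Subject"), ("Resources", "Resource"), ("Actions", "Action")):
        section = target.find(q(plural))
        if section.find(q("Any" + single)) is not None:
            continue
        if not any(all(_match(m, ctx) for m in elem.findall(q(single + "Match")))
                   for elem in section.findall(q(single))):
            return False
    return True

def evaluate_policy(policy_xml, ctx):
    """Decision of one policy: Permit, Deny or NotApplicable (first-applicable rules)."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId").endswith(":first-applicable"):
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    if not target_matches(policy.find(q("Target")), ctx):
        return "NotApplicable"
    for rule in policy.findall(q("Rule")):
        rule_target, condition = rule.find(q("Target")), rule.find(q("Condition"))
        if rule_target is not None and not target_matches(rule_target, ctx):
            continue
        if condition is None or eval_expr(condition, ctx) is True:
            return rule.get("Effect")
    return "NotApplicable"

def decide(roles, pid, api=API_A):
    """Build the request context and combine both policies with deny-overrides."""
    ctx = {"subject": {"fedoraRole": set(roles)},
           "resource": {PID_ATTR: {pid}}, "action": {API_ATTR: {api}}}
    decisions = [evaluate_policy(p, ctx) for p in (DENY_POLICY, PERMIT_POLICY)]
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"
```

decide([], "MyNS:MyID") is Deny, decide(["TOTO"], "MyNS:MyID") is NotApplicable, and decide(["confidentiel"], "MyNS:MyID") is Deny because the permit policy's Permit is overridden; decide(["confidentiel"], "demo:1") is Permit, and the same call with api="urn:fedora:names:fedora:2.1:action:api-m" is NotApplicable since the permit policy's Target names api-a only. Note that neither policy ever permits TOTO explicitly: a NotApplicable result leaves the decision to whatever other policies Fedora has loaded, so the outcome of that case depends on the rest of the policy directory.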

_______________________________________________
Fedora-commons-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
