Hi All

I'm trying to write an XACML policy for Muradora so that an owner can have full
control of their publications within a particular collection.
The problem that I'm having is the Rule. I need to compare the user who is
logged in to the owner of the object.
There seem to be a few examples of this for Fedora, but this doesn't seem to
work in Muradora.

This is a line from my tomcat log file:
DEBUG [attribute.FedoraRIAttributeFinder]: Does not know about attribute: 
urn:fedora:names:fedora:2.1:resource:object:owner

Here is an example policy.

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
    http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
    urn:oasis:names:tc:xacml:2.0:context:schema:os
    http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
  PolicyId="public-changeme:49091-changeme:49085-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description>A policy to provide public users permissions to the
    datastream - changeme:49091-changeme:49085-policy</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">externalx</AttributeValue>
          <SubjectAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/changeme:49091/.*</AttributeValue>
          <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="1" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
      <SubjectAttributeDesignator
        AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      <ResourceAttributeDesignator
        AttributeId="urn:fedora:names:fedora:2.1:resource:object:owner"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Condition>
  </Rule>
</Policy>

Any ideas as to how I can compare the logged-in user to the object owner?

Thanks so much,

Martin
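To make the failure mode behind the quoted log line concrete, here is an added, simplified model of how an XACML 2.0 PDP evaluates the Rule in the policy above. It is example code written for this post, not Fedora's or Muradora's PDP (Sun XACML) and not part of the original message; it reuses only the attribute ids and function id from the posted policy, and a constructed dictionary stands in for the attribute finders. It shows the two outcomes a missing attribute can produce: with MustBePresent="false", an attribute the finder "does not know about" becomes an empty bag, so string-at-least-one-member-of is simply false and the Rule evaluates to NotApplicable rather than Permit, with no error anywhere; with MustBePresent="true", the same gap surfaces as Indeterminate, which is far easier to spot while debugging.

```python
import xml.etree.ElementTree as ET

# XACML 2.0 policy namespace and the function-id prefix the posted policy uses.
NS = {"p": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
FN_PREFIX = "urn:oasis:names:tc:xacml:1.0:function:"

# Attribute ids taken from the policy in the post.
LOGIN_ID = "urn:fedora:names:fedora:2.1:subject:loginId"
OWNER = "urn:fedora:names:fedora:2.1:resource:object:owner"

# Constructed copy of just the <Rule> from the posted policy. The Target is
# omitted: this model assumes the Target has already matched.
POLICY_XML = f"""<Policy xmlns="{NS['p']}" PolicyId="owner-rule-demo"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Rule RuleId="1" Effect="Permit">
    <Condition FunctionId="{FN_PREFIX}string-at-least-one-member-of">
      <SubjectAttributeDesignator AttributeId="{LOGIN_ID}"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
      <ResourceAttributeDesignator AttributeId="{OWNER}"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
    </Condition>
  </Rule>
</Policy>"""


class Indeterminate(Exception):
    """Raised when a designator with MustBePresent="true" finds no value."""


def resolve_bag(designator, context):
    """Model an AttributeDesignator lookup.

    `context` plays the attribute finders: {"subject": {...}, "resource": {...}}
    mapping attribute ids to lists of values. An attribute the finders do not
    know (the "Does not know about attribute" case in the log) yields an empty
    bag when MustBePresent="false", or Indeterminate when MustBePresent="true".
    """
    local_name = designator.tag.split("}")[-1]
    category = "subject" if local_name == "SubjectAttributeDesignator" else "resource"
    attr_id = designator.get("AttributeId")
    values = context.get(category, {}).get(attr_id)
    if values is None:
        if designator.get("MustBePresent", "false") == "true":
            raise Indeterminate(f"required attribute {attr_id} is missing")
        return frozenset()
    return frozenset(values)


# The two-bag functions this model understands.
FUNCTIONS = {
    FN_PREFIX + "string-at-least-one-member-of": lambda a, b: bool(a & b),
    FN_PREFIX + "string-set-equals": lambda a, b: a == b,
}


def evaluate_rule(policy_xml, context):
    """Return "Permit", "NotApplicable" or "Indeterminate" for the policy's Rule.

    XACML 2.0 rule semantics: a Condition that evaluates to False makes the
    Rule NotApplicable; an Indeterminate Condition makes the Rule Indeterminate.
    """
    root = ET.fromstring(policy_xml)
    rule = root.find("p:Rule", NS)
    condition = rule.find("p:Condition", NS)
    function = FUNCTIONS[condition.get("FunctionId")]
    try:
        bags = [resolve_bag(designator, context) for designator in condition]
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect") if function(*bags) else "NotApplicable"


# Constructed request contexts (user names are made up).
OWNER_RESOLVED = {"subject": {LOGIN_ID: ["martin"]}, "resource": {OWNER: ["martin"]}}
OTHER_USER = {"subject": {LOGIN_ID: ["alice"]}, "resource": {OWNER: ["martin"]}}
# The situation the posted log line describes: the finder never supplies the owner.
OWNER_UNRESOLVED = {"subject": {LOGIN_ID: ["martin"]}, "resource": {}}
# Same rule with MustBePresent="true" on both designators.
STRICT_POLICY = POLICY_XML.replace('MustBePresent="false"', 'MustBePresent="true"')

if __name__ == "__main__":
    print(evaluate_rule(POLICY_XML, OWNER_RESOLVED))       # Permit
    print(evaluate_rule(POLICY_XML, OTHER_USER))           # NotApplicable
    print(evaluate_rule(POLICY_XML, OWNER_UNRESOLVED))     # NotApplicable (silent)
    print(evaluate_rule(STRICT_POLICY, OWNER_UNRESOLVED))  # Indeterminate (visible)
```

Flipping MustBePresent to "true" is a diagnostic and a fail-closed safety net, not a fix: the owner comparison can only succeed once some attribute finder actually supplies the resource:object:owner attribute to the PDP, which is exactly what the DEBUG line says is not happening.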
_______________________________________________
Fedora-commons-users mailing list
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users