Hi all,
I'm trying to make a policy rule to deny access to an object (MyNS:Restricted_Object) if the user doesn't have the Group1 role (defined in fedora-users.xml). You can find below the definition of the user and the XACML file. But it doesn't work! When I don't activate the XACML file, there is no restriction on access to the object and its datastreams. But when I activate it, access is denied to every user. I'm using version 3.2.1 of Fedora Commons, installed on a Linux server (Linux myFCComputer 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux).

Does anyone know why it doesn't work as I want?
Greetings
Pierre-Yves


Error returned by the web admin:
Could not retrieve object '' from the repository. Either the object does not exist, or you do not have permission to view it.

Error returned when accessing the object's URL:
403 Forbidden
Authorization failed


fedora-users.xml:
...
   <user name="User1" password="XXXXX">
     <attribute name="fedoraRole">
       <value>Group1</value>
     </attribute>
   </user>
...

deny-access-object-list-if-not-group1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-access-object-list-if-not-group1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">

  <Description> </Description>
  <Target>

    <Subjects>
      <AnySubject/>
    </Subjects>

    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MyNS:Restricted_Object</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>

    <Actions>
      <AnyAction/>
    </Actions>

  </Target>

  <Rule RuleId="1" Effect="Deny">

    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Group1</AttributeValue>
        </Apply>
      </Apply>
    </Condition>

  </Rule>

</Policy>

_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
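An added example, not part of Pierre-Yves's post or Fedora's own code: a small Python script that evaluates only the target and rule of the posted policy against a few request contexts, so the decision the XACML logic itself returns can be checked offline before looking at which attributes the Fedora PDP actually receives at runtime. It assumes the ElementTree paths match the policy exactly as posted, and models an absent fedoraRole attribute (MustBePresent="false") as an empty bag.

```python
# Added example: offline check of the posted XACML policy's decision logic.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
XS = "http://www.w3.org/2001/XMLSchema#string"

# The policy from the post, with the stray ';' after the DataType URIs removed.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="deny-access-object-list-if-not-group1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects>
  <Resources><Resource>
   <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="%s">MyNS:Restricted_Object</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="%s"/>
   </ResourceMatch></Resource></Resources>
  <Actions><AnyAction/></Actions></Target>
 <Rule RuleId="1" Effect="Deny">
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false" DataType="%s"/>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
     <AttributeValue DataType="%s">Group1</AttributeValue></Apply></Apply></Condition></Rule></Policy>""" % ((XS,) * 4)


def evaluate(policy_xml, pid, roles):
    """Return 'Deny' or 'NotApplicable' for one request context.
    roles is the bag of fedoraRole values the PDP sees; an absent attribute is
    the empty bag (MustBePresent="false"), so at-least-one-member-of is false
    and not() turns that into a Deny."""
    root = ET.fromstring(policy_xml)
    # Target: the resource pid must string-equal the literal in ResourceMatch.
    wanted = root.find("x:Target/x:Resources/x:Resource/x:ResourceMatch/x:AttributeValue", NS).text
    if pid != wanted:
        return "NotApplicable"
    rule = root.find("x:Rule", NS)
    # Condition: not(string-at-least-one-member-of(fedoraRole, string-bag(...))).
    allowed = {v.text for v in rule.findall("x:Condition/x:Apply/x:Apply/x:AttributeValue", NS)}
    if not (set(roles) & allowed):
        return rule.get("Effect")
    # Condition false: the only rule does not apply, so this policy is silent
    # and the repository's other policies decide the request.
    return "NotApplicable"


if __name__ == "__main__":
    for who, roles in (("User1", ["Group1"]), ("anonymous", []), ("other", ["Group2"])):
        print(who, evaluate(POLICY, "MyNS:Restricted_Object", roles))
```

Run as written it shows that, by XACML semantics alone, this policy does not deny a subject whose fedoraRole bag contains Group1; a 403 for User1 therefore points at what the PDP is (or is not) being given as the fedoraRole attribute rather than at the rule's logic.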
