Hi Steve,

Yes indeed, that is what I wanted to achieve. I do not use FeSL, just policy
enforcing with object policies enabled. I think Asger (from the other reply)
is correct. When determining the policy xml for object A from an external
reference to another stream on the same Fedora Object, I get a loop from
policy requests, because Fedora tries to verify if I am allowed to read that
stream by trying to open the same policy stream again. That is exactly what
I was experiencing. Resolving the policy xml took a long time (loops), after
which a message appeared that I had no access (on all streams of object A,
access was denied).

I decided to skip this difficult manner of resolving access from a central
policy. Now I'm going to store inline xml as a policy to each object
individually.

Thanks for your efforts,

Maarten Seegers
Maastricht University
The Netherlands

2010/10/16 Steve Bayliss <[email protected]>

> Hi Maarten
>
> Are you using FeSL Authorization?
>
> Some example files would probably be useful to understand what you're
> trying to achieve here.  As far as I can tell from your email, Datastream 4
> in Object A is the POLICY datastream, and this is an "E" (external)
> datastream, and you want this to be dynamically generated using XSLT - is
> that correct?
>
> Regards
> Steve
>
> -----Original Message-----
> *From:* UB Mailing Subscription [mailto:[email protected]]
> *Sent:* 11 October 2010 14:19
> *To:* [email protected]
> *Cc:* [email protected];
> [email protected]
> *Subject:* [fcrepo-user] Help required on dynamic policy streams (using
> xsltstylesheet)
>
> Dear all,
>
> Within a Fedora 3.4 installation, I would like to enforce object policies
> in an external referenced datastream. When I implement this, things work
> fine if the referenced datastream from object A is referencing an xml
> datastream in another object B, which contains correct XACML.
>
> Next, I want to change the static XACML to be dynamic, depending on a xml
> value in another datastream in object A. In my case, this is a date after
> which the policy must be less strict than before this date.
>
> The objective of the policies in object B is to protect access to the
> managed content stream of object A.
>
> What objects did I create (next to the objects of being able to apply the
> stylesheet to an xml datastream)?
> - Object A
>   + Datastream 1: xml (containing date variable)
>   + Datastream 2: stylesheet
>   + Datastream 3: serviceDefinition
>   + Datastream 4: external reference to URL, applying stylesheet to xml
> datastream
>   + Datastream 5: managed content (e.g. pdf file)
>
> - Object B
>   + Datastream 1: xml (XACML policy 1)
>   + Datastream 2: xml (XACML policy 2)
>   + Datastream 3: xml (XACML policy 3)
>
> What happens?
> When I disable policy enforcement in the fedora.fcfg file, the URL of the
> policy datastream of object A gives me correct XACML in xml format, exactly
> the same as a static link to an object B datastream. So the stylesheet and
> the service work fine, the resulting XACML is indeed depending on the date
> in datastream 1 of object A.
>
> When I enable policy enforcement, I cannot access any datastream anymore
> in object A, whereas the policy only blocks access to the managed content
> datastream, even if I remove all global policy files from their location in
> the Fedora default dir and restart tomcat.
>
> Question: Is the approach of dynamic policies as described above
> possible? If yes, what am I doing wrong? If requested, I can send example
> xml, xslt and xacml files. If no, are there any other options to get this
> desired protection behaviour of Fedora?
>
> Any suggestions are welcome,
>
> Regards,
>
> Maarten Seegers
> Maastricht University
> The Netherlands
>
>
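
The policy loop discussed in this thread, as an added example that is not part of either message and is not Fedora's code: a simplified Python model in which dereferencing an external POLICY datastream is itself a read that must be authorized. The `Repo` class, the datastream names `DYNAMIC` and `POLICY1`, and the `MAX_DEPTH` cut-off are constructed assumptions.

```python
# Simplified model of per-object policy lookup; NOT Fedora's implementation.
MAX_DEPTH = 20  # constructed cut-off standing in for whatever finally ends the loop

class Repo:
    def __init__(self, objects):
        # pid -> {dsid: ("data", None) | ("policy", denied_dsids) | ("external", (pid, dsid))}
        self.objects = objects
        self.policy_loads = 0

    def load_policy(self, pid, depth):
        """Return the dsids that pid's POLICY denies, or None if it cannot be read."""
        self.policy_loads += 1
        kind, value = self.objects[pid]["POLICY"]
        if kind == "policy":                      # inline XML: no further read needed
            return value
        target_pid, target_ds = value             # external: dereference the URL
        # Fetching the target is itself a datastream read and must be authorized.
        if not self.can_read(target_pid, target_ds, depth + 1):
            return None
        return self.objects[target_pid][target_ds][1]

    def can_read(self, pid, dsid, depth=0):
        if depth > MAX_DEPTH:
            return False                          # loop never resolved: fail closed
        if "POLICY" not in self.objects[pid]:
            return True                           # no object policy to consult
        denied = self.load_policy(pid, depth)
        return denied is not None and dsid not in denied

def build(policy_ds):
    """Object A from the thread with the given POLICY datastream, plus object B."""
    return Repo({
        "A": {"XML": ("data", None), "PDF": ("data", None),
              "DYNAMIC": ("policy", {"PDF"}),     # XSLT output generated on A itself
              "POLICY": policy_ds},
        "B": {"POLICY1": ("policy", {"PDF"})},    # static XACML; B has no POLICY
    })

def check(policy_ds):
    repo = build(policy_ds)
    result = (repo.can_read("A", "XML"), repo.can_read("A", "PDF"))
    return result, repo.policy_loads

if __name__ == "__main__":
    for name, ds in [("external -> B", ("external", ("B", "POLICY1"))),
                     ("external -> A", ("external", ("A", "DYNAMIC"))),
                     ("inline on A", ("policy", {"PDF"}))]:
        print(name, check(ds))
```

In this model the same-object reference denies every datastream on A after repeated policy loads, while the reference to object B and the inline policy each resolve in a single load per request.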
_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users