Hi Scott, Actually FeSL AuthN and AuthZ are now separate options at install-time, so enabling one shouldn't force you to use the other. If you find that's happening, it's a bug that needs to be addressed...it's certainly not intentional. But the first release we did with FeSL included did force them to both either be on or off, so that may be a source of confusion if you're using an older version.
Also, I'm not sure if you're aware of this, but Adam Soroka has been putting together a non-FeSL servlet filter that allows Shib integration. I believe he's planning on having something available for others to check out sometime after the 3.5 release. - Chris On Tue, Mar 22, 2011 at 10:32 AM, Scott Prater <[email protected]> wrote: > The topic of using Shibboleth for authentication and XACML for authorization > has heated up again in our organization. > > Here is our ideal scenario: > > * Authentication with Shibboleth, Shibboleth attributes made available for > use in Fedora XACML policies: made possible by servlet filters developed at > other institutions > > * XACML policies stored as Fedora objects, inheritable rules, indexed in the > resource index, cached: made possible by FeSL > > However, it appears that if FeSL is enabled (necessary to get the new and > improved version of the XACML implementation), then FeSL JAAS is also > enabled, and so the Shibboleth authentication piece will be disabled or > bypassed (right?). > > We'd like to have our cake and eat it, too, ideally without having to wrestle > with developing a JAAS Shibboleth plugin. Is there a way to separate FeSL > authentication from FeSL authorization, enable the latter, but not the > former? Thoughts? > > Some background reading: > > https://jira.duraspace.org/browse/FCREPO-577 > https://wiki.duraspace.org/display/FCR30/Fedora+Security+Layer+%28FeSL%29 > > thanks in advance, > > -- Scott > > > > > ------------------------------------------------------------------------------ > Enable your software for Intel(R) Active Management Technology to meet the > growing manageability and security demands of your customers. Businesses > are taking advantage of Intel(R) vPro (TM) technology - will your software > be a part of the solution? Download the Intel(R) Manageability Checker > today! http://p.sf.net/sfu/intel-dev2devmar > _______________________________________________ > Fedora-commons-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users > ------------------------------------------------------------------------------ Enable your software for Intel(R) Active Management Technology to meet the growing manageability and security demands of your customers. Businesses are taking advantage of Intel(R) vPro (TM) technology - will your software be a part of the solution? Download the Intel(R) Manageability Checker today! http://p.sf.net/sfu/intel-dev2devmar _______________________________________________ Fedora-commons-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
