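<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
        PolicyId="permit-apia-to-localhost"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!--
    Purpose: permit API-A (read-style) requests when the client address is the
    local host or matches the configured campus subnet. Any other client falls
    through as NotApplicable; whether such a request is then denied depends on
    the other policies loaded in the PDP, not on this file.

    Trust boundary: the decision rests entirely on the clientIpAddress
    environment attribute. If Fedora is reached through a reverse proxy or load
    balancer running on the same machine, that attribute may carry the proxy's
    address (127.0.0.1) instead of the end user's, in which case this policy
    would permit every proxied request. Confirm how the attribute is populated
    in this deployment before relying on it.

    Note: the stray ";" characters that followed several quoted attribute
    values in the circulated copy made the document ill-formed; they are
    removed here.
  -->
  <Description>A Policy that grants read access to localhost (or the VU Subnet)</Description>
  <Target>
    <Actions>
      <!-- Either Action match below makes the policy applicable (Actions are OR'd). -->
      <!-- Match the API attribute: any API-A operation -->
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
      <!-- OR, the generic "read" action id (probably redundant with the API-A match above) -->
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>

  <!-- The Rule carries no Target of its own, so it is reached whenever the Policy
       Target above matches; its Condition alone decides Permit vs NotApplicable. -->
  <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <!-- Permit when the client address is any loopback spelling (IPv4, IPv6 short and long form) -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">::1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0:0:0:0:0:0:0:1</AttributeValue>
          </Apply>
        </Apply>
        <!-- OR, permit when the client address matches the campus (Villanova) subnet pattern.
             "XXX.XXX" appears to be a placeholder for the first two octets in this copy;
             it must be the real prefix in the deployed file.
             The pattern is anchored with ^ and $: some PDPs implement regexp-string-match
             as an unanchored search, and without anchors a longer address whose substring
             happens to fit the pattern would also be accepted. Anchoring is a no-op on
             PDPs that already match the whole string, so it is safe either way. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^XXX\.XXX\.\d{1,3}\.\d{1,3}$</AttributeValue>
          <!-- string-one-and-only yields Indeterminate (not false) if the attribute bag is empty
               or holds several values; verify the PEP always supplies exactly one address. -->
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>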

David Lacy
Falvey Library Technology Services
Villanova University
library.villanova.edu

> -----Original Message-----
> From: Benjamin Armintor [mailto:[email protected]]
> Sent: Tuesday, October 09, 2012 11:47 AM
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] findObjects REST API and 3.6 problem
> 
> I'm pretty sure findObjects is handled by the same REST resource now.
> I thought messages like this meant that a request matched a policy
> target, but not any of its rule targets.  David, can you link a copy
> of the policy somewhere, or is it just matching the API attribute?
> 
> - Ben
> 


