Timestamp:
25/08/10 16:40:51 (11 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Started work making PEP use two stage PDP, first lightweight PDP filters out CSS and graphics requests to avoid overhead of network call to the authorisation service, second stage is callout to authorisation service as already in place.
Location:
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test
Files:
1 added
4 edited

  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml

    r7357 r7364  
    9595                </Resource> 
    9696            </Resources> 
     97            <Actions> 
     98                <Action> 
     99                    <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
     100                        <ActionAttributeDesignator 
     101                            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" 
     102                            DataType="http://www.w3.org/2001/XMLSchema#string"/> 
     103                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> 
     104                    </ActionMatch> 
     105                </Action> 
     106            </Actions> 
    97107        </Target> 
    98108         
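Review bot: the ActionMatch added at new lines 99-104 uses string-equal against the literal "read", so this Target now applies only when the request context carries an action-id attribute with exactly that value; a request with a different action value, or with no action attribute at all, no longer matches it. Please confirm that the PEP sets action-id to this string for the requests this Target is meant to cover, and add a short XML comment saying which rule or policy is expected to handle the non-read case, since nothing in this hunk shows one.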
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system

    • Property svn:ignore set to
      pip-session-cache
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini

    r7357 r7364  
    9797pep.cacheDecisions = True 
    9898 
     99# Including this setting activates a simple PDP local to this PEP which filters  
     100# requests to cut down on calls to the authorisation service.  This is useful 
     101# for example to avoid calling the authorisation service for non-secure content 
     102# such as HTML CSS or graphics.  Note that filters based on resource URI  
     103# requested alone.  Subject, action and environment settings are not passed in  
     104# the request context to the local PDP. 
     105# 
     106# The policy content should be set carefully to avoid unintended override of the 
     107# authorisation service's policy 
     108pep.localPolicyFilePath = %(here)s/request-filter.xml 
     109 
    99110# Settings for Policy Information Point used by the Policy Decision Point to 
    100111# retrieve subject attributes from the Attribute Authority associated with the 
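Review bot: the comment at new lines 99-107 says the local PDP sees only the resource URI and warns about overriding the authorisation service's policy, but it does not say which local decisions end processing at the PEP and which still go on to the authorisation service. Spell that out here, and state that the patterns in request-filter.xml should match only content that needs no protection, because a request decided locally is decided without subject, action or environment attributes. It is also worth a line on how this interacts with pep.cacheDecisions = True just above, and the wording "Note that filters based on" should read "Note that it filters based on".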
  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini

    r7353 r7364  
    3232authz.pep.cacheDecisions = True 
    3333 
     34# Including this setting activates a simple PDP local to this PEP which filters  
     35# requests to cut down on calls to the authorisation service.  This is useful 
     36# for example to avoid calling the authorisation service for non-secure content 
     37# such as HTML CSS or graphics.  Note that filters based on resource URI  
     38# requested alone.  Subject, action and environment settings are not passed in  
     39# the request context to the local PDP. 
     40# 
     41# The policy content should be set carefully to avoid unintended override of the 
     42# authorisation service's policy 
     43authz.pep.localPolicyFilePath = %(here)s/request-filter.xml 
     44 
    3445# If omitted, DN of SSL Cert is used 
    3546authz.pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test 
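Review bot: with authz.pep.localPolicyFilePath set at new line 43, tests that load this config run with the local filter in front of the authorisation service call, so they should include a case asserting that a URI the filter does not cover still results in a query to the authorisation service, and a case for a missing or unreadable request-filter.xml. The comment block at new lines 34-42 is a copy of the one in securedapp.ini; a one-line pointer to that file would keep the two from drifting apart.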