PERMIS-USERS Archives
PERMIS-USERS June 2011
Subject: Re: [SOLVED] Ownership problem
From: Stijn Lievens <[log in to unmask]>
Reply-To: For users/administrators of the PERMIS authorisation software <[log in to unmask]>
Date: Mon, 6 Jun 2011 20:26:11 +0100
Content-Type: text/plain

Hi Eliana,

On 06/06/11 16:48, Eliana Lazzeri wrote:
> Hello again,
>
> I found an answer to my question:
>
>> 2011-06-01 13:18:50,488 [main] DEBUG issrg.utils.handler.Handler - to
>> create a PERMIS Subject with DN: null
>> -->  this would imply that you haven't given your subject a name ?
>
>> Yes, in the XACML request I have to give only the role of the subject. How can I add also the subject's name? Have I to use the user
>> certificate?
>
> I have to add an attribute to XACML request.
> In particular, I have to add:
>
> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string">
> <AttributeValue>  <!-- LDAPDN -->  </AttributeValue>
> </Attribute>
>
> Is it correct?
>

Yes, that is correct. The subject-id attribute gives the (distinguished) 
name of the subject.

> How can I verify that that LDAPDN refers to a subject with the Role necessary to perform the Action?
>

In the example you had earlier, you included a validated attribute in 
your request context, i.e. you would have had something like:

<Attribute AttributeId="permisRole"><AttributeValue>student</AttributeValue></Attribute>


In this case no credential validation checking is done as it is assumed 
that the credential has already been validated.

Now, if you wanted to do credential validation, you could push the 
base64 encoding of an X.509 AC for your subject in the request. That is, 
you would use something like:

<Attribute AttributeId="urn:oid:2.5.4.58"><AttributeValue>Base64 encoding of certificate here</AttributeValue></Attribute>

Then only if the student role (say) was (indirectly) assigned by an SOA 
(Source of Authority) would it validate and would the subject get 
assigned the subject role.

> Thank you very much for your help
>

No worries.


Kind regards,

Stijn.

> Kind regards
>
> Eliana
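An added example, not code from this thread or from PERMIS itself: it builds the XACML request Subject with the three attributes discussed above (subject-id, permisRole, and urn:oid:2.5.4.58 carrying a base64 X.509 AC) and shows the PDP-side split between roles that arrive already validated and pushed credentials that still have to be validated back to the SOA. The XACML 2.0 context namespace, the helper names and the stand-in DER bytes are my assumptions, not taken from the thread.

```python
import base64
import xml.etree.ElementTree as ET

# Assumed: XACML 2.0 request-context namespace (the thread's fragments omit it).
XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
PERMIS_ROLE = "permisRole"      # pre-validated role, as in the thread
AC_OID = "urn:oid:2.5.4.58"     # attributeCertificateAttribute: pushed X.509 AC
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"


def build_request(subject_dn, roles=(), ac_der=None):
    """Build a minimal Request/Subject carrying the attributes from the thread.
    ac_der is the raw DER of an X.509 AC (or None to push no credential)."""
    ET.register_namespace("", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request")
    subj = ET.SubElement(req, f"{{{XACML_NS}}}Subject")

    def add(attr_id, value):
        attr = ET.SubElement(subj, f"{{{XACML_NS}}}Attribute",
                             AttributeId=attr_id, DataType=XSD_STRING)
        ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue").text = value

    add(SUBJECT_ID, subject_dn)              # the DN Eliana was missing
    for role in roles:
        add(PERMIS_ROLE, role)               # trusted as already validated
    if ac_der is not None:                   # pushed credential: must be validated
        add(AC_OID, base64.b64encode(ac_der).decode("ascii"))
    return ET.tostring(req, encoding="unicode")


def inspect_subject(xml_text):
    """PDP-side view of a request: which roles are taken on trust (permisRole)
    and which pushed ACs still need validation against the SOA's policy."""
    root = ET.fromstring(xml_text)
    out = {"subject_dn": None, "validated_roles": [], "pushed_acs": []}
    for attr in root.iter(f"{{{XACML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{XACML_NS}}}AttributeValue")]
        attr_id = attr.get("AttributeId")
        if attr_id == SUBJECT_ID:
            out["subject_dn"] = values[0] if values else None
        elif attr_id == PERMIS_ROLE:
            out["validated_roles"].extend(values)
        elif attr_id == AC_OID:
            for value in values:
                der = base64.b64decode(value, validate=True)
                if not der or der[0] != 0x30:   # an AC is a DER SEQUENCE
                    raise ValueError("pushed AC is not DER-encoded")
                out["pushed_acs"].append(der)
    return out
```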
