« DC Metadata fields used by UMN DSPACE instances: | Main | Reaching the Fedora Repository from a remote box ... localhost issue »

Turning XACML ON and OFF in Fedora

2.1 Enabling/Disabling XACML Policy Enforcement To enable/disable XACML policy enforcement in Fedora, use the Fedora configuration file (fedora.fcfg). Whether Fedora uses XACML for authorization decisions is controlled by the ENFORCE-MODE parameter in the Authorization module: <param name="ENFORCE-MODE" value="enforce-policies"/> The ENFORCE-MODE parameter can contain one of three values, with the following meanings: 1. enforce-policies – enable XACML enforcement to determine whether a request is permitted or denied
2. permit-all-requests – disable XACML enforcement; PERMIT every request by default
3. deny-all-requests – disable XACML enforcement; DENY every request by default
The enforce-policies setting is used to enable the enforcement of XACML policies, and is the default setting for a Fedora repository. The permit-all-requests setting can facilitate testing code independent of security. The deny-all-requests setting can be used to quickly shut down access to the server, but requires a server restart to affect this. Tomcat container security is, of course, still a first barrier to authentication/authorization (i.e., Fedora's Tomcat web.xml specifies access protection earlier than XACML. Tomcat container security is always in place regardless of the setting for parameter ENFORCE-MODE. see Fedora Commons on XACML

Posted by Jeffrey Silvis on November 13, 2009 10:40 AM |

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)