source: TI12-security/trunk/python/ @ 5279

Revision 5279, 940 bytes checked in by pjkersha, 12 years ago

Major fix to authorisation middleware:

  • Apply request URI checking in WSGI middleware not in MultiHandler checker function
  • MultiHandler checker is still used but this performs the function of responding to HTTP 403 Forbidden responses from applications to be protected downstream in the WSGI stack
  • Refactored:
    • PEPFilter is a WSGI app to enforce access control decisions made by the PDP.
    • AuthZResultMiddleware -> PEPResultMiddleware
  • PEPResultMiddleware provides the response if access is denied. This can happen if a URI path matches a target in the policy or if an application downstream sets a 403 response.
<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="pyDAP" xmlns="urn:ndg:security:authz:1.0:policy">
    <Description>Restrict access for Authorization integration tests</Description>

    <Target>
        <URIPattern>^/test_securedURI*$</URIPattern>
        <Attributes>
            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute>
        </Attributes>
        <AttributeAuthority>
            <uri>http://localhost:7443/AttributeAuthority</uri>
        </AttributeAuthority>
    </Target>
    <Target>
        <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
        <Attributes>
            <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>
            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
        </Attributes>
        <AttributeAuthority>
            <uri>http://localhost:7443/AttributeAuthority</uri>
        </AttributeAuthority>
    </Target>
</Policy>
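A sketch of how a PDP could evaluate this policy's targets against a request path, added here as an example and not taken from the TI12-security code base. The function names are hypothetical, and three behaviours are assumptions: patterns are applied with Python's re.match, the first matching target wins, and holding any one listed attribute grants access. It also shows which paths fall outside the patterns: in ^/test_securedURI*$ the * repeats only the final "I", so sub-paths such as /test_securedURI/data match no target.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:ndg:security:authz:1.0:policy"}

# Condensed copy of the two targets from the policy file above.
POLICY_XML = """<Policy PolicyId="pyDAP" xmlns="urn:ndg:security:authz:1.0:policy">
  <Target>
    <URIPattern>^/test_securedURI*$</URIPattern>
    <Attributes><Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute></Attributes>
  </Target>
  <Target>
    <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern>
    <Attributes>
      <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute>
      <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute>
    </Attributes>
  </Target>
</Policy>"""


def load_targets(policy_xml):
    """Return [(compiled URI pattern, set of attribute URNs)] in document order."""
    root = ET.fromstring(policy_xml)
    return [
        (re.compile(t.findtext("p:URIPattern", namespaces=NS).strip()),
         {a.text.strip() for a in t.iterfind("p:Attributes/p:Attribute", NS)})
        for t in root.iterfind("p:Target", NS)
    ]


def decide(targets, path, user_attrs):
    """'NotApplicable' if no target matches, else 'Permit' or 'Deny'.

    Assumptions: first matching target wins, and holding any one listed
    attribute is enough.
    """
    for pattern, required in targets:
        if pattern.match(path):
            return "Permit" if required & set(user_attrs) else "Deny"
    return "NotApplicable"


def pattern_coverage(targets, paths):
    """Paths that no target matches, i.e. requests the PEP would not check."""
    return [p for p in paths if decide(targets, p, ()) == "NotApplicable"]
```

Running pattern_coverage over an application's real route list is a quick way to confirm that every path meant to be protected is matched by some URIPattern.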