Timestamp:
13/05/09 15:00:34 (10 years ago)
Author:
pjkersha
Message:

Further improvements to the authorization middleware:

  • PEPFilter no longer explicitly calls the PEPResultHandlerMiddleware (This latter class is the WSGI component which handles the access denied response that the server returns). This is not necessary as it can set a 403 response in order to trigger the multiHandlerIntercept callback function set in the MultiHandler instance. This responds to all 403 type status codes by invoking the PEPResultHandlerMiddleware.
  • ndg.security.common.authz.msi: improvements to the PDP, PIP and Response classes.
  • ndg.security.test.integration.dap: added integration test for secured pyDAP service
File:
1 edited

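--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/msi.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/authz/msi.py
@@ -146,5 +146,5 @@
 
 class Response(object):
-
+    '''Response from a PDP'''
     decisionValues = range(4)
     (DECISION_PERMIT,
@@ -156,11 +156,23 @@
     DECISIONS = ("Permit", "Deny", "Indeterminate", "NotApplicable")
     
+    decisionValue2String = dict(zip(decisionValues, DECISIONS))
+    
     def __init__(self, status, message=None):
+        
+        self.status = status
+        self.message = message
+
+    def _setStatus(self, status):
         if status not in Response.decisionValues:
             raise TypeError("Status %s not recognised" % status)
         
-        self.status = status
-        self.message = message
-  
+        self._status = status
+        
+    def _getStatus(self):
+        return getattr(self, '_status', Response.DECISION_INDETERMINATE)
+    
+    status = property(fget=_getStatus,
+                      fset=_setStatus,
+                      doc="Integer response code; one of %r" % decisionValues)
         
 from ndg.security.common.AttCert import AttCertInvalidSignature, \
@@ -260,5 +272,6 @@
     """Policy Information Point - this implementation enables the PDP to 
     retrieve attributes about the Subject"""
-
+    wsseSectionName = 'wssecurity'
+    
     def __init__(self, prefix='', **cfg):
         '''Set-up WS-Security and SSL settings for connection to an
@@ -272,10 +285,10 @@
         '''
         self.wssecurityCfg = WSSecurityConfig()
-        wssePrefix = prefix + 'wssecurity'
+        wssePrefix = prefix + PIP.wsseSectionName
         self.wssecurityCfg.update(cfg, prefix=wssePrefix)
                 
         # List of CA certificates used to verify peer certificate with SSL
         # connections to Attribute Authority
-        self.sslCACertFilePathList = cfg.get(prefix + 'sslCACertFilePathList', [])
+        self.sslCACertFilePathList=cfg.get(prefix+'sslCACertFilePathList', [])
         
         # List of CA certificates used to verify the signatures of 
@@ -495,4 +508,5 @@
         
         knownAttributeAuthorityURIs = []
+        request.subject[Subject.ROLES_NS] = []
         for matchingTarget in matchingTargets:
             
@@ -524,5 +538,5 @@
                                         matchingTarget.attributeAuthorityURI)
                 
-                request.subject[Subject.ROLES_NS] = attributeResponse[
+                request.subject[Subject.ROLES_NS] += attributeResponse[
                                                             Subject.ROLES_NS]
                
@@ -532,6 +546,8 @@
                 return Response(Response.DECISION_PERMIT)
             
-        return Response(Response.DECISION_DENY)
-    
-
-        
+        return Response(Response.DECISION_DENY,
+                        message="Insufficient privileges to access the "
+                                "resource")
+    
+
+        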
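Review bot: The subject's role list is now reset once before the loop and extended with `+=` on every iteration (new lines 510 and 540), so roles returned by one Attribute Authority are still present when a later matching target, which may name a different authority, is evaluated; if the permit check preceding `return Response(Response.DECISION_PERMIT)` at new line 546 (its condition lies outside the hunk) matches against this merged list, a role granted by one authority can satisfy a target bound to another. If that union semantics is intended, a comment at the `request.subject[Subject.ROLES_NS] = []` line such as `# Roles accumulate across every matching Attribute Authority; a later target is checked against the union` would make it explicit; otherwise collect each authority's roles separately and check each target only against the roles its own authority returned. The `+=` also retains duplicates when several authorities return the same role, which is harmless for membership tests but worth knowing when the list is logged or returned. The enclosing method starts and ends outside the hunk.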