Changeset 7350 for TI12-security


Timestamp:
20/08/10 15:42:14 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Working version integrated with the ndg.security.test.integration.full_system test. This secures a test HTTP app with XACML-based authorisation, called over a SAML interface from a PEP in the app's authorisation middleware.
  • Some tuning is needed to optimise performance:
    • caching of attribute queries in the PEP
    • Possible additional PDP in the authorisation filter to filter out some requests from being routed to the SAML authorisation service.
    • possible caching of authorisation decisions at the PEP as another way of avoiding the authorisation service round-trips.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
18 edited

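--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py
@@ -128,4 +128,11 @@
     @type: defPaths: dict 
     
+    @cvar FORM_MATCH_TEXT: use in _displayResponse method to detect whether to 
+    wrap the response in the FORM_RESP_WRAPPER_TMPL Javascript.  This is only 
+    needed when this Provider is return key/values pairs back to the RP as  
+    a POST'ed form 
+     
+    @type FORM_MATCH_TEXT: basestring 
+     
     @cvar FORM_RESP_WRAPPER_TMPL: If the response to the Relying Party is too  
     long it's rendered as form with the POST method instead of query arguments  
@@ -134,5 +141,6 @@
     below... 
     @type FORM_RESP_WRAPPER_TMPL: basestring""" 
-     
+
+    FORM_MATCH_TEXT = '<form'     
     FORM_RESP_WRAPPER_TMPL = """<html> 
     <head> 
@@ -1335,9 +1343,13 @@
         # If the content length exceeds the maximum to represent on a URL, it's 
         # rendered as a form instead 
-        # FIXME: Commented out oidResponse.renderAsForm() test as it doesn't  
-        # give consistent answers.  Testing based on body content should work 
-        # OK 
-        if webresponse.body: 
-        #if oidResponse.renderAsForm(): 
+        # FIXME: Got rid out oidResponse.renderAsForm() test as it doesn't  
+        # give consistent answers.   
+        # 
+        # The FORM_MATCH_TEXT test detects whether the response needs to be  
+        # wrapped in the FORM_RESP_WRAPPER_TMPL Javascript.  This is only 
+        # needed when this Provider is return key/values pairs back to the RP as  
+        # a POST'ed form 
+        if webresponse.body.startswith( 
+                                    OpenIDProviderMiddleware.FORM_MATCH_TEXT): 
             # Wrap in HTML with Javascript OnLoad to submit the form 
             # automatically without user intervention 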
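Review bot: The new test at line 1352 replaces the previous `if webresponse.body:` guard with a bare `webresponse.body.startswith(...)`, so if the body can ever be None the check now raises AttributeError instead of skipping the wrapper; `if webresponse.body and webresponse.body.startswith(self.FORM_MATCH_TEXT):` keeps the old guard and, assuming this is an instance method, also lets a subclass override the class variable, which the hard reference to `OpenIDProviderMiddleware.FORM_MATCH_TEXT` prevents. A prefix match is sensitive to leading whitespace or an upper-case `<FORM` tag in the rendered response, so the FORM_MATCH_TEXT docstring at 130 should state that the comparison is exact and case-sensitive. The FIXME at 1345 reads 'Got rid out' and both comment blocks say 'this Provider is return key/values pairs'; 'Got rid of' and 'is returning' are meant. The enclosing method begins and ends outside this hunk.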
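--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/serveryadis.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/serveryadis.xml
@@ -1,10 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?> 
 <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 
-    <XRD> 
-        <Service priority="0"> 
-            <Type>$openid20type</Type> 
-            <URI>$endpoint_url</URI> 
-        </Service> 
-    </XRD> 
     <XRD> 
         <Service priority="1"> 
@@ -19,3 +13,9 @@
         </Service> 
     </XRD> 
+    <XRD> 
+        <Service priority="0"> 
+            <Type>$openid20type</Type> 
+            <URI>$endpoint_url</URI> 
+        </Service> 
+    </XRD> 
 </xrds:XRDS> 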
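Review bot: The priority="0" service is moved from the first XRD into a new XRD placed last, with no comment recording why; if I recall the OpenID 2.0 discovery rules correctly, a Relying Party consumes the last XRD element of the XRDS document, so this ordering is what makes the OP endpoint discoverable, and a later tidy-up could undo it without noticing. Add an XML comment above the new `<XRD>` such as `<!-- Keep this XRD last: OpenID 2.0 Relying Parties read the final XRD element -->`. The same reordering in yadis.xml (next file) wants the same comment.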
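--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/yadis.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/renderinginterface/genshi/templates/yadis.xml
@@ -1,12 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?> 
 <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> 
-    <XRD> 
-        <Service priority="0"> 
-            <Type>$openid20type</Type> 
-            <Type>$openid10type</Type> 
-            <URI>$endpoint_url</URI> 
-            <LocalID>$user_url</LocalID> 
-        </Service> 
-    </XRD> 
     <XRD> 
         <Service priority="1"> 
@@ -37,3 +29,11 @@
         </Service> 
     </XRD> 
+    <XRD> 
+        <Service priority="0"> 
+            <Type>$openid20type</Type> 
+            <Type>$openid10type</Type> 
+            <URI>$endpoint_url</URI> 
+            <LocalID>$user_url</LocalID> 
+        </Service> 
+    </XRD> 
 </xrds:XRDS> 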
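--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/signin.html
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/relyingparty/signin_interface/genshi/templates/signin.html
@@ -34,5 +34,5 @@
                         <div id="aboutOpenID" class="hidden"> 
                                 <div class="helptxt"> 
-                                        <p><a href="http://openid.net/get-an-openid/what-is-openid/>OpenID">OpenID</a> is a  
+                                        <p><a href="http://openid.net/get-an-openid/what-is-openid/">OpenID</a> is a  
                                                 technology which enables you to sign in at different websites using the same  
                                                 identity.  Rather than having to remember usernames/passwords for all the  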
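--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/ctx_handler/saml_ctx_handler.py
@@ -312,9 +312,13 @@
             samlAuthzDecisionStatement.decision = _saml.DecisionType.PERMIT 
         
-        elif (xacmlResponse.results[0].decision ==  
-              _xacmlContext.result.Decision.INDETERMINATE): 
-            log.info("PDP returned a status of [%s] denying access for URI " 
-                     "path [%s]", _xacmlContext.result.Decision.INDETERMINATE, 
-                     samlAuthzDecisionQuery.resource)  
+        # Nb. Mapping XACML NotApplicable => SAML INDETERMINATE 
+        elif (xacmlResponse.results[0].decision in  
+              (_xacmlContext.result.Decision.INDETERMINATE, 
+               _xacmlContext.result.Decision.NOT_APPLICABLE)): 
+            log.info("PDP returned a status of [%s] for URI path [%s]; " 
+                     "mapping to SAML response [%s] ...",  
+                     xacmlResponse.results[0].decision, 
+                     samlAuthzDecisionQuery.resource, 
+                     _saml.DecisionType.INDETERMINATE)  
             
             samlAuthzDecisionStatement.decision = \ 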
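Review bot: The comment at new line 314 records the NotApplicable-to-INDETERMINATE mapping but not the reasoning, and since this branch decides how a "no policy applies" result reaches the PEP it is worth spelling out: `# XACML NotApplicable has no SAML equivalent; report it as INDETERMINATE so the PEP cannot read it as a grant`. Whether the PEP really treats INDETERMINATE as deny is not visible here and should be confirmed against the PEP filter before relying on it. Only `results[0]` is inspected at lines 315 and 320; if the PDP can return more than one result per query, a one-line comment on why the first is sufficient would help the next reader. The enclosing method starts and ends outside this hunk.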
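--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/xacml/pip/saml_pip.py
@@ -284,4 +284,7 @@
                                          'request context' % 
                                          self.subjectAttributeId) 
+        elif not subjectId: 
+            # Empty string 
+            return None 
         else: 
             # Keep a reference to the matching Subject instance 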
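Review bot: The new branch at line 286 returns None for an empty subject id without any trace, whereas the preceding branch (judging from the 'request context' message at 284-285) reports a missing attribute loudly; an empty subject id means the attribute authority is never queried and the decision is made with no subject attributes, so it deserves at least a debug line before the return, e.g. `log.debug("Empty %r subject attribute in request context; skipping attribute query", self.subjectAttributeId)`, assuming this module has a `log` logger like saml_ctx_handler.py. The comment `# Empty string` would be clearer as `# Subject id present but empty: nothing to query the attribute authority for`. The enclosing method starts and ends outside this hunk.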
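--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/policy.xml
@@ -136,6 +136,6 @@
                     DataType="http://www.w3.org/2001/XMLSchema#string"/> 
                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue> 
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue> 
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue> 
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue> 
                 </Apply> 
             </Apply> 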
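--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/__init__.py
@@ -88,5 +88,5 @@
 </html> 
 """ % (AuthZTestApp.header, 
-       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name)  
+       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, link)  
                  for link,name in self.method.items() if name != 'default']) 
        ) 
@@ -208,5 +208,5 @@
     <body> 
         <h1>Logged Out</h1> 
-        <p>Successfully redirected to specified return to UIR query argument  
+        <p>Successfully redirected to specified return to URI query argument  
         ndg.security.logout.r=%s following logout.   
         <a href="/">Return to tests</a></p> 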
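Review bot: After the change at line 90 the link text is the href itself and the `name` loop variable survives only in the `!= 'default'` filter on line 91, which reads like a copy-and-paste slip rather than a deliberate choice; if showing the path is intended, a comment above the join such as `# Show the path itself as link text; 'name' is only used to skip the default handler` would stop a later reader reverting it. The surrounding format-string statement starts before this hunk.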
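--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/attributeinterface.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/attributeinterface.py
@@ -27,13 +27,13 @@
         if userId.endswith("/openid/PhilipKershaw"): 
             return [ 
-                'urn:siteA:security:authz:1.0:attr:postdoc', 
-                'urn:siteA:security:authz:1.0:attr:staff',  
-                'urn:siteA:security:authz:1.0:attr:undergrad',  
-                'urn:siteA:security:authz:1.0:attr:coapec' 
+                'postdoc', 
+                'staff',  
+                'undergrad',  
+                'coapec' 
             ] 
         elif userId == 'test': 
             return [ 
-                'urn:siteA:security:authz:1.0:attr:staff',  
+                'staff',  
             ] 
         else: 
-            return ['urn:siteA:security:authz:1.0:attr:guest'] 
+            return ['guest'] 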
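--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/pip-mapping.txt
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/pip-mapping.txt
@@ -19,5 +19,5 @@
 
 # Entries are whitespace delimited <attribute id> <attribute authority> 
-urn:siteA:security:authz:1.0:attr https://localhost:5443/AttributeAuthority 
+urn:siteA:security:authz:1.0:attr https://localhost:7443/AttributeAuthority 
 myattributeid https://myattributeauthority.ac.uk/ 
 http://someotherattributeid.schema https://another.ac.uk/attributeservice/ 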
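--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/policy.xml
@@ -24,5 +24,5 @@
                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                         DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue> 
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/.*$</AttributeValue> 
                 </ResourceMatch> 
             </Resource> 
@@ -47,9 +47,9 @@
                 <Resource> 
                     <!-- Match the request URI --> 
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
                         <ResourceAttributeDesignator 
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_200</AttributeValue> 
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/(test_401|test_403|test_logoutWithReturn2QueryArg)?$</AttributeValue> 
                     </ResourceMatch> 
                 </Resource> 
@@ -58,8 +58,8 @@
     </Rule> 
 
-    <Rule RuleId="urn:ndg:security:underlying-app-denies-access-uri" Effect="Permit"> 
+    <Rule RuleId="urn:ndg:security:access-denied-for-testuser-uri" Effect="Permit"> 
         <!--  
-            Define URIs which this policy permits but for which the underlying 
-            app returns 40x HTTP response 
+            Demonstrate a URI secured with an attribute which the test user  
+            doesn't have  
         --> 
         <Target> 
@@ -71,8 +71,18 @@
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_40[13]</AttributeValue> 
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost:7080/test_accessDeniedToSecuredURI</AttributeValue> 
                     </ResourceMatch> 
                 </Resource> 
             </Resources> 
+            <Subjects> 
+                <Subject> 
+                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
+                        <SubjectAttributeDesignator  
+                            AttributeId="urn:siteA:security:authz:1.0:attr"  
+                            DataType="http://www.w3.org/2001/XMLSchema#string"/> 
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">special-privileges</AttributeValue> 
+                    </SubjectMatch> 
+                </Subject> 
+            </Subjects> 
         </Target> 
     </Rule> 
@@ -86,10 +96,10 @@
             <Resources> 
                 <Resource> 
-                    <!-- Pattern match the request URI --> 
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match"> 
+                    <!-- Match 'test_securedURI' --> 
+                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
                         <ResourceAttributeDesignator 
                             AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
                             DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue> 
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost:7080/test_securedURI</AttributeValue> 
                     </ResourceMatch> 
                 </Resource> 
@@ -117,57 +127,3 @@
         </Condition> 
     </Rule> 
-    <Rule RuleId="Test Access Granted to secured URI Rule" Effect="Permit"> 
-        <Target> 
-            <Resources> 
-                <Resource> 
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
-                        <ResourceAttributeDesignator 
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI</AttributeValue> 
-                    </ResourceMatch> 
-                </Resource> 
-            </Resources> 
-        </Target> 
-        <Condition> 
-            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> 
-                <SubjectAttributeDesignator  
-                    AttributeId="urn:siteA:security:authz:1.0:attr"  
-                    DataType="http://www.w3.org/2001/XMLSchema#string"/> 
-                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:staff</AttributeValue> 
-                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:postdoc</AttributeValue> 
-                </Apply> 
-            </Apply> 
-        </Condition> 
-    </Rule> 
-    <Rule RuleId="Access Granted to secured URI Rule modified for special admin query argument" Effect="Permit"> 
-        <!--  
-            This rule is a modified version of the above to allow for a real use 
-            case where adding a special query argument grants extra privileges 
-            associated with an administrator 
-        --> 
-        <Target> 
-            <Resources> 
-                <Resource> 
-                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"> 
-                        <ResourceAttributeDesignator 
-                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
-                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/> 
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://localhost/test_accessGrantedToSecuredURI?admin=1</AttributeValue> 
-                    </ResourceMatch> 
-                </Resource> 
-            </Resources> 
-            <Subjects> 
-                <Subject> 
-                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
-                        <SubjectAttributeDesignator  
-                            AttributeId="urn:siteA:security:authz:1.0:attr"  
-                            DataType="http://www.w3.org/2001/XMLSchema#string"/> 
-                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:siteA:security:authz:1.0:attr:admin</AttributeValue> 
-                    </SubjectMatch> 
-                </Subject> 
-            </Subjects> 
-        </Target> 
-    </Rule> 
 </Policy> 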
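Review bot: The regexp at new line 73, `^http://localhost:7080/test_accessDeniedToSecuredURI`, has no closing `$` anchor, unlike every other anyURI-regexp-match value in this file, so the resource target of this Permit rule also matches any URI that merely starts with that path (a longer path or one carrying a query string); it should read `^http://localhost:7080/test_accessDeniedToSecuredURI$`. At new line 53 the trailing `?` makes the whole alternation optional, so that rule also matches the bare `http://localhost:7080/` root; if the root is meant to be permitted the comment at line 48 should say so rather than leaving it to be inferred from the regexp. Hard-coding the port into every pattern ties the policy to this test deployment, so a comment at the top of the file noting that the patterns must be kept in step with the test app's mount point would help whoever next changes securedapp.ini.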
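--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
@@ -30,5 +30,5 @@
 pipeline = BeakerSessionFilter  
                    AuthenticationFilter  
-                   PolicyEnforcementPointFilter  
+                   AuthorisationFilter  
                    AuthZTestApp 
 
@@ -82,9 +82,15 @@
 
 # 
-# Policy Enforcement Point enforces access control decisions made by the  
-# Authorisation Service  
-[filter:PolicyEnforcementPointFilter] 
-paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepFilter.filter_app_factory 
-prefix = pep. 
+# Authorisation filter contains a Policy Enforcement Point which enforces access 
+# control decisions made by the Authorisation Service  
+[filter:AuthorisationFilter] 
+paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory 
+
+# Result handler handles the response for HTTP 403 responses set by the  
+# application or the PEP. 
+resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware 
+resultHandler.staticContentDir = %(here)s/pep_result_handler 
+
+# Settings for the PEP (Policy Enforcement Point) 
 pep.sessionKey = beaker.session.ndg.security 
 pep.authzServiceURI = https://localhost:7443/AuthorisationService 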
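Review bot: The replacement section at new lines 86-87 drops the `prefix = pep.` setting the old PolicyEnforcementPointFilter section carried, while the `pep.sessionKey` and `pep.authzServiceURI` keys at 95-96 are kept; unless AuthorisationFilter.filter_app_factory hard-codes that prefix (not visible here), those PEP settings will be ignored silently and the PEP will run with its defaults, which for an authorisation service URI is the kind of misconfiguration that surfaces only as a failing decision. Please confirm how the prefix is resolved and record it in the comment at line 94, e.g. `# Settings for the PEP (Policy Enforcement Point); AuthorisationFilter reads keys with the 'pep.' prefix`. The same question applies to the `resultHandler.` keys at 91-92.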
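--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
@@ -375,5 +375,5 @@
 saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML 
 
-saml.soapbinding.pathMatchList = /AttributeAuthority 
+saml.soapbinding.mountPath = /AttributeAuthority 
 saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s 
 
@@ -404,5 +404,5 @@
 
 # Sets the identity of THIS authorisation service when filling in SAML responses 
-saml.issuerName = /O=Test/OU=Authorisation Service 
+saml.issuerName = /O=Site A/CN=Authorisation Service 
 saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 
 
@@ -426,6 +426,6 @@
 # 
 # XACML Context handler manages PEP (Policy Information Point) requests and the  
-# PDP's (Policy Decison Point's) interface to the PIP (Policy Information Point) 
-#  
+# PDP's (Policy Decision Point's) interface to the PIP (Policy Information  
+# Point) 
 
 # XACML Policy file 
@@ -434,5 +434,5 @@
 # Settings for SAML authorisation decision response to a Policy Enforcement Point 
 # making a decision query 
-authz.ctx_handler.issuerName = O=NDG, OU=Security, CN=localhost 
+authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service 
 authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 
 authz.ctx_handler.assertionLifetime = 86400 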
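Review bot: The comment rewritten at new lines 428-429 still sits under context line 427, which expands PEP as 'Policy Information Point'; PEP is the Policy Enforcement Point, and with the PIP now named correctly on the next line the two are contradictory, so line 427 should read `# XACML Context handler manages PEP (Policy Enforcement Point) requests and the `. The rename at line 377 from `pathMatchList` to `mountPath` changes the setting key; if the old key is no longer read, a comment such as `# (replaces the former pathMatchList setting)` would save anyone copying an older ini from a binding that silently fails to mount. Lines 406 and 436 now give the authorisation service and the context handler the same issuer DN, which is sensible for the x509SubjectName format; a one-line comment that the two must agree if the PEP checks the issuer would make the coupling explicit.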
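--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/__init__.py
@@ -120,10 +120,10 @@
 
     ATTRIBUTE_VALUES = ( 
-        'urn:siteA:security:authz:1.0:attr:postdoc', 
-        'urn:siteA:security:authz:1.0:attr:staff',  
-        'urn:siteA:security:authz:1.0:attr:undergrad',  
-        'urn:siteA:security:authz:1.0:attr:coapec', 
-        'urn:siteA:security:authz:1.0:attr:rapid', 
-        'urn:siteA:security:authz:1.0:attr:admin' 
+        'postdoc', 
+        'staff',  
+        'undergrad',  
+        'coapec', 
+        'rapid', 
+        'admin' 
     ) 
     N_ATTRIBUTE_VALUES = len(ATTRIBUTE_VALUES) 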
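--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.0.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.0.xml
@@ -6,5 +6,5 @@
         <URIPattern>^/test_securedURI*$</URIPattern> 
         <Attributes> 
-            <Attribute>urn:siteA:security:authz:1.0:attr:staff</Attribute> 
+            <Attribute>staff</Attribute> 
         </Attributes> 
         <AttributeAuthority> 
@@ -15,6 +15,6 @@
         <URIPattern>^/test_accessDeniedToSecuredURI$</URIPattern> 
         <Attributes> 
-            <Attribute>urn:siteA:security:authz:1.0:attr:forbidden</Attribute> 
-            <Attribute>urn:siteA:security:authz:1.0:attr:keepout</Attribute> 
+            <Attribute>forbidden</Attribute> 
+            <Attribute>keepout</Attribute> 
         </Attributes> 
         <AttributeAuthority> 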
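--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/authz/msi/policy-1.1.xml
@@ -7,5 +7,5 @@
         <Attributes> 
             <Attribute> 
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name> 
+                <Name>staff</Name> 
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
             </Attribute> 
@@ -16,9 +16,9 @@
         <Attributes> 
             <Attribute> 
-                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name> 
+                <Name>forbidden</Name> 
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
             </Attribute> 
             <Attribute> 
-                <Name>urn:siteA:security:authz:1.0:attr:keepout</Name> 
+                <Name>keepout</Name> 
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
             </Attribute> 
@@ -30,5 +30,5 @@
         <Attributes> 
             <Attribute> 
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name> 
+                <Name>staff</Name> 
                 <AttributeAuthorityURI>http://localhost:7443/AttributeAuthority</AttributeAuthorityURI> 
             </Attribute> 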
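--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/saml-policy.xml
@@ -7,5 +7,5 @@
         <Attributes> 
             <Attribute> 
-                <Name>urn:siteA:security:authz:1.0:attr:staff</Name> 
+                <Name>staff</Name> 
                 <!-- Endpoint is for SOAP/SAML based ESG Interface --> 
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI> 
@@ -17,5 +17,5 @@
         <Attributes> 
             <Attribute> 
-                <Name>urn:siteA:security:authz:1.0:attr:forbidden</Name> 
+                <Name>forbidden</Name> 
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI> 
             </Attribute> 
@@ -34,5 +34,5 @@
         <Attributes> 
             <Attribute> 
-                <Name>urn:siteA:security:authz:1.0:attr:admin</Name> 
+                <Name>admin</Name> 
                 <AttributeAuthorityURI>https://localhost:5443/AttributeAuthority</AttributeAuthorityURI> 
             </Attribute> 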
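--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/saml/policy.xml
@@ -56,5 +56,5 @@
             
             The user must have at least one of the roles set - in this 
-            case 'urn:siteA:security:authz:1.0:attr:staff' 
+            case 'staff' 
         --> 
         <Condition> 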