Timestamp:
25/08/10 11:03:04 (10 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • working caching with ndg.security.test.integration.full_system integration test. Caching works at the app, caching authz decisions but also at the PIP inside the authorisation service, caching Attribute Authority query results.
  • TODO: make PEP use two stage PDP, first lightweight PDP filters out CSS and graphics requests to avoid overhead of network call to the authorisation service, second stage is callout to authorisation service as already in place.
File:
1 edited

  • TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/authz/pep.py

    r7359 r7361  
    202202        # Check for cached decision 
    203203        if self.cacheDecisions: 
    204             cachedAssertion = self._retrieveAuthzDecision(request.url) 
     204            assertions = self._retrieveCachedAssertions(request.url) 
    205205        else: 
    206             cachedAssertion = None    
    207              
    208         if cachedAssertion is not None: 
    209             assertions = (cachedAssertion,) 
    210         else:  
     206            assertions = None   
     207              
     208        noCachedAssertion = assertions is None or len(assertions) == 0 
     209        if noCachedAssertion: 
    211210            # No stored decision in cache, invoke the authorisation service    
    212211            self.client.resourceURI = request.url 
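
Review bot: at new lines 208-209, any non-empty result from `_retrieveCachedAssertions(request.url)` skips the call to the authorisation service, and nothing in the visible lines checks that the cached assertions are still within their validity period before they stand in for a fresh decision. If the wallet already drops expired entries, a comment here saying so would make that dependency explicit; if it does not, add the check before treating the result as a cache hit, otherwise a stale decision stays in force for as long as the session does. The test on line 208 can also be written as `noCachedAssertion = not assertions`, which covers both None and an empty sequence.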
     
    260259            return response(environ, start_response)      
    261260                
    262         if self.cacheDecisions: 
    263             self._cacheAuthzDecision(request.url, [assertion]) 
     261        # Cache assertion if flag is set and it's one that's been freshly  
     262        # obtained from an authorisation decision query rather than one  
     263        # retrieved from the cache 
     264        if self.cacheDecisions and noCachedAssertion: 
     265            self._cacheAssertions(request.url, [assertion]) 
    264266             
    265267        # If got through to here then all is well, call next WSGI middleware/app 
    266268        return self._app(environ, start_response) 
    267269 
    268     def _retrieveAuthzDecision(self, resourceId): 
    269         """Return assertion containing authorisation decision for the given 
     270    def _retrieveCachedAssertions(self, resourceId): 
     271        """Return assertions containing authorisation decision for the given 
    270272        resource ID. 
    271273         
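
Review bot: the docstring at new lines 271-272 was updated to the plural but still does not say what the caller gets on a cache miss, while the caller at line 208 has to handle both None and an empty sequence. State the return contract in the docstring, or normalise misses to one of the two so the caller needs a single test. The comment at lines 261-263 explains why cache hits are not written back; since line 259 returns a response before the write is reached, it would help to say there which decisions can arrive at `_cacheAssertions` at all.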
     
    280282        walletKeyName = self.__class__.CREDENTIAL_WALLET_SESSION_KEYNAME 
    281283        credWallet = self.session.get(walletKeyName) 
     284        if credWallet is None: 
     285            return None 
    282286         
    283287        # Wallet has a dictionary of credential objects keyed by resource ID 
    284         credentials = getattr(credWallet, 'credentials', {}) 
    285          
    286         # Retrieve assertion from Credential object 
    287         assertion = getattr(credentials.get(resourceId), 'credential', None) 
    288         return assertion 
    289          
    290          
    291     def _cacheAuthzDecision(self, resourceId, assertions): 
     288        return credWallet.retrieveCredentials(resourceId) 
     289         
     290    def _cacheAssertions(self, resourceId, assertions): 
    292291        """Cache an authorisation decision from a response retrieved from the  
    293292        authorisation service.  This is invoked only if cacheDecisions boolean 
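
Review bot: line 288 returns the result of `credWallet.retrieveCredentials(resourceId)` unchanged, whereas the removed lines 284-287 looked up the stored object and unwrapped its `credential` attribute, so the caller, which names the result `assertions`, now depends on retrieveCredentials handing back the assertions themselves rather than wrapper objects. Confirm that, and document it in the docstring. The comment kept at line 287 ("Wallet has a dictionary of credential objects keyed by resource ID") describes the dictionary access that was removed and should be updated or dropped. The new early return at lines 284-285 also means this method yields None when the session has no wallet; worth a line in the docstring.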