Shibboleth Developers

[Nathan Dors <>]

> > Have you considered extending the IIS implementation of
> > XMLAccessControl to read the ACL on a per-directory basis?
>
> I think you mean "load the ACL from the directory", in which case my answer
> is that it already supports that, in that you can externalize a pointer to
> an ACL file anywhere in the file system that you want. But it requires an
> explicit path pointer to avoid the need to actually know the URL->physical
> path mapping. I have no idea how to do that in IIS, and not much interest in
> learning.

Our Windows/IIS admins would like delegate maintenance of ACLs to 
app owners and development teams. Therefore an explicit path 
pointer, configured at initial set-up time, would be a significant 
win for them.

> I think static access control is rarely useful in a system like this. You
> need graceful failure modes because attributes can be suppressed or just
> fail to show up, and static rules preclude that. I think this encourages a
> lot of fragile systems.

Yeah, the user is either in or not, but in some cases two shades 
is all you need and graceful failure might not be necessary for 
folks outside your ACL.

-Nathan