shibboleth-dev - RE: SHIB design call -- (2/27/2006) , 3:00 pm est, noon pst

  • From: Nathan Dors <>
  • To:
  • Subject: RE: SHIB design call -- (2/27/2006) , 3:00 pm est, noon pst
  • Date: Mon, 27 Feb 2006 14:32:14 -0800 (PST)

>> Have you considered extending the IIS implementation of
>> XMLAccessControl to read the ACL on a per-directory basis?

> I think you mean "load the ACL from the directory", in which case my answer
> is that it already supports that, in that you can externalize a pointer to
> an ACL file anywhere in the file system that you want. But it requires an
> explicit path pointer to avoid the need to actually know the URL->physical
> path mapping. I have no idea how to do that in IIS, and not much interest in
> learning.

Our Windows/IIS admins would like to delegate maintenance of ACLs to app owners and development teams. Therefore an explicit path pointer, configured at initial set-up time, would be a significant win for them.

> I think static access control is rarely useful in a system like this. You
> need graceful failure modes because attributes can be suppressed or just
> fail to show up, and static rules preclude that. I think this encourages a
> lot of fragile systems.

Yeah, the user is either in or not, but in some cases two shades is all you need and graceful failure might not be necessary for folks outside your ACL.

-Nathan
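As an added illustration of the "explicit path pointer" and the inline-versus-external ACL distinction discussed in this thread (example configuration, not code from the thread or from the Shibboleth project): the RequestMap syntax below is that of a later Shibboleth SP 2.x release, not the 1.3-era SP the thread is about, and the host name, paths, file locations and attribute values are hypothetical.

```xml
<!-- Fragment of shibboleth2.xml (hypothetical host and paths; SP 2.x syntax assumed). -->
<RequestMapper type="Native">
  <RequestMap applicationId="default">
    <Host name="app.example.edu" authType="shibboleth" requireSession="true">

      <!-- Static, inline rule: lives in the SP's own configuration,
           so only the SP admin can change it. -->
      <Path name="members">
        <AccessControl>
          <Rule require="affiliation">member</Rule>
        </AccessControl>
      </Path>

      <!-- Delegated rule set: an explicit filesystem path, so the SP never
           needs to know how the web server maps /admin to a physical directory. -->
      <Path name="admin" acl="/etc/shibboleth/acl/admin.xml"/>
    </Host>
  </RequestMap>
</RequestMapper>

<!-- Contents of the hypothetical /etc/shibboleth/acl/admin.xml, maintained by
     the application team rather than the SP admin. The OR gives the ruleset a
     fallback: if the IdP suppresses the entitlement attribute, a named user
     can still be admitted instead of everyone being locked out. -->
<AccessControl xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <OR>
    <Rule require="entitlement">urn:mace:example.edu:app:admin</Rule>
    <Rule require="eppn">alice@example.edu</Rule>
  </OR>
</AccessControl>
```

Whoever can write the external ACL file decides who gets into that path, and the SP reads it with its own service-account privileges, so delegating the file to an app team moves that file's permissions into the trust boundary: give the team write access to the ACL file only, not to the SP configuration that points at it.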



