
shibboleth-dev - Re: Negated require rules?

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To:
  • Subject: Re: Negated require rules?
  • Date: Thu, 25 Oct 2007 14:20:36 -0700 (PDT)


We have a local module that allows algebraic combinations of booleans,
and, or, not, grouping. The "not" was included just because it was
easy. Don't know if anyone's ever used it.

Jim

On Thu, 25 Oct 2007, Scott Cantor wrote:

Date: Thu, 25 Oct 2007 16:16:18 -0400
From: Scott Cantor
Subject: Negated require rules?

I'm going through old bugs and requests so I can close out feature
development, and I ran into one I'm not sure whether to implement or not.

https://bugs.internet2.edu/jira/browse/SSPCPP-48

I'm going to redo the htaccess logic anyway, because it's horrible to read,
and it's inefficient anyway, but adding negation concerns me. I can do it,
the other ACL plugin already supports the idea, but when I started thinking
about how to deal with null/missing data, I realized that this is
potentially dangerous to rely on.

Basically, saying that the presence of a value triggers a denial of access
is very dependent on attribute release never falling into the user's hands.
If I can gain access simply by refusing the release of some of my
attributes, obviously I will.

So even though I supported NOT rules in my XML plugin, I'm not so sure this
is a good thing to add to htaccess. It's also very confusing when you
combine it with ShibRequireAll and that whole mess. I'm thinking this might
be better left alone.

Thoughts?

-- Scott
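
The missing-data concern raised in this thread, as an added illustration (not code from Shibboleth or from either poster): a small and/or/not rule evaluator in which a two-valued reading of NOT grants access once the user withholds the attribute, next to a three-valued reading that treats an unreleased attribute as unknown and denies. The rule shape and the attribute names and values are hypothetical.

```python
# Added example; rule format and attribute names are hypothetical.
# Rules are nested tuples:
#   ("has", attr, value) | ("not", rule) | ("and", rule, ...) | ("or", rule, ...)

def eval_naive(rule, attrs):
    """Two-valued: a missing attribute simply counts as 'no match'."""
    op = rule[0]
    if op == "has":
        return rule[2] in attrs.get(rule[1], ())
    if op == "not":
        return not eval_naive(rule[1], attrs)
    results = [eval_naive(r, attrs) for r in rule[1:]]
    return all(results) if op == "and" else any(results)

def eval_strict(rule, attrs):
    """Three-valued (Kleene): True, False, or None when the answer is unknown."""
    op = rule[0]
    if op == "has":
        if rule[1] not in attrs:
            return None  # attribute was not released, so nothing can be concluded
        return rule[2] in attrs[rule[1]]
    if op == "not":
        inner = eval_strict(rule[1], attrs)
        return None if inner is None else not inner
    results = [eval_strict(r, attrs) for r in rule[1:]]
    decided, default = (False, True) if op == "and" else (True, False)
    if decided in results:
        return decided  # one False settles AND, one True settles OR
    return None if None in results else default

def allow(rule, attrs, evaluator):
    """Grant only on a definite True; unknown is treated as a denial."""
    return evaluator(rule, attrs) is True

# Constructed policy: members are admitted unless flagged as suspended.
RULE = ("and", ("has", "affiliation", "member"),
               ("not", ("has", "entitlement", "suspended")))

# Constructed attribute sets for the same suspended user.
RELEASED = {"affiliation": ["member"], "entitlement": ["suspended"]}
WITHHELD = {"affiliation": ["member"]}  # user refused to release entitlement
CLEAN = {"affiliation": ["member"], "entitlement": ["library"]}

if __name__ == "__main__":
    for name, attrs in (("released", RELEASED), ("withheld", WITHHELD), ("clean", CLEAN)):
        print(name, allow(RULE, attrs, eval_naive), allow(RULE, attrs, eval_strict))
```

Under the strict evaluator a user who legitimately has no values for the negated attribute is denied as well, which is the cost of failing closed.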





