Shibboleth Developers

[Jim Fox <>]

We have a local module that allows algebraic combinations of booleans,
and, or, not, grouping.  The "not" was included just because it was
easy.  Don't know if anyone's ever used it.

Jim

On Thu, 25 Oct 2007, Scott Cantor wrote:

> Date: Thu, 25 Oct 2007 16:16:18 -0400
> From: Scott Cantor 
> <>
> To: 
>
> Reply-To: 
>
> Subject: Negated require rules?
>
> I'm going through old bugs and requests so I can close out feature
> development, and I ran into one I'm not sure whether to implement or not.
>
> https://bugs.internet2.edu/jira/browse/SSPCPP-48
>
> I'm going to redo the htaccess logic anyway, because it's horrible to read,
> and it's inefficient anyway, but adding negation concerns me. I can do it,
> the other ACL plugin already supports the idea, but when I started thinking
> about how to deal with null/missing data, I realized that this is
> potentially dangerous to rely on.
>
> Basically, saying that the presence of a value triggers a denial of access
> is very dependent on attribute release never falling into the user's hands.
> If I can gain access simply by refusing the release of some of my
> attributes, obviously I will.
>
> So even though I supported NOT rules in my XML plugin, I'm not so sure this
> is a good thing to add to htaccess. It's also very confusing when you
> combine it with ShibRequireAll and that whole mess. I'm thinking this might
> be better left alone.
>
> Thoughts?
>
> -- Scott