The <AccessControl> element is the root of an XML-based access control policy that prevents access to a resource unless the user's session satisfies the policy. It is a simple, boolean-capable language, provided as an example of how to implement an access control plugin.
Any one (and only one) of the following elements can appear:

| Name | Cardinality | Description |
|---|---|---|
| <Rule> | Exactly one (of the elements listed in this table) | A single access rule to enforce. |
| | | A single regular expression access rule to enforce. |
| <OR> | | An operator for combining any number of rules or operators with a disjunction. |
| <AND> | | An operator for combining any number of rules or operators with a conjunction. |
| <NOT> | | An operator for reversing the meaning of a single rule or operator. |
The basic example below enforces a policy that the user has logged in and that the session carries the SAML authentication context class for a time-synchronized hardware token:
```xml
<!-- Inside surrounding RequestMap... -->
<Path name="secure">
	<AccessControl>
		<Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule>
	</AccessControl>
</Path>
```
The more complex example below enforces a policy that allows only Ohio State faculty or students, other than a single blacklisted user, and only if they authenticated with a password or a time-synchronized token. Note that the affiliation and user rules can only be satisfied if those attributes are actually present in the session; a rule whose attribute is missing does not match, so the policy fails closed.
```xml
<!-- Inside surrounding RequestMap... -->
<Path name="secure">
	<AccessControl>
		<AND>
			<Rule require="affiliation">faculty@osu.edu student@osu.edu</Rule>
			<NOT>
				<Rule require="user">cantor.2@osu.edu</Rule>
			</NOT>
			<OR>
				<Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule>
				<Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule>
			</OR>
		</AND>
	</AccessControl>
</Path>
```
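To make the boolean semantics of <Rule>, <AND>, <OR> and <NOT> concrete, here is a small stand-alone evaluator written for this page. It is an added illustration, not the Shibboleth SP plugin's own code. It assumes a session is a dict mapping attribute names (affiliation, user, authnContextClassRef) to lists of string values, and it treats the whitespace-separated values inside a <Rule>, as in the affiliation rule above, as alternatives (the rule matches if any one of them is present). The regular-expression rule element is not handled. The policy embedded below is the page's second example; the sessions in the usage lines are constructed test data.

```python
import xml.etree.ElementTree as ET

# The page's second example policy (the <Path> wrapper is omitted for brevity).
POLICY_XML = """
<AccessControl>
  <AND>
    <Rule require="affiliation">faculty@osu.edu student@osu.edu</Rule>
    <NOT>
      <Rule require="user">cantor.2@osu.edu</Rule>
    </NOT>
    <OR>
      <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule>
      <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule>
    </OR>
  </AND>
</AccessControl>
"""


def evaluate(node, session):
    """Return True if `session` (dict: attribute name -> list of values)
    satisfies the policy subtree rooted at `node`.

    Anything the evaluator does not understand raises ValueError rather than
    returning True, so a malformed policy denies access instead of granting it."""
    tag = node.tag
    if tag == "AccessControl":
        children = list(node)
        if len(children) != 1:
            raise ValueError("AccessControl must contain exactly one child element")
        return evaluate(children[0], session)
    if tag == "Rule":
        attr = node.get("require")
        if attr is None:
            raise ValueError("Rule is missing its 'require' attribute")
        # Assumption of this evaluator: whitespace-separated values are alternatives.
        wanted = (node.text or "").split()
        have = session.get(attr, [])   # a missing attribute matches nothing
        return any(value in have for value in wanted)
    if tag in ("AND", "OR"):
        children = list(node)
        if not children:
            # all([]) would be True for an empty <AND/>; refuse to fail open.
            raise ValueError(f"<{tag}> must contain at least one rule or operator")
        combine = all if tag == "AND" else any
        return combine(evaluate(child, session) for child in children)
    if tag == "NOT":
        children = list(node)
        if len(children) != 1:
            raise ValueError("NOT takes exactly one rule or operator")
        return not evaluate(children[0], session)
    raise ValueError(f"unsupported element <{tag}>")


def check_access(policy_xml, session):
    """Parse an AccessControl document and evaluate it against a session."""
    return evaluate(ET.fromstring(policy_xml.strip()), session)


# Constructed sessions for the usage below (hypothetical users, not real accounts).
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
FACULTY_PW = {"affiliation": ["faculty@osu.edu"], "user": ["alice.1@osu.edu"],
              "authnContextClassRef": [PASSWORD]}
BLACKLISTED = {"affiliation": ["faculty@osu.edu"], "user": ["cantor.2@osu.edu"],
               "authnContextClassRef": [PASSWORD]}
STUDENT_KRB = {"affiliation": ["student@osu.edu"], "user": ["bob.2@osu.edu"],
               "authnContextClassRef": ["urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"]}
NO_AFFILIATION = {"user": ["carol.3@osu.edu"], "authnContextClassRef": [PASSWORD]}

if __name__ == "__main__":
    for name, session in [("faculty+password", FACULTY_PW), ("blacklisted", BLACKLISTED),
                          ("student+kerberos", STUDENT_KRB), ("no affiliation", NO_AFFILIATION)]:
        print(f"{name}: {'allow' if check_access(POLICY_XML, session) else 'deny'}")
```

The evaluator deliberately raises on empty operators and unknown elements: a policy engine that silently treats an empty <AND/> as true, or skips a misspelled element, turns a configuration typo into an authorization bypass.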