Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

This is a cross-platform (any web server) plugin that allows AccessControl to be applied by attaching XML-based rules directly within the XML-based RequestMap syntax in Shibboleth.xml. The plugin was added in release 1.3*b* 3b of the ServiceProvider software.

There are two different methods to define the ! AuthZ rules. One of them can be used to delegate the management of access control rules \ (carefully consider the dangers in doing so!). Changes to the rules are applied in the same way as changes to the general Shibboleth.xml file, so you don't need to restart the webserver.

...

AuthZ rules inline in Shibboleth.xml

Insert an <AccessControl> element as the first child of a <Host> or <Path> element in the RequestMap, which applies to all requests at or below that point of the web site.

A simple inline example:

Code Block
xml
xml

<!-- ... -->
<Host name="sp.example.org">
	

...

<Path name="secure" authType="shibboleth" requireSession="true">
		

...

<AccessControl>

...

			<AND>
				

...

<OR>

...

					

...

<Rule require="affiliation">member@osu.edu</Rule>

...

					

...

<Rule require="affiliation">member@psu.edu</Rule>

...

				

...

</OR>

...

				

...

<Rule require="entitlement">urn:mace:example.edu:exampleEntitlement</Rule>

...

			</AND>
		

...

</AccessControl>
	

...

</Path>
</Host>
<!-- ... -->

In English, this means "requests for resources in the secure folder on the virtual host named sp.example.org on ports 80 and 443 are granted only to members of the Ohio State or Penn State communities who also posssess the entitlement "urn:mace:example.edu:exampleEntitlement".

The example plugin syntax supports AND and OR operators that can contain any number of children, and a NOT operator that negates a single child rule (which could itself be a rule or a nested operator).

...

AuthZ rules in an external XML file

Insert an <AccessControlProvider> element as the first child of a <Host> or <Path> element in the RequestMap, which applies to all requests at or below that point of the web site. The type attribute must be set to edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl and a uri attribute points to an external file containing the <AccessControl> element.

...

Here, the policy is placed in a hidden file in a public directory much like a .htaccess file. The web server should be configured to deny PUBLIC access to it if the policy were secret (note: the webserver itself has to be able to read it). The syntax in Shibboleth.xml looks like:

Code Block
xml
xml

<!-- ... -->
<Host name="sp.example.org">
	

...

<Path name="secure" authType="shibboleth" requireSession="true">
		

...

<AccessControlProvider uri="/var/www/secure/.shibacl.xml" 

...

type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl"/>
	

...

</Path>
</Host>
<!-- ... -->

The syntax in .shibacl.xml looks like (similar to inline but note the required xml namespace definition):

Code Block
xml
xml

<?xml version="1.0" encoding="UTF-8"?>
<AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
	

...

<AND>
		

...

<OR>

...

			<Rule require="affiliation">member@osu.edu</Rule>

...

			<Rule require="affiliation">member@psu.edu</Rule>
		

...

</OR>
		

...

<Rule require="entitlement">urn:mace:example.edu:exampleEntitlement</Rule>
	

...

</AND>
</AccessControl>

Do not forget to configure the webserver to not disclose this file since it will most likely contain some private information.