The <AccessControl>
element is the root of an XML-based access control policy that prevents access to a resource unless the user's session satisfies the policy. It's a simple, boolean-capable language provided as an example of how to implement an access control plugin.
Child Elements
Any one (and only one) of the following elements can appear:
Name | Cardinality | Description |
---|---|---|
<Rule> | A single access rule to enforce. | |
A single regular expression access rule to enforce. | ||
<OR> | Exactly one | An operator for combining any number of rules or operators with a disjunction. |
<AND> | An operator for combining any number of rules or operators with a conjunction. | |
<NOT> | An operator for reversing the meaning of a single rule or operator. |
Examples
The basic example below would enforce a policy that the user logged in and supplied a SAML authn context class for a hardware token:
Code Block | ||
---|---|---|
| ||
<!-- Inside surrounding RequestMap... --> <Path name="secure"> <AccessControl> <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule> </AccessControl> </Path> |
The more complex example below would enforce a policy that allows only Ohio State faculty or students, other than a single blacklisted person, if they have authenticated with a password or a time-synchronized token.
Code Block | ||
---|---|---|
| ||
<!-- Inside surrounding RequestMap... --> <Path name="secure"> <AccessControl> <AND> <Rule require="affiliation">faculty@osu.edu student@osu.edu</Rule> <NOT> <Rule require="user">cantor.2@osu.edu</Rule> </NOT> <OR> <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule> <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</Rule> </OR> </AND> </AccessControl> </Path> |