This page will be used to design a WebAccessControl Authorization Delegate.
Link: <acl-uri>; rel=meta
acl:Control and acl:Append modes
acl:include
See this comment below for more information on this removal.
1. Use ACL that directly references target resource, if exists, else
   If multiple ACLs apply to a given target resource, the most permissive is used.
2. Use ACL from configured location that has policy for target resource class, if exists, else
   If multiple ACLs apply to a given class, the most permissive is used.
   accessToClass statements in ACLs not in the configured location are ignored.
3. Recursively follow steps 1 and 2 for parent resource that ldp:contains target resource, if exists, else
4. Deny access
1. Use policy that specifies requesting userId, if exists, else
2. Use policy that specifies requesting groupId, if exists, else
   Note, if multiple requesting groupIds have policies, use the one that grants the most access.
3. Deny access
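The ACL lookup and the policy selection described above, combined in an added Python example (not Fedora code). The function names, the dict layout, the `configured` flag and the sample data are constructed, and "most permissive" is assumed to mean the grant with the most modes.

```python
# Added example: names and sample data are constructed, not Fedora's API.
R, W = "acl:Read", "acl:Write"

def policy_modes(policies, user, groups):
    """Pick a policy inside one ACL: userId first, then groupId, else deny."""
    by_user = [p["modes"] for p in policies if user in p.get("agents", ())]
    if by_user:  # a userId policy wins even if a group would grant more
        return max(by_user, key=len)
    by_group = [p["modes"] for p in policies if groups & set(p.get("groups", ()))]
    # several matching groups: use the one that grants the most access
    return max(by_group, key=len, default=frozenset())

def effective_modes(path, user, groups, acls, resources):
    """Find the ACL governing `path` and return the modes it grants."""
    while path is not None:
        res = resources[path]
        # Step 1: ACLs that directly reference the target resource.
        hits = [a for a in acls if a.get("accessTo") == path]
        if not hits:
            # Step 2: class ACLs, honoured only from the configured location.
            hits = [a for a in acls if a.get("configured")
                    and a.get("accessToClass") in res["classes"]]
        if hits:  # several ACLs apply: the most permissive is used
            return max((policy_modes(a["policies"], user, groups) for a in hits),
                       key=len)
        path = res["parent"]  # Step 3: repeat for the ldp:contains parent
    return frozenset()        # Step 4: deny access

RESOURCES = {  # constructed containment tree with resource classes
    "/":             {"parent": None,       "classes": set()},
    "/col":          {"parent": "/",        "classes": {"ex:Collection"}},
    "/col/obj":      {"parent": "/col",     "classes": {"ex:Image"}},
    "/col/obj/file": {"parent": "/col/obj", "classes": set()},
    "/draft":        {"parent": "/",        "classes": {"ex:Draft"}},
}
ACLS = [  # constructed ACLs; the last one sits outside the configured location
    {"accessTo": "/col", "policies": [
        {"agents": {"alice"}, "modes": frozenset({R})},
        {"groups": {"staff"}, "modes": frozenset({R})},
        {"groups": {"editors"}, "modes": frozenset({R, W})}]},
    {"accessToClass": "ex:Image", "configured": True, "policies": [
        {"groups": {"staff"}, "modes": frozenset({R})}]},
    {"accessToClass": "ex:Draft", "configured": False, "policies": [
        {"agents": {"mallory"}, "modes": frozenset({R, W})}]},
]
```

Two consequences of the ordering are worth noticing: a userId policy caps a user even when one of their groups would grant more, and the nearest applicable ACL ends the search, so a class ACL on `/col/obj` that does not name a user denies them even though the ACL on `/col` would have granted access.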
[NOTE: This section has been stricken because it is not germane to the specific effort to develop a WebACL authorization delegate; the authentication considerations described below need to be part of the larger configuration of the ways Fedora and the web server interact, but that is a separate issue.]
Fedora 4 always assumes that any incoming request has always been authenticated by the container (or other layers above it in the stack). Therefore, these considerations may not be central to the design of a new authorization delegate; however, I (peichman) do believe they represent an important part of setting up a Fedora instance (beyond just the core servlet code) and should be addressed in some form.