[OTDev] AA

chung chvng at mail.ntua.gr
Thu Jun 17 16:44:42 CEST 2010


Sorry, I wasn't precise enough! I meant an OpenTox service. Nina had
sent a file where the token was included in the URL like
http://someserver.com/resource?tokenid=sglkglfnetc.... 

@Andreas:
In the documentation of the AA services at
http://opentox.org/dev/apis/api-1.1/AA it says about authorization that
if the user is allowed to perform the action, the OpenSSO server replies
with a status code 200 and a boolean (I guess true); otherwise the
status code is 401 and the boolean should be false. So we have only two
options:

200  + "boolean=true"

or 

401 + "boolean=false"

I have created the following policy:

<?xml version="1.0" encoding="UTF-8"?>
<Policies>
    <Policy name="bibTexAllPolicy_1"
            createdby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
            lastmodifiedby="id=amadmin,ou=user,dc=opensso,dc=java,dc=net"
            creationdate="1276785457819" lastmodifieddate="1276785457819"
            referralPolicy="false" active="true">
        <Rule name="rule1">
            <ServiceName name="iPlanetAMWebAgentService"/>
            <ResourceName name="http://opentox.ntua.gr:3000/bibtex"/>
            <AttributeValuePair>
                <Attribute name="POST"/>
                <Value>deny</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="GET"/>
                <Value>allow</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="DELETE"/>
                <Value>deny</Value>
            </AttributeValuePair>
            <AttributeValuePair>
                <Attribute name="PUT"/>
                <Value>deny</Value>
            </AttributeValuePair>
        </Rule>
        <Subjects name="mySubjects" description="">
            <Subject name="YAQPservice" type="LDAPUsers" includeType="inclusive">
                <AttributeValuePair>
                    <Attribute name="Values"/>
                    <Value>uid=YAQPservice, ou=groups, dc=opentox,dc=org</Value>
                </AttributeValuePair>
            </Subject>
            <Subject name="Sopasakis" type="LDAPUsers" includeType="inclusive">
                <AttributeValuePair>
                    <Attribute name="Values"/>
                    <Value>uid=Sopasakis, ou=groups, dc=opentox,dc=org</Value>
                </AttributeValuePair>
            </Subject>
        </Subjects>
    </Policy>
</Policies>

and tried the following request:

curl -i -d "uri=http://opentox.ntua.gr:3000/bibtex" -d "action=GET" \
     -d "subjectid=AQIC5wM2LY4Sfcyf2W48%2FUFKeDRvZ2aEpCcaeK9bBI0NrpE%3D%40AAJTSQACMDE%3D%23" \
     http://opensso.in-silico.ch/opensso/identity/authorize

which should return 200+true but instead I get 200+false (?). What is
this supposed to mean?

Best regards,
Pantelis

On Thu, 2010-06-17 at 17:02 +0300, Luchesar V. ILIEV wrote:
> Sorry to interfere, but what service are we talking about?
> 
> If we're talking about OT services (as opposed to the OpenSSO/Policy
> services), then probably it's up to the service developers to decide.
> And when we talk about uploading of data or requesting computations
> that create new data, then, besides the token, we also need to provide
> the desired policies to the service -- as we discussed on Friday.
> Frankly, I'm not quite sure what would be the best approach to send
> this information...
> 
> L.
> 
> 
> On Thu, Jun 17, 2010 at 16:54, Andreas Maunz <andreas at maunz.de> wrote:
> > chung wrote on 06/17/2010 03:50 PM:
> >>
> >> Hi Andreas,
> >>  How is the token supposed to be provided to a service: as a Header or a
> >> form parameter?
> >
> > It works only in the combination of form parameter/POST.
> >
> > Andreas
> >
> 
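
The authorization check discussed in this thread, as an added example that is not part of the original messages or of any OpenTox code: a client-side helper that sends the token only in the POST form body and treats every reply other than status 200 with "boolean=true" as a denial, including the 200 + false reply reported above. The function names and the sample token are assumptions made for illustration; the endpoint and resource URI are the ones from the curl command.

```python
"""Added example: fail-closed handling of an OpenSSO-style authorize reply."""
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Endpoint copied from the curl command in the message above.
AUTHORIZE_URL = "http://opensso.in-silico.ch/opensso/identity/authorize"


def build_authorize_request(uri, action, token, endpoint=AUTHORIZE_URL):
    """Build (but do not send) a POST whose form body carries the token.

    `token` is the raw, un-escaped token: urlencode() percent-encodes it
    exactly once, so passing an already-encoded token would double-encode it.
    Keeping the token in the body keeps it out of URLs, which commonly end
    up in access logs and Referer headers.
    """
    if urlsplit(endpoint).query:
        raise ValueError("endpoint must not carry query parameters")
    body = urlencode({"uri": uri, "action": action, "subjectid": token})
    return Request(
        endpoint,
        data=body.encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def is_authorized(status, body):
    """Allow only on HTTP 200 *and* a body that is exactly boolean=true.

    Any other combination (401, 200 + false, empty or ambiguous body)
    is treated as a denial.
    """
    if status != 200:
        return False
    lines = [ln.strip().lower() for ln in body.splitlines() if ln.strip()]
    return lines == ["boolean=true"]


if __name__ == "__main__":
    # Constructed sample token and replies, for illustration only.
    req = build_authorize_request(
        "http://opentox.ntua.gr:3000/bibtex", "GET", "EXAMPLE/tok=@id=#")
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
    for status, body in [(200, "boolean=true\n"), (200, "boolean=false\n"),
                         (401, "boolean=false\n")]:
        print(status, body.strip(), "->", is_authorized(status, body))
```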




