We have implemented an AAA policy in our web service proxy with the following details:
Authentication method: LDAP
Authorization method: XACML Authorization Decision
During our unit testing, we checked with a valid LDAP user having an incorrect password, and despite the related LDAP error, the AAA policy continues with its execution and checks the authorization step, which runs fine because the user is valid for the XACML policy.
Is this a correct behavior for the AAA policy execution?
Thanks in advance
1 reply Latest Post - 2013-04-06T17:58:04Z by shiufun
Topic: LDAP + XACML combination in AAA policy
shiufun (ACCEPTED ANSWER)
Re: LDAP + XACML combination in AAA policy, 2013-04-06T17:58:04Z, in response to SystemAdmin
If you want to prevent an unauthenticated user from going through your XACML process, check for <mapped-credentials> at the very beginning of your stylesheet, look for the au-success attribute, and reject the request at that time.
An example of how to deal with this is in store:///*xacml*.xsl
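The behaviour reported in the question and the gate suggested in the answer, modelled in Python as an added example; it is not DataPower stylesheet code and not part of the original thread. The `container` and `entry` elements, the sample documents, the stand-in policy and the attribute value `"true"` are assumptions; only `<mapped-credentials>` and `au-success` come from the answer.

```python
import xml.etree.ElementTree as ET

# Constructed sample AAA inputs (assumed shape, not captured from a device).
GOOD = ('<container><mapped-credentials au-success="true">'
        '<entry>alice</entry></mapped-credentials></container>')
BAD_PASSWORD = ('<container><mapped-credentials au-success="false">'
                '<entry>alice</entry></mapped-credentials></container>')
NO_ATTRIBUTE = ('<container><mapped-credentials>'
                '<entry>alice</entry></mapped-credentials></container>')

PERMITTED_SUBJECTS = {"alice"}  # hypothetical stand-in for the XACML policy


def xacml_decision(subject):
    """Stand-in PDP: decides on the subject name only, as in the question."""
    return "Permit" if subject in PERMITTED_SUBJECTS else "Deny"


def subject_of(doc):
    """Return the mapped subject name, or None if it is absent."""
    entry = doc.find(".//mapped-credentials/entry")
    return entry.text if entry is not None else None


def authorize_ungated(aaa_xml):
    """Reported behaviour: authorization ignores the authentication result."""
    return xacml_decision(subject_of(ET.fromstring(aaa_xml)))


def authorize_gated(aaa_xml):
    """Reject before the XACML step unless au-success is exactly "true"."""
    try:
        doc = ET.fromstring(aaa_xml)
    except ET.ParseError:
        return "Deny"  # unparseable input fails closed
    creds = doc.find(".//mapped-credentials")
    # A missing element or missing attribute is treated as unauthenticated.
    if creds is None or creds.get("au-success") != "true":
        return "Deny"
    return xacml_decision(subject_of(doc))


if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad password", BAD_PASSWORD),
                         ("no attribute", NO_ATTRIBUTE)):
        print(name, authorize_ungated(sample), authorize_gated(sample))
```

The gate compares against the single accepted value rather than testing for a failure value, so any state other than a confirmed authentication is rejected.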