We have implemented an AAA policy in our web service proxy with the following details:
Authentication method: LDAP
Authorization method: XACML Authorization Decision
Doing our unit testing, we checked with a valid LDAP user having an incorrect password, and despite of we have the related ldap error, the AAA policy continues with its execution and checks the authorization step, which runs fine because the user is valid for the XACML policy.
Is this a correct behavior for the AAA policy execution?
Thanks in advance
Pinned topic LDAP + XACML combination in AAA policy
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2013-04-06T17:58:04Z at 2013-04-06T17:58:04Z by shiufun
shiufun 120000ADNF58 Posts
Re: LDAP + XACML combination in AAA policy2013-04-06T17:58:04ZThis is the accepted answer. This is the accepted answer.If you want to prevent unauthenticated user to go thru your xacml process. At the very beginning of your stylesheet, check for <mapped-credentials> and look for au-success attribute. And reject the request at at time.
An example of how to deal with this is in store:///*xacml*.xsl