  • Latest Post - ‏2013-04-06T17:58:04Z by shiufun

Pinned topic LDAP + XACML combination in AAA policy

2013-04-05T19:43:59Z
We have implemented an AAA policy in our web service proxy with the following details:

Authentication method: LDAP
Authorization method: XACML Authorization Decision

During our unit testing, we checked with a valid LDAP user having an incorrect password, and although we get the related LDAP error, the AAA policy continues with its execution and checks the authorization step, which runs fine because the user is valid for the XACML policy.

Is this a correct behavior for the AAA policy execution?

Thanks in advance
  • shiufun
    89 Posts

    Re: LDAP + XACML combination in AAA policy

    If you want to prevent an unauthenticated user from going through your XACML process, at the very beginning of your stylesheet, check for <mapped-credentials> and look for the au-success attribute, and reject the request at that time.

    An example of how to deal with this is in store:///*xacml*.xsl
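
The guard described in the reply above, as an added example that is not part of the original thread and is not IBM's shipped stylesheet. Assumptions: the stylesheet is the custom one that builds the XACML request, `au-success` carries the literal value `true` after a successful login, `<mapped-resource>` holds the resource string, the action value `access` is a constructed placeholder, and `dp:reject` is the rejection mechanism used.

```xslt
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp">

  <xsl:variable name="str" select="'http://www.w3.org/2001/XMLSchema#string'"/>

  <xsl:template match="/">
    <!-- Assumption: <mapped-credentials> may sit at any depth of the AAA input tree,
         so it is looked up with // instead of a fixed path. -->
    <xsl:variable name="mc" select="//mapped-credentials"/>
    <xsl:choose>
      <!-- Fail closed: continue only on exactly one element with an explicit
           au-success="true". A missing element, a missing attribute or any
           other value is treated as an authentication failure. -->
      <xsl:when test="count($mc) = 1 and $mc/@au-success = 'true'">
        <Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <Subject>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                       DataType="{$str}">
              <AttributeValue><xsl:value-of select="normalize-space($mc)"/></AttributeValue>
            </Attribute>
          </Subject>
          <Resource>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                       DataType="{$str}">
              <!-- Assumption: <mapped-resource> contains the resource string -->
              <AttributeValue><xsl:value-of select="normalize-space(//mapped-resource)"/></AttributeValue>
            </Attribute>
          </Resource>
          <Action>
            <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                       DataType="{$str}">
              <!-- Constructed placeholder action value -->
              <AttributeValue>access</AttributeValue>
            </Attribute>
          </Action>
          <Environment/>
        </Request>
      </xsl:when>
      <xsl:otherwise>
        <!-- No XACML request is produced for an unauthenticated caller,
             so the PDP is never asked about a subject that failed LDAP. -->
        <dp:reject>Authentication failed</dp:reject>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```

A unit test for this guard should repeat the scenario from the question: a valid LDAP user with a wrong password must be rejected before any authorization decision is requested.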