Standalone Server User Guide


Nov 12, 2013




Standalone Server User Guide

Author         Version  Date        Comments
George Inman   1        19/10/09    First Version
George Inman   1.1      07/12/09    Updated Version
George Inman   1.2      08/12/09    Added endorsed directory Instructions
Stijn Lievens  1.3      04/11/2010  Added installation in Tomcat; how to enable BTG functionality; how to configure obligations
Stijn Lievens  1.3.1    23/11/2010  Minor update to obligations
Stijn Lievens  1.4      05/04/2011  First version including the AipepConfiguration element
Stijn Lievens  1.5      20/05/2011  Fixing the namespace problems on the stickypad example. Introduced the "supportMultiResources" attribute. Some further clarifications.
Stijn Lievens  1.6      01/06/2011  Added section about trusted proxies. Added the first version of the policy management interface.





Table of Contents

Standalone Server User Guide
Introduction
Overview of the Service
Installing the Service
Setting up Logging
Server Configuration
The TCP Configuration element
PDP and CVS Configuration
Configuring a PERMIS PDP and CVS
Configuring a Sun PDP
Configuring a Trust PDP
Testing the Server
Configuring an Application Independent PEP (AI-PEP)
Protocol Information
Specifying a CVS policy when making a WS-Trust Request
Specifying an Authorisation Policy to use when making an XACML AuthzRequest
Submitting Sticky Policies to Use for a Particular RID
Returning Sticky Policies from the AIPEP
References
Appendix 1. Server WSDL


Introduction

The standalone server is a network accessible, application independent Authorisation server that can be used as an application independent PEP or Credential Validation Service to respond to any application's request for an authorisation decision.

The following instructions will teach you how to install and tailor the standalone server to allow you to make authorisation requests across a network using standardised authorisation protocols and receive authorisation responses for use in your application.




Overview of the Service

The standalone server is a Java [1] based application with an embedded Apache Axis2 [2] service that accepts requests for authorisation using three standardised protocols, with messages sent using SOAP [3]. As of version 0.2.0 the service can also be installed in a servlet container (like Tomcat) using the Axis2 servlet.

The first of the supported protocol languages is XACML [4], which is implemented as a test message handler and should not be used in production environments. The second handler is an XACML over SAML 2.0 [5] message handler; this handler has been produced in accordance with the constrained authorisation profile outlined in [6]. The final handler operates as a WS-Trust [7] CVS handler which provides the requestor with a SAML assertion containing valid Attributes as specified in [8]. Currently the handlers that support the use of multiple policies are the XACML over SAML 2.0 message handler and the WS-Trust message handler.

Request messages should be sent to the server's endpoint, which will determine the type of the message based on the XML namespace of the request message. Please note that only messages that conform to the relevant message schemas will be accepted by the service.


Installing the Service

Prior to installation the standalone server has the following requirements:

- A Sun Java Runtime Environment: this should be a 1.6 release of the JRE. Older versions are not supported.
- (Optional) If you wish to make the server available over a network then a single port number should be reserved for the service and this port should then be opened in your firewall.
- (Optional) If you wish to run the server using SSL then you may wish to install OpenSSL or similar for use when creating server certificates.
- (Optional) If you wish to deploy the service inside a servlet container, you will need a servlet container as well as the Axis2 servlet. Version 5.5.31 of Tomcat together with Axis2 version 1.5.1 has been tested.


Installation as a standalone service

In order to install the service you should download the latest release of the service from the PERMIS website (http://sec.cs.kent.ac.uk/permis) and unzip the release package to a folder of your choice. Once this folder has been unzipped you should open a new terminal window and navigate into the newly unzipped directory. Before the server can be run you must endorse the XML parsers contained in the endorsed directory of the release. This can be accomplished by copying the endorsed directory in the release to the "lib/" directory of your Java runtime environment installation.

For Windows users:

    C:\...\standalone>: copy endorsed %JAVA_HOME%\lib\

For Linux users:

    ...:~/standalone$ cp -R ./endorsed $JAVA_HOME/lib/

Note: if you have not correctly endorsed the XML libraries, you will be confronted by a message similar to the following when trying to start the software:

    OpenSAML requires an xml parser that supports JAXP 1.3 and DOM3. The JVM is currently configured to use the Sun XML parser, which is known to be buggy and can not be used with OpenSAML. Please endorse a functional JAXP library(ies) such as Xerces and Xalan. For instructions on how to endorse a new parser see http://java.sun.com/j2se/1.5.0/docs/guide/standards/index.html

You can find more information about the Java endorsing mechanism at the following URL: http://download.oracle.com/javase/1.5.0/docs/guide/standards/index.html

You should now be ready to test the service by running one of the two following commands:

For Windows users:

    C:\...\standalone>: standalone.bat

For Linux users:

    ...:~/standalone$ ./standalone.sh

At this point you should be able to verify that the service has been installed properly by navigating to https://localhost:1104/ which should show a page similar to the one displayed below:

Please ensure that a service named AuthzService has been deployed and that it has three separate operations: SAML2XACMLAuthzRequest, XACMLAuthzRequest and WsTrustAuthzRequest.

Please note: occasionally when started, additional operations are made available. If this occurs please restart the server, as there is a bug within the Axis WSDL parsing code meaning that the schema is occasionally loaded incorrectly; we are currently working to fix this bug.

At this stage you should have a fully operational standalone PERMIS Authorisation server deployed with two default policies, one of which can be queried using the example SOAP request messages included in the "./Example Request Messages" folder of the release package using some form of SOAP client such as SoapUI [9].




Installation inside a servlet container

We assume that you have a servlet container like Tomcat installed in a directory called $TOMCAT. First, you need to install the Axis2 servlet in the servlet container. Download the Axis2 WAR (Web Archive) from the Axis2 site: http://ws.apache.org/axis2/index.html. Simply copy the WAR file into the $TOMCAT/webapps directory. When you restart Tomcat you should have the Axis2 servlet available. You can check this by visiting http://localhost:8080/axis2/. [This assumes that Tomcat is listening on port 8080.] Check that Axis2 has found all the required libraries by visiting the "Validate" link on this page.

In order to install the service you should download the latest release of the service from the PERMIS website (http://sec.cs.kent.ac.uk/permis) and unzip the release package to a folder of your choice.

Prior to installing the authorisation service, you will need to endorse the XML parsing libraries in Tomcat. In Tomcat version 5.5.x this is done by copying all the JAR files inside the distribution's "endorsed" directory to the directory $TOMCAT/common/endorsed. See http://tomcat.apache.org/tomcat-5.5-doc/class-loader-howto.html for additional information.

Note: if you haven't done the endorsing correctly, you will be greeted by the same message from OpenSAML as in the case of "Installation as a standalone service".

Next you can install the authorisation service by simply copying the AuthzService-webapp_x_y_z.aar file that is included in the distribution to $TOMCAT/webapps/axis2/WEB-INF/services. You will need to edit the META-INF/services.xml file in that AAR (Axis2 Archive) file to reflect the location of the main configuration file of the service as well as the location of the log4j properties file. The properties that need to be set are "configFile" and "log4JConfigFile" respectively. For example:

    <parameter name="configFile">permis.xml</parameter>
    <parameter name="log4JConfigFile">log4j.properties</parameter>

Remark: if your service is listed by Axis2 as a faulty service, then please check the Tomcat log files and make sure that the main configuration file (permis.xml) is found. Note that the current directory is the one from which Tomcat was started.

Remark: if you ever get an error message saying that a certain method in the org.apache.commons.codec.Base64 class cannot be found then you need to replace the commons-codec-1.3.jar in $TOMCAT/webapps/axis2/WEB-INF/lib with the commons-codec-1.4.jar supplied with the software.


Setting up an SSL connection

When you want the authz server to be available using an SSL connection, i.e. using HTTPS rather than plain HTTP, you will need to do the following:

- Configure the SSL connector for your servlet container. This guide does not explain how to do this. When using the AipepConfiguration element or when using the service as a CVS, it is probably a good idea to require client authentication as well.
- Update the axis2.xml file to tell Axis2 to use HTTPS transport as well. In the Transports In section, change the following:

    <transportReceiver name="http" class="org.apache.axis2.transport.http.AxisServletListener"/>

  To:

    <transportReceiver name="http" class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8080</parameter>
    </transportReceiver>
    <transportReceiver name="https" class="org.apache.axis2.transport.http.AxisServletListener">
        <parameter name="port">8443</parameter>
    </transportReceiver>

  This amounts to adding a "HTTPS" transport receiver, and specifying the port to use for both the HTTP and HTTPS receiver. Be sure to use the same ports as the ones that your servlet container is listening on.


Allowing only selected hosts to use the authorisation service

In some cases it may be useful to limit the possible clients of the authz service to a set of known clients. A secure way of doing client authentication is via client SSL certificates. This can be set up entirely using container managed security. You will need to edit a couple of files.

Add the following to the webapps/axis2/WEB-INF/conf/axis2.xml file (inside the webapp element):

    <!-- This is the role we are using -->
    <security-role>
        <role-name>authz-trusted-proxy</role-name>
    </security-role>

    <security-constraint>
        <!-- The URL pattern for the authz service -->
        <web-resource-collection>
            <web-resource-name>authz service</web-resource-name>
            <url-pattern>/services/AuthzService</url-pattern>
        </web-resource-collection>

        <!-- Anyone accessing this URL must have the authz-trusted-proxy role -->
        <auth-constraint>
            <role-name>authz-trusted-proxy</role-name>
        </auth-constraint>

        <!-- A connection to the authz service must be done over SSL -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- client authentication is done using client certificates -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

This basically says the clients must connect to the service using SSL, that they must authenticate using a client certificate and that they must possess the authz-trusted-proxy role in order to get access to the service. At this point in time nobody can call the service, as nobody has the authz-trusted-proxy role. Adding clients to this role is done in the conf/tomcat-users.xml file:

    <!-- define the authz-trusted-proxy role -->
    <role rolename="authz-trusted-proxy"/>
    <!-- Add the client to the authz-trusted-proxy role -->
    <user username="DN of client" password="null" roles="authz-trusted-proxy"/>
    <!-- Optionally add more clients to the authz-trusted-proxy role -->

Note: it is possible to retrieve the DN of the client as perceived by Tomcat by turning SSL debugging on. This is done by setting JAVA_OPTS=-Djavax.net.debug=ssl in bin/catalina.sh. This will cause debugging output w.r.t. the SSL connections to be logged in the Tomcat log file.
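The constraint and the role mapping above can be checked mechanically before the service is exposed. The following Python script is an added example and is not part of the PERMIS guide or release: it parses the security-constraint and login-config fragment shown above (wrapped in a web-app root so it forms a complete document, with any XML namespace stripped) together with a tomcat-users.xml, reports which of the three protections (SSL, client-certificate login, role check) are missing for /services/AuthzService, and lists which client DNs actually hold the authz-trusted-proxy role. The sample DNs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security-constraint and login-config fragment from the
# guide, wrapped in a <web-app> root so that it parses as a complete document.
WEB_XML = """<web-app>
  <security-role><role-name>authz-trusted-proxy</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>authz service</web-resource-name>
      <url-pattern>/services/AuthzService</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>authz-trusted-proxy</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

# Constructed sample tomcat-users.xml; the DNs are placeholders, not real clients.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="authz-trusted-proxy"/>
  <user username="CN=proxy.example.org,O=Example,C=GB" password="null"
        roles="authz-trusted-proxy"/>
  <user username="CN=other.example.org,O=Example,C=GB" password="null"
        roles="manager"/>
</tomcat-users>"""

AUTHZ_URL = "/services/AuthzService"
PROXY_ROLE = "authz-trusted-proxy"


def _parse(xml_text):
    """Parse XML and drop namespace prefixes so a namespaced web.xml matches too."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if "}" in element.tag:
            element.tag = element.tag.split("}", 1)[1]
    return root


def _text(element, path, default=""):
    return (element.findtext(path) or default).strip()


def audit_constraints(web_xml, url=AUTHZ_URL):
    """Return a list of findings for the protection of `url`; an empty list means
    SSL, client-certificate login and a role check are all in place."""
    root = _parse(web_xml)
    matched = None
    for constraint in root.findall("security-constraint"):
        patterns = [(p.text or "").strip()
                    for p in constraint.findall("web-resource-collection/url-pattern")]
        if url in patterns:
            matched = constraint
            break
    if matched is None:
        return [f"no security-constraint covers {url}: service is callable by anyone"]
    findings = []
    roles = [(r.text or "").strip() for r in matched.findall("auth-constraint/role-name")]
    if not roles:
        findings.append("auth-constraint missing: no role is required to call the service")
    guarantee = _text(matched, "user-data-constraint/transport-guarantee", "NONE")
    if guarantee != "CONFIDENTIAL":
        findings.append(f"transport-guarantee is {guarantee}: requests may arrive over plain HTTP")
    method = _text(root, "login-config/auth-method")
    if method != "CLIENT-CERT":
        findings.append(f"auth-method is {method or 'unset'}: clients are not authenticated by certificate")
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}
    for role in roles:
        if role not in declared:
            findings.append(f"role {role} is required but not declared in a security-role")
    return findings


def trusted_proxies(tomcat_users_xml, role=PROXY_ROLE):
    """Return the usernames (client DNs) that hold `role` in tomcat-users.xml."""
    root = _parse(tomcat_users_xml)
    holders = []
    for user in root.findall("user"):
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if role in roles:
            holders.append(user.get("username"))
    return sorted(holders)


if __name__ == "__main__":
    for finding in audit_constraints(WEB_XML) or ["AuthzService constraint: OK"]:
        print(finding)
    print("trusted proxies:", trusted_proxies(TOMCAT_USERS_XML))
```

Run it against the real descriptor and tomcat-users.xml after every change to the role list; an empty finding list and a short, expected list of DNs is the state the section above describes.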


Setting up Logging

The software uses Log4J as its logging framework. The configuration is read in from a Log4J properties file. A default properties file (log4j.properties) comes with the software.

In general the authorisation service provides two types of logging:

- The first type is mainly aimed at programmers/developers who want to understand in (too) great detail what the software is doing. The software uses the convention that each class outputs its logging information to a logger named after the fully qualified name of the class. This is common practice and allows one to select only the logging output from a single class, for instance.
- The second type is meant to provide a trail of the requests received and responses sent by the service. The name of the logger used for this is "access.log". By configuring the appenders and log level for this particular logger you will get a clear picture of the requests and responses sent to and by the service. The following log levels are used:
  WARN: logs only requests (and responses) that reveal a serious programming error;
  INFO: as above and also logs the requests (and responses) that fail to locate an appropriate policy (either because no default policy is configured or because the request mentions a policy identifier that couldn't be identified);
  DEBUG: as above but also logs all requests and corresponding responses for which there was no problem.


Server Configuration

All server and policy configurations are defined in a single file in the root directory of the release package called "permis.xml". This file consists of a single <PERMISStandaloneConfiguration> element containing a single <TCPConfiguration> element, which is used to configure the Axis server itself, and multiple elements used to configure each individual message handler type: <PERMISConfiguration> elements that are used to configure individual instances of PERMIS, <SunPDPConfiguration> elements that are used to configure individual instances of the XACML PDP, <TrustPDPConfiguration> elements that are used to configure individual instances of the TrustPDP and <TestService> elements that are used to configure GRANT all or DENY all handlers.


The TCP Configuration element

Note: this element is ignored when installing inside a servlet container.

At its most basic the TCPConfiguration element defines the port number upon which the server listens, the number of threads to use for requests and the protocol to use. Where required, additional configuration parameters are included in order to configure the protocol listener, e.g. for SSL. We specify below the possible parameters for this service and their expected contents.

General Parameters

These parameters are required by all server configurations.

<ServerPort> - This element is used to specify the port number on which the server should accept incoming requests. It takes a single numeric value. If a port has been opened in your firewall to support this service then this value should match the value of that port.

<ThreadCount> - The ThreadCount element is used to specify how many requests can be handled in parallel by the server. The value placed here should be numeric and should vary according to the resources allocated to the system.

<Protocol> - The Protocol element specifies the underlying protocol upon which SOAP requests will be received by the server. This may currently contain a value of either "http" or "https". If the system cannot determine the type of the protocol then it will default to "http".

Table 1. Example HTTP Configuration

    <TCPConfiguration>
        <ServerPort>1104</ServerPort>
        <ThreadCount>10</ThreadCount>
        <Protocol>http</Protocol>
    </TCPConfiguration>

Using the above configuration you should be able to navigate to http://localhost:1104 and view the service as before.


SSL Specific Parameters [1]

These parameters are only required when operating using the HTTPS server.

<PrivateKey> - This element should contain a relative or absolute path that can be used to determine a file containing a private key certificate. This certificate will be used to secure the SSL server and may or may not be encrypted. If the file is encrypted, however, the PrivateKeyPassword element must be present.

<PublicKey> - This element should contain a relative or absolute path that can be used to determine a file containing a public key certificate (PKC). The contents of this file must contain a PKC certificate that matches the details contained in the private key file defined above.

<PrivateKeyPassword> - This element should contain a string representation of the password required to access the Private Key file. This element is only required when the private key is protected by a password.

<KeyStore> - This element should contain a relative or absolute path that can be used to create a Java KeyStore file containing the private and public key certificates loaded from their respective files. Please note that this file should not exist prior to service initialisation. If the file is found to exist it will be overwritten.

<TrustStore> - This element should contain a relative or absolute path that can be used to locate a Java TrustStore file containing the certificates of server entities that the service trusts. For more information please see Section 4.

<KeyStorePassword> - This optional element should contain a string representation of the password that will be used to access the KeyStore file. If this element is not present the KeyStore password will be assumed to be "password".

<TrustStorePassword> - This optional element should contain a string representation of the password required to access the TrustStore file. If this element is not present the KeyStore password will be assumed to be "password".

<RequireClientAuthentication> - This element specifies whether or not the server should only accept requests from servers with whom it has a pre-existing trust relationship, i.e. their SSL certificate is in the TrustStore. A value of "true" specifies that only trusted servers can access the service; a value of "false" specifies that any server may make authorisation requests.

Table 2. Example HTTPS Configuration

    <TCPConfiguration>
        <ServerPort>1104</ServerPort>
        <ThreadCount>10</ThreadCount>
        <Protocol>https</Protocol>

        <!-- SSL only Configurations -->
        <PublicKey>./server.crt</PublicKey>
        <PrivateKey>./server.key</PrivateKey>
        <PrivateKeyPassword>password</PrivateKeyPassword>
        <KeyStore>./keystore.jks</KeyStore>
        <KeyStorePassword>password</KeyStorePassword>
        <RequireClientAuthentication>true</RequireClientAuthentication>
        <TrustStore>./truststore.jks</TrustStore>
        <TrustStorePassword>password</TrustStorePassword>
    </TCPConfiguration>

[1] If you want to use SSL, it is better to install the service inside a servlet container like Tomcat. The SSL support provided by the standalone application is flaky at best.

If you now navigate to https://localhost:1104/ you should be asked by your browser to provide a certificate for authentication. The example trust store included in the release should contain a single PKC that corresponds to a PKCS#12 file in the release named trusted.p12, which has a password of "password". You should now be able to see the service as before.

Please Note: The SSL certificates provided with the release should not be used to provide SSL support in deployed systems.
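Because a missing store password silently becomes "password" and an existing KeyStore file is overwritten at start-up, it is worth auditing permis.xml before the server is started. The following Python script is an added example and not part of the PERMIS release: it parses the <TCPConfiguration> element using the element names from Table 2 and flags plain-HTTP operation, RequireClientAuthentication not set to true, passwords that are absent or equal to the documented default, and a KeyStore path that already exists. The sample configuration and the list of existing files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed permis.xml using the TCPConfiguration element names from Table 2;
# the key, store and password values are the placeholders from the guide's example.
PERMIS_XML = """<PERMISStandaloneConfiguration>
  <TCPConfiguration>
    <ServerPort>1104</ServerPort>
    <ThreadCount>10</ThreadCount>
    <Protocol>https</Protocol>
    <PublicKey>./server.crt</PublicKey>
    <PrivateKey>./server.key</PrivateKey>
    <PrivateKeyPassword>password</PrivateKeyPassword>
    <KeyStore>./keystore.jks</KeyStore>
    <KeyStorePassword>password</KeyStorePassword>
    <RequireClientAuthentication>true</RequireClientAuthentication>
    <TrustStore>./truststore.jks</TrustStore>
    <TrustStorePassword>password</TrustStorePassword>
  </TCPConfiguration>
</PERMISStandaloneConfiguration>"""

# The password the guide says is assumed when a store password element is absent.
DOCUMENTED_DEFAULT_PASSWORD = "password"


def audit_tcp_configuration(permis_xml, existing_files=()):
    """Return a list of findings for the <TCPConfiguration> in permis.xml.

    existing_files lists paths known to exist on disk; it is passed in rather than
    probed so the audit runs offline. A <KeyStore> path in that list is reported,
    because the server overwrites the KeyStore file on start-up."""
    tcp = ET.fromstring(permis_xml).find("TCPConfiguration")
    if tcp is None:
        return ["no TCPConfiguration element found"]

    def value(name):
        return (tcp.findtext(name) or "").strip()

    findings = []
    protocol = value("Protocol").lower() or "http"  # unknown protocol defaults to http
    if protocol != "https":
        findings.append(f"Protocol is {protocol}: SOAP requests and decisions travel unencrypted")
        return findings  # the remaining parameters only apply to the HTTPS listener

    for required in ("PublicKey", "PrivateKey", "TrustStore"):
        if not value(required):
            findings.append(f"{required} missing: HTTPS listener cannot be set up")
    if value("RequireClientAuthentication").lower() != "true":
        findings.append("RequireClientAuthentication is not true: any host may submit authorisation requests")

    # PrivateKeyPassword is optional (only needed for an encrypted key); the store
    # passwords fall back to the documented default when absent, which is a finding.
    for name in ("PrivateKeyPassword", "KeyStorePassword", "TrustStorePassword"):
        password = value(name)
        if not password:
            if name != "PrivateKeyPassword":
                findings.append(f"{name} absent: server assumes the documented default '{DOCUMENTED_DEFAULT_PASSWORD}'")
        elif password == DOCUMENTED_DEFAULT_PASSWORD:
            findings.append(f"{name} is the documented default '{DOCUMENTED_DEFAULT_PASSWORD}'")

    keystore = value("KeyStore")
    if keystore and keystore in set(existing_files):
        findings.append(f"KeyStore {keystore} already exists and will be overwritten at start-up")
    return findings


if __name__ == "__main__":
    for finding in audit_tcp_configuration(PERMIS_XML, existing_files=["./keystore.jks"]):
        print(finding)
```

On a real installation pass the output of os.listdir on the release directory as existing_files; the Table 2 example itself produces four findings (three default passwords and the overwritten KeyStore), which is exactly why the guide says not to use the shipped certificates in deployed systems.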


P
D
P

a
n
d

C
VS

Con
fi
gu
ra
t
i
o
n


The

a
uthorisation se
r
v
e
r

o
f
f
e
rs supp
o
rt
f
or

se
v
e
r
a
l

PDP

implem
e
ntations i
n
c
luding

t
h
e

PER
M
I
S
PdP/CVS

[
9
]
,

Sun

s

X
A
C
M
L

PDP

[
10]

a
nd

Eindhoven

s

T
rust

PD
P
.

E
a
c
h

of

th
e
se

c
onf
i
g
u
r
a
tion
t
y
p
e
s utilise a

di
f
f
e
r
e
nt
t
y
pe

of
c
onf
i
g
u
r
a
tion
e
le
m
e
nt in the m
a
in con
f
i
g
u
r
a
tion file:




<
PER
M
I
SConfi
g
u
r
a
tio
n
>

e
lem
e
nts co
n
fi
g
u
re

a
n
i
nstan
c
e

of the

PER
M
I
S
P
DP/CVS.




<
SunPDPConfi
g
u
ra
tion>

e
lem
e
nts con
f
i
g
u
r
e

a
n i
n
stan
c
e

of the

Sun X
A
C
M
L

PD
P
.




<
T
rustPDPConfi
g
u
r
a
tio
n
>

e
lem
e
nts co
n
fi
g
u
re

a
n
i
nstan
c
e

of the

T
rust PD
P
.


I
f a

e
r
r
or

o
cc
u
r
s

whilst con
f
i
g
u
r
i
n
g

the
s
e

e
lem
e
n
t
s the
e
lem
e
nt will be
skipp
e
d
a
nd
a
ppr
o
p
r
iate
e
r
r
or

inf
o
rm
a
tion will be

outputted to the log

f
il
e
.


P
lea
s
e

No
t
e
:
At
c
onstr
uc
tion the s
e
rv
e
r
w
ill atte
m
pt to d
e
te
r
mine

a

d
e
f
a
ult PD
P
/CVS for

incoming
r
e
qu
e
sts.

This def
a
ult poli
c
y

will be

d
e
fin
e
d usi
n
g

the isD
e
f
a
ult
a
ttribute

p
r
e
s
e
nt on all the

PDP
c
onfi
g
u
r
a
tion
e
le
m
e
nts. On
l
y

one

d
e
fault poli
c
y

m
a
y

b
e

spe
c
if
i
e
d in a
n
y

c
onfi
g
u
r
a
tion file instan
c
e
.


Con
fi
gu
ri
n
g

a

PE
R
M
IS

P
D
P

a
n
d

C
V
S


E
a
c
h
<
PER
M
I
SConfi
g
u
r
a
tion>

e
lem
e
nt d
e
fin
e
d
i
n the
c
onf
i
g
u
ra
tion file
d
e
s
c
rib
e
s a
s
e
p
e
r
a
te
inst
a
n
c
e

of
a

PER
M
I
S R
B
AC se
r
v
e
r th
a
t is

a
c
ce
s
s
ible

throu
g
h the
s
e
rve
r
'
s

a
uthorisation endpoint.
W
hilst

multiple polici
e
s

ca
n be

c
onf
i
g
u
re
d v
i
a

this co
n
fi
g
u
r
a
tion file on
l
y

one

ca
n
b
e

used

to ac
ce
ss
the
X
AC
M
L

on
l
y

e
ndpo
i
nt or

be

used

a
s f
o
r S
A
M
L
2X
A
C
M
L

a
nd

W
S
-
TRUST

re
qu
e
sts that do
n
ot
c
ontain a

poli
c
y

identifi
e
r
.

W
e

c
a
ll this poli
c
y

the

d
e
f
a
ult poli
c
y

a
nd sp
e
c
i
f
y

it
a
s a b
o
ol
e
a
n
a
ttribute

of the

PER
M
I
S
Confi
g
u
r
a
tion
e
lem
e
nt itself
c
a
ll
e
d


isDef
a
ult

.




The possible configuration elements defined for this configuration type are:

<PolicyLocation> - The PolicyLocation element specifies the location of the policy to be used with this service. This may take the form of the URL of an LDAP server, a WebDAV server URL, the path to an Attribute Certificate or the path to an XML file.

<PolicyIssuer> - The PolicyIssuer specifies the policy writer. When accessing policies which are stored in remote repositories this value is also used to determine the user entry in which the policy is stored.

<PolicyIdentifier> - The PolicyIdentifier specifies a unique identifier that can be used to identify the correct policy to be used. This value must match the OID attribute contained in the policy file itself. This value is then used to determine which policy to load from repositories, and later this identifier can be used when making both WS-Trust and SAML-XACML requests to determine which policy to use for credential validation or authorisation.

<LDAPACAttribute> - This element specifies the LDAP attribute name that is used to hold Attribute Certificates for authorisation.

<LDAPPKCAttribute> - This element specifies the LDAP attribute name that is used to hold user PKCs for signature verification.

<CredentialLocation> - The CredentialLocation element is used in pull mode to define the repositories from which user credentials should be pulled. This element should take the value of an LDAP or WebDAV attribute repository's URL.

<RootPKC> - This element specifies the paths to the certificate authorities that can be used when verifying user certificates and signed credentials.

<ObligationsServiceConfiguration> - Specifies an obligations service that will be attached to the PDP. This element is discussed in more detail below.

<EngineIdentity> - Determines the value used as the Issuer of the assertion embedded in the RequestSecurityTokenResponse. This value is thus only used for the CVS functionality.




Table 3. PERMIS Policy Configuration Example

<!-- example Policy Configuration using XML and no Signature Verification.
     This policy is the default policy as specified by the isDefault attribute -->
<PERMISConfiguration isDefault="true">
  <!-- The location of the policy -->
  <PolicyLocation>./policy.xml</PolicyLocation>
  <!-- The issuer of the policy -->
  <PolicyIssuer>cn=A Permis Test User,o=Permisv5,c=gb</PolicyIssuer>
  <!-- For XML policies the Policy Identifier may have any unique value but MUST still be set -->
  <PolicyIdentifier>TestPolicy</PolicyIdentifier>
  <!-- The LDAP attribute where the user's policy/attributes are stored -->
  <LDAPACAttribute>attributeCertificateAttribute</LDAPACAttribute>
  <!-- The LDAP attribute where the user's PK certificate is stored -->
  <LDAPPKCAttribute>userCertificateAttribute</LDAPPKCAttribute>
  <!-- The location of user credentials -->
  <CredentialLocation>ldap://sec.cs.kent.ac.uk/c=gb</CredentialLocation>
</PERMISConfiguration>

The PERMISConfiguration element supports the following attributes:

- isDefault: indicates whether or not this is the default policy for this server. Default: false

- isBtgEnabled: when set to 'true' then a BTG-wrapper will be used around the stateless PDP. This enables the PDP to return the BTG-answer. This wrapper will hold all the relevant state information for the BTG-protocol. Default: false

- btgMode: determines the 'mode' in which the BTG-wrapper will work. Valid values are: PRE_FETCH and FETCH_ON_DEMAND. Only considered when the attribute isBtgEnabled is set to true. Default: PRE_FETCH

- authenticateCaller: when true then the Issuer of the top level Assertion used in a RequestSecurityToken message has to match the DN of the client certificate used for the SSL connection. This parameter thus only influences the CVS functionality. When this attribute is set to true, then the CVS can only be (meaningfully) called over SSL.

- supportMultiResources: when this is set to true then one can send multiple resources in a single request. The xacml-context:Response will then contain multiple xacml-context:Result elements, one for each resource in the request. This is particularly useful when using the SAML profile of XACML. In this case credential validation (i.e. fetching, parsing and validating the user's credentials) will only be done once. This should result in a significant performance improvement compared to making multiple calls, one for each request. Default: false.

For additional policy configurations please refer to the example permis.xml configuration file included in the release package.


Configuring an Obligations Service

Note: due to class loading issues, configuring an obligations service does not work with servlet container deployment when using a version smaller than 0.2.3. From version 0.2.3 onwards you should be able to use an obligations service no matter how you deploy the authorisation server.

The optional ObligationsServiceConfiguration element specifies an obligations service that will be attached to the PDP. That is, if the XACML response contains Obligations then some of them may be enforced by the specified obligations service. The mechanism used is flexible and allows administrators to specify their own obligations without having to change or recompile the code. The underlying framework used is Spring version 3 [11]. The software distribution contains the necessary libraries but the administrator will have to specify a Spring configuration file.

An ObligationsServiceConfiguration element consists of zero or more Obligation elements. Each Obligation element has a required 'path' attribute that gives the location of a Spring configuration file. Further, each Obligation element needs to have one or more ObligationIdentifier elements.

An example of an ObligationsServiceConfiguration element is given below:


<ObligationsServiceConfiguration processAll="false">
  <Obligation path="./obligations/AlwaysSucceedObligation.xml">
    <ObligationIdentifier>AlwaysSucceedObligation</ObligationIdentifier>
  </Obligation>
  <Obligation path="./obligations/EmailObligation.xml">
    <ObligationIdentifier>EmailObligation</ObligationIdentifier>
  </Obligation>
</ObligationsServiceConfiguration>



The ObligationIdentifier elements specify the identifiers that this particular obligation will be registered under in the obligations service. In other words, if this identifier matches the ObligationId attribute on one of the returned obligations, then this ObligationConstructor object (see later) will be used to construct the executable obligation which will then be enforced.

The ObligationsServiceConfiguration element also has an attribute called 'processAll'. If this is set to false, then the ObligationsService will simply return any unrecognised obligations (i.e. obligations for which no matching ObligationIdentifier was found). If it is set to true, then if there are such unrecognised obligations access will be denied. If you have configured additional obligations service components in your system (e.g. to handle application specific obligations), then you should set the processAll attribute to false.
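As an added illustration (not code from the PERMIS distribution), the following Python models the dispatch just described: it registers each ObligationIdentifier of an ObligationsServiceConfiguration, matches them against the ObligationId attributes of a constructed XACML 2.0 response, and applies the processAll rule to whatever is left unrecognised. The configuration and response are constructed samples; the second identifier on the EmailObligation and the urn:example:app:audit-log obligation are assumptions.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"

# Constructed ObligationsServiceConfiguration in the guide's format. The second
# identifier on the EmailObligation is an assumption showing that one
# Obligation may be registered under several ObligationIdentifiers.
SERVICE_CONFIG = """
<ObligationsServiceConfiguration processAll="false">
  <Obligation path="./obligations/AlwaysSucceedObligation.xml">
    <ObligationIdentifier>AlwaysSucceedObligation</ObligationIdentifier>
  </Obligation>
  <Obligation path="./obligations/EmailObligation.xml">
    <ObligationIdentifier>EmailObligation</ObligationIdentifier>
    <ObligationIdentifier>http://sec.cs.kent.ac.uk/obligations/EmailObligation</ObligationIdentifier>
  </Obligation>
</ObligationsServiceConfiguration>
"""

# Constructed XACML 2.0 response: one registered obligation and one
# application-specific obligation the service has no constructor for.
SAMPLE_RESPONSE = f"""
<Response xmlns="{XACML_NS}" xmlns:p="{POLICY_NS}">
  <Result ResourceId="http://example.org/record/42">
    <Decision>Permit</Decision>
    <p:Obligations>
      <p:Obligation ObligationId="EmailObligation" FulfillOn="Permit"/>
      <p:Obligation ObligationId="urn:example:app:audit-log" FulfillOn="Permit"/>
    </p:Obligations>
  </Result>
</Response>
"""


def load_registry(config_xml):
    """Return (processAll flag, {ObligationIdentifier: Spring file path}).
    The path names the file whose ObligationConstructor bean builds the
    executable obligation for that identifier."""
    root = ET.fromstring(config_xml)
    process_all = root.get("processAll", "false").lower() == "true"
    registry = {}
    for obligation in root.findall("Obligation"):
        for ident in obligation.findall("ObligationIdentifier"):
            registry[ident.text.strip()] = obligation.get("path")
    return process_all, registry


def enforce(config_xml, response_xml):
    """Match the ObligationId of each returned obligation against the
    registry and apply the processAll rule. Returns
    (decision, [(identifier, constructor file)], [unrecognised ids])."""
    process_all, registry = load_registry(config_xml)
    result = ET.fromstring(response_xml).find(f"{{{XACML_NS}}}Result")
    decision = result.findtext(f"{{{XACML_NS}}}Decision")
    to_run, unrecognised = [], []
    for obligation in result.iter(f"{{{POLICY_NS}}}Obligation"):
        oid = obligation.get("ObligationId")
        if oid in registry:
            to_run.append((oid, registry[oid]))
        else:
            unrecognised.append(oid)
    if unrecognised and process_all:
        # processAll="true": nothing else may handle these, so access is denied
        # and no obligation is constructed.
        return "Deny", [], unrecognised
    # processAll="false": unrecognised obligations are handed back to the caller
    # (e.g. an application-specific obligations component) with the decision.
    return decision, to_run, unrecognised
```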


In the example above the first obligation is an extremely simple one: this obligation just prints a message on standard output to say that it has been called. The content of AlwaysSucceedObligation.xml is as follows:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

  <bean id="always-succeed" class="issrg.aipep.obligations.AlwaysSucceedObligationConstructor"/>

</beans>



The first five lines will be the same for every such file. Each file has to specify exactly one bean which implements the issrg.aipep.obligations.ObligationConstructor interface. This does not mean that the configuration file may not contain additional beans (which are then probably used to help in specifying the ObligationConstructor bean).

Another example is given by the EmailObligation.xml file, where the EmailObligationConstructor object is specified by using a constructor which takes an object of type Properties. This object (bean) has been created as the bean with identifier 'mailProperties' and is referenced in the bean with identifier email-obligation. This is the actual ObligationConstructor defined by this file.


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

  <bean id="mailProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
    <property name="properties">
      <props>
        <prop key="mail.smtp.host">mx.cs.kent.ac.uk</prop>
        <prop key="mail.transport.protocol">smtp</prop>
      </props>
    </property>
  </bean>

  <bean id="email-obligation" class="issrg.aipep.obligations.EmailObligationConstructor">
    <constructor-arg ref="mailProperties"/>
  </bean>

</beans>



More information on how to specify such a Spring Inversion of Control configuration file can be found here: http://static.springsource.org/spring/docs/3.0.3.RELEASE/spring-framework-reference/html/beans.html

If you are interested in implementing your own obligations, then we refer to Deliverable D7.1 [12], sections 2.5.1 and 2.5.2, for a description of the various classes and interfaces involved. You could also look at the source code of existing obligations [13].


Configuring a Sun PDP

Each <SunPDPConfiguration> element defined in the configuration file describes a separate instance of a Sun XACML PDP, accessible through the server's authorisation endpoint. We do not currently support WS-Trust requests for this PDP type.

Please Note: In order to provide access to a Sun XACML PDP instance it MUST be configured as the default policy.



The possible configuration elements defined for this configuration type are:

<PolicyLocation> - The PolicyLocation element specifies the absolute or relative path location of the policy to be used with this service. This may only take the form of a path to an XML file containing an XACML 2.0 Policy construct. This element must be present at least once, and may be used multiple times to specify multiple policies.

<PolicyIdentifier> - Gives a name to the PDP which must be used in the SAML/XACML request when the PDP is not the default one.

<ObligationsServiceConfiguration> - This element is configured in the same way as the corresponding element on the PERMISConfiguration element.


Table 4. XACML Policy Configuration Example

<!-- an example XACML Policy Configuration -->
<SunPDPConfiguration isDefault="false">
  <!-- The location of the XACML Policy files -->
  <PolicyLocation>xacmlpolicy.xml</PolicyLocation>
  <PolicyLocation>xacmlpolicy-second.xml</PolicyLocation>
  <PolicyIdentifier>My-PDP</PolicyIdentifier>
</SunPDPConfiguration>



The SunPDPConfiguration element supports the following attributes, each with the same meaning as in the PERMISConfiguration element:

- isDefault

- isBtgEnabled

- btgMode

- supportMultiResources

If you want this configuration to respond to WS-Trust queries as well, then you need to set the 'isCVS' attribute to true. If you do not mention the attribute it defaults to 'false' and this element will not respond to WS-Trust queries, hence you will not be able to use it as a Credential Validation Service.




Configuring a Trust PDP

Each <TrustPDPConfiguration> element defined in the configuration file describes a separate instance of a Trust PDP, accessible through the server's authorisation endpoint. We do not currently support SAML XACML or WS-Trust requests for this PDP type and, whilst multiple policies can be configured via this configuration file, only one can be used to access the XACML-only endpoint. We call this policy the default policy and specify it as a boolean attribute of the TrustPDPConfiguration element itself called isDefault.

Please Note: In order to provide access to a Trust PDP instance it MUST be configured as the default policy.

The possible configuration elements defined for this configuration type are:

<PolicyConfigFile> - The PolicyConfigFile element is used to provide a relative or absolute path to a TrustPDP policy configuration file that defines the policies required to initialise the PDP instance. The element may only be defined once per TrustPDPConfiguration instance.

<TrustServiceConfigFile> - The TrustServiceConfigFile is used to provide a relative or absolute path to a Trust Service configuration file which specifies the class names of the required trust services.


Table 5. Trust PDP Configuration Example

<TrustPDPConfiguration isDefault="true">
  <!-- The location of the Policy Configuration file -->
  <PolicyConfigFile>./config.xml</PolicyConfigFile>
  <!-- The location of the Trust Service Configuration file -->
  <TrustServiceConfigFile>./config-trustservice.xml</TrustServiceConfigFile>
</TrustPDPConfiguration>

For more information on configuring a Trust PDP and the contents of the referenced configuration files please refer to the Trust PDP's installation documents.


Testing the Server

The standalone server also provides a testing mechanism that provides both XACML and SAML XACML grant and deny handlers. This service means that, as long as the server receives correctly formatted requests, either grant or deny replies will always be received from the default policy endpoints no matter the contents of the request.

The test handlers can be initialised by adding a <TestService> element to the permis.xml configuration file. This element should have a single attribute "handler" which is used to specify whether the service returns GRANT or DENY responses. For GRANT responses the attribute should have the value "permit" and for deny responses "deny".

Table 6. Test Service Configuration Example

<!-- An example GRANT test handler -->
<TestService handler="grant"/>

Please note: This handler overrides any other default policies configured in the permis.xml configuration file and should be omitted in production services.


Configuring an Application Independent PEP (AI-PEP)

The authorisation server can also contain one (or more) AI-PEP instance(s). This is done by using the AipepConfiguration element. The AipepConfiguration element supports the following attributes:

- isDefault: indicates whether or not this is the default PDP of the server; defaults to false when absent

- ID: gives an identifier for this PDP. It will be used to locate this PDP when specifying a PDP explicitly in the request, as specified later in the document (see Specifying an Authorisation Policy to use when making an XACMLAuthzRequest)

- submitAction: gives the name of the action to be used when submitting sticky policies.

- deleteAction: gives the name of the action to be used for deleting a particular resource identifier from the sticky store.

Note: when either of the 'submitAction' or 'deleteAction' attributes has not been specified, then submitting policies and deleting resource identifiers will not be possible through this particular interface.

The following child elements are supported:

- <DatabaseConfiguration>

- <ObligationsServiceConfiguration>

- <MasterPDPConfiguration>




The ObligationsServiceConfiguration element is the same as, for instance, the ObligationsServiceConfiguration element on the PERMISConfiguration element.

The DatabaseConfiguration element is used to configure the storage for sticky policies that were submitted to the AIPEP. You can choose to either use a file system backed storage (easy for testing) or a storage backed by a relational database. When the DatabaseConfiguration element is absent then in-memory storage is used. This means that sticky policies submitted to the authorisation server are lost when it is stopped.

To use a file system backed storage the following two attributes have to be used: 'directory' and 'filePath'. The directory attribute should give an existing (writable) folder on the file system. New sticky policies will be stored inside this folder with a file name that is a (SHA-1) hash of the sticky policy's identifier. The filePath attribute should give a file that contains the mapping between resource identifiers and sticky policies. An example of such a configuration is given below:


<DatabaseConfiguration filePath="./policystore/stickystore.txt" directory="./policystore"/>



It is also possible to use a relational database as the backend storage. In this case the DatabaseConfiguration element simply points to a Spring configuration file, which should define one bean of type javax.sql.DataSource. The springConfigurationFile attribute should give the location of the Spring configuration file. One could thus have:

<DatabaseConfiguration springConfigurationPath="webapps/axis2/WEB-INF/services/authz/conf/policy-store-spring.xml"/>

The file policy-store-spring.xml could contain something similar to:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

  <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
    <property name="url" value="jdbc:mysql://localhost/store"/>
    <property name="username" value="xxx"/>
    <property name="password" value="yyy"/>
  </bean>

</beans>



Note that in this case we used a MySQL database, but in principle this should not matter.

Remark: it may be necessary to put the library (jar file) providing access to the database in the $TOMCAT/webapps/axis2/WEB-INF/lib folder so that it can be located.

The DatabaseConfiguration element also supports the 'ridAttributeIdentifier' attribute, which gives the identifier of the XACML attribute in the request context that specifies the resource identifier of the request. The default value for this attribute (when not specified) is: urn:oasis:names:tc:xacml:1.0:resource:resource-id


Preparing the database.

The implementation expects that certain tables are present in the database. The easiest way to set up these tables is to use the DatabaseConfigurationParser main program. This expects a Spring configuration file as above as input on the command line, and will create the necessary tables for you. For instance, you could run the following command from inside $TOMCAT/webapps/axis2/WEB-INF/services/authz/lib:

java -cp *:../../../lib/* issrg.standalone.configuration.parser.DatabaseConfigurationParser ../conf/policy-store-spring.xml

Note that the actual database (store in this instance) is not created for you and needs to exist prior to executing this command. You may also need to use a different username/password for table creation.




The MasterPDPConfiguration element allows configuring the actual PDP that will be used by the AIPEP. It has the following child elements:

- LawConflictResolutionPDP: specifies the conflict resolution PDP to be used by the law.

- LawPDP: specifies the law policies that will be used by the Master PDP.

- ControllerConflictResolutionPDP: the conflict resolution PDP that will be used by the controller.

- ControllerPDP: specifies the policy that the controller/keeper of the data would like to enforce.

- TrustPDP: specifies a system wide trust policy.

All elements take a PERMISConfiguration, SunPDPConfiguration or TrustPDPConfiguration element as their child to configure the actual PDP.

When the LawPDP or ControllerPDP element is missing, this is interpreted as having a PDP that always returns NotApplicable.

The following conflict resolution strategies are currently supported:

- permit-overrides

- deny-overrides

- first-applicable

The conflict resolution PDP indicates the conflict resolution strategy by having an obligation on its response with an attribute identifier of http://sec.cs.kent.ac.uk/masterpdp/conflictresolution/permit-overrides, http://sec.cs.kent.ac.uk/masterpdp/conflictresolution/deny-overrides or http://sec.cs.kent.ac.uk/masterpdp/conflictresolution/first-applicable.

When either the law or the controller are not interested in specifying a conflict resolution strategy for a particular request, they should return NotApplicable. When no PDP is specified for a conflict resolution element then this is interpreted as returning NotApplicable for every request.
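The strategy announcement and the three combining strategies, as an added Python example that is not part of the PERMIS code: it reads the obligation identifier from a constructed conflict resolution PDP response (a missing PDP is passed as None, a NotApplicable answer yields no strategy) and applies the named strategy to an ordered list of decisions. Standard XACML semantics for permit-overrides, deny-overrides and first-applicable are assumed, with Indeterminate left out; how the master PDP orders the law's and controller's decisions is not stated in this guide and is not modelled here.

```python
import xml.etree.ElementTree as ET

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
CR_PREFIX = "http://sec.cs.kent.ac.uk/masterpdp/conflictresolution/"
STRATEGIES = ("permit-overrides", "deny-overrides", "first-applicable")
XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"

# Constructed response of a conflict resolution PDP (like the
# always-permit-overrides Sun PDP in the guide's example): the strategy is
# announced as an obligation carrying the permit-overrides identifier.
CR_RESPONSE = f"""
<Response xmlns="{XACML_NS}" xmlns:p="{POLICY_NS}">
  <Result>
    <Decision>Permit</Decision>
    <p:Obligations>
      <p:Obligation ObligationId="{CR_PREFIX}permit-overrides" FulfillOn="Permit"/>
    </p:Obligations>
  </Result>
</Response>
"""


def strategy_from_response(response_xml):
    """Strategy named by a conflict resolution PDP's response, or None when
    the PDP is absent (None), answered NotApplicable, or carried no
    conflict resolution obligation."""
    if response_xml is None:
        return None
    result = ET.fromstring(response_xml).find(f"{{{XACML_NS}}}Result")
    if result.findtext(f"{{{XACML_NS}}}Decision") == NOT_APPLICABLE:
        return None
    for obligation in result.iter(f"{{{POLICY_NS}}}Obligation"):
        oid = obligation.get("ObligationId", "")
        if oid.startswith(CR_PREFIX) and oid[len(CR_PREFIX):] in STRATEGIES:
            return oid[len(CR_PREFIX):]
    return None


def combine(strategy, decisions):
    """Apply one of the three strategies to an ordered list of decisions,
    using the standard XACML combining semantics (assumption; Indeterminate
    is left out for brevity)."""
    if strategy == "permit-overrides":
        if PERMIT in decisions:
            return PERMIT
        return DENY if DENY in decisions else NOT_APPLICABLE
    if strategy == "deny-overrides":
        if DENY in decisions:
            return DENY
        return PERMIT if PERMIT in decisions else NOT_APPLICABLE
    if strategy == "first-applicable":
        return next((d for d in decisions if d != NOT_APPLICABLE), NOT_APPLICABLE)
    raise ValueError(f"unknown conflict resolution strategy {strategy!r}")
```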


Subjects (and issuers) can submit their own conflict resolution policy to use in the same way as they can submit authorization policies. The policy type, however, must be set to 'ConflictResolution', rather than 'Authorization'.

An example of a complete AipepConfiguration element can be found below.


<AipepConfiguration isDefault="true" submitAction="SUBMIT" deleteAction="DELETE">
  <DatabaseConfiguration ridAttributeIdentifier="rid"
      filePath="./policystore/stickystore.txt" directory="./policystore"/>
  <ObligationsServiceConfiguration processAll="false">
    <Obligation path="./obligations/EmailObligation.xml">
      <ObligationIdentifier>http://sec.cs.kent.ac.uk/obligations/EmailObligation</ObligationIdentifier>
    </Obligation>
  </ObligationsServiceConfiguration>
  <MasterPDPConfiguration>
    <LawConflictResolutionPDP>
      <SunPDPConfiguration>
        <PolicyLocation>always-permit-overrides.xacml</PolicyLocation>
        <PolicyIdentifier>always-permit-overrides</PolicyIdentifier>
      </SunPDPConfiguration>
    </LawConflictResolutionPDP>
    <LawPDP>
      <PERMISConfiguration isDefault="true">
        <PolicyLocation>./lawPolicy.xml</PolicyLocation>
        <PolicyIssuer>cn=law,o=Permisv5,c=gb</PolicyIssuer>
        <PolicyIdentifier>lawPolicyIdentifier</PolicyIdentifier>
      </PERMISConfiguration>
    </LawPDP>
    <!-- Note that ControllerConflictResolutionPDP and ControllerPDP elements are missing. This is allowed. -->
  </MasterPDPConfiguration>
</AipepConfiguration>





Protocol Information

Due to the proliferation of different standards and versions of standards, we wish to make clear that, contrary to previous releases of this software, we now only support three distinct message types:

1. xacml-context:Request messages as defined in [4].

2. xacml-samlp:XACMLAuthzDecisionQuery messages as defined in [5].

3. wst:RequestSecurityToken messages as defined in [7] and constrained by [8].

In addition to the standard message types defined in these documents we have also implemented standards compliant but otherwise un-profiled means of specifying the CVS or authorisation policies to use when making RequestSecurityToken and XACMLAuthzDecisionQuery messages. We are currently in the process of profiling these requests and standardising them, and will make the full profiles available in the near future.


Specifying a CVS policy when making a WS-Trust Request

In order to specify the CVS policy to use when making the WS-Trust Request, a request should be specified according to the profile described in [8]. Once this request has been constructed a <wsp:PolicyReference> element should be added to the body of the request. The URI attribute of this element should contain a policy OID that matches a policy OID configured into the main configuration file of the server (permis.xml).

For example, the request defined below would mean that a policy with the OID of mysite-policy would be used to provide the credentials for this request.

Table 7. An Example WS-Trust Request, with referenced Policy Identifier


<wst:RequestSecurityToken xmlns="http://www.w3.org/2001/XMLSchema"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wst:TokenType>urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML</wst:TokenType>
  <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/validate</wst:RequestType>
  <wsp:PolicyReference URI="mysite-policy"/>
  <wst:Claims Dialect="http://www.ogf.org/authz/2008/06/CVS/pull">
    <saml:Assertion ID="Permis-Credential-Validation-Service-V1.0"
        IssueInstant="Wed Oct 14 16:10:15 BST 2009" Version="2.0"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml:Issuer>cn=A Permis Test User,o=PERMISv5,c=gb</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName">CN=User0,o=PERMISv5,c=gb</saml:NameID>
      </saml:Subject>
    </saml:Assertion>
  </wst:Claims>
</wst:RequestSecurityToken>




Specifying an Authorisation Policy to use when making an XACMLAuthzRequest


To specify the policy to use when making an XACMLAuthzRequest, construct the request according to the profile described in [5]. Then add a <Policy> element in the urn:oasis:names:tc:xacml:2.0:policy:schema:os namespace to the body of the request. The PolicyId attribute of this element must contain a policy OID that matches one of the policy OIDs configured in the main configuration file of the server (permis.xml). The RuleCombiningAlgId attribute of this element must be set to urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides and an empty Target element must be included, e.g.:


Table 8. An example SAML-XACML Policy reference.


<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="mysite-policy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target/>
</Policy>


For example, the request defined below would mean that the policy with the OID mysite-policy is used to provide the authorisation decision for this request.


Table 9. An Example SAML-XACML Request, with referenced Policy Identifier


<XACMLAuthzDecisionQuery xmlns="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01 file:/home/sfl/work/issrg/oasis-documents/xacml3/XACML-3.0-cd-1-updated-2009-May-07/XSD/xacml-2.0-profile-saml2.0-v2-schema-protocol-cd-1.xsd"
    ID="A2009-10-13T12.57.07" Version="2.0" IssueInstant="2009-10-13T12:58:12.209Z">
  <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <Subject xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <Attribute AttributeId="urn:oid:1.2.826.0.1.3344810.1.1.14" DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>member</AttributeValue>
      </Attribute>
    </Subject>
    <Resource xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>http://www.mysite.com/members/</AttributeValue>
      </Attribute>
    </Resource>
    <Action xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
      <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
        <AttributeValue>GET</AttributeValue>
      </Attribute>
    </Action>
    <Environment xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"/>
  </xacml-context:Request>
  <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="mysite-policy"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Target/>
  </Policy>
</XACMLAuthzDecisionQuery>
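The two sections above both hinge on the same condition: the policy OID named in the request (in the wsp:PolicyReference of a WS-Trust request, or in the PolicyId of the embedded xacml Policy of a SAML-XACML query) must be one the server has configured in permis.xml. The following is an added example, not code from the PERMIS distribution, of a client-side pre-flight check that extracts the referenced OID from either request type, enforces the permit-overrides and empty-Target requirements for the XACML form, and compares the OID against a configured list. The list CONFIGURED_POLICY_OIDS and the two trimmed request strings are constructed for the example; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the two request formats the server accepts.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
XACML_SAMLP = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
XACML_POLICY = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"

# Constructed sample (assumption): the policy OIDs an operator has configured in
# permis.xml. A real client would load this list from the deployment, not hard-code it.
CONFIGURED_POLICY_OIDS = {"mysite-policy", "1.2.826.0.1.3344810.6.0.1"}


def referenced_policy_oid(xml_text):
    """Return the policy OID a request references, or raise ValueError.

    Accepts either a WS-Trust RequestSecurityToken (policy named by
    wsp:PolicyReference) or a SAML-XACML XACMLAuthzDecisionQuery (policy
    named by the PolicyId of an embedded, otherwise empty, xacml Policy).
    """
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}RequestSecurityToken" % WST:
        ref = root.find("{%s}PolicyReference" % WSP)
        if ref is None:
            raise ValueError("WS-Trust request carries no wsp:PolicyReference")
        # The guide's Table 7 spells the attribute 'uri'; WS-Policy spells it 'URI'.
        oid = ref.get("uri") or ref.get("URI")
        if not oid:
            raise ValueError("wsp:PolicyReference has no uri attribute")
        return oid
    if root.tag == "{%s}XACMLAuthzDecisionQuery" % XACML_SAMLP:
        policy = root.find("{%s}Policy" % XACML_POLICY)
        if policy is None:
            raise ValueError("query carries no xacml Policy element")
        if policy.get("RuleCombiningAlgId") != PERMIT_OVERRIDES:
            raise ValueError("Policy reference must use permit-overrides")
        target = policy.find("{%s}Target" % XACML_POLICY)
        if target is None or len(target) != 0:
            raise ValueError("Policy reference needs an empty Target element")
        oid = policy.get("PolicyId")
        if not oid:
            raise ValueError("Policy element has no PolicyId")
        return oid
    raise ValueError("unrecognised request root element %s" % root.tag)


def check_policy_reference(xml_text, configured=CONFIGURED_POLICY_OIDS):
    """True if the request names a policy OID the server has configured."""
    return referenced_policy_oid(xml_text) in configured


# Constructed samples, trimmed from the guide's Tables 7 and 9 to the parts inspected here.
WS_TRUST_REQUEST = """<wst:RequestSecurityToken xmlns:wst="%s" xmlns:wsp="%s">
  <wst:TokenType>urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML</wst:TokenType>
  <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/validate</wst:RequestType>
  <wsp:PolicyReference uri="mysite-policy"/>
</wst:RequestSecurityToken>""" % (WST, WSP)

SAML_XACML_QUERY = """<XACMLAuthzDecisionQuery xmlns="%s" ID="A2009-10-13T12.57.07"
    Version="2.0" IssueInstant="2009-10-13T12:58:12.209Z">
  <Policy xmlns="%s" PolicyId="mysite-policy" RuleCombiningAlgId="%s">
    <Target/>
  </Policy>
</XACMLAuthzDecisionQuery>""" % (XACML_SAMLP, XACML_POLICY, PERMIT_OVERRIDES)

if __name__ == "__main__":
    for name, msg in (("WS-Trust", WS_TRUST_REQUEST), ("SAML-XACML", SAML_XACML_QUERY)):
        print(name, referenced_policy_oid(msg), check_policy_reference(msg))
```

The check deliberately fails closed: a query whose Policy element uses any other combining algorithm, or carries a non-empty Target, is rejected before it is sent, because the server expects the element purely as a policy reference and not as a policy to evaluate.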





Submitting Sticky Policies to Use for a Particular RID

In the example below, we show how a member of a certain site/service provider (presumably ou=some,o=service,c=gb) requests to submit some (personal) information, known to the service provider under the RID rid-123. The member has a sticky policy which only allows transfer of this data to other providers within the UK, and when this happens he wants this policy to be attached to his data so that the other site can also honour it. Note that the user's policy says nothing about submitting the data: in this case it is assumed that the organisation's policy determines who may submit data.




<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body>
    <XACMLAuthzDecisionQuery xmlns="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
        ID="A2010-12-13T12.58.12" Version="2.0" IssueInstant="2010-12-13T12:58:12.209Z">
      <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <Subject xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <Attribute AttributeId="urn:oid:1.2.826.0.1.3344810.1.1.14" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>member</AttributeValue>
          </Attribute>
        </Subject>
        <Resource xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>ou=some,o=service,c=gb</AttributeValue>
          </Attribute>
          <Attribute AttributeId="rid" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>rid-123</AttributeValue>
          </Attribute>
        </Resource>
        <Action xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>SUBMIT</AttributeValue>
          </Attribute>
        </Action>
        <Environment xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"/>
      </xacml-context:Request>
      <Extensions xmlns="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01">
        <sp:StickyPolicy xmlns:sp="http://sec.cs.kent.ac.uk/stickypolicy"
            PolicyID="sticky-policy-1" PolicyLanguage="PERMIS" PolicyType="Authorization"
            TimeOfCreation="2010-08-09T00:00:00Z">
          <sp:PolicyAuthor>
            <sp:AuthorType>DataSubject</sp:AuthorType>
          </sp:PolicyAuthor>
          <sp:PolicyResourceTypes>
            <sp:ResourceType>personal:preferences</sp:ResourceType>
          </sp:PolicyResourceTypes>
          <sp:PolicyContents>
            <X.509_PMI_RBAC_Policy OID="sticky-policy-1">
              <SubjectPolicy>
                <SubjectDomainSpec ID="everywhere">
                  <Include LDAPDN=""/>
                </SubjectDomainSpec>
              </SubjectPolicy>
              <RoleHierarchyPolicy>
                <RoleSpec Type="permisRole" OID="1.2.826.0.1.3344810.1.1.14">
                  <SupRole Value="UNSPECIFIED"/>
                </RoleSpec>
              </RoleHierarchyPolicy>
              <SOAPolicy>
                <SOASpec ID="anyone" LDAPDN=""/>
              </SOAPolicy>
              <RoleAssignmentPolicy>
                <RoleAssignment>
                  <SubjectDomain ID="everywhere"/>
                  <RoleList>
                    <Role Type="permisRole"/>
                  </RoleList>
                  <Delegate Depth="0"/>
                  <SOA ID="anyone"/>
                  <Validity/>
                </RoleAssignment>
              </RoleAssignmentPolicy>
              <TargetPolicy>
                <TargetDomainSpec ID="UK">
                  <Include LDAPDN="c=gb"/>
                </TargetDomainSpec>
              </TargetPolicy>
              <ActionPolicy>
                <Action Name="TRANSFER" ID="TRANSFER"/>
              </ActionPolicy>
              <TargetAccessPolicy>
                <TargetAccess>
                  <RoleList/>
                  <TargetList>
                    <Target>
                      <TargetDomain ID="UK"/>
                      <AllowedAction ID="TRANSFER"/>
                    </Target>
                  </TargetList>
                  <Obligations>
                    <Obligation ObligationId="http://sec.cs.kent.ac.uk/obligations/AttachStickyPolicy" FulfillOn="Permit"/>
                  </Obligations>
                </TargetAccess>
              </TargetAccessPolicy>
            </X.509_PMI_RBAC_Policy>
          </sp:PolicyContents>
        </sp:StickyPolicy>
      </Extensions>
    </XACMLAuthzDecisionQuery>
  </soapenv:Body>
</soapenv:Envelope>



Note: it is very important that the Extensions element used is in the same XML namespace as the XACMLAuthzDecisionQuery, otherwise your sticky policy will not be found and will hence not be stored. The request is still answered, so the omission is silent; check the namespace before you rely on the policy having been stored.
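The namespace mistake described in the note is easy to make with a generic SAML toolkit, which will put Extensions into urn:oasis:names:tc:SAML:2.0:protocol rather than into the XACMLAuthzDecisionQuery's namespace. The following is an added example, not code from the PERMIS distribution, of a pre-flight check that reproduces the AIPEP's lookup (only an Extensions element in the query's namespace is searched) and raises when a sticky policy is present in the envelope but would not be found. The envelope builder, its trimmed sample content, and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XACML_SAMLP = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"   # where a generic SAML toolkit would put Extensions
STICKY = "http://sec.cs.kent.ac.uk/stickypolicy"


def stored_sticky_policy_ids(envelope_text):
    """PolicyIDs of the sticky policies the AIPEP will actually find: those under an
    Extensions element that is in the XACMLAuthzDecisionQuery's own namespace."""
    root = ET.fromstring(envelope_text)
    query = root.find(".//{%s}XACMLAuthzDecisionQuery" % XACML_SAMLP)
    if query is None:
        raise ValueError("SOAP body carries no XACMLAuthzDecisionQuery")
    extensions = query.find("{%s}Extensions" % XACML_SAMLP)
    if extensions is None:
        return []
    return [sp.get("PolicyID") for sp in extensions.findall("{%s}StickyPolicy" % STICKY)]


def check_submission(envelope_text):
    """Raise ValueError when a sticky policy is present but would be silently dropped."""
    root = ET.fromstring(envelope_text)
    present = root.findall(".//{%s}StickyPolicy" % STICKY)
    found = stored_sticky_policy_ids(envelope_text)
    if present and not found:
        raise ValueError("sticky policy present, but its Extensions element is not in "
                         "the XACMLAuthzDecisionQuery namespace; it would not be stored")
    return found


def submission_envelope(extensions_ns):
    """Constructed sample modelled on the submission above, with the Extensions element
    placed in the namespace given so the failure mode can be reproduced."""
    return """<soapenv:Envelope xmlns:soapenv="%s">
  <soapenv:Body>
    <XACMLAuthzDecisionQuery xmlns="%s" ID="A2010-12-13T12.58.12" Version="2.0"
        IssueInstant="2010-12-13T12:58:12.209Z">
      <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"/>
      <Extensions xmlns="%s">
        <sp:StickyPolicy xmlns:sp="%s" PolicyID="sticky-policy-1" PolicyLanguage="PERMIS"
            PolicyType="Authorization" TimeOfCreation="2010-08-09T00:00:00Z">
          <sp:PolicyContents/>
        </sp:StickyPolicy>
      </Extensions>
    </XACMLAuthzDecisionQuery>
  </soapenv:Body>
</soapenv:Envelope>""" % (SOAP, XACML_SAMLP, extensions_ns, STICKY)


if __name__ == "__main__":
    print(check_submission(submission_envelope(XACML_SAMLP)))   # ['sticky-policy-1']
    try:
        check_submission(submission_envelope(SAMLP))
    except ValueError as err:
        print("rejected:", err)
```

Running the check against the SAML-protocol-namespaced variant raises, whereas the server itself would have returned a normal decision and stored nothing.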


Returning Sticky Policies from the AIPEP

Next, assume that a request comes in from another UK-based site to transfer the data with RID rid-123 to that site. The response will then come back as 'Permit' and the user's policy will be included in it, as shown below. Thus, the request may be the following:


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body>
    <XACMLAuthzDecisionQuery xmlns="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
        ID="A2011-01-01T12:58:12.209Z" Version="2.0" IssueInstant="2011-01-01T12:58:12.209Z">
      <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <Subject xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        </Subject>
        <Resource xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>o=other service,c=gb</AttributeValue>
          </Attribute>
          <Attribute AttributeId="rid" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>rid-123</AttributeValue>
          </Attribute>
        </Resource>
        <Action xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>TRANSFER</AttributeValue>
          </Attribute>
        </Action>
        <Environment xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"/>
      </xacml-context:Request>
    </XACMLAuthzDecisionQuery>
  </soapenv:Body>
</soapenv:Envelope>



The response may then be as follows. Note the obligation with identifier http://sec.cs.kent.ac.uk/obligations/stickypolicyobligation that is returned. It denotes that the policies carried in the attribute http://sec.cs.kent.ac.uk/obligations/stickypolicyobligation/stickypolicy need to be attached when the data is transferred to the other party.


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <urn:Response IssueInstant="2011-01-01T12:58:13.209Z" ID="_66149d3bc0c909eb607847edd65dc030"
        Version="2.0" InResponseTo="A2011-01-01T12:58:12.209Z"
        xmlns:urn="urn:oasis:names:tc:SAML:2.0:protocol">
      <urn:Status>
        <urn:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
      </urn:Status>
      <urn1:Assertion IssueInstant="2011-01-01T12:58:13.209Z" ID="_24c15e6bb46b2bc3aea05f9fdc53a068"
          Version="2.0" xmlns:urn1="urn:oasis:names:tc:SAML:2.0:assertion">
        <urn1:Statement xsi:type="urn:XACMLAuthzDecisionStatementType"
            xmlns:urn="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          <urn2:Response xmlns:urn2="urn:oasis:names:tc:xacml:2.0:context:schema:os">
            <urn2:Result>
              <urn2:Decision>Permit</urn2:Decision>
              <urn2:Status>
                <urn2:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
              </urn2:Status>
              <urn3:Obligations xmlns:urn3="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
                <urn3:Obligation ObligationId="http://sec.cs.kent.ac.uk/obligations/stickypolicyobligation">
                  <urn3:AttributeAssignment AttributeId="http://sec.cs.kent.ac.uk/obligations/stickypolicyobligation/stickypolicy"
                      DataType="http://www.w3.org/2001/XMLSchema#base64Binary">PD94b... (remainder of base64 encoding cut)</urn3:AttributeAssignment>
                </urn3:Obligation>
              </urn3:Obligations>
            </urn2:Result>
          </urn2:Response>
        </urn1:Statement>
      </urn1:Assertion>
    </urn:Response>
  </soapenv:Body>
</soapenv:Envelope>



Note that in this case the returned policies are base64 encoded. This behaviour can be changed by setting the 'base64EncodeStickyPolicies' attribute on the AipepConfiguration element to false.
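A receiving site has to do more than read the Decision: it must locate the stickypolicyobligation, decode the base64 attribute assignment and re-attach the policy on the next transfer, or the data subject's policy is lost at the first hop. The following is an added example, not code from the PERMIS distribution, that extracts the decision and the sticky policies from a response in the shape shown above. The base64 case follows the response above exactly; the handling of base64EncodeStickyPolicies="false" assumes the sp:StickyPolicy element is then carried inline in the AttributeAssignment, which the guide does not show. The sample response, its trimmed policy and the function names are constructed for this example.

```python
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_SAML = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01"
XACML_CONTEXT = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XACML_POLICY = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STICKY = "http://sec.cs.kent.ac.uk/stickypolicy"
OBLIGATION_ID = "http://sec.cs.kent.ac.uk/obligations/stickypolicyobligation"
STICKY_ATTR_ID = OBLIGATION_ID + "/stickypolicy"
BASE64_TYPE = "http://www.w3.org/2001/XMLSchema#base64Binary"


def decision_and_sticky_policies(response_text):
    """Return (decision, [sp:StickyPolicy Elements]) from an AIPEP response.

    The policy arrives as a base64Binary AttributeAssignment by default. With
    base64EncodeStickyPolicies="false" this example assumes (the guide does not
    show that form) that the sp:StickyPolicy element appears inline instead.
    """
    root = ET.fromstring(response_text)
    result = root.find(".//{%s}Result" % XACML_CONTEXT)
    if result is None:
        raise ValueError("response carries no xacml-context:Result")
    decision = result.findtext("{%s}Decision" % XACML_CONTEXT)
    policies = []
    for obligation in result.iter("{%s}Obligation" % XACML_POLICY):
        if obligation.get("ObligationId") != OBLIGATION_ID:
            continue
        for assignment in obligation.findall("{%s}AttributeAssignment" % XACML_POLICY):
            if assignment.get("AttributeId") != STICKY_ATTR_ID:
                continue
            if assignment.get("DataType") == BASE64_TYPE:
                raw = base64.b64decode((assignment.text or "").strip(), validate=True)
                policies.append(ET.fromstring(raw))
            else:
                policies.extend(assignment.findall("{%s}StickyPolicy" % STICKY))
    return decision, policies


# Constructed sample policy, trimmed to the attributes a receiving site would log and re-attach.
STICKY_POLICY_XML = ('<sp:StickyPolicy xmlns:sp="%s" PolicyID="sticky-policy-1" '
                     'PolicyLanguage="PERMIS" PolicyType="Authorization"/>' % STICKY)


def sample_response(base64_encoded=True):
    """Constructed sample modelled on the response above, trimmed to the parts inspected."""
    if base64_encoded:
        payload = base64.b64encode(STICKY_POLICY_XML.encode()).decode()
        data_type = BASE64_TYPE
    else:
        payload = STICKY_POLICY_XML
        data_type = "http://www.w3.org/2001/XMLSchema#anyType"   # assumption for the inline form
    return """<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>
<samlp:Response xmlns:samlp="%s" ID="_66149d3bc0c909eb607847edd65dc030" Version="2.0"
    IssueInstant="2011-01-01T12:58:13.209Z" InResponseTo="A2011-01-01T12:58:12.209Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="%s" ID="_24c15e6bb46b2bc3aea05f9fdc53a068" Version="2.0"
      IssueInstant="2011-01-01T12:58:13.209Z">
    <saml:Statement xmlns:xa="%s" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xa:XACMLAuthzDecisionStatementType">
      <xc:Response xmlns:xc="%s"><xc:Result>
        <xc:Decision>Permit</xc:Decision>
        <xc:Status><xc:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></xc:Status>
        <xp:Obligations xmlns:xp="%s"><xp:Obligation ObligationId="%s">
          <xp:AttributeAssignment AttributeId="%s" DataType="%s">%s</xp:AttributeAssignment>
        </xp:Obligation></xp:Obligations>
      </xc:Result></xc:Response>
    </saml:Statement>
  </saml:Assertion>
</samlp:Response>
</soapenv:Body></soapenv:Envelope>""" % (SOAP, SAMLP, SAML, XACML_SAML, XACML_CONTEXT,
                                          XACML_POLICY, OBLIGATION_ID, STICKY_ATTR_ID,
                                          data_type, payload)


if __name__ == "__main__":
    decision, policies = decision_and_sticky_policies(sample_response())
    print(decision, [p.get("PolicyID") for p in policies])
```

The decoder keys on both the ObligationId and the AttributeId rather than on the obligation's position, so other obligations a deployment's policy may return are left untouched, and base64 is decoded with validate=True so a corrupted or truncated payload fails loudly rather than yielding a half-parsed policy.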




The Policy Management Web Service


It is possible to use a dedicated policy management interface for the authorization server. This allows submitting, viewing and deleting of sticky policies.


Important Note: since manipulation of sticky policies is a sensitive matter, it is strongly recommended that you only allow trusted proxies to contact the policy management web service. Earlier in this document it is explained how to set up trusted proxies for an Axis2 based web service.


The Axis2 services.xml file contains the necessary information to enable the policy management interface. Simply uncomment the PolicyManagement service.


In order to use the Policy Management Web Service in conjunction with an AIPEP, you must use a relational database backend for the sticky policies. This is the (indirect) way in which the Policy Management Web Service and the AIPEP communicate.


The Axis2 services.xml file contains a parameter called 'configFile' whose value should point to the configuration file (typically called pm.xml) for the policy management web service:


<parameter name="configFile">/path/to/pm.xml</parameter>



The content of this configuration file is fairly restricted. It consists of a top level element called PolicyManagementConfiguration and a child element called DatabaseConfiguration. An example is given below:


<PolicyManagementConfiguration>
  <DatabaseConfiguration ridAttributeIdentifier="rid"
      springConfigurationPath="/path/to/policy-store-spring.xml"/>
</PolicyManagementConfiguration>



The DatabaseConfiguration element you use should be the same one as that used on your AipepConfiguration element, as they need to share the same database backend.


Available Operations


The policy management web service has the following operations:

- storePolicy: takes a sticky policy and stores it in the database. After calling this operation the policy is present in the system but it does not yet apply to any resource.

- storePolicyBase64: has the same functionality as above but is useful for clients that have problems sending complex elements to a web service. In this case the sticky policy construct should be a base64 encoded string.

- removePolicy: takes a policy identifier. After calling this operation the policy is no longer present in the system, which means that any resource identifiers to which this policy was applicable are no longer covered by it.

- getPolicy: takes a policy identifier and returns the sticky policy with that identifier.

- getPolicyBase64: as above but returns the sticky policy as a base64 encoded string.

- associate: takes a policy identifier and a resource identifier. After calling this method the policy referenced by the policy identifier applies to the given resource identifier. Calling this method multiple times has no further effect (it is idempotent).

- disassociate: the reverse of the associate method.

- getPolicyIdentifiers: takes a resource identifier and returns the list (possibly empty) of the identifiers of the policies that are applicable to that resource identifier.

- getResourceIdentifiers: takes a policy identifier and returns the list (possibly empty) of resource identifiers that this policy applies to.


References

[1] Gosling, J., Joy, B., Steele, G., and Bracha, G. 2005. Java(TM) Language Specification, 3rd Edition. Addison-Wesley Professional.

[2] Apache Axis2 project, see http://ws.apache.org/axis2/

[3] Gudgin, M., Hadley, M., Mendelsohn, M. et al. (2003), SOAP Version 1.2 Part 1: Messaging Framework, W3C Recommendation, 24 June 2003 (URL: http://www.w3.org/TR/2003/REC-soap12-part1-20030624/).

[4] OASIS, OASIS eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS Standard, 1 February 2005.

[5] OASIS, "SAML 2.0 Profile of XACML, Version 2", Committee Draft 1, 16 April 2009.

[6] David W. Chadwick, Linying Su, Romain Laborde, Use of XACML Request Context to Obtain an Authorisation Decision, OGSA Standard, September 2006.

[7] S. Anderson et al., Web Services Trust Language (WS-Trust), technical report, 2005.

[8] David Chadwick, Linying Su, Use of WS-TRUST and SAML to access a Credential Validation Service, OGSA Draft, June 2009.

[9] PERMIS PDP/CVS, see http://sec.cs.kent.ac.uk/permis or http://www.openpermis.org/

[10] Sun's XACML PDP, see http://sunxacml.sourceforge.net/

[11] Spring framework: http://www.springsource.org/

[12] Deliverable D7.1 of the TAS3 project: http://www.tas3.eu/project/publications/download/wp7-identity-management-authentication-authorization/TAS3_D07p1_IDM-Authn-Authz_V2p1.pdf/at_download/file

[13] SVN repository of ISSRG source code: http://projects.cs.kent.ac.uk/projects/permis/svn/trunk


Appendix 1. Server WSDL

This appendix contains a copy of the WSDL used to generate the Permis Standalone Server's message handling code. For additional schema information please refer to the "resources" folder in the release package, which contains a copy of this WSDL as well as all the schemas used to generate the service.


<wsdl:definitions targetNamespace="http://sec.cs.kent.ac.uk/authzservice"
    xsi:schemaLocation="http://schemas.xmlsoap.org/wsdl/ http://schemas.xmlsoap.org/wsdl/wsdl.xsd http://www.w3.org/2001/XMLSchema http://www.w3.org/2001/XMLSchema.xsd"
    xmlns:xacml-policy="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01"
    xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
    xmlns:ws="http://www.example.com/webservice"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
    xmlns:tns="http://sec.cs.kent.ac.uk/authzservice"
    xmlns:wsoap="http://www.w3.org/2004/08/wsdl/soap12"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <wsdl:types>
    <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:policy:schema:os" schemaLocation="access_control-xacml-2.0-policy-schema-os.xsd"/>
    </xsd:schema>
    <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:context:schema:os" schemaLocation="access_control-xacml-2.0-context-schema-os.xsd"/>
    </xsd:schema>
    <xsd:schema targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/" schemaLocation="http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3.xsd"/>
    </xsd:schema>
    <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion:cd-01" schemaLocation="xacml-2.0-profile-saml2.0-v2-schema-assertion-cd-1.xsd"/>
    </xsd:schema>
    <xsd:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01" schemaLocation="xacml-2.0-profile-saml2.0-v2-schema-protocol-cd-1.xsd"/>
    </xsd:schema>
    <xsd:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="urn:oasis:names:tc:SAML:2.0:protocol" schemaLocation="saml-schema-protocol-2.0.xsd"/>
    </xsd:schema>
    <xsd:schema targetNamespace="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <xsd:import namespace="urn:oasis:names:tc:SAML:2.0:assertion" schemaLocation="saml-schema-assertion-2.0.xsd"/>
    </xsd:schema>
  </wsdl:types>
  <wsdl:message name="saml2XACMLAuthzRequestMessage">
    <wsdl:part name="parameters" element="xacml-samlp:XACMLAuthzDecisionQuery">
    </wsdl:part>
  </wsdl:message>
  <wsdl:message name="WsTrustAuthzResponseMessage">
    <wsdl:part name="parameters" element="wst:RequestSecurityTokenResponse">
    </wsdl:part>
  </wsdl:message>
  <wsdl:message name="WsTrustAuthzRequestMessage">
    <wsdl:part name="parameters" element="wst:RequestSecurityToken">
    </wsdl:part>
  </wsdl:message>
  <wsdl:message name="saml2XACMLAuthzResponseMessage">
    <wsdl:part name="parameters" element="samlp:Response">
    </wsdl:part>
  </wsdl:message>
  <wsdl:message name="xacmlAuthzRequestMessage">
    <wsdl:part name="parameters" element="xacml-context:Request">
    </wsdl:part>
  </wsdl:message>
  <wsdl:message name="xacmlAuthzResponseMessage">
    <wsdl:part name="parameters" element="xacml-context:Response">
    </wsdl:part>
  </wsdl:message>
  <wsdl:portType name="AuthzInterface">
    <wsdl:operation name="XACMLAuthzRequest">
      <wsdl:input message="tns:xacmlAuthzRequestMessage">
      </wsdl:input>
      <wsdl:output message="tns:xacmlAuthzResponseMessage">
      </wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="WsTrustAuthzRequest">
      <wsdl:input message="tns:WsTrustAuthzRequestMessage">
      </wsdl:input>
      <wsdl:output message="tns:WsTrustAuthzResponseMessage">
      </wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="SAML2XACMLAuthzRequest">
      <wsdl:input message="tns:saml2XACMLAuthzRequestMessage">
      </wsdl:input>
      <wsdl:output message="tns:saml2XACMLAuthzResponseMessage">
      </wsdl:output>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="AuthzSoapHttpBinding" type="tns:AuthzInterface">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="XACMLAuthzRequest">
      <soap:operation soapAction="urn:oasis:names:tc:xacml:2.0:policy:schema:os"/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="WsTrustAuthzRequest">
      <soap:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust"/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="SAML2XACMLAuthzRequest">
      <soap:operation soapAction="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol:cd-01"/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="AuthzService">
    <wsdl:port name="AuthzEndpoint" binding="tns:AuthzSoapHttpBinding">
      <soap:address location="https://localhost:1104/axis2/services/AuthzService.AuthzEndpoint/"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>