This PIP can be used to filter out attributes that should not be accepted within a request.
- Create a new INI section for your PIP (you may choose any valid INI section name, e.g. `WHITELIST_PIP`)
- In the PIP INI section, add the `parserClass` property with the value `org.glite.authz.pep.pip.provider.AttributeWhitelistPIPIniConfigurationParser`
- Configure which request attributes are to be accepted
Property | Description | Required? | Default Value |
---|---|---|---|
acceptedActionAttributes | Space-delimited list of attribute IDs that may appear in the request action | N | None. |
acceptedEnvrionmentAttributes | Space-delimited list of attribute IDs that may appear in the request environment | N | None. |
acceptedResourceAttributes | Space-delimited list of attribute IDs that may appear in the request resource | N | None. |
acceptedSubjectAttributes | Space-delimited list of attribute IDs that may appear in the request subject | N | None. |
Note
If a property is not given then all attributes within the section (i.e. action, environment, resource, or subject) are accepted.
The following example shows a PEP Server configuration with the whitelist PIP enabled, accepting only the key-info attribute from the request subject, and filtering out all other subject attributes. All the other request attributes (action, resource and environment) are accepted as is.
```ini
[SERVICE]
entityId = https://example.org/pep
hostname = example.org
pips = WHITELIST_PIP

[PDP]
pdps = http://localhost:8152/authz

[SECURITY]
trustInfoDir = /etc/grid-security/certificates

[WHITELIST_PIP]
parserClass = org.glite.authz.pep.pip.provider.AttributeWhitelistPIPIniConfigurationParser
acceptedSubjectAttributes = urn:oasis:names:tc:xacml:1.0:subject:key-info
```
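To check what a given configuration lets through, the sketch below models the filtering rule described above. It is an added example, not the PEP Server's own code. It reads the whitelist section, applies it to a constructed request, and lists the request parts left unrestricted. The function names, the dict-based request model, the whitespace split of `pips`, and the handling of an empty property value are assumptions.

```python
import configparser

# Property names as spelled in the table above, mapped to the request part they govern.
PROPS = {
    "acceptedActionAttributes": "action",
    "acceptedEnvrionmentAttributes": "environment",
    "acceptedResourceAttributes": "resource",
    "acceptedSubjectAttributes": "subject",
}
# The page's example configuration, reduced to the sections this sketch reads.
EXAMPLE_INI = """
[SERVICE]
pips = WHITELIST_PIP
[WHITELIST_PIP]
parserClass = org.glite.authz.pep.pip.provider.AttributeWhitelistPIPIniConfigurationParser
acceptedSubjectAttributes = urn:oasis:names:tc:xacml:1.0:subject:key-info
"""

def load_whitelist(ini_text, section):
    """Return {request part: set of accepted IDs, or None when the property is not given}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep property names case-sensitive
    cp.read_string(ini_text)
    # Assumption: pips is a whitespace-separated list of PIP section names.
    if section not in cp.get("SERVICE", "pips", fallback="").split():
        raise ValueError(f"{section} is not listed in [SERVICE] pips")
    # Assumption: a property given with an empty value accepts nothing (page does not say).
    return {part: set(cp[section][prop].split()) if prop in cp[section] else None
            for prop, part in PROPS.items()}

def filter_request(request, whitelist):
    """Drop attributes not whitelisted; a part with no property passes through unchanged."""
    return {part: dict(attrs) if whitelist.get(part) is None
            else {k: v for k, v in attrs.items() if k in whitelist[part]}
            for part, attrs in request.items()}

def unrestricted_parts(whitelist):
    """Request parts in which every attribute is still accepted."""
    return sorted(p for p, ids in whitelist.items() if ids is None)

# Constructed sample request: attribute ID -> value, grouped by request part.
SAMPLE_REQUEST = {
    "subject": {"urn:oasis:names:tc:xacml:1.0:subject:key-info": "<constructed PEM>",
                "urn:example:constructed:role": "admin"},
    "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": "submit"},
    "resource": {}, "environment": {},
}

if __name__ == "__main__":
    wl = load_whitelist(EXAMPLE_INI, "WHITELIST_PIP")
    print(filter_request(SAMPLE_REQUEST, wl), unrestricted_parts(wl))
```

A misspelled property name counts as "not given" in this model, so the corresponding request part shows up in `unrestricted_parts`.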