"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "man/dacs_notices.8" between
dacs-1.4.45.txz and dacs-1.4.46.txz

About: DACS (Distributed Access Control System) is a light-weight single sign-on and role-based access control system for web servers and server-based software.

dacs_notices.8  (dacs-1.4.45.txz):dacs_notices.8  (dacs-1.4.46.txz)
skipping to change at line 22 skipping to change at line 22
Some web service providers have a requirement that users must acknowledge a notice of some sort before Some web service providers have a requirement that users must acknowledge a notice of some sort before
access can be granted to an associated resource. A user attempting to acc ess such a resource is shown a access can be granted to an associated resource. A user attempting to acc ess such a resource is shown a
web page containing the notice and asked to acknowledge it or accept its conditions, typically by pressing web page containing the notice and asked to acknowledge it or accept its conditions, typically by pressing
an "I Accept" button on the web page. These notices are commonly legal no tices, such as copyright notices, an "I Accept" button on the web page. These notices are commonly legal no tices, such as copyright notices,
licensing notices, restricted access notices, and terms-of-use notices. T his can also be applied to alert licensing notices, restricted access notices, and terms-of-use notices. T his can also be applied to alert
users to news (a warning about upcoming system maintenance, for example). users to news (a warning about upcoming system maintenance, for example).
dacs_acs(8)[2] (the DACS access control service, or ACS) can be configure d to invoke dacs_notices when dacs_acs(8)[2] (the DACS access control service, or ACS) can be configure d to invoke dacs_notices when
access control processing determines that one or more notices have not be en acknowledged. dacs_notices access control processing determines that one or more notices have not be en acknowledged. dacs_notices
acts as both a generic notice presentation handler (it retrieves notices, presents them to the user, and acts as both a generic notice presentation handler (it retrieves notices, presents them to the user, and
requests the user to acknowledge the notices) and a matching notice ackno wledgement handler (executed to asks the user to acknowledge the notices) and a matching notice acknowled gement handler (executed to
process the user´s response and take appropriate action). The presentatio n aspect of the program can be process the user´s response and take appropriate action). The presentatio n aspect of the program can be
customized. It takes steps to defeat attempts to bypass notice presentati on. customized. Measures are taken to defeat attempts to bypass notice presen tation.
In the DACS implementation, a notice (N) is usually some text, identified by a URL. A notice is associated In the DACS implementation, a notice (N) is usually some text, identified by a URL. A notice is associated
with one or more resources (R) such that an attempt to access any of thes e resources requires the user to with one or more resources (R) such that an attempt to access any of thes e resources requires the user to
first explicitly acknowledge the textual material. A DACS event handler ( H) is responsible for presenting first explicitly acknowledge the textual material. A DACS event handler ( H) is responsible for presenting
the notice to the user. The basic flow of control is roughly as follows: the notice to the user. The basic flow of control is roughly as follows:
USER | Apache/DACS USER | Apache/DACS
a) --- Request for R --->|---> (DACS Access Control Service) a) --- Request for R --->|---> (DACS Access Control Service)
b) <--- Redirect to H ---|<-- b) <--- Redirect to H ---|<--
c) --- Request for H --->|---> (a notice presentation handler) c) --- Request for H --->|---> (a notice presentation handler)
d) <--- Return N ----|<--- d) <--- Return N ----|<--
e) --- Submit Ack N --->|--> (a notice acknowledgement handler e) --- Submit Ack N --->|---> (a notice acknowledgement handler
) )
f) <--- Redirect to R ---|<-- f) <--- Redirect to R ---|<--
g) --- Request for R --->|---> (DACS access control service) g) --- Request for R --->|---> (DACS access control service)
h) <--- R ---|<-- h) <--- R ---|<--
More than one notice can be associated with a resource, in which case the y are effectively concatenated More than one notice can be associated with a resource, in which case the y are effectively concatenated
for presentation purposes and collectively acknowledged (so N may be N1, N2, ..., Nn and Ack N for presentation purposes and collectively acknowledged (so N may be N1, N2, ..., Nn and Ack N
acknowledges all of them). acknowledges all of them).
Having already acknowledged N in a session, a user should not need to do so again. dacs_notices uses a Having already acknowledged N in a session, a user should not need to do so again. dacs_notices uses a
purely client-side approach; cookies are issued to remember that resource s have been acknowledged. These purely client-side approach; cookies are issued to remember that resource s have been acknowledged. These
cookies are called notice acknowledgement tokens or NATs. The implementat ion handles both authenticated cookies are called notice acknowledgement tokens or NATs. The implementat ion handles both authenticated
and unauthenticated (anonymous) users. The cookie name consists of a pref ix, the federation name, the and unauthenticated (anonymous) users. The cookie name consists of a pref ix, the federation name, the
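Review bot: The reworded sentence "Measures are taken to defeat attempts to bypass notice presentation" is still too vague for a reader to judge what is actually protected, and the passive form now drops the subject that the old "It takes steps" at least had. Since the page goes on to say that acknowledgement state is kept purely client-side in NAT cookies, name the measures here or point to where they are described (the "secure" mode and the NOTICES_SECURE_HANDLER directive mentioned later in this page). Minor: the diagram now uses consistent arrows in steps d) and e), but step a) still says "DACS Access Control Service" while step g) says "DACS access control service"; pick one capitalisation.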
skipping to change at line 172 skipping to change at line 172
Neither this argument nor the TIME[13] argument are used or required if the NOTICES_SECURE_HANDLER[14] Neither this argument nor the TIME[13] argument are used or required if the NOTICES_SECURE_HANDLER[14]
configuration directive has the value "no". configuration directive has the value "no".
NOTICE_URIS NOTICE_URIS
The value of this argument is a space-separated list of URIs, each of which is invoked using the GET The value of this argument is a space-separated list of URIs, each of which is invoked using the GET
method and is expected to return a notice document. method and is expected to return a notice document.
Note Note
The notices are expected to be fragments of HTML text, not comple te HTML documents; each notice is The notices are expected to be fragments of HTML text, not comple te HTML documents; each notice is
"pasted" into the presentation page exactly as obtained from its "pasted" into the presentation page exactly as obtained from its
URI. URI. At present, these URIs may
not have a query component.
TIME TIME
This is the Unix time at which dacs_acs invoked the notice presentati on handler for this workflow. It This is the Unix time at which dacs_acs invoked the notice presentati on handler for this workflow. It
is used to limit the lifetime of the workflow so that it cannot easil y be rerun to obtain notice is used to limit the lifetime of the workflow so that it cannot easil y be rerun to obtain notice
acknowledgement tokens at will. acknowledgement tokens at will.
RESOURCE_URIS RESOURCE_URIS
The value of this argument is a space-separated list of URIs, each of which is associated with the The value of this argument is a space-separated list of URIs, each of which is associated with the
notice(s). notice(s).
RESPONSE RESPONSE
Passed to the notice acknowledgement handler, this argument is the us Passed to the notice acknowledgement handler, this argument is the us
er´s response and must either be er´s response and must be the
accepted or declined. string "accepted" or the string "declined".
Middleware Support Middleware Support
dacs_notices can be asked to emit various flavours of XML in support of m iddleware or thick clients. This dacs_notices can be asked to emit various flavours of XML in support of m iddleware or thick clients. This
is useful when middleware would prefer to prompt the user itself (acting as a notice presentation handler) is useful when middleware would prefer to prompt the user itself (acting as a notice presentation handler)
and then invoke a acknowledgement handler (such as dacs_notices) to obtai n a NAT. Any customizations and then invoke a acknowledgement handler (such as dacs_notices) to obtai n a NAT. Any customizations
specified for HTML output are ignored when XML is being produced and are not passed to middleware. specified for HTML output are ignored when XML is being produced and are not passed to middleware.
The XML emitted by dacs_notices conforms to the DTD dacs_notices.dtd[15]. When acting as a notice The XML emitted by dacs_notices conforms to the DTD dacs_notices.dtd[15]. When acting as a notice
presentation handler, it returns a presentation_reply element and when ac ting as a notice acknowledgement presentation handler, it returns a presentation_reply element and when ac ting as a notice acknowledgement
handler, it returns a ack_reply element; in either mode of operation an e rror reply is possible (via the handler, it returns an ack_reply element; in either mode of operation an error reply is possible (via the
common_status element). common_status element).
In conjunction with dacs_acs(8)[2], dacs_notices can optionally operate i n a "secure" mode, where a In conjunction with dacs_acs(8)[2], dacs_notices can optionally operate i n a "secure" mode, where a
particular control flow is enforced. particular control flow is enforced.
The simple (non-secure) mode will be described first. The simple (non-secure) mode will be described first.
Simple Mode Simple Mode
The presentation_reply element lists one or more notices that must be acknowledged by the user. It The presentation_reply element lists one or more notices that must be acknowledged by the user. It
includes a space-separated list of the URIs of the notices and a spac e-separated list of the URIs of includes a space-separated list of the URIs of the notices and a spac e-separated list of the URIs of
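Review bot: The sentence added to the NOTICE_URIS note, "At present, these URIs may not have a query component", states a restriction without saying what dacs_notices does when a URI with a query component is supplied (error reply, notice skipped, or query silently dropped); document the behaviour so administrators can recognise the failure. The same gap applies to the tightened RESPONSE text: it now requires the string "accepted" or "declined" but does not say how any other value is handled or whether the comparison is case-sensitive. Because the note also says each notice is "pasted" into the presentation page exactly as obtained, it is worth stating that NOTICE_URIS must only name sources whose content the site trusts. Minor: "a ack_reply" was corrected to "an ack_reply", but "invoke a acknowledgement handler" in the Middleware Support paragraph has the same article error and was left unchanged.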
skipping to change at line 300 skipping to change at line 301
BUGS BUGS
A client-side approach is used to note that resources have been acknowled ged. While this is probably the A client-side approach is used to note that resources have been acknowled ged. While this is probably the
simplest approach that works with both authenticated and unauthenticated users, it does not offer much simplest approach that works with both authenticated and unauthenticated users, it does not offer much
support if one wants acknowledgements by authenticated users to be rememb ered across sessions (i.e., support if one wants acknowledgements by authenticated users to be rememb ered across sessions (i.e.,
permanently). One possible solution is to allow persistent notice acknowl edgements to be enabled for permanently). One possible solution is to allow persistent notice acknowl edgements to be enabled for
authenticated users, suppressing NAT cookies and causing a record to be w ritten to a configured VFS item authenticated users, suppressing NAT cookies and causing a record to be w ritten to a configured VFS item
type when an authenticated user has accepted a notice. The ack() predicat e would be extended so that the type when an authenticated user has accepted a notice. The ack() predicat e would be extended so that the
existence of persistent acknowledgement records could be checked, and som e means of maintaining the existence of persistent acknowledgement records could be checked, and som e means of maintaining the
persistent records might be added. persistent records might be added.
There is no attempt to detect or prevent circular dependencies that might
be created when a URI in
NOTICE_URIS points to a resource that must itself be acknowledged.
The method used for generation of custom web pages is clunky and should b e reconsidered. The method used for generation of custom web pages is clunky and should b e reconsidered.
SEE ALSO SEE ALSO
dacs.nat(5)[17], dacs_acs(8)[2] dacs.nat(5)[17], dacs_acs(8)[2]
AUTHOR AUTHOR
Distributed Systems Software (www.dss.ca[21]) Distributed Systems Software (www.dss.ca[21])
COPYING COPYING
Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[22] f ile that accompanies the Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[22] f ile that accompanies the
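Review bot: The new BUGS entry on circular dependencies describes the cause but not the symptom or the workaround. State what happens when a URI in NOTICE_URIS points to a resource that must itself be acknowledged (for example, whether retrieval of the notice fails or the workflow loops), and advise that notice URIs be kept outside any access control rule that requires acknowledgement, so an administrator can avoid the condition until it is detected automatically.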
skipping to change at line 379 skipping to change at line 383
20. HMAC 20. HMAC
http://dacs.dss.ca/man/#HMAC http://dacs.dss.ca/man/#HMAC
21. www.dss.ca 21. www.dss.ca
https://www.dss.ca https://www.dss.ca
22. LICENSE 22. LICENSE
http://dacs.dss.ca/man/../misc/LICENSE http://dacs.dss.ca/man/../misc/LICENSE
DACS 1.4.45 01/20/2021 DACS_NOTICES(8) DACS 1.4.46 06/08/2021 DACS_NOTICES(8)
 End of changes. 10 change blocks. 
14 lines changed or deleted 19 lines changed or added
