Depending on how much you need to have both XACML and the external authorization, you could probably just implement alternative authorization filters and wire them into the Spring configuration. With a couple of noteworthy exceptions, FESL expects the filters to do the authZ work (and deal directly with the XACML machinery).

- Ben

On Thu, May 16, 2013 at 12:17 PM, Stefano Cossu <> wrote:
Hi there,
My team and I are building a Fedora repository and we are starting to
wrap our heads around FeSL and the XACML specifications.

The repository we are building has to necessarily rely on an external
application to apply some of its policies. The external application
should be accessed via HTTP request with something like: "Can user John
Doe read the EXIF data for image 12345ABC?" and receive a positive or
negative outcome which will determine the result of the authorization
policy. I have looked around on how to do this, but I'm not sure about
how to approach the problem.

Any suggestions?


AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
Fedora-commons-users mailing list