DACS_SELECT_CREDENTI(8) DACS Web Services Manual DACS_SELECT_CREDENTI(8)
NAME
dacs_select_credentials - temporarily disable DACS credentials
SYNOPSIS
dacs_select_credentials [dacsoptions[1]]
DESCRIPTION
This program is part of the DACS suite.
A user may concurrently possess more than one set of DACS credentials during a session, with each representing a different identity. Zero
or more credentials may be submitted with a request for a DACS-wrapped web service. It is sometimes desirable or necessary for a user to
switch between identities, or to be considered unauthenticated. Middleware (software situated between a user agent and a DACS-capable web
server) and more sophisticated user agents might provide this functionality simply by sending some DACS HTTP cookies and not sending
others, under user control. With standard browsers or in other situations where this functionality is not available, achieving this by
repeatedly authenticating and signing off (or by manually deleting cookies) would be inconvenient at best.
The dacs_select_credentials web service can be used to temporarily disable credentials, leaving the remaining credentials selected for
access control purposes. The user agent continues to send all DACS HTTP cookies as usual, but dacs_acs(8)[2] will ignore disabled
identities before deciding to grant or deny access. This feature can be used to work around the maximum number of identities that DACS
allows to be associated with a request - determined by the ACS_CREDENTIALS_LIMIT[3] directive - or for administrative, testing, or other
reasons. There are similarities between dacs_select_credentials and su(1)[4].
A selected identity is handled normally, but a disabled identity is "hidden": it is not considered for access control purposes and is not
reported by dacs_current_credentials(8)[5]. A disabled identity may be re-enabled by dacs_select_credentials, and dacs_signout(8)[6]
will still operate on disabled identities. All identities, disabled or not, are considered for the purposes of revoking access and in the
other situations described below.
The selected credentials are identified by a cryptographically protected cookie that is issued by dacs_select_credentials. The HTTP cookie
name has the following format:
DACS:Federation-Name:::SELECTED
where Federation-Name is the official name assigned to the federation for which the cookie is valid. This cookie confers no identity or
access control rights on its possessor. If this cookie is deleted, or just not sent with a request, all credentials accompanying the
request are used for access control. Disabling is therefore a convenience controlled by the holder of the cookie, not a revocation: the
disabled credentials are still sent by the user agent and become effective again as soon as the SELECTED cookie is absent. If
dacs_signout(8)[6] asks the browser to delete all credentials (i.e., no more credentials exist that dacs_signout is aware of), it will also
ask the browser to delete the selected credentials cookie.
The FORMAT argument (see dacs(1)[7]) determines the type of output, with the default being HTML, using the style sheet
dacs_select_credentials.css[8]. If XML output is selected, a document conforming to dacs_select_credentials.dtd[9] is returned.
OPTIONS
Web Service Arguments
dacs_select_credentials accepts the following arguments in addition to the standard CGI arguments[10].
OPERATION
This parameter is required and must be one of (case-insensitively):
SELECT
This operation replaces the current set of selected credentials, if any, with the set that match the DACS_USERNAME and
DACS_JURISDICTION arguments. It is an error if no credentials match the arguments.
DESELECT
This operation disables the specified enabled credentials. If no credentials remain selected, the user is effectively
unauthenticated as if by the SELECT_UNAUTH operation. Non-matching arguments are ignored.
ADD
The ADD operation adds the specified disabled credentials to the set of enabled credentials.
LIST
This operation lists the selection status.
CLEAR
This operation results in no selection, with all credentials available again.
SELECT_UNAUTH
This operation makes the user effectively unauthenticated; all credentials are disabled.
DESELECT_UNAUTH
This operation reverses SELECT_UNAUTH, resulting in there being no selection, with all credentials again available. It is an
error if the user is not effectively unauthenticated when the operation is invoked.
DACS_USERNAME
This argument specifies a username to match against existing credentials for the SELECT, DESELECT, and ADD operations. Exact string
matching is used (no wildcards or case folding). If this argument is absent, credentials with any username match.
DACS_JURISDICTION
This argument specifies a jurisdiction name to match against existing credentials for the SELECT, DESELECT, and ADD operations. Exact
string matching is used. If this argument is absent, credentials with any jurisdiction match. When both arguments are absent, every
credential matches.
COOKIE_SYNTAX
This parameter has the same semantics as with the dacs_authenticate(8)[11] service.
Tip
The dacs_authenticate(8)[12] web service takes an optional argument, OPERATION, that can have the value SELECT. If authentication
succeeds and this argument is present, the resulting credentials are selected as described above.
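The following is an added model, written for this page and not part of DACS, of what the operations above do to the set of credentials that dacs_acs(8) will consider, together with the SELECTED cookie name described under DESCRIPTION. The class and function names, the sample credentials, and the sample Cookie header are this example's own constructions; the SELECTED cookie's value is treated as opaque, since DACS protects it cryptographically and its contents are not documented here.

```python
"""Model of the dacs_select_credentials selection semantics.

Editorial example, not DACS code: it reproduces the documented effect of
each OPERATION on the credentials that dacs_acs would consider.  Names
are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True, order=True)
class Credential:
    jurisdiction: str
    username: str


class SelectionError(ValueError):
    """Raised where the manual says an operation 'is an error'."""


def selected_cookie_name(federation: str) -> str:
    # Documented format: DACS:Federation-Name:::SELECTED
    return f"DACS:{federation}:::SELECTED"


def selected_cookie_value(cookie_header: str, federation: str) -> Optional[str]:
    """Return the SELECTED cookie's value, or None when it is absent.

    Absence means dacs_acs uses every credential sent with the request.
    The value is opaque here; DACS protects it cryptographically.
    """
    wanted = selected_cookie_name(federation)
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == wanted:
            return value
    return None


class SelectionState:
    """Credentials accompanying a request plus the current selection.

    selected is None        -> no SELECTED cookie: all credentials are used
    selected == frozenset() -> effectively unauthenticated (SELECT_UNAUTH)
    """

    def __init__(self, credentials: Iterable[Credential]) -> None:
        self.credentials: FrozenSet[Credential] = frozenset(credentials)
        self.selected: Optional[FrozenSet[Credential]] = None

    def _matching(self, username: Optional[str],
                  jurisdiction: Optional[str]) -> FrozenSet[Credential]:
        # Exact string matching; an absent argument matches every value.
        return frozenset(
            c for c in self.credentials
            if (username is None or c.username == username)
            and (jurisdiction is None or c.jurisdiction == jurisdiction))

    def effective(self) -> FrozenSet[Credential]:
        """What dacs_acs considers once disabled identities are hidden."""
        return self.credentials if self.selected is None else self.selected

    def is_unauth(self) -> bool:
        return self.selected is not None and not self.selected

    def operate(self, operation: str, username: Optional[str] = None,
                jurisdiction: Optional[str] = None) -> Dict[Credential, bool]:
        op = operation.upper()  # OPERATION is matched case-insensitively
        match = self._matching(username, jurisdiction)
        if op == "SELECT":
            if not match:
                raise SelectionError("SELECT: no credentials match")
            self.selected = match
        elif op == "DESELECT":
            # Non-matching arguments are ignored; an empty remainder is
            # the same state as SELECT_UNAUTH.
            self.selected = self.effective() - match
        elif op == "ADD":
            self.selected = self.effective() | match
        elif op == "CLEAR":
            self.selected = None
        elif op == "SELECT_UNAUTH":
            self.selected = frozenset()
        elif op == "DESELECT_UNAUTH":
            if not self.is_unauth():
                raise SelectionError("DESELECT_UNAUTH: not effectively unauthenticated")
            self.selected = None
        elif op != "LIST":
            raise SelectionError(f"unknown OPERATION {operation!r}")
        return self.status()

    def status(self) -> Dict[Credential, bool]:
        """LIST output: each credential and whether it is currently enabled."""
        enabled = self.effective()
        return {c: c in enabled for c in sorted(self.credentials)}


if __name__ == "__main__":
    # Constructed sample: three credentials held during one session.
    state = SelectionState([Credential("EXAMPLE", "alice"),
                            Credential("OTHER", "alice"),
                            Credential("EXAMPLE", "bob")])
    for op, kw in [("SELECT", {"username": "alice"}),
                   ("DESELECT", {"jurisdiction": "OTHER"}),
                   ("DESELECT", {"username": "alice"}),
                   ("DESELECT_UNAUTH", {})]:
        print(op, kw, state.operate(op, **kw))
```

The model makes the two failure modes in the operation list explicit: SELECT with arguments that match nothing raises, and DESELECT_UNAUTH raises unless the previous state was effectively unauthenticated, whether reached through SELECT_UNAUTH or through a DESELECT that left nothing selected.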
FILES
dacs_select_credentials.css[8]
DIAGNOSTICS
The program exits 0 if everything was fine, 1 if an error occurred.
BUGS
It might be useful to be able to temporarily suppress one or more specific roles of a given identity.
AUTHOR
Distributed Systems Software (www.dss.ca[13])
COPYING
Copyright 2003-2012 Distributed Systems Software. See the LICENSE[14] file that accompanies the distribution for licensing information.
NOTES
1. dacsoptions
http://dacs.dss.ca/man/dacs.1.html#dacsoptions
2. dacs_acs(8)
http://dacs.dss.ca/man/dacs_acs.8.html
3. ACS_CREDENTIALS_LIMIT
http://dacs.dss.ca/man/dacs.conf.5.html#ACS_CREDENTIALS_LIMIT
4. su(1)
http://www.freebsd.org/cgi/man.cgi?query=su&apropos=0&sektion=1&manpath=FreeBSD+9.0-RELEASE&format=html
5. dacs_current_credentials(8)
http://dacs.dss.ca/man/dacs_current_credentials.8.html
6. dacs_signout(8)
http://dacs.dss.ca/man/dacs_signout.8.html
7. dacs(1)
http://dacs.dss.ca/man/dacs.1.html
8. dacs_select_credentials.css
http://dacs.dss.ca/man//css/dacs_select_credentials.css
9. dacs_select_credentials.dtd
http://dacs.dss.ca/man/../dtd-xsd/dacs_select_credentials.dtd
10. standard CGI arguments
http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args
11. dacs_authenticate(8)
http://dacs.dss.ca/man/dacs_authenticate.8.html#COOKIE_SYNTAX
12. dacs_authenticate(8)
http://dacs.dss.ca/man/dacs_authenticate.8.html
13. www.dss.ca
http://www.dss.ca
14. LICENSE
http://dacs.dss.ca/man/../misc/LICENSE
DACS 1.4.27b 10/22/2012 DACS_SELECT_CREDENTI(8)