dacs_select_credentials

DACS_SELECT_CREDENTI(8)     DACS Web Services Manual     DACS_SELECT_CREDENTI(8)



NAME
       dacs_select_credentials - temporarily disable DACS credentials

SYNOPSIS
       dacs_select_credentials [dacsoptions[1]]

DESCRIPTION
       This program is part of the DACS suite.

       A user may concurrently possess more than one set of DACS credentials
       during a session, with each representing a different identity. Zero or
       more credentials may be submitted with a request for a DACS-wrapped web
       service. It is sometimes desirable or necessary for a user to switch
       between identities, or to be considered unauthenticated. Middleware
       (software situated between a user agent and a DACS-capable web server)
       and more sophisticated user agents might provide this functionality
       simply by sending some DACS HTTP cookies and not sending others, under
       user control. With standard browsers or in other situations where this
       functionality is not available, achieving this by repeatedly
       authenticating and signing off (or by manually deleting cookies) would be
       inconvenient at best.

       The dacs_select_credentials web service can be used to temporarily
       disable credentials, leaving the remaining credentials selected for
       access control purposes. The user agent continues to send all DACS HTTP
       cookies as usual, but dacs_acs(8)[2] will ignore disabled identities
       before deciding to grant or deny access. This feature can be used to work
       around the maximum number of identities that DACS allows to be associated
       with a request - determined by the ACS_CREDENTIALS_LIMIT[3] directive -
       or for administrative, testing, or other reasons. There are similarities
       between dacs_select_credentials and su(1)[4].

       A selected identity is handled normally, but a disabled identity is
       "hidden"; it is not considered for access control purposes and is not
       reported by dacs_current_credentials(8)[5]. A disabled identity may
       nevertheless be re-enabled by dacs_select_credentials, and
       dacs_signout(8)[6] will work with disabled identities. All identities,
       disabled or not, are considered for the purposes of revoking access and
       in other situations described below.

       The selected credentials are identified by a cryptographically protected
       cookie that is issued by dacs_select_credentials. The HTTP cookie name
       has the following format:

           DACS:Federation-Name::::SELECTED

       where Federation-Name is the official name assigned to the federation for
       which the cookie is valid (see COOKIE_NAME_TERMINATORS[7]). This cookie
       confers no identity or access control rights to its possessor. If this
       cookie is deleted, or just not sent with a request, all credentials
       accompanying the request are used for access control. If
       dacs_signout(8)[6] asks the browser to delete all credentials (i.e., no
       more credentials exist that dacs_signout is aware of), it will also ask
       the browser to delete the selected credentials cookie.

       The FORMAT argument (see dacs(1)[8]) determines the type of output, with
       the default being HTML, using the style sheet
       dacs_select_credentials.css[9]. If XML output is selected, a document
       conforming to dacs_select_credentials.dtd[10] is returned. The JSON
       format (RFC 7159[11]) is also recognized.

OPTIONS
   Web Service Arguments
       dacs_select_credentials accepts the following arguments in addition to
       the standard CGI arguments[12].

       OPERATION
           This parameter is required and must be one of (case-insensitively):

           SELECT
               This operation replaces the current set of selected credentials,
               if any, with the set that matches the DACS_USERNAME and
               DACS_JURISDICTION arguments. It is an error if no credentials
               match the arguments.

           DESELECT
               This operation disables the specified enabled credentials. If no
               credentials remain selected, the user is effectively
               unauthenticated as if by the SELECT_UNAUTH operation.
               Non-matching arguments are ignored.

           ADD
               The ADD operation adds the specified disabled credentials to the
               set of enabled credentials.

           LIST
               This operation lists the selection status.

           CLEAR
               This operation results in no selection, with all credentials
               available again.

           SELECT_UNAUTH
               This operation makes the user effectively unauthenticated; all
               credentials are disabled.

           DESELECT_UNAUTH
               This operation reverses SELECT_UNAUTH, so that there is no
               selection and all credentials are again available. It is an
               error if the user is not effectively unauthenticated when the
               operation is invoked.


       DACS_USERNAME
           This argument specifies a username to match against existing
           credentials for the SELECT, DESELECT, and ADD operations. Exact
           string matching is used. If this argument is absent, all usernames
           will be selected.

       DACS_JURISDICTION
           This argument specifies a jurisdiction name to match against existing
           credentials for the SELECT, DESELECT, and ADD operations. Exact
           string matching is used. If this argument is absent, all
           jurisdictions will be selected.

       COOKIE_SYNTAX
           This parameter has the same semantics as with the
           dacs_authenticate(8)[13] service.

           Tip
           The dacs_authenticate(8)[14] web service takes an optional argument,
           OPERATION, that can have the value SELECT. If authentication succeeds
           and this argument is present, the resulting credentials are selected
           as described above.
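
       The following Python model of the OPERATION semantics above is an added
       example, not DACS source code. It assumes an identity is a
       (jurisdiction, username) pair and that None means "no selection"; all
       names in it, including the sample credentials, are hypothetical.

```python
# Added model of the OPERATION semantics described above; not DACS source code.
# Assumption: an identity is a (jurisdiction, username) pair; None = no selection.
class SelectionError(Exception):
    """Raised where the manual says an operation is an error."""

# Constructed sample credentials held by one user agent.
CREDS = frozenset({("EXAMPLE", "alice"), ("EXAMPLE", "bob"), ("OTHER", "alice")})

def matching(creds, username=None, jurisdiction=None):
    # Exact string matching; an absent argument matches every value.
    return frozenset((j, u) for (j, u) in creds
                     if username in (None, u) and jurisdiction in (None, j))

def effective(creds, selected):
    # Identities considered for access control; without a selection, all are.
    return frozenset(creds) if selected is None else selected & frozenset(creds)

def apply_operation(creds, selected, operation, username=None, jurisdiction=None):
    """Return the new selection after one request to the service."""
    op = operation.upper()              # OPERATION is case-insensitive
    hit = matching(creds, username, jurisdiction)
    enabled = effective(creds, selected)
    if op == "SELECT":
        if not hit:
            raise SelectionError("no credentials match the arguments")
        return hit                      # replaces any earlier selection
    if op == "DESELECT":
        return enabled - hit            # empty result: effectively unauthenticated
    if op == "ADD":
        return enabled | hit            # re-enable matching disabled identities
    if op == "LIST":
        return selected                 # reports status, changes nothing
    if op == "CLEAR":
        return None                     # no selection, everything available
    if op == "SELECT_UNAUTH":
        return frozenset()              # all credentials disabled
    if op == "DESELECT_UNAUTH":
        if selected is None or enabled:
            raise SelectionError("user is not effectively unauthenticated")
        return None
    raise SelectionError("unknown OPERATION: " + operation)
```

       In this model an ADD issued while no selection exists returns the full
       set of credentials, which has the same access control effect as having
       no selection.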

FILES
       dacs_select_credentials.css[9]

DIAGNOSTICS
       The program exits 0 if everything was fine, 1 if an error occurred.

BUGS
       It might be useful to be able to temporarily suppress one or more
       specific roles of a given identity.

SEE ALSO
       dacs_authenticate(8)[14], dacs_signout(8)[6]

AUTHOR
       Distributed Systems Software (www.dss.ca[15])

COPYING
       Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[16]
       file that accompanies the distribution for licensing information.

NOTES
        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. dacs_acs(8)
           http://dacs.dss.ca/man/dacs_acs.8.html

        3. ACS_CREDENTIALS_LIMIT
           http://dacs.dss.ca/man/dacs.conf.5.html#ACS_CREDENTIALS_LIMIT

        4. su(1)
           https://www.freebsd.org/cgi/man.cgi?query=su&apropos=0&sektion=1&manpath=FreeBSD+10.3-RELEASE&format=html

        5. dacs_current_credentials(8)
           http://dacs.dss.ca/man/dacs_current_credentials.8.html

        6. dacs_signout(8)
           http://dacs.dss.ca/man/dacs_signout.8.html

        7. COOKIE_NAME_TERMINATORS
           http://dacs.dss.ca/man/dacs.conf.5.html#COOKIE_NAME_TERMINATORS

        8. dacs(1)
           http://dacs.dss.ca/man/dacs.1.html

        9. dacs_select_credentials.css
           http://dacs.dss.ca/man//css/dacs_select_credentials.css

       10. dacs_select_credentials.dtd
           http://dacs.dss.ca/man/../dtd-xsd/dacs_select_credentials.dtd

       11. RFC 7159
           https://tools.ietf.org/html/rfc7159

       12. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

       13. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html#COOKIE_SYNTAX

       14. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

       15. www.dss.ca
           http://www.dss.ca

       16. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE



DACS 1.4.40                        02/19/2019            DACS_SELECT_CREDENTI(8)