Provided by: dacs_1.4.40-2_amd64


       dacs_select_credentials - temporarily disable DACS credentials


       dacs_select_credentials [dacsoptions[1]]


       This program is part of the DACS suite.

       A user may concurrently possess more than one set of DACS credentials during a session,
       with each representing a different identity. Zero or more credentials may be submitted
       with a request for a DACS-wrapped web service. It is sometimes desirable or necessary for
       a user to switch between identities, or to be considered unauthenticated. Middleware
       (software situated between a user agent and a DACS-capable web server) and more
       sophisticated user agents might provide this functionality simply by sending some DACS
       HTTP cookies and not sending others, under user control. With standard browsers or in
       other situations where this functionality is not available, achieving this by repeatedly
       authenticating and signing off (or by manually deleting cookies) would be inconvenient at

       The dacs_select_credentials web service can be used to temporarily disable credentials,
       leaving the remaining credentials selected for access control purposes. The user agent
       continues to send all DACS HTTP cookies as usual, but dacs_acs(8)[2] will ignore disabled
       identities before deciding to grant or deny access. This feature can be used to work
       around the maximum number of identities that DACS allows to be associated with a request -
       determined by the ACS_CREDENTIALS_LIMIT[3] directive - or for administrative, testing, or
       other reasons. There are similarities between dacs_select_credentials and su(1)[4].

       A selected identity is handled normally, but a disabled identity is "hidden"; it is not
       considered for access control purposes and is not reported by
       dacs_current_credentials(8)[5]. A disabled identity may be re-enabled by
       dacs_select_credentials, however, and dacs_signout(8)[6] will work with disabled
       identities. All identities, disabled or not, are still considered for the purposes of
       revoking access and in other situations described below.

       The selected credentials are identified by a cryptographically protected cookie that is
       issued by dacs_select_credentials. The HTTP cookie name has the following format:


       where Federation-Name is the official name assigned to the federation for which the cookie
       is valid (see COOKIE_NAME_TERMINATORS[7]). This cookie confers no identity or access
       control rights to its possessor. If this cookie is deleted, or just not sent with a
       request, all credentials accompanying the request are used for access control. If
       dacs_signout(8)[6] asks the browser to delete all credentials (i.e., no more credentials
       exist that dacs_signout is aware of), it will also ask the browser to delete the selected
       credentials cookie.

       The FORMAT argument (see dacs(1)[8]) determines the type of output, with the default being
       HTML, using the style sheet dacs_select_credentials.css[9]. If XML output is selected, a
       document conforming to dacs_select_credentials.dtd[10] is returned. The JSON format (RFC
       7159[11]) is also recognized.


   Web Service Arguments
       dacs_select_credentials accepts the following arguments in addition to the standard CGI

           This parameter is required and must be one of (case-insensitively):

               This operation replaces the current set of selected credentials, if any, with the
               set that matches the DACS_USERNAME and DACS_JURISDICTION arguments. It is an error
               if no credentials match the arguments.

               This operation disables the specified enabled credentials. If no credentials
               remain selected, the user is effectively unauthenticated as if by the
               SELECT_UNAUTH operation. Non-matching arguments are ignored.

               The ADD operation adds the specified disabled credentials to the set of enabled

               This operation lists the selection status.

               This operation results in no selection, with all credentials available again.

               This operation makes the user effectively unauthenticated; all credentials are

               This operation reverses SELECT_UNAUTH, resulting in no selection, with all
               credentials available again. It is an error if the user is not effectively
               unauthenticated when the operation is invoked.

           This argument specifies a username to match against existing credentials for the
           SELECT, DESELECT, and ADD operations. Exact string matching is used. If this argument
           is absent, all usernames will be selected.

           This argument specifies a jurisdiction name to match against existing credentials for
           the SELECT, DESELECT, and ADD operations. Exact string matching is used. If this
           argument is absent, all jurisdictions will be selected.

           This parameter has the same semantics as with the dacs_authenticate(8)[13] service.

           The dacs_authenticate(8)[14] web service takes an optional argument, OPERATION, that
           can have the value SELECT. If authentication succeeds and this argument is present,
           the resulting credentials are selected as described above.
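
       The selection semantics described above, as an added example that is not DACS code: a
       small model of how SELECT, DESELECT, ADD and SELECT_UNAUTH change the set of identities
       considered for access control. Identities are modelled as (jurisdiction, username)
       pairs, and the function names are hypothetical.

```python
# Added illustration: a model of the selection semantics described on this page.
# Not DACS source code; identities are (jurisdiction, username) pairs (assumption).

ALL = None  # no selection cookie sent: every credential is used


def matches(cred, username=None, jurisdiction=None):
    """Exact string match; an absent argument matches everything."""
    jur, user = cred
    return (username is None or user == username) and \
           (jurisdiction is None or jur == jurisdiction)


def effective(creds, selection):
    """Identities considered for access control under this selection."""
    return set(creds) if selection is ALL else set(creds) & selection


def apply_op(op, creds, selection, username=None, jurisdiction=None):
    """Return the new selection after one operation named on the page."""
    op = op.upper()  # the operation name is matched case-insensitively
    hits = {c for c in creds if matches(c, username, jurisdiction)}
    enabled = effective(creds, selection)
    if op == "SELECT":
        if not hits:
            raise ValueError("no credentials match")  # documented as an error
        return frozenset(hits)  # replaces any previous selection
    if op == "DESELECT":
        # An empty result means the user is effectively unauthenticated.
        return frozenset(enabled - hits)
    if op == "ADD":
        return frozenset(enabled | hits)
    if op == "SELECT_UNAUTH":
        return frozenset()
    raise ValueError(f"operation not modelled: {op}")


def demo():
    # Constructed sample session: three identities across two jurisdictions.
    creds = [("HR", "alice"), ("ENG", "alice"), ("ENG", "admin")]
    s1 = apply_op("select", creds, ALL, jurisdiction="ENG")
    s2 = apply_op("DESELECT", creds, s1, username="admin")
    s3 = apply_op("ADD", creds, s2, username="alice", jurisdiction="HR")
    s4 = apply_op("DESELECT", creds, s3)  # no arguments: matches all
    return [effective(creds, s) for s in (s1, s2, s3, s4)]
```

       The last step shows the case worth checking in any deployment: a DESELECT with no
       DACS_USERNAME or DACS_JURISDICTION matches every credential and leaves the user
       effectively unauthenticated.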




       The program exits 0 if everything was fine, 1 if an error occurred.


       It might be useful to be able to temporarily suppress one or more specific roles of a
       given identity.


       dacs_authenticate(8)[14], dacs_signout(8)[6]


       Distributed Systems Software ([15])


       Copyright © 2003-2018 Distributed Systems Software. See the LICENSE[16] file that
       accompanies the distribution for licensing information.


        1. dacsoptions

        2. dacs_acs(8)


        4. su(1)

        5. dacs_current_credentials(8)

        6. dacs_signout(8)


        8. dacs(1)

        9. dacs_select_credentials.css

       10. dacs_select_credentials.dtd

       11. RFC 7159

       12. standard CGI arguments

       13. dacs_authenticate(8)

       14. dacs_authenticate(8)


       16. LICENSE