Provided by: dacs_1.4.28b-3ubuntu2_i386

NAME

       dacs_select_credentials - temporarily disable DACS credentials

SYNOPSIS

       dacs_select_credentials [dacsoptions[1]]

DESCRIPTION

       This program is part of the DACS suite.

       A user may concurrently possess more than one set of DACS credentials
       during a session, with each representing a different identity. Zero or
       more credentials may be submitted with a request for a DACS-wrapped web
       service. It is sometimes desirable or necessary for a user to switch
       between identities, or to be considered unauthenticated. Middleware
       (software situated between a user agent and a DACS-capable web server)
       and more sophisticated user agents might provide this functionality
       simply by sending some DACS HTTP cookies and not sending others, under
       user control. With standard browsers or in other situations where this
       functionality is not available, achieving this by repeatedly
       authenticating and signing off (or by manually deleting cookies) would
       be inconvenient at best.

       The dacs_select_credentials web service can be used to temporarily
       disable credentials, leaving the remaining credentials selected for
       access control purposes. The user agent continues to send all DACS HTTP
       cookies as usual, but dacs_acs(8)[2] will ignore disabled identities
       before deciding to grant or deny access. This feature can be used to
       work around the maximum number of identities that DACS allows to be
       associated with a request - determined by the ACS_CREDENTIALS_LIMIT[3]
       directive - or for administrative, testing, or other reasons. There are
       similarities between dacs_select_credentials and su(1)[4].

       A selected identity is handled normally, but a disabled identity is
       "hidden"; it is not considered for access control purposes and is not
       reported by dacs_current_credentials(8)[5]. A disabled identity may
       nevertheless be re-enabled by dacs_select_credentials, and
       dacs_signout(8)[6] will work with disabled identities. All identities,
       selected or disabled, are still considered for the purposes of
       revoking access and in other situations described below.

       The selected credentials are identified by a cryptographically
       protected cookie that is issued by dacs_select_credentials. The HTTP
       cookie name has the following format:

           DACS:Federation-Name:::SELECTED

       where Federation-Name is the official name assigned to the federation
       for which the cookie is valid. This cookie confers no identity or
       access control rights to its possessor. If this cookie is deleted, or
       just not sent with a request, all credentials accompanying the request
       are used for access control. If dacs_signout(8)[6] asks the browser to
       delete all credentials (i.e., no more credentials exist that
       dacs_signout is aware of), it will also ask the browser to delete the
       selected credentials cookie.

       The FORMAT argument (see dacs(1)[7]) determines the type of output,
       with the default being HTML, using the style sheet
       dacs_select_credentials.css[8]. If XML output is selected, a document
       conforming to dacs_select_credentials.dtd[9] is returned.

OPTIONS

   Web Service Arguments
       dacs_select_credentials accepts the following arguments in addition to
       the standard CGI arguments[10].

       OPERATION
           This parameter is required and must be one of (case-insensitively):

           SELECT
               This operation replaces the current set of selected
               credentials, if any, with the set that matches the
               DACS_USERNAME and DACS_JURISDICTION arguments. It is an error
               if no credentials match the arguments.

           DESELECT
               This operation disables the specified enabled credentials. If
               no credentials remain selected, the user is effectively
               unauthenticated as if by the SELECT_UNAUTH operation.
               Non-matching arguments are ignored.

           ADD
               The ADD operation adds the specified disabled credentials to
               the set of enabled credentials.

           LIST
               This operation lists the selection status.

           CLEAR
               This operation results in no selection, with all credentials
               available again.

           SELECT_UNAUTH
               This operation makes the user effectively unauthenticated; all
               credentials are disabled.

           DESELECT_UNAUTH
               This operation reverses SELECT_UNAUTH, resulting in no
               selection, with all credentials available again. It is an
               error if the user is not effectively unauthenticated when the
               operation is invoked.

       DACS_USERNAME
           This argument specifies a username to match against existing
           credentials for the SELECT, DESELECT, and ADD operations. Exact
           string matching is used. If this argument is absent, all usernames
           will be selected.

       DACS_JURISDICTION
           This argument specifies a jurisdiction name to match against
           existing credentials for the SELECT, DESELECT, and ADD operations.
           Exact string matching is used. If this argument is absent, all
           jurisdictions will be selected.

       COOKIE_SYNTAX
           This parameter has the same semantics as with the
           dacs_authenticate(8)[11] service.

           Tip
           The dacs_authenticate(8)[12] web service takes an optional
           argument, OPERATION, that can have the value SELECT. If
           authentication succeeds and this argument is present, the resulting
           credentials are selected as described above.
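
       The following is an added example, not part of DACS or of the
       original manual page: a small model of how the OPERATION values and
       the DACS_USERNAME and DACS_JURISDICTION arguments change the set of
       enabled identities. The names Session, SelectionError and apply are
       hypothetical, the sample identities are constructed, and the
       behaviour of ADD when no selection exists is an assumption; the
       cryptographic protection of the cookie is not modelled.

```python
# Added illustration: a model of the OPERATION semantics in this page.
# Not DACS code; Session, SelectionError and apply() are hypothetical names.

class SelectionError(Exception):
    """Raised where the page says an operation "is an error"."""

class Session:
    def __init__(self, credentials):
        # credentials: (jurisdiction, username) pairs held by the user
        self.all = frozenset(credentials)
        self.selected = None  # None = no selection: all credentials are used

    def enabled(self):
        """Identities considered when deciding whether to grant access."""
        return self.all if self.selected is None else self.selected

    def _match(self, username, jurisdiction):
        # Exact string matching; an absent (None) argument matches everything.
        return frozenset((j, u) for (j, u) in self.all
                         if username in (None, u) and jurisdiction in (None, j))

    def apply(self, operation, username=None, jurisdiction=None):
        op = operation.upper()  # OPERATION is case-insensitive
        hits = self._match(username, jurisdiction)
        if op == "SELECT":
            if not hits:
                raise SelectionError("no credentials match")
            self.selected = hits
        elif op == "DESELECT":
            self.selected = self.enabled() - hits  # no match: nothing changes
        elif op == "ADD":
            # Assumption: with no selection in force nothing is disabled.
            if self.selected is not None:
                self.selected = self.selected | hits
        elif op == "CLEAR":
            self.selected = None
        elif op == "SELECT_UNAUTH":
            self.selected = frozenset()
        elif op == "DESELECT_UNAUTH":
            if self.selected != frozenset():
                raise SelectionError("not effectively unauthenticated")
            self.selected = None
        elif op != "LIST":
            raise SelectionError("unknown OPERATION: " + operation)
        return sorted(self.enabled())  # identities now enabled

if __name__ == "__main__":
    s = Session([("HR", "alice"), ("ENG", "alice"), ("ENG", "root")])  # constructed
    print(s.apply("select", username="alice"))
    print(s.apply("DESELECT", jurisdiction="HR"))
```

       In this model a DESELECT that removes the last enabled identity
       leaves the same state as SELECT_UNAUTH, so DESELECT_UNAUTH is then
       accepted.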

FILES

       dacs_select_credentials.css[8]

DIAGNOSTICS

       The program exits 0 if everything was fine, 1 if an error occurred.

BUGS

       It might be useful to be able to temporarily suppress one or more
       specific roles of a given identity.

AUTHOR

       Distributed Systems Software (www.dss.ca[13])

COPYING

       Copyright 2003-2013 Distributed Systems Software. See the LICENSE[14]
       file that accompanies the distribution for licensing information.

NOTES

        1. dacsoptions
           http://dacs.dss.ca/man/dacs.1.html#dacsoptions

        2. dacs_acs(8)
           http://dacs.dss.ca/man/dacs_acs.8.html

        3. ACS_CREDENTIALS_LIMIT
           http://dacs.dss.ca/man/dacs.conf.5.html#ACS_CREDENTIALS_LIMIT

        4. su(1)
           http://www.freebsd.org/cgi/man.cgi?query=su&apropos=0&sektion=1&manpath=FreeBSD+9.1-RELEASE&format=html

        5. dacs_current_credentials(8)
           http://dacs.dss.ca/man/dacs_current_credentials.8.html

        6. dacs_signout(8)
           http://dacs.dss.ca/man/dacs_signout.8.html

        7. dacs(1)
           http://dacs.dss.ca/man/dacs.1.html

        8. dacs_select_credentials.css
           http://dacs.dss.ca/man//css/dacs_select_credentials.css

        9. dacs_select_credentials.dtd
           http://dacs.dss.ca/man/../dtd-xsd/dacs_select_credentials.dtd

       10. standard CGI arguments
           http://dacs.dss.ca/man/dacs.services.8.html#standard_cgi_args

       11. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html#COOKIE_SYNTAX

       12. dacs_authenticate(8)
           http://dacs.dss.ca/man/dacs_authenticate.8.html

       13. www.dss.ca
           http://www.dss.ca

       14. LICENSE
           http://dacs.dss.ca/man/../misc/LICENSE