DACS Tools

The core DACS technologies can be accessed directly or indirectly from the command line or by invoking simple web services. Instead of relying on complicated and hard-to-use protocols (such as SOAP, WSDL, and so on), DACS uses a REST-oriented design where its web services can be invoked from an ordinary browser, HTTP client utility, or API that provides HTTP functionality. Simple XML or HTML documents are returned. Because of this approach, writing programs, including middleware, that builds on DACS web services is not difficult.

A PowerPoint overview for developers is available.

dacscheck

Through the dacscheck command, the DACS rule-processing engine can be used from the command line. This allows scripts (Perl, PHP, shell, etc.) and compiled programs to make data-driven access control decisions rather than program-driven ones. Although no authentication or identity management is performed by dacscheck and it is a totally stand-alone program, CGI programs in particular can benefit from its capabilities.

A script or other program might use dacscheck with appropriate access control rules to decide, for instance:

• if the current user is allowed to use the program
• if the current user has the right to use a particular program feature
• if the current user has administrative privileges
• if the current user is allowed to access a particular resource, such as a file or device

For example, a program might use dacscheck to control access to a printer. Access could easily be limited to certain users or classes of user. Usage could be further limited to certain days, times, locations, etc., all depending on the policy expressed by the access control rules.

dacscheck could be used by a resource allocation/scheduling system. For example, exclusive use of a remotely-controlled web cam might be managed by a set of rules that allocates time slots to individuals.

dacscheck has many advantages over specially-written access control logic:

• Access control rules are separate from code, so changes to a set of rules automatically applies to all uses of those rules throughout an application or set of applications; code does not need to be modified if the policy is changed.
• Bug fixes and improvements to rules are automatically available to programs that use dacscheck; no recompilation of applications is necessary.
• The person who administers the rules does not have to be the application's programmer (or even someone who understands the code), so delegating responsibility is much easier. This reduces the amount of programming required when changes are required, reduces code maintenance effort, and decreases the chance of error.
• It is usually easier to understand (and express) a set of rules that describes an access control policy; code that implements the same policy will be more complex and difficult to understand, increasing the chance of error.
• Applications are simplified and programming time and effort are reduced because existing access control code (i.e., dacscheck) is reused.
• Sophisticated rules can be constructed without having to write any code. DACS features are available, such as roles and groups, and can be used to construct simpler and more expressive authorization policies than are likely to be hand-coded.
• Rules are platform independent, can be stored remotely from the applications that use them, and can potentially be evaluated remotely. dacscheck is available for a variety of platforms.
• Rules can be shared and used in different situations and by different programs.
• Because it does not rely on a web server, it can be used by virtually any CGI-based program.
• With respect to DACS, it can be used in circumstances where the mod_auth_dacs module cannot be used with Apache, or where Apache cannot be used at all.
• Because it is implemented as an ordinary command, dacscheck can be used from the command line or invoked from almost any script or program.
• For CGI-based programs, dacscheck can be used without any assistance from a system administrator; e.g., it does not require a web server to be configured to provide authorization for a CGI program because all access control functionality is performed within the program.
• dacscheck neither performs authentication nor relies on any particular authentication method, so the authentication method can be changed without affecting the application's use of dacscheck. Any supported means of authentication can be used, not only the typical password-based method. dacscheck can be configured to work in conjunction with a system's native authentication system, or for CGI programs, with any authentication methods used by a web server.

A C/C++ API is being developed to expose this functionality directly to scripting languages and compiled programs.

Please refer to dacscheck(1) for technical information and examples.

dacsauth

dacscauth is to authentication testing what dacscheck is to authorization testing. dacscauth harnesses the DACS authentication infrastructure, providing command line access to its authentication modules. Programmers do not need to waste time reinventing the wheel, perhaps poorly, by building username/password authentication into their programs - through dacscauth, they can reuse the DACS username/password mechanism. Even better, instead of having to create new, application-specific accounts, they can call dacscauth and ask it to authenticate using your existing Unix, NTLM, LDAP, Apache, CAS, etc. accounts.

dacscauth makes it easy to leverage existing authentication methods, helping to prevent the proliferation of accounts that makes life difficult for both users and system administrators.

Programs that use dacscauth can issue DACS credentials after successful user authentication, but they do not have to.

Please refer to dacsauth(1) for technical information and examples.

Contributed Resources

A variety of other software and resources for DACS can be found in the dacs-contrib project at SourceForge.

The DACS Java Library (DJL) is being developed to support the use of DACS in Java client applications. It implements Java wrapper classes for selected DACS services, and provides an HTTP client through which DACS services may be accessed and DACS credentials obtained and managed.

The FedAdmin Web Application is an administrator console for managing the configuration of DACS federations and jurisdictions. It is deployed in a servlet container such as Tomcat, but must be accessed via an Apache+DACS proxy and deployed under a dedicated FEDADMIN DACS application jurisdiction. FedAdmin implements partial coverage of the most common DACS configuration tasks, including viewing federation and jurisdiction configuration directives, adding and deleting local DACS users, and creating, editing, and deleting ACL rules.