dacs_select_credentials - temporarily disable DACS credentials
This program is part of the DACS
A user may concurrently possess more than one set of DACS credentials
during a session, with each set representing a different identity. Zero or more
credentials may be submitted with a request for a DACS service. It is
sometimes desirable or necessary for a user to switch between identities, or
to be considered unauthenticated. Middleware (software situated between a user
agent and a DACS-capable web server) and more sophisticated user agents might
provide this functionality simply by sending some HTTP cookies and not others,
under user control. With standard browsers, or in other situations where this
functionality is not available, achieving this by repeatedly authenticating and
signing off (or by manually deleting cookies) would be inconvenient at best.
The dacs_select_credentials web service can be used to temporarily disable
credentials, leaving the remaining credentials selected for access control
purposes. The user agent continues to send all DACS cookies as usual, but
dacs_acs(8) will ignore disabled identities before deciding to grant or deny
access. This feature can be used to work around the maximum number of
identities that DACS allows to be associated with a request (determined by the
ACS_CREDENTIALS_LIMIT directive), or for administrative, testing, or other
reasons. There are similarities between dacs_select_credentials and
dacs_signout(8). A selected identity is handled normally, but a disabled
identity is "hidden": it is not considered for access control purposes and is
not reported by dacs_current_credentials(8). A disabled identity may be
re-enabled by dacs_select_credentials, however, and dacs_signout(8) will work
with disabled identities. All identities are considered for the purposes of
revoking access, however, and in the other situations described below.
The selected credentials are identified by a cryptographically protected cookie
that is issued by dacs_select_credentials. The HTTP cookie name incorporates
the official name assigned to the federation for which the cookie is valid
(see COOKIE_NAME_TERMINATORS). This cookie confers no identity or access
control rights on its possessor. If this cookie is deleted, or simply not sent
with a request, all credentials accompanying the request are used for access
control. If dacs_signout(8) asks the browser to delete all credentials (i.e.,
no more credentials exist that DACS is aware of), it will also ask the browser
to delete the selected credentials cookie.
The output format argument (see dacs(1)) determines the type of output, with
the default being HTML, using the service's style sheet. If XML output is
selected, a document conforming to dacs_select_credentials.dtd is returned.
The JSON format (RFC 7159) is also recognized.
dacs_select_credentials accepts the following arguments in addition to the
standard CGI arguments.

The operation argument is required and must be one of the following:

SELECT
  This operation replaces the current set of selected credentials, if any,
  with the set that match the DACS_USERNAME and DACS_JURISDICTION arguments.
  It is an error if no credentials match.

DESELECT
  This operation disables the specified enabled credentials. If no credentials
  remain selected, the user is effectively unauthenticated, as if by the
  SELECT_UNAUTH operation. Non-matching arguments are ignored.

ADD
  This operation adds the specified disabled credentials to the set of enabled
  credentials.

This operation lists the current selection.

This operation results in no selection, with all credentials available again.

SELECT_UNAUTH
  This operation makes the user effectively unauthenticated; all credentials
  are disabled.

This operation reverses SELECT_UNAUTH, resulting in there being no selection,
with all credentials again available. It is an error if the user is not
effectively unauthenticated when the operation is invoked.
DACS_USERNAME
  This argument specifies a username to match against existing credentials
  for the SELECT, DESELECT, and ADD operations. Exact string matching is used.
  If this argument is absent, all usernames will be selected.

DACS_JURISDICTION
  This argument specifies a jurisdiction name to match against existing
  credentials for the SELECT, DESELECT, and ADD operations. Exact string
  matching is used. If this argument is absent, all jurisdictions will be
  selected.
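The following is an added example, not DACS source code: a small model of the
selection semantics described above (SELECT, DESELECT and ADD with exact
DACS_USERNAME/DACS_JURISDICTION matching, SELECT_UNAUTH and its reverse, the
"no selection" state, and the rule that a missing or forged selection cookie
means every credential accompanying the request is used). The cookie encoding
(HMAC-SHA256 over a JSON body), the key, the identity names, and the names
CLEAR and UNSELECT_UNAUTH for the two operations this page does not name are
all assumptions made for the example.

```python
"""Illustrative model of dacs_select_credentials semantics (added example).

Not DACS code.  An identity is a (jurisdiction, username) pair.  A selection
is None (no selection: everything the request carries is enabled) or a dict
{"unauth": bool, "enabled": [[jurisdiction, username], ...]}.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

Identity = Tuple[str, str]

# Assumed names for the two operations whose names the page does not preserve.
OPERATIONS = {"SELECT", "DESELECT", "ADD", "LIST", "SELECT_UNAUTH",
              "CLEAR", "UNSELECT_UNAUTH"}


def sign_selection(selection: dict, key: bytes) -> str:
    """Encode the selection as a signed cookie value (assumed format)."""
    body = json.dumps(selection, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_selection(cookie: Optional[str], key: bytes) -> Optional[dict]:
    """Return the selection, or None if the cookie is absent or forged.

    A forged cookie is treated exactly like a missing one: the possessor gains
    nothing, because the cookie only hides credentials, it never grants any.
    """
    if cookie is None or "|" not in cookie:
        return None
    body, mac = cookie.rsplit("|", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


def matches(ident: Identity, jurisdiction: Optional[str], username: Optional[str]) -> bool:
    """Exact string match; an absent argument matches every value."""
    j, u = ident
    return (jurisdiction is None or j == jurisdiction) and (username is None or u == username)


def effective_identities(credentials: List[Identity], selection: Optional[dict]) -> List[Identity]:
    """The identities dacs_acs would consider for this request."""
    if selection is None:
        return list(credentials)
    if selection["unauth"]:
        return []
    return [c for c in credentials if list(c) in selection["enabled"]]


def exceeds_limit(credentials: List[Identity], selection: Optional[dict], limit: int) -> bool:
    """Would the effective identities exceed an ACS_CREDENTIALS_LIMIT of `limit`?"""
    return len(effective_identities(credentials, selection)) > limit


def apply_operation(op: str, credentials: List[Identity], selection: Optional[dict],
                    jurisdiction: Optional[str] = None,
                    username: Optional[str] = None) -> Optional[dict]:
    """Return the new selection after applying `op`; raise ValueError on error."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    current = effective_identities(credentials, selection)
    if op == "SELECT":
        matched = [c for c in credentials if matches(c, jurisdiction, username)]
        if not matched:
            raise ValueError("no credentials match")
        return {"unauth": False, "enabled": [list(c) for c in matched]}
    if op == "DESELECT":
        remaining = [c for c in current if not matches(c, jurisdiction, username)]
        # Nothing left selected: effectively unauthenticated, as by SELECT_UNAUTH.
        return {"unauth": not remaining, "enabled": [list(c) for c in remaining]}
    if op == "ADD":
        disabled = [c for c in credentials if c not in current]
        added = [c for c in disabled if matches(c, jurisdiction, username)]
        new = current + added
        return {"unauth": not new, "enabled": [list(c) for c in new]}
    if op == "LIST":
        return selection                      # listing changes nothing
    if op == "CLEAR":
        return None                           # no selection: all available again
    if op == "SELECT_UNAUTH":
        return {"unauth": True, "enabled": []}
    # UNSELECT_UNAUTH: only valid while effectively unauthenticated
    if selection is None or not selection["unauth"]:
        raise ValueError("user is not effectively unauthenticated")
    return None


if __name__ == "__main__":
    key = b"constructed-example-key"
    creds = [("METALOGIC", "alice"), ("EXAMPLE", "alice"), ("EXAMPLE", "bob")]
    sel = apply_operation("SELECT", creds, None, jurisdiction="EXAMPLE")
    print("effective:", effective_identities(creds, verify_selection(sign_selection(sel, key), key)))
```

The DESELECT branch shows the edge case from the page: removing the last
enabled identity leaves the user effectively unauthenticated rather than
reverting to "all credentials". Note also that every branch works from the
identities the request actually carries, so a selection cookie naming an
identity the request does not present enables nothing.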
One further argument has the same semantics as with the dacs_authenticate(8)
service.

The dacs_authenticate(8) web service takes an optional argument that can have
the value SELECT. If authentication succeeds and this argument is present, the
resulting credentials are selected.
The program exits 0 if everything was fine and 1 if an error occurred.
It might be useful to be able to temporarily suppress one or more specific roles
of a given identity.
Distributed Systems Software (www.dss.ca)
Copyright 2003-2014 Distributed Systems Software. See the LICENSE file
that accompanies the distribution for licensing information.
- RFC 7159
- standard CGI arguments