Grouper Users - Open Discussion List

["Jie Lv" <>]

Do you think you can add log statements where you see fit, rebuild, and let
us know how it goes?
-----------------

I did add the following log statement before line 261,which now became line
269:
249             if (LOG.isDebugEnabled()) {
250               LOG.debug("resolve {} attributes {}", msg,
attributes.size());
251               for (String key : attributes.keySet()) {
252                 for (Object value : attributes.get(key).getValues()) {
253                   LOG.debug("resolve {} '{}' : {}", new Object[] { msg,
key, value });
254                 }
255               }
256             }
257             return attributes;
258           }
259         });
260         String msg = "UUUUU:";
261         if (LOG.isDebugEnabled()) {
262               LOG.debug("UUUUU resolve {} attributes {}", msg,
attributes.size());
263               for (String key : attributes.keySet()) {
264                 for (Object value : attributes.get(key).getValues()) {
265                   LOG.debug("UUUUU resolve {} '{}' : {}", new Object[] {
msg, key, value });
266                 }
267               }
268             }
269     return attributes;

And this is what I got in idp-process.log:
18:20:21.985 - DEBUG
[edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
or:250] - resolve '10101' dc 'Membe
rDataConnector2' attributes 2
18:20:21.986 - DEBUG
[edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
or:253] - resolve '10101' dc 'Membe
rDataConnector2' 'id' : 10101
18:20:21.988 - DEBUG
[edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
or:253] - resolve '10101' dc 'Membe
rDataConnector2' 'groups' :
Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]
18:20:21.989 - DEBUG
[edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
or:262] - UUUUU resolve UUUUU: attr
ibutes 2
18:20:21.989 - DEBUG
[edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
or:265] - UUUUU resolve UUUUU: 'id'
 : 10101
18:20:21.989 - DEBUG
[edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnect
or:265] - UUUUU resolve UUUUU: 'gro
ups' : Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]

18:20:22.245 - DEBUG [org.apache.xml.security.utils.DigesterOutputStream:-1]
- <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML
:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema";
ID="_a9e45dc1e0a92b9c0e8f065d3dab5909" IssueInstant="2011-09-23T10:20:22
.187Z" Version="2.0"><saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp2.pku.e
du.cn/idp/shibboleth/
carsifed</saml2:Issuer><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NameQualifier="http
s://idp2.pku.edu.cn/idp/shibboleth/carsifed"
SPNameQualifier="https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed";>_5d6a4d
0514570030e
548d9a24b04cb17</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationDa
ta Address="2001:da8:201:1130:5490:4cef:4cd8:8332"
InResponseTo="_12e6eb509b60298d05b99eb5464f8ef1"
NotOnOrAfter="2011-09-23T10:25:2
2.187Z"
Recipient="http://sp-chat.zzu6.edu.cn/Shibboleth.sso/SAML2/POST";></saml2:Sub
jectConfirmationData></saml2:SubjectConfirmation
></saml2:Subject><saml2:Conditions NotBefore="2011-09-23T10:20:22.187Z"
NotOnOrAfter="2011-09-23T10:25:22.187Z"><saml2:AudienceRestr
iction><saml2:Audience>https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed</s
aml2:Audience></saml2:AudienceRestriction></saml2:Condit
ions><saml2:AuthnStatement AuthnInstant="2011-09-23T10:20:21.802Z"
SessionIndex="e8b0d3333f6cdb1955dbaacade73a9f20299ef64b2e70937224
e354868f74fcb"><saml2:SubjectLocality
Address="2001:da8:201:1130:5490:4cef:4cd8:8332"></saml2:SubjectLocality><sam
l2:AuthnContext><s
aml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</saml2:AuthnContextClassRef></saml2:AuthnContext></saml
2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
FriendlyName="carsifed:username" Name="carsifed:username" NameFormat="ur
n:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:type=
"xs:string">10101</saml2:AttributeValue></saml2:Attribute></saml2:AttributeS
tatement></saml2:Assertion>

Still, there is NO attribute named "isMemberOf" in the SAML attribute
statement.
Seems really weird to me.

Jie
-----Original Message-----
From: Chris Hyzer 
[mailto:]
 
Sent: Friday, September 23, 2011 1:36 PM
To: Jie Lv; 'Tom Zeller'
Cc: 

Subject: RE: [grouper-users] Problem with configuration of Grouper Plugin
for Shibboleth


> So I understand, what do you think the problem is between lines 199-200 ?
> ---
> Line 199 is:
> nameAttribute.setValues(GrouperUtil.toList(new String[] { name }));
> I don't quite understand why you're using GrouperUtil.toList( ) instead of
> Java Util classess to construct a list?

Because there is more than one way to do things, and if there is no bug in
it, or performance problem, or maintainability problem etc, then lets focus
on working on more important things :)  FYI we have a lot of Grouper and
Jakarta etc utility methods that are null safe / shortcuts and are used
throughout the code.

> The variable "attributes" in line 261, INSTEAD OF the variable in line 257
,
> is the value to be used by Shibboleth.
> I'm not quite sure why you wrote the code like this. 
> But I wonder if you could insert the code for logging before line 261 to
> check if the return value for function resolve() is correct?
> 

Its an anonymous inner class that passes the value to the outer part which
returns it... looks fine to me.  Do you think you can add log statements
where you see fit, rebuild, and let us know how it goes?  :)

Thanks,
Chris