mace-opensaml-users - RE: [OpenSAML] Attribute Values in XACMLAuthzQuery

Subject: OpenSAML user discussion

  • From: "Rachana Ananthakrishnan" <>
  • To: <>
  • Subject: RE: [OpenSAML] Attribute Values in XACMLAuthzQuery
  • Date: Tue, 3 Jun 2008 13:25:30 -0500

Hi Håkon,

Thanks for your response.

The xsi:type is being added by the marshaller when I try to convert a
XACMLAuthzDecisionQueryType to a DOM Element. I need to convert it to send
it over the wire in my application context.

I also see that the sample posted in the guide has xs:string set as the
xsi:type for AttributeValue: page 7 in
http://www.bccs.uib.no/~hakont/SAMLXACMLExtension/files/ProgrammingGuideSAML_XACML.pdf

Code snippet that I am using to convert:

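// Look up the marshaller registered for the XACML 2.0 authorization decision query type.
MarshallerFactory factory = Configuration.getMarshallerFactory();
Marshaller marshaller =
    factory.getMarshaller(XACMLAuthzDecisionQueryType.TYPE_NAME_XACML20);
// Marshal the query object into a DOM Element so it can be sent over the wire.
Element authzQueryElement = marshaller.marshall(xacmlQueryType);

logger.debug("The XACML query string:\n" +
    XmlUtils.toString(authzQueryElement));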

Pasting the logger output at the end of this email.

I could manually fix the element to remove the xsi:type attribute, but is
this something that can be fixed in the marshaller?

Thanks,
Rachana

2008-06-03 11:58:25,515 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-2,convertQuery:535] The XACML query string:
<xacml-samlp:XACMLAuthzDecisionQuery ID="_32be146cba60506e8492e02f69b33420"
    InputContextOnly="false" Version="2.0"
    xmlns:xacml-samlp="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">ISSUER</saml:Issuer>
  <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <xacml-context:Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
      <xacml-context:Attribute
          AttributeId="http://authz-interop.org/xacml/subject/subject-x509-id"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          Issuer="issuer">
        <xacml-context:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">C=US,O=Globus Alliance,OU=User,CN=101497d3dcd.3dcd5aef,CN=1693307201</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <xacml-context:Attribute
          AttributeId="http://authz-interop.org/xacml/subject/subject-x509-issuer"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          Issuer="issuer">
        <xacml-context:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">C=US,O=Globus Alliance,OU=User,CN=101497d3dcd.3dcd5aef</xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Subject>
    <xacml-context:Resource>
      <xacml-context:Attribute
          AttributeId="http://www.globus.org/xacml/service-endpoint"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          Issuer="issuer">
        <xacml-context:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">https://192.168.1.100:1767/wsrf/services/xacml/TestService</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <xacml-context:Attribute
          AttributeId="urn:globus:4.0:container:service-name"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          Issuer="Issuer">
        <xacml-context:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">https://192.168.1.100:1767/wsrf/services/xacml/TestService</xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Resource>
    <xacml-context:Action>
      <xacml-context:Attribute
          AttributeId="http://www.globus.org/xacml/operation-name"
          DataType="http://www.w3.org/2001/XMLSchema#string"
          Issuer="issuer">
        <xacml-context:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">method1</xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Action>
  </xacml-context:Request>
</xacml-samlp:XACMLAuthzDecisionQuery>


________________________________

From: [mailto:] On Behalf Of Håkon Sagehaug
Sent: Tuesday, June 03, 2008 3:30 AM
To:
Subject: Re: [OpenSAML] Attribute Values in XACMLAuthzQuery


Hi

I tried to remove the xsi:type="xs:string" from the AttributeValue
element, then everything works, so I asked Chad about it and he answered this:

"The XML is wrong, there shouldn't be an xsi:type, that element is
already defined as having the xsi:type="AttributeValueType" and since it's
not declared as abstract you can't redefine the type."

So, if you can get rid of the type in attribute value you are good.
Also, the spec says, page 76:

"The data-type of the <xacml-context:AttributeValue> SHALL be
specified by using the DataType attribute of the parent <Attribute> element."

So no need to specify it in the AttributeValue element

cheers, Håkon
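
The manual workaround discussed in this thread, removing xsi:type from each AttributeValue after marshalling, is sketched below as an added example; it is not code from either poster or from OpenSAML. It uses only JDK DOM APIs, and the class name, method name and sample document are hypothetical; it assumes the marshalled attribute sits in the XMLSchema-instance namespace, as in the logged output.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example (hypothetical helper, not OpenSAML code): post-processes a marshalled DOM tree.
public class StripAttributeValueXsiType {
    static final String XACML_CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os";
    static final String XSI_NS = "http://www.w3.org/2001/XMLSchema-instance";

    /** Removes xsi:type from every XACML AttributeValue under root; returns how many were removed. */
    static int stripXsiType(Element root) {
        NodeList values = root.getElementsByTagNameNS(XACML_CTX_NS, "AttributeValue");
        int removed = 0;
        for (int i = 0; i < values.getLength(); i++) {
            Element value = (Element) values.item(i);
            Node parent = value.getParentNode();
            // The data type must come from the parent Attribute's DataType, so refuse
            // to strip when that is missing rather than emit an untyped value.
            boolean typed = parent instanceof Element && ((Element) parent).hasAttribute("DataType");
            if (!typed) {
                throw new IllegalStateException("AttributeValue without a parent DataType");
            }
            if (value.hasAttributeNS(XSI_NS, "type")) {
                value.removeAttributeNS(XSI_NS, "type");
                removed++;
            }
        }
        return removed;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, shortened from the shape of the logged query.
        String xml = "<c:Request xmlns:c='" + XACML_CTX_NS + "'><c:Action><c:Attribute"
            + " AttributeId='urn:example:operation' DataType='http://www.w3.org/2001/XMLSchema#string'>"
            + "<c:AttributeValue xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:xsi='" + XSI_NS + "'"
            + " xsi:type='xs:string'>method1</c:AttributeValue></c:Attribute></c:Action></c:Request>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for the namespace-aware lookups above
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println("removed " + stripXsiType(doc.getDocumentElement()));
    }
}
```

The leftover xmlns:xs and xmlns:xsi declarations are harmless once the attribute is gone, so the sketch leaves them in place.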





