mace-opensaml-users - Issue with multiple obligation handlers

Subject: OpenSAML user discussion

  • From: "Rachana Ananthakrishnan" <>
  • To: <>
  • Subject: Issue with multiple obligation handlers
  • Date: Wed, 25 Jun 2008 20:04:58 -0500

Despite adding a bunch of Obligation Handlers, in my case different
instances of the same obligation handler class for multiple obligation ids,
the evaluateObligation method of only the first added handler is invoked.

Code snippet for adding obligation handler:

    obligationService = new ObligationService();
    Iterator iterator = this.obligationHandlers.iterator();
    while (iterator.hasNext()) {
        AbstractObligationHandler handler =
            (AbstractObligationHandler) iterator.next();
        handler.setRequestEntities(requestEntities);
        logger.debug("Adding handler: " + handler
                     + " for id " + handler.getObligationId());
        obligationService.addObligationhandler(handler);
    }

Code snippet from result type:

    ResultType result = pdpResponseType.getResult();
    logger.debug("Result has " +
                 result.getObligations().getObligations().size());

    if (obligationService != null) {
        logger.debug("Process obligation in result");
        ObligationProcessingContext context =
            new ObligationProcessingContext(result);
        try {
            obligationService.processObligations(context);
        } catch (ObligationProcessingException exp) {
            return getDecisionForError("xacmlObligationProcessErr",
                                       null, containerEntity,
                                       requestor);
        }
    }

Test Obligation handler code snippet:

    public void evaluateObligation(
            ObligationProcessingContext obligationProcessingContext,
            ObligationType obligation)
            throws ObligationProcessingException {

        logger.debug("Obligation evaluation called with " +
                     obligation.getObligationId());
        ...
    }

The XML on the wire shows that 7 obligations, the ones for which a handler
has been added, are sent. Attached is the relevant wire message.

Here is debug output for adding of handlers:

2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:605] Adding handler: class org.globus.authz.xacml.TestObligationHandler for id http://authz-interop.org/xacml/obligation/storage-access-priority
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:605] Adding handler: class org.globus.authz.xacml.TestObligationHandler for id http://authz-interop.org/xacml/obligation/secondary-gids
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:605] Adding handler: class org.globus.authz.xacml.TestObligationHandler for id http://authz-interop.org/xacml/obligation/root-and-home-paths
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:605] Adding handler: class org.globus.authz.xacml.TestObligationHandler for id http://authz-interop.org/xacml/2.0/obligation/username
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:605] Adding handler: class org.globus.authz.xacml.TestObligationHandler for id http://authz-interop.org/xacml/obligation/access-permissions
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:605] Adding handler: class org.globus.authz.xacml.TestObligationHandler for id http://authz-interop.org/xacml/obligation/afs-token
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:605] Adding handler: class org.globus.authz.xacml.TestObligationHandler for id http://authz-interop.org/xacml/obligation/uidgid

Result and processing debug:

2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:655] Result has 7
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:659] Process obligation in result
2008-06-25 19:51:54,062 DEBUG xacml.TestObligationHandler [ServiceThread-3,evaluateObligation:54] Obligation evaluation called with http://authz-interop.org/xacml/obligation/storage-access-priority

No other obligation handler instances are invoked. Does the obligation
handling code look correct? Is the API being incorrectly used?

Thanks,
Rachana

Attachment: obligationTrace
Description: Binary data


