OpenSAML user discussion

["Rachana Ananthakrishnan" <>]

Despite adding a bunch of Obligation Handlers, in my case different
instances of the same obligation handler class for multiple obligation ids,
evaluateObligation method of only the first added handler is invoked.

Code snippet for adding obligation handler:

            obligationService = new ObligationService();
            Iterator iterator = this.obligationHandlers.iterator();
            while (iterator.hasNext()) {
                AbstractObligationHandler handler =
                    (AbstractObligationHandler) iterator.next();
                handler.setRequestEntities(requestEntities);
                logger.debug("Adding handler: " + handler
                             + " for id " + handler.getObligationId());
                obligationService.addObligationhandler(handler);
            }

Code snippet from result type:

ResultType result = pdpResponseType.getResult();
logger.debug("Result has " +
result.getObligations().getObligations().size());

                if (obligationService != null) {
                    logger.debug("Process obligation in result");
                    ObligationProcessingContext context =
                        new ObligationProcessingContext(result);
                    try {
                        obligationService.processObligations(context);
                    } catch (ObligationProcessingException exp) {
                        return
getDecisionForError("xacmlObligationProcessErr",
                                                   null, containerEntity,
                                                   requestor);
                    }
                }

Test Obligation handler code snippet:

public void
    evaluateObligation(ObligationProcessingContext
obligationProcessingContext,
                       ObligationType obligation)
        throws ObligationProcessingException {

        logger.debug("Obligation evaluation called with " +
                     obligation.getObligationId());
...
}

XML on wire shows that 7 obligations, the ones for which handler has been
added are sent. Attached is the relevant wire message.

Here is debug output for adding of handlers:

2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/storage-access-priority 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/secondary-gids 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/root-and-home-paths 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/2.0/obligation/username 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/access-permissions 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/afs-token 2008-06-25 19:51:54,062
DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/uidgid

Result and processing debug:

2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:655] Result has 7 2008-06-25 19:51:54,062 DEBUG
authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:659]
Process obligation in result 2008-06-25 19:51:54,062 DEBUG
xacml.TestObligationHandler [ServiceThread-3,evaluateObligation:54]
Obligation evaluation called with
http://authz-interop.org/xacml/obligation/storage-access-priority

No other obligation handler instances are invoked. Does the obligation
handling code look correct? Is the API being incorrectly used?

Thanks,
Rachana

Attachment: obligationTrace
Description: Binary data