mace-opensaml-users - Re: [OpenSAML] Issue with multiple obligation handlers
Subject: OpenSAML user discussion
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [OpenSAML] Issue with multiple obligation handlers
- Date: Tue, 15 Jul 2008 07:56:32 +0200
- Openpgp: id=146B2514
- Organization: SWITCH
Yes, I believe this is a bug. I was able to reproduce what I think you were doing and got the result you describe. Please submit a bug report and I'll correct the issue in the code.
Rachana Ananthakrishnan wrote:
Despite adding a bunch of Obligation Handlers, in my case different
instances of the same obligation handler class for multiple obligation ids,
evaluateObligation method of only the first added handler is invoked.
Code snippet for adding obligation handler:
obligationService = new ObligationService();
Iterator iterator = this.obligationHandlers.iterator();
while (iterator.hasNext()) {
AbstractObligationHandler handler =
(AbstractObligationHandler) iterator.next();
handler.setRequestEntities(requestEntities);
logger.debug("Adding handler: " + handler
+ " for id " + handler.getObligationId());
obligationService.addObligationhandler(handler);
}
Code snippet from result type:
ResultType result = pdpResponseType.getResult();
logger.debug("Result has " +
result.getObligations().getObligations().size());
if (obligationService != null) {
logger.debug("Process obligation in result");
ObligationProcessingContext context =
new ObligationProcessingContext(result);
try {
obligationService.processObligations(context);
} catch (ObligationProcessingException exp) {
return
getDecisionForError("xacmlObligationProcessErr",
null, containerEntity,
requestor);
}
}
Test Obligation handler code snippet:
public void
evaluateObligation(ObligationProcessingContext
obligationProcessingContext,
ObligationType obligation)
throws ObligationProcessingException {
logger.debug("Obligation evaluation called with " +
obligation.getObligationId());
...
}
XML on wire shows that 7 obligations, the ones for which handler has been
added are sent. Attached is the relevant wire message.
Here is debug output for adding of handlers:
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/storage-access-priority 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/secondary-gids 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/root-and-home-paths 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/2.0/obligation/username 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/access-permissions 2008-06-25
19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/afs-token 2008-06-25 19:51:54,062
DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:605] Adding handler: class
org.globus.authz.xacml.TestObligationHandler for id
http://authz-interop.org/xacml/obligation/uidgid
Result and processing debug:
2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
[ServiceThread-3,isPermitted:655] Result has 7 2008-06-25 19:51:54,062 DEBUG
authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:659]
Process obligation in result 2008-06-25 19:51:54,062 DEBUG
xacml.TestObligationHandler [ServiceThread-3,evaluateObligation:54]
Obligation evaluation called with
http://authz-interop.org/xacml/obligation/storage-access-priority
No other obligation handler instances are invoked. Does the obligation
handling code look correct? Is the API being incorrectly used?
Thanks,
Rachana
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
- Re: [OpenSAML] Issue with multiple obligation handlers, Chad La Joie, 07/15/2008
Archive powered by MHonArc 2.6.16.