OpenSAML user discussion

[Chad La Joie <>]

Yes, I believe this is a bug.  I was able to reproduce what I think you 
were doing and got the result you describe.  Please submit a bug report 
and I'll correct the issue in the code.

Rachana Ananthakrishnan wrote:
> Despite adding a bunch of Obligation Handlers, in my case different
> instances of the same obligation handler class for multiple obligation ids,
> evaluateObligation method of only the first added handler is invoked.
>
> Code snippet for adding obligation handler:
>
>             obligationService = new ObligationService();
>             Iterator iterator = this.obligationHandlers.iterator();
>             while (iterator.hasNext()) {
>                 AbstractObligationHandler handler =
>                     (AbstractObligationHandler) iterator.next();
>                 handler.setRequestEntities(requestEntities);
>                 logger.debug("Adding handler: " + handler
>                              + " for id " + handler.getObligationId());
>                 obligationService.addObligationhandler(handler);
>             }
>
> Code snippet from result type:
>
> ResultType result = pdpResponseType.getResult();
> logger.debug("Result has " +
> result.getObligations().getObligations().size());
>
>                 if (obligationService != null) {
>                     logger.debug("Process obligation in result");
>                     ObligationProcessingContext context =
>                         new ObligationProcessingContext(result);
>                     try {
>                         obligationService.processObligations(context);
>                     } catch (ObligationProcessingException exp) {
>                         return
> getDecisionForError("xacmlObligationProcessErr",
>                                                    null, containerEntity,
>                                                    requestor);
>                     }
>                 }
>
> Test Obligation handler code snippet:
>
> public void
>     evaluateObligation(ObligationProcessingContext
> obligationProcessingContext,
>                        ObligationType obligation)
>         throws ObligationProcessingException {
>
>         logger.debug("Obligation evaluation called with " +
>                      obligation.getObligationId());
> ...
> }
>
> XML on wire shows that 7 obligations, the ones for which handler has been
> added are sent. Attached is the relevant wire message.
>
> Here is debug output for adding of handlers:
>
> 2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:605] Adding handler: class
> org.globus.authz.xacml.TestObligationHandler for id
> http://authz-interop.org/xacml/obligation/storage-access-priority 2008-06-25
> 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:605] Adding handler: class
> org.globus.authz.xacml.TestObligationHandler for id
> http://authz-interop.org/xacml/obligation/secondary-gids 2008-06-25
> 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:605] Adding handler: class
> org.globus.authz.xacml.TestObligationHandler for id
> http://authz-interop.org/xacml/obligation/root-and-home-paths 2008-06-25
> 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:605] Adding handler: class
> org.globus.authz.xacml.TestObligationHandler for id
> http://authz-interop.org/xacml/2.0/obligation/username 2008-06-25
> 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:605] Adding handler: class
> org.globus.authz.xacml.TestObligationHandler for id
> http://authz-interop.org/xacml/obligation/access-permissions 2008-06-25
> 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:605] Adding handler: class
> org.globus.authz.xacml.TestObligationHandler for id
> http://authz-interop.org/xacml/obligation/afs-token 2008-06-25 19:51:54,062
> DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:605] Adding handler: class
> org.globus.authz.xacml.TestObligationHandler for id
> http://authz-interop.org/xacml/obligation/uidgid
>
> Result and processing debug:
>
> 2008-06-25 19:51:54,062 DEBUG authorization.XACMLAuthorizationCallout
> [ServiceThread-3,isPermitted:655] Result has 7 2008-06-25 19:51:54,062 DEBUG
> authorization.XACMLAuthorizationCallout [ServiceThread-3,isPermitted:659]
> Process obligation in result 2008-06-25 19:51:54,062 DEBUG
> xacml.TestObligationHandler [ServiceThread-3,evaluateObligation:54]
> Obligation evaluation called with
> http://authz-interop.org/xacml/obligation/storage-access-priority
>
> No other obligation handler instances are invoked. Does the obligation
> handling code look correct? Is the API being incorrectly used?
>
> Thanks,
> Rachana

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
 http://www.switch.ch