mace-opensaml-users - Re: [OpenSAML] Assertion object does not return statements
Subject: OpenSAML user discussion
List archive
- From: Chad La Joie <>
- To:
- Subject: Re: [OpenSAML] Assertion object does not return statements
- Date: Fri, 25 Jul 2008 07:40:21 +0200
- Openpgp: id=146B2514
- Organization: SWITCH
The library first attempts to look up the unmarshallers by *type* and then element name. There is, and really can't be, an unmarshaller for the <Statement> element so it has to rely on types. My guess is that the incoming message has a screwed up type declaration. I would check to make sure the xsi:type attribute is present, and that its prefix corresponds to the correct namespace (we are using the XACML profile for SAML 2, version 2 namespaces, version 1 had different namespaces so if the message isn't compliant with the spec it isn't going to be parsed.
Rachana Ananthakrishnan wrote:
Here is some logging information from this. In cases where the statement is
not picked up from the assertion, I see a statement that says "No
unmarshaller was registered for Statement".
Logs from case with the issue:
2008-07-24T14:20:21.906-05:00 DEBUG io.MarshallerFactory
[ServiceThread-52,registerMarshaller:102] Registering marshaller,
org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeMarshall
er, for object type
{urn:oasis:names:tc:xacml:1.0:profile:shml2.0:v2:schema:assertion}XACMLAuthz
DecisionStatement 2008-07-24T14:20:21.906-05:00 DEBUG io.UnmarshallerFactory
[ServiceThread-52,registerUnmarshaller:103] Registering unmarshaller,
org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeUnmarsha
ller, for object type,
{urn:oasis:names:tc:xacml:1.0:profile:saml2.0:v2:schema:assertion}XACMLAuthz
DecisionStatement
...
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,unmarshallChildElement:310] No unmarshaller was registered
for {urn:oasis:names:tc:SAML:2.0:assertion}Statement, child of
{urn:oasis:names:tc:SAML:2.0:assertion}Assertion. Using default
unmarshaller. 2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,unmarshallChildElement:315] Unmarshalling child element
{urn:oasis:names:tc:SAML:2.0:assertion}Statementwith unmarshaller
org.opensaml.xml.schema.impl.XSAnyUnmarshaller 2008-07-24T14:20:28.359-05:00
TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshall:93]
Starting to unmarshall DOM element
{urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,checkElementIsTarget:142] Targeted QName checking is not
available for this unmarshaller, DOM Element
{urn:oasis:names:tc:SAML:2.0:assertion}Statement was not verified
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,buildXMLObject:183] Building XMLObject for
{urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,buildXMLObject:194] No builder was registered for
{urn:oasis:names:tc:SAML:2.0:assertion}Statement but the default builder
org.opensaml.xml.schema.impl.XSAnyBuilder was available, using it.
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,unmarshall:99] Unmarshalling attributes of DOM Element
{urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.375-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,unmarshallAttribute:215] Pre-processing attribute
{http://www.w3.org/2001/XMLSchema-instance}type
2008-07-24T14:20:28.375-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,unmarshall:111] Unmarshalling other child nodes of DOM
Element {urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.375-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-52,unmarshallChildElement:298] Unmarshalling child elements
of XMLObject {urn:oasis:names:tc:SAML:2.0:assertion}Statement
In cases where the statement in the assertion is picked up, the logging
statement looks like this:
2008-07-24T16:00:34.703-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-4,unmarshallChildElement:298] Unmarshalling child elements of
XMLObject {urn:oasis:names:tc:SAML:2.0:assertion}Assertion
2008-07-24T16:00:34.703-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-4,unmarshallChildElement:315] Unmarshalling child element
{urn:oasis:names:tc:SAML:2.0:assertion}Statementwith unmarshaller
org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeUnmarsha
ller 2008-07-24T16:00:34.703-05:00 TRACE io.AbstractXMLObjectUnmarshaller
[ServiceThread-4,unmarshall:93] Starting to unmarshall DOM element
{urn:oasis:names:tc:SAML:2.0:assertion}Statement
I am not able to tell what triggers the change. In both cases the same
service and clients are being used, so no configuration change is done. The
wire message(attached in previous email) in both cases look correct.
Thanks,
Rachana
-----Original Message-----
From: Chad La Joie [mailto:] Sent: Wednesday, July 23, 2008 12:17 PM
To:
Subject: Re: [OpenSAML] Assertion object does not return statements
If you turn on debug logging for OpenSAML it will tell you all the object provides it's loading in to its configuration.
Rachana Ananthakrishnan wrote:
This is using the latest version (with your fix forobligations) - the same
code base works fine if I use a Java client to access it,so the library
must be correct.indeed the XACML
Is there any logging option that I can enable to see if
pieces are being ignored?assertion.getStatements();
Thanks,
Rachana-----Original Message-----
From: Chad La Joie [mailto:] Sent: Wednesday, July 23, 2008 11:35 AM
To:
Subject: Re: [OpenSAML] Assertion object does not return statements
I just tested this with the latest code and it works fine with me. If you are using old code and are not loading the XACML extension then the library is just going to ignore those extensions, which I would guess is what is happening.
Rachana Ananthakrishnan wrote:
We are testing interoperability between a C implementationof XACML SAML
profile and a Java one that uses OpenSAML. A responsegenerated by C code
(attached is SOAP message and Response element), withlibrary creates a
XACMLAutzDecisionStatementType, when parsed using OpenSAML
Assertion object with no statements.
With the following code to validate the assertion:
Assertion assertion = (Assertion) assertionsIter.next();
logger.debug("assertion being looked at is \n" +
XmlUtils.toString(assertion.getDOM()));
List authzDecisionStmtList =
not have anyif ((authzDecisionStmtList == null) ||any XACML Authz "
(authzDecisionStmtList.size() < 1)) {
logger.debug("This assertion does not have
+ "Decision Statement Type");xsi:type="XACMLassertion:XACMLAuthzDecisionStatementType"><XAC
continue;
}
The assertion snippet looks like this:
<saml:Assertion IssueInstant="2008-07-21T18:22:25Z"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:type="saml:AssertionType"><saml:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xsi:type="saml:NameIDType"/><saml:Statement
MLcontext:Resp
onsexmlns:XACMLcontext="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xsi:type="XACMLcontext:ResponseType"><XACMLcontext:Resultxsi:type="XACMLcontext:ResultType"><XACMLcontext:Decision>Perm
it</XACMLconte
xt:Decision><XACMLcontext:Statusxsi:type="XACMLcontext:StatusCodeType"/></XACMLcontext:Status>
xsi:type="XACMLcontext:StatusType"><XACMLcontext:StatusCode
Value="urn:oasis:names:tc:xacml:1.0:status:ok"
</XACMLcontext
:Result></XACMLcontext:Response></saml:Statement></saml:Assertion>
But the above error is triggered and the assertion does
--statements.logging information
Any ideas on what the issue is? How I can get further
from OpenSAML to understand issue with the Assertion objectcreation?
Thanks,--
Rachana
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
,
http://www.switch.ch
- Assertion object does not return statements, Rachana Ananthakrishnan, 07/23/2008
- Re: [OpenSAML] Assertion object does not return statements, Chad La Joie, 07/23/2008
- RE: [OpenSAML] Assertion object does not return statements, Rachana Ananthakrishnan, 07/23/2008
- Re: [OpenSAML] Assertion object does not return statements, Chad La Joie, 07/23/2008
- RE: [OpenSAML] Assertion object does not return statements, Rachana Ananthakrishnan, 07/24/2008
- Re: [OpenSAML] Assertion object does not return statements, Chad La Joie, 07/25/2008
- RE: [OpenSAML] Assertion object does not return statements, Scott Cantor, 07/25/2008
- Re: [OpenSAML] Assertion object does not return statements, Chad La Joie, 07/25/2008
- RE: [OpenSAML] Assertion object does not return statements, Rachana Ananthakrishnan, 07/24/2008
- Re: [OpenSAML] Assertion object does not return statements, Chad La Joie, 07/23/2008
- RE: [OpenSAML] Assertion object does not return statements, Rachana Ananthakrishnan, 07/23/2008
- Re: [OpenSAML] Assertion object does not return statements, Chad La Joie, 07/23/2008
Archive powered by MHonArc 2.6.16.