
mace-opensaml-users - Re: [OpenSAML] Assertion object does not return statements

Subject: OpenSAML user discussion

  • From: Chad La Joie <>
  • To:
  • Subject: Re: [OpenSAML] Assertion object does not return statements
  • Date: Fri, 25 Jul 2008 07:40:21 +0200
  • Openpgp: id=146B2514
  • Organization: SWITCH

The library first attempts to look up the unmarshallers by *type* and then element name. There isn't, and really can't be, an unmarshaller for the <Statement> element so it has to rely on types. My guess is that the incoming message has a screwed up type declaration. I would check to make sure the xsi:type attribute is present, and that its prefix corresponds to the correct namespace (we are using the XACML profile for SAML 2, version 2 namespaces; version 1 had different namespaces, so if the message isn't compliant with the spec it isn't going to be parsed).

Rachana Ananthakrishnan wrote:
Here is some logging information from this. In cases where the statement is
not picked up from the assertion, I see a statement that says "No
unmarshaller was registered for Statement".

Logs from case with the issue:

2008-07-24T14:20:21.906-05:00 DEBUG io.MarshallerFactory [ServiceThread-52,registerMarshaller:102] Registering marshaller, org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeMarshaller, for object type {urn:oasis:names:tc:xacml:1.0:profile:shml2.0:v2:schema:assertion}XACMLAuthzDecisionStatement
2008-07-24T14:20:21.906-05:00 DEBUG io.UnmarshallerFactory [ServiceThread-52,registerUnmarshaller:103] Registering unmarshaller, org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeUnmarshaller, for object type, {urn:oasis:names:tc:xacml:1.0:profile:saml2.0:v2:schema:assertion}XACMLAuthzDecisionStatement

...

2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshallChildElement:310] No unmarshaller was registered for {urn:oasis:names:tc:SAML:2.0:assertion}Statement, child of {urn:oasis:names:tc:SAML:2.0:assertion}Assertion. Using default unmarshaller.
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshallChildElement:315] Unmarshalling child element {urn:oasis:names:tc:SAML:2.0:assertion}Statementwith unmarshaller org.opensaml.xml.schema.impl.XSAnyUnmarshaller
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshall:93] Starting to unmarshall DOM element {urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,checkElementIsTarget:142] Targeted QName checking is not available for this unmarshaller, DOM Element {urn:oasis:names:tc:SAML:2.0:assertion}Statement was not verified
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,buildXMLObject:183] Building XMLObject for {urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,buildXMLObject:194] No builder was registered for {urn:oasis:names:tc:SAML:2.0:assertion}Statement but the default builder org.opensaml.xml.schema.impl.XSAnyBuilder was available, using it.
2008-07-24T14:20:28.359-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshall:99] Unmarshalling attributes of DOM Element {urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.375-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshallAttribute:215] Pre-processing attribute {http://www.w3.org/2001/XMLSchema-instance}type
2008-07-24T14:20:28.375-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshall:111] Unmarshalling other child nodes of DOM Element {urn:oasis:names:tc:SAML:2.0:assertion}Statement
2008-07-24T14:20:28.375-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-52,unmarshallChildElement:298] Unmarshalling child elements of XMLObject {urn:oasis:names:tc:SAML:2.0:assertion}Statement

In cases where the statement in the assertion is picked up, the logging
statement looks like this:

2008-07-24T16:00:34.703-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-4,unmarshallChildElement:298] Unmarshalling child elements of XMLObject {urn:oasis:names:tc:SAML:2.0:assertion}Assertion
2008-07-24T16:00:34.703-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-4,unmarshallChildElement:315] Unmarshalling child element {urn:oasis:names:tc:SAML:2.0:assertion}Statementwith unmarshaller org.opensaml.xacml.profile.saml.impl.XACMLAuthzDecisionStatementTypeUnmarshaller
2008-07-24T16:00:34.703-05:00 TRACE io.AbstractXMLObjectUnmarshaller [ServiceThread-4,unmarshall:93] Starting to unmarshall DOM element {urn:oasis:names:tc:SAML:2.0:assertion}Statement

I am not able to tell what triggers the change. In both cases the same
service and clients are being used, so no configuration change is done. The
wire message (attached in previous email) in both cases look correct.
Thanks,
Rachana

-----Original Message-----
From: Chad La Joie [mailto:]
Sent: Wednesday, July 23, 2008 12:17 PM
To:

Subject: Re: [OpenSAML] Assertion object does not return statements

If you turn on debug logging for OpenSAML it will tell you all the object providers it's loading into its configuration.

Rachana Ananthakrishnan wrote:
This is using the latest version (with your fix for obligations) - the same
code base works fine if I use a Java client to access it, so the library
must be correct.

Is there any logging option that I can enable to see if indeed the XACML
pieces are being ignored?

Thanks,
Rachana
-----Original Message-----
From: Chad La Joie [mailto:]
Sent: Wednesday, July 23, 2008 11:35 AM
To:

Subject: Re: [OpenSAML] Assertion object does not return statements

I just tested this with the latest code and it works fine with me. If you are using old code and are not loading the XACML extension then the library is just going to ignore those extensions, which I would guess is what is happening.

Rachana Ananthakrishnan wrote:
We are testing interoperability between a C implementation of XACML SAML
profile and a Java one that uses OpenSAML. A response generated by C code
(attached is SOAP message and Response element), with
XACMLAuthzDecisionStatementType, when parsed using OpenSAML library creates an
Assertion object with no statements.

With the following code to validate the assertion:

Assertion assertion = (Assertion) assertionsIter.next();

logger.debug("assertion being looked at is \n"
        + XmlUtils.toString(assertion.getDOM()));
// Statements that OpenSAML unmarshalled from this assertion
List authzDecisionStmtList = assertion.getStatements();
if ((authzDecisionStmtList == null)
        || (authzDecisionStmtList.size() < 1)) {
    logger.debug("This assertion does not have any XACML Authz "
            + "Decision Statement Type");
    // skip to the next assertion in the enclosing loop
    continue;
}


The assertion snippet looks like this:

<saml:Assertion IssueInstant="2008-07-21T18:22:25Z"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="saml:AssertionType">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      xsi:type="saml:NameIDType"/>
  <saml:Statement xsi:type="XACMLassertion:XACMLAuthzDecisionStatementType">
    <XACMLcontext:Response
        xmlns:XACMLcontext="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xsi:type="XACMLcontext:ResponseType">
      <XACMLcontext:Result xsi:type="XACMLcontext:ResultType">
        <XACMLcontext:Decision>Permit</XACMLcontext:Decision>
        <XACMLcontext:Status xsi:type="XACMLcontext:StatusType">
          <XACMLcontext:StatusCode
              Value="urn:oasis:names:tc:xacml:1.0:status:ok"
              xsi:type="XACMLcontext:StatusCodeType"/>
        </XACMLcontext:Status>
      </XACMLcontext:Result>
    </XACMLcontext:Response>
  </saml:Statement>
</saml:Assertion>

But the above error is triggered and the assertion does not have any
statements.

Any ideas on what the issue is? How I can get further logging information
from OpenSAML to understand issue with the Assertion object creation?

Thanks,
Rachana
--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
http://www.switch.ch
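
The check suggested at the top of this thread (xsi:type present on each saml:Statement, and its prefix bound to the namespace the unmarshaller was registered under), as an added example in Python that is not part of the original messages or of OpenSAML. The function names, the REGISTERED set (namespace from the unmarshaller registration log line, local name from the posted xsi:type value) and the sample documents are assumptions constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

SAML_STATEMENT = "{urn:oasis:names:tc:SAML:2.0:assertion}Statement"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Assumption: namespace from the unmarshaller registration log line in this
# thread, local name from the xsi:type value in the posted assertion.
XACML_SAML_NS = "urn:oasis:names:tc:xacml:1.0:profile:saml2.0:v2:schema:assertion"
REGISTERED = {"{%s}XACMLAuthzDecisionStatementType" % XACML_SAML_NS}


def check_statement_types(xml_bytes, registered=REGISTERED):
    """Return (raw xsi:type, resolved QName, verdict) per saml:Statement."""
    scopes, pending, findings = [{}], {}, []
    events = ("start-ns", "start", "end")
    for event, data in ET.iterparse(io.BytesIO(xml_bytes), events=events):
        if event == "start-ns":        # reported before the element's "start"
            pending[data[0]] = data[1]
        elif event == "start":         # push the in-scope prefix bindings
            scopes.append({**scopes[-1], **pending})
            pending = {}
            if data.tag == SAML_STATEMENT:
                findings.append(_resolve(data.get(XSI_TYPE), scopes[-1], registered))
        else:
            scopes.pop()
    return findings


def _resolve(raw, scope, registered):
    if raw is None:
        return (None, None, "missing-xsi-type")
    prefix, _, local = raw.rpartition(":")   # no colon: default namespace
    uri = scope.get(prefix, "" if not prefix else None)
    if uri is None:
        return (raw, None, "unbound-prefix")
    qname = "{%s}%s" % (uri, local)
    return (raw, qname, "ok" if qname in registered else "unregistered-type")


def sample(ns_decl):
    # Constructed input modelled on the assertion posted in this thread.
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" %s>'
            '<saml:Statement xsi:type="XACMLassertion:XACMLAuthzDecisionStatementType"/>'
            '</saml:Assertion>' % ns_decl).encode()


if __name__ == "__main__":
    for decl in ('xmlns:XACMLassertion="%s"' % XACML_SAML_NS, "",
                 'xmlns:XACMLassertion="urn:example:wrong-namespace"'):
        print(check_statement_types(sample(decl)))
```

A receiver that needs the authorization decision should treat any verdict other than "ok" as a rejected message rather than as an assertion that simply has no statements.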