shibboleth-dev - ARP explicit <Value> in 1.2 vs 1.3 IdP
- From: Ian Young
- To: Shibboleth Developers
- Subject: ARP explicit <Value> in 1.2 vs 1.3 IdP
- Date: Tue, 13 Dec 2005 17:44:11 +0000
We came across a problem today that turned out to be a 1.3 IdP throwing a NullPointerException during the attribute query. I have a workround, but I'd be interested to know if someone else has seen this one, or if I should try and dig deeper.
I think the IdP in question is running 1.3b, but with the latest OpenSAML and endorsed XML libraries. If I have to, I'll do another install with the latest of everything to confirm, but I haven't yet.
The problem occurs when the ARP contains something like this:
    <Rule>
        ...
        <Attribute name="...">
            <Value release="permit">...</Value>
        </Attribute>
    </Rule>
In the 1.2 IdP, it looks like the default value for @matchFunction is applied. In the 1.3 IdP, it looks like it isn't; the result is that the AttributeValue object created for the <Value> element has a null pointer in matchFunctionIdentifier. This fails lookup and a NullPointerException then happens at line 578 of Rule.java when it tries to log a warning.
I can work round this by adding an explicit @matchFunction, but this clearly isn't what was intended.
I don't recall seeing this one on the list; any ideas as to whether it might be a new one, or maybe some kind of misconfiguration at this end? Finding that the issue looks like it is something to do with attribute defaulting in a schema (perhaps because validation isn't happening for some reason) could point either way.
-- Ian
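
Added example, not part of the message above and not Shibboleth code: a standalone Java program showing the general XML Schema behaviour the message raises, namely that an attribute default declared in a schema reaches the DOM only when the parser is schema-aware. The schema, the default URN, the element content and the class and method names are constructed stand-ins, not the ARP schema or the IdP's classes.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class ArpDefaultDemo {
    // Constructed stand-in schema; the default URN is a placeholder, not the real ARP default.
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
      + "<xs:element name='Value'><xs:complexType><xs:simpleContent>"
      + "<xs:extension base='xs:string'>"
      + "<xs:attribute name='release' type='xs:string'/>"
      + "<xs:attribute name='matchFunction' type='xs:string'"
      + " default='urn:example:placeholder-default'/>"
      + "</xs:extension></xs:simpleContent></xs:complexType></xs:element>"
      + "</xs:schema>";

    // Constructed policy fragment with no explicit matchFunction attribute.
    static final String DOC = "<Value release='permit'>member</Value>";

    // Parse DOC and return the matchFunction the application would see, or null if none.
    static String matchFunction(boolean schemaAware) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        if (schemaAware) {
            // With a Schema set, the parser passes the schema-augmented infoset
            // (including defaulted attributes) to the DOM.
            f.setSchema(SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
                .newSchema(new StreamSource(new StringReader(XSD))));
        }
        Element value = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(DOC))).getDocumentElement();
        // DOM returns "" for an absent attribute; map that to null to make the gap explicit.
        String mf = value.getAttribute("matchFunction");
        return mf.isEmpty() ? null : mf;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("schema-aware parse: " + matchFunction(true));
        String plain = matchFunction(false);
        // Policy code should treat a missing identifier as a configuration error
        // and refuse release, rather than dereference it later.
        System.out.println("plain parse:        "
            + (plain == null ? "no matchFunction, rule rejected" : plain));
    }
}
```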