shibboleth-dev - Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
Subject: Shibboleth Developers
- From: Tom Zeller <>
- To:
- Subject: Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
- Date: Fri, 29 Apr 2011 07:54:55 -0500
Right, thanks for the clue to customize AttributeQuery.
> Probably not a good idea. ;)
>
> I think a better approach would be to define a custom <Extensions>
> element and stick it in the AttributeQuery. That would work fine as
> long as you control the code making the request (which I think is the
> case here) and your data connector knows to look for it (which it would
> since you wrote it).
>
> On 4/28/11 5:56 PM, Tom Zeller wrote:
>> I imagine the response to my question is "probably not a good idea",
>> but here goes ...
>>
>> Ideally, I would like to pass arbitrary data (a DateTime object or
>> timestamp) into an AttributeRequestContext.
>>
>> I am using the attribute resolver for provisioning Grouper via
>> ldappcng, and I think I would like to supply a DateTime object to an
>> AttributeAuthority when calculating attributes. The purpose of the
>> DateTime object would be for Grouper's DataConnectors to return
>> attributes based on Grouper's point-in-time auditing.
>>
>> Would it be a reasonable hack to co-opt a Session's
>> lastActivityInstant? The user session would never be used elsewhere,
>> AFAIK.
>>
>> Pseudo-code follows:
>>
>> // a group or member identifier
>> String ID = provisioningRequest.getID();
>>
>> // when a change occurred
>> long when = provisioningRequest.getAuditTime();
>>
>> // create a context with principal name as the group or member identifier
>> BaseSAMLProfileRequestContext attributeRequestContext = new BaseSAMLProfileRequestContext();
>> attributeRequestContext.setPrincipalName(ID);
>>
>> // BEGIN HACK
>> // pass a timestamp via user session
>> SessionImpl userSession = new SessionImpl(null, null, 0);
>> userSession.setLastActivityInstant(new DateTime(when));
>> attributeRequestContext.setUserSession(userSession);
>> // END HACK
>>
>> // get the attributes
>> attributeAuthority.getAttributes(attributeRequestContext);
>>
>> And in the DataConnector
>>
>> String principalName = resolutionContext.getAttributeRequestContext().getPrincipalName();
>> DateTime when = resolutionContext.getAttributeRequestContext().getUserSession().getLastActivityInstant();
>> Group group = PITGroupFinder.findByName(principalName, when ...)
>>
>> TomZ
>>
>
> --
> Chad La Joie
> http://itumi.biz
> trusted identities, delivered
>
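
The custom <Extensions> approach suggested in the quoted reply, sketched at the message level as an added example (not code from the thread or from Shibboleth): the requester places the timestamp in its own element under samlp:Extensions, and the data connector reads it back with strict checks. The namespace urn:example:provisioning:pit, the PointInTime element, the function names and the sample values are assumptions, and Python's standard library stands in for OpenSAML.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PIT = "urn:example:provisioning:pit"  # hypothetical extension namespace (assumption)
FMT = "%Y-%m-%dT%H:%M:%SZ"            # xs:dateTime, UTC only


def build_query(principal: str, when: datetime, issuer: str) -> bytes:
    """Requester: AttributeQuery carrying the audit time in <samlp:Extensions>.
    `when` must be timezone-aware."""
    attrs = {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
             "IssueInstant": datetime.now(timezone.utc).strftime(FMT)}
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", attrs)
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = issuer
    ext = ET.SubElement(q, f"{{{SAMLP}}}Extensions")
    ET.SubElement(ext, f"{{{PIT}}}PointInTime").text = when.astimezone(timezone.utc).strftime(FMT)
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = principal
    return ET.tostring(q)


def read_point_in_time(message: bytes, now: datetime) -> Optional[datetime]:
    """Data connector: the requested instant, or None when the extension is absent."""
    if b"<!DOCTYPE" in message:
        raise ValueError("DTD not allowed in a SAML message")
    q = ET.fromstring(message)
    if q.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not an AttributeQuery")
    found = q.findall(f"{{{SAMLP}}}Extensions/{{{PIT}}}PointInTime")
    if not found:
        return None  # ordinary query: resolve against current state
    if len(found) > 1:
        raise ValueError("more than one PointInTime")
    # The value is supplied by the requester, so parse it strictly.
    when = datetime.strptime((found[0].text or "").strip(), FMT).replace(tzinfo=timezone.utc)
    if when > now:
        raise ValueError("PointInTime is in the future")
    return when


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    audit = datetime(2011, 4, 28, 22, 56, tzinfo=timezone.utc)
    msg = build_query("etc:sysadmingroup", audit, "https://provisioner.example.org")
    print(msg.decode())
    print(read_point_in_time(msg, datetime.now(timezone.utc)))
```
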