
shibboleth-dev - Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?

Subject: Shibboleth Developers

  • From: Tom Zeller <>
  • To:
  • Subject: Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
  • Date: Mon, 23 May 2011 10:32:05 -0600

Does this code look correct for a custom grouper attribute query extension ?

https://spaces.internet2.edu/display/Grouper/AttributeQuery+UpdatedSince+Extension

Thanks for looking,
TomZ

> Right, thanks for the clue to customize AttributeQuery.
>
>> Probably not a good idea.  ;)
>>
>> I think a better approach would be to define a custom <Extensions>
>> element and stick it in the AttributeQuery.  That would work fine as
>> long as you control the code making the request (which I think is the
>> case here) and your data connector knows to look for it (which it would
>> since you wrote it).
>>
>> On 4/28/11 5:56 PM, Tom Zeller wrote:
>>> I imagine the response to my question is "probably not a good idea",
>>> but here goes ...
>>>
>>> Ideally, I would like to pass arbitrary data (a DateTime object or
>>> timestamp) into an AttributeRequestContext.
>>>
>>> I am using the attribute resolver for provisioning grouper via
>>> ldappcng, and I think I would like to supply a DateTime object to an
>>> AttributeAuthority when calculating attributes. The purpose of the
>>> DateTime object would be for Grouper's DataConnectors to return
>>> attributes based on Grouper's point-in-time auditing.
>>>
>>> Would it be a reasonable hack to co-opt a Session's
>>> lastActivityInstant ? The user session would never be used elsewhere,
>>> AFAIK.
>>>
>>> Pseudo-code follows :
>>>
>>>  // a group or member identifier
>>>  String ID = provisioningRequest.getID();
>>>
>>>  // when a change occurred
>>>  long when = provisioningRequest.getAuditTime();
>>>
>>>  // create a context with principal name as the group or member identifier
>>>  BaseSAMLProfileRequestContext attributeRequestContext = new BaseSAMLProfileRequestContext();
>>>  attributeRequestContext.setPrincipalName(ID);
>>>
>>>  // BEGIN HACK
>>>  // pass a timestamp via user session
>>>  SessionImpl userSession = new SessionImpl(null, null, 0);
>>>  userSession.setLastActivityInstant(new DateTime(when));
>>>  attributeRequestContext.setUserSession(userSession);
>>>  // END HACK
>>>
>>>  // get the attributes
>>>  attributeAuthority.getAttributes(attributeRequestContext);
>>>
>>> And in the DataConnector
>>>
>>>  String principalName = resolutionContext.getAttributeRequestContext().getPrincipalName();
>>>  DateTime when = resolutionContext.getAttributeRequestContext().getUserSession().getLastActivityInstant();
>>>  Group group = PITGroupFinder.findByName(principalName, when ...)
>>>
>>> TomZ
>>>
>>
>> --
>> Chad La Joie
>> http://itumi.biz
>> trusted identities, delivered
>>
>
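
The custom <Extensions> approach suggested in the quoted reply, seen from the data connector's side, as an added example that is not part of this thread or of the Grouper or Shibboleth code. The namespace `urn:example:grouper:ext`, the element name `UpdatedSince`, the class name and the sample request are assumptions made for illustration, and the code uses only JDK DOM and `java.time` rather than OpenSAML.

```java
import java.io.StringReader;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class UpdatedSinceExtension {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    // Hypothetical namespace and element name, invented for this example.
    static final String EXT_NS = "urn:example:grouper:ext";
    static final String EXT_NAME = "UpdatedSince";
    // Constructed sample request; samlp:Extensions precedes saml:Subject, as the SAML schema requires.
    static final String SAMPLE =
        "<samlp:AttributeQuery xmlns:samlp='" + SAMLP + "'"
      + " xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'"
      + " ID='_constructed1' Version='2.0' IssueInstant='2020-01-02T03:04:05Z'>"
      + "<samlp:Extensions><ext:UpdatedSince xmlns:ext='" + EXT_NS + "'>"
      + "2020-01-01T00:00:00Z</ext:UpdatedSince></samlp:Extensions>"
      + "<saml:Subject><saml:NameID>etc:sampleGroup</saml:NameID></saml:Subject>"
      + "</samlp:AttributeQuery>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The request is untrusted input: refuse DOCTYPEs so no entities are expanded.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Returns null when the extension is absent; throws when it is repeated, misplaced or malformed.
    static Instant updatedSince(Document query) {
        NodeList hits = query.getElementsByTagNameNS(EXT_NS, EXT_NAME);
        if (hits.getLength() == 0) return null;
        if (hits.getLength() > 1) throw new IllegalArgumentException("repeated " + EXT_NAME);
        Element e = (Element) hits.item(0);
        Node p = e.getParentNode();
        if (!SAMLP.equals(p.getNamespaceURI()) || !"Extensions".equals(p.getLocalName())
                || p.getParentNode() != query.getDocumentElement())
            throw new IllegalArgumentException(EXT_NAME + " outside samlp:Extensions");
        return Instant.parse(e.getTextContent().trim()); // DateTimeParseException if malformed
    }

    public static void main(String[] args) throws Exception {
        System.out.println(updatedSince(parse(SAMPLE)));
    }
}
```

A connector that receives `null` here can fall back to current-state resolution, while a thrown exception should fail the query rather than silently ignore the requested point in time.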


