ws-dev mailing list archives

From "Srinivasa Kukatla (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WSS-298) Resource Attribute in AuthorizationDecision Statement not accepting blank
Date Fri, 01 Jul 2011 21:43:28 GMT
Resource Attribute in AuthorizationDecision Statement not accepting blank
-------------------------------------------------------------------------

                 Key: WSS-298
                 URL: https://issues.apache.org/jira/browse/WSS-298
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 1.6
            Reporter: Srinivasa Kukatla
            Assignee: Colm O hEigeartaigh


As per the SAML specification, Resource is a required attribute. We have a requirement that
either the resource ID should be an empty string or a valid URI.

The following is from saml core xsd:

<complexType name="AuthzDecisionStatementType">
    <complexContent>
        <extension base="saml:StatementAbstractType">
            <sequence>
                <element ref="saml:Action" maxOccurs="unbounded"/>
                <element ref="saml:Evidence" minOccurs="0"/>
            </sequence>
            <attribute name="Resource" type="anyURI" use="required"/>
            <attribute name="Decision" type="saml:DecisionType" use="required"/>
        </extension>
    </complexContent>
</complexType>

Which says, resource is required. But, when I have " " as resource, attribute is completely
missing.

Here is why:

Saml2ComponentBuilder.java
 public static List<AuthzDecisionStatement> createAuthorizationDecisionStatement(
        List<AuthDecisionStatementBean> decisionData
    ) {
        List<AuthzDecisionStatement> authDecisionStatements = new ArrayList();
        if (authorizationDecisionStatementBuilder == null) {
            authorizationDecisionStatementBuilder = 
                (SAMLObjectBuilder<AuthzDecisionStatement>)
                    builderFactory.getBuilder(AuthzDecisionStatement.DEFAULT_ELEMENT_NAME);
        }

        if (decisionData != null && decisionData.size() > 0) {
            for (AuthDecisionStatementBean decisionStatementBean : decisionData) {
                AuthzDecisionStatement authDecision = 
                    authorizationDecisionStatementBuilder.buildObject();
                authDecision.setResource(decisionStatementBean.getResource());
                authDecision.setDecision(
                    transformDecisionType(decisionStatementBean.getDecision())
                );

                for (ActionBean actionBean : decisionStatementBean.getActions()) {
                    Action actionElement = createSamlAction(actionBean);
                    authDecision.getActions().add(actionElement);
                }

                if (decisionStatementBean.getEvidence() instanceof Evidence) {
                    authDecision.setEvidence((Evidence)decisionStatementBean.getEvidence());
                }
                
                authDecisionStatements.add(authDecision);
            }
        }

        return authDecisionStatements;
    }

In the above, when the setResource is called, the following implementation gets called:
org.opensaml.saml2.core.impl.AuthzDecisionStatementImpl.java

 /** {@inheritDoc} */
    public void setResource(String newResourceURI) {
        this.resource = prepareForAssignment(this.resource, newResourceURI);
    }



  protected String prepareForAssignment(String oldValue, String newValue) {
        String newString = DatatypeHelper.safeTrimOrNullString(newValue);

        if (!DatatypeHelper.safeEquals(oldValue, newString)) {
            releaseThisandParentDOM();
        }

        return newString;
    }


The blank string gets trimmed off, and null is returned. The Resource Attribute never gets
created.

This is violating the specification. This is a defect in OpenSAML, not really in WSS4J.

 /** {@inheritDoc} */
    public void setResource(String newResourceURI) {
        this.resource = prepareForAssignment(this.resource, newResourceURI);
    }

