Resource Attribute in AuthorizationDecision Statement not accepting blank
-------------------------------------------------------------------------
Key: WSS-298
URL: https://issues.apache.org/jira/browse/WSS-298
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 1.6
Reporter: Srinivasa Kukatla
Assignee: Colm O hEigeartaigh
As per the SAML specification, Resource is a required attribute. We have a
requirement that the resource ID should be either an empty string or a valid
URI.
The following is from the SAML core XSD:
    <complexType name="AuthzDecisionStatementType">
      <complexContent>
        <extension base="saml:StatementAbstractType">
          <sequence>
            <element ref="saml:Action" maxOccurs="unbounded"/>
            <element ref="saml:Evidence" minOccurs="0"/>
          </sequence>
          <attribute name="Resource" type="anyURI" use="required"/>
          <attribute name="Decision" type="saml:DecisionType" use="required"/>
        </extension>
      </complexContent>
    </complexType>
Which says that Resource is required. But when I have " " as the resource, the
attribute is completely missing.
Here is why:
Saml2ComponentBuilder.java
    public static List<AuthzDecisionStatement> createAuthorizationDecisionStatement(
        List<AuthDecisionStatementBean> decisionData
    ) {
        List<AuthzDecisionStatement> authDecisionStatements = new ArrayList();
        if (authorizationDecisionStatementBuilder == null) {
            authorizationDecisionStatementBuilder =
                (SAMLObjectBuilder<AuthzDecisionStatement>)
                    builderFactory.getBuilder(AuthzDecisionStatement.DEFAULT_ELEMENT_NAME);
        }
        if (decisionData != null && decisionData.size() > 0) {
            for (AuthDecisionStatementBean decisionStatementBean : decisionData) {
                AuthzDecisionStatement authDecision =
                    authorizationDecisionStatementBuilder.buildObject();
                authDecision.setResource(decisionStatementBean.getResource());
                authDecision.setDecision(
                    transformDecisionType(decisionStatementBean.getDecision())
                );
                for (ActionBean actionBean : decisionStatementBean.getActions()) {
                    Action actionElement = createSamlAction(actionBean);
                    authDecision.getActions().add(actionElement);
                }
                if (decisionStatementBean.getEvidence() instanceof Evidence) {
                    authDecision.setEvidence((Evidence)decisionStatementBean.getEvidence());
                }
                authDecisionStatements.add(authDecision);
            }
        }
        return authDecisionStatements;
    }
In the above, when the setResource is called, the following implementation gets
called:
org.opensaml.saml2.core.impl.AuthzDecisionStatementImpl.java
    /** {@inheritDoc} */
    public void setResource(String newResourceURI) {
        this.resource = prepareForAssignment(this.resource, newResourceURI);
    }

    protected String prepareForAssignment(String oldValue, String newValue) {
        String newString = DatatypeHelper.safeTrimOrNullString(newValue);
        if (!DatatypeHelper.safeEquals(oldValue, newString)) {
            releaseThisandParentDOM();
        }
        return newString;
    }
The blank string gets trimmed off, and null is returned. The Resource Attribute
never gets created.
This is violating the specification. This is a defect in OpenSAML, not really
in WSS4J.
    /** {@inheritDoc} */
    public void setResource(String newResourceURI) {
        this.resource = prepareForAssignment(this.resource, newResourceURI);
    }
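An added example, not WSS4J or OpenSAML code, that reproduces the reported effect with JDK classes only: a blank Resource trimmed to null is left off the element, and the result is checked against a schema that marks Resource as required. The class and method names (ResourceAttributeCheck, trimOrNull, buildStatement, isSchemaValid), the cut-down inline schema and the sample values are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

public class ResourceAttributeCheck {
    static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    // Constructed, cut-down schema: only the two required attributes quoted in the report.
    static final String XSD =
        "<schema xmlns='http://www.w3.org/2001/XMLSchema' targetNamespace='" + NS + "'>"
      + "<element name='AuthzDecisionStatement'><complexType>"
      + "<attribute name='Resource' type='anyURI' use='required'/>"
      + "<attribute name='Decision' type='string' use='required'/>"
      + "</complexType></element></schema>";

    // Hypothetical stand-in for the trim-or-null step described in the report.
    static String trimOrNull(String s) {
        String t = (s == null) ? "" : s.trim();
        return t.isEmpty() ? null : t;
    }
    // Mimics a marshaller that skips attributes whose stored value is null.
    static Document buildStatement(String resource) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element e = doc.createElementNS(NS, "saml:AuthzDecisionStatement");
        if (resource != null) e.setAttributeNS(null, "Resource", resource);
        e.setAttributeNS(null, "Decision", "Permit");
        doc.appendChild(e);
        return doc;
    }
    // True when the statement satisfies the schema, false on any validation error.
    static boolean isSchemaValid(Document doc) throws Exception {
        Validator v = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
            .newSchema(new StreamSource(new StringReader(XSD))).newValidator();
        try { v.validate(new DOMSource(doc)); return true; }
        catch (SAXException ex) { return false; }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("blank, trimmed to null: " + isSchemaValid(buildStatement(trimOrNull(" "))));
        System.out.println("empty string kept:      " + isSchemaValid(buildStatement("")));
        System.out.println("URI value:              " + isSchemaValid(buildStatement("urn:example:resource")));
    }
}
```

Running the same schema check on assertions before they are signed or sent catches a dropped required attribute at the issuer rather than at the relying party.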