[ https://issues.apache.org/jira/browse/WSS-298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-298.
-------------------------------------

    Resolution: Won't Fix


Marking this as "Won't Fix", as it's not a bug in WSS4J, as per the JIRA 
description, but in OpenSAML. 

Please file the issue in the OpenSAML JIRA instead:

https://issues.shibboleth.net/jira/browse/JOST

Colm.

> Resource Attribute in AuthorizationDecision Statement not accepting blank
> -------------------------------------------------------------------------
>
>                 Key: WSS-298
>                 URL: https://issues.apache.org/jira/browse/WSS-298
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6
>            Reporter: Srinivasa Kukatla
>            Assignee: Colm O hEigeartaigh
>
> As per the SAML specification, Resource is a required attribute. We have a 
> requirement that either the resource ID should be an empty string or a valid 
> URI. 
> The following is from the SAML core XSD:
> <complexType name="AuthzDecisionStatementType">
>   <complexContent>
>     <extension base="saml:StatementAbstractType">
>       <sequence>
>         <element ref="saml:Action" maxOccurs="unbounded"/>
>         <element ref="saml:Evidence" minOccurs="0"/>
>       </sequence>
>       <attribute name="Resource" type="anyURI" use="required"/>
>       <attribute name="Decision" type="saml:DecisionType" use="required"/>
>     </extension>
>   </complexContent>
> </complexType>
> Which says Resource is required. But when I have " " as the resource, the 
> attribute is completely missing.
> Here is why:
> Saml2ComponentBuilder.java
>     public static List<AuthzDecisionStatement> createAuthorizationDecisionStatement(
>         List<AuthDecisionStatementBean> decisionData
>     ) {
>         List<AuthzDecisionStatement> authDecisionStatements = new ArrayList();
>         if (authorizationDecisionStatementBuilder == null) {
>             authorizationDecisionStatementBuilder = 
>                 (SAMLObjectBuilder<AuthzDecisionStatement>)
>                     builderFactory.getBuilder(AuthzDecisionStatement.DEFAULT_ELEMENT_NAME);
>         }
>         if (decisionData != null && decisionData.size() > 0) {
>             for (AuthDecisionStatementBean decisionStatementBean : decisionData) {
>                 AuthzDecisionStatement authDecision = 
>                     authorizationDecisionStatementBuilder.buildObject();
>                 authDecision.setResource(decisionStatementBean.getResource());
>                 authDecision.setDecision(
>                     transformDecisionType(decisionStatementBean.getDecision())
>                 );
>                 for (ActionBean actionBean : decisionStatementBean.getActions()) {
>                     Action actionElement = createSamlAction(actionBean);
>                     authDecision.getActions().add(actionElement);
>                 }
>                 if (decisionStatementBean.getEvidence() instanceof Evidence) {
>                     authDecision.setEvidence((Evidence)decisionStatementBean.getEvidence());
>                 }
>                 
>                 authDecisionStatements.add(authDecision);
>             }
>         }
>         return authDecisionStatements;
>     }
> In the above, when setResource is called, the following implementation 
> gets called:
> org.opensaml.saml2.core.impl.AuthzDecisionStatementImpl.java
>     /** {@inheritDoc} */
>     public void setResource(String newResourceURI) {
>         this.resource = prepareForAssignment(this.resource, newResourceURI);
>     }
>     protected String prepareForAssignment(String oldValue, String newValue) {
>         String newString = DatatypeHelper.safeTrimOrNullString(newValue);
>         if (!DatatypeHelper.safeEquals(oldValue, newString)) {
>             releaseThisandParentDOM();
>         }
>         return newString;
>     }
> The blank string gets trimmed off, and null is returned. The Resource 
> attribute never gets created.
> This is violating the specification. This is a defect in OpenSAML, not 
> really in WSS4J.
>  /** {@inheritDoc} */
>     public void setResource(String newResourceURI) {
>         this.resource = prepareForAssignment(this.resource, newResourceURI);
>     }
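
A receiver-side check for the condition reported above, as an added example that is not code from WSS4J or OpenSAML: it parses an assertion with the JDK's DOM parser and reports every AuthzDecisionStatement that lacks one of the two attributes the quoted XSD marks `use="required"`. The class name, method name and sample XML are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AuthzDecisionAttributeCheck {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Returns one finding per required attribute missing from an AuthzDecisionStatement. */
    static List<String> missingRequiredAttributes(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Harden the parser: reject DOCTYPE declarations, so no external entities.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList stmts = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
            .getElementsByTagNameNS(SAML2_NS, "AuthzDecisionStatement");
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < stmts.getLength(); i++) {
            Element e = (Element) stmts.item(i);
            for (String attr : new String[] {"Resource", "Decision"}) {
                // hasAttribute is true for Resource="": present but empty passes,
                // an attribute dropped during marshalling does not.
                if (!e.hasAttribute(attr)) {
                    findings.add("AuthzDecisionStatement[" + i + "]: missing " + attr);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: first statement has no Resource, second has Resource="".
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML2_NS + "\">"
            + "<saml:AuthzDecisionStatement Decision=\"Permit\">"
            + "<saml:Action Namespace=\"urn:example:action\">read</saml:Action>"
            + "</saml:AuthzDecisionStatement>"
            + "<saml:AuthzDecisionStatement Resource=\"\" Decision=\"Permit\">"
            + "<saml:Action Namespace=\"urn:example:action\">read</saml:Action>"
            + "</saml:AuthzDecisionStatement></saml:Assertion>";
        missingRequiredAttributes(xml).forEach(System.out::println);
    }
}
```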
