XACML Authorization: Decision 'Indeterminate'

 
Greenhorn

We have a Web Service management tool which does Authentication and Authorization for all the incoming WebService requests.
Authorization is based on the rules that are configured for the appropriate service.
We also have XPath specification as part of rule configuration.

We have a rule configured as mentioned below:
TestService authorized to the user of the particular group (TestGroup1) and XPath (\\com9:source[@VendorId='AB'])

When we tried accessing the Test Service, we received the following response despite giving a valid user (TestUser1 belonging to TestGroup1) and the proper XML element [com9:source VendorId='AB'] in the request.

<Response>
<Result ResourceID="http://testHost:testPort/TestService">
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>error in XPath: Prefix must resolve to a namespace: com7</StatusMessage>
</Status>
</Result>
</Response>

XACML authorization is done with the help of sunxacml.jar. The API 'PDP.evaluate(RequestCtx)' is invoked and we got the above-mentioned response. We came to know that the Decision 'Indeterminate' comes if any exception occurs during authorization.

It would be very helpful if we get to know the root cause of the decision 'Indeterminate' in the above-mentioned scenario and the possible scenarios to get an 'Indeterminate' decision.

Thanks in advance,
With regards,
Priya.
 
priya jayaraj
Greenhorn
Sorry for the typo in the original topic. The status message in the response was

<StatusMessage>error in XPath: Prefix must resolve to a namespace: com9</StatusMessage>
 
Marshal
I don't understand your question about "the root cause". That error message is the root cause, isn't it? Or what's your question?
 
priya jayaraj
Greenhorn
We have a URI that is bound to the namespace, say com9. Also, we could see in the log that the request element 'VendorId' is prefixed with the required namespace com9 (com9:source VendorId='AB'), just before it is sent for XACML authorization. So we are stuck on what would be the cause and how and where the prefix is lost. The issue is not reproducible consistently as well (when we restart application servers). It would be great if we get any clues on how to proceed further with the investigation.

Thanks in advance,
Priya J
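
An added example, not part of the thread and not sunxacml code: it reproduces the status message with the JDK's own XPath engine to show that a prefix in the rule's XPath is resolved by the evaluator's namespace context, not by the declarations the request carries, so a correctly prefixed request can still yield this error. The class name, the namespace URI `urn:example:com9` and the request document are constructed placeholders, and the rule's path is written with `//`.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathPrefixCheck {
    // Constructed placeholder: the real URI bound to com9 is not given in the thread.
    static final String COM9_URI = "urn:example:com9";
    // Constructed request: the prefix IS declared and used correctly here.
    static final String REQUEST =
        "<req xmlns:com9='" + COM9_URI + "'><com9:source VendorId='AB'/></req>";
    static final String RULE_XPATH = "//com9:source[@VendorId='AB']";

    /** Evaluates the rule's XPath; bindPrefix decides whether the evaluator knows com9. */
    static int match(boolean bindPrefix) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // without this the DOM keeps no namespace bindings at all
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(REQUEST)));
        XPath xp = XPathFactory.newInstance().newXPath();
        if (bindPrefix) {
            xp.setNamespaceContext(new NamespaceContext() {
                public String getNamespaceURI(String p) {
                    return "com9".equals(p) ? COM9_URI : XMLConstants.NULL_NS_URI;
                }
                public String getPrefix(String uri) {
                    return COM9_URI.equals(uri) ? "com9" : null;
                }
                public Iterator<String> getPrefixes(String uri) {
                    return COM9_URI.equals(uri)
                        ? List.of("com9").iterator() : Collections.<String>emptyIterator();
                }
            });
        }
        return ((NodeList) xp.evaluate(RULE_XPATH, doc, XPathConstants.NODESET)).getLength();
    }

    public static void main(String[] args) throws Exception {
        try {
            match(false); // same document, but the evaluator has no binding for com9
        } catch (XPathExpressionException e) {
            System.out.println("unbound prefix -> " + e.getMessage());
        }
        System.out.println("bound prefix -> matches: " + match(true));
    }
}
```

An authorization layer that receives Indeterminate with a processing-error status should treat the request as not permitted and log the status message, so a namespace binding problem like this shows up as a denied call rather than an accidental grant.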
 