
XACML Authorization: Decision 'Indeterminate'

priya jayaraj

Joined: May 12, 2009
Posts: 5

We have a Web Service management tool which does Authentication and Authorization for all the incoming WebService requests.
Authorization is based on the rules that are configured for the appropriate service.
We also have XPath specification as part of rule configuration.

We have a rule configured as mentioned below:
TestService authorized to the user of the particular group (TestGroup1) and XPath (\\com9:source[@VendorId='AB'])

When we tried accessing the Test Service, we received the following response despite giving a valid user (TestUser1 belonging to TestGroup1) and the proper XML element [com9:source VendorId='AB'] in the request.

<Result ResourceID="http://testHost:testPort/TestService">
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>error in XPath: Prefix must resolve to a namespace: com7</StatusMessage>

XACML authorization is done with the help of sunxacml.jar. The API 'PDP.evaluate(RequestCtx)' is invoked and we got the above-mentioned response. We came to know that the Decision 'Indeterminate' comes if any exception occurs during authorization.

It would be very helpful if we get to know the root cause of the decision 'Indeterminate' in the above-mentioned scenario and the possible scenarios to get 'Indeterminate' decision.

Thanks in advance,
With regards,
priya jayaraj

Joined: May 12, 2009
Posts: 5
Sorry for the typo in the original topic. The status message in the response was

<StatusMessage>error in XPath: Prefix must resolve to a namespace: com9</StatusMessage>
Paul Clapham

Joined: Oct 14, 2005
Posts: 19973

I don't understand your question about "the root cause". That error message is the root cause, isn't it? Or what's your question?
priya jayaraj

Joined: May 12, 2009
Posts: 5
We have a URI that is bound to the namespace, say com9. Also, we could see in the log that the request element 'VendorId' is prefixed with the required namespace com9 (com9:source VendorId='AB') just before it is sent for XACML authorization. So we are stuck on what the cause would be and how and where the prefix is lost. The issue is also not consistently reproducible (when we restart the application servers). It would be great if we get any clues on how to proceed further with the investigation.

Thanks in advance,
Priya J
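
Added example (not from the thread and not sunxacml code): with the JDK's javax.xml.xpath API, a prefix used in an XPath expression is resolved through the evaluator's own NamespaceContext, and the prefixes declared in the request document are never consulted. The sketch below evaluates the thread's rule against a constructed request with no context, a correct context, and a context bound to a different URI. The class name, the sample request and the urn:example:* namespace URIs are assumptions; how sunxacml supplies its namespace context is not shown on this page.

```java
import java.io.StringReader;
import java.util.Iterator;
import java.util.Map;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathPrefixDemo {
    // Constructed request; the namespace URIs are placeholders, not values from the thread.
    static final String REQUEST =
        "<req xmlns:com9='urn:example:vendor'><com9:source VendorId='AB'/></req>";
    static final String RULE = "//com9:source[@VendorId='AB']";

    // Evaluate RULE with the given prefix map (null = evaluator has no namespace context).
    static String decide(Map<String, String> prefixes) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // without this, prefixed names never match
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(REQUEST)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        if (prefixes != null) {
            xpath.setNamespaceContext(new NamespaceContext() {
                public String getNamespaceURI(String p) { return prefixes.getOrDefault(p, ""); }
                public String getPrefix(String uri) { return null; }
                public Iterator<String> getPrefixes(String uri) { return null; }
            });
        }
        try {
            boolean hit = (Boolean) xpath.evaluate(RULE, doc, XPathConstants.BOOLEAN);
            return hit ? "Match" : "NoMatch";
        } catch (XPathExpressionException e) {
            // An evaluation error is not a "no": report it separately, as the PDP in the thread does.
            return "Indeterminate (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // 1) No context: the com9 prefix in RULE cannot be resolved, although REQUEST declares it.
        System.out.println(decide(null));
        // 2) Context binds com9 to the same URI the document uses: the rule matches.
        System.out.println(decide(Map.of("com9", "urn:example:vendor")));
        // 3) Context binds com9 to another URI: no error, the rule silently fails to match.
        System.out.println(decide(Map.of("com9", "urn:example:other")));
    }
}
```

The third case shows that matching is done on the namespace URI, so a log line showing the com9 prefix on the request element says nothing about whether the evaluator's prefix binding is present or correct.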