
XACML Authorization: Decision 'Indeterminate'

 
priya jayaraj

We have a Web Service management tool which does Authentication and Authorization for all the incoming WebService requests.
Authorization is based on the rules that are configured for the appropriate service.
We also have XPath specification as part of rule configuration.

We have a rule configured as mentioned below
TestService authorized to the user of the particular group (TestGroup1) and XPath (\\com9:source[@VendorId='AB'])

When we tried accessing the Test Service, we received the following response despite giving a valid user (TestUser1 belonging to TestGroup1) and the proper XML element [com9:source VendorId='AB'] in the request.

<Response>
<Result ResourceID="http://testHost:testPort/TestService">
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
<StatusMessage>error in XPath: Prefix must resolve to a namespace: com7</StatusMessage>
</Status>
</Result>
</Response>

XACML authorization is done with the help of sunxacml.jar. The API 'PDP.evaluate(RequestCtx)' is invoked and we got the above-mentioned response. We came to know that the decision 'Indeterminate' comes if any exception occurs during authorization.

It would be very helpful if we get to know the root cause of the decision 'Indeterminate' in the above-mentioned scenario and the possible scenarios to get an 'Indeterminate' decision.

Thanks in advance,
With regards,
Priya.
 
priya jayaraj
Sorry for the typo in the original topic. The status message in the response was

<StatusMessage>error in XPath: Prefix must resolve to a namespace: com9</StatusMessage>
 
Paul Clapham
I don't understand your question about "the root cause". That error message is the root cause, isn't it? Or what's your question?
 
priya jayaraj
We have a URI that is bound to the namespace, say com9. Also, we could see in the log that the request element 'VendorId' is prefixed with the required namespace com9 com9:source VendorId='AB', just before it is sent for XACML authorization. So we are stuck on what would be the cause and how and where the prefix is lost. The issue is also not consistently reproducible (when we restart application servers). It would be great if we get any clues on how to proceed further with the investigation.

Thanks in advance,
Priya J
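
Added example, not part of the thread and not sunxacml code: with the standard javax.xml.xpath API, a prefix used in an XPath expression is resolved through the evaluator's NamespaceContext, not through the xmlns declarations in the request document, so a request that visibly carries com9:source can still produce this status message. The namespace URI, request body, class name and the mapping to decision strings are constructed for illustration.

```java
import java.io.StringReader;
import java.util.Iterator;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class PrefixBindingDemo {
    // Constructed sample values: the thread gives neither the namespace URI nor the request body.
    static final String NS = "urn:example:com9";
    static final String REQUEST =
        "<req xmlns:com9='" + NS + "'><com9:source VendorId='AB'/></req>";
    static final String RULE_XPATH = "//com9:source[@VendorId='AB']";

    // Prefix binding handed to the XPath evaluator; only getNamespaceURI matters here.
    static final NamespaceContext BOUND = new NamespaceContext() {
        public String getNamespaceURI(String prefix) { return "com9".equals(prefix) ? NS : ""; }
        public String getPrefix(String uri) { return null; }
        public Iterator<String> getPrefixes(String uri) { return null; }
    };

    // Evaluates the rule's XPath; an evaluation error is reported as Indeterminate.
    static String decide(Document doc, NamespaceContext ctx) {
        XPath xp = XPathFactory.newInstance().newXPath();
        if (ctx != null) xp.setNamespaceContext(ctx);
        try {
            boolean hit = (Boolean) xp.evaluate(RULE_XPATH, doc, XPathConstants.BOOLEAN);
            return hit ? "Permit" : "NotApplicable";
        } catch (XPathExpressionException e) {
            return "Indeterminate: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(REQUEST)));
        // Same document and same expression: first without, then with a prefix binding.
        for (NamespaceContext ctx : new NamespaceContext[] { null, BOUND }) {
            String decision = decide(doc, ctx);
            // The enforcement point grants access only on an explicit Permit.
            System.out.println(decision + " -> allow=" + decision.equals("Permit"));
        }
    }
}
```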
 