OpenAM / OPENAM-670

Entitlement evaluation throws org.json.JSONException when evaluating entitlements with resource attributes

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Snapshot9, Snapshot9.5, Snapshot9.5.1, Snapshot9.5.2_RC1, Snapshot9.5.2, 9.5.3_RC1, 9.5.3, 9.5.4_RC1, 9.5.4, 10.0.0-EA, 10.0.0
    • Fix Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress
    • Component/s: entitlements

      Description

      When using entitlements with Resource Attributes and evaluating entitlements with the REST-service, the following StackTrace is thrown in the Entitlement debug-log on the OpenAM server:

      ERROR: StaticAttribute.setState
      org.json.JSONException: JSONObject["pResponseProviderName"] not found.
      at org.json.JSONObject.get(JSONObject.java:516)
      at org.json.JSONObject.getString(JSONObject.java:687)
      at com.sun.identity.entitlement.StaticAttributes.setState(StaticAttributes.java:120)
      at com.sun.identity.entitlement.Privilege.getResourceAttributes(Privilege.java:400)
      at com.sun.identity.entitlement.Privilege.getInstance(Privilege.java:372)
      at com.sun.identity.entitlement.opensso.DataStore.searchPrivileges(DataStore.java:894)
      at com.sun.identity.entitlement.opensso.DataStore.search(DataStore.java:850)
      at com.sun.identity.entitlement.opensso.OpenSSOIndexStore$SearchTask.run(OpenSSOIndexStore.java:926)
      at com.sun.identity.entitlement.SequentialThreadPool.submit(SequentialThreadPool.java:38)
      at com.sun.identity.entitlement.opensso.OpenSSOIndexStore.search(OpenSSOIndexStore.java:411)
      at com.sun.identity.entitlement.opensso.OpenSSOIndexStore.search(OpenSSOIndexStore.java:379)
      at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:279)
      at com.sun.identity.entitlement.PrivilegeEvaluator.evaluate(PrivilegeEvaluator.java:263)
      at com.sun.identity.entitlement.Evaluator.evaluate(Evaluator.java:180)
      at com.sun.identity.policy.PolicyEvaluator.getResourceResultsE(PolicyEvaluator.java:1438)
      at com.sun.identity.policy.PolicyEvaluator.getResourceResults(PolicyEvaluator.java:1371)
      at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyRequest(PolicyRequestHandler.java:421)
      at com.sun.identity.policy.remote.PolicyRequestHandler.processPolicyServiceRequest(PolicyRequestHandler.java:230)
      at com.sun.identity.policy.remote.PolicyRequestHandler.processRequest(PolicyRequestHandler.java:185)
      at com.sun.identity.policy.remote.PolicyRequestHandler.process(PolicyRequestHandler.java:126)
      at com.iplanet.services.comm.server.PLLRequestServlet.handleRequest(PLLRequestServlet.java:180)
      at com.iplanet.services.comm.server.PLLRequestServlet.doPost(PLLRequestServlet.java:134)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:394)
      at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:294)
      at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:183)
      at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:169)
      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
      at java.lang.Thread.run(Thread.java:662)

      There is one exception thrown for every entitlement each time the evaluation is run.

      The 'setState(String s)' method in 'com.sun.identity.entitlement.StaticAttributes.java' expects the 'pResponseProviderName' to be set:

      /**
       * Sets the state of the object.
       *
       * @param s state of the object.
       */
      public void setState(String s) {
          if ((s != null) && (s.trim().length() > 0)) {
              try {
                  JSONObject json = new JSONObject(s);
                  propertyName = json.getString("propertyName");
                  propertyValues = JSONUtils.getSet(json, "propertyValues");
                  pResponseProviderName = json.getString("pResponseProviderName");
              } catch (JSONException ex) {
                  PrivilegeManager.debug.error("StaticAttribute.setState", ex);
              }
          }
      }

      But the javadoc for the get and set methods for 'pResponseProviderName' says that this is relevant only when StaticAttributes was created from OpenSSO policy Subject.

      /**
       * Sets OpenSSO policy response provider name of the object
       * @param pResponseProviderName response provider name as used in OpenSSO
       * policy, this is relevant only when StaticAttributes was created
       * from OpenSSO policy Subject
       */
      public void setPResponseProviderName(String pResponseProviderName) {
          this.pResponseProviderName = pResponseProviderName;
      }

      /**
       * Returns OpenSSO policy response provider name of the object
       * @return response provider name as used in OpenSSO policy,
       * this is relevant only when StaticAttributes was created from
       * OpenSSO policy Subject
       */
      public String getPResponseProviderName() {
          return pResponseProviderName;
      }

      I guess that the 'setState(String s)' should have a 'json.has("pResponseProviderName")' check before trying to get the String.

      Steps to reproduce:

      • Create an Entitlement policy in the beta-console.
      • Add a Resource Attribute to the policy e.g. foo=bar.
      • Use the Entitlement-REST service to evaluate authorisation for a resource that matches the policy.
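
      The check suggested in the description, as an added example (not OpenAM source, and not necessarily the change that was committed for this issue). The class name StaticAttributesSketch, the toSet helper standing in for JSONUtils.getSet, the JSON-array encoding of propertyValues and the sample state string are assumptions made for illustration.

```java
import java.util.HashSet;
import java.util.Set;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

// Added illustration: a stand-in for StaticAttributes, not the project's class.
public class StaticAttributesSketch {
    private String propertyName;
    private Set<String> propertyValues = new HashSet<String>();
    private String pResponseProviderName; // stays null when the key is absent

    public void setState(String s) {
        if (s == null || s.trim().length() == 0) {
            return;
        }
        try {
            JSONObject json = new JSONObject(s);
            // Required keys: a missing one is still a real error.
            propertyName = json.getString("propertyName");
            propertyValues = toSet(json.getJSONArray("propertyValues"));
            // Optional key: only present when the object was created from
            // an OpenSSO policy, so test for it before reading it.
            pResponseProviderName = json.has("pResponseProviderName")
                    ? json.getString("pResponseProviderName")
                    : null;
        } catch (JSONException ex) {
            // Now reached only for genuinely malformed state, so one log
            // entry here means something is actually wrong.
            System.err.println("StaticAttribute.setState: " + ex.getMessage());
        }
    }

    // Hypothetical replacement for JSONUtils.getSet (assumes a JSON array).
    private static Set<String> toSet(JSONArray arr) throws JSONException {
        Set<String> out = new HashSet<String>();
        for (int i = 0; i < arr.length(); i++) {
            out.add(arr.getString(i));
        }
        return out;
    }

    public static void main(String[] args) {
        StaticAttributesSketch attr = new StaticAttributesSketch();
        // Constructed state for the foo=bar attribute, with no provider name.
        attr.setState("{\"propertyName\":\"foo\",\"propertyValues\":[\"bar\"]}");
        System.out.println(attr.propertyName + "=" + attr.propertyValues
                + " provider=" + attr.pResponseProviderName);
    }
}
```

      With the optional key guarded, the per-entitlement error entries described above no longer appear in the debug log, so a JSONException logged from setState points at state that is actually malformed.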

            People

            Assignee: vrg.hu
            Reporter: johnerikhalse