Question about ResourceFilter
WULMS Alexander
Alexander.WULMS at swift.com
Mon Sep 19 10:51:29 BST 2011
I have tried with and without spaces. It does not make a difference. I have also tried to save the properties file with DOS line terminators (CR/LF) and with Unix line terminators (only LF). It does not make a difference either.
I have enabled log level ALL. According to the logging, the PropertyReplacementResourceFilter filter gets applied, though it does not show any details about macros being replaced:
11:25:46.994 - DEBUG [edu.internet2.middleware.shibboleth.common.config.BaseReloadableService:136] - Initializing shibboleth.AttributeFilterEngine service with resources: [C:\No_Backup\Apps\shibboleth\SWIFTConf\attribute-filter.xml]
11:25:46.994 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.AttributeFilterEngine
11:25:46.994 - DEBUG [org.opensaml.util.resource.AbstractFilteredResource:80] - Apply filter 'class org.opensaml.util.resource.PropertyReplacementResourceFilter' to resource 'C:\No_Backup\Apps\shibboleth\SWIFTConf\attribute-filter.xml'
11:25:46.994 - TRACE [org.opensaml.xml.parse.ClasspathResolver:77] - Attempting to resolve, within the classpath, the entity with the following system id: classpath:/schema/shibboleth-2.0-afp.xsd
11:25:46.994 - TRACE [org.opensaml.xml.parse.ClasspathResolver:94] - Entity resolved from classpath
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:77] - Attempting to resolve, within the classpath, the entity with the following system id: classpath:/schema/shibboleth-2.0-services.xsd
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:94] - Entity resolved from classpath
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:77] - Attempting to resolve, within the classpath, the entity with the following system id: classpath:/schema/shibboleth-2.0-resource.xsd
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:94] - Entity resolved from classpath
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:77] - Attempting to resolve, within the classpath, the entity with the following system id: classpath:/schema/xmldsig-core-schema.xsd
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:94] - Entity resolved from classpath
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:77] - Attempting to resolve, within the classpath, the entity with the following system id: classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
11:25:47.009 - TRACE [org.opensaml.xml.parse.ClasspathResolver:94] - Entity resolved from classpath
11:25:47.025 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeFilterPolicyGroup
11:25:47.025 - DEBUG [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyGroupBeanDefinitionParser:64] - Parsing attribute filter policy group ShibbolethFilterPolicy
11:25:47.025 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeFilterPolicy
11:25:47.025 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyBeanDefinitionParser:72] - Parsing configuration for attribute filter policy releaseAnyButSpecialSP
11:25:47.040 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:109] - Attempting to find parser for element of type: {urn:mace:shibboleth:2.0:afp:mf:basic}NOT
11:25:47.040 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:109] - Attempting to find parser for element of type: {urn:mace:shibboleth:2.0:afp:mf:basic}AttributeRequesterString
11:25:47.072 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeRule
11:25:47.072 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:109] - Attempting to find parser for element of type: {urn:mace:shibboleth:2.0:afp:mf:basic}ANY
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeFilterPolicy
11:25:47.087 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyBeanDefinitionParser:72] - Parsing configuration for attribute filter policy releaseSpecialSP
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:109] - Attempting to find parser for element of type: {urn:mace:shibboleth:2.0:afp:mf:basic}AttributeRequesterString
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeRule
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:109] - Attempting to find parser for element of type: {urn:mace:shibboleth:2.0:afp:mf:basic}ANY
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeRule
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:109] - Attempting to find parser for element of type: {urn:mace:shibboleth:2.0:afp:mf:basic}ANY
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeRule
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:109] - Attempting to find parser for element of type: {urn:mace:shibboleth:2.0:afp:mf:basic}ANY
11:25:47.087 - TRACE [edu.internet2.middleware.shibboleth.common.config.BaseSpringNamespaceHandler:115] - Attempting to find parser with element name: {urn:mace:shibboleth:2.0:afp}AttributeFilterPolicy
11:25:47.119 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.AttributeFilterEngine service loaded new configuration
Furthermore, the attribute filter does not log much useful stuff either at the moment that the SAML Response is being built. It just logs that it is evaluating the filter policy and indicates whether the filter policy is applicable or not:
11:26:42.587 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 10 attributes for principal alex.wulms at swift.com
11:26:42.587 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseAnyButSpecialSP is active for principal alex.wulms at swift.com
11:26:42.587 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy releaseAnyButSpecialSP is not active for principal alex.wulms at swift.com
11:26:42.587 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseSpecialSP is active for principal alex.wulms at swift.com
11:26:42.587 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy releaseSpecialSP is not active for principal alex.wulms at swift.com
Any advice on how to further investigate this issue is appreciated.
Thanks and brs,
Alex
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Chad La Joie
Sent: Friday, September 16, 2011 5:35 PM
To: Shib Users
Subject: Re: Question about ResourceFilter
No, the resource filters should work on any text-based config file.
There are a couple quick things to try though.
First, it looks like you have a space after the '=' in the property,
try removing that. I *think* surrounding whitespace gets stripped but
I'm not 100% sure.
Second, try turning on trace for the filter package and see if it logs
the actual strings that are being compared.
On Fri, Sep 16, 2011 at 11:18, WULMS Alexander
<Alexander.WULMS at swift.com> wrote:
> Hi,
>
>
>
> I'm using Shibboleth Idp 2.3.3. I'm currently experimenting with the
> ResourceFilter tag in the services.xml in order to inject some environment
> specific info into the config files like the attribute-filter.xml.
>
>
>
> I have followed the instructions on
> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPProdConfigFiles but
> it currently does not work as expected.
>
>
>
> Before I applied the resource filter, I had a rule in the
> attribute-filter.xml that looked like:
>
> <afp:AttributeFilterPolicy id="myServiceProvider">
>   <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
>       value="https://service-provider.domain.com" />
>   <afp:AttributeRule attributeID="mySpSpecificAttribute">
>     <afp:PermitValueRule xsi:type="basic:ANY" />
>   </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
>
>
> With this setup, the attribute mySpSpecificAttribute gets released into the
> SAML response for the service provider with entity-id
> https://service-provider.domain.com.
>
>
>
> With that working I have made some changes:
>
>
>
> 1) I have enabled a resourcefilter on the attribute-filter.xml in the
> services.xml file:
>
>
>
> <srv:Service id="shibboleth.AttributeFilterEngine"
>     xsi:type="attribute-afp:ShibbolethAttributeFilteringEngine">
>   <srv:ConfigurationResource
>       file="C:\No_Backup\Apps\shibboleth\SWIFTConf/attribute-filter.xml"
>       xsi:type="resource:FilesystemResource">
>     <resource:ResourceFilter xsi:type="PropertyReplacement"
>         xmlns="urn:mace:shibboleth:2.0:resource"
>         propertyFile="C:\No_Backup\Apps\shibboleth\SWIFTConf\config.properties"/>
>   </srv:ConfigurationResource>
> </srv:Service>
>
>
>
> 2) I have updated the attribute-filter.xml file to use a property instead of
> hardcoding the entity ID of the service provider:
>
> <afp:AttributeFilterPolicy id="myServiceProvider">
>   <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
>       value="${serviceprovider.entityId}" />
>   <afp:AttributeRule attributeID="mySpSpecificAttribute">
>     <afp:PermitValueRule xsi:type="basic:ANY" />
>   </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
>
>
> 3) I have made a config.properties file with the following contents:
>
> serviceprovider.entityId = https://service-provider.domain.com
>
>
>
> However, with this configuration, the attribute mySpSpecificAttribute no
> longer gets released into the SAML response.
>
>
>
> Is the usage of the resource filter only applicable to a subset of the
> config files or only to a subset of the tags or a subset of the properties?
>
>
>
> Any help or pointers to more detailed documentation are welcome.
>
>
>
> Alex Wulms
> Lead Developer, Swift.com development
> Tel: + 32 2 655 3931
>
> S.W.I.F.T. SCRL
>
--
Chad La Joie
www.itumi.biz
trusted identities, delivered
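
A stand-alone check for the situation in this thread, added here as an example (not code from the thread, Shibboleth or OpenSAML): it loads a properties file with java.util.Properties and lists every ${...} token in a config file together with the value it would resolve to. It assumes the filter reads its propertyFile with java.util.Properties; the class name PlaceholderCheck and the sample input, including the trailing space and the mis-cased second token, are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PlaceholderCheck {
    // ${name} tokens, the macro syntax used in the thread's attribute-filter.xml
    private static final Pattern TOKEN = Pattern.compile("\\$\\{([^}]+)\\}");

    /** Maps each ${...} token found in the text to its property value (null if undefined). */
    static Map<String, String> resolve(String configText, Properties props) {
        Map<String, String> result = new LinkedHashMap<>();
        Matcher m = TOKEN.matcher(configText);
        while (m.find()) {
            result.put(m.group(1), props.getProperty(m.group(1)));
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input mirroring the thread; in practice read the real files.
        String propertiesText =
            "serviceprovider.entityId = https://service-provider.domain.com \r\n";
        String filterXml =
            "<afp:PolicyRequirementRule xsi:type=\"basic:AttributeRequesterString\"\n"
          + "    value=\"${serviceprovider.entityId}\" />\n"
          + "<afp:PolicyRequirementRule xsi:type=\"basic:AttributeRequesterString\"\n"
          + "    value=\"${serviceprovider.entityID}\" />\n";

        Properties props = new Properties();
        props.load(new StringReader(propertiesText));

        for (Map.Entry<String, String> e : resolve(filterXml, props).entrySet()) {
            String v = e.getValue();
            if (v == null) {
                System.out.println("UNDEFINED  ${" + e.getKey() + "}");
            } else {
                // Brackets make leading/trailing whitespace visible.
                System.out.println("OK         ${" + e.getKey() + "} -> [" + v + "]"
                    + (v.equals(v.trim()) ? "" : "  <-- surrounding whitespace"));
            }
        }
    }
}
```

java.util.Properties skips whitespace around the `=` but keeps trailing whitespace as part of the value, and property keys are case-sensitive; a value carrying a stray space would not equal the requester's entity ID in an exact string comparison.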