Circular dependency in attribute resolver

Christopher Bongaarts cab at umn.edu
Wed May 11 18:00:49 EDT 2016


On 5/11/2016 4:36 PM, Christopher Bongaarts wrote:
> BTW, I tried the change above (Dependency on umnLDAP) and it worked.  
> It just makes the IdP do extra work in copying all those attributes.

So "worked" may have been too strong a word.  It does indeed work for 
users who have umnCareerOffice populated in LDAP.  But if you don't have 
the attribute populated, the attribute resolver throws an exception.

2016-05-11 16:07:02,635 - DEBUG 
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:272] - 
Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 
'umnCampusMail' produced an attribute with 0 values
2016-05-11 16:07:02,635 - DEBUG 
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:372] - 
Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies 
for 'umnCareerOffice'
2016-05-11 16:07:02,636 - DEBUG 
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:372] - 
Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies 
for 'umnCareerOfficeExpanded'
2016-05-11 16:07:02,636 - DEBUG 
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:372] - 
Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies 
for 'umnCareerOfficeSplit'
2016-05-11 16:07:02,636 - DEBUG 
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:388] - 
Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving 
dependencies for 'umnCareerOfficeSplit'
2016-05-11 16:07:02,636 - DEBUG 
[net.shibboleth.idp.attribute.resolver.ad.impl.ScriptedAttributeDefinition:210] 
- Attribute Definition 'umnCareerOfficeSplit': adding to-be-populated 
attribute to script context
2016-05-11 16:07:02,636 - DEBUG 
[net.shibboleth.idp.attribute.resolver.ad.impl.ScriptedAttributeDefinition:216] 
- Attribute Definition 'umnCareerOfficeSplit': adding contexts to script 
context
2016-05-11 16:07:02,636 - DEBUG 
[net.shibboleth.idp.attribute.resolver.ad.impl.ScriptedAttributeDefinition:226] 
- Attribute Definition 'umnCareerOfficeSplit': adding emulated V2 
request context to script context
2016-05-11 16:07:02,636 - DEBUG 
[net.shibboleth.idp.attribute.resolver.ad.impl.ScriptedAttributeDefinition:231] 
- Attribute Definition 'umnCareerOfficeSplit': adding dependent 
attribute 'umnOTRSuppress' with the following values to the script 
context: [StringAttributeValue{value=TRUE}]
[....etc...]
2016-05-11 16:07:02,641 - DEBUG 
[net.shibboleth.idp.attribute.resolver.ad.impl.ScriptedAttributeDefinition:231] 
- Attribute Definition 'umnCareerOfficeSplit': adding dependent 
attribute 'umnModemAccess' with the following values to the script 
context: [StringAttributeValue{value=FALSE}]
2016-05-11 16:07:02,651 - ERROR 
[net.shibboleth.idp.profile.impl.ResolveAttributes:257] - Profile Action 
ResolveAttributes: Error resolving attributes
net.shibboleth.idp.attribute.resolver.ResolutionException: Attribute 
Definition 'umnCareerOfficeSplit': unable to execute script
         at 
net.shibboleth.idp.attribute.resolver.ad.impl.ScriptedAttributeDefinition.doAttributeDefinitionResolve(ScriptedAttributeDefinition.java:169)
Caused by: javax.script.ScriptException: ReferenceError: 
"umnCareerOffice" is not defined in nashorn:mozilla_compat.js at line 
number 67
         at 
jdk.nashorn.api.scripting.NashornScriptEngine.throwAsScriptException(NashornScriptEngine.java:467)
Caused by: jdk.nashorn.internal.runtime.ECMAException: ReferenceError: 
"umnCareerOffice" is not defined
         at 
jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57)

This is with the configuration where umnCareerOfficeSplit has a 
Dependency on umnLDAP (the data connector), with a sourceAttributeID of 
umnCareerOffice.  Yes, the first line of the Script is: 
load("nashorn:mozilla_compat.js");

I'll try it again without specifying the sourceAttributeID (since for 
Script, it's pulling in all the LDAP attributes anyway...)

I'd bet that converting the script to use the V3 conventions would also 
mitigate (or at least change) this behavior.

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
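The failure mode in the log above, as an added example that is not part of the original post and not Shibboleth code: a script variable that is only bound when the attribute has values raises a ReferenceError when read directly, while a `typeof` guard does not. The `runScript` and `resolve` helpers, the plain-string attribute values, the `;` delimiter and the sample entries are all assumptions made for illustration.

```javascript
// Added example: simulates a script engine that binds each resolved
// dependency attribute as a top-level variable. An attribute with no
// values is not bound at all (assumption, matching the ReferenceError
// in the log above).

// Hypothetical helper: run a script body with `bindings` as its variables.
function runScript(body, bindings) {
  const names = Object.keys(bindings);
  const fn = new Function(...names, body);
  return fn(...names.map((n) => bindings[n]));
}

// Unguarded script: reads the variable directly.
const unguarded = `
  return umnCareerOffice.split(";");
`;

// Guarded script: typeof on an undeclared identifier evaluates to
// "undefined" instead of throwing, so the absent case can be handled.
const guarded = `
  if (typeof umnCareerOffice === "undefined" || umnCareerOffice === null) {
    return [];
  }
  return umnCareerOffice.split(";");
`;

// Hypothetical wrapper: report success or the error instead of throwing.
function resolve(body, entry) {
  try {
    return { ok: true, values: runScript(body, entry) };
  } catch (e) {
    return { ok: false, error: e.name + ": " + e.message };
  }
}

// Constructed sample entries: one with the attribute populated, one without.
const withOffice = { umnModemAccess: "FALSE", umnCareerOffice: "CLA;CSE" };
const withoutOffice = { umnModemAccess: "FALSE" };

console.log(resolve(unguarded, withOffice));
console.log(resolve(unguarded, withoutOffice));
console.log(resolve(guarded, withoutOffice));
```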
