Metadata Typo Causes Integration Headaches

Brent Putman putmanb at georgetown.edu
Fri Sep 21 14:51:22 EDT 2018



On 9/20/18 8:01 AM, Marvin Addison wrote:
>>  I think that the MetadataCredentialResolver was fundamentally unable to "see" the KeyInfo data, since it could not have been unmarshalled correctly.  I think you would see log output from the below about an unknown child XMLObject from the KeyDescriptorUnmarshaller:
>> log.debug("Ignoring unknown child element {}", childXMLObject.getElementQName());
>>
>> ... and I think this should have resulted in some output from the KeyInfoCredentialResolver (used by the MCR) like so:
>> log.info("KeyInfo was null, any credentials will be resolved by post-processing hooks only");
> I don't see either of those log lines over an entire day, which
> included both metadata reloads and a Jetty restart.

Ok. I could be not remembering correctly the processing flow.  But in
general the point I was trying to make was that if the XML had wrong
namespaces, it wouldn't have been unmarshalled correctly, leading to it
then not being processable later on.  It might also help to know exactly
what the namespace mistakes were and where, if you still have the bad
metadata.  For example, if the KeyInfo element namespace was correct but
some of the children were wrong that would be different than the KeyInfo
element being wrong.


>
>> And then later, also from the KICR:
>> log.debug("A total of {} credentials were resolved", credentials.size());
> I do see that, but only in the success case after I had corrected my
> XML namespace mistake. I've cleaned up logs for both a full failure
> flow and success flow to facilitate comparison and further review:
>
> https://gist.github.com/serac/2cb0b152afddfdbb3fcd16d1742bc998
>

I'll try and take a look when I have some time vis-a-vis getting the
release out.
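
An added example, not part of the original message or of OpenSAML: a small metadata lint that separates the two cases raised above, a KeyInfo element in the wrong namespace versus a correct KeyInfo whose children are in the wrong namespace. The function names, the sample entity and the specific namespace typo are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# XML Signature element names expected inside a metadata KeyInfo
DS_NAMES = {"KeyInfo", "KeyName", "KeyValue", "RSAKeyValue", "X509Data",
            "X509Certificate", "X509SubjectName", "X509IssuerSerial", "X509SKI"}

def split_qname(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def check_key_descriptors(metadata_xml):
    """Return (kind, local_name, namespace) for misplaced KeyInfo content."""
    findings = []
    root = ET.fromstring(metadata_xml)
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        for child in kd:
            ns, local = split_qname(child.tag)
            if local != "KeyInfo":
                continue
            if ns != DS_NS:
                # KeyInfo itself is outside the XML Signature namespace.
                findings.append(("keyinfo", local, ns))
                continue
            # KeyInfo is fine; check its descendants (skip the element itself).
            for desc in list(child.iter())[1:]:
                dns, dlocal = split_qname(desc.tag)
                if dlocal in DS_NAMES and dns != DS_NS:
                    findings.append(("child", dlocal, dns))
    return findings

# Constructed sample; the namespace typo is illustrative, not the one from the thread.
BAD_NS = "http://www.w3.org/2000/09/xmldsig"  # missing trailing '#'

def sample(keyinfo_ns, child_ns):
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="https://sp.example.org/sp">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:KeyDescriptor use="signing"><k:KeyInfo xmlns:k="%s" xmlns:c="%s">'
            '<c:X509Data><c:X509Certificate>CONSTRUCTED</c:X509Certificate></c:X509Data>'
            '</k:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>'
            % (MD_NS, keyinfo_ns, child_ns))

if __name__ == "__main__":
    for label, doc in [("KeyInfo wrong", sample(BAD_NS, DS_NS)),
                       ("children wrong", sample(DS_NS, BAD_NS))]:
        print(label, check_key_descriptors(doc))
```

Running a check like this when metadata is edited or reloaded catches a key that would silently fail to resolve before it shows up as a trust failure at login.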