JBossResponseContext getResult strips multiple obligations from the evaluation response. ---------------------------------------------------------------------------------------- Key: SECURITY-561 URL: https://issues.jboss.org/browse/SECURITY-561 Project: PicketBox (JBoss Security and Identity Management) Issue Type: Bug Security Level: Public (Everyone can see) Components: PicketBox Affects Versions: 2.0.2.CR12 Environment: N/A Reporter: Brian Krisler Assignee: Anil Saldhana The getResult() method in JBossResponseContext prevents multiple Obligations from getting returned to the PEP. The code block: //Obligations Set<Obligation> obligationsSet = result.getObligations(); if(obligationsSet != null) { for(Obligation obl:obligationsSet) { ObligationType obType = new ObligationType(); obType.setObligationId(obl.getId().toASCIIString()); obType.setFulfillOn(EffectType.fromValue(Result.DECISIONS[obl.getFulfillOn()])); ObligationsType obligationsType = new ObligationsType(); obligationsType.getObligation().add(obType); resultType.setObligations(obligationsType); } } Causes the obligations to constantly get overwritten with the last one read in. --> resultType.setObligations(obligationsType) To fix, do something more like: // Obligations Set<Obligation> obligationsSet = result.getObligations(); if (obligationsSet != null && obligationsSet.size() > 0) { ObligationsType obligationsType = new ObligationsType(); for (Obligation obl : obligationsSet) { ObligationType obType = new ObligationType(); obType.setObligationId(obl.getId().toASCIIString()); obType.setFulfillOn(EffectType.fromValue(Result.DECISIONS[obl.getFulfillOn()])); obligationsType.getObligation().add(obType); } resultType.setObligations(obligationsType); } -- This message is automatically generated by JIRA. - For more information on JIRA, see: http://www.atlassian.com/software/jira