Dominic Messenger created SECURITY-669:
------------------------------------------
Summary: JBossResponseContext getResult() does not copy obligation assignments
Key: SECURITY-669
URL: https://issues.jboss.org/browse/SECURITY-669
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: JBossXACML
Affects Versions: jbossxacml_2.0.6.Final
Reporter: Dominic Messenger
Assignee: Anil Saldhana
Affects jbossxacml 2.0.8.Final and below.
JBossResponseContext.getResult() copies obligations from the sunxacml result, but does not
copy the attribute assignments:
The code block (lines 156-164):
    ObligationsType obligationsType = new ObligationsType();
    for(Obligation obl:obligationsSet)
    {
        ObligationType obType = new ObligationType();
        obType.setObligationId(obl.getId().toASCIIString());
        obType.setFulfillOn(EffectType.fromValue(Result.DECISIONS[obl.getFulfillOn()]));
        obligationsType.getObligation().add(obType);
    }
Should read something like:
    ObligationsType obligationsType = new ObligationsType();
    for(Obligation obl:obligationsSet)
    {
        ObligationType obType = new ObligationType();
        obType.setObligationId(obl.getId().toASCIIString());
        obType.setFulfillOn(EffectType.fromValue(Result.DECISIONS[obl.getFulfillOn()]));
        // Copy each attribute assignment of the sunxacml obligation as well
        for(Object attrValue : obl.getAssignments()) {
            Attribute attr = (Attribute)attrValue;
            AttributeAssignmentType aaType = new AttributeAssignmentType();
            aaType.setAttributeId(attr.getId().toASCIIString());
            aaType.setDataType(attr.getType().toASCIIString());
            aaType.getContent().add(attr.getValue());
            obType.getAttributeAssignment().add(aaType);
        }
        obligationsType.getObligation().add(obType);
    }
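
Added example (not part of the original report and not PicketBox code): a PEP-side guard showing why the dropped assignments matter. XACML 2.0 requires a PEP to deny access unless it understands and can discharge every obligation, so an obligation that arrives without its attribute assignments should fail closed rather than be treated as fulfilled. The Obligation record, the REQUIRED table and the urn:example identifiers are assumptions made for the illustration.

```java
import java.util.*;

// Added example: stand-in types, not the JBossXACML or sunxacml classes.
public class ObligationGuard {
    // Minimal stand-in for an obligation as the PEP sees it in the response.
    record Obligation(String id, String fulfillOn, Map<String, String> assignments) {}

    // Hypothetical PEP table: assignments each known obligation needs before it can be discharged.
    static final Map<String, Set<String>> REQUIRED = Map.of(
        "urn:example:obligation:email-audit",
        Set.of("urn:example:attr:mailto", "urn:example:attr:subject"));

    // Returns the decision to enforce: it stands only if every applicable obligation is dischargeable.
    static String enforce(String decision, List<Obligation> obligations) {
        for (Obligation ob : obligations) {
            if (!ob.fulfillOn().equals(decision)) continue;   // not applicable to this decision
            Set<String> needed = REQUIRED.get(ob.id());
            if (needed == null) return "Deny";                // obligation the PEP does not understand
            Set<String> missing = new TreeSet<>(needed);
            missing.removeAll(ob.assignments().keySet());
            if (!missing.isEmpty()) {
                System.out.println(ob.id() + " is missing " + missing);
                return "Deny";                                // cannot discharge, so fail closed
            }
        }
        return decision;
    }

    public static void main(String[] args) {
        String id = "urn:example:obligation:email-audit";
        // Constructed sample: the obligation with the assignments written in the policy.
        Obligation full = new Obligation(id, "Permit", Map.of(
            "urn:example:attr:mailto", "audit@example.org",
            "urn:example:attr:subject", "record accessed"));
        // Constructed sample: the same obligation after a conversion that copies only id and FulfillOn.
        Obligation stripped = new Obligation(id, "Permit", Map.of());

        System.out.println(enforce("Permit", List.of(full)));
        System.out.println(enforce("Permit", List.of(stripped)));
    }
}
```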