[jboss-jira] [JBoss JIRA] Created: (SECURITY-561) JBossResponseContext getResult strips multiple obligations from the evaluation response.

Brian Krisler (JIRA) jira-events at lists.jboss.org
Wed Feb 2 21:50:39 EST 2011 

JBossResponseContext getResult strips multiple obligations from the evaluation response.
----------------------------------------------------------------------------------------

                 Key: SECURITY-561
                 URL: https://issues.jboss.org/browse/SECURITY-561
             Project: PicketBox (JBoss Security and Identity Management)
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: PicketBox
    Affects Versions: 2.0.2.CR12
         Environment: N/A
            Reporter: Brian Krisler
            Assignee: Anil Saldhana


The getResult() method in JBossResponseContext prevents multiple Obligations from getting returned to the PEP. The code block:
//Obligations
Set<Obligation> obligationsSet = result.getObligations();
if(obligationsSet != null)
{
  for(Obligation obl:obligationsSet)
  {
    ObligationType obType = new ObligationType();
    obType.setObligationId(obl.getId().toASCIIString());                  
    obType.setFulfillOn(EffectType.fromValue(Result.DECISIONS[obl.getFulfillOn()]));
            
    ObligationsType obligationsType = new ObligationsType();
    obligationsType.getObligation().add(obType);
    resultType.setObligations(obligationsType);  
  }
}

Causes the obligations to constantly get overwritten with the last one read in.
  --> resultType.setObligations(obligationsType)

To fix, do something more like:
// Obligations
Set<Obligation> obligationsSet = result.getObligations(); 
if (obligationsSet != null && obligationsSet.size() > 0) {
  ObligationsType obligationsType = new ObligationsType();
  for (Obligation obl : obligationsSet) {
   ObligationType obType = new ObligationType();
   obType.setObligationId(obl.getId().toASCIIString());
   obType.setFulfillOn(EffectType.fromValue(Result.DECISIONS[obl.getFulfillOn()]));
   obligationsType.getObligation().add(obType);
  }				
  resultType.setObligations(obligationsType);
}

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list