List:       shibboleth-users
Subject:    Re: Metadata Typo Causes Integration Headaches
From:       Brent Putman <putmanb () georgetown ! edu>
Date:       2018-09-21 18:51:22
Message-ID: dacb0eb7-0bbe-8da4-08b2-5187fa345595 () georgetown ! edu


On 9/20/18 8:01 AM, Marvin Addison wrote:
> > I think that the MetadataCredentialResolver was fundamentally unable to "see" the
> > KeyInfo data, since it could not have been unmarshalled correctly.  I think you
> > would see log output from the below about an unknown child XMLObject from the
> > KeyDescriptorUnmarshaller:
> > log.debug("Ignoring unknown child element {}", childXMLObject.getElementQName());
> >
> > ... and I think this should have resulted in some output from the
> > KeyInfoCredentialResolver (used by the MCR) like so:
> > log.info("KeyInfo was null, any credentials will be resolved by post-processing hooks only");
> I don't see either of those log lines over an entire day, which
> included both metadata reloads and a Jetty restart.

Ok. I could be not remembering correctly the processing flow.  But in
general the point I was trying to make was that if the XML had wrong
namespaces, it wouldn't have been unmarshalled correctly, leading to it
then not being processable later on.  It might also help to know exactly
what the namespace mistakes were and where, if you still have the bad
metadata.  For example, if the KeyInfo element namespace was correct but
some of the children were wrong that would be different than the KeyInfo
element being wrong.


> 
> > And then later, also from the KICR:
> > log.debug("A total of {} credentials were resolved", credentials.size());
> I do see that, but only in the success case after I had corrected my
> XML namespace mistake. I've cleaned up logs for both a full failure
> flow and success flow to facilitate comparison and further review:
> 
> https://gist.github.com/serac/2cb0b152afddfdbb3fcd16d1742bc998
> 

I'll try and take a look when I have some time vis-a-vis getting the
release out.
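
A pre-load check for the distinction drawn in the message above (the KeyInfo element itself in the wrong namespace versus only some of its children), added here as an example; it is not part of the original message or of Shibboleth/OpenSAML. The function names, the sample metadata and the mistyped namespace in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Local names that must be in the XML Signature namespace under a KeyDescriptor.
DS_NAMES = {"KeyInfo", "KeyName", "KeyValue", "X509Data", "X509Certificate"}

# Constructed sample (trimmed, placeholder certificate text): sp-a has KeyInfo
# itself in a mistyped namespace, sp-b only a child, sp-c is correct.
SAMPLE = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:EntityDescriptor entityID="https://sp-a.example.org"><md:SPSSODescriptor>
  <md:KeyDescriptor><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig">
   <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-b.example.org"><md:SPSSODescriptor>
  <md:KeyDescriptor><ds:KeyInfo>
   <ds:X509Data><md:X509Certificate>PLACEHOLDER</md:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-c.example.org"><md:SPSSODescriptor>
  <md:KeyDescriptor><ds:KeyInfo>
   <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor>
 </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def audit_key_descriptors(xml_text):
    """Return (entityID, element, namespace found) for each misplaced element."""
    findings = []
    root = ET.fromstring(xml_text)  # assumes a local metadata file under review
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        for kd in entity.iter(f"{{{MD}}}KeyDescriptor"):
            for el in kd.iter():
                ns, local = split_tag(el.tag)
                if local in DS_NAMES and ns != DS:
                    findings.append((entity.get("entityID"), local, ns))
    return findings

def keyinfo_itself_wrong(findings):
    """Entities where KeyInfo itself, not just a child, is in the wrong namespace."""
    return sorted({eid for eid, local, _ in findings if local == "KeyInfo"})

if __name__ == "__main__":
    for eid, local, ns in audit_key_descriptors(SAMPLE):
        print(f"{eid}: <{local}> is in namespace {ns!r}, expected {DS!r}")
```
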

