Tom,

Can you send me pointers to the PIP source code, your service and container
security descriptor? Also, can you please set logging to DEBUG for the
following package and send me logs?

org.globus.wsrf.impl.security.authorization

Thanks,
Rachana

> -----Original Message-----
> From: Tom Scavo [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 30, 2007 5:26 PM
> To: Rachana Ananthakrishnan
> Cc: gt-user
> Subject: Re: [gt-user] authz chains at both the container and service levels
> 
> On 10/29/07, Rachana Ananthakrishnan <[EMAIL PROTECTED]> wrote:
> > For 4.0.x, look at section 3.1 in
> > http://www.globus.org/toolkit/docs/4.0/security/authzframe/developer-index.html#s-authzframe-developer-archdes.
> > Pasting relevant piece here:
> >
> > "A chain of PDPs and PIPs, with relevant configuration information, can be
> > configured at resource, service or container level. If no chain is specified
> > at resource level, service level is used; if nothing is specified at service
> > level, the container level configuration is used. The engine evaluates each
> > PDP and PIP in the order specified and a deny-override mechanism is used to
> > render a decision. If one PDP returns a deny, the decision rendered is
> > deny."
> 
> This doesn't seem to work as advertised.  I have the following authz
> chains specified at both the container and service levels (resp.):
> 
> <authz value="global:org.globus.gridshib.SAMLAssertionPushPIP"/>
> <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>
> 
> The latter initializes first (Bug 5545) but the container PIP is
> invoked when I request the service.  See this log output:
> 
> http://dev.globus.org/images/c/c8/Gt-container-log-output-20071030.txt
> 
> Look for the following debug output (in order):
> 
> org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (secctxecho) initializing...
> org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) initializing...
> org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) collecting attributes...
> 
> Is this bug related to Bug 5545 or is this something new?
> 
> Tom
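
A model of the rule quoted from the 4.0.x documentation, applied to the two chains and the debug lines in the quoted message. It is an added example, not Globus Toolkit code and not from either poster. The function names, the prefix-to-level mapping, and returning no decision for a PIP-only chain are assumptions of the model.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of the quoted rules; this is not the Globus Toolkit API.
Step = Tuple[str, str, Callable[[dict], Optional[str]]]  # (kind, name, callable)

def select_chain(chains: Dict[str, List[Step]]) -> Tuple[Optional[str], List[Step]]:
    """The most specific configured level wins: resource, service, container."""
    for level in ("resource", "service", "container"):
        if chains.get(level):
            return level, chains[level]
    return None, []

def evaluate(chain: List[Step], request: dict) -> Tuple[Optional[str], List[str]]:
    """Run each step in order; one PDP deny overrides every permit.
    Returns None for a chain with no PDP (model assumption)."""
    decision, invoked = None, []
    for kind, name, fn in chain:
        invoked.append(name)
        result = fn(request)
        if kind == "PDP":
            decision = "deny" if "deny" in (decision, result) else "permit"
    return decision, invoked

# Prefixes of the two <authz> values in the message and the level each was set at.
PREFIX_LEVEL = {"global": "container", "secctxecho": "service"}
COLLECT_RE = re.compile(r"SAMLAssertionPushPIPImpl \((\w+)\) collecting attributes")

def unexpected_collectors(chains: Dict[str, List[Step]], log_text: str) -> List[str]:
    """Prefixes seen collecting attributes whose level is not the selected one."""
    level, _ = select_chain(chains)
    return [p for p in COLLECT_RE.findall(log_text) if PREFIX_LEVEL.get(p) != level]

def collect(request: dict) -> None:  # stand-in PIP: records that it ran
    request.setdefault("attributes", []).append("collected")

CHAINS = {
    "container": [("PIP", "global:org.globus.gridshib.SAMLAssertionPushPIP", collect)],
    "service": [("PIP", "secctxecho:org.globus.gridshib.SAMLAssertionPushPIP", collect)],
}
# Debug lines from the message, with the e-mail line wraps rejoined.
LOG = """\
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (secctxecho) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) collecting attributes...
"""

if __name__ == "__main__":
    level, chain = select_chain(CHAINS)
    print("expected level:", level, "->", evaluate(chain, {}))
    print("unexpected collectors in log:", unexpected_collectors(CHAINS, LOG))
```

Under the quoted rule the service-level chain is the one selected, so the `(global)` line collecting attributes is the one the check reports.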
