Hi Rachana,

The PIP is at location

http://viewcvs.globus.org/viewcvs.cgi/gridshib/gt/interceptors/java/source/src-proxies/4.0/org/globus/gridshib/SAMLAssertionPushPIP.java?view=log&pathrev=gridshib_gt_0_6_0_branch

Its implementation is at location

http://viewcvs.globus.org/viewcvs.cgi/gridshib/gt/interceptors/java/source/src/org/globus/gridshib/gt/authorization/SAMLAssertionPushPIPImpl.java?view=log&pathrev=gridshib_gt_0_6_0_branch

The security descriptors consist of the authz chains I posted earlier
and nothing else (except for the service descriptor, which has an
<auth-method> element).

Finally, here's the log output you asked for:

http://dev.globus.org/images/e/e3/Gt-container-log-output-20071030-more.txt

Hope this helps,
Tom

On 10/30/07, Rachana Ananthakrishnan <[EMAIL PROTECTED]> wrote:
> Tom,
>
> Can you send me pointers to the PIP source code, your service and container
> security descriptor? Also, can you please set logging to DEBUG for the
> following package and send me logs?
>
> org.globus.wsrf.impl.security.authorization
>
> Thanks,
> Rachana
>
> > -----Original Message-----
> > From: Tom Scavo [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, October 30, 2007 5:26 PM
> > To: Rachana Ananthakrishnan
> > Cc: gt-user
> > Subject: Re: [gt-user] authz chains at both the container and service
> > levels
> >
> > On 10/29/07, Rachana Ananthakrishnan <[EMAIL PROTECTED]> wrote:
> > > For 4.0.x, look at section 3.1 in
> > > http://www.globus.org/toolkit/docs/4.0/security/authzframe/developer-index.html#s-authzframe-developer-archdes.
> > > Pasting relevant piece here:
> > >
> > > "A chain of PDPs and PIPs, with relevant configuration information, can be
> > > configured at resource, service or container level. If no chain is specified
> > > at resource level, service level is used; if nothing is specified at service
> > > level, the container level configuration is used. The engine evaluates each
> > > PDP and PIP in the order specified and a deny-override mechanism is used to
> > > render a decision. If one PDP returns a deny, the decision rendered is
> > > deny."
> >
> > This doesn't seem to work as advertised. I have the following authz
> > chains specified at both the container and service levels (resp.):
> >
> > <authz value="global:org.globus.gridshib.SAMLAssertionPushPIP"/>
> > <authz value="secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"/>
> >
> > The latter initializes first (Bug 5545) but the container PIP is
> > invoked when I request the service. See this log output:
> >
> > http://dev.globus.org/images/c/c8/Gt-container-log-output-20071030.txt
> >
> > Look for the following debug output (in order):
> >
> > org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (secctxecho) initializing...
> > org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) initializing...
> > org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) collecting attributes...
> >
> > Is this bug related to Bug 5545 or is this something new?
> >
> > Tom
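
Added illustration, not part of the original thread and not GridShib or Globus code: a check that applies the chain precedence from the quoted documentation to the two authz chains above and compares it with the PIP debug lines in a container log. The log line shape is taken from the three lines quoted in the thread; the function names, the dictionary layout and the sample log are assumptions made for this example.

```python
import re

# Constructed sample: the three debug lines quoted in the thread.
SAMPLE_LOG = """\
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (secctxecho) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) initializing...
org.globus.gridshib.gt.authorization.SAMLAssertionPushPIPImpl (global) collecting attributes...
"""

# The <authz value="prefix:class"/> chains from the thread, keyed by level.
CHAINS = {
    "resource": [],
    "service": ["secctxecho:org.globus.gridshib.SAMLAssertionPushPIP"],
    "container": ["global:org.globus.gridshib.SAMLAssertionPushPIP"],
}

# "<class> (<prefix>) <event>..."; \s+ tolerates lines wrapped by a mail client.
EVENT = re.compile(
    r"(?P<cls>[\w.$]+)\s+\((?P<prefix>[\w-]+)\)\s+"
    r"(?P<event>initializing|collecting attributes)\.\.\."
)

def effective_chain(chains):
    """Documented precedence: resource, then service, then container."""
    for level in ("resource", "service", "container"):
        if chains.get(level):
            return level, chains[level]
    return None, []

def check_invocations(chains, log_text):
    """Compare PIP prefixes that collected attributes with the effective chain."""
    level, chain = effective_chain(chains)
    expected = [entry.split(":", 1)[0] for entry in chain]
    invoked = [m["prefix"] for m in EVENT.finditer(log_text)
               if m["event"] == "collecting attributes"]
    return {
        "level": level,
        "expected": expected,
        "invoked": invoked,
        "unexpected": [p for p in invoked if p not in expected],
        "missing": [p for p in expected if p not in invoked],
    }

if __name__ == "__main__":
    report = check_invocations(CHAINS, SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty "unexpected" list means a PIP from a level other than the documented effective one collected attributes for the request, which is the mismatch reported in the thread.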
