Problem when loading policy from DataBase

[Sylvain LF]

Hello,

We found an anomaly when loading policies from the database.

When we deploy a policy (with RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"), it is loaded in memory and in the database.

When we make a request, while the database is always loaded, we get a reply "PERMIT" (with our test set).

If we restart our program, and database, and we make same requests (with our test set), we got a reply "INDETERMINATE".

When we load policies from database through "XMLDataBasePersistenceManager" (org.herasaf.xacml.pdp.persistence.impl), method "getCombiningAlg()" of "Evaluatable" return "null", however the String return from DataBase is the same in the file that was deployed on DataBase.

loadAll() from XMLDataBasePersistenceManager :

Code:

for(String eval : evaluatablesXML){
                        // eval == File("myPolicy_insert_in_DataBase").toString()
try {
evaluatables.add(createEvaluatableFromString(eval));
                                //createEvaluatableFromString(eval).getCombiningAlg() == null;
} catch (SyntaxException e) {
throw new DataAccessException(e);
}
}

We do not know where the problem comes because the deployment of policy is through the same object PolicyConverter (method unmarshal(<?>))

The problem could come to the wrong encoding (file, database, ...)?

Regards,

SLF.

[René Eggenschwiler]

Hi Sylvain,

With your given information it is not possible for us to reproduce your issue.
We just had a look at the code. But can't find suspicious things.
Could you please attach a small example project or testcase, with which we can follow exactly the failure.
If you use Spring then please also attach your appCtx.

Regards,
René

[Erwan G]

Hello,

I have the same probleme, here a code sample that i used to reproduce the issue :

Code:

public class SimplePrototype
{
private ClassPathXmlApplicationContext ctx;
private PDP pdp;
long beginTime;

public SimplePrototype()
{
long tmpTime;
beginTime = System.currentTimeMillis();

System.out.println("chargement du context...");
ctx = new ClassPathXmlApplicationContext("context/ApplicationContext.ctx.xml");
tmpTime = (System.currentTimeMillis()- beginTime);
System.out.println("Context chargé [" + tmpTime + "ms]\n");

System.out.println("Instanciation du PDP...");
pdp = (PDP)ctx.getBean("pdp");
tmpTime = (System.currentTimeMillis()- beginTime);
System.out.println("PDP instancié   ["+tmpTime+"ms]\n");
}

public void deployAllPolicies()
{
long tmpTime;
List<Evaluatable> policyList = new ArrayList<Evaluatable>();
try
{
for(int i=1; i<=8; i++)
{
policyList.add(PolicyConverter.unmarshal(new File("src/test/resources/completeTest/StressTestPolicy00"+i+".xml")));
}

tmpTime = (System.currentTimeMillis()- beginTime);
System.out.println("policies unmarshaled : " + tmpTime);

pdp.deploy(policyList);

tmpTime = (System.currentTimeMillis()- beginTime);
System.out.println("policies deployed : " + tmpTime);

} catch (SyntaxException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (DataAccessException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (DataIntegrityException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}

private ArrayList<String> getFileNames() {
ArrayList<String> returnValue = new ArrayList<String>();

returnValue.add("src/test/resources/completeTest/StressTest001Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest002Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest003Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest004Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest005Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest006Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest007Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest008Request.xml");
returnValue.add("src/test/resources/completeTest/StressTest009Request.xml");
return returnValue;
}

public void evaluateAllRequest()
{
System.out.println("\nBegin of test requests evaluation ...\n");
ArrayList<String> arrayReq = getFileNames();
for(int i=0; i<arrayReq.size(); i++)
{
RequestCtx req;
try {
req = RequestCtxFactory.unmarshal(new File( arrayReq.get(i) ));
long beginEvaluateTime = System.currentTimeMillis();
System.out.println("Request n°" + i + ": " + arrayReq.get(i));
ResponseCtx resp = pdp.evaluate( req );
long tmpTime = System.currentTimeMillis() - beginEvaluateTime;
System.out.println("Response : " + resp.getResponse().getResults().get(0).getDecision());
System.out.println("Done in " + tmpTime + "ms\n");

} catch (SyntaxException e) {
System.out.println("Error when unmarshalling the request " + arrayReq.get(i));
e.printStackTrace();
}
}
System.out.println("\nEnd of test requests evaluation\n");

}

public static void main(String[] args)
{
SimplePrototype proto = new SimplePrototype();
//proto.deployAllPolicies();
proto.evaluateAllRequest();
}
}

For the first test, policies are deploy (uncomment the ligne : proto.deployAllPolicies()) and traces show expected results
For the second test, the ligne proto.deployAllPolicies() is commented. Policies are retreived when loading the context so same results should be expected
but all requests give a NOT APPLICABLE response.

I use a mySQL database and I join my configuration file to this post

Regards,

Erwan

[René Eggenschwiler]

Hi Erwan,

We just let your example running on our machines.
We can now reproduce your problem. We have the same behaviour.

We start investigation on the problem now and will come back to you as soon as we have found the problem.

Regards,
René

[Florian Huonder]

Hi all,

The problem is "only" a configuration issue in the ApplicationContext.
It works when the PDP-Bean in the ApplicationContext is adapted the following way:

Code:

<bean id="pdp" class="org.herasaf.xacml.pdp.impl.PDPImpl" depends-on="URNToRuleCombiningAlgorithmConverter,URNToPolicyCombiningAlgorithmConverter">
<property name="policyCombiningAlgorithm" ref="policyPermitOverridesAlgorithm" /><!-- The root combining algorithm -->
<property name="persistenceManager" ref="persistenceManager" />
<property name="evaluatablePreprocess" ref="evaluatablePreprocess" />
<property name="locator" ref="locator" />
<property name="referenceLoader" ref="referenceLoader" />
<property name="requestInformationFactory" ref="requestInformationFactory" />
<property name="attributeFinder" ref="herasafAttributeFinder" />
</bean>

See the new attribute depends-on.

The issue was that the PDP bean is loaded before the static-mapper of JAXB was loaded.
With the depends-on attribute we can force spring to initialize the converters (JAXB) before the PDP and then the PDP is able to resolve the combining-algorithms.

We created a JIRA task to fix this problem in the next release (http://jira.herasaf.org/browse/XACMLIMPL-84).

Regards,
Florian

[Erwan G]

Thank you for your answer and your reactivity,
it work now

Regards,
Erwan