LocalDynamic + MetadataFilters = possible bug?

classic Classic list List threaded Threaded
22 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Re: LocalDynamic + MetadataFilters = possible bug?

Mak, Steve
        > This case seems weirder because I think Steve is saying it only happens some of the time.  But not sure if that's confirmed.

I can confirm that it only happens some of the time. We haven't been able to isolate any signs to predict when it will happen through our environment monitoring.

        > The example seems obfuscated with an "always true" predicate and dummy entity attribute value.

The always-true condition is the real condition we use for production. We globally apply the label to all md files in the subdirectory at load time for filter policies. The dummy attribute values are simply a Penn scoped urn with something very unexciting like "default", "internalapp", or "newvendor". We run about 8 or 9 subdirectories like this, all with the same logic but different attributeValue.

I put in dummy attribute values because they are not important to the problem as far as we can tell.

        > maybe the condition is failing in some intermittent way

We had suspected maybe this was the cause as we were originally using a global bean that resolved to always-true. We removed that global bean with the newer shibboleth.Conditions.TRUE to take that global bean out of the picture.

        > It seems like there must be a race condition somewhere.

This was the only thing that made logical sense to us as well, we just couldn't prove it with logs because it only happens in production and there are far too many logs if we turn on debug. I might be able to enable debug for just the metadata provider class that is doing the loading, but that seemed unnecessary at this time.

- Steve

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: LocalDynamic + MetadataFilters = possible bug?

Cantor, Scott E.
In reply to this post by Cantor, Scott E.
Steve,

The bug report that just came in was around MDQ, but in his case, he found the error I hit a while ago, and you would see the same thing in your logs, something including this:

2021-01-15 11:41:52,043 - ERROR [org.opensaml.saml.metadata.resolver.filter.impl.EntityAttributesFilter:233] - Error cloning AttributeValue
org.opensaml.core.xml.io.MarshallingException: Unable to root namespaces of cached DOM element, {urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue

The indication here is that this is happening intermittently, which I don't understand yet, but hoping it might apply to LocalDynamic too.

-- Scott


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
12