IBM Verify

  • 1.  Information Point with custom attribute

    Posted Fri January 29, 2021 01:31 PM
    Dear community,

    I am trying to set up a custom attribute to use in Access Control, which would be populated in the JavaScript PIP.
    I've followed the example found on Philip Nye's blog: https://philipnye.com/2015/01/13/isam-for-mobile-javascript-policy-information-points/

    For some reason, when the access control rule gets triggered, I see an error in the runtime traces (see below), and the attribute is not populated.

    Does anyone have an idea what could be wrong?
    Am I missing some prerequisite configurations?

    Thank you in advance!
    Dean

    [1/29/21 19:24:16:600 CET] 00000083 id=00000000 DelegatingXACMLProviderImpl                                  I configureCache( Properties ) CWRGS4237I Caching of XACML requests by the XACML4J evaluation engine has been disabled.
    [1/29/21 19:24:16:728 CET] 00000083 id=00000000 com.tivoli.am.rba.extensions.PluginUtils                     3 trace worklight_pip_rule.hasAttribute(): entry
    [1/29/21 19:24:16:729 CET] 00000083 id=00000000 com.tivoli.am.rba.extensions.PluginUtils                     3 trace worklight_pip_rule.hasAttribute(): Looking for ("null", "bnppf:session_scope", "http://www.w3.org/2001/XMLSchema#string"urn:oasis:names:tc:xacml:1.0:subject-category:access-subject") in SUBJECT
    [1/29/21 19:24:16:737 CET] 00000083 id=00000000 com.tivoli.am.rba.extensions.PluginUtils                     3 trace worklight_pip_rule.hasAttribute(): returning false
    [1/29/21 19:24:16:738 CET] 00000083 id=00000000 com.tivoli.am.rba.pip.JavaScriptPIP                          I hasAttribute java.lang.RuntimeException: The JavaScriptPIP PIP instance is not initialize and couldn't run.
    at com.tivoli.am.rba.pip.JavaScriptPIP.hasAttribute(JavaScriptPIP.java:172)
    at com.tivoli.am.rba.pip.JavaScriptPIP.hasSubjectAttributes(JavaScriptPIP.java:482)
    at com.ibm.tscc.rtss.authz.internal.finders.CustomAttributeFinder.hasSubjectAttributes(CustomAttributeFinder.java:213)
    at com.ibm.tscc.rtss.authz.internal.finders.AttributeFinderDelegator.hasSubjectAttributes(AttributeFinderDelegator.java:240)
    at com.ibm.sec.authz.xacml.provider.internal.RuntimeAttributeFinderManager.lookupAttributes(RuntimeAttributeFinderManager.java:127)
    at com.ibm.sec.authz.xacml.provider.internal.DefaultRequestContext.getSubjectAttributes(DefaultRequestContext.java:198)
    at com.ibm.sec.authz.xacml.policy.internal.SubjectAttributeDesignatorImpl.evaluateExpression(SubjectAttributeDesignatorImpl.java:96)
    at com.ibm.sec.authz.xacml.policy.internal.functions.higherbag.AnyOfAnyFunction.performFunction(AnyOfAnyFunction.java:181)
    at com.ibm.sec.authz.xacml.policy.internal.ApplyImpl.evaluateExpression(ApplyImpl.java:191)
    at com.ibm.sec.authz.xacml.policy.internal.functions.logical.NotFunction.performFunction(NotFunction.java:72)
    at com.ibm.sec.authz.xacml.policy.internal.ApplyImpl.evaluateExpression(ApplyImpl.java:191)
    at com.ibm.sec.authz.xacml.policy.internal.functions.logical.AndFunction.performFunction(AndFunction.java:75)
    at com.ibm.sec.authz.xacml.policy.internal.ApplyImpl.evaluateExpression(ApplyImpl.java:191)
    at com.ibm.sec.authz.xacml.policy.internal.ConditionImpl.evaluateCondition(ConditionImpl.java:113)
    at com.ibm.sec.authz.xacml.policy.internal.RuleImpl.evaluate(RuleImpl.java:205)
    at com.ibm.sec.authz.xacml.provider.internal.normalize.NormalizedRule.evaluate(NormalizedRule.java:133)
    at com.ibm.sec.authz.xacml.provider.internal.indexed.IndexedXACMLStrategy.evaluateRules(IndexedXACMLStrategy.java:571)
    at com.ibm.sec.authz.xacml.provider.internal.indexed.IndexedXACMLStrategy.doEvaluateRequest(IndexedXACMLStrategy.java:371)
    at com.ibm.sec.authz.xacml.provider.internal.DelegatingXACMLProviderImpl._evaluateRequest(DelegatingXACMLProviderImpl.java:387)
    at com.ibm.sec.authz.xacml.provider.internal.DelegatingXACMLProviderImpl.evaluateRequest(DelegatingXACMLProviderImpl.java:330)
    at com.ibm.tscc.rtss.authz.spif.AuthzRuntimeServiceImpl.evaluate(AuthzRuntimeServiceImpl.java:554)
    at com.ibm.tscc.rtss.authz.spif.AuthzRuntimeServiceImpl.evaluateXACML(AuthzRuntimeServiceImpl.java:740)
    at com.ibm.tscc.rtss.authz.ws.xacml.AuthzServiceRaw.invoke(AuthzServiceRaw.java:107)
    at com.ibm.tscc.rtss.authz.ws.xacml.AuthzServiceRaw.invoke(AuthzServiceRaw.java:57)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
    at org.apache.cxf.jaxws.AbstractJAXWSMethodInvoker.invoke(AbstractJAXWSMethodInvoker.java:178)
    at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:72)
    at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:75)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
    at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:107)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:212)
    at com.ibm.ws.jaxws.endpoint.AbstractJaxWsWebEndpoint.invoke(AbstractJaxWsWebEndpoint.java:181)
    at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.handleRequest(LibertyJaxWsServlet.java:134)
    at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.doPost(LibertyJaxWsServlet.java:93)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:706)
    at com.ibm.ws.jaxws.webcontainer.LibertyJaxWsServlet.service(LibertyJaxWsServlet.java:85)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1230)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:729)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:426)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1218)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1002)
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:75)
    at com.ibm.ws.webcontainer40.servlet.CacheServletWrapper40.handleRequest(CacheServletWrapper40.java:83)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:938)
    at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:279)
    at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:1136)
    at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.wrapHandlerAndExecute(HttpDispatcherLink.java:417)
    at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink.ready(HttpDispatcherLink.java:376)
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:532)
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.handleNewRequest(HttpInboundLink.java:466)
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.processRequest(HttpInboundLink.java:331)
    at com.ibm.ws.http.channel.internal.inbound.HttpInboundLink.ready(HttpInboundLink.java:302)
    at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.determineNextChannel(SSLConnectionLink.java:1077)
    at com.ibm.ws.channel.ssl.internal.SSLConnectionLink$MyReadCompletedCallback.complete(SSLConnectionLink.java:656)
    at com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1803)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:503)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:573)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:954)
    at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1043)
    at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.lang.Thread.run(Thread.java:812)


  • 2.  RE: Information Point with custom attribute

    Posted Fri January 29, 2021 02:11 PM
    Hi Dean,

    Hard to tell from that trace - seems like the PIP is failing to initialise. Maybe a syntax error in the JavaScript or something fundamental like that?

    Can you create something really simple and test - then build up? If the simple one fails you could share code here so we can take a look?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------