Versions Compared

Old Version 20

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version 21

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

...

The ScriptedAttribute AttributeDefinition constructs an output attribute via the execution of a JSR-223 script. Scripts are somewhat easier to write and maintain than native Java code, though they are slower. They can also be changed dynamically since the resolver is a ReloadableService.

Scripting

localtab-live
Localtabgroup
Expand
titleScript Context

The script "context" defines the execution environment for the script and provides the following variables:

  • resolutionContext

    • AttributeResolutionContext for the current resolution step, which exists within the tree of state information that tracks the current request

  • id

    • Variable which implements ScriptedIdPAttribute, whose name is the ID of the AttributeDefinition, and which will be the output of the script. Note: If an attribute of this same name occurs as a dependency (see below), then the attribute will be pre-populated with all the values of the dependent attribute.

  • profileContext

  • custom

    • Contains whatever bean was referenced by the customObjectRef XML Attribute

  • subjects

    • Array of Subject objects associated with this request. Note that these will only be present if the attribute resolution is associated with a completed authentication step (so is not present for back channel requests or certain other cases).

In addition, each defined dependency of the connector, it exists, will be present via an object which implements ScriptedIdPAttribute.

For an AttributeDefinition dependency, that IdPAttribute is supplied. For a DataConnector dependency, each IdPAttribute produced by that connector is supplied.

The variable's name will be the attribute ID of the attribute from the dependency. In the event that more than one dependency produces attributes with the same ID, the values of all of those attributes are merged and made available to the script.

Note that any changes made to these dependency objects within the script will not be reflected in the result of the resolution process. In contrast, changes made to other objects accessed by means of the other variables in most cases will cause side effects, and should usually be avoided.

localtab-live
Expand
titleScriptedtIdPAttribute Class

Wrapper Class

The attribute variables (both input and output) available to the scripting environment are exposed using a wrapper class, ScriptedIdPAttribute, which has the following methods:

  • Collection<Object> Collection<Object> getValues()

    • This returns the current values of the attribute (which may be empty).

    • As a convenience, values of type StringAttributeValue are available as simple Strings, but all other IdPAttributeValue subtypes are only available as their native type since their underlying data can only be accessed natively.

    • Values can be added and removed from this collection, but added values must be of type String or implement the IdPAttributeValue interface. This method cannot be called if getNativeAttribute() has been called on the same attribute in the same script.

  • IdPAttribute getNativeAttribute()

    • Provided for advanced use only, this returns a native IdPAttribute object instead of the wrapper class. This method cannot be called if getValues() has been called.

  • addValue(value)

    • This adds a value to the attribute. The parameter must either be a String or an implementation of IdPAttributeValue. See below for examples.

Adding Values

Values are added by calling the addValue() method. This must take either a String value or an object which implements IdPAttributeValue. The former is the most common case. A useful example of the latter is ScopedStringAttributeValue which has two constructor parameters - the value and scope, respectively. There are also other subclasses available.

Thus:

Adding a String Attribute Value (Rhino) 
Code Block
eduPersonEntitlement.addValue("urn:mace:dir:entitlement:common-lib-terms");
Adding a Scoped Attribute Value (Nashorn)
Code Block
languagejs
scopedValueType = Java.type("net.shibboleth.idp.attribute.ScopedStringAttributeValue");
eduPersonPrincipalName.addValue(new scopedValueType("user", "example.org"));
localtab-live
Expand
titleLocating Contexts

The standard way of locating other context types in the tree of state information is via context navigation. The following example shows how to locate a peer context and a child context (the actual context types shown are examples only):

Locating other contexts
Code Block
languagejs
child = resolutionContext.getSubcontext("net.shibboleth.idp.attribute.resolver.ChildContextType"); 
parent = resolutionContext.getParent();
peer = parent.getSubcontext("net.shibboleth.idp.attribute.resolver.PeerContextType");
localtab-live
Expand
titleLogging

The same logging framework used throughout the IdP (SLF4J) may be used for logging within a script. First import the package org.slf4j and then obtain an org.slf4j.Logger object from an org.slf4j.LoggerFactory. The logging category name used is arbitrary, but you may need to adjust the IdP's logging configuration to see particular results. Logging levels available are: error, warn, info, debug, trace.

The string passed to the LoggerFactory.getLogger method should be the name of an existing logger element, defined in logging.xml.

For more information on configuring logging within the IdP, see the LoggingConfiguration topic.

Logging (Rhino)
Code Block
languagejs
importPackage(Packages.org.slf4j);
 
logger = LoggerFactory.getLogger("net.shibboleth.idp.attribute");
Scripted.addValue("foo");
Scripted.addValue("bar");

logger.info("Values of scriptTest were: {} ", Scripted.getValues());
Logging (Nashorn)
Code Block
languagejs
logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");

Scripted.addValue("foo");
Scripted.addValue("bar");

logger.info("Values of scriptTest were: {} ", Scripted.getValues());

Reference

Localtabgroupexpand
Localtab live
titleSpecific XML Attributes

Name

Type

Default

Description

language

string

JavaScript

The default is ECMA script using either the Rhino (Java 7) or Nashorn (Java 8+) engines.

This situation is in flux due to the removal of Nashorn from future Java versions, and there are plans to provide a V4.1+ plugin that supplies one of these options in the future at the deployer's discretion.

customObjectRef

string

The name of a Spring Bean defined elsewhere. This bean will be made available to the script in a variable named "custom".

localtab-live
Specific
Expand
title
Specifix XML Elements

The following XML Elements are specific to this connector, and one of them must be supplied:

Name

Description

<Script>

The contents define the script to execute, usually wrapped in an XML CDATA block to avoid escaping

<ScriptFile>

The contents define a file which contains the script to execute

localtab-live
Expand
titleCommon XML Attributes
Include Page
AttributeDefinitionCommonAttributes
AttributeDefinitionCommonAttributes
localtab-live
Expand
titleCommon XML Elements
Include Page
AttributeDefinitionCommonChildElements
AttributeDefinitionCommonChildElements

V2 Compatibility

Warning

This support is deprecated and should have been removed in V4, however the change was not warned about sufficiently. This will be removed in V5.

...

Get eduPersonPrincipalName from LDAP or build one from uid

Variant 1: A "Prescoped" AttributeDefinition resolves existing eduPersonPrincipalName values from LDAP, then depends on a "ScriptedAttribute" definition to generate missing values. The Script also needs a dependency on the myLDAP DataConnector in order to have access to existing eduPersonPrincipalName and uid attribute values.

Minimal scripting, using Dependencies (Nashorn)

...