
JUEL expression error using string functions

Article ID: 213782

Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When a Partnership is configured to set an attribute using a JUEL
expression, the Assertion Generator fails and reports a stack trace:

smtracedefault.log:

  [04/19/2021][13:55:41.732][13:55:41][2033][140494688450304][AssertionGenerator.java][invoke][13f0af86-c817f801-c7943499-09e48437-32b3fca1-5e13][][][][][][][][][][][][][][][][][][][][Error happens in running Assertionhandler process(). Leaving Assertion Generator Framework.  Exception:
  com.ca.fedcommon.managerservices.FederationManagerServiceException: Error evaluating expression: #{attr["cn"].contains("jsmith")  ? 'true' :'false' }
   at com.ca.federation.uel.UELEvaluatorServiceHandler.evaluate(Unknown Source)
   at com.netegrity.assertiongenerator.ExpressionEvaluator.evaluate(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.processExpressionEvaluation(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.generateValue(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.SAMLSPEntitlementGenerator.getEntitlementsList(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(Unknown Source)
   at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
   at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)
  Caused by: javax.el.MethodNotFoundException: Cannot resolve method 'contains' in 'class java.lang.String'
   at de.odysseus.el.tree.impl.ast.AstMethod.resolveMethod(AstMethod.java:67)
   at de.odysseus.el.tree.impl.ast.AstMethod.eval(AstMethod.java:97)
   at de.odysseus.el.tree.impl.ast.AstChoice.eval(AstChoice.java:34)
   at de.odysseus.el.tree.impl.ast.AstEval.eval(AstEval.java:42)
   at de.odysseus.el.tree.impl.ast.AstNode.getValue(AstNode.java:28)
   at de.odysseus.el.TreeValueExpression.getValue(TreeValueExpression.java:121)
   ... 9 more

  ][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [04/19/2021][13:55:41.746][13:55:41][2033][140494688450304][SmJavaAPI.cpp:1248][JavaActiveExpression][][][][][][][][][][][][][NO][][][][][][][][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked.  Parameter and result follow:][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][com.netegrity.assertiongenerator.AssertionGenerator -AssertionHandler:SAML20 unspecified:isJsmith=<%userattr="juel:#{attr["cn"].contains("jsmith")  ? 'true' :'false' }"%>][][][][][][][]

 

Environment

 

Policy Server 12.8SP5 on RedHat 8
CA Access Gateway (SPS) 12.8SP5 on RedHat 8

 

Resolution

 

Federation JUEL expressions don't support JSTL functions (String
functions such as contains, startsWith, substring, etc.). So evaluation
of the given expression

  #{attr["cn"].contains("jsmith")  ? 'true' :'false' }

fails with: Caused by: javax.el.MethodNotFoundException:
Cannot resolve method 'toString' in 'class java.lang.String'.
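To check whether other partnerships hit the same failure, the trace log can be scanned for records of this shape. The following is an added example, not Broadcom code: the function names are hypothetical, and the sample log is constructed by abbreviating the trace shown above.

```python
import re

# A trace record starts with [MM/DD/YYYY][HH:MM:SS.mmm]; the stack-trace lines
# that follow it belong to the same record.
RECORD_START = re.compile(
    r"^[ \t]*\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2}\.\d{3})\]", re.M)
EXPR = re.compile(r"Error evaluating expression: (.+)")
CAUSE = re.compile(r"^[ \t]*Caused by: (.+)$", re.M)
METHOD = re.compile(r"Cannot resolve method '(\w+)' in 'class ([\w.$]+)'")

# Constructed sample: the trace above with empty [] fields and most frames removed.
SAMPLE_LOG = '''\
[04/19/2021][13:55:41.732][13:55:41][2033][AssertionGenerator.java][invoke][Error happens in running Assertionhandler process().  Exception:
com.ca.fedcommon.managerservices.FederationManagerServiceException: Error evaluating expression: #{attr["cn"].contains("jsmith")  ? 'true' :'false' }
 at com.ca.federation.uel.UELEvaluatorServiceHandler.evaluate(Unknown Source)
Caused by: javax.el.MethodNotFoundException: Cannot resolve method 'contains' in 'class java.lang.String'
 at de.odysseus.el.tree.impl.ast.AstMethod.resolveMethod(AstMethod.java:67)
]
[04/19/2021][13:55:41.746][13:55:41][2033][SmJavaAPI.cpp:1248][JavaActiveExpression][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked.]
'''

def split_records(text):
    """Yield (date, time, body) for each trace record, stack trace included."""
    starts = list(RECORD_START.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        yield m.group(1), m.group(2), text[m.start():end]

def find_juel_failures(text):
    """Return one dict per record in which expression evaluation failed."""
    failures = []
    for date, time, body in split_records(text):
        expr = EXPR.search(body)
        if not expr:
            continue  # record does not report an expression failure
        causes = CAUSE.findall(body)
        root = causes[-1].strip() if causes else None  # last "Caused by" is the root
        method = METHOD.search(root or "")
        failures.append({
            "when": f"{date} {time}",
            "expression": expr.group(1).strip(),
            "root_cause": root,
            "unresolved_method": method.group(1) if method else None,
            "target_class": method.group(2) if method else None,
        })
    return failures

if __name__ == "__main__":
    for failure in find_juel_failures(SAMPLE_LOG):
        print(failure)
```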

As a workaround:

To make this JUEL expression

  #{attr["cn"].contains("jsmith")  ? 'true' :'false' }

work at present, you have to use a Named Expression in combination
with a virtual attribute to evaluate "cn".contains("somestring"); that
virtual attribute then has to be used in the JUEL expression to
evaluate the operation.

To illustrate:

  #{attr["CNFILTER"]=="jsmith" ? 'true' : 'false' }

I created in the User Directory an Attribute Mapping:

  CNFILTER as Alias : cn

I created a Named Expression:

  #CNFILTER as Expression : GET(cn)

and I set the Partnership attribute like:

  isJsmith : #{attr["CNFILTER"]=="jsmith" ? 'true' : 'false' }

and I get the Federation Attribute isJsmith returning "yes" as value:

smtracedefault.log:

  </ns5:Response>][][][][][][][][Active Expression evaluated for SmJavaAPI:
  JavaActiveExpression successfully invoked.  Parameter and result follow:][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][]
  [com.netegrity.assertiongenerator.AssertionGenerator -AssertionHandler:SAML20
  unspecified:isJsmith=<%userattr="juel:#{attr["CNFILTER"]=="jsmith" ? 'true' : 'false' }"%>][][][][][][][]

  [04/28/2021][10:56:50.859][10:56:50][2174][139695793084160][SmActiveExpr.cpp:527]
  [CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][]
  [<ns5:Response xmlns:ns5="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ns4="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#"
  xmlns="http://www.w3.org/2009/xmlenc11#" ID="_da6bdeff97fb37cb8b21fecf30ad8806e345"
  InResponseTo="_4cd87959d0ed8e5d798ff9954c2b8dd294cbd9a007" Version="2.0"
  IssueInstant="2021-04-28T08:56:50.855Z" Destination="http://myremotesp.myremotesp.com/sso">

  [...]

   <ns2:AttributeStatement> <ns2:Attribute Name="isJsmith"
       NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
       <ns2:AttributeValue
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xsi:type="xs:string">true</ns2:AttributeValue>
       </ns2:Attribute>