"Resolution failed for variable" Xpath with default namespace in Policy Server

Products

SITEMINDER

Issue/Introduction

When running Policy Server, and configuring a Web Service variable to get info about specific user from external SOAP service, the active expression fails and the Policy Server reports error:

Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (<variable>=="3")' failed with error 'Resolution failed for variable: <variable>'

Cause

The Policy Server receives the xml document as:

<soap:Envelope

xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<soap:Body>

<AddResponse

xmlns="http://tempuri.org/">

<AddResult>

3

</AddResult>

</AddResponse>

</soap:Body>

</soap:Envelope>

From this sample, the default namespace is xmlns="http://tempuri.org/". This default namespace has no prefix.

When it comes to expression (Xpath), the context is given by the namespace. When setting a default namespace in the scope of the element search, then the value cannot be reached, as the default namespace is excluded from the context (1).

"In XSLT, an outermost expression (i.e. an expression that is not

part of another expression) gets its context as follows:

the set of namespace declarations are those in scope on the element

which has the attribute in which the expression occurs; this includes

the implicit declaration of the prefix xml required by the the XML

Namespaces Recommendation [XML Names];

the default namespace (as declared by xmlns) is not part of this set"

More, if the NameSpace does not have any prefix, then its namespace URI is null, which will not be part XPATH Evaluation hence that node will be returned as null (2).

"A QName in the node test is expanded into an expanded-name using

the namespace declarations from the expression context. This is

the same way expansion is done for element type names in start and

end-tags except that the default namespace declared with xmlns is

not used:

if the QName does not have a prefix, then the namespace URI is

null (this is the same way attribute names are expanded)."

Resolution

Setting the Xpath to:

//*[local-name()='AddResult']/text()

Then, the Policy Server can get the expected value.

Testing with the xmllint command, which uses libxml2 and Xpath 1.0, the value gets returned too:

# xmllint --debug --debugent --xpath "//*[local-name()='AddResult']/text()" default-ns.xml
new input from file: default-ns.xml

3
DOCUMENT
No entities in internal subset
No entities in external subset

# cat default-ns.xml
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<AddResponse xmlns="http://tempuri.org/">
<AddResult>
3
</AddResult>
</AddResponse>
</soap:Body>
</soap:Envelope>

Then, having the Web Service variable configured as:

Name: <variable>
Variable Type: Web Service

URL: http://www.example.com/
XPath: //*[local-name()='AddResult']/text()

SOAP Body
<tem:Add xmlns:tem="http://tempuri.org/">
<tem:intA xmlns:tem="http://tempuri.org/">1</tem:intA>
<tem:intB xmlns:tem="http://tempuri.org/">2</tem:intB>
</tem:Add>

Now, the Policy Server can get the value "3":

  April 23, 2024 10:17:40.797 AM[1586845078:I] Created Active Expression instance for class: com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript
  April 23, 2024 10:17:40.814 AM[1586845078:Active Script] Invoked with parameter: "(<variable>=="3")"
  April 23, 2024 10:17:40.900 AM[1586845078:Active Script] Initial resolved variables: null 
  unresolved variables: <UVARS><Var name="<variable>" vtype="WebService" rtype="3"><![CDATA[<WebServiceVariableDefn xmlns:NeteWS="http://www.netegrity.com/2003/SM6.0"><NeteWS:RemoteURL>http://www.example.com/</NeteWS:RemoteURL><NeteWS:RemoteMethod>POST</NeteWS:RemoteMethod><NeteWS:ResultQuery>//*[local-name()='AddResult']/text()</NeteWS:ResultQuery><NeteWS:Document><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Header></soap:Header><soap:Body>      <tem:Add xmlns:tem="http://tempuri.org/">
           <tem:intA xmlns:tem="http://tempuri.org/">1</tem:intA>
           <tem:intB xmlns:tem="http://tempuri.org/">2</tem:intB>
        </tem:Add>
  </soap:Body></soap:Envelope></NeteWS:Document></WebServiceVariableDefn>]]></Var><Var name="3" vtype="Static" rtype="3"><![CDATA[3]]></Var></UVARS>

  April 23, 2024 10:17:42.397 AM[1586845078:AEC Variable Resolution] After resolution resolved variables: <RVARS><Var name="<variable>" rtype="3"><![CDATA[3]]></Var><Var name="<3>" rtype="3"><![CDATA[3]]></Var></RVARS> 
  unresolved variables: null
  April 23, 2024 10:17:42.695 AM[1586845078:Active Script] Successfully evaluated parameter: "(<variable>==3)"     result: true     script engine took: 297.0 milliseconds
  April 23, 2024 10:17:42.695 AM[1586845078:Active Expression Context] Elapsed time to process invoke on class: com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript is: 1897.0 milliseconds

and the user gets authorized:

[Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked. Parameter and result follow:][10:17:42.696][SmJavaAPI.cpp:1248][][][04/23/2024][10:17:42][JavaActiveExpression][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (<variable>=="3")][][][][][][][][][][]
[Evaluating OnAccessAccept policy in the realm ][10:17:42.698][IsAuthorized.cpp:806][][][04/23/2024][10:17:42][CSm_Az_Message::IsAuthorized][][<name>][][webservicevariable][webservicevariable][][][][][][s16/r5][][][][][][][][][][][][][][][][][][][cn=<name>,dc=example,dc=com][][][][][][][][][][][][][][OnAccessAccept][][][][][][][][][][][][][][]