Bug 5544 – Interceptor initializes twice

Bug 5544 - Interceptor initializes twice

Summary:

Interceptor initializes twice

Status:	RESOLVED FIXED

Product:	Java WS Security
Component:	Authorization
Version:	4.0.4
Platform:	All All

Importance:	P3 normal
Target Milestone:	4.0.6
Assigned To:	Rachana Ananthakrishnan

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2007-09-11 08:18 by Tom Scavo
Modified:	2008-01-16 16:38 (History)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From Tom Scavo 2007-09-11 08:18:17

Two invocations of an interceptor in an authz chain causes the interceptor to
initialize twice.  See this thread for details:

http://www.globus.org/mail_archive/gt-dev/2007/06/msg00021.html

------- Comment #1 From Rachana Ananthakrishnan 2007-09-11 10:50:57 -------

I don't see the existing system to be faulty, but appreciate that there are use
cases for not initializing the PDPs with same scope twice. I think this
behavior should be configurable.

But I am not inclined to make this change in 4.0.x branch. If added,
initializing only once should not be the default behavior and an additional
configuration to override this behavior will be required so old configuration
can work seamlessly. Given, this can be worked-around in the PDP code, I am not
sure we need to change this in 4.0.x. 

I will review the code in trunk and incorporate this change in 4.1.x.

------- Comment #2 From Tom Scavo 2007-09-11 12:03:45 -------

I respect your decision regarding 4.0.x vs. 4.1.x, but I'm not sure how this
can be worked around in 4.0.x PDP code, as you claim.  If you could show or
tell me how to do this, I'd appreciate it.

------- Comment #3 From Tim Freeman 2007-09-11 12:20:31 -------

How about adding a "has been initialized" field to the interceptor that can be
checked at the top of the initialize method?

------- Comment #4 From Rachana Ananthakrishnan 2007-09-11 15:52:06 -------

Here is one suggestion based on the fact that configuration object is shared
across the authorization chain. Say you have foo:pdp1, bar:pdp1, foo:pdp1. In
pdp1#initialize(PDPConfig config...), the following should help.

Boolean init = config.getProperty("foo", "initialized");
if ((init != null) && (Boolean.TRUE.equals(init)) {
 // don't initialize, return
} 

// initialize
config.setProperty("foo", "initialized", Boolean.TRUE);

------- Comment #5 From Rachana Ananthakrishnan 2007-10-04 10:41:28 -------

Looking at this issue some more, it seems like more than initializing once: the
framework should probably create a single instance of the interceptor if scope
is the same. Also, I am inclined towards not making this configurable: if
initialziation is required twice, then it is as easily configurable with
different scope.

------- Comment #6 From Tom Scavo 2007-10-04 10:44:37 -------

I agree.  The reason I focused on initialization is that's the first effect you
observe when starting the container.

Thanks for looking into this.

------- Comment #7 From Rachana Ananthakrishnan 2007-10-04 21:46:57 -------

Trunk code has been modified to create only one instance of an interceptor if
scope and FQDN are the same. The same instance occurs in the chain each time is
repeated in configuration. This change has been made to bootstrap PIPs, PIPs
and PDPs. Javadocs for AbstractEngine has been updated and an updated
atchitecture document has been committed to 4.2 draft CVS.
(http://www.globus.org/toolkit/docs/development/4.2-drafts/security/authzframe/gtJavaAuthzEngine.pdf)

Tom, thanks for bringing this to our attention.