OES SM Returning An Extraneous "Unknown" Attribute When Condition Is Used

(Doc ID 2318954.1)

Last updated on OCTOBER 19, 2017

Applies to:

Oracle Entitlements Server - Version and later
Information in this document applies to any platform.


On : version, Security Modules

Why does SM return an extraneous "Unknown" attribute when condition is used?


An authorization policy includes a condition on an attribute, 'uid':

uid = gsaae01

When testing a request against the policy, a Permit is returned, but the OES SM log shows the attribute apparently being returned as two values.

Here is the log:

== Start Of Policy Evaluation Info ==========
Application: test

Requested Resource Type: foo2

Requested Resource: test_ldap_param

Requested Resource Present: false

Requested Action: GET

Request Subject Principals:
  class weblogic.security.principal.WLSUserImpl:CN=Extuser2 gsaae01, OU=People, OU=oracle, O=com

Effective Roles Granted: [authenticated-role]

Role-Mapping Policies: NONE

Static Role Grants: NONE

Denied Static Role Grants: NONE

Authorization Policies:
  Matched Policy Principals:
  class oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl:authenticated-role
  Policy Principals Semantics: OR
  Matched Policy Resource-Actions:
  Resource = /test_ldap_param, Action = ANY
  Policy Obligations: NONE
  Policy Evaluation Result: GRANT
  Policy Rules:
  Rule Effect: GRANT
  Rule Condition: (uid = gsaae01)
  Evaluated Rule Attributes and Functions:
  uid(Dynamic, String) = gsaae01
  uid(Unknown, String) =
  Rule Evaluation Result: GRANT

Notice that the attribute appears twice:

  uid(Dynamic, String) = gsaae01
  uid(Unknown, String) =

Both WS SM and Java SM have the same issue.
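
When reviewing many policy evaluation logs, the duplicated entry can be picked out mechanically. The following Python is an added example, not Oracle code: it assumes the `name(Category, Type) = value` line layout seen in the log excerpt above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the rule section of the evaluation log shown above.
SAMPLE_LOG = """\
  Policy Rules:
  Rule Effect: GRANT
  Rule Condition: (uid = gsaae01)
  Evaluated Rule Attributes and Functions:
  uid(Dynamic, String) = gsaae01
  uid(Unknown, String) =
  Rule Evaluation Result: GRANT
"""

SECTION_HEADER = "Evaluated Rule Attributes and Functions:"
# Assumed entry layout: name(Category, Type) = value, where value may be empty.
ATTR_LINE = re.compile(
    r"^(?P<name>[^\s(]+)\((?P<cat>[^,]+),\s*(?P<typ>[^)]+)\)\s*=\s*(?P<val>.*)$"
)

def parse_evaluated_attributes(log_text):
    """Return (name, category, type, value) for each entry in the section."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == SECTION_HEADER:
            in_section = True
            continue
        if not in_section:
            continue
        m = ATTR_LINE.match(line)
        if m is None:  # first non-entry line closes the section
            in_section = False
            continue
        entries.append((m["name"], m["cat"].strip(), m["typ"].strip(), m["val"].strip()))
    return entries

def find_extraneous_unknown(entries):
    """Names with an empty 'Unknown' entry next to an entry of another category."""
    by_name = defaultdict(list)
    for name, category, _typ, value in entries:
        by_name[name].append((category, value))
    return sorted(
        name for name, seen in by_name.items()
        if any(c == "Unknown" and v == "" for c, v in seen)
        and any(c != "Unknown" for c, _ in seen)
    )

if __name__ == "__main__":
    print(find_extraneous_unknown(parse_evaluated_attributes(SAMPLE_LOG)))
```

Entries are grouped by attribute name across the whole input, so feed it one rule's evaluation block at a time when a log contains several rules.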

