[OTDev] OpenAM performance

Nina Jeliazkova jeliazkova.nina at gmail.com
Mon Jul 11 09:04:58 CEST 2011


Hello Andreas, All,


>
> So, can you find a StringIndexOutOfBoundsException in the logs? That
> would mean the corresponding policy has no such substring "Policies".
> It is unfortunately rather easy to feed OpenAM syntactically invalid
> policies, perhaps this has happened in your case, too.
>


OpenAM seems to perform DTD-based XML validation, and doesn't accept
invalid syntax.

<!DOCTYPE Policies PUBLIC \"-//Sun Java System Access Manager7.1 2006Q3
 Admin CLI DTD//EN\" \"jar://com/sun/identity/policy/policyAdmin.dtd\">

We've found the DOCTYPE statement _must_ be present in the XML posted,
otherwise the XML is rejected. What is interesting is that if one retrieves the
XML of an existing policy from the server, it _does_not_ contain the
DOCTYPE statement, and an attempt to import it into another server fails, just
because of the missing DOCTYPE. Adding it resolves the problem.

We have developed a client (https://github.com/vedina/opentox-aa-cli),
allowing one to archive policy XMLs from a server, given user and password, and
later import them into another instance. Hope this could be useful for the
migration to a newer OpenAM version.
This is also a generic OpenTox AA Java client library (used in ambit
services, and an older version of it in Bioclipse).

The modified version of Policy service is also available at
https://github.com/vedina/Pol

1) table structure slightly modified
2) added a connection pool (c3p0) for handling MySQL connections
3) the presence of tokens is verified first, then all other actions are
taken (this solves the issue reported by Vedrin)
4) improved exception handling
5) refactored as a Maven project (besides all the Maven goodies, now one can
test it locally by running mvn tomcat:run, without explicitly installing a
servlet container)
6) other minor refactoring for better readability

To summarize, an improved version of OpenTox AA (with the newest OpenAM and
policies extracted from the current setup and imported into the new one) can
be set up in a few days, and will have a better response time and scalability
than currently. There is still a problem with increased latency of bulk
deletion of policies (bulk means deleting several tens of thousands of policies),
but as far as I understood, for a few tens of policies (as is in the
validation use case), there is no such problem. Vedrin will be sending more
details about the outcome of the extensive OpenAM experiments he has been
performing since last week.

Regards,
Nina
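
The fix described in the message above (re-adding the DOCTYPE that the server leaves out of exported policy XML before importing it elsewhere), as an added example that is not part of the original post or of opentox-aa-cli. The function name and the sample export are constructed for illustration; it assumes the exported root element is `<Policies>`, as the DOCTYPE implies.

```python
import re

# DOCTYPE as quoted in the message above (its e-mail line wrap joined with one space).
POLICY_DOCTYPE = (
    '<!DOCTYPE Policies PUBLIC '
    '"-//Sun Java System Access Manager7.1 2006Q3 Admin CLI DTD//EN" '
    '"jar://com/sun/identity/policy/policyAdmin.dtd">'
)

# Constructed sample of an exported policy document (no DOCTYPE, as the message reports).
SAMPLE_EXPORT = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<Policies>\n<Policy name="constructed_example"/>\n</Policies>\n'
)

_XML_DECL = re.compile(r'\s*<\?xml\b.*?\?>', re.DOTALL)
_COMMENT_OR_PI = re.compile(r'\s*(?:<!--.*?-->|<\?.*?\?>)', re.DOTALL)
_DOCTYPE = re.compile(r'\s*<!DOCTYPE\s+([^\s>\[]+)')
_ROOT = re.compile(r'\s*<([A-Za-z_][\w.:\-]*)')


def ensure_policy_doctype(xml_text: str) -> str:
    """Return xml_text with the Policies DOCTYPE placed before the root element.

    Idempotent: a document that already declares the DOCTYPE is returned as is.
    Raises ValueError if the document is not a <Policies> document.
    """
    text = xml_text.lstrip('\ufeff')              # drop a byte-order mark, if any
    decl = _XML_DECL.match(text)
    pos = decl.end() if decl else 0
    # Skip comments and processing instructions in the prolog.
    while (m := _COMMENT_OR_PI.match(text, pos)):
        pos = m.end()
    existing = _DOCTYPE.match(text, pos)
    if existing:
        if existing.group(1) != 'Policies':
            raise ValueError('unexpected DOCTYPE: ' + existing.group(1))
        return text
    root = _ROOT.match(text, pos)
    if not root or root.group(1) != 'Policies':
        raise ValueError('root element is not <Policies>')
    # The DOCTYPE must follow the XML declaration (if present) and precede the root.
    if decl:
        return text[:decl.end()] + '\n' + POLICY_DOCTYPE + '\n' + text[decl.end():].lstrip()
    return POLICY_DOCTYPE + '\n' + text.lstrip()
```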




