Unexpected behaviour of specified - but missing - filter plugin

Description

An attribute-policy.xml file containing nothing but the AttributePolicyGroup tags with no children, will lead to all attributes/values being filtered out, as expected, since we're not explicitly allowing anything through. But if the attribute-policy.xml file is simply missing (but configured in shibboleth2.xml), then all attributes/values are allowed through - which is not what I would expect. I would expect a configured but missing policy and a configured policy that is present but essentially empty (i.e. only the childless AttributePolicyGroup tag) to be functionally equivalent.

So the behaviour that makes most sense would be that if there is a filter plugin specified, but it fails to load, a deny-all policy should be put in place.

Environment

None

Activity

Scott Cantor December 17, 2010 at 2:39 PM

Closing after release.

Fixed

Details

Assignee

Reporter

Fix versions

Affects versions

Created December 7, 2010 at 12:56 PM
Updated June 22, 2021 at 9:04 PM
Resolved December 7, 2010 at 4:46 PM