000022424 - Integer attribute not evaluated correctly as Integer user property in RSA ClearTrust Smart Rule

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022424
Applies ToMicrosoft Active Directory
RSA ClearTrust 5.5.3 Authorization Server (AServer)
Property Provider API
Created new RSA ClearTrust Smart Rule based on an Integer attribute in Microsoft Active Directory that was extracted using an External Property Provider
IssueInteger attribute not evaluated correctly as Integer user property in RSA ClearTrust Smart Rule

RSA ClearTrust Authorization Server in debug mode throws the following exception:

19:12:01:832 [*] [MUXWORKER-86] - java.lang.ClassCastException: java.lang.Integer
java.lang.ClassCastException: java.lang.Integer
at sirrus.da.auth.Entity.getExternalProperty(Entity.java(Compiled Code))
at sirrus.da.auth.Entity.getProperty(Entity.java(Compiled Code))
at sirrus.authserver.SmartRuleAuthorizationStep$AbstractSmartRuleEvaluator.evaluateSmartRules(SmartRuleAuthorizationStep.java:222)

RSA ClearTrust Smart Rule based on an Integer property value was not evaluated. The AServer log files indicated that the resource was not allowed:

sequence_number=256,2005-10-27 17:26:38:159 CDT,messageID=1011,user=xxxxx,webserver=www.rsa.com,URI=/test/*,client_ip_address=xxx.xxx.xxx.xxx,client_port=xxxx,result_code=11,result_action=Authorization Failure,result_reason=No Entitlement

ResolutionWhen creating the user property for the Integer attribute in the RSA ClearTrust Entitlements Manager (Admin GUI), create the user property as a string rather than as an Integer. The External Property Provider can then pass the Integer attribute correctly as a string value. In the Smart Rule, you can still use evaluators such as "is equal to" with the string value.

NOTE: The ClearTrust External Property Provider API is not designed to handle the integer type. For most purposes, string values are more flexible, and should be used in place of Integer types within the property provider interface. Attributes defined in the LDAP store as Integers may still be read by the Property Provider, but they should be stored as a string.
Legacy Article IDa28399