* Copyright 2003-2004 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
*
* 1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
*
* 2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or
* other materials provided with the distribution.
*
* Neither the name of Sun Microsystems, Inc. or the names of contributors may be used to endorse or promote products derived from this software without
* specific prior written permission.
*
* This software is provided "AS IS," without a warranty of any kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
* WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN") AND ITS LICENSORS
* SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS DERIVATIVES. IN NO EVENT WILL
* SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
* CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE, EVEN IF SUN HAS BEEN ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGES.
*
* You acknowledge that this software is not designed or intended for use in the design, construction, operation or maintenance of any nuclear facility.
* This class implements the time-in-range function, which takes three time values and returns true if the first value falls between the second and the third
* value. This function was introduced in XACML 2.0.
* This class implements the time-in-range function, which takes three time values and returns true if the first value falls between the second and the third value. This function was introduced in
* XACML 2.0.
* <p>
* Note that this function allows any time ranges less than 24 hours. In other words, it is not bound by normal day boundries (midnight GMT), but by the minimum
* time in the range. This means that ranges like 9am-5pm are supported, as are ranges like 5pm-9am.
* Note that this function allows any time ranges less than 24 hours. In other words, it is not bound by normal day boundries (midnight GMT), but by the minimum time in the range. This means that
* ranges like 9am-5pm are supported, as are ranges like 5pm-9am.
*
* @since 2.0
* @author seth proctor
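Review bot: the rewrapped class comment still carries the typo "boundries" (should be "boundaries"); since these lines are rewritten anyway, fix it here. The sentence "not bound by normal day boundaries (midnight GMT), but by the minimum time in the range" is also the only place this behaviour is described; it would read more clearly as "the range is interpreted as a window of less than 24 hours starting at the lower bound, so both 9am-5pm and 5pm-9am are valid".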
...
...
@@ -90,14 +90,16 @@ public final class TimeInRangeFunction extends FirstOrderFunction.SingleParamete
}
/**
* Evaluates the time-in-range function, which takes three <code>TimeAttributeValue</code> values. This function return true if the first value falls
* between the second and third values (ie., on or after the second time and on or before the third time). If no time zone is specified for the second
* and/or third time value, then the timezone from the first time value is used. This lets you say time-in-range(current-time, 9am, 5pm) and always have
* the evaluation happen in your current-time timezone.
* Evaluates the time-in-range function, which takes three <code>TimeAttributeValue</code> values. This function return true if the first value falls between the second and third values (ie.,
* on or after the second time and on or before the third time). If no time zone is specified for the second and/or third time value, then the timezone from the first time value is used. This
* lets you say time-in-range(current-time, 9am, 5pm) and always have the evaluation happen in your current-time timezone.
*
* @param arg
* time to be checked against the lower and upper bounds
* @param lowerBound
* lower time bound
* @param upperBound
* upper time bound
* @return true iff arg is in range [lowerBound, upperBound]
*
*
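Review bot: grammar in the method Javadoc survives the rewrap: "This function return true" should be "returns", and "ie." should be "i.e.". The time-zone sentence also deserves a sharper wording: a bound given without a zone is re-interpreted in the first argument's zone on every evaluation, which callers should know when the first argument is the request's current-time.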
...
...
@@ -127,9 +129,8 @@ public final class TimeInRangeFunction extends FirstOrderFunction.SingleParamete
*/
setSameDate(calCheckedWhetherInRange,startCal);
/*
* Now we date does not matter in calendar comparison, we only compare times of the day so ignoring the date, the checked time of the day might be
* before the lower time bound but still be in range if considered this is the time on the next day. In this case, startCal is on day N, and
* calCheckedWhetherInRange on day N+1.
* Now we date does not matter in calendar comparison, we only compare times of the day so ignoring the date, the checked time of the day might be before the lower time bound but still be
* in range if considered this is the time on the next day. In this case, startCal is on day N, and calCheckedWhetherInRange on day N+1.
*/
/*
* Boolean below says whether the checked time is strictly after the start time if considered on the *same day*, i.e. in terms of time of day.
...
...
@@ -138,16 +139,15 @@ public final class TimeInRangeFunction extends FirstOrderFunction.SingleParamete
if(startCal.after(endCal))
{
/**
* start time of the day > end time of the day, for instance 02:00:00 > 01:00:00 so we consider the end time (01:00:00) on the next day (later
* than the second argument - end time - by less than 24h, the spec says). So we interpret the time interval as the date interval [startTime on
* day N, endTime on day N+1]. If checked time of day < start time of day (compared on the same day), then checked time can only be on day after
* to be in range
* start time of the day > end time of the day, for instance 02:00:00 > 01:00:00 so we consider the end time (01:00:00) on the next day (later than the second argument - end time - by
* less than 24h, the spec says). So we interpret the time interval as the date interval [startTime on day N, endTime on day N+1]. If checked time of day < start time of day (compared
* on the same day), then checked time can only be on day after to be in range
*/
if(isCheckedDayTimeStrictlyBeforeStartDayTime)
{
/*
* time checked is strictly before start time if considered on the same day, so not in range unless considered on day N+1 So let's compared
* with end time after considering them on the same day
* time checked is strictly before start time if considered on the same day, so not in range unless considered on day N+1 So let's compared with end time after considering them on
* args.poll() returns the first element and remove it from the stack, so that next poll() returns the next element (and removes it from the stack),
* etc.
* args.poll() returns the first element and remove it from the stack, so that next poll() returns the next element (and removes it from the stack), etc.
* XACML Match evaluator. This is the part of the Target that actually evaluates whether the specified attribute values in the Target match the corresponding
* attribute values in the request context.
* XACML Match evaluator. This is the part of the Target that actually evaluates whether the specified attribute values in the Target match the corresponding attribute values in the request context.
"Invalid inputs (Expressions) to the Match (validated using the equivalent standard 'any-of' function definition): "+anyOfFuncInputs,e);
thrownewIllegalArgumentException("Invalid inputs (Expressions) to the Match (validated using the equivalent standard 'any-of' function definition): "+anyOfFuncInputs,e);
}
}
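Review bot: "So let's compared with end time" should read "So let's compare with the end time", and the block opened with `/**` inside the method body is an ordinary comment, not Javadoc, so `/*` is the right opener. In the `MatchEvaluator` lines, the rethrown `IllegalArgumentException` embeds the whole `anyOfFuncInputs` expression list in its message; that is useful in logs, but confirm the message is not propagated verbatim to the requester, where it would expose policy internals.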
...
...
@@ -112,6 +110,7 @@ public class MatchEvaluator
*
* @return true iff the context matches
* @throws IndeterminateEvaluationException
* error occurred evaluating the Match element in this evaluation {@code context}
* JavaBean for the PDP to be used/called as JNDI resource.
*
* In JEE application servers such as Glassfish, you could use class org.glassfish.resources.custom.factory.JavaBeanFactory for registering the custom JNDI
* resource. More info: http://docs.oracle.com/cd/E26576_01/doc.312/e24930/jndi.htm#giywi
* In JEE application servers such as Glassfish, you could use class org.glassfish.resources.custom.factory.JavaBeanFactory for registering the custom JNDI resource. More info:
* For Tomcat, see http://tomcat.apache.org/tomcat-7.0-doc/jndi-resources-howto.html# Adding_Custom_Resource_Factories.
*
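Review bot: the Tomcat link in the `PdpBean` class Javadoc contains a space before the fragment (`...howto.html# Adding_Custom_Resource_Factories`), which breaks the URL; it should be `...howto.html#Adding_Custom_Resource_Factories`. The reflowed "More info:" line is also left dangling, with no URL following it on the same line.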
...
...
@@ -56,30 +51,30 @@ public final class PdpBean implements PDP
privateStringcatalogLocation=null;
/**
* Configuration file. Only the 'defaultPDP' configuration will be loaded, i.e. 'pdp' element with 'name' matching the 'defaultPDP' attribute of the root
* 'config' element
* Configuration file. Only the 'defaultPDP' configuration will be loaded, i.e. 'pdp' element with 'name' matching the 'defaultPDP' attribute of the root 'config' element
*
* @param filePath
* configuration file path used as argument to {@link org.springframework.core.io.DefaultResourceLoader#getResource(String)} to resolve the
* resource; any placeholder ${...} in the path will be replaced with the corresponding system property value
* @throws JAXBException
* configuration file path used as argument to {@link org.springframework.core.io.DefaultResourceLoader#getResource(String)} to resolve the resource; any placeholder ${...} in the path
* will be replaced with the corresponding system property value
* @throws IllegalArgumentException
* if there is an unresolvable placeholder in {@code filePath}
* Configuration schema file. Used only for validating XML configurations (enclosed with 'xml' tag) of PDP extension modules in PDP configuration file set
* with {@link #setConfigFile(String)}
* Configuration schema file. Used only for validating XML configurations (enclosed with 'xml' tag) of PDP extension modules in PDP configuration file set with {@link #setConfigFile(String)}
*
* @param filePath
* configuration file path used as argument to {@link org.springframework.core.io.DefaultResourceLoader#getResource(String)} to resolve the
* resource; any placeholder ${...} in the path will be replaced with the corresponding system property value
* @throws JAXBException
* configuration file path used as argument to {@link org.springframework.core.io.DefaultResourceLoader#getResource(String)} to resolve the resource; any placeholder ${...} in the path
* will be replaced with the corresponding system property value
* @throws IllegalArgumentException
* if there is an unresolvable placeholder in {@code filePath}
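Review bot: both setter Javadocs declare `@throws JAXBException` with no description, and the `filePath` description is rendered after that tag rather than under `@param filePath`; reorder so the description follows the `@param`, and either say when `JAXBException` is thrown or drop the tag if these setters only store the path. It is also worth stating plainly that `${...}` placeholders are resolved from JVM system properties, so whoever can set those properties decides where the PDP configuration and its schema are loaded from.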
@@ -89,27 +84,22 @@ public final class PdpBean implements PDP
* Set XML catalog for resolving XML entities used in XML schema
*
* @param filePath
* @throws JAXBException
* configuration file path used as argument to {@link org.springframework.core.io.DefaultResourceLoader#getResource(String)} to resolve the resource; any placeholder ${...} in the path
* will be replaced with the corresponding system property value
* @throws IllegalArgumentException
* if there is an unresolvable placeholder in {@code filePath}
LOGGER.info("Loading PDP configuration from file {} with extension schema location '{}' and XML catalog location '{}'",newObject[]{
confLocation,extSchemaLocation,catalogLocation});
LOGGER.info("Loading PDP configuration from file {} with extension schema location '{}' and XML catalog location '{}'",newObject[]{confLocation,extSchemaLocation,catalogLocation});
* Load Configuration model handler. Parameters here are locations to XSD files. Locations can be any resource string supported by Spring ResourceLoader.
* More info: http://docs.spring.io/spring/docs/current/spring-framework-reference/html/resources.html
* Load Configuration model handler. Parameters here are locations to XSD files. Locations can be any resource string supported by Spring ResourceLoader. More info:
* For example: classpath:com/myapp/aaa.xsd, file:///data/bbb.xsd, http://myserver/ccc.xsd...
*
*
* @param extensionXsdLocation
* location of user-defined extension XSD (may be null if no extension to load), if exists; in such XSD, there must be a XSD import for each
* extension schema. Only import the namespace, do not define the actual schema location here. Use the catalog specified by the
* <code>catalogLocation</code> parameter to specify the schema location. For example:
* location of user-defined extension XSD (may be null if no extension to load), if exists; in such XSD, there must be a XSD import for each extension schema. Only import the namespace,
* do not define the actual schema location here. Use the catalog specified by the <code>catalogLocation</code> parameter to specify the schema location. For example:
*
* <pre>
* {@literal
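Review bot: same `@throws JAXBException` without a description as in the preceding hunk. In the `PdpModelHandler` Javadoc, the example locations include `http://myserver/ccc.xsd`; since these XSDs and the catalog that resolves their imports decide what the PDP accepts as valid configuration, the doc should note that remote schema locations are best avoided or limited to trusted, integrity-protected sources. Also check that the Spring resources URL still follows the reflowed "More info:" line, as it is not visible in the rendered hunk.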
...
...
@@ -86,8 +85,7 @@ public class PdpModelHandler
* </pre>
*
* @param catalogLocation
* location of XML catalog for resolving XSDs imported by the pdp.xsd (PDP configuration schema) and the extensions XSD specified as
* 'extensionXsdLocation' argument (may be null)
* location of XML catalog for resolving XSDs imported by the pdp.xsd (PDP configuration schema) and the extensions XSD specified as 'extensionXsdLocation' argument (may be null)
@@ -103,10 +101,10 @@ public class PdpModelHandler
}
/*
* JAXB classes of extensions are generated separately from the extension base type XSD. Therefore no @XmlSeeAlso to link to the base type. Therefore
* any JAXB provider cannot (un)marshall documents using the extension base type XSD, unless it is provided with the list of the extra JAXB classes
* based on the new extension XSD. For instance, this is the case for JAXB providers used by REST/SOAP frameworks: Apache CXF, Metro, etc. So we need to
* add to the JAXBContext all the extensions' model (JAXB-generated) classes. These have been collected by the PdpExtensionLoader.
* JAXB classes of extensions are generated separately from the extension base type XSD. Therefore no @XmlSeeAlso to link to the base type. Therefore any JAXB provider cannot (un)marshall
* documents using the extension base type XSD, unless it is provided with the list of the extra JAXB classes based on the new extension XSD. For instance, this is the case for JAXB providers
* used by REST/SOAP frameworks: Apache CXF, Metro, etc. So we need to add to the JAXBContext all the extensions' model (JAXB-generated) classes. These have been collected by the
thrownewUnsupportedOperationException("XML configuration unmarshalling is not supported for "+clazz
+"; supported JAXB type for root configuration elements is: "+SUPPORTED_ROOT_CONF_ELEMENT_JAXB_TYPE);
thrownewUnsupportedOperationException("XML configuration unmarshalling is not supported for "+clazz+"; supported JAXB type for root configuration elements is: "
* XML schema handler that can load schema file(s) from location(s) supported by {@link ResourceUtils} using any OASIS catalog at any location supported by
* {@link ResourceUtils} as well.
* XML schema handler that can load schema file(s) from location(s) supported by {@link ResourceUtils} using any OASIS catalog at any location supported by {@link ResourceUtils} as well.
*
*/
publicclassSchemaHandler
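Review bot: the JAXB comment reads "Therefore no @XmlSeeAlso ... Therefore any JAXB provider cannot"; drop the second "Therefore" and say "so no JAXB provider can (un)marshal documents ... unless it is given the extra JAXB classes". The `UnsupportedOperationException` message built by string concatenation could be a single `String.format` now that the line is being reflowed anyway.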
...
...
@@ -100,8 +99,8 @@ public class SchemaHandler
}
}catch(IOExceptionex)
{
finalStringerrMsg="Unable to resolve schema-required entity with XML catalog (location='"+catalogLocation+"'): type="+type
finalStringerrMsg="Unable to resolve schema-required entity with XML catalog (location='"+catalogLocation+"'): type="+type+", namespaceURI="+namespaceURI
* This is quite similar to org.apache.cxf.catalog.OASISCatalogManager, except it is much simplified as we don't need as many features. We are not using
* CXF's OASISCatalogManager class directly because it is part of cxf-core which drags many classes and dependencies on CXF we don't need. It would make
* more sense if OASISCatalogManager was part of a cxf common utility package, but it is not the case as of writing (December 2014).
* This is quite similar to org.apache.cxf.catalog.OASISCatalogManager, except it is much simplified as we don't need as many features. We are not using CXF's OASISCatalogManager class directly
* because it is part of cxf-core which drags many classes and dependencies on CXF we don't need. It would make more sense if OASISCatalogManager was part of a cxf common utility package, but it
* is not the case as of writing (December 2014).
*/
privatestaticclassOASISCatalogManager
{
...
...
@@ -199,8 +198,7 @@ public class SchemaHandler
}
}catch(IOExceptione)
{
_LOGGER.warn(
"Error resolving resource needed by org.apache.xml.resolver.CatalogResolver for OASIS CatalogManager with URL: {}",e);
_LOGGER.warn("Error resolving resource needed by org.apache.xml.resolver.CatalogResolver for OASIS CatalogManager with URL: {}",e);
}
}
returns;
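Review bot: `_LOGGER.warn("... with URL: {}", e)` supplies only the exception for a `{}` placeholder that is meant for the URL, so depending on the SLF4J version the URL slot either shows the exception's `toString()` with no stack trace, or stays as a literal `{}`. Pass the URL as the first argument and the exception last, e.g. `_LOGGER.warn("... with URL: {}", url, e)` (the `url` variable name is assumed here).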
...
...
@@ -235,8 +233,7 @@ public class SchemaHandler
if(catalog==null)
{
_LOGGER.warn("Catalog found at {} but no org.apache.xml.resolver.CatalogManager was found. Check the classpatch for an xmlresolver jar.",
catalogURL);
_LOGGER.warn("Catalog found at {} but no org.apache.xml.resolver.CatalogManager was found. Check the classpatch for an xmlresolver jar.",catalogURL);
}else
{
catalog.parseCatalog(catalogURL);
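Review bot: "classpatch" in the warning message is a typo for "classpath"; fix it while the line is being reflowed.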
...
...
@@ -330,8 +327,7 @@ public class SchemaHandler
publicfinalReadergetCharacterStream()
{
/*
* No character stream, only byte streams are allowed. Do not throw exception, otherwise the resolution of the resource fails, even if byte stream
* OK
* No character stream, only byte streams are allowed. Do not throw exception, otherwise the resolution of the resource fails, even if byte stream OK
*/
returnnull;
// throw new UnsupportedOperationException();
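Review bot: the commented-out `throw new UnsupportedOperationException();` after `return null;` is dead code; the block comment already records why `null` is returned, so delete the commented line (the same applies to the two following hunks).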
...
...
@@ -381,8 +377,7 @@ public class SchemaHandler
publicfinalStringgetBaseURI()
{
/*
* No base URI, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even for
* absolute URIs
* No base URI, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even for absolute URIs
*/
returnnull;
// throw new UnsupportedOperationException();
...
...
@@ -398,8 +393,7 @@ public class SchemaHandler
publicfinalStringgetEncoding()
{
/*
* No encoding override, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even
* if encoding specified in other way
* No encoding override, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even if encoding specified in other way
*/
returnnull;
// throw new UnsupportedOperationException();
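Review bot: the comment in `getEncoding()` is copied from `getBaseURI()`: "only absolute URIs are allowed. Do not throw exception if no base URI" has nothing to do with encoding. Suggest: "No encoding override. Do not throw here, otherwise resolution of the resource fails even when the encoding is specified another way."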
...
...
@@ -429,7 +423,7 @@ public class SchemaHandler
privateStringcatalogLocation;
/**
* Default empty constructor, needed for instanciation by Spring framework
* Default empty constructor, needed for instantiation by Spring framework
*/
publicSchemaHandler()
{
...
...
@@ -439,6 +433,7 @@ public class SchemaHandler
* Sets (Spring-supported) locations to XML schema files
* This is mostly similar to org.apache.cxf.jaxrs.utils.schemas.SchemaHandler#createSchema(), except we are using Spring ResourceUtils class to get
* Resource URLs and we don't use any Bus object. We are not using CXF's SchemaHandler class directly because it is part of cxf-rt-frontend-jaxrs which
* drags many dependencies on CXF we don't need, the full CXF JAX-RS framework actually. It would make more sense if SchemaHandler was part of some cxf
* common utility package, but it is not the case as of writing (December 2014).
* This is mostly similar to org.apache.cxf.jaxrs.utils.schemas.SchemaHandler#createSchema(), except we are using Spring ResourceUtils class to get Resource URLs and we don't use any Bus
* object. We are not using CXF's SchemaHandler class directly because it is part of cxf-rt-frontend-jaxrs which drags many dependencies on CXF we don't need, the full CXF JAX-RS framework
* actually. It would make more sense if SchemaHandler was part of some cxf common utility package, but it is not the case as of writing (December 2014).
* Combining algorithm set. Allows to group combining algorithms, especially when it is actually the same generic algorithm but with different IDs, such as most
* standard algorithms which are the same for policy combining and rule combining algorithm IDs.
* Combining algorithm set. Allows to group combining algorithms, especially when it is actually the same generic algorithm but with different IDs, such as most standard algorithms which are the same
* for policy combining and rule combining algorithm IDs.
*
* TODO: consider making it a PdpExtension like FunctionSet, or generic PdpExtensionSet
*/
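Review bot: "Allows to group combining algorithms" should be "Allows grouping combining algorithms" (or simply "Groups combining algorithms"), and the `TODO` about making it a `PdpExtension` is carried into the reflowed comment unchanged; either track it as an issue or drop it from the Javadoc.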
...
...
@@ -40,6 +40,7 @@ public class CombiningAlgSet
* Creates set from multiple combining algorithms
*
* @param algorithms
* XACML policy/rule combining algorithms added to the set
* Returns a single instance of each of the functions supported by some class. The <code>Set</code> must contain instances of <code>Function</code>, and it
* must be both non-null and non-empty. It may contain only a single <code>Function</code>.
* Returns a single instance of each of the functions supported by some class. The <code>Set</code> must contain instances of <code>Function</code>, and it must be both non-null and non-empty. It
* may contain only a single <code>Function</code>.
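Review bot: "It may contain only a single `Function`" reads as a restriction, but the preceding sentence only requires the set to be non-null and non-empty; rephrase as "It may contain as few as one `Function`" so the two sentences do not contradict each other.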
@@ -73,24 +71,20 @@ public final class Apply<V extends Value> extends ApplyType implements Expressio
* @param xacmlApply
* XACML Apply element
* @param xPathCompiler
* Enclosing Policy(Set)'s default XPath compiler, corresponding to the Policy(Set)'s default XPath version specified in {@link DefaultsType}
* element.
* Enclosing Policy(Set)'s default XPath compiler, corresponding to the Policy(Set)'s default XPath version specified in {@link DefaultsType} element.
* @param expFactory
* expression factory for instantiating Apply's parameters
* @param longestVarRefChain
* Longest chain of VariableReference references leading to this Apply, when evaluating a VariableDefinitions, i.e. list of VariableIds, such
* that V1-> V2 ->... -> Vn -> <code>this</code>, where "V1 -> V2" means: the expression in VariableDefinition of V1 contains a VariableReference
* to V2. This is used to detect exceeding depth of VariableReference reference when a new VariableReference occurs in a VariableDefinition's
* expression. May be null, if this expression does not belong to any VariableDefinition.
* Longest chain of VariableReference references leading to this Apply, when evaluating a VariableDefinitions, i.e. list of VariableIds, such that V1-> V2 ->... -> Vn ->
* <code>this</code>, where "V1 -> V2" means: the expression in VariableDefinition of V1 contains a VariableReference to V2. This is used to detect exceeding depth of VariableReference
* reference when a new VariableReference occurs in a VariableDefinition's expression. May be null, if this expression does not belong to any VariableDefinition.
* @return Apply instance
*
* @throws IllegalArgumentException
* if {@code xacmlApply} is invalid or {@code expFactory} is null; or function ID not supported/unknown; if {@code xprs} are invalid
* expressions, or invalid arguments for this function; or if all {@code xprs} are static but calling the function statically (with these static
* arguments) failed
* if {@code xacmlApply} is invalid or {@code expFactory} is null; or function ID not supported/unknown; if {@code xprs} are invalid expressions, or invalid arguments for this
* function; or if all {@code xprs} are static but calling the function statically (with these static arguments) failed
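Review bot: the `@throws IllegalArgumentException` text refers to `{@code xprs}` three times, but no parameter of that name is documented here (the parameters are `xacmlApply`, `xPathCompiler`, `expFactory` and `longestVarRefChain`); it looks inherited from another factory method and should name the argument it actually means. Since `longestVarRefChain` is the guard against unbounded `VariableReference` chains, the doc should also say what is thrown when that depth is exceeded.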