Commit 438ce239 authored by cdanger

- Added support of OASIS XACML Committee's 2.0 version of conformance
tests upgraded to conform to the XACML 3.0 standard. Most of them have
been submitted to the OASIS XACML Committee in April 2014 by AT&T.
The original files are available on the xacml-comment mailing list:
https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html
and on AT&T's Github repository (MIT License):
https://github.com/att/XACML/wiki/XACML-TEST-Project-Information
except IIA010, IIA012, IIA024, IID029, IID030 and III.C (test 1 is the
only one supported in this latter category)
- Added feature with unit test: Policy Reference depth control and
circular reference detection
- Added feature with unit test: Variable Reference depth control and
circular reference detection
- Added option to enable/disable XPath support (xpathExpression
datatype, AttributeSelector and xpath functions)
- Added support of xpathExpressions in Request with support of
namespace-prefix mappings extracted from XML document
(...xmlns:prefix="uri"...) where the xpathExpression is defined, i.e.
XACML Request or Policy(Set), in native policy finders
- Added support of xpath-node-count function (optional XACML feature)
- Added support of optional XACML features: RequestDefaults/XPathVersion
for evaluation of xpathExpressions in Request, and ReturnPolicyIdList to
return identifiers of policies found applicable for the Request
- New modes of request parsing/filtering to enforce best practices and
tweak performance of Request processing:
1) strictAttributeIssuerMatch: parsing so that an AttributeDesignator
without Issuer only matches request Attributes without Issuer (better
performance if all Attributes have an Issuer, which is recommended, but
not fully XACML (§5.29) compliant)
2) allowAttributeDuplicates: allow defining multi-valued attributes by
repeating the same XACML Attribute (same AttributeId) within a XACML
Attributes element (same Category). Indeed, not allowing this is not
fully compliant with the XACML spec according to a discussion on the
xacml-dev mailing list (see {@linkplain
"https://lists.oasis-open.org/archives/xacml-dev/201507/msg00001.html"}),
referring to the XACML 3.0  core spec, §7.3.3, that indicates that
multiple occurrences of the same <Attribute> with same meta-data
but different values should be considered equivalent to a single
<Attribute> element with same meta-data and merged values
(multi-valued Attribute). Moreover, the XACML 3.0 conformance test
'IIIA024' expects this behavior: the multiple subject-id Attributes are
expected to result in a multi-value bag during evaluation of the
<AttributeDesignator>. Setting this parameter to {@code false} is
not fully compliant, but provides better performance, especially if you
know the Requests to be well-formed, i.e. all AttributeValues of a given
Attribute are grouped together in the same <Attribute> element.
Combined with strictAttributeIssuerMatch == true, this is the most
efficient alternative (although not fully compliant).
- Fixed non-compliance of Request Content parsing for XPath eval (use
the single child element of Content node as XML input doc to XPath eval,
NOT the Content node itself) -> removed useless need of JAXBContext and
creating JAXBSource for parsing into XDMnode -> perf improved
- Fixed AttributeSelector evaluation for XPath to XML attribute value
(return the attribute value as a string instead of an Attribute
node/entry "attributeName=attributeValue")
- Fixed VariableReferenceDepth control (reference chain was not updated
properly)
- Fixed PolicySetIdReference Depth control (reference chain was not
updated properly)
- Use of new immutable version of xacml-model where all XACML/JAXB
objects are immutable -> significant changes in the way to create these
objects during evaluation, esp. Obligations and Advices
- Fix ordering of obligations/advices when merging a given Policy(Set)'s
obligations/advices with the child elements' (Policy/Rule) ones
- Fixed static pre-eval on <Apply> with xpathExpression (should not
pre-eval statically, i.e. out of context, since xpathExpression value
depends on context)
- Replaced RELEASE-NOTES.md with CHANGELOG.md to adopt conventions from
keepachangelog.com
- Improved unit tests: ability to plug the TestAttributeProviderModule
configured with a file XXXAttributeProvider.xml to the PDP for specific
tests, also to plug referenced Policies for the RefPolicyFinder of the
PDP with 'refPolicies' directory containing Policy(Set)files; and
ability to test for Policy or Request syntax error checking only (no
Request evaluation by PDP)
- Improved test class TestUtils to create a PDP instance with XPath
support disabled/enabled and specific request filter ID on the PDP
- Improved TestAttributeProviderModule to support any static configuration
of Attributes (with constant values); same format as in XACML Requests
- Removed license header of Apache2 (replaced with GPL)
- Removed NOTICE.txt obsolete ("Apache AuthZForce" does not exist)
- Conformance tests split in 'mandatory' and 'optional' folder to
distinguish XACML mandatory feature from optional feature testing
- Change logback dependency scope from 'compile' to 'test' as we need it
only for tests, not for compiling -> simplifies dependencies
- Replaced dependency spring-xml (obsolete) with spring-core because we
only use org.springframework.util.* -> simplifies dependencies 
- Fix header plugin that was missing path to header license, and
'format' goals
- Refactor - extracted PDP interface and moved default implementation to
PDPImpl class, to hide internals from potential PDP API client and
improve genericity
- Refactor - extracted RequestFilter interface from abstract class and
moved abstract class code to BaseRequestFilter class to hide internals
from potential RequestFilter API client and improve genericity; and to
merge common code between DefaultRequestFilter and
MultiDecisionRequestFilter
- Refactor - extracted IndividualDecisionRequest interface from abstract
class and moved abstract class code to MutableIndividualDecisionRequest
and ImmutableIndividualDecisionRequest classes, to hide internals from
potential RequestFilter API client and improve genericity
- Made BasePdpExtensionRegistry mutable to allow adding extensions after
creating instance from an existing one
- DecisionResult renamed to more explicit name PolicyDecisionResult
- Moved old README content to another project (rest-service) since it does
not apply anymore, and replaced with proper content.
parent ce305116

# Change log
All notable changes to this project are documented in this file following the conventions at keepachangelog.com.
This project adheres to [Semantic Versioning](http://semver.org).
## Unreleased
## 3.5.5
- License changed to GPLV3
## 3.5.2
- Bug fixed when there were more than one AnyOf and AllOf.
- Only the Match element was evaluated with the "match(context)" function
- Unitary tests were added to complete and prevent that from happening again
## 3.4.2
- Fixing bugs on deny-unless-permit and permit-unless-deny rule combining algorithms (misplaced cast)
## 3.4.0
- Implementation working with XACML 3.0 requests and policies compliant with OASIS XACML model (xsd)
- Artifact name refactored => authzforce-core-authzforce
- Partial implementation of the Multiple Decision Profile. The MultiRequests scheme is not implemented yet
- Functionnal tests added for XACML 3.0 model. This is actually the OASIS functional tests translated to a v3.O model.
- Implementation of the "IncludeInResult" attribute
- Full support of obligations
- Full support of advices
- Apache 2.0 licence headers added to every source file
- XACML 3.0 Combining algorithms implemented: deny-unless-permit, deny-unless-permit, permit-unless-deny, permit-unless-deny
- XACML 3.0 Functions implemented: string-starts-with, string-ends-with, string-contains, string-substring,
## 2.1.4
- Stable version working with XACML 2.0
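Review bot: `## Unreleased` is empty although this commit introduces the changes described in its message (XPath enable/disable option, Policy and Variable reference depth control with circular reference detection, the strictAttributeIssuerMatch and allowAttributeDuplicates request-filter modes, the spring-xml to spring-core swap, logback moved to test scope); under the keepachangelog conventions adopted here they belong under Unreleased so the next release can be cut from this file. Smaller points in the 3.4.0 entry: the combining-algorithm line lists deny-unless-permit and permit-unless-deny twice each, the Functions line ends with a dangling comma, and 'Functionnal' and 'v3.O' should read 'Functional' and 'v3.0'.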
Apache AuthZForce
Copyright 2013 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
\ No newline at end of file
AuthZForce - Authorization Server
=================================
# INSTALLATION GUIDE
## Version
Version | Date | Comment |
---------|:------:|:--------------:|
1.0 | 23/02/2012 | Initialisation |
2.0 | 20/09/2013 | Update for the 3.0 version of the PDP |
# AuthZForce Core
PDP engine implementation of the XACML 3.0 Core and part of the Multiple Decision Profile (section 2.3, i.e. repetition of attribute categories) specifications. For further details on what is actually supported with regards to the specifications, please refer to `src/test/resources/conformance/xacml-3.0-from-2.0-ct/README.md`.
# Summary
* Version
* [Prerequisites](#prerequisites)
* [Sun Java JDK](#sun-java-jdk)
* [Tomcat Installation](#tomcat-installation)
* [Installing the Authorization Server](#installing-the-authorization-server)
* [Unitary Tests](#unitary-tests)
* [Conformance Tests](#conformance-tests)
* [Installation](#installation)
* [Installation Checking](#installation-checking)
* [Authorization Server Configuration](#authorization-server-configuration)
* [Policy Finder Configuration](#policy-finder-configuration)
* [Attribute Finder Configuration File](#attribute-finder-configuration-file)
* [JDBC](#jdbc)
* [LDAP](#ldap)
* [Fortress](#fortress)
* [JWT](#jwt)
* [String Map](#string-map)
* [JSON Path](#json-path)
* [RestFul](#restful)
* [Calling the PDP](#calling-the-pdp)
* [Test the PDP from a REST client](#test-the-pdp-from-a-rest-client)
## Getting started
To get started using a PDP to evaluate XACML requests, instantiate a new PDP instance with one of the methods: `org.ow2.authzforce.core.PdpConfigurationParser#getPDP(...)`. The parameters are:
# Prerequisites
## Sun Java JDK
The authorization server run on Java, so it is prerequisite to have java running on the server. For compatibility reasons, it is highly recommended to use Sun java instead of the Open Java that is now default for some Linux distributions.
1. location of the configuration file (mandatory): this file must be an XML document compliant with schema `src/main/resources/pdp.xsd`. You can read the documentation of every configuration parameter in that file.
1. location of the XML catalog (optional, required only if using one or more XML-schema-defined PDP extensions): used to resolve the PDP configuration schema and other imported schemas/DTDs, and schemas of any PDP extension namespace used in the configuration file. An example of such file is located at `src/main/resources/catalog.xml`. This is the one used by default if none specified.
1. location of the PDP extensions schema file (optional, required only if using one or more PDP extensions): contains imports of namespaces corresponding to XML schemas of all XML-schema-defined PDP extensions to be used in the configuration file. Used for validation of PDP extensions configuration. The actual schema locations are resolved by the XML catalog parameter.
## Tomcat Installation
To run the Policy decision Point, you also need a Tomcat Server to deploy the AuthZForce-REST-[VERSION].war (Tomcat 6/0 was our testing version but tomcat 7 can be used too).
# Installing the Authorization Server
## Unitary Tests
TODO
## Conformance Tests
TODO
## Installation
* /etc/AuthZForce/conf Configuration files
* log4j.properties: PDP log4j configuration file
* config.xml: PDP configuration file
* /etc/AuthZForce/policies Contains an example policy
* /etc/AuthZForce/logs Logs files
* pdp.log: PDP system logs
* pdp-audit.log: Authorization decision audit logs
### Copy the default configuration file in this directory:
## Installation Checking
Start the server by running this command:
```bash
[root@ authzforce ~]# /opt/apache-tomcat-6.0.35/bin/catalina.sh start
````
Test that the PDP and the REST interface is running by doing a GET request to the
```bash
[root@ authzforce ~]# curl -X GET http://@IP:8080/AuthZForce-REST-[VERSION]/pdp/service
```
The Server should respond by a 200 status code and display "It Works !"
# Authorization Server Configuration
The authorization server configuration file is located in
> /etc/AuthZForce/conf/config.xml
You can find below and example of configuration and a description of the different element. You can modify this configuration according to your situation:
```xml
<config defaultPDP="PDPDemo" defaultAttributeFactory="attr"
defaultCombiningAlgFactory="comb" defaultFunctionFactory="func">
<pdp name="PDPDemo">
<!--******************Declaration of the Policy Finder******************************** -->
<policyFinderModule class="com.sun.xacml.finder.impl.FilePolicyModule">
<list>
<string>/etc/AuthZForce/policies/policy-example.xml</string>
</list>
</policyFinderModule>
<!--******************Declaration of the Attribute Finder****************************** -->
<attributeFinderModule class="com.sun.xacml.finder.impl.LdapAttributeFinder">
<map>
<url>ldap://11.6.207.31</url>
<username>CN=Administrator,DC=TEST,DC=COM</username>
<password>secret</password>
<baseDN>OU=Users, DC=TEST,DC=COM </baseDN>
<attributeSupportedId>subject-job</attributeSupportedId>
<ldapAttribute>jobtitle</ldapAttribute>
<substituteValue>urn:oasis:names:tc:xacml:1.0:subject:subject-id</substituteValue>
<cache class="com.sun.xacml.CacheManager">
<activate>false</activate>
<maxElementsInMemory>10000</maxElementsInMemory>
<overflowToDisk>false</overflowToDisk>
<eternal>true</eternal>
</cache>
</map>
</attributeFinderModule>
<!--******************Cache Configuration**************************************** -->
<cache class="com.sun.xacml.CacheManager">
<map>
<activate>true</activate>
<maxElementsInMemory>10000</maxElementsInMemory>
<overflowToDisk>false</overflowToDisk>
<eternal>false</eternal>
</map>
</cache>
</pdp>
<attributeFactory name="attr" useStandardDatatypes="true"/>
<combiningAlgFactory name="comb" useStandardAlgorithms="true"/>
<functionFactory name="func" useStandardFunctions="true">
</functionFactory>
</config>
````
## Policy Finder Configuration
The Policy Decision Point has the ability to load XACML policies from different locations and types of stores. In this version, policies correspond to a single file located on the server.
```xml
<!--******************Declaration of the Policy Finder******************************** -->
<policyFinderModule class="com.sun.xacml.finder.impl.FilePolicyModule">
<list>
<string>/etc/AuthZForce/policies/policy-example.xml</string>
<string>/etc/AuthZForce/policies/policy-example-2.xml</string>
</list>
</policyFinderModule>
````
Once you have created your own policy, you will need to change this path to point to your policy file.
## Attribute Finder Configuration File
During an evaluation, the PDP may require other attributes that are not provided as part of the XACML request. To get those the PDP will ask the attribute finder(s) (configured below) to provide missing information. In this version, we provided two generic attribute finders that allow you to retrieve information from a LDAP directory and from a database.
### JDBC
```xml
<attributeFinderModule class="com.sun.xacml.finder.impl.AttributeDBFinder">
<map>
<url>jdbc:mysql://mysqlServer.opencloudware.org:3306/</url>
<username>mysql</username>
<password>password</password>
<dbName>Customer </dbName>
<driver>com.mysql.jdbc.Driver</driver>
<attributeSupportedId>customer-id</attributeSupportedId>
<sqlRequest>SELECT customer-id as $alias where sales-manager=$filter</sqlRequest>
<substituteValue>urn:oasis:names:tc:xacml:1.0:subject-id:subject-id</substituteValue>
<cache class="com.sun.xacml.CacheManager">
<activate>false</activate>
<maxElementsInMemory>10000</maxElementsInMemory>
<overflowToDisk>false</overflowToDisk>
<eternal>true</eternal>
</cache>
</map>
</attributeFinderModule>
````
The possible configuration elements defined for this configuration type are:
Name | description |
---------|:------:|
url | Address of the Database server|
username | Database username|
password | Database password |
dbName | Database name|
driver | Driver used to access the Database|
attributeSupportedId | Attribute that is supported by this attribute finder for retrieval. |
sqlRequest | Request used to fetch the attribute. $filter is the variable part used to make a filter in the SQL query mapped to the AttributeValue in the XACML request defined with the substituteValue option. $alias is used to map easily the request’s result with the attributeSupportedId in order to have a more logical output |
substituteValue|Value extracted from the XACML request (Mandatory in the XACML request)|
Cache|cache configuration for this attribute finder, (Optional, false by default)|
activate|cache activation, true or false|
maxElementInMemory|max element that are stored in the cache memory, integer|
overflowToDisk|if cache can write on the disk if the memory is full, true or false|
eternal|do we store eternally the elements, true or false|
timeToLiveSeconds|time to live of the stored elements, integer, (Optional)|
timeToIdleSeconds|time to idle for the stored elements, integer, (Optional) |
### LDAP
```xml
<attributeFinderModule class="com.sun.xacml.finder.impl.LdapAttributeFinder">
<map>
<url>ldap://10.222.148.102</url>
<username>cn=Manager,c=gb</username>
<password>secret</password>
<baseDn>ou=people,dc=authzforce,dc=com</baseDn>
<ldapAttribute>title</ldapAttribute>
<attributeSupportedId>jobtitle</attributeSupportedId>
<substituteValue>urn:oasis:names:tc:xacml:1.0:subject:subject-id</substituteValue>
<cache class="com.sun.xacml.CacheManager">
<activate>false</activate>
<maxElementsInMemory>10000</maxElementsInMemory>
<overflowToDisk>false</overflowToDisk>
<eternal>true</eternal>
</cache>
</map>
</attributeFinderModule>
````
The possible configuration elements defined for this configuration type are:
Name | description |
---------|:------:|
url|Address of the LDAP directory|
username|Username to access the directory|
password|Password to access the directory|
baseDN|Specifies the DN of the node where the search would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. |
ldapAttribute|The name of the entry's attribute that we are going to get the value from. |
attributeSupportedId|Attribute that is supported by this attribute finder for retrieval. |
substituteValue|Value extracted from the XACML request (Mandatory in the XACML request)|
Cache|cache configuration for this attribute finder, (Optional, false by default)|
activate|cache activation, true or false|
maxElementInMemory|max element that are stored in the cache memory, integer|
overflowToDisk|if cache can write on the disk if the memory is full, true or false|
eternal|do we store eternally the elements, true or false|
timeToLiveSeconds|time to live of the stored elements, integer, (Optional)|
timeToIdleSeconds|time to idle for the stored elements, integer, (Optional) |
### Fortress
TODO
### JWT
TODO
### String Map
TODO
### JSON Path
TODO
### RESTFul
TODO
# Calling the PDP
## Test the PDP from a REST client
1. To test the REST API with AuthZForce you need to get an REST Client like this one for Firefox
> [Rest Client](https://addons.mozilla.org/en-US/firefox/addon/restclient/)
2. Prepare an XACML request fitting your Policy and paste it into your body's request, for us it looks like this:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<RequestType xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medicalReccord#81325</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medicalReccord#75903</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Write</AttributeValue>
</Attribute>
</Attributes>
</RequestType>
````
3. Set the Headers' request with:
> Content-type : application/xml
4. Send it using a POST request to your PDP's interface
> http://@IP:8080/AuthZForce-REST-[VERSION]/pdp/service).
The response should look like this:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<ResponseType xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
<StatusDetail />
</Status>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medicalReccord#81325</AttributeValue>
</Attribute>
</Attributes>
</Result>
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
<StatusDetail />
</Status>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medicalReccord#75903</AttributeValue>
</Attribute>
</Attributes>
</Result>
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
<StatusDetail />
</Status>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medicalReccord#81325</AttributeValue>
</Attribute>
</Attributes>
</Result>
<Result>
<Decision>Deny</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
<StatusDetail />
</Status>
<Obligations>
<Obligation ObligationId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIIA014:policyset:obligation-3">
<AttributeAssignment AttributeId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIIA014:policyset:assignment2" DataType="http://www.w3.org/2001/XMLSchema#string">assignment2</AttributeAssignment>
</Obligation>
</Obligations>
<AssociatedAdvice />
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medicalReccord#75903</AttributeValue>
</Attribute>
</Attributes>
</Result>
</ResponseType>
```
It’s of course a snippet of the response. That can be much more complex if you have Obligations or Advices in your policies. Check the Oasis specification for more explanation on these objects.
Once you have a PDP instance. You can evaluate a XACML request by calling one of the `PDP#evaluate(...)` methods.
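Review bot: the new "Getting started" text (the `PdpConfigurationParser#getPDP(...)` intro, its three numbered parameters, and the closing `PDP#evaluate(...)` sentence) is split across three unrelated places in the file, while the old REST-server installation guide (Tomcat, `/etc/AuthZForce/conf/config.xml` with `com.sun.xacml.finder.impl.*` modules, LDAP/JDBC finders, REST client walkthrough) that the commit message says was moved to the rest-service project is still present; consolidate the new content and drop the old guide. The closing fences after the ```bash and ```xml blocks use four backticks (````), which breaks rendering of everything that follows. The sample request and response use `RequestType` and `ResponseType` as root elements; those are the XSD type names, the XACML 3.0 core schema's root elements are `Request` and `Response`, so the samples will not validate as shown. The configuration samples embed directory and database credentials in clear (`<password>secret</password>`, `<password>password</password>`); the text should say that config.xml therefore needs restrictive file permissions and that real credentials must not be committed. For the JDBC finder, document whether `$filter` is bound as a prepared-statement parameter or spliced into the `sqlRequest` string, since its value comes from an AttributeValue in the incoming request. Minor: "Tomcat 6/0" should read "Tomcat 6.0", "medicalReccord" is misspelled throughout, and the version table header has a stray trailing `|`.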
-------------------------
AuthZForce CORE version @version- Release Notes
-------------------------
-------------------
-- Version @version
-------------------
-------------------
-- Version 3.5.5-SNAPSHOT
-------------------
License changed to GPLV3
-------------------
-- Version 3.5.2-SNAPSHOT
-------------------
Bug fixed when there were more than one AnyOf and AllOf.
Only the Match element was evaluated with the "match(context)" function
Unitary tests were added to complete and prevent that from happening again
-------------------
-- Version 3.4.2
-------------------
Fixing bug on Rule Algorithm:
- DenyUnlessPermitRuleAlg.java
- PermitUnlessDenyRuleAlg.java.
=> A cast was misplaced and an error occured on the combination of rules
-------------------
-- Version 3.4.0
-------------------
Implementation working with XACML 3.0 requests and policies. Based on OASIS model (xsd)
Artifact name refactored => authzforce-core-authzforce in order to be more clear in the Nexus repository
Partial implementation of the Multi Decision Request. The Multi Request is not implemented yet
Functionnal tests added for XACML 3.0 model. This is actually the OASIS functionnal tests translated to a v3.O model
BasicV3 => OK
BasicFunctionV3 => OK
ConformanceV3 => OK
Implementation of the "Include in result" attribute
Full support of obligations
Full support of advices
Apache 2.0 licence headers added to every source file
Audit log based on annotations for Rule and Policies.
Use @Audit(type = [RULE || POLICY]) over a method returning a result. You can also use @Audit(type = DISPLAY) to display and clear the logs.
Non exhaustif list of improvement and implementation
Combining algorithm
OK urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit
OK urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit
OK urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-unless-deny
OK urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny
Functions
OK urn:oasis:names:tc:xacml:3.0:function:string-starts-with
OK urn:oasis:names:tc:xacml:3.0:function:string-ends-with
OK urn:oasis:names:tc:xacml:3.0:function:string-contains
OK urn:oasis:names:tc:xacml:3.0:function:string-substring
-------------------
-- Version 2.1.4
-------------------
Stable version working with XACML 2.0
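Review bot: the replacement CHANGELOG.md drops two items recorded here for 3.4.0: the annotation-based audit log (`@Audit(type = [RULE || POLICY])`, `@Audit(type = DISPLAY)`) and the list of passing suites (BasicV3, BasicFunctionV3, ConformanceV3); carry them over, or state in the changelog that the audit annotations were removed, so the history does not silently lose a feature. The 3.4.2 detail here (cast misplaced in DenyUnlessPermitRuleAlg.java and PermitUnlessDenyRuleAlg.java) is also more precise than the changelog's one-liner and worth keeping.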
Copyright (C) ${inceptionYear}-${currentYear} ${copyrightOwner} - All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
\ No newline at end of file
Copyright (C) ${inceptionYear}-${currentYear} ${copyrightOwner}. All rights reserved. No warranty, explicit or implicit, provided.
\ No newline at end of file
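Review bot: the new header template stops at "All rights reserved. No warranty, explicit or implicit, provided." and never names a license, although the pom references it as license/thales-gpl.header.txt and the changelog records "License changed to GPLV3"; a GPL header should state the license and version and point to where the license text can be obtained, because "All rights reserved" on its own reads as proprietary and contradicts the relicensing. Keep the `${inceptionYear}-${currentYear} ${copyrightOwner}` placeholders, but confirm the license-maven-plugin properties that fill them are defined in this or the parent pom, otherwise they are stamped into sources verbatim.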
......@@ -42,16 +42,14 @@
<dependencies>
<!-- Third-party dependencies -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</dependency>
<dependency>
<!-- For redirecting Spring logs to slf4j -->
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.ws</groupId>
<artifactId>spring-xml</artifactId>
<!-- Needed for org.springframework.util.ResourceUtils,SystemPropertyUtils,FileCopyUtils, etc. -->
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
</dependency>
<dependency>
<!-- For loading XML schemas with OASIS catalog (CatalogManager) -->
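Review bot: removing logback-classic from this compile-scope block means any `ch.qos.logback` import remaining under src/main/java stops compiling; grep the main sources before merging so the library ships against slf4j-api only, which is the right outcome for a PDP engine embedded by other applications. The new spring-core entry, like spring-xml before it, declares no `<version>`, so it depends on dependencyManagement in the parent pom: verify the parent manages org.springframework:spring-core, and keep jcl-over-slf4j as shown, since spring-core still logs through commons-logging.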
......@@ -87,6 +85,11 @@
<!-- /Authzforce dependencies -->
<!-- Test dependencies -->
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
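Review bot: adding logback-classic with `<scope>test</scope>` is the right complement to dropping it from compile scope, but make sure a logback-test.xml exists under src/test/resources; without one, logback falls back to DEBUG-level console output for every test run. As with the neighbouring entries there is no `<version>`, so the parent's dependencyManagement must cover ch.qos.logback:logback-classic.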
......@@ -137,25 +140,30 @@
<groupId>com.mycila</groupId>
<artifactId>license-maven-plugin</artifactId>
<configuration>
<excludes>
<exclude>**/*.html</exclude>
<exclude>**/*.xml</exclude>
<exclude>**/*.txt</exclude>
<exclude>**/*.ec</exclude>
<exclude>**/*.log</exclude>
<exclude>**/*.css</exclude>
<exclude>**/*.js</exclude>
<exclude>**/*.jsp</exclude>
<exclude>**/*.md</exclude>
<exclude>**/*.properties</exclude>
<exclude>**/*.gitignore</exclude>
</excludes>
<header>license/thales-gpl.header.txt</header>
<skipExistingHeaders>true</skipExistingHeaders>
<includes>
<include>src/main/java/org/ow2/authzforce/core/**</include>
<!-- Include test files also -->
<include>src/test/java/**</include>
</includes>
</configuration>
<executions>
<execution>
<id>format-sources-license</id>
<phase>process-sources</phase>
<goals>
<goal>format</goal>
</goals>
</execution>
<execution>
<id>format-test-sources-license</id>
<phase>process-test-sources</phase>
<goals>
<goal>format</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.jvnet.jaxb2.maven2</groupId>
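Review bot: `<skipExistingHeaders>true</skipExistingHeaders>` makes both `format` executions skip any file in which the plugin already detects a header, so sources still carrying the old Apache 2.0 header will not be rewritten to license/thales-gpl.header.txt; if the intent is the replacement described in the commit message, drop that flag (or run the plugin's `remove` goal once) and add a `check` execution so the build fails on stale headers. The include `src/main/java/org/ow2/authzforce/core/**` also leaves main sources outside that package (this commit still touches com.sun.xacml) without header processing, and the dropped `<excludes>` for *.xml, *.properties, etc. are now redundant because only Java source paths are included.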
......
......@@ -52,9 +52,11 @@ public final class NotFunction extends FirstOrderFunction.SingleParameterTyped<B
public static final String NAME_NOT = XACML_NS_1_0 + "not";
/**
* Creates a new <code>NotFunction</code> object.
* Singleton instance of "not" logical function
*/
public NotFunction()
public static final NotFunction INSTANCE = new NotFunction();
private NotFunction()
{
super(NAME_NOT, DatatypeConstants.BOOLEAN.TYPE, false, Collections.singletonList(DatatypeConstants.BOOLEAN.TYPE));
}
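Review bot: making the constructor private and exposing `INSTANCE` breaks any registry or reflective code that instantiated `NotFunction` through its former public no-arg constructor, so every registration site must switch to `NotFunction.INSTANCE`; the singleton is safe here only because the constructor passes constants to super and the class is final and stateless, which is worth a sentence in the Javadoc. The new private constructor has lost its Javadoc ("Creates a new NotFunction object"); keep a one-line comment or leave it undocumented consistently with the project's other singletons.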
......
......@@ -23,346 +23,43 @@
*/
package com.sun.xacml;
import java.io.Closeable;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import javax.xml.datatype.XMLGregorianCalendar;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
import org.ow2.authzforce.core.DecisionCache;
import org.ow2.authzforce.core.DecisionResult;
import org.ow2.authzforce.core.DecisionResultFilter;
import org.ow2.authzforce.core.IndeterminateEvaluationException;
import org.ow2.authzforce.core.IndividualDecisionRequest;
import org.ow2.authzforce.core.IndividualDecisionRequestEvaluator;
import org.ow2.authzforce.core.PdpExtensionLoader;
import org.ow2.authzforce.core.RequestFilter;
import org.ow2.authzforce.core.StatusHelper;
import org.ow2.authzforce.core.combining.CombiningAlgRegistry;
import org.ow2.authzforce.core.expression.AttributeGUID;
import org.ow2.authzforce.core.func.FunctionRegistry;
import org.ow2.authzforce.core.policy.RootPolicyEvaluator;
import org.ow2.authzforce.core.value.Bag;
import org.ow2.authzforce.core.value.Bags;
import org.ow2.authzforce.core.value.DatatypeConstants;
import org.ow2.authzforce.core.value.DatatypeFactoryRegistry;
import org.ow2.authzforce.core.value.DateTimeValue;
import org.ow2.authzforce.core.value.DateValue;
import org.ow2.authzforce.core.value.TimeValue;
import org.ow2.authzforce.xacml.identifiers.XACMLAttributeId;
import org.ow2.authzforce.xacml.identifiers.XACMLCategory;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractDecisionCache;
import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* This is the core class for the XACML engine, providing the starting point for request evaluation. To build an XACML policy engine, you start by instantiating
* this object.
* <p>
* This class implements {@link Closeable} because it depends on various modules - e.g. the root policy Provider, an optional decision cache - that may very
* likely hold resources such as network resources and caches to get: the root policy or policies referenced by the root policy; or to get attributes used in
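Review bot: the class Javadoc still says "This class implements {@link Closeable}" and "you start by instantiating this object", which no longer matches the split into a `PDP` interface and a `PDPImpl` implementation described in the commit message; reword it to describe the interface contract (implementations hold resources and must be closed) and point readers to `PdpConfigurationParser#getPDP(...)` as the entry point. With the import block trimmed this far, the `{@link Closeable}` reference needs `java.io.Closeable` either still imported or fully qualified, and `package com.sun.xacml;` keeps the public API under the legacy Sun package while the implementation moves to org.ow2.authzforce.core; consider relocating the interface with it so the header plugin's include pattern covers it.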