* This class represents a port range as specified in the <code>dnsName</code> and <code>ipAddress</code> datatypes. The range may have upper and lower bounds,
* be specified by a single port number, or may be unbound.
*
* @author cdangerv
* This class represents a port range as specified in the <code>dnsName</code> and <code>ipAddress</code> datatypes. The range may have upper and lower bounds, be specified by a single port number, or
* may be unbound.
*
* @version $Id: $
*/
publicfinalclassPortRange
...
...
@@ -53,8 +52,7 @@ public final class PortRange
}
/**
* Creates a <code>PortRange</code> with upper and lower bounds. Either of the parameters may have the value <code>UNBOUND</code> meaning that there is no
* bound at the respective end.
* Creates a <code>PortRange</code> with upper and lower bounds. Either of the parameters may have the value <code>UNBOUND</code> meaning that there is no bound at the respective end.
*
* @param lowerBound
* the lower-bound port number or <code>UNBOUND</code>
...
...
@@ -116,8 +114,8 @@ public final class PortRange
}
/**
* Returns the lower-bound port value. If the range is not lower-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port
* number, then this returns the same value as <code>getUpperBound</code>.
* Returns the lower-bound port value. If the range is not lower-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port number, then this returns the same value as
* <code>getUpperBound</code>.
*
* @return the upper-bound
*/
...
...
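Review bot: In the Javadoc that begins "Returns the lower-bound port value", the tag still reads `@return the upper-bound`, which looks copied from the upper-bound getter documented in the next hunk. Since these lines are being rewrapped anyway, change the tag to `@return the lower-bound`, so callers reading the generated docs are not told the wrong end of the range.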
@@ -127,8 +125,8 @@ public final class PortRange
}
/**
* Returns the upper-bound port value. If the range is not upper-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port
* number, then this returns the same value as <code>getLowerBound</code>.
* Returns the upper-bound port value. If the range is not upper-bound, then this returns <code>UNBOUND</code>. If the range is actually a single port number, then this returns the same value as
* <code>getLowerBound</code>.
*
* @return the upper-bound
*/
...
...
@@ -168,8 +166,7 @@ public final class PortRange
}
/**
* Returns whether the range is unbound, which means that it specifies no port number or range. This is typically used with addresses that include no port
* information.
* Returns whether the range is unbound, which means that it specifies no port number or range. This is typically used with addresses that include no port information.
*
* @return true if the range is unbound, false otherwise
* Determines whether this <code>AnyOf</code> matches the input request (whether it is applicable). If all the AllOf values is No_Match so it's a No_Match.
* If all matches it's a Match. If None matches and at least one “Indeterminate�? it's Indeterminate
* Determines whether this <code>AnyOf</code> matches the input request (whether it is applicable). If all the AllOf values is No_Match so it's a No_Match. If all matches it's a Match. If None
* matches and at least one “Indeterminate�? it's Indeterminate
*
* <pre>
* AllOf values AnyOf value
...
...
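Review bot: The AnyOf description rewrapped here lists three cases (all AllOf are No_Match, "all matches", none match with at least one Indeterminate) and says nothing about the case where some AllOf match and others do not. The third case is worded as "None matches", which suggests the Match condition was meant to be "at least one matches"; please state it that way so the comment agrees with the table that follows. The closing quote after Indeterminate is also garbled in both the old and new lines, so the file encoding or the quote characters should be fixed in the same pass (plain ASCII quotes or <code>Indeterminate</code>).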
@@ -151,8 +150,7 @@ public class AnyOfEvaluator
}
// No Match and at least one Indeterminate (lastIndeterminate != null) -> Indeterminate
@@ -105,10 +101,9 @@ public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentE
}
/**
* Evaluates to AttributeAssignments Section 5.39 and 5.40 of XACML 3.0 core spec: If an AttributeAssignmentExpression evaluates to an atomic attribute
* value, then there MUST be one resulting AttributeAssignment which MUST contain this single attribute value. If the AttributeAssignmentExpression
* evaluates to a bag, then there MUST be a resulting AttributeAssignment for each of the values in the bag. If the bag is empty, there shall be no
* AttributeAssignment from this AttributeAssignmentExpression
* Evaluates to AttributeAssignments Section 5.39 and 5.40 of XACML 3.0 core spec: If an AttributeAssignmentExpression evaluates to an atomic attribute value, then there MUST be one resulting
* AttributeAssignment which MUST contain this single attribute value. If the AttributeAssignmentExpression evaluates to a bag, then there MUST be a resulting AttributeAssignment for each of the
* values in the bag. If the bag is empty, there shall be no AttributeAssignment from this AttributeAssignmentExpression
*
* @param context
* evaluation context
...
...
@@ -127,21 +122,20 @@ public class AttributeAssignmentExpressionEvaluator extends AttributeAssignmentE
// result is a bag
finalBag<?>bag=(Bag<?>)result;
/*
* Bag may be empty, in particular if AttributeDesignator/AttributeSelector with MustBePresent=False evaluates to empty bag. Sections 5.30/5.40 of
* XACML core spec says: "If the bag is empty, there shall be no <AttributeAssignment> from this <AttributeAssignmentExpression>."
* Bag may be empty, in particular if AttributeDesignator/AttributeSelector with MustBePresent=False evaluates to empty bag. Sections 5.30/5.40 of XACML core spec says:
* "If the bag is empty, there shall be no <AttributeAssignment> from this <AttributeAssignmentExpression>."
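Review bot: The section references disagree between these two hunks: the method Javadoc cites "Section 5.39 and 5.40" of the XACML 3.0 core spec, while the inline comment on the empty-bag case cites "Sections 5.30/5.40". One of the two is a typo and the reformat carries it over unchanged; please check against the spec and use the same numbers in both places (and "say" rather than "says" after "Sections").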
@@ -58,15 +56,13 @@ public final class BaseDecisionResult implements DecisionResult
privatefinalDecisionTypedecision;
/**
* Extended Indeterminate value, as defined in section 7.10 of XACML 3.0 core: <i>potential effect value which could
* have occurred if there would not have been an error causing the “Indeterminate”</i>. We use the following
* convention:
* Extended Indeterminate value, as defined in section 7.10 of XACML 3.0 core: <i>potential effect value which could have occurred if there would not have been an error causing the
* “Indeterminate”</i>. We use the following convention:
* <ul>
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>Null means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and
* therefore any extended Indeterminate value should be ignored</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* </ul>
*
*/
...
...
@@ -94,8 +90,7 @@ public final class BaseDecisionResult implements DecisionResult
@@ -120,8 +114,7 @@ public final class BaseDecisionResult implements DecisionResult
* <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
* <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
* <li>{@link DecisionType#INDETERMINATE} means "Indeterminate{DP}"</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not
* Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
* </ul>
* @param status
* reason/code for Indeterminate
...
...
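Review bot: The third list item here maps `DecisionType#INDETERMINATE` to "Indeterminate{DP}", but the field Javadoc in the -58,15 hunk above says "Null means Indeterminate{DP}". The two conventions cannot both hold for the same extended Indeterminate value, and a caller that passes null where INDETERMINATE is expected (or the reverse) could get a different combining result than intended. Please state one convention in both comments and say how the other input is handled.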
@@ -132,8 +125,7 @@ public final class BaseDecisionResult implements DecisionResult
}
/**
* Instantiates a Indeterminate Decision result with a given error status and extended Indeterminate set to
* Indeterminate{DP}
* Instantiates a Indeterminate Decision result with a given error status and extended Indeterminate set to Indeterminate{DP}
*
* @param status
* reason/code for Indeterminate
...
...
@@ -144,9 +136,7 @@ public final class BaseDecisionResult implements DecisionResult
}
/**
* Instantiates a Permit/Deny decision with optional obligations and advice. See
* {@link #BaseDecisionResult(Status, DecisionType)} for Indeterminate, and {@link #NOT_APPLICABLE} for
* NotApplicable.
* Instantiates a Permit/Deny decision with optional obligations and advice. See {@link #BaseDecisionResult(Status, DecisionType)} for Indeterminate, and {@link #NOT_APPLICABLE} for NotApplicable.
*
* @param decision
* decision
...
...
@@ -166,8 +156,7 @@ public final class BaseDecisionResult implements DecisionResult
@@ -110,8 +109,8 @@ public class BasePdpExtensionRegistry<T extends PdpExtension> implements PdpExte
}
/**
* Constructor that sets a "base registry" from which this inherits all the extensions. Used for instance to build a new registry based on a standard one
* like the StandardFunctionRegistry for standard functions).
* Constructor that sets a "base registry" from which this inherits all the extensions. Used for instance to build a new registry based on a standard one like the StandardFunctionRegistry for
* standard functions).
*
* @param baseRegistry
* the base/parent registry on which this one is based or null
* The sub-modules may very likely hold resources such as network resources to get attributes remotely, or attribute caches to speed up finding, etc. Therefore,
* you are required to call {@link #close()} when you no longer need an instance - especially before replacing with a new instance (with different modules) - in
* order to make sure these resources are released properly by each underlying module (e.g. close the attribute caches).
* The sub-modules may very likely hold resources such as network resources to get attributes remotely, or attribute caches to speed up finding, etc. Therefore, you are required to call
* {@link #close()} when you no longer need an instance - especially before replacing with a new instance (with different modules) - in order to make sure these resources are released properly by each
* underlying module (e.g. close the attribute caches).
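Review bot: In the "base registry" constructor Javadoc, the sentence ends with "for standard functions)." but has no opening parenthesis, in both the old and the rewrapped text. Either open it before "Used for instance" or drop the closing parenthesis while these lines are being touched.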
@@ -107,21 +106,19 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
privateSet<ModuleAdapter>moduleClosers;
/**
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the
* requested attribute ID, if any.
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the requested attribute ID, if any.
*
* @param attributeFactory
* (mandatory) attribute value factory
*
* @param jaxbAttributeProviderConfs
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static
* expression evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static expression evaluation (out of context), in
* which case AttributeSelectors/AttributeDesignators are not supported
* @throws IllegalArgumentException
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict
* with another one already registered to provide the same or part of the same attributes.
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict with another one already registered to
* provide the same or part of the same attributes.
* @throws IOException
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an
* {@link IllegalArgumentException} is raised
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException} is raised
@@ -130,24 +127,21 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
}
/**
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the
* requested attribute ID, if any.
* Instantiates attribute Provider that tries to find attribute values in evaluation context, then, if not there, query the {@code module} providing the requested attribute ID, if any.
*
* @param attributeFactory
* (mandatory) attribute value factory
* @param jaxbAttributeProviderConfs
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static
* expression evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
* (optional) XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static expression evaluation (out of context), in
* which case AttributeSelectors/AttributeDesignators are not supported
* @return instance of this class
* @throws java.lang.IllegalArgumentException
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict
* with another one already registered to provide the same or part of the same attributes.
* If any of attribute Provider modules created from {@code jaxbAttributeProviderConfs} does not provide any attribute; or it is in conflict with another one already registered to
* provide the same or part of the same attributes.
* @throws java.io.IOException
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an
* {@link IllegalArgumentException} is raised
* error closing the attribute Provider modules created from {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException} is raised
* Each AttributeProviderModule is given a read-only AttributeProvider - aka "dependency attribute Provider" - to find any attribute they
* require (dependency), based on the attribute Provider modules that provide these required attributes (set above); read-only so that
* modules use this attribute Provider only to get required attributes, nothing else. Create this dependency attribute Provider.
* Each AttributeProviderModule is given a read-only AttributeProvider - aka "dependency attribute Provider" - to find any attribute they require (dependency), based on the
* attribute Provider modules that provide these required attributes (set above); read-only so that modules use this attribute Provider only to get required attributes, nothing
* else. Create this dependency attribute Provider.
*/
finalAttributeProviderdepAttrProvider;
if(requiredAttrs==null)
...
...
@@ -195,8 +188,7 @@ public final class CloseableAttributeProvider extends ModularAttributeProvider i
if(modulesByAttributeId.containsKey(attrGUID))
{
moduleAdapter.close();
thrownewIllegalArgumentException("Conflict: "+moduleAdapter+" providing the same AttributeDesignator ("+attrGUID
+") as another already registered.");
thrownewIllegalArgumentException("Conflict: "+moduleAdapter+" providing the same AttributeDesignator ("+attrGUID+") as another already registered.");
* Factory for this type of request filter that allows duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request
* (complying with XACML 3.0 core spec, §7.3.3).
* Factory for this type of request filter that allows duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (complying with XACML 3.0 core spec,
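Review bot: In the CloseableAttributeProvider conflict branch, `moduleAdapter.close()` runs immediately before `throw new IllegalArgumentException("Conflict: ...")`, so if close() throws, the conflict message is never raised and the operator sees only the I/O failure. The constructor Javadoc earlier in the patch documents that IOException, but it would be more useful to create the IllegalArgumentException first, call close() inside a try/catch, and attach any failure with addSuppressed before throwing, so the configuration conflict stays the primary error.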
@@ -74,8 +73,8 @@ public final class DefaultRequestFilter extends BaseRequestFilter
/**
*
* Factory for this type of request filter that does NOT allow duplicate <Attribute> with same meta-data in the same <Attributes> element of a
* Factory for this type of request filter that does NOT allow duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (NOT complying fully with XACML
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we keep track of
* attribute categories to check duplicates.
* No support for Multiple Decision Profile -> no support for repeated categories as specified in Multiple Decision Profile. So we keep track of attribute categories to check duplicates.
thrownewIndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='"+categoryName+"'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)",StatusHelper.STATUS_SYNTAX_ERROR);
thrownewIndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='"+categoryName
+"'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)",StatusHelper.STATUS_SYNTAX_ERROR);
* An {@link EvaluationContext} associated to an XACML Individual Decision Request, i.e. for evaluation to a single authorization decision Result (see Multiple
* Decision Profile spec for more information on Individual Decision Request as opposed to Multiple Decision Request).
* An {@link EvaluationContext} associated to an XACML Individual Decision Request, i.e. for evaluation to a single authorization decision Result (see Multiple Decision Profile spec for more
* information on Individual Decision Request as opposed to Multiple Decision Request).
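Review bot: The IndeterminateEvaluationException message in this hunk concatenates `categoryName` unmodified into the status text ("Attributes[@Category='"+categoryName+"']"), and the reformat only moves the line break. If categoryName is taken from the Category attribute of the incoming Request, that value ends up in whatever carries the status message (the response, the logs); consider bounding its length and escaping quotes and control characters before embedding it. The two DefaultRequestFilter factory comments above are also cut off mid-sentence in this view ("complying with XACML 3.0 core spec," and "NOT complying fully with XACML"), so please confirm the full sentences survived the rewrap.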