Merge branch 'release/3.8.0'

.gitignore

@@ -11,3 +11,4 @@
 *.log
 /.pmd
 /.eclipse-pmd
+/.pmdruleset.xml

CHANGELOG.md

 # Change log
 All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. 
 
+## 3.8.0
+### Changed
+- PDP XML schema: maxVariableRefDepth and maxPolicyRefDepth attributes made optional (instead of required)
+
+### Added
+- PDP XML schema: 'requestFilter' attribute (RequestFilter extension): 
+	- Added documentation about natively supported values, with '-lax' suffix meaning that duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request is allowed (in compliance with XACML 3.0 core spec, §7.3.3), and '-strict' suffix meaning that it is not allowed (not strictly compliant with XACML 3.0 Core, section 7.3.3):
+		- 'urn:ow2:authzforce:xacml:request-filter:default-lax' and 'urn:ow2:authzforce:xacml:request-filter:default-strict': default requestFilter limited to what is specified in XACML 3.0 Core specification
+		- 'urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax' and 'urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-strict': implement Multiple Decision Profile, section 2.3 (repeated attribute categories)
+	- Added XSD-defined default value for this 'requestFilter' attribute: 'urn:ow2:authzforce:xacml:request-filter:default-lax'
+- Support for Extended Indeterminate values (XACML 3.0 Core specification, section 7.10-7.14, appendix C: combining algorithms)
+- PdpImpl#getStaticApplicablePolicies() method that provides all the PDP's applicable policies (root and referenced - directly or indirectly - from the root policy) if all are statically resolved. This allows PDP clients to know all the policies (if statically resolved) possibly used by the PDP during the evaluation.
+
+
 ## 3.7.0
 ### Added
 - Root policy provider module based on any policy-by-reference provider (parameter is the root policy reference to be resolved by the policy-by-reference provider)

CONTRIBUTING.md

 # Contribution Rules
-  - No SNAPSHOT dependencies on "develop" and obviously "master" branches
\ No newline at end of file
+1. No SNAPSHOT dependencies on "develop" and obviously "master" branches
+
+# Releases  
+1. Start a release: `$ mvn jgitflow:release-start`
+2. Remove any SNAPSHOT dependency
+3. Update the CHANGELOG.md
+4. Finish a release: `$ mvn jgitflow:release-finish`
+
+More info on jgitflow: http://jgitflow.bitbucket.org/

pom.xml

@@ -6,7 +6,7 @@
 		<version>3.3.7</version>
 	</parent>
 	<artifactId>authzforce-ce-core</artifactId>
-	<version>3.7.0</version>
+	<version>3.8.0</version>
 	<name>${project.groupId}:${project.artifactId}</name>
 	<description>AuthZForce Community Edition - XACML-compliant Core Engine</description>
 	<url>https://tuleap.ow2.org/projects/authzforce</url>
@@ -55,8 +55,8 @@
 		<dependency>
 			<groupId>${project.groupId}</groupId>
 			<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
-			<!-- Major/minor version should match this artifact major/minor version to respect Semantic Versioning; -->
-			<version>3.6.1</version>
+			<!-- Major/minor version should match this artifact major/minor version to respect Semantic Versioning -->
+			<version>3.7.0</version>
 		</dependency>
 		<!-- /Authzforce dependencies -->
 
@@ -232,6 +232,9 @@
 				<version>2.12.4</version>
 				<configuration>
 					<skipTests>false</skipTests>
+					<systemPropertyVariables>
+						<javax.xml.accessExternalSchema>all</javax.xml.accessExternalSchema>
+					</systemPropertyVariables>
 					<includes>
 						<include>**/MainTest.java</include>
 					</includes>

src/main/java/org/ow2/authzforce/core/pdp/impl/BaseDecisionResult.java

@@ -35,7 +35,8 @@ import org.ow2.authzforce.core.pdp.api.PepActions;
  */
 public final class BaseDecisionResult implements DecisionResult
 {
-	private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined Decision");
+	private static final IllegalArgumentException ILLEGAL_DECISION_ARGUMENT_EXCEPTION = new IllegalArgumentException(
+			"Undefined Decision");
 
 	/**
 	 * NotApplicable decision result
@@ -54,6 +55,21 @@ public final class BaseDecisionResult implements DecisionResult
 
 	private final DecisionType decision;
 
+	/**
+	 * Extended Indeterminate value, as defined in section 7.10 of XACML 3.0 core: <i>potential effect value which could
+	 * have occurred if there would not have been an error causing the “Indeterminate”</i>. We use the following
+	 * convention:
+	 * <ul>
+	 * <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
+	 * <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
+	 * <li>Null means "Indeterminate{DP}"</li>
+	 * <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not Indeterminate, and
+	 * therefore any extended Indeterminate value should be ignored</li>
+	 * </ul>
+	 * 
+	 */
+	private final DecisionType extIndeterminate;
+
 	private final Status status;
 
 	// initialized non-null
@@ -67,6 +83,8 @@ public final class BaseDecisionResult implements DecisionResult
 	 * 
 	 * @param decision
 	 *            decision
+	 * @param extendedIndeterminate
+	 *            Extended Indeterminate value, null if {@code decision !=  DecisionType.INDETERMINATE}
 	 * @param status
 	 *            status
 	 * @param pepActions
@@ -74,7 +92,8 @@ public final class BaseDecisionResult implements DecisionResult
 	 * @param policyIdentifierList
 	 *            list of matched policy identifiers
 	 */
-	public BaseDecisionResult(DecisionType decision, Status status, PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
+	public BaseDecisionResult(DecisionType decision, DecisionType extendedIndeterminate, Status status,
+			PepActions pepActions, List<JAXBElement<IdReferenceType>> policyIdentifierList)
 	{
 		if (decision == null)
 		{
@@ -82,26 +101,51 @@ public final class BaseDecisionResult implements DecisionResult
 		}
 
 		this.decision = decision;
+		this.extIndeterminate = extendedIndeterminate;
 		this.status = status;
 		this.pepActions = pepActions == null ? new BasePepActions(null, null) : pepActions;
-		this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>() : policyIdentifierList;
+		this.applicablePolicyIdList = policyIdentifierList == null ? new ArrayList<JAXBElement<IdReferenceType>>()
+				: policyIdentifierList;
 
 	}
 
 	/**
 	 * Instantiates a Indeterminate Decision result with a given error status
 	 * 
+	 * @param extendedIndeterminate
+	 *            Extended Indeterminate value (XACML 3.0 Core, section 7.10). We use the following convention:
+	 *            <ul>
+	 *            <li>{@link DecisionType#DENY} means "Indeterminate{D}"</li>
+	 *            <li>{@link DecisionType#PERMIT} means "Indeterminate{P}"</li>
+	 *            <li>{@link DecisionType#INDETERMINATE} means "Indeterminate{DP}"</li>
+	 *            <li>{@link DecisionType#NOT_APPLICABLE} is the default value and means the decision is not
+	 *            Indeterminate, and therefore any extended Indeterminate value should be ignored</li>
+	 *            </ul>
+	 * 
+	 * @param status
+	 *            reason/code for Indeterminate
+	 */
+	public BaseDecisionResult(Status status, DecisionType extendedIndeterminate)
+	{
+		this(DecisionType.INDETERMINATE, extendedIndeterminate, status, null, null);
+	}
+
+	/**
+	 * Instantiates a Indeterminate Decision result with a given error status and extended Indeterminate set to
+	 * Indeterminate{DP}
+	 * 
 	 * @param status
 	 *            reason/code for Indeterminate
 	 */
 	public BaseDecisionResult(Status status)
 	{
-		this(DecisionType.INDETERMINATE, status, null, null);
+		this(DecisionType.INDETERMINATE, DecisionType.INDETERMINATE, status, null, null);
 	}
 
 	/**
-	 * Instantiates a Permit/Deny decision with optional obligations and advice. See {@link #BaseDecisionResult(Status)} for Indeterminate, and
-	 * {@link #NOT_APPLICABLE} for NotApplicable.
+	 * Instantiates a Permit/Deny decision with optional obligations and advice. See
+	 * {@link #BaseDecisionResult(Status, DecisionType)} for Indeterminate, and {@link #NOT_APPLICABLE} for
+	 * NotApplicable.
 	 * 
 	 * @param decision
 	 *            decision
@@ -110,7 +154,7 @@ public final class BaseDecisionResult implements DecisionResult
 	 */
 	public BaseDecisionResult(DecisionType decision, PepActions pepActions)
 	{
-		this(decision, null, pepActions, null);
+		this(decision, DecisionType.NOT_APPLICABLE, null, pepActions, null);
 	}
 
 	private transient volatile int hashCode = 0;
@@ -120,7 +164,8 @@ public final class BaseDecisionResult implements DecisionResult
 	{
 		if (hashCode == 0)
 		{
-			hashCode = Objects.hash(this.decision, this.status, this.pepActions, this.applicablePolicyIdList);
+			hashCode = Objects.hash(this.decision, this.extIndeterminate, this.status, this.pepActions,
+					this.applicablePolicyIdList);
 		}
 
 		return hashCode;
@@ -145,6 +190,11 @@ public final class BaseDecisionResult implements DecisionResult
 			return false;
 		}
 
+		if (this.extIndeterminate != other.getExtendedIndeterminate())
+		{
+			return false;
+		}
+
 		// Status is optional in XACML
 		if (this.status == null)
 		{
@@ -218,7 +268,8 @@ public final class BaseDecisionResult implements DecisionResult
 	}
 
 	/**
-	 * Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy or child Policies of PolicySet
+	 * Merge extra PEP actions and/or matched policy identifiers. Used when combining results from child Rules of Policy
+	 * or child Policies of PolicySet
 	 * 
 	 * @param newPepActions
 	 *            new PEP actions
@@ -242,8 +293,14 @@ public final class BaseDecisionResult implements DecisionResult
 	@Override
 	public String toString()
 	{
-		return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions + ", applicablePolicyIdList=" + applicablePolicyIdList
-				+ "]";
+		return "Result [decision=" + decision + ", status=" + status + ", pepActions=" + pepActions
+				+ ", applicablePolicyIdList=" + applicablePolicyIdList + "]";
+	}
+
+	@Override
+	public DecisionType getExtendedIndeterminate()
+	{
+		return this.extIndeterminate;
 	}
 
 }

src/main/java/org/ow2/authzforce/core/pdp/impl/DefaultRequestFilter.java

@@ -19,10 +19,6 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
-import net.sf.saxon.s9api.Processor;
-import net.sf.saxon.s9api.XPathCompiler;
-import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
-
 import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
 import org.ow2.authzforce.core.pdp.api.DatatypeFactoryRegistry;
 import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
@@ -32,6 +28,10 @@ import org.ow2.authzforce.core.pdp.api.RequestFilter;
 import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
 import org.ow2.authzforce.core.pdp.api.StatusHelper;
 
+import net.sf.saxon.s9api.Processor;
+import net.sf.saxon.s9api.XPathCompiler;
+import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
+
 /**
  * Default Request filter for Individual Decision Requests only (no support of Multiple Decision Profile in particular)
  * 
@@ -46,7 +46,10 @@ public final class DefaultRequestFilter extends BaseRequestFilter
 	 */
 	public static final class LaxFilterFactory implements RequestFilter.Factory
 	{
-		private static final String ID = "urn:thalesgroup:xacml:request-filter:default-lax";
+		/**
+		 * Request filter ID, as returned by {@link #getId()}
+		 */
+		public static final String ID = "urn:ow2:authzforce:xacml:request-filter:default-lax";
 
 		@Override
 		public String getId()
@@ -55,8 +58,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
 		}
 
 		@Override
-		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
-				Processor xmlProcessor)
+		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
 		{
 			return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
 		}
@@ -76,7 +78,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
 	 */
 	public static final class StrictFilterFactory implements RequestFilter.Factory
 	{
-		private static final String ID = "urn:thalesgroup:xacml:request-filter:default-strict";
+		private static final String ID = "urn:ow2:authzforce:xacml:request-filter:default-strict";
 
 		@Override
 		public String getId()
@@ -85,23 +87,19 @@ public final class DefaultRequestFilter extends BaseRequestFilter
 		}
 
 		@Override
-		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
-				Processor xmlProcessor)
+		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
 		{
 			return new DefaultRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
 		}
 	}
 
-	private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates,
-			boolean requireContentForXPath, Processor xmlProcessor)
+	private DefaultRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Processor xmlProcessor)
 	{
 		super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
 	}
 
 	@Override
-	public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser,
-			boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix)
-			throws IndeterminateEvaluationException
+	public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
 	{
 
 		/*
@@ -123,9 +121,7 @@ public final class DefaultRequestFilter extends BaseRequestFilter
 			final String categoryName = jaxbAttributes.getCategory();
 			if (!attrCategoryNames.add(categoryName))
 			{
-				throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName
-						+ "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)",
-						StatusHelper.STATUS_SYNTAX_ERROR);
+				throw new IndeterminateEvaluationException("Unsupported repetition of Attributes[@Category='" + categoryName + "'] (feature 'urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories' is not supported)", StatusHelper.STATUS_SYNTAX_ERROR);
 			}
 
 			final SingleCategoryAttributes<?> categorySpecificAttributes = xacmlAttrsParser.parseAttributes(jaxbAttributes, xPathCompiler);

src/main/java/org/ow2/authzforce/core/pdp/impl/MultiDecisionRequestFilter.java

@@ -22,10 +22,6 @@ import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Queue;
 
-import net.sf.saxon.s9api.Processor;
-import net.sf.saxon.s9api.XPathCompiler;
-import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
-
 import org.ow2.authzforce.core.pdp.api.BaseRequestFilter;
 import org.ow2.authzforce.core.pdp.api.DatatypeFactoryRegistry;
 import org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException;
@@ -35,8 +31,12 @@ import org.ow2.authzforce.core.pdp.api.RequestFilter;
 import org.ow2.authzforce.core.pdp.api.SingleCategoryAttributes;
 import org.ow2.authzforce.core.pdp.api.StatusHelper;
 
+import net.sf.saxon.s9api.Processor;
+import net.sf.saxon.s9api.XPathCompiler;
+import oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes;
+
 /**
- * Request filter implementing Multiple Decision Request, section 2.3 (repeated attribute categories). Other schems are not supported.
+ * Request filter implementing Multiple Decision Profile, section 2.3 (repeated attribute categories). Other schemes are not supported.
  * 
  */
 public final class MultiDecisionRequestFilter extends BaseRequestFilter
@@ -49,7 +49,10 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
 	 */
 	public static final class LaxFilterFactory implements RequestFilter.Factory
 	{
-		private static final String ID = "urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-lax";
+		/**
+		 * Request filter ID, returned by {@link #getId()}
+		 */
+		public static final String ID = "urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax";
 
 		@Override
 		public String getId()
@@ -58,8 +61,7 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
 		}
 
 		@Override
-		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
-				Processor xmlProcessor)
+		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
 		{
 			return new MultiDecisionRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, true, requireContentForXPath, xmlProcessor);
 		}
@@ -73,7 +75,10 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
 	 */
 	public static final class StrictFilterFactory implements RequestFilter.Factory
 	{
-		private static final String ID = "urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-strict";
+		/**
+		 * Request filter ID, returned by {@link #getId()}
+		 */
+		public static final String ID = "urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-strict";
 
 		@Override
 		public String getId()
@@ -82,8 +87,7 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
 		}
 
 		@Override
-		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath,
-				Processor xmlProcessor)
+		public RequestFilter getInstance(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean requireContentForXPath, Processor xmlProcessor)
 		{
 			return new MultiDecisionRequestFilter(datatypeFactoryRegistry, strictAttributeIssuerMatch, false, requireContentForXPath, xmlProcessor);
 		}
@@ -91,16 +95,13 @@ public final class MultiDecisionRequestFilter extends BaseRequestFilter
 
 	// private static Logger LOGGER = LoggerFactory.getLogger(MultiDecisionRequestFilter.class);
 
-	private MultiDecisionRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates,
-			boolean requireContentForXPath, Processor xmlProcessor)
+	private MultiDecisionRequestFilter(DatatypeFactoryRegistry datatypeFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Processor xmlProcessor)
 	{
 		super(datatypeFactoryRegistry, strictAttributeIssuerMatch, allowAttributeDuplicates, requireContentForXPath, xmlProcessor);
 	}
 
 	@Override
-	public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser,
-			boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix)
-			throws IndeterminateEvaluationException
+	public List<? extends IndividualDecisionRequest> filter(List<Attributes> attributesList, JaxbXACMLAttributesParser xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, XPathCompiler xPathCompiler, Map<String, String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
 	{
 		/*
 		 * Parse Request attributes and group possibly repeated categories to implement Multiple Decision Profile, §2.3.

src/main/java/org/ow2/authzforce/core/pdp/impl/PDPImpl.java

@@ -25,11 +25,6 @@ import java.util.Set;
 
 import javax.xml.datatype.XMLGregorianCalendar;
 
-import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
-import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
-import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
-import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
-
 import org.ow2.authzforce.core.pdp.api.AttributeGUID;
 import org.ow2.authzforce.core.pdp.api.Bag;
 import org.ow2.authzforce.core.pdp.api.Bags;
@@ -46,6 +41,7 @@ import org.ow2.authzforce.core.pdp.api.StatusHelper;
 import org.ow2.authzforce.core.pdp.api.XMLUtils;
 import org.ow2.authzforce.core.pdp.impl.func.FunctionRegistry;
 import org.ow2.authzforce.core.pdp.impl.policy.RootPolicyEvaluator;
+import org.ow2.authzforce.core.pdp.impl.policy.StaticApplicablePolicyView;
 import org.ow2.authzforce.core.pdp.impl.value.DatatypeConstants;
 import org.ow2.authzforce.core.pdp.impl.value.DateTimeValue;
 import org.ow2.authzforce.core.pdp.impl.value.DateValue;
@@ -58,6 +54,11 @@ import org.ow2.authzforce.xmlns.pdp.ext.AbstractPolicyProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
+import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
+import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
+import oasis.names.tc.xacml._3_0.core.schema.wd_17.Result;
+
 /**
  * This is the core XACML PDP engine implementation. To build an XACML policy engine, you start by instantiating this object directly or in a easier and
  * preferred way, using {@link PdpConfigurationParser}.
@@ -97,8 +98,7 @@ public class PDPImpl implements CloseablePDP
 		// the logger we'll use for all messages
 		private static final Logger _LOGGER = LoggerFactory.getLogger(CachingIndividualRequestEvaluator.class);
 
-		private static final Result INVALID_DECISION_CACHE_RESULT = new Result(DecisionType.INDETERMINATE, new StatusHelper(
-				StatusHelper.STATUS_PROCESSING_ERROR, "Internal error"), null, null, null, null);
+		private static final Result INVALID_DECISION_CACHE_RESULT = new Result(DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_PROCESSING_ERROR, "Internal error"), null, null, null, null);
 
 		private final DecisionCache decisionCache;
 
@@ -120,14 +120,15 @@ public class PDPImpl implements CloseablePDP
 				return Collections.singletonList(INVALID_DECISION_CACHE_RESULT);
 			}
 
-			// At least check that we have as many results from cache as input requests
-			// (For each request with no result in cache, there must still be an entry with value
+			// At least check that we have as many results from cache as input
+			// requests
+			// (For each request with no result in cache, there must still be an
+			// entry with value
 			// null.)
 			if (cachedResultsByRequest.size() != individualDecisionRequests.size())
 			{
 				// error, return indeterminate result as only result
-				_LOGGER.error("Invalid decision cache result: number of returned decision results ({}) != number of input (individual) decision requests ({})",
-						cachedResultsByRequest.size(), individualDecisionRequests.size());
+				_LOGGER.error("Invalid decision cache result: number of returned decision results ({}) != number of input (individual) decision requests ({})", cachedResultsByRequest.size(), individualDecisionRequests.size());
 				return Collections.singletonList(INVALID_DECISION_CACHE_RESULT);
 			}
 
@@ -144,8 +145,7 @@ public class PDPImpl implements CloseablePDP
 					final IndividualDecisionRequest individuaDecisionRequest = cachedRequestResultPair.getKey();
 					if (individuaDecisionRequest == null)
 					{
-						throw new RuntimeException("One of the entry keys (individual decision request) returned by the decision cache implementation '"
-								+ decisionCache + "' is invalid (null).");
+						throw new RuntimeException("One of the entry keys (individual decision request) returned by the decision cache implementation '" + decisionCache + "' is invalid (null).");
 					}
 
 					finalResult = super.evaluate(individuaDecisionRequest, pdpIssuedAttributes);
@@ -172,22 +172,17 @@ public class PDPImpl implements CloseablePDP
 	 * Indeterminate response iff CombinedDecision element not supported because the request parser does not support any scheme from MultipleDecisionProfile
 	 * section 2.
 	 */
-	private static final Response UNSUPPORTED_COMBINED_DECISION_RESPONSE = new Response(Collections.<Result> singletonList(new Result(
-			DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_SYNTAX_ERROR, "Unsupported feature: CombinedDecision='true'"), null, null, null,
-			null)));
+	private static final Response UNSUPPORTED_COMBINED_DECISION_RESPONSE = new Response(Collections.<Result> singletonList(new Result(DecisionType.INDETERMINATE, new StatusHelper(StatusHelper.STATUS_SYNTAX_ERROR, "Unsupported feature: CombinedDecision='true'"), null, null, null, null)));
 
-	private static final AttributeGUID ENVIRONMENT_CURRENT_TIME_ATTRIBUTE_GUID = new AttributeGUID(
-			XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value());
+	private static final AttributeGUID ENVIRONMENT_CURRENT_TIME_ATTRIBUTE_GUID = new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_TIME.value());
 
-	private static final AttributeGUID ENVIRONMENT_CURRENT_DATE_ATTRIBUTE_GUID = new AttributeGUID(
-			XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value());
+	private static final AttributeGUID ENVIRONMENT_CURRENT_DATE_ATTRIBUTE_GUID = new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATE.value());
 
-	private static final AttributeGUID ENVIRONMENT_CURRENT_DATETIME_ATTRIBUTE_GUID = new AttributeGUID(
-			XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value());
+	private static final AttributeGUID ENVIRONMENT_CURRENT_DATETIME_ATTRIBUTE_GUID = new AttributeGUID(XACMLCategory.XACML_3_0_ENVIRONMENT_CATEGORY_ENVIRONMENT.value(), null, XACMLAttributeId.XACML_1_0_ENVIRONMENT_CURRENT_DATETIME.value());
 
 	private static final DecisionResultFilter DEFAULT_RESULT_FILTER = new DecisionResultFilter()
 	{
-		private static final String ID = "urn:thalesgroup:xacml:result-filter:default";
+		private static final String ID = "urn:ow2:authzforce:xacml:result-filter:default";
 
 		@Override
 		public String getId()
@@ -209,7 +204,7 @@ public class PDPImpl implements CloseablePDP
 
 	};
 
-	private final RootPolicyEvaluator rootPolicyProvider;
+	private final RootPolicyEvaluator rootPolicyEvaluator;
 	private final DecisionCache decisionCache;
 	private final RequestFilter reqFilter;
 	private final IndividualDecisionRequestEvaluator individualReqEvaluator;
@@ -226,7 +221,8 @@ public class PDPImpl implements CloseablePDP
 	 *            XML/JAXB configurations of Attribute Providers for AttributeDesignator/AttributeSelector evaluation; may be null for static expression
 	 *            evaluation (out of context), in which case AttributeSelectors/AttributeDesignators are not supported
 	 * @param maxVariableReferenceDepth
-	 *            max depth of VariableReference chaining: VariableDefinition -> VariableDefinition ->... ('->' represents a VariableReference)
+	 *            max depth of VariableReference chaining: VariableDefinition -> VariableDefinition ->... ('->' represents a VariableReference); strictly
+	 *            negative value means no limit
 	 * @param enableXPath
 	 *            allow XPath evaluation, i.e. AttributeSelectors and xpathExpressions (experimental, not for production, use with caution)
 	 * @param requestFilterId
@@ -243,7 +239,8 @@ public class PDPImpl implements CloseablePDP
 	 *            policy-by-reference Provider's XML/JAXB configuration, for resolving policies referred to by Policy(Set)IdReference in policies found by root
 	 *            policy Provider
 	 * @param maxPolicySetRefDepth
-	 *            max allowed PolicySetIdReference chain: PolicySet1 (PolicySetIdRef1) -> PolicySet2 (PolicySetIdRef2) -> ...
+	 *            max allowed PolicySetIdReference chain: PolicySet1 (PolicySetIdRef1) -> PolicySet2 (PolicySetIdRef2) -> ...; a strictly negative value means
+	 *            no limit
 	 * @param strictAttributeIssuerMatch
 	 *            true iff strict Attribute Issuer matching is enabled, i.e. AttributeDesignators without Issuer only match request Attributes without Issuer
 	 *            (and same AttributeId, Category...). This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present
@@ -264,29 +261,21 @@ public class PDPImpl implements CloseablePDP
 	 *             {@code jaxbAttributeProviderConfs}, when and before an {@link IllegalArgumentException} is raised
 	 * 
 	 */
-	public PDPImpl(DatatypeFactoryRegistry attributeFactory, FunctionRegistry functionRegistry, List<AbstractAttributeProvider> jaxbAttributeProviderConfs,
-			int maxVariableReferenceDepth, boolean enableXPath, CombiningAlgRegistry combiningAlgRegistry, AbstractPolicyProvider jaxbRootPolicyProviderConf,
-			AbstractPolicyProvider jaxbRefPolicyProviderConf, int maxPolicySetRefDepth, String requestFilterId, boolean strictAttributeIssuerMatch,
-			DecisionResultFilter decisionResultFilter, AbstractDecisionCache jaxbDecisionCacheConf, EnvironmentProperties environmentProperties)
-			throws IllegalArgumentException, IOException
+	public PDPImpl(DatatypeFactoryRegistry attributeFactory, FunctionRegistry functionRegistry, List<AbstractAttributeProvider> jaxbAttributeProviderConfs, int maxVariableReferenceDepth, boolean enableXPath, CombiningAlgRegistry combiningAlgRegistry, AbstractPolicyProvider jaxbRootPolicyProviderConf, AbstractPolicyProvider jaxbRefPolicyProviderConf, int maxPolicySetRefDepth, String requestFilterId, boolean strictAttributeIssuerMatch, DecisionResultFilter decisionResultFilter, AbstractDecisionCache jaxbDecisionCacheConf, EnvironmentProperties environmentProperties) throws IllegalArgumentException, IOException
 	{
-		final RequestFilter.Factory requestFilterFactory = requestFilterId == null ? DefaultRequestFilter.LaxFilterFactory.INSTANCE : PdpExtensionLoader
-				.getExtension(RequestFilter.Factory.class, requestFilterId);
+		final RequestFilter.Factory requestFilterFactory = requestFilterId == null ? DefaultRequestFilter.LaxFilterFactory.INSTANCE : PdpExtensionLoader.getExtension(RequestFilter.Factory.class, requestFilterId);
 
-		final RequestFilter requestFilter = requestFilterFactory.getInstance(attributeFactory, strictAttributeIssuerMatch, enableXPath,
-				XMLUtils.SAXON_PROCESSOR);
+		final RequestFilter requestFilter = requestFilterFactory.getInstance(attributeFactory, strictAttributeIssuerMatch, enableXPath, XMLUtils.SAXON_PROCESSOR);
 
-		final RootPolicyEvaluator.Base candidateRootPolicyProvider = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry,
-				jaxbAttributeProviderConfs, maxVariableReferenceDepth, enableXPath, combiningAlgRegistry, jaxbRootPolicyProviderConf,
-				jaxbRefPolicyProviderConf, maxPolicySetRefDepth, strictAttributeIssuerMatch, environmentProperties);
+		final RootPolicyEvaluator.Base candidateRootPolicyEvaluator = new RootPolicyEvaluator.Base(attributeFactory, functionRegistry, jaxbAttributeProviderConfs, maxVariableReferenceDepth, enableXPath, combiningAlgRegistry, jaxbRootPolicyProviderConf, jaxbRefPolicyProviderConf, maxPolicySetRefDepth, strictAttributeIssuerMatch, environmentProperties);
 		// Use static resolution if possible
-		final RootPolicyEvaluator staticRootPolicyProvider = candidateRootPolicyProvider.toStatic();
-		if (staticRootPolicyProvider == null)
+		final RootPolicyEvaluator staticRootPolicyEvaluator = candidateRootPolicyEvaluator.toStatic();
+		if (staticRootPolicyEvaluator == null)
 		{
-			this.rootPolicyProvider = candidateRootPolicyProvider;
+			this.rootPolicyEvaluator = candidateRootPolicyEvaluator;
 		} else
 		{
-			this.rootPolicyProvider = staticRootPolicyProvider;
+			this.rootPolicyEvaluator = staticRootPolicyEvaluator;
 		}
 
 		this.reqFilter = requestFilter;
@@ -297,13 +286,11 @@ public class PDPImpl implements CloseablePDP
 			this.decisionCache = null;
 		} else
 		{
-			final DecisionCache.Factory<AbstractDecisionCache> responseCacheStoreFactory = PdpExtensionLoader.getJaxbBoundExtension(
-					DecisionCache.Factory.class, jaxbDecisionCacheConf.getClass());
+			final DecisionCache.Factory<AbstractDecisionCache> responseCacheStoreFactory = PdpExtensionLoader.getJaxbBoundExtension(DecisionCache.Factory.class, jaxbDecisionCacheConf.getClass());
 			this.decisionCache = responseCacheStoreFactory.getInstance(jaxbDecisionCacheConf);
 		}
 
-		this.individualReqEvaluator = this.decisionCache == null ? new NonCachingIndividualDecisionRequestEvaluator(rootPolicyProvider)
-				: new CachingIndividualRequestEvaluator(rootPolicyProvider, this.decisionCache);
+		this.individualReqEvaluator = this.decisionCache == null