Data model of AuthZForce PDP configuration. +
- XML schema versioning: the 'version' attribute of the root - 'schema' - element identifies the Major.Minor.Patch version of this - schema. The - Major.Minor part must match the Major.Minor part of - the - first - compatible version of authzforce-ce-core library. The Patch - version - is used for any - backwards-compatible change. The Minor - version is + XML schema versioning: the version attribute of the root + schema + element identifies the Major.Minor version of this + schema. The Minor version is used for any backwards-compatible change. The Major version is incremented after any change that is NOT - backwards-compatible. (As a - result, the authzforce-ce-core - library's - minor version is - incremented as well.) - The Major.Minor version part - must be part of the target namespace - but + backwards-compatible. + The Major version part + must be suffix of the target namespace - but not the - Patch + Minor version - to separate namespaces that are not backwards-compatible.
-Attribute Provider that provides attributes not already provided - in the XACML request by PEP, e.g. from external sources. There must - be one and - only one Java class - say - 'com.example.FooAttributeProviderFactory' - on the classpath - implementing interface - 'org.ow2.authzforce.core.pdp.api.CloseableDesignatedAttributeProvider.Factory<CONF_T>' - with - zero-arg - constructor, - where - CONF_T is the JAXB type bound to - this - XML element type. This attribute - Provider may also depend on - previously defined - 'attributeProviders', to find dependency - attributes, i.e. - attributes that - this - Provider does not support - itself, but requires to find its supported - attributes. Therefore, if - an 'attributeProvider' AFy - requires/depends on an - attribute - A that is - not to be provided - by the - PEP, - another 'attributeProvider' AFx - providing this attribute A must be - declared - before X. -
-- Such configurations (XML instances of this schema) - may use placeholders enclosed between '${' and '}' for the following properties: - - the global property 'PARENT_DIR' for defining - in a generic - way - a path relative to the parent directory to the XML file where this is used; - - Java system properties; - - System environment variables. - - Implementation classes can use - org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders() - to replace ${property_name} placeholders with such properties. - You may use '!' as a separating character - between the placeholder - property name - and a default value that is used if the property is undefined. - E.g. ${PARENT_DIR!/home/foo/conf} will be - replaced with - '/home/foo/conf' if PARENT_DIR is undefined. - - In the location, you - may use placeholders enclosed between '${' and '}' for the following properties: - - the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the - XML file where this is used; - - Java system properties; - - System environment variables. - -
-+ URI of an XACML attribute datatype to be added to supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every datatype, there - must be one and only one Java class - say 'com.example.FooValueFactory' - on the classpath implementing interface - 'org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory' with zero-arg - constructor, such that this URI equals: new com.example.FooValueFactory().getId(). -
More info about Attribute Data-types is available on AuthzForce wiki.
+ + + +More info about Functions is available on AuthzForce wiki.
+More info about Policy and Rule Combining Algorithms is available on AuthzForce wiki.
+ + + ++ XACML Policy Provider that resolves Policy(Set)IdReferences. There must be one and only one Java class on the classpath - say com.example.FooPolicyProviderFactory - implementing interface + org.ow2.authzforce.core.pdp.api.policy.CLoseablePolicyProvider.Factory<CONF_T> with zero-arg constructor, where CONF_T is the JAXB type bound to this XML element type. +
+More info about Policy Providers (how to make/use one) is available on AuthzForce wiki.
- Implementation classes can use org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders() to replace ${property_name} placeholders with such properties. You - may use '!' as a + Implementation classes can use org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders() method to replace ${property_name} placeholders with such properties. You + may use ! (exclamation mark) as a separating character between the placeholder property name and a default value that is used if the property is undefined. E.g. - ${PARENT_DIR!/home/foo/conf} will be replaced with - '/home/foo/conf' if PARENT_DIR is undefined. + ${PARENT_DIR!/home/foo/conf} will be replaced with + /home/foo/conf if PARENT_DIR is undefined. - In the location, you may use placeholders enclosed between '${' and '}' for the following properties: - the global property 'PARENT_DIR' for + In the location, you may use placeholders enclosed between ${ and } for the following properties: +
+ Decision cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request. There must be one and - only one Java class - say 'com.example.FooDecisionCacheFactory' - on the classpath implementing interface - 'org.ow2.authzforce.core.pdp.api.DecisionCache.Factory<CONF_T>' with zero-arg - constructor, where CONF_T is the JAXB type bound to this XML element type. -
More info about Decision Cache extensions is available on AuthzForce wiki.
+ + + +true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the Issuer field.
- "Strict Attribute Issuer matching" means that an AttributeDesignator without Issuer only match request + Strict Attribute Issuer matching means that an AttributeDesignator without Issuer matches only request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that @@ -335,11 +213,11 @@ it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Indeed, the XACML 3.0 Attribute Evaluation section - §5.29 says: "If the Issuer is not present in the AttributeDesignator, then the matching of the + §5.29 says: If the Issuer is not present in the AttributeDesignator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and - DataType attributes alone." - Therefore, if 'strictAttributeIssuerMatch' is false, since policies may use AttributeDesignators without + DataType attributes alone. + Therefore, if strictAttributeIssuerMatch is false, since policies may use AttributeDesignators without Issuer, if the requests are using matching Attributes but with none, one or more different Issuers, this PDP @@ -347,67 +225,53 @@ matching Category/AttributeId but with any Issuer or no Issuer. Therefore, in order to stay compliant with §5.29 and still enforce best - practice, when strictAttributeIssuerMatch = - true, we also require that all + practice, when strictAttributeIssuerMatch = + true, we also require that all AttributeDesignators set the Issuer field.
-XACML Attribute Provider that provides attributes not already provided + in the XACML request from PEP, e.g. from external sources. There must + be one and + only one Java class on the classpath - say + com.example.FooAttributeProviderFactory - + implementing interface + org.ow2.authzforce.core.pdp.api.CloseableDesignatedAttributeProvider.Factory<CONF_T> + with + zero-arg + constructor, + where + CONF_T is the JAXB type bound to + this + XML element type. This Attribute + Provider may also depend on + previously defined + attributeProviders, to find dependency + attributes, i.e. + attributes that + this + Provider does not support + itself, but requires to find its supported + attributes. Therefore, if + an attributeProvider AP1 + requires/depends on an + attribute + A that is + not to be provided in the XACML request from the PEP, + another attributeProvider AP2 + providing this attribute A must be + declared + before AP1. +
+More info about Attribute Providers (how to make/use one) is available on AuthzForce wiki.
++ Such configurations (XML instances of this schema) + may use placeholders enclosed between ${ and } for the following properties: +
+ Implementation classes can use + org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders() + to replace ${property_name} placeholders with such properties. + You may use ! (exclamation mark) as a separating character + between the placeholder + property name + and a default value that is used if the property is undefined. + E.g. ${PARENT_DIR!/home/foo/conf} will be + replaced with + /home/foo/conf if PARENT_DIR is undefined. +
++ In the location, you + may use placeholders enclosed between ${ and } for the following properties: +
Defines the source for the standard environment attributes specified in §10.2.5: current-time, current-date and current-dateTime. The options are: -
Pair of compatible PDP input/output processors - resp. requestPreproc and resultPostproc - where compatible means: requestPreproc.getOutputRequestType() == + resultPostproc.getRequestType()
+URI of a XACML Request pre-processor to be enabled. A XACML Request preprocessor is a PDP extension that applies some processing of the request, such as @@ -575,33 +526,35 @@ the results (one per Individual Decision Request) may be combined by a Result postprocessor specified by next - attribute 'resultPostproc'. + attribute resultPostproc.
-There must be one and only one Java class - say - 'com.example.FooRequestPreproc' - on the classpath implementing +
There must be one and only one Java class on the classpath - say + com.example.FooRequestPreproc - implementing interface - 'org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor' with + org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor with zero-arg - constructor, such - that this URI equals: new - com.example.FooRequestPreproc().getId().
-If the configuration parameter 'enableXPath' is true, it is the + constructor, and this URI must match the one returned by: new + com.example.FooRequestPreproc().getId().
+If the configuration parameter enableXPath is true, it is the responsibility of the Request preprocessor to parse XACML Request/Attributes/Content nodes. If the configuration parameter - 'strictAttributeIssuerMatch' is true, it is the responsibility of + strictAttributeIssuerMatch is true, it is the responsibility of the Request preprocessor to keep values of Attributes with Issuer separate from values of Attributes without Issuer, in the attribute - map returned by getNamedAttributes() on + map returned by getNamedAttributes() on the IndividualDecisionRequests produced by the Request preprocessor.
-The following values of 'requestPreproc' are natively supported:
-"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax": + +
The following values of requestPreproc are natively supported: +
"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-strict": + 3.0 core spec, §7.3.3)
"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax": + performances)
"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-strict": + core spec, §7.3.3)
More info about Request Preprocessors is available on AuthzForce wiki.
+ + + +URI of a XACML decision Result post-processor to be enabled. A decision Result post-processor is a PDP extension that process the result(s) from the policy evaluation before @@ -662,36 +619,43 @@ multiple individual decisions - produced by the - 'requestPreproc' - to a + requestPreproc - to a single decision - Result if and only if the XACML Request's 'CombinedDecision' + Result if and only if the XACML Request's CombinedDecision is set to true, as defined in XACML Multiple Decision Profile specification, section 3. There must be one - and only one Java class + and only one Java class on the classpath - say - 'com.example.FooResultPostproc' - on the classpath + com.example.FooResultPostproc - implementing interface - 'org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor' with + org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor with zero-arg - constructor, such that this URI equals: + constructor, and this URI must match the one returned by: + new - com.example.FooResultPostproc().getId(). -
More info about Result Postprocessors is available on AuthzForce wiki.
+ + + + + -+ Policy(Set) Provider loading policies + statically from URLs. Any PolicyIdReference used in a PolicySet here must refer to a Policy loaded here as well. Besides, a PolicySet @@ -699,97 +663,104 @@ must be loaded before any other PolicySet P2 with a reference (PolicySetIdReference) to P1. As PolicySets are loaded in the order - of declaration of policyLocations, the order + of declaration of policyLocations, the order matters for PolicySetIdReference resolution. - This PolicyProvider implements the 'PolicyProvider#getCandidateRootPolicy()' - the method provides a default root policy to be used when the PDP's configuration parameter 'rootPolicyRef' is undefined - as follows: - - If there is one and only one XACML Policy provided (e.g. one or more 'policyLocations' are defined, pointing to one or more versions of the same XACML Policy), return the latest version of this Policy; - - Else apply the same rule to XACML PolicySet(s); - - Else no candidate (e.g. there is more than one XACML Policy and more than one XACML PolicySet, in which case the 'rootPolicyRef' must be explicitly defined in PDP's configuration to make the choice). -
+ Location of the XML file that is expected to contain the Policy or PolicySet element to be referenced by a Policy(Set)IdReference in the root PolicySet loaded by a root policy Provider. The location may also be a file pattern in the - form 'file://DIRECTORY_PATH/*SUFFIX' or 'file://DIRECTORY_PATH/**...*SUFFIX', etc. (arbitrarily long sequence of wildcard characters) in + form file://DIRECTORY_PATH/*SUFFIX or file://DIRECTORY_PATH/**...*SUFFIX, etc. (arbitrarily long sequence of wildcard characters) in which case the location is expanded to all regular files in the directory located at - DIRECTORY_PATH with suffix SUFFIX, not crossing directory boundaries if using a single wildcard; but crossing + DIRECTORY_PATH with suffix SUFFIX, not crossing directory boundaries if using a single wildcard; but crossing directory boundaries if using more than a single wildcard (there may not be a SUFFIX; in other words, SUFFIX may be an empty - string). The number of wildcards in the sequence '**....*' defines the + string). The number of wildcards in the sequence **....* defines the maximum number of directory levels to search. - - In the location, you may use placeholders enclosed between '${' and '}' for the following properties: - - the global property 'PARENT_DIR' for +
++ In the location, you may use placeholders enclosed between ${ and } for the following properties: +
+ You may use ! (exclamation mark) as a separating character between the placeholder property name and a default value that is used if the property is undefined. - E.g. ${PARENT_DIR!/home/foo/conf} will be + E.g. ${PARENT_DIR!/home/foo/conf} will be replaced with - '/home/foo/conf' if PARENT_DIR + /home/foo/conf if PARENT_DIR is undefined. -