Commit ae127ba7 authored by cdanger

- Added migration instructions for upcoming release.

- Fixed HTML doc formatting in pdp.xsd and improved content.
parent 2b8d2dad
## Migration from v14.x to 15.x
- Modify the PDP configuration (XML): replace the XML namespace `http://authzforce.github.io/core/xmlns/pdp/7.0` with `http://authzforce.github.io/core/xmlns/pdp/7`.
## Migration from v13.x to v14.x ## Migration from v13.x to v14.x
- Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider - Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider
- Modify the PDP configuration (XML): - Modify the PDP configuration (XML):
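Review bot: the new v15.x section only covers the namespace change, but this same commit moves the schema's root `version` to `7.1` and documents the `pdp` element's required `version` attribute as having to match it, so the migration step should also tell users to update the `version` attribute in their PDP configuration. Style: the new heading reads "v14.x to 15.x" while the one below reads "v13.x to v14.x"; keep the `v` prefix consistent.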
......
...@@ -115,7 +115,7 @@ To give you an example on how to test a XACML Policy (or PolicySet) and Request, ...@@ -115,7 +115,7 @@ To give you an example on how to test a XACML Policy (or PolicySet) and Request,
$ ./authzforce-ce-core-pdp-cli-14.0.0.jar pdp.xml IIA001/Request.xml $ ./authzforce-ce-core-pdp-cli-14.0.0.jar pdp.xml IIA001/Request.xml
``` ```
* `pdp.xml`: PDP configuration file, that defines the location(s) of XACML policy(ies), among other PDP engine parameters; the content of this file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd), so you can read the documentation of every configuration parameter in that schema file; **Feel free to change the policy location to point to your own for testing.** * `pdp.xml`: PDP configuration file in XML format, that defines the location(s) of XACML policy(ies) and more; for more information about PDP configuration parameters, the configuration format is fully specified and documented in the [XML schema `pdp.xsd`](pdp-engine/src/main/resources/pdp.xsd), also available in a [more user-friendly HTML form](https://authzforce.github.io/pdp.xsd/7.1). **Feel free to change the policy location to point to your own for testing.**
* `Request.xml`: XACML request in XACML 3.0/XML (core specification) format. **Feel free to replace with your own for testing.** * `Request.xml`: XACML request in XACML 3.0/XML (core specification) format. **Feel free to replace with your own for testing.**
If you want to test the JSON Profile of XACML 3.0, run it with extra option `-t XACML_JSON`: If you want to test the JSON Profile of XACML 3.0, run it with extra option `-t XACML_JSON`:
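Review bot: the new sentence pointing at `pdp.xsd` and its HTML form at `https://authzforce.github.io/pdp.xsd/7.1` is repeated verbatim in the second README hunk; keep it in one place and link there from the other, since the URL hard-codes the schema version and both copies would otherwise need updating at every bump. Minor: "PDP configuration file in XML format, that defines ..." should lose the comma before "that", and the unchanged example command still invokes `authzforce-ce-core-pdp-cli-14.0.0.jar` although the migration notes added in this commit target 15.x.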
...@@ -147,7 +147,7 @@ Since this is a Maven artifact and it requires dependencies, you should build yo ...@@ -147,7 +147,7 @@ Since this is a Maven artifact and it requires dependencies, you should build yo
To get started using a PDP to evaluate XACML requests, the first step is to write/get a XACML 3.0 policy. Please refer to [XACML v3.0 - Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) for the syntax. For a basic example, see [this one](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/mandatory/IIA001/IIA001Policy.xml). To get started using a PDP to evaluate XACML requests, the first step is to write/get a XACML 3.0 policy. Please refer to [XACML v3.0 - Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) for the syntax. For a basic example, see [this one](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/mandatory/IIA001/IIA001Policy.xml).
Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#getInstance(String)](pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java#L663). The required parameter *confLocation* must be the location of the PDP configuration file. The content of such file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd). This schema defines every configuration parameter with associated documentation. Here is a minimal example of configuration: Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#getInstance(String)](pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java#L663). The required parameter *confLocation* must be the location of the PDP configuration file. For more information about PDP configuration parameters, the configuration format is fully specified and documented in the [XML schema `pdp.xsd`](pdp-engine/src/main/resources/pdp.xsd), also available in a [more user-friendly HTML form](https://authzforce.github.io/pdp.xsd/7.1). Here is a minimal example of configuration:
```xml ```xml
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
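Review bot: the link `PdpEngineConfiguration.java#L663` pins a source line number, which silently goes stale the next time the file changes; link to the file without the `#L663` fragment, or to the published javadoc of `PdpEngineConfiguration#getInstance(String)`, so the reference survives edits.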
......
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<schema <xs:schema targetNamespace="http://authzforce.github.io/core/xmlns/pdp/7" elementFormDefault="qualified" version="7.1" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3" xmlns="http://www.w3.org/1999/xhtml">
xmlns="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://authzforce.github.io/core/xmlns/pdp/7"
xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/7"
elementFormDefault="qualified"
xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"
version="7.1">
<import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" /> <import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
<import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" /> <import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" />
<annotation> <xs:annotation id="testeststset">
<documentation xml:lang="en"> <xs:documentation xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
<p>
Data model of AuthZForce PDP configuration. Data model of AuthZForce PDP configuration.
</p>
<p> <p>
XML schema versioning: the 'version' attribute of the root XML schema versioning: the <i>version</i> attribute of the root
'schema' <i>schema</i>
element identifies the Major.Minor.Patch version of this element identifies the <i>Major.Minor</i> version of this
schema. The schema. The <i>Minor</i> version is used for any backwards-compatible change. The <i>Major</i> version is
Major.Minor part must match the Major.Minor part of
the
first
compatible version of authzforce-ce-core library. The Patch
version
is used for any
backwards-compatible change. The Minor
version is
incremented after any change that is NOT incremented after any change that is NOT
backwards-compatible. (As a backwards-compatible.
result, the authzforce-ce-core The <i>Major</i> version part
library's must be suffix of the target namespace - but
minor version is
incremented as well.)
The Major.Minor version part
must be part of the target namespace - but
not the not the
Patch <i>Minor</i>
version - to version - to
separate namespaces that separate namespaces that
are not backwards-compatible. are not backwards-compatible.
</p> </p>
</documentation> </xs:documentation>
</annotation> </xs:annotation>
<element <xs:element name="pdp">
name="attributeProvider" <xs:annotation>
type="authz-ext:AbstractAttributeProvider"> <xs:documentation>
<annotation> PDP configuration
<documentation> </xs:documentation>
<p>Attribute Provider that provides attributes not already provided </xs:annotation>
in the XACML request by PEP, e.g. from external sources. There must <xs:complexType>
be one and <xs:sequence>
only one Java class - say <xs:element name="attributeDatatype" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
'com.example.FooAttributeProviderFactory' - on the classpath <xs:annotation>
implementing interface <xs:documentation>
'org.ow2.authzforce.core.pdp.api.CloseableDesignatedAttributeProvider.Factory&lt;CONF_T&gt;' <p>
with URI of an XACML attribute datatype to be added to supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every datatype,
zero-arg
constructor,
where
CONF_T is the JAXB type bound to
this
XML element type. This attribute
Provider may also depend on
previously defined
'attributeProviders', to find dependency
attributes, i.e.
attributes that
this
Provider does not support
itself, but requires to find its supported
attributes. Therefore, if
an 'attributeProvider' AFy
requires/depends on an
attribute
A that is
not to be provided
by the
PEP,
another 'attributeProvider' AFx
providing this attribute A must be
declared
before X.
</p>
<p>
Such configurations (XML instances of this schema)
may use placeholders enclosed between '${' and '}' for the following properties:
- the global property 'PARENT_DIR' for defining - in a generic
way - a path relative to the parent directory to the XML file where this is used;
- Java system properties;
- System environment variables.
Implementation classes can use
org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
to replace ${property_name} placeholders with such properties.
You may use '!' as a separating character
between the placeholder
property name
and a default value that is used if the property is undefined.
E.g. ${PARENT_DIR!/home/foo/conf} will be
replaced with
'/home/foo/conf' if PARENT_DIR is undefined.
In the location, you
may use placeholders enclosed between '${' and '}' for the following properties:
- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the
XML file where this is used;
- Java system properties;
- System environment variables.
</p>
</documentation>
</annotation>
</element>
<element name="pdp">
<complexType>
<sequence>
<element
name="attributeDatatype"
type="anyURI"
minOccurs="0"
maxOccurs="unbounded">
<annotation>
<documentation>
URI of an attribute datatype to be added to supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every datatype,
there there
must be one and only one Java class - say 'com.example.FooValueFactory' - on the classpath implementing interface must be one and only one Java class on the classpath - say <i>com.example.FooValueFactory</i> - implementing interface
'org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory' with zero-arg <i>org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory</i> with zero-arg
constructor, such that this URI equals: new com.example.FooValueFactory().getId(). constructor, and this URI must match the one returned by <i>new com.example.FooValueFactory().getId()</i>.
</documentation> </p>
</annotation> <p>More info about Attribute Data-types is available on <a href="https://github.com/authzforce/core/wiki/XACML-Data-Types">AuthzForce wiki</a>.</p>
</element> </xs:documentation>
<element </xs:annotation>
name="function" </xs:element>
type="anyURI" <xs:element name="function" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
minOccurs="0" <xs:annotation>
maxOccurs="unbounded"> <xs:documentation>
<annotation> URI of a XACML function to be added to supported functions. For every function, its return type and all its parameter types must be either standard mandatory ones enabled by
<documentation> <i>useStandardDatatypes</i> attribute, or custom ones declared in previous <i>attributeDatatype</i> elements; and there must be one and only one Java class - say
URI of a function to be added to supported functions. For every function, its return type and all its parameter types must be either standard mandatory ones enabled by <i>com.example.FooFunction</i> - on the
'useStandardDatatypes' attribute, or custom ones declared in previous 'attributeDatatype' elements; and there must be one and only one Java class - say classpath implementing interface <i>org.ow2.authzforce.core.pdp.api.func.Function</i> with zero-arg constructor, and this URI must match the one returned by:
'com.example.FooFunction' - on the <i>new com.example.FooFunction().getId()</i>.
classpath implementing interface 'org.ow2.authzforce.core.pdp.api.func.Function' with zero-arg constructor, such that this URI equals: <p>More info about Functions is available on <a href="https://github.com/authzforce/core/wiki/XACML-Functions">AuthzForce wiki</a>.</p>
new com.example.FooFunction().getId(). </xs:documentation>
</documentation> </xs:annotation>
</annotation> </xs:element>
</element> <xs:element name="combiningAlgorithm" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
<element <xs:annotation>
name="combiningAlgorithm" <xs:documentation>
type="anyURI" URI of a XACML policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say <i>com.example.FooCombiningAlg</i> - on the
minOccurs="0"
maxOccurs="unbounded">
<annotation>
<documentation>
URI of a policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say 'com.example.FooCombiningAlg' - on the
classpath classpath
implementing interface 'org.ow2.authzforce.core.pdp.api.combining.CombiningAlg' with zero-arg constructor, such that this URI equals: new implementing interface <i>org.ow2.authzforce.core.pdp.api.combining.CombiningAlg</i> with zero-arg constructor, and this URI must match the one returned by: <i>new
com.example.FooCombiningAlg().getId(). com.example.FooCombiningAlg().getId()</i>.
</documentation> <p>More info about Policy and Rule Combining Algorithms is available on <a href="https://github.com/authzforce/core/wiki/XACML-Combining-Algorithms">AuthzForce wiki</a>.</p>
</annotation> </xs:documentation>
</element> </xs:annotation>
<element </xs:element>
ref="tns:attributeProvider" <xs:element ref="tns:attributeProvider" maxOccurs="unbounded" minOccurs="0" />
maxOccurs="unbounded" <xs:element name="policyProvider" type="authz-ext:AbstractPolicyProvider" minOccurs="1" maxOccurs="1">
minOccurs="0" /> <xs:annotation>
<element <xs:documentation>
name="policyProvider" <p>
type="authz-ext:AbstractPolicyProvider" XACML Policy Provider that resolves <i>Policy(Set)IdReference</i>s. There must be one and only one Java class on the classpath - say <i>com.example.FooPolicyProviderFactory</i> - implementing interface
minOccurs="1" <i>org.ow2.authzforce.core.pdp.api.policy.CLoseablePolicyProvider.Factory&lt;CONF_T&gt;</i> with zero-arg constructor, where <i>CONF_T</i> is the JAXB type bound
maxOccurs="1">
<annotation>
<documentation>
Policy Provider that resolves Policy(Set)IdReferences. There must be one and only one Java class - say 'com.example.FooPolicyProviderFactory' - on the classpath
implementing interface
'org.ow2.authzforce.core.pdp.api.policy.CLoseablePolicyProvider.Factory&lt;CONF_T&gt;' with zero-arg constructor, where CONF_T is the JAXB type bound
to this XML element type. to this XML element type.
</p>
<p>More info about Policy Providers (how to make/use one) is available on <a href="https://github.com/authzforce/core/wiki/Policy-Providers">AuthzForce wiki</a>.</p>
<p> <p>
Implementation classes can use org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders() to replace ${property_name} placeholders with such properties. You Implementation classes can use <i>org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()</i> method to replace <i>${property_name}</i> placeholders with such properties. You
may use '!' as a may use <i>!</i> (exclamation mark) as a
separating character between the placeholder property name and a default value that is used if the property is undefined. E.g. separating character between the placeholder property name and a default value that is used if the property is undefined. E.g.
${PARENT_DIR!/home/foo/conf} will be replaced with <i>${PARENT_DIR!/home/foo/conf}</i> will be replaced with
'/home/foo/conf' if PARENT_DIR is undefined. <i>/home/foo/conf</i> if <i>PARENT_DIR</i> is undefined.
In the location, you may use placeholders enclosed between '${' and '}' for the following properties: - the global property 'PARENT_DIR' for In the location, you may use placeholders enclosed between <i>${</i> and <i>}</i> for the following properties:
<ul>
<li>the global property <i>PARENT_DIR</i> for
defining - in a generic way defining - in a generic way
- a path relative to the parent directory to the XML file where this is used; - Java system properties; - System environment variables. - a path relative to the parent directory to the XML file where this is used;
</li>
<li>Java system properties;
</li>
<li>System environment variables.
</li>
</ul>
</p> </p>
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</element> </xs:element>
<element <xs:element name="rootPolicyRef" type="tns:TopLevelPolicyElementRef" minOccurs="0" maxOccurs="1">
name="rootPolicyRef" <xs:annotation>
type="tns:TopLevelPolicyElementRef" <xs:documentation>
minOccurs="0" Identifies the root policy from which the policy evaluation begins. This identifier must be resolved by the Policy Provider configured previously (cf. <i>policyProvider</i>
maxOccurs="1"> element). In case this is not specified, the policy returned by the <i>PolicyProvider#getCandidateRootPolicy()</i> method is used as root policy. Refer to the respective PolicyProvider's documentation for more information.
<annotation> </xs:documentation>
<documentation> </xs:annotation>
Identifies the root policy from which the policy evaluation begins. This identifier must be resolved by the Policy Provider configured previously (cf. 'policyProvider' </xs:element>
element). In case this is not specified, the policy returned by the PolicyProvider#getCandidateRootPolicy() method is used as root policy. Refer to the respective PolicyProvider's documentation for more information. <xs:element name="decisionCache" minOccurs="0" maxOccurs="1" type="authz-ext:AbstractDecisionCache">
</documentation> <xs:annotation>
</annotation> <xs:documentation>
</element> <p>
<element Decision cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request. There must be
name="decisionCache"
minOccurs="0"
maxOccurs="1"
type="authz-ext:AbstractDecisionCache">
<annotation>
<documentation>
Decision Result cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request. There must be
one and one and
only one Java class - say 'com.example.FooDecisionCacheFactory' - on the classpath implementing interface only one Java class on the classpath - say <i>com.example.FooDecisionCacheFactory</i> -implementing interface
'org.ow2.authzforce.core.pdp.api.DecisionCache.Factory&lt;CONF_T&gt;' with zero-arg <i>org.ow2.authzforce.core.pdp.api.DecisionCache.Factory&lt;CONF_T&gt;</i> with zero-arg
constructor, where CONF_T is the JAXB type bound to this XML element type. constructor, where <i>CONF_T</i> is the JAXB type bound to this XML element type.
</documentation> </p>
</annotation> <p>More info about Decision Cache extensions is available on <a href="https://github.com/authzforce/core/wiki/Decision-Caches">AuthzForce wiki</a>.</p>
</element> </xs:documentation>
<element </xs:annotation>
name="ioProcChain" </xs:element>
type="tns:InOutProcChain" <xs:element name="ioProcChain" type="tns:InOutProcChain" minOccurs="0" maxOccurs="unbounded">
minOccurs="0" <xs:annotation>
maxOccurs="unbounded"> <xs:documentation>
<annotation>
<documentation>
I/O processing chains if specific processing before and/or after policy evaluation by the PDP engine is required. Each chain must handle a different input datatype. In I/O processing chains if specific processing before and/or after policy evaluation by the PDP engine is required. Each chain must handle a different input datatype. In
other words, other words,
there is no more than one I/O processing chain per supported input type, e.g. one for XACML/XML input, another for XACML/JSON input. there is no more than one I/O processing chain per supported input type, e.g. one for XACML/XML input, another for XACML/JSON input.
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</element> </xs:element>
</sequence> </xs:sequence>
<attribute <xs:attribute name="version" type="xs:token" use="required">
name="version" <xs:annotation>
type="token" <xs:documentation>Version of the current schema for which the instance
use="required"> document is valid. Must match the <i>version</i> attribute value of the
<annotation>
<documentation>Version of the current schema for which the instance
document is valid. Must match the 'version' attribute value of the
root root
'schema' element in the corresponding version <i>schema</i> element in the corresponding version
of of
this this
schema. schema.
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="useStandardDatatypes" type="xs:boolean" use="optional" default="true">
name="useStandardDatatypes" <xs:annotation>
type="boolean" <xs:documentation>Enable support for XACML core standard mandatory
use="optional" datatypes. If <i>false</i>, only datatypes specified in <i>attributeDatatype</i> elements are available to the PDP, and therefore
default="true">
<annotation>
<documentation>Enable support for XACML core standard mandatory
datatypes. If 'false', only datatypes specified in 'attributeDatatype' elements are available to the PDP, and therefore
only these only these
datatypes may be be used in policies. datatypes may be be used in policies.
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="useStandardFunctions" type="xs:boolean" use="optional" default="true">
name="useStandardFunctions" <xs:annotation>
type="boolean" <xs:documentation>Enable support for XACML core standard mandatory
use="optional" functions. Requires <i>useStandardDatatypes=true</i> if true; if false, only functions specified in <i>function</i> elements are
default="true">
<annotation>
<documentation>Enable support for XACML core standard mandatory
functions. Requires useStandardDatatypes=true if true; if 'false', only functions specified in 'function' elements are
available to available to
the PDP, and therefore only these the PDP, and therefore only these
functions may be be used in policies. functions may be be used in policies.
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="useStandardCombiningAlgorithms" type="xs:boolean" use="optional" default="true">
name="useStandardCombiningAlgorithms" <xs:annotation>
type="boolean" <xs:documentation>Enable support for XACML core standard combining
use="optional" algorithms. If false, only algorithms specified in <i>combiningAlgorithm</i> elements are available to the PDP, and therefore
default="true">
<annotation>
<documentation>Enable support for XACML core standard combining
algorithms. If 'false', only algorithms specified in 'combiningAlgorithm' elements are available to the PDP, and therefore
only these only these
algorithms may be be used in policies. algorithms may be be used in policies.
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="standardEnvAttributeSource" type="tns:StandardEnvironmentAttributeSource" use="optional" default="REQUEST_ELSE_PDP" />
name="standardEnvAttributeSource" <xs:attribute name="enableXPath" type="xs:boolean" use="optional" default="false">
type="tns:StandardEnvironmentAttributeSource" <xs:annotation>
use="optional" <xs:documentation>Enable support for <i>AttributeSelectors</i>,
default="REQUEST_ELSE_PDP" /> <i>xpathExpression</i> datatype and <i>xpath-node-count</i> function. This
<attribute overrides <i>useStandardDatatypes</i>
name="enableXPath" parameter, i.e. <i>xpathExpression</i>
type="boolean"
use="optional"
default="false">
<annotation>
<documentation>Enable support for AttributeSelectors,
xpathExpression datatype and xpath-node-count function. This
overrides 'useStandardDatatypes'
parameter, i.e. xpathExpression
is is
not not
supported supported
anyway if 'enableXpath' anyway if <i>enableXpath</i>
is false. This feature is is false. This feature is
experimental (not to be used in experimental (not to be used in
production) and production) and
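Review bot: the root element now makes XHTML the default namespace (`xmlns="http://www.w3.org/1999/xhtml"`), but the two unchanged `<import namespace="..." />` lines directly below it keep no prefix, so they now resolve to the XHTML namespace rather than XML Schema and the schema will fail to load; they need to become `<xs:import ... />` like every other schema component in the new version. Further points in this hunk: `<xs:annotation id="testeststset">` looks like leftover debugging residue and should be dropped; the global `attributeProvider` element declaration (with its documentation on provider ordering and placeholders) is removed here while `<xs:element ref="tns:attributeProvider" maxOccurs="unbounded" minOccurs="0" />` still references it, so please confirm it is declared elsewhere in the file; under `policyProvider` the `<ul>` is nested inside a `<p>`, which is not valid XHTML, so close the `</p>` before the list, and that same paragraph says "with such properties" and "In the location" before any properties or location have been introduced (the removed text listed the properties first). Typos carried over or introduced: `CLoseablePolicyProvider` (capital L), `org.ow2.authzforce.pd.api.EnvironmentProperties` (every other package in the file is `org.ow2.authzforce.core.pdp.api`), `-implementing` missing a space in the `decisionCache` documentation, `enableXpath` in the `enableXPath` documentation, and three occurrences of "may be be used". Since the commit's purpose is HTML formatting, consider `<code>` rather than `<i>` for identifiers, so that quotations and emphasis can be marked up differently.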
...@@ -309,25 +191,21 @@ ...@@ -309,25 +191,21 @@
impact on performance. Use impact on performance. Use
with caution. For your with caution. For your
information, information,
AttributeSelector and <i>AttributeSelector</i> and
xpathExpression <i>xpathExpression</i>
datatype support is marked datatype support is marked
as as
optional in XACML 3.0 core specification. optional in XACML 3.0 core specification.
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="strictAttributeIssuerMatch" type="xs:boolean" use="optional" default="false">
name="strictAttributeIssuerMatch" <xs:annotation>
type="boolean" <xs:documentation>
use="optional"
default="false">
<annotation>
<documentation>
<p>true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the <p>true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the
Issuer field.</p> Issuer field.</p>
<p> <p>
"Strict Attribute Issuer matching" means that an AttributeDesignator without Issuer only match request <i>Strict Attribute Issuer matching</i> means that an AttributeDesignator without Issuer matches only request
Attributes without Issuer. This mode is not fully compliant with XACML 3.0, Attributes without Issuer. This mode is not fully compliant with XACML 3.0,
§5.29, in the §5.29, in the
case that case that
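Review bot: the first sentence of the `strictAttributeIssuerMatch` documentation ("true iff we want strict Attribute Issuer matching and we require that ...") is written from the implementer's side; for schema documentation read by integrators, state what the flag does, e.g. "If true, strict Attribute Issuer matching is enforced and every AttributeDesignator must set the Issuer field."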
...@@ -335,11 +213,11 @@ ...@@ -335,11 +213,11 @@
it performs better and is recommended when all AttributeDesignators have an Issuer (best it performs better and is recommended when all AttributeDesignators have an Issuer (best
practice). Indeed, the XACML 3.0 practice). Indeed, the XACML 3.0
Attribute Evaluation section Attribute Evaluation section
§5.29 says: "If the Issuer is not present in the AttributeDesignator, then the matching of the §5.29 says: <i>If the Issuer is not present in the AttributeDesignator, then the matching of the
attribute to the named attribute to the named
attribute SHALL be governed by AttributeId and attribute SHALL be governed by AttributeId and
DataType attributes alone." DataType attributes alone.</i>
Therefore, if 'strictAttributeIssuerMatch' is false, since policies may use AttributeDesignators without Therefore, if <i>strictAttributeIssuerMatch</i> is false, since policies may use <i>AttributeDesignator</i>s without
Issuer, Issuer,
if the requests are using matching Attributes but with if the requests are using matching Attributes but with
none, one or more different Issuers, this PDP none, one or more different Issuers, this PDP
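Review bot: the quotation from XACML 3.0 §5.29 ("If the Issuer is not present in the AttributeDesignator ...") is wrapped in `<i>`, the same element used one line later for the identifier `strictAttributeIssuerMatch`; XHTML `<q>` (or `<blockquote>`) marks a quotation and keeps it visually distinct from configuration names.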
...@@ -347,67 +225,53 @@ ...@@ -347,67 +225,53 @@
matching Category/AttributeId but matching Category/AttributeId but
with any Issuer or no Issuer. Therefore, in order with any Issuer or no Issuer. Therefore, in order
to stay compliant with §5.29 and still enforce best to stay compliant with §5.29 and still enforce best
practice, when strictAttributeIssuerMatch = practice, when <i>strictAttributeIssuerMatch =
true, we also require that all true</i>, we also require that all
AttributeDesignators set the Issuer field.</p> AttributeDesignators set the Issuer field.</p>
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="maxIntegerValue" type="positiveInteger" use="optional" default="2147483647">
name="maxIntegerValue" <xs:annotation>
type="positiveInteger" <xs:documentation> Maximum absolute integer value. This is the expected maximum absolute value for XACML attributes of standard type <i>http://www.w3.org/2001/XMLSchema#integer</i> (requires
use="optional" <i>useStandardDatatypes
default="2147483647"> = true</i>). Decreasing this value as much
<annotation>
<documentation> Maximum absolute integer value. This is the expected maximum absolute value for XACML attributes of standard type 'http://www.w3.org/2001/XMLSchema#integer' (requires
useStandardDatatypes
= true). Decreasing this value as much
as as
possible helps the PDP engine optimize the processing of integer possible helps the PDP engine optimize the processing of integer
values (lower memory consumption, faster computations). values (lower memory consumption, faster computations).
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="maxVariableRefDepth" type="xs:nonNegativeInteger" use="optional">
name="maxVariableRefDepth" <xs:annotation>
type="nonNegativeInteger" <xs:documentation> Maximum depth of Variable reference chaining:
use="optional"> <i>VariableDefinition1 -&gt; VariableDefinition2 -&gt; ...</i>; where
<annotation> <i>-&gt;</i> represents a
<documentation> Maximum depth of Variable reference chaining:
VariableDefinition1 -&gt; VariableDefinition2 -&gt; ...; where
'-&gt;' represents a
VariableReference. It is recommended to VariableReference. It is recommended to
specify a specify a
value for this attribute in production for security/safety reasons. value for this attribute in production for security/safety reasons.
Indeed, if not specified, no maximum is enforced (unlimited). Indeed, if not specified, no maximum is enforced (unlimited).
</documentation> </xs:documentation>
</annotation> </xs:annotation>
</attribute> </xs:attribute>
<attribute <xs:attribute name="maxPolicyRefDepth" type="xs:nonNegativeInteger" use="optional">
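Review bot: `type="positiveInteger"` on the `maxIntegerValue` attribute has no `xs:` prefix, unlike `xs:nonNegativeInteger`, `xs:boolean` and `xs:token` on the neighbouring attributes; with the XHTML default namespace now set on the root element this name resolves to the wrong namespace and the schema will not load, so it should read `type="xs:positiveInteger"`. Also, the `maxVariableRefDepth` documentation itself recommends a bound in production for security/safety reasons and states that absence means unlimited, and `maxPolicyRefDepth` is declared optional in the same way; rather than leaving this to the reader, consider a finite default in the schema, or at least carry the recommendation into the README and migration notes added in this commit.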