- Added migration instructions for upcoming release.

- Fixed HTML doc formatting in pdp.xsd and improved content.

- Added migration instructions for upcoming release.
- Fixed HTML doc formatting in pdp.xsd and improved content.
ae127ba7 · cdanger · 2b8d2dad · ae127ba7 · ae127ba7 · ae127ba7
Commit ae127ba7 authored Jan 17, 2020 by cdanger
Hide whitespace changes
Inline Side-by-side

Showing with 483 additions and 509 deletions

MIGRATION.md MIGRATION.md +3 -0

README.md README.md +2 -2

pdp-engine/src/main/resources/pdp.xsd pdp-engine/src/main/resources/pdp.xsd +478 -507

No files found.
--- a/MIGRATION.md
+++ b/MIGRATION.md
+## Migration from v14.x to 15.x
+- Modify the PDP configuration (XML): replace the XML namespace `http://authzforce.github.io/core/xmlns/pdp/7.0` with `http://authzforce.github.io/core/xmlns/pdp/7`.
 ## Migration from v13.x to v14.x
 - Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider
 - Modify the PDP configuration (XML):

--- a/README.md
+++ b/README.md
@@ -115,7 +115,7 @@ To give you an example on how to test a XACML Policy (or PolicySet) and Request,
 $ ./authzforce-ce-core-pdp-cli-14.0.0.jar pdp.xml IIA001/Request.xml
 ```
-* `pdp.xml`: PDP configuration file, that defines the location(s) of XACML policy(ies), among other PDP engine parameters; the content of this file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd), so you can read the documentation of every configuration parameter in that schema file; **Feel free to change the policy location to point to your own for testing.**
+* `pdp.xml`: PDP configuration file in XML format, that defines the location(s) of XACML policy(ies) and more; for more information about PDP configuration parameters, the configuration format is fully specified and documented in the [XML schema `pdp.xsd`](pdp-engine/src/main/resources/pdp.xsd), also available in a [more user-friendly HTML form](https://authzforce.github.io/pdp.xsd/7.1). **Feel free to change the policy location to point to your own for testing.**
 * `Request.xml`: XACML request in XACML 3.0/XML (core specification) format. **Feel free to replace with your own for testing.**
 If you want to test the JSON Profile of XACML 3.0, run it with extra option `-t XACML_JSON`:
@@ -147,7 +147,7 @@ Since this is a Maven artifact and it requires dependencies, you should build yo
 To get started using a PDP to evaluate XACML requests, the first step is to write/get a XACML 3.0 policy. Please refer to [XACML v3.0 - Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html) for the syntax. For a basic example, see [this one](pdp-testutils/src/test/resources/conformance/xacml-3.0-from-2.0-ct/mandatory/IIA001/IIA001Policy.xml). 
-Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#getInstance(String)](pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java#L663). The required parameter *confLocation* must be the location of the PDP configuration file. The content of such file is a XML document compliant with the PDP configuration [XML schema](pdp-engine/src/main/resources/pdp.xsd). This schema defines every configuration parameter with associated documentation. Here is a minimal example of configuration:
+Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#getInstance(String)](pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java#L663). The required parameter *confLocation* must be the location of the PDP configuration file. For more information about PDP configuration parameters, the configuration format is fully specified and documented in the [XML schema `pdp.xsd`](pdp-engine/src/main/resources/pdp.xsd), also available in a [more user-friendly HTML form](https://authzforce.github.io/pdp.xsd/7.1). Here is a minimal example of configuration:
   ```xml
   <?xml version="1.0" encoding="UTF-8"?>

--- a/pdp-engine/src/main/resources/pdp.xsd
+++ b/pdp-engine/src/main/resources/pdp.xsd
 <?xml version="1.0" encoding="UTF-8"?>
-<schema
+<xs:schema targetNamespace="http://authzforce.github.io/core/xmlns/pdp/7" elementFormDefault="qualified" version="7.1" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3" xmlns="http://www.w3.org/1999/xhtml">
-	xmlns="http://www.w3.org/2001/XMLSchema"
-	targetNamespace="http://authzforce.github.io/core/xmlns/pdp/7"
-	xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/7"
-	elementFormDefault="qualified"
-	xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
-	xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"
-	version="7.1">
 	<import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
 	<import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" />
-	<annotation>
+	<xs:annotation id="testeststset">
-		<documentation xml:lang="en">
+		<xs:documentation xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
+		<p>
 			Data model of AuthZForce PDP configuration.
+			</p>
 			<p>
-				XML schema versioning: the 'version' attribute of the root
+				XML schema versioning: the <i>version</i> attribute of the root
-				'schema'
+				<i>schema</i>
-				element identifies the Major.Minor.Patch version of this
+				element identifies the <i>Major.Minor</i> version of this
-				schema. The
+				schema. The <i>Minor</i> version is used for any backwards-compatible change. The <i>Major</i> version is
-				Major.Minor part must match the Major.Minor part of
-				the
-				first
-				compatible version of authzforce-ce-core library. The Patch
-				version
-				is used for any
-				backwards-compatible change. The Minor
-				version is
 				incremented after any change that is NOT
-				backwards-compatible. (As a
+				backwards-compatible.
-				result, the authzforce-ce-core
+				The <i>Major</i> version part
-				library's
+				must be suffix of the target namespace - but
-				minor version is
-				incremented as well.)
-				The Major.Minor version part
-				must be part of the target namespace - but
 				not the
-				Patch
+				<i>Minor</i>
 				version - to
 				separate namespaces that
 				are not backwards-compatible.
 			</p>
-		</documentation>
+		</xs:documentation>
-	</annotation>
+	</xs:annotation>
-	<element
+	<xs:element name="pdp">
-		name="attributeProvider"
+	<xs:annotation>
-		type="authz-ext:AbstractAttributeProvider">
+			<xs:documentation>
-		<annotation>
+			PDP configuration
-			<documentation>
+			</xs:documentation>
-				<p>Attribute Provider that provides attributes not already provided
+		</xs:annotation>
-					in the XACML request by PEP, e.g. from external sources. There must
+		<xs:complexType>
-					be one and
+			<xs:sequence>
-					only one Java class - say
+				<xs:element name="attributeDatatype" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
-					'com.example.FooAttributeProviderFactory' - on the classpath
+					<xs:annotation>
-					implementing interface
+						<xs:documentation>
-					'org.ow2.authzforce.core.pdp.api.CloseableDesignatedAttributeProvider.Factory&lt;CONF_T&gt;'
+						<p>
-					with
+							URI of an XACML attribute datatype to be added to supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every datatype,
-					zero-arg
-					constructor,
-					where
-					CONF_T is the JAXB type bound to
-					this
-					XML element type. This attribute
-					Provider may also depend on
-					previously defined
-					'attributeProviders', to find dependency
-					attributes, i.e.
-					attributes that
-					this
-					Provider does not support
-					itself, but requires to find its supported
-					attributes. Therefore, if
-					an 'attributeProvider' AFy
-					requires/depends on an
-					attribute
-					A that is
-					not to be provided
-					by the
-					PEP,
-					another 'attributeProvider' AFx
-					providing this attribute A must be
-					declared
-					before X.
-				</p>
-				<p>
-					Such configurations (XML instances of this schema)
-					may use placeholders enclosed between '${' and '}' for the following properties:
-					- the global property 'PARENT_DIR' for defining - in a generic
-					way - a path relative to the parent directory to the XML file where this is used;
-					- Java system properties;
-					- System environment variables.
-					Implementation classes can use
-					org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
-					to replace ${property_name} placeholders with such properties.
-					You may use '!' as a separating character
-					between the placeholder
-					property name
-					and a default value that is used if the property is undefined.
-					E.g. ${PARENT_DIR!/home/foo/conf} will be
-					replaced with
-					'/home/foo/conf' if PARENT_DIR is undefined.
-					In the location, you
-					may use placeholders enclosed between '${' and '}' for the following properties:
-					- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the
-					XML file where this is used;
-					- Java system properties;
-					- System environment variables.
-				</p>
-			</documentation>
-		</annotation>
-	</element>
-	<element name="pdp">
-		<complexType>
-			<sequence>
-				<element
-					name="attributeDatatype"
-					type="anyURI"
-					minOccurs="0"
-					maxOccurs="unbounded">
-					<annotation>
-						<documentation>
-							URI of an attribute datatype to be added to supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every datatype,
 							there
-							must be one and only one Java class - say 'com.example.FooValueFactory' - on the classpath implementing interface
+							must be one and only one Java class on the classpath - say <i>com.example.FooValueFactory</i> - implementing interface
-							'org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory' with zero-arg
+							<i>org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory</i> with zero-arg
-							constructor, such that this URI equals: new com.example.FooValueFactory().getId().
+							constructor, and this URI must match the one returned by <i>new com.example.FooValueFactory().getId()</i>.
-						</documentation>
+							</p>
-					</annotation>
+							<p>More info about Attribute Data-types is available on <a href="https://github.com/authzforce/core/wiki/XACML-Data-Types">AuthzForce wiki</a>.</p>
-				</element>
+						</xs:documentation>
-				<element
+					</xs:annotation>
-					name="function"
+				</xs:element>
-					type="anyURI"
+				<xs:element name="function" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
-					minOccurs="0"
+					<xs:annotation>
-					maxOccurs="unbounded">
+						<xs:documentation>
-					<annotation>
+							URI of a XACML function to be added to supported functions. For every function, its return type and all its parameter types must be either standard mandatory ones enabled by
-						<documentation>
+							<i>useStandardDatatypes</i> attribute, or custom ones declared in previous <i>attributeDatatype</i> elements; and there must be one and only one Java class - say
-							URI of a function to be added to supported functions. For every function, its return type and all its parameter types must be either standard mandatory ones enabled by
+							<i>com.example.FooFunction</i> - on the
-							'useStandardDatatypes' attribute, or custom ones declared in previous 'attributeDatatype' elements; and there must be one and only one Java class - say
+							classpath implementing interface <i>org.ow2.authzforce.core.pdp.api.func.Function</i> with zero-arg constructor, and this URI must match the one returned by:
-							'com.example.FooFunction' - on the
+							<i>new com.example.FooFunction().getId()</i>.
-							classpath implementing interface 'org.ow2.authzforce.core.pdp.api.func.Function' with zero-arg constructor, such that this URI equals:
+							<p>More info about Functions is available on <a href="https://github.com/authzforce/core/wiki/XACML-Functions">AuthzForce wiki</a>.</p>
-							new com.example.FooFunction().getId().
+						</xs:documentation>
-						</documentation>
+					</xs:annotation>
-					</annotation>
+				</xs:element>
-				</element>
+				<xs:element name="combiningAlgorithm" type="xs:anyURI" minOccurs="0" maxOccurs="unbounded">
-				<element
+					<xs:annotation>
-					name="combiningAlgorithm"
+						<xs:documentation>
-					type="anyURI"
+							URI of a XACML policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say <i>com.example.FooCombiningAlg</i> - on the
-					minOccurs="0"
-					maxOccurs="unbounded">
-					<annotation>
-						<documentation>
-							URI of a policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say 'com.example.FooCombiningAlg' - on the
 							classpath
-							implementing interface 'org.ow2.authzforce.core.pdp.api.combining.CombiningAlg' with zero-arg constructor, such that this URI equals: new
+							implementing interface <i>org.ow2.authzforce.core.pdp.api.combining.CombiningAlg</i> with zero-arg constructor, and this URI must match the one returned by: <i>new
-							com.example.FooCombiningAlg().getId().
+							com.example.FooCombiningAlg().getId()</i>.
-						</documentation>
+							<p>More info about Policy and Rule Combining Algorithms is available on <a href="https://github.com/authzforce/core/wiki/XACML-Combining-Algorithms">AuthzForce wiki</a>.</p>
-					</annotation>
+						</xs:documentation>
-				</element>
+					</xs:annotation>
-				<element
+				</xs:element>
-					ref="tns:attributeProvider"
+				<xs:element ref="tns:attributeProvider" maxOccurs="unbounded" minOccurs="0" />
-					maxOccurs="unbounded"
+				<xs:element name="policyProvider" type="authz-ext:AbstractPolicyProvider" minOccurs="1" maxOccurs="1">
-					minOccurs="0" />
+					<xs:annotation>
-				<element
+						<xs:documentation>
-					name="policyProvider"
+							<p>
-					type="authz-ext:AbstractPolicyProvider"
+							XACML Policy Provider that resolves <i>Policy(Set)IdReference</i>s. There must be one and only one Java class on the classpath - say <i>com.example.FooPolicyProviderFactory</i> - implementing interface
-					minOccurs="1"
+							<i>org.ow2.authzforce.core.pdp.api.policy.CLoseablePolicyProvider.Factory&lt;CONF_T&gt;</i> with zero-arg constructor, where <i>CONF_T</i> is the JAXB type bound
-					maxOccurs="1">
-					<annotation>
-						<documentation>
-							Policy Provider that resolves Policy(Set)IdReferences. There must be one and only one Java class - say 'com.example.FooPolicyProviderFactory' - on the classpath
-							implementing interface
-							'org.ow2.authzforce.core.pdp.api.policy.CLoseablePolicyProvider.Factory&lt;CONF_T&gt;' with zero-arg constructor, where CONF_T is the JAXB type bound
 							to this XML element type.
+							</p>
+							<p>More info about Policy Providers (how to make/use one) is available on <a href="https://github.com/authzforce/core/wiki/Policy-Providers">AuthzForce wiki</a>.</p>
 							<p>
-								Implementation classes can use org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders() to replace ${property_name} placeholders with such properties. You
+								Implementation classes can use <i>org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()</i> method to replace <i>${property_name}</i> placeholders with such properties. You
-								may use '!' as a
+								may use <i>!</i> (exclamation mark) as a
 								separating character between the placeholder property name and a default value that is used if the property is undefined. E.g.
-								${PARENT_DIR!/home/foo/conf} will be replaced with
+								<i>${PARENT_DIR!/home/foo/conf}</i> will be replaced with
-								'/home/foo/conf' if PARENT_DIR is undefined.
+								<i>/home/foo/conf</i> if <i>PARENT_DIR</i> is undefined.
-								In the location, you may use placeholders enclosed between '${' and '}' for the following properties: - the global property 'PARENT_DIR' for
+								In the location, you may use placeholders enclosed between <i>${</i> and <i>}</i> for the following properties: 
+								<ul>
+								<li>the global property <i>PARENT_DIR</i> for
 								defining - in a generic way
-								- a path relative to the parent directory to the XML file where this is used; - Java system properties; - System environment variables.
+								- a path relative to the parent directory to the XML file where this is used;
+								</li> 
+								<li>Java system properties;
+								</li>
+								<li>System environment variables.
+								</li>
+								</ul>
 							</p>
-						</documentation>
+						</xs:documentation>
-					</annotation>
+					</xs:annotation>
-				</element>
+				</xs:element>
-				<element
+				<xs:element name="rootPolicyRef" type="tns:TopLevelPolicyElementRef" minOccurs="0" maxOccurs="1">
-					name="rootPolicyRef"
+					<xs:annotation>
-					type="tns:TopLevelPolicyElementRef"
+						<xs:documentation>
-					minOccurs="0"
+							Identifies the root policy from which the policy evaluation begins. This identifier must be resolved by the Policy Provider configured previously (cf. <i>policyProvider</i>
-					maxOccurs="1">
+							element). In case this is not specified, the policy returned by the <i>PolicyProvider#getCandidateRootPolicy()</i> method is used as root policy. Refer to the respective PolicyProvider's documentation for more information.
-					<annotation>
+						</xs:documentation>
-						<documentation>
+					</xs:annotation>
-							Identifies the root policy from which the policy evaluation begins. This identifier must be resolved by the Policy Provider configured previously (cf. 'policyProvider'
+				</xs:element>
-							element). In case this is not specified, the policy returned by the PolicyProvider#getCandidateRootPolicy() method is used as root policy. Refer to the respective PolicyProvider's documentation for more information.
+				<xs:element name="decisionCache" minOccurs="0" maxOccurs="1" type="authz-ext:AbstractDecisionCache">
-						</documentation>
+					<xs:annotation>
-					</annotation>
+						<xs:documentation>
-				</element>
+						<p>
-				<element
+							Decision cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request. There must be
-					name="decisionCache"
-					minOccurs="0"
-					maxOccurs="1"
-					type="authz-ext:AbstractDecisionCache">
-					<annotation>
-						<documentation>
-							Decision Result cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request. There must be
 							one and
-							only one Java class - say 'com.example.FooDecisionCacheFactory' - on the classpath implementing interface
+							only one Java class on the classpath - say <i>com.example.FooDecisionCacheFactory</i> -implementing interface
-							'org.ow2.authzforce.core.pdp.api.DecisionCache.Factory&lt;CONF_T&gt;' with zero-arg
+							<i>org.ow2.authzforce.core.pdp.api.DecisionCache.Factory&lt;CONF_T&gt;</i> with zero-arg
-							constructor, where CONF_T is the JAXB type bound to this XML element type.
+							constructor, where <i>CONF_T</i> is the JAXB type bound to this XML element type.
-						</documentation>
+							</p>
-					</annotation>
+							<p>More info about Decision Cache extensions is available on <a href="https://github.com/authzforce/core/wiki/Decision-Caches">AuthzForce wiki</a>.</p>
-				</element>
+						</xs:documentation>
-				<element
+					</xs:annotation>
-					name="ioProcChain"
+				</xs:element>
-					type="tns:InOutProcChain"
+				<xs:element name="ioProcChain" type="tns:InOutProcChain" minOccurs="0" maxOccurs="unbounded">
-					minOccurs="0"
+					<xs:annotation>
-					maxOccurs="unbounded">
+						<xs:documentation>
-					<annotation>
-						<documentation>
 							I/O processing chains if specific processing before and/or after policy evaluation by the PDP engine is required. Each chain must handle a different input datatype. In
 							other words,
 							there is no more than one I/O processing chain per supported input type, e.g. one for XACML/XML input, another for XACML/JSON input.
-						</documentation>
+						</xs:documentation>
-					</annotation>
+					</xs:annotation>
-				</element>
+				</xs:element>
-			</sequence>
+			</xs:sequence>
-			<attribute
+			<xs:attribute name="version" type="xs:token" use="required">
-				name="version"
+				<xs:annotation>
-				type="token"
+					<xs:documentation>Version of the current schema for which the instance
-				use="required">
+						document is valid. Must match the <i>version</i> attribute value of the
-				<annotation>
-					<documentation>Version of the current schema for which the instance
-						document is valid. Must match the 'version' attribute value of the
 						root
-						'schema' element in the corresponding version
+						<i>schema</i> element in the corresponding version
 						of
 						this
 						schema.
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="useStandardDatatypes" type="xs:boolean" use="optional" default="true">
-				name="useStandardDatatypes"
+				<xs:annotation>
-				type="boolean"
+					<xs:documentation>Enable support for XACML core standard mandatory
-				use="optional"
+						datatypes. If <i>false</i>, only datatypes specified in <i>attributeDatatype</i> elements are available to the PDP, and therefore
-				default="true">
-				<annotation>
-					<documentation>Enable support for XACML core standard mandatory
-						datatypes. If 'false', only datatypes specified in 'attributeDatatype' elements are available to the PDP, and therefore
 						only these
 						datatypes may be be used in policies.
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="useStandardFunctions" type="xs:boolean" use="optional" default="true">
-				name="useStandardFunctions"
+				<xs:annotation>
-				type="boolean"
+					<xs:documentation>Enable support for XACML core standard mandatory
-				use="optional"
+						functions. Requires <i>useStandardDatatypes=true</i> if true; if false, only functions specified in <i>function</i> elements are
-				default="true">
-				<annotation>
-					<documentation>Enable support for XACML core standard mandatory
-						functions. Requires useStandardDatatypes=true if true; if 'false', only functions specified in 'function' elements are
 						available to
 						the PDP, and therefore only these
 						functions may be be used in policies.
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="useStandardCombiningAlgorithms" type="xs:boolean" use="optional" default="true">
-				name="useStandardCombiningAlgorithms"
+				<xs:annotation>
-				type="boolean"
+					<xs:documentation>Enable support for XACML core standard combining
-				use="optional"
+						algorithms. If false, only algorithms specified in <i>combiningAlgorithm</i> elements are available to the PDP, and therefore
-				default="true">
-				<annotation>
-					<documentation>Enable support for XACML core standard combining
-						algorithms. If 'false', only algorithms specified in 'combiningAlgorithm' elements are available to the PDP, and therefore
 						only these
 						algorithms may be be used in policies.
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="standardEnvAttributeSource" type="tns:StandardEnvironmentAttributeSource" use="optional" default="REQUEST_ELSE_PDP" />
-				name="standardEnvAttributeSource"
+			<xs:attribute name="enableXPath" type="xs:boolean" use="optional" default="false">
-				type="tns:StandardEnvironmentAttributeSource"
+				<xs:annotation>
-				use="optional"
+					<xs:documentation>Enable support for <i>AttributeSelectors</i>,
-				default="REQUEST_ELSE_PDP" />
+						<i>xpathExpression</i> datatype and <i>xpath-node-count</i> function. This
-			<attribute
+						overrides <i>useStandardDatatypes</i>
-				name="enableXPath"
+						parameter, i.e. <i>xpathExpression</i>
-				type="boolean"
-				use="optional"
-				default="false">
-				<annotation>
-					<documentation>Enable support for AttributeSelectors,
-						xpathExpression datatype and xpath-node-count function. This
-						overrides 'useStandardDatatypes'
-						parameter, i.e. xpathExpression
 						is
 						not
 						supported
-						anyway if 'enableXpath'
+						anyway if <i>enableXpath</i>
 						is false. This feature is
 						experimental (not to be used in
 						production) and
@@ -309,25 +191,21 @@
 						impact on performance. Use
 						with caution. For your
 						information,
-						AttributeSelector and
+						<i>AttributeSelector</i> and
-						xpathExpression
+						<i>xpathExpression</i>
 						datatype support is marked
 						as
 						optional in XACML 3.0 core specification.
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="strictAttributeIssuerMatch" type="xs:boolean" use="optional" default="false">
-				name="strictAttributeIssuerMatch"
+				<xs:annotation>
-				type="boolean"
+					<xs:documentation>
-				use="optional"
-				default="false">
-				<annotation>
-					<documentation>
 						<p>true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the
 							Issuer field.</p>
 						<p>
-							"Strict Attribute Issuer matching" means that an AttributeDesignator without Issuer only match request
+							<i>Strict Attribute Issuer matching</i> means that an AttributeDesignator without Issuer matches only request
 							Attributes without Issuer. This mode is not fully compliant with XACML 3.0,
 							§5.29, in the
 							case that
@@ -335,11 +213,11 @@
 							it performs better and is recommended when all AttributeDesignators have an Issuer (best
 							practice). Indeed, the XACML 3.0
 							Attribute Evaluation section
-							§5.29 says: "If the Issuer is not present in the AttributeDesignator, then the matching of the
+							§5.29 says: <i>If the Issuer is not present in the AttributeDesignator, then the matching of the
 							attribute to the named
 							attribute SHALL be governed by AttributeId and
-							DataType attributes alone."
+							DataType attributes alone.</i>
-							Therefore, if 'strictAttributeIssuerMatch' is false, since policies may use AttributeDesignators without
+							Therefore, if <i>strictAttributeIssuerMatch</i> is false, since policies may use <i>AttributeDesignator</i>s without
 							Issuer,
 							if the requests are using matching Attributes but with
 							none, one or more different Issuers, this PDP
@@ -347,67 +225,53 @@
 							matching Category/AttributeId but
 							with any Issuer or no Issuer. Therefore, in order
 							to stay compliant with §5.29 and still enforce best
-							practice, when strictAttributeIssuerMatch =
+							practice, when <i>strictAttributeIssuerMatch =
-							true, we also require that all
+							true</i>, we also require that all
 							AttributeDesignators set the Issuer field.</p>
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="maxIntegerValue" type="positiveInteger" use="optional" default="2147483647">
-				name="maxIntegerValue"
+				<xs:annotation>
-				type="positiveInteger"
+					<xs:documentation> Maximum absolute integer value. This is the expected maximum absolute value for XACML attributes of standard type <i>http://www.w3.org/2001/XMLSchema#integer</i> (requires
-				use="optional"
+						<i>useStandardDatatypes
-				default="2147483647">
+						= true</i>). Decreasing this value as much
-				<annotation>
-					<documentation> Maximum absolute integer value. This is the expected maximum absolute value for XACML attributes of standard type 'http://www.w3.org/2001/XMLSchema#integer' (requires
-						useStandardDatatypes
-						= true). Decreasing this value as much
 						as
 						possible helps the PDP engine optimize the processing of integer
 						values (lower memory consumption, faster computations).
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="maxVariableRefDepth" type="xs:nonNegativeInteger" use="optional">
-				name="maxVariableRefDepth"
+				<xs:annotation>
-				type="nonNegativeInteger"
+					<xs:documentation> Maximum depth of Variable reference chaining:
-				use="optional">
+						<i>VariableDefinition1 -&gt; VariableDefinition2 -&gt; ...</i>; where
-				<annotation>
+						<i>-&gt;</i> represents a
-					<documentation> Maximum depth of Variable reference chaining:
-						VariableDefinition1 -&gt; VariableDefinition2 -&gt; ...; where
-						'-&gt;' represents a
 						VariableReference. It is recommended to
 						specify a
 						value for this attribute in production for security/safety reasons.
 						Indeed, if not specified, no maximum is enforced (unlimited).
-					</documentation>
+					</xs:documentation>
-				</annotation>
+				</xs:annotation>
-			</attribute>
+			</xs:attribute>
-			<attribute
+			<xs:attribute name="maxPolicyRefDepth" type="xs:nonNegativeInteger" use="optional">