Merge branch 'release/14.0.0'

CHANGELOG.md

@@ -3,9 +3,27 @@ All notable changes to this project are documented in this file following the [K
 
 ## Issue references
 - Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. 
-- Issues reported on [OW2's JIRA](https://jira.ow2.org/browse/AUTHZFORCE/) are referenced in the form of `[JIRA-N]`, where N is the issue number.
 - Issues reported on [OW2's GitLab](https://gitlab.ow2.org/authzforce/core/issues) are referenced in the form of `[GL-N]`, where N is the issue number.
 
+
+## 14.0.0
+### Changed
+- [GH-28]: simplified the PolicyProvider model, i.e. changed the following:
+  - **PDP configuration format** (XML Schema 'pdp.xsd') v7.0.0 (more info in [migration guide](MIGRATION.md) )
+	- Replaced 'refPolicyProvider' and 'rootPolicyProvider' XML elements with 'policyProvider' and 'rootPolicyRef'.
+	- StaticRootPolicyProvider and StaticRefPolicyProvider XML types replaced by one StaticPolicyProvider type.
+  - **PolicyProvider extension API** (interfaces): 
+    - Upgraded core-pdp-api dependency version: 16.0.0 (more info in [core-pdp-api's changelog](https://github.com/authzforce/core-pdp-api/blob/develop/CHANGELOG.md#1600) ):
+      - Replaced CloseableRefPolicyProvider and BaseStaticRefPolicyProvider classes with CloseablePolicyProvider and BaseStaticPolicyProvider
+- pdp-testutils module's dependency 'jackson-databind' upgraded to v2.9.10 (CVE fix)
+
+### Fixed
+- CVE-2019-14439
+
+### Added
+- Support for **Multiple Decision Profile when used with XACML/JSON Profile** (JSON input)
+
+
 ## 13.3.1
 ### Fixed
 - CVE affecting Spring v4.3.18: upgraded dependencies to depend on
@@ -55,7 +73,7 @@ properties and environment variables (enclosed between '${...}') with default va
   - authzforce-ce-xacml-json-model: 2.0.0
    
 ### Fixed
-- Fixed #13: changed pdp-testutils module's dependencies: 
+- [GH-13]: changed pdp-testutils module's dependencies: 
   - mongo-java-driver: 2.14.12 -> 3.5.0
   - jongo: 1.3.0 -> 1.4.0
 

MIGRATION.md

+## Migration from v13.x to v14.x
+- Make sure all your custom PolicyProviders implement the new PolicyProvider interfaces, i.e. BaseStaticPolicyProvider or, as fallback option, CloseableStaticPolicyProvider
+- Modify the PDP configuration (XML):
+  - Merge 'rootPolicyProvider' and 'refPolicyprovider' into one 'policyProvider' using the new 'StaticPolicyProvider' type if you were using 'StaticRefPolicyprovider' or 'StaticRootPolicyProvider', else your new custom PolicyProvider types if you were using custom ones.
+  - Add 'rootPolicyRef' element with policyId of the root policy.
\ No newline at end of file

README.md

@@ -41,16 +41,16 @@ AuthzForce Core may be used in the following ways:
 * Optional **strict multivalued attribute parsing**: if enabled, multivalued attributes must be formed by grouping all `AttributeValue` elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with [XACML 3.0 Core specification of Multivalued attributes (§7.3.3)](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047176), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
 * Optional **strict attribute Issuer matching**: if enabled, `AttributeDesignators` without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on a AttributeDesignator; but it is the recommended option when all AttributeDesignators have an Issuer (the XACML 3.0 specification (5.29) says: *If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.*);
 * Extensibility points:
-  * **Attribute Datatypes**: you may extend the PDP engine with custom XACML attribute datatypes;
-  * **Functions**: you may extend the PDP engine with custom XACML functions;
-  * **Combining Algorithms**: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
-  * **Attribute Providers a.k.a. PIPs** (Policy Information Points): you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation; 
-  * **Request Preprocessor**: you may customize the processing of XACML Requests before evaluation by the PDP core engine, e.g. used for supporting new XACML Request formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories](http://docs.oasis-open.org/xacml/3.0/multiple/v1.0/cs02/xacml-3.0-multiple-v1.0-cs02.html#_Toc388943334);
-  * **Result Postprocessor**: you may customize the processing of XACML Results after evaluation by the PDP engine, e.g. used for supporting new XACML Response formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890);
+  * **[Attribute Datatypes](https://github.com/authzforce/core/wiki/XACML-Data-Types)**: you may extend the PDP engine with custom XACML attribute datatypes;
+  * **[Functions](https://github.com/authzforce/core/wiki/XACML-Functions)**: you may extend the PDP engine with custom XACML functions;
+  * **[Combining Algorithms](https://github.com/authzforce/core/wiki/XACML-Combining-Algorithms)**: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
+  * **[Attribute Providers a.k.a. PIPs](https://github.com/authzforce/core/wiki/Attribute-Providers)** (Policy Information Points): you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation; 
+  * **[Request Preprocessor](https://github.com/authzforce/core/wiki/XACML-Request-Preprocessors)**: you may customize the processing of XACML Requests before evaluation by the PDP core engine, e.g. used for supporting new XACML Request formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories](http://docs.oasis-open.org/xacml/3.0/multiple/v1.0/cs02/xacml-3.0-multiple-v1.0-cs02.html#_Toc388943334);
+  * **[Result Postprocessor](https://github.com/authzforce/core/wiki/XACML-Result-Postprocessors)**: you may customize the processing of XACML Results after evaluation by the PDP engine, e.g. used for supporting new XACML Response formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890);
   * **Root Policy Provider**: you may plug custom policy providers into the PDP engine to allow it to retrieve the root policy from specific sources (e.g. remote service);
-  * **Policy-by-reference Provider**: you may plug custom policy providers into the PDP engine to allow it to resolve `PolicyIdReference` or `PolicySetIdReference`;
+  * **[Policy-by-reference Provider](https://github.com/authzforce/core/wiki/Policy-Providers)**: you may plug custom policy providers into the PDP engine to allow it to resolve `PolicyIdReference` or `PolicySetIdReference`;
   * **Decision Cache**: you may extend the PDP engine with a custom XACML decision cache, allowing the PDP to skip evaluation and retrieve XACML decisions from cache for recurring XACML Requests;
-  * Java extension mechanism to switch HashMap/HashSet implementations (e.g. to get different performance results).
+  * Java [extension mechanism to switch HashMap/HashSet implementations](https://github.com/authzforce/core/wiki/Hashed-Collections) (e.g. to get different performance results).
 * PIP (Policy Information Point): AuthzForce provides XACML PIP features in the form of extensions called *Attribute Providers*. More information in the previous list of *Extensibility points*.
 
 
@@ -131,7 +131,7 @@ Then instantiate a PDP engine configuration with method [PdpEngineConfiguration#
 
    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
-   <pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
+   <pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0" version="7.0.0">
 	   <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
    </pdp>
    ```

pdp-cli/pom.xml

@@ -3,7 +3,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-core</artifactId>
-      <version>13.3.1</version>
+      <version>14.0.0</version>
       <relativePath>..</relativePath>
    </parent>
    <artifactId>authzforce-ce-core-pdp-cli</artifactId>
@@ -30,12 +30,12 @@
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-engine</artifactId>
-         <version>13.3.1</version>
+         <version>14.0.0</version>
       </dependency>
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-io-xacml-json</artifactId>
-         <version>13.3.1</version>
+         <version>14.0.0</version>
       </dependency>
       <dependency>
          <groupId>org.testng</groupId>
@@ -46,7 +46,7 @@
       <dependency>
          <groupId>org.ow2.authzforce</groupId>
          <artifactId>authzforce-ce-core-pdp-testutils</artifactId>
-         <version>13.3.1</version>
+         <version>14.0.0</version>
          <scope>test</scope>
       </dependency>
    </dependencies>

pdp-cli/src/test/resources/conformance/xacml-3.0-core/mandatory/pdp.xml

 <?xml version="1.0" encoding="UTF-8"?>
-<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
-   <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/IIA001/Policy.xml" />
-   <ioProcChain>
-      <requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc>
-      <resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc>
-   </ioProcChain>
+<pdp
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns="http://authzforce.github.io/core/xmlns/pdp/7.0"
+	version="7.0.0">
+	<policyProvider
+		id="rootPolicyProvider"
+		xsi:type="StaticPolicyProvider">
+		<policyLocation>${PARENT_DIR}/IIA001/Policy.xml</policyLocation>
+	</policyProvider>
+	<rootPolicyRef>urn:oasis:names:tc:xacml:2.0:conformance-test:IIA1:policy</rootPolicyRef>
+	<ioProcChain>
+		<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc>
+		<resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc>
+	</ioProcChain>
 </pdp>
 

pdp-engine/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-core</artifactId>
-		<version>13.3.1</version>
+		<version>14.0.0</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>authzforce-ce-core-pdp-engine</artifactId>

pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/ModularAttributeProvider.java

@@ -42,7 +42,7 @@ import com.google.common.collect.ListMultimap;
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.AttributeDesignatorType;
 
 /**
- * AttributeProvider that tries to resolve attributes in current request context first, else delegates to {@link DesignatedAttributeProvider}s.
+ * AttributeProvider that tries to resolve attributes in current request context first, else delegates to {@link NamedAttributeProvider}s.
  *
  * @version $Id: $
  */
@@ -97,7 +97,8 @@ public class ModularAttributeProvider implements AttributeProvider
 		if (selectedAttributeSupport == null)
 		{
 			designatorModsByAttrId = attributeProviderModulesByAttributeId;
-		} else
+		}
+		else
 		{
 			final ListMultimap<AttributeFqn, NamedAttributeProvider> mutableModsByAttrIdMap = ArrayListMultimap.create(selectedAttributeSupport.size(), 1);
 			for (final AttributeDesignatorType requiredAttr : selectedAttributeSupport)
@@ -206,7 +207,8 @@ public class ModularAttributeProvider implements AttributeProvider
 			LOGGER.debug("Values of attribute {}, type={} returned by attribute Provider module #{} (cached in context): {}", attributeFqn, datatype, attrProviders, result);
 			issuedToNonIssuedAttributeCopyMode.process(attributeFqn, result, context);
 			return result;
-		} catch (final IndeterminateEvaluationException e)
+		}
+		catch (final IndeterminateEvaluationException e)
 		{
 			/*
 			 * This error does not necessarily matter, it depends on whether the attribute is required, i.e. MustBePresent=true for AttributeDesignator/Selector So we let
@@ -248,7 +250,8 @@ public class ModularAttributeProvider implements AttributeProvider
 			 */
 			context.putNamedAttributeValueIfAbsent(attributeFqn, result);
 			return result;
-		} catch (final UnsupportedOperationException e)
+		}
+		catch (final UnsupportedOperationException e)
 		{
 			/*
 			 * Should not happen, this is highly unexpected and should be considered a fatal error (it means the AttributeProvider does not respect its contract)

pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpEngineConfiguration.java

@@ -54,8 +54,9 @@ import org.ow2.authzforce.core.pdp.api.expression.ExpressionFactory;
 import org.ow2.authzforce.core.pdp.api.func.FirstOrderFunction;
 import org.ow2.authzforce.core.pdp.api.func.Function;
 import org.ow2.authzforce.core.pdp.api.io.XacmlJaxbParsingUtils;
-import org.ow2.authzforce.core.pdp.api.policy.CloseableRefPolicyProvider;
-import org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider;
+import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
+import org.ow2.authzforce.core.pdp.api.policy.PolicyVersionPatterns;
+import org.ow2.authzforce.core.pdp.api.policy.TopLevelPolicyElementType;
 import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory;
 import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
 import org.ow2.authzforce.core.pdp.api.value.Datatype;
@@ -73,6 +74,7 @@ import org.ow2.authzforce.core.pdp.impl.func.StandardFunction;
 import org.ow2.authzforce.core.xmlns.pdp.InOutProcChain;
 import org.ow2.authzforce.core.xmlns.pdp.Pdp;
 import org.ow2.authzforce.core.xmlns.pdp.StandardEnvironmentAttributeSource;
+import org.ow2.authzforce.core.xmlns.pdp.TopLevelPolicyElementRef;
 import org.ow2.authzforce.xacml.identifiers.XacmlDatatypeId;
 import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
 import org.ow2.authzforce.xmlns.pdp.ext.AbstractDecisionCache;
@@ -95,7 +97,7 @@ public final class PdpEngineConfiguration
 	private static final IllegalArgumentException ILLEGAL_USE_STD_FUNCTIONS_ARGUMENT_EXCEPTION = new IllegalArgumentException(
 	        "useStandardFunctions = true not allowed if useStandardDatatypes = false");
 
-	private static final IllegalArgumentException NULL_ROOTPOLICYPROVIDER_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined rootPolicyProvider");
+	private static final IllegalArgumentException NULL_POLICYPROVIDER_ARGUMENT_EXCEPTION = new IllegalArgumentException("Undefined policyProvider");
 
 	// the logger we'll use for all messages
 	private static final Logger LOGGER = LoggerFactory.getLogger(BasePdpEngine.class);
@@ -132,21 +134,13 @@ public final class PdpEngineConfiguration
 		return attrProviderModBuilder.getInstance(jaxbConf, envProps);
 	}
 
-	private static <JAXB_CONF extends AbstractPolicyProvider> CloseableRefPolicyProvider newRefPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
+	private static <JAXB_CONF extends AbstractPolicyProvider> CloseablePolicyProvider<?> newPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
 	        final int maxPolicySetRefDepth, final ExpressionFactory xacmlExprFactory, final CombiningAlgRegistry combiningAlgRegistry, final EnvironmentProperties envProps)
 	{
-		final CloseableRefPolicyProvider.Factory<JAXB_CONF> refPolicyProviderModFactory = PdpExtensions.getRefPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
+		final CloseablePolicyProvider.Factory<JAXB_CONF> refPolicyProviderModFactory = PdpExtensions.getRefPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
 		return refPolicyProviderModFactory.getInstance(jaxbConf, xacmlParserFactory, maxPolicySetRefDepth, xacmlExprFactory, combiningAlgRegistry, envProps);
 	}
 
-	private static <JAXB_CONF extends AbstractPolicyProvider> RootPolicyProvider newRootPolicyProvider(final JAXB_CONF jaxbConf, final XmlnsFilteringParserFactory xacmlParserFactory,
-	        final ExpressionFactory xacmlExprFactory, final CombiningAlgRegistry combiningAlgRegistry, final Optional<CloseableRefPolicyProvider> refPolicyProvider,
-	        final EnvironmentProperties envProps)
-	{
-		final RootPolicyProvider.Factory<JAXB_CONF> rootPolicyProviderFactory = PdpExtensions.getRootPolicyProviderFactory((Class<JAXB_CONF>) jaxbConf.getClass());
-		return rootPolicyProviderFactory.getInstance(jaxbConf, xacmlParserFactory, xacmlExprFactory, combiningAlgRegistry, refPolicyProvider, envProps);
-	}
-
 	private static <JAXB_CONF extends AbstractDecisionCache> DecisionCache newDecisionCache(final JAXB_CONF jaxbConf, final AttributeValueFactoryRegistry attValFactories,
 	        final EnvironmentProperties envProps)
 	{
@@ -159,7 +153,13 @@ public final class PdpEngineConfiguration
 
 	private final ExpressionFactory xacmlExpressionFactory;
 
-	private final RootPolicyProvider rootPolicyProvider;
+	private final CloseablePolicyProvider<?> policyProvider;
+
+	private final String rootPolicyId;
+
+	private final Optional<TopLevelPolicyElementType> rootPolicyElementType;
+
+	private final Optional<PolicyVersionPatterns> rootPolicyVersionPatterns;
 
 	private final boolean strictAttributeIssuerMatch;
 
@@ -189,12 +189,12 @@ public final class PdpEngineConfiguration
 		 * Check required args
 		 */
 		/*
-		 * Root policy provider
+		 * Policy provider
 		 */
-		final AbstractPolicyProvider rootPolicyProviderJaxbConf = pdpJaxbConf.getRootPolicyProvider();
+		final AbstractPolicyProvider rootPolicyProviderJaxbConf = pdpJaxbConf.getPolicyProvider();
 		if (rootPolicyProviderJaxbConf == null)
 		{
-			throw NULL_ROOTPOLICYPROVIDER_ARGUMENT_EXCEPTION;
+			throw NULL_POLICYPROVIDER_ARGUMENT_EXCEPTION;
 		}
 
 		/*
@@ -221,11 +221,13 @@ public final class PdpEngineConfiguration
 			if (datatypeExtensionIdentifiers.isEmpty())
 			{
 				attValFactoryRegistry = stdRegistry;
-			} else
+			}
+			else
 			{
 				attValFactoryRegistry = new ImmutableAttributeValueFactoryRegistry(HashCollections.newImmutableSet(stdRegistry.getExtensions(), datatypeExtensions));
 			}
-		} else
+		}
+		else
 		{
 			attValFactoryRegistry = new ImmutableAttributeValueFactoryRegistry(datatypeExtensions);
 		}
@@ -255,7 +257,8 @@ public final class PdpEngineConfiguration
 		try
 		{
 			maxVarRefDepth = bigMaxVarRefDepth == null ? -1 : bigMaxVarRefDepth.intValueExact();
-		} catch (final ArithmeticException e)
+		}
+		catch (final ArithmeticException e)
 		{
 			throw new IllegalArgumentException("Invalid maxVariableRefDepth: " + bigMaxVarRefDepth, e);
 		}
@@ -292,12 +295,14 @@ public final class PdpEngineConfiguration
 			if (nonGenericFunctionExtensionIdentifiers.isEmpty())
 			{
 				functionRegistry = stdRegistry;
-			} else
+			}
+			else
 			{
 				functionRegistry = new ImmutableFunctionRegistry(HashCollections.newImmutableSet(stdRegistry.getNonGenericFunctions(), nonGenericFunctionExtensions),
 				        stdRegistry.getGenericFunctionFactories());
 			}
-		} else
+		}
+		else
 		{
 			functionRegistry = new ImmutableFunctionRegistry(nonGenericFunctionExtensions, null);
 		}
@@ -331,11 +336,13 @@ public final class PdpEngineConfiguration
 			if (algExtensions.isEmpty())
 			{
 				combiningAlgRegistry = StandardCombiningAlgorithm.REGISTRY;
-			} else
+			}
+			else
 			{
 				combiningAlgRegistry = new ImmutableCombiningAlgRegistry(HashCollections.newImmutableSet(StandardCombiningAlgorithm.REGISTRY.getExtensions(), algExtensions));
 			}
-		} else
+		}
+		else
 		{
 			combiningAlgRegistry = new ImmutableCombiningAlgRegistry(algExtensions);
 		}
@@ -348,7 +355,8 @@ public final class PdpEngineConfiguration
 		try
 		{
 			maxPolicySetRefDepth = bigMaxPolicyRefDepth == null ? -1 : bigMaxPolicyRefDepth.intValueExact();
-		} catch (final ArithmeticException e)
+		}
+		catch (final ArithmeticException e)
 		{
 			throw new IllegalArgumentException("Invalid maxPolicyRefDepth: " + bigMaxPolicyRefDepth, e);
 		}
@@ -359,29 +367,29 @@ public final class PdpEngineConfiguration
 		xacmlExpressionFactory = new DepthLimitingExpressionFactory(attValFactoryRegistry, functionRegistry, attProviderFactories, maxVarRefDepth, enableXPath, strictAttributeIssuerMatch);
 
 		/*
-		 * Policy Reference processing - Policy-by-reference Provider
+		 * Policy Provider
 		 */
-		final AbstractPolicyProvider refPolicyProviderJaxbConf = pdpJaxbConf.getRefPolicyProvider();
-		final Optional<CloseableRefPolicyProvider> refPolicyProvider;
-		if (refPolicyProviderJaxbConf == null)
-		{
-			refPolicyProvider = Optional.empty();
-		} else
-		{
-			refPolicyProvider = Optional.of(newRefPolicyProvider(refPolicyProviderJaxbConf, xacmlParserFactory, maxPolicySetRefDepth, xacmlExpressionFactory, combiningAlgRegistry, envProps));
-		}
+		final AbstractPolicyProvider policyProviderJaxbConf = pdpJaxbConf.getPolicyProvider();
+		policyProvider = newPolicyProvider(policyProviderJaxbConf, xacmlParserFactory, maxPolicySetRefDepth, xacmlExpressionFactory, combiningAlgRegistry, envProps);
 
+		final TopLevelPolicyElementRef rootPolicyRef = pdpJaxbConf.getRootPolicyRef();
 		/*
-		 * Root Policy Provider
+		 * PDP XSD assumed to ensure rootPolicyRef is defined
 		 */
-		rootPolicyProvider = newRootPolicyProvider(rootPolicyProviderJaxbConf, xacmlParserFactory, xacmlExpressionFactory, combiningAlgRegistry, refPolicyProvider, envProps);
+		assert rootPolicyRef != null;
+		final Boolean mustBePolicySet = rootPolicyRef.isPolicySet();
+		this.rootPolicyElementType = mustBePolicySet == null ? Optional.empty()
+		        : mustBePolicySet.booleanValue() ? Optional.of(TopLevelPolicyElementType.POLICY_SET) : Optional.of(TopLevelPolicyElementType.POLICY);
+		this.rootPolicyId = rootPolicyRef.getValue();
+		this.rootPolicyVersionPatterns = Optional.ofNullable(new PolicyVersionPatterns(rootPolicyRef.getVersion(), null, null));
 
 		// Decision cache
 		final AbstractDecisionCache decisionCacheJaxbConf = pdpJaxbConf.getDecisionCache();
 		if (decisionCacheJaxbConf == null)
 		{
 			decisionCache = Optional.empty();
-		} else
+		}
+		else
 		{
 			decisionCache = Optional.of(newDecisionCache(decisionCacheJaxbConf, attValFactoryRegistry, envProps));
 		}
@@ -391,7 +399,8 @@ public final class PdpEngineConfiguration
 		try
 		{
 			this.clientReqErrVerbosityLevel = clientReqErrVerbosityBigInt == null ? 0 : clientReqErrVerbosityBigInt.intValueExact();
-		} catch (final ArithmeticException e)
+		}
+		catch (final ArithmeticException e)
 		{
 			throw new IllegalArgumentException("Invalid clientRequestErrorVerbosityLevel: " + clientReqErrVerbosityBigInt, e);
 		}
@@ -401,7 +410,8 @@ public final class PdpEngineConfiguration
 		if (inoutProcChains.isEmpty())
 		{
 			this.ioProcChainsByInputType = Collections.emptyMap();
-		} else
+		}
+		else
 		{
 			final Map<Class<?>, Entry<DecisionRequestPreprocessor<?, ?>, DecisionResultPostprocessor<?, ?>>> mutableInoutProcChainsByInputType = HashCollections
 			        .newUpdatableMap(inoutProcChains.size());
@@ -414,7 +424,8 @@ public final class PdpEngineConfiguration
 				if (resultPostprocId == null)
 				{
 					decisionResultPostproc = null;
-				} else
+				}
+				else
 				{
 					final DecisionResultPostprocessor.Factory<?, ?> resultPostprocFactory = PdpExtensions.getExtension(DecisionResultPostprocessor.Factory.class, resultPostprocId);
 					decisionResultPostproc = resultPostprocFactory.getInstance(clientReqErrVerbosityLevel);
@@ -464,7 +475,8 @@ public final class PdpEngineConfiguration
 		try
 		{
 			pdpJaxbConf = modelHandler.unmarshal(confXmlSrc, Pdp.class);
-		} catch (final JAXBException e)
+		}
+		catch (final JAXBException e)
 		{
 			throw new IllegalArgumentException("Invalid PDP configuration file", e);
 		}
@@ -546,7 +558,8 @@ public final class PdpEngineConfiguration
 		{
 			final File confFile = ResourceUtils.getFile(confLocation);
 			return getInstance(confFile, modelHandler);
-		} catch (final FileNotFoundException e)
+		}
+		catch (final FileNotFoundException e)
 		{
 			if (LOGGER.isInfoEnabled())
 			{
@@ -563,7 +576,8 @@ public final class PdpEngineConfiguration
 		try
 		{
 			confUrl = ResourceUtils.getURL(confLocation);
-		} catch (final FileNotFoundException e)
+		}
+		catch (final FileNotFoundException e)
 		{
 			throw new IllegalArgumentException("Invalid PDP configuration location (neither a file in the file system nor a valid URL): " + confLocation, e);
 		}
@@ -603,19 +617,19 @@ public final class PdpEngineConfiguration
 	 * 	<xs:import namespace="http://authzforce.github.io/core/xmlns/test/3" />
 	 * </xs:schema>
 	 * 			}
-	 *            </pre>
+	 * </pre>
 	 *
-	 *            In this example, the file at {@code catalogLocation} must define the schemaLocation for the imported namespace above using a line like this (for an XML-formatted catalog):
+	 * In this example, the file at {@code catalogLocation} must define the schemaLocation for the imported namespace above using a line like this (for an XML-formatted catalog):
 	 * 
-	 *            <pre>
+	 * <pre>
 	 *            {@literal
 	 *            <uri name="http://authzforce.github.io/core/xmlns/test/3" uri=
 	 * 	"classpath:org.ow2.authzforce.core.test.xsd" />
 	 *            }
-	 *            </pre>
+	 * </pre>
 	 * 
-	 *            We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeProvider' (that extends 'AbstractPdpExtension' like all other extension base
-	 *            types) in this case.
+	 * We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeProvider' (that extends 'AbstractPdpExtension' like all other extension base types) in this
+	 * case.
 	 * @param catalogLocation
 	 *            location of XML catalog for resolving XSDs imported by the extension XSD specified as 'extensionXsdLocation' argument (may be null if 'extensionXsdLocation' is null)
 	 * @return PDP instance
@@ -656,19 +670,19 @@ public final class PdpEngineConfiguration
 	 * 	<xs:import namespace="http://authzforce.github.io/core/xmlns/test/3" />
 	 * </xs:schema>
 	 * 			}
-	 *            </pre>
+	 * </pre>
 	 *
-	 *            In this example, the file at {@code catalogLocation} must define the schemaLocation for the imported namespace above using a line like this (for an XML-formatted catalog):
+	 * In this example, the file at {@code catalogLocation} must define the schemaLocation for the imported namespace above using a line like this (for an XML-formatted catalog):
 	 * 
-	 *            <pre>
+	 * <pre>
 	 *            {@literal
 	 *            <uri name="http://authzforce.github.io/core/xmlns/test/3" uri=
 	 * 	"classpath:org.ow2.authzforce.core.test.xsd" />
 	 *            }
-	 *            </pre>
+	 * </pre>
 	 * 
-	 *            We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeProvider' (that extends 'AbstractPdpExtension' like all other extension base
-	 *            types) in this case.
+	 * We assume that this XML type is an extension of one the PDP extension base types, 'AbstractAttributeProvider' (that extends 'AbstractPdpExtension' like all other extension base types) in this
+	 * case.
 	 * @param catalogLocation
 	 *            location of XML catalog for resolving XSDs imported by the extension XSD specified as 'extensionXsdLocation' argument (may be null if 'extensionXsdLocation' is null)
 	 * @return PDP instance
@@ -735,9 +749,39 @@ public final class PdpEngineConfiguration
 	 * 
 	 * @return the Root Policy Provider
 	 */
-	public RootPolicyProvider getRootPolicyProvider()
+	public CloseablePolicyProvider<?> getPolicyProvider()
+	{
+		return policyProvider;
+	}
+
+	/**
+	 * Returns the type of the root policy element where the evaluation starts
+	 * 
+	 * @return type of the root policy element (XACML Policy or XACML PolicySet)
+	 */
+	public Optional<TopLevelPolicyElementType> getRootPolicyElementType()
+	{
+		return rootPolicyElementType;
+	}
+
+	/**
+	 * Returns ID of policy where to start the evaluation
+	 * 
+	 * @return root policy ID
+	 */
+	public String getRootPolicyId()
+	{
+		return rootPolicyId;
+	}
+
+	/**
+	 * Returns the version matching rules for the root policy
+	 * 
+	 * @return the version or version matching rules for the root policy
+	 */
+	public Optional<PolicyVersionPatterns> getRootPolicyVersionPatterns()
 	{
-		return rootPolicyProvider;
+		return rootPolicyVersionPatterns;
 	}
 
 	/**

pdp-engine/src/main/java/org/ow2/authzforce/core/pdp/impl/PdpExtensions.java

@@ -32,8 +32,7 @@ import org.ow2.authzforce.core.pdp.api.JaxbBoundPdpExtension;
 import org.ow2.authzforce.core.pdp.api.PdpExtension;
 import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
 import org.ow2.authzforce.core.pdp.api.func.Function;
-import org.ow2.authzforce.core.pdp.api.policy.CloseableRefPolicyProvider;
-import org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider;
+import org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider;
 import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory;
 import org.ow2.authzforce.xmlns.pdp.ext.AbstractAttributeProvider;
 import org.ow2.authzforce.xmlns.pdp.ext.AbstractDecisionCache;
@@ -97,7 +96,8 @@ public final class PdpExtensions
 				}
 
 				isValidExt = true;
-			} else
+			}
+			else
 			{
 				for (final Class<? extends PdpExtension> extClass : NON_JAXB_BOUND_EXTENSION_CLASSES)
 				{
@@ -229,7 +229,7 @@ public final class PdpExtensions
 	 * @throws java.lang.IllegalArgumentException
 	 *             if there is no extension of type {@link org.ow2.authzforce.core.pdp.api.policy.CloseableRefPolicyProvider.Factory} supporting {@code jaxbPdpExtensionClass}
 	 */
-	public static <REF_POLICY_PROVIDER_CONF extends AbstractPolicyProvider> CloseableRefPolicyProvider.Factory<REF_POLICY_PROVIDER_CONF> getRefPolicyProviderFactory(
+	public static <REF_POLICY_PROVIDER_CONF extends AbstractPolicyProvider> CloseablePolicyProvider.Factory<REF_POLICY_PROVIDER_CONF> getRefPolicyProviderFactory(
 	        final Class<REF_POLICY_PROVIDER_CONF> jaxbConfClass) throws IllegalArgumentException
 	{
 		final JaxbBoundPdpExtension<REF_POLICY_PROVIDER_CONF> ext = (JaxbBoundPdpExtension<REF_POLICY_PROVIDER_CONF>) JAXB_BOUND_EXTENSIONS_BY_JAXB_CLASS.get(jaxbConfClass);
@@ -238,43 +238,43 @@ public final class PdpExtensions
 			throw new IllegalArgumentException("No PDP extension found supporting JAXB (configuration) type: " + jaxbConfClass + ". Expected types: " + JAXB_BOUND_EXTENSIONS_BY_JAXB_CLASS.keySet());
 		}
 
-		if (!(ext instanceof CloseableRefPolicyProvider.Factory))
+		if (!(ext instanceof CloseablePolicyProvider.Factory))