pdp.xsd 32.6 KB
Newer Older
1
<?xml version="1.0" encoding="UTF-8"?>
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80
<schema
	xmlns="http://www.w3.org/2001/XMLSchema"
	targetNamespace="http://authzforce.github.io/core/xmlns/pdp/6.0"
	xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/6.0"
	elementFormDefault="qualified"
	xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
	xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"
	version="6.0.0">
	<import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
	<import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" />
	<annotation>
		<documentation xml:lang="en">
			Data model of AuthZForce PDP configuration.
			<p>
				XML schema versioning: the 'version' attribute of the root
				'schema'
				element identifies the Major.Minor.Patch version of this
				schema. The
				Major.Minor part must match the Major.Minor part of
				the
				first compatible version of authzforce-ce-core library. The Patch
				version
				is used for any
				backwards-compatible change. The Minor
				version is
				incremented after any change that is NOT
				backwards-compatible. (As a result, the authzforce-ce-core
				library's
				minor version is
				incremented as well.)
				The Major.Minor version part
				must be part of the target namespace - but
				not the
				Patch
				version - to
				separate namespaces that are not backwards-compatible.
			</p>
		</documentation>
	</annotation>
	<element
		name="attributeProvider"
		type="authz-ext:AbstractAttributeProvider">
		<annotation>
			<documentation>
				<p>Attribute Provider that provides attributes not already provided
					in the XACML request by PEP, e.g. from external sources. There must
					be one and
					only one Java class - say
					'com.example.FooAttributeProviderFactory' - on the classpath
					implementing interface
					'org.ow2.authzforce.core.pdp.api.CloseableDesignatedAttributeProvider.Factory&lt;CONF_T&gt;'
					with
					zero-arg
					constructor,
					where
					CONF_T is the JAXB type bound to
					this
					XML element type. This attribute
					Provider may also depend on
					previously defined
					'attributeProviders', to find dependency
					attributes, i.e.
					attributes that
					this
					Provider does not support
					itself, but requires to find its supported
					attributes. Therefore, if
					an 'attributeProvider' AFy
					requires/depends on an
					attribute
					A that is
					not to be provided by the
					PEP,
					another 'attributeProvider' AFx
					providing this attribute A must be
					declared
					before X.
				</p>
				<p>
81 82 83 84 85 86 87
					Such configurations (XML instances of this schema)
					may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.
					
					Implementation classes can use
88
					org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
89 90 91 92 93
					to replace ${property_name} placeholders with such properties. 
					You may use '!' as a separating character
					between the placeholder property name
					and a default value that is used if the property is undefined.
					E.g. ${PARENT_DIR!/home/foo/conf} will be
94 95
					replaced with
					'/home/foo/conf' if PARENT_DIR is undefined.
96 97 98 99 100 101
					
					In the location, you may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.
					
102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203
				</p>
			</documentation>
		</annotation>
	</element>
	<element name="pdp">
		<complexType>
			<sequence>
				<element
					name="attributeDatatype"
					type="anyURI"
					minOccurs="0"
					maxOccurs="unbounded">
					<annotation>
						<documentation>URI of an attribute datatype to be added to
							supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every
							datatype, there must be one and only one Java class -
							say
							'com.example.FooValueFactory' - on the classpath
							implementing
							interface
							'org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory' with
							zero-arg
							constructor,
							such that this URI equals: new
							com.example.FooValueFactory().getId().
						</documentation>
					</annotation>
				</element>
				<element
					name="function"
					type="anyURI"
					minOccurs="0"
					maxOccurs="unbounded">
					<annotation>
						<documentation>URI of a function to be added to supported
							functions. For every function, its return type and all its parameter types must be either standard mandatory ones enabled by
							'useStandardDatatypes' attribute, or custom ones declared in previous 'attributeDatatype' elements; and there must be one and only one Java class - say
							'com.example.FooFunction' -
							on the classpath implementing
							interface
							'org.ow2.authzforce.core.pdp.api.func.Function' with zero-arg constructor, such
							that this URI equals: new
							com.example.FooFunction().getId().
						</documentation>
					</annotation>
				</element>
				<element
					name="combiningAlgorithm"
					type="anyURI"
					minOccurs="0"
					maxOccurs="unbounded">
					<annotation>
						<documentation>URI of a policy/rule-combining algorithm to be
							added to supported algorithms. There must be one and only one
							Java class - say
							'com.example.FooCombiningAlg' - on the
							classpath
							implementing interface
							'org.ow2.authzforce.core.pdp.api.combining.CombiningAlg' with
							zero-arg
							constructor,
							such that this URI equals: new
							com.example.FooCombiningAlg().getId().
						</documentation>
					</annotation>
				</element>
				<element
					ref="tns:attributeProvider"
					maxOccurs="unbounded"
					minOccurs="0" />
				<element
					name="refPolicyProvider"
					type="authz-ext:AbstractPolicyProvider"
					minOccurs="0"
					maxOccurs="1">
					<annotation>
						<documentation>Referenced
							Policy Provider that resolves Policy(Set)IdReferences. There must
							be one and only one Java class - say
							'com.example.FooRefPolicyProviderFactory' - on
							the
							classpath
							implementing
							interface
							'org.ow2.authzforce.core.pdp.api.policy.CLoseableRefPolicyProvider.Factory&lt;CONF_T&gt;'
							with zero-arg constructor, where CONF_T is the JAXB type bound
							to
							this XML
							element
							type. This referenced policy Provider may also
							use any of the
							'refPolicyProvider' previously defined, if any, for
							Policy(Set)IdReference resolution; as some IdReferences
							may
							not be
							supported by this Provider. This element is not required if root
							policies
							found
							by the 'rootPolicyProvider' are always Policy
							elements, and
							not PolicySet elements.
							<p>
204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223
								Such configurations (XML instances of this schema)
					may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.
					
					Implementation classes can use
					org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
					to replace ${property_name} placeholders with such properties. 
					You may use '!' as a separating character
					between the placeholder property name
					and a default value that is used if the property is undefined.
					E.g. ${PARENT_DIR!/home/foo/conf} will be
					replaced with
					'/home/foo/conf' if PARENT_DIR is undefined.
					
					In the location, you may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.
224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257
							</p>
						</documentation>
					</annotation>
				</element>
				<element
					name="rootPolicyProvider"
					type="authz-ext:AbstractPolicyProvider">
					<annotation>
						<documentation>Root/top-level
							policy Provider that provides the root/top-level Policy(Set) to
							PDP for evaluation. There must be one and only one Java class -
							say
							'com.example.FooRootPolicyProviderFactory' - on
							the
							classpath implementing interface
							'org.ow2.authzforce.core.pdp.api.policy.RootPolicyProvider.Factory&lt;CONF_T&gt;'
							with
							zero-arg
							constructor, where CONF_T is the JAXB type bound to
							this XML element type.
							This class may also implement
							'org.ow2.authzforce.core.pdp.api.policy.CloseableRefPolicyProvider.Factory&lt;CONF_T&gt;'
							to
							be used
							as
							'refPolicyProvider' as well.
							This policy Provider may
							also use
							any of the
							'refPolicyProvider' previously defined, if any,
							for
							Policy(Set)IdReference
							resolution.
							<p>
258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277
								Such configurations (XML instances of this schema)
					may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.
					
					Implementation classes can use
					org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
					to replace ${property_name} placeholders with such properties. 
					You may use '!' as a separating character
					between the placeholder property name
					and a default value that is used if the property is undefined.
					E.g. ${PARENT_DIR!/home/foo/conf} will be
					replaced with
					'/home/foo/conf' if PARENT_DIR is undefined.
					
					In the location, you may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.
278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753
							</p>
						</documentation>
					</annotation>
				</element>
				<element
					name="decisionCache"
					minOccurs="0"
					maxOccurs="1"
					type="authz-ext:AbstractDecisionCache">
					<annotation>
						<documentation>Decision Result cache that, for a given request,
							provides the XACML policy evaluation result from a cache if there is a cached
							result for the
							given request. There must be
							one and
							only one
							Java class - say 'com.example.FooDecisionCacheFactory' - on the
							classpath implementing interface
							'org.ow2.authzforce.core.pdp.api.DecisionCache.Factory&lt;CONF_T&gt;'
							with
							zero-arg constructor,
							where
							CONF_T is the JAXB type bound to
							this XML
							element type.
						</documentation>
					</annotation>
				</element>
				<element
					name="ioProcChain"
					type="tns:InOutProcChain"
					minOccurs="0"
					maxOccurs="unbounded">
					<annotation>
						<documentation>I/O processing chains if specific processing before and/or after policy evaluation by the PDP engine is required. Each chain must handle a different input datatype. In
							other words, there is no more than one I/O processing chain per supported input type, e.g. one for
							XACML/XML input, another for XACML/JSON input.
						</documentation>
					</annotation>
				</element>
			</sequence>
			<attribute
				name="version"
				type="token"
				use="required">
				<annotation>
					<documentation>Version of the current schema for which the instance
						document is valid. Must match the 'version' attribute value of the
						root
						'schema' element in the corresponding version
						of
						this
						schema.
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="useStandardDatatypes"
				type="boolean"
				use="optional"
				default="true">
				<annotation>
					<documentation>Enable support for XACML core standard mandatory
						datatypes. If 'false', only datatypes specified in 'attributeDatatype' elements are available to the PDP, and therefore
						only these datatypes may be be used in policies.
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="useStandardFunctions"
				type="boolean"
				use="optional"
				default="true">
				<annotation>
					<documentation>Enable support for XACML core standard mandatory
						functions. Requires useStandardDatatypes=true if true; if 'false', only functions specified in 'function' elements are
						available to the PDP, and therefore only these
						functions may be be used in policies.
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="useStandardCombiningAlgorithms"
				type="boolean"
				use="optional"
				default="true">
				<annotation>
					<documentation>Enable support for XACML core standard combining
						algorithms. If 'false', only algorithms specified in 'combiningAlgorithm' elements are available to the PDP, and therefore
						only these algorithms may be be used in policies.
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="standardEnvAttributeSource"
				type="tns:StandardEnvironmentAttributeSource"
				use="optional"
				default="REQUEST_ELSE_PDP" />
			<attribute
				name="enableXPath"
				type="boolean"
				use="optional"
				default="false">
				<annotation>
					<documentation>Enable support for AttributeSelectors,
						xpathExpression datatype and xpath-node-count function. This
						overrides 'useStandardDatatypes'
						parameter, i.e. xpathExpression
						is
						not
						supported anyway if 'enableXpath'
						is false. This feature is
						experimental (not to be used in
						production) and
						may have a negative
						impact on performance. Use
						with caution. For your
						information,
						AttributeSelector and xpathExpression
						datatype support is marked
						as
						optional in XACML 3.0 core specification.
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="strictAttributeIssuerMatch"
				type="boolean"
				use="optional"
				default="false">
				<annotation>
					<documentation>
						<p>true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the
							Issuer field.</p>
						<p>
							"Strict Attribute Issuer matching" means that an AttributeDesignator without Issuer only match request
							Attributes without Issuer. This mode is not fully compliant with XACML 3.0,
							§5.29, in the case that
							the Issuer is not present in the Attribute Designator, but
							it performs better and is recommended when all AttributeDesignators have an Issuer (best
							practice). Indeed, the XACML 3.0 Attribute Evaluation section
							§5.29 says: "If the Issuer is not present in the AttributeDesignator, then the matching of the
							attribute to the named
							attribute SHALL be governed by AttributeId and DataType attributes alone."
							Therefore, if 'strictAttributeIssuerMatch' is false, since policies may use AttributeDesignators without
							Issuer,
							if the requests are using matching Attributes but with none, one or more different Issuers, this PDP
							engine has to gather all the values from all the attributes with
							matching Category/AttributeId but
							with any Issuer or no Issuer. Therefore, in order to stay compliant with §5.29 and still enforce best
							practice, when strictAttributeIssuerMatch =
							true, we also require that all
							AttributeDesignators set the Issuer field.</p>
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="maxIntegerValue"
				type="positiveInteger"
				use="optional"
				default="2147483647">
				<annotation>
					<documentation> Maximum absolute integer value. This is the expected maximum absolute value for XACML attributes of standard type 'http://www.w3.org/2001/XMLSchema#integer' (requires
						useStandardDatatypes
						= true). Decreasing this value as much
						as
						possible helps the PDP engine optimize the processing of integer
						values (lower memory consumption, faster computations).
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="maxVariableRefDepth"
				type="nonNegativeInteger"
				use="optional">
				<annotation>
					<documentation> Maximum depth of Variable reference chaining:
						VariableDefinition1 -&gt; VariableDefinition2 -&gt; ...; where
						'-&gt;' represents a
						VariableReference. It is recommended to
						specify a value for this attribute in production for security/safety reasons.
						Indeed, if not specified, no maximum is enforced (unlimited).
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="maxPolicyRefDepth"
				type="nonNegativeInteger"
				use="optional">
				<annotation>
					<documentation>Maximum depth of Policy(Set) reference chaining:
						PolicySet1 -&gt; PolicySet2 -&gt; ... -&gt; Policy(Set)N; where
						'-&gt;' represents
						a Policy(Set)IdReference. It is
						recommended to specify a value for this attribute in production for security/safety reasons.
						Indeed, if not specified, no maximum is enforced (unlimited).
					</documentation>
				</annotation>
			</attribute>
			<attribute
				name="clientRequestErrorVerbosityLevel"
				type="nonNegativeInteger"
				use="optional"
				default="0">
				<annotation>
					<documentation>Level of verbosity of the error message trace returned in case of client request errors, e.g. invalid requests. Increasing this value
						usually helps the clients better
						pinpoint the
						issue with their Requests. This parameter is relevant to the Result postprocessor ('resultPostproc' parameter) which is expected to
						enforce this verbosity level when
						returning
						Indeterminate Results due to client request errors. The Result postprocessor must return all error messages in the Java stacktrace up to the same level as this parameter's
						value if
						the stacktrace is bigger, else the full stacktrace.
					</documentation>
				</annotation>
			</attribute>
		</complexType>
		<key name="datatypeKey">
			<selector xpath="tns:attributeDatatype" />
			<field xpath="." />
		</key>
		<key name="functionKey">
			<selector xpath="tns:function" />
			<field xpath="." />
		</key>
		<key name="algorithmKey">
			<selector xpath="tns:combiningAlgorithm" />
			<field xpath="." />
		</key>
		<key name="refPolicyProviderKey">
			<selector xpath="tns:refPolicyProvider" />
			<field xpath="@id" />
		</key>
		<key name="attributeProviderKey">
			<selector xpath="tns:attributeProvider" />
			<field xpath="@id" />
		</key>
		<key name="requestPreprocKey">
			<selector xpath="tns:ioProcChain/tns:requestPreproc" />
			<field xpath="." />
		</key>
	</element>
	<simpleType name="StandardEnvironmentAttributeSource">
		<annotation>
			<documentation>
				Defines the source for the standard environment attributes specified
				in §10.2.5: current-time, current-date and current-dateTime.
				The
				options are:
				<ul>
					<li>REQUEST_ELSE_PDP: the default choice, that complies with the
						XACML standard (§10.2.5): "If
						values for these attributes are not
						present in the
						decision request,
						then their
						values MUST be
						supplied
						by the context handler". In our case, "context handler" means the
						PDP. In other words, the
						attribute values come from request by
						default, or from the PDP
						if (and *only if* in
						this case) they are
						not set in the request.
						More precisely, if
						any of these standard environment attributes is provided in the request,
						none of the PDP values is used, even if some
						policy requires one that is
						missing from the request.
						Indeed, this is to avoid such case when the decision request
						specifies at least one date/time attribute, e.g.
						current-time,
						but not
						all of them, e.g. not current-dateTime, and the policy
						requires both the one(s) provided and the one(s) not provided.
						In this case, if the PDP provides its own value(s)
						for the missing
						attributes (e.g. current-dateTime), this may cause some
						inconsistencies since we
						end up having date/time attributes coming
						from two different sources/environments (current-time and
						current-dateTime for instance).
						In short, since this option introduces some ambiguities with regards to the XACMl specification, we strongly recommend to use
						the other options
						below.</li>
					<li>REQUEST_ONLY: always use the value from the request, or nothing
						if the value is not set in the request, in which case this results
						in
						Indeterminate (missing attribute) if the
						policy
						evaluation
						requires it.</li>
					<li>PDP_ONLY: always use the values from the PDP. In other words,
						Request values are simply ignored; PDP values systematically
						override the ones
						from the request.
						This also guarantees that
						they
						are always set (by the PDP).
						NB: note that the XACML standard
						(§10.2.5) says: "If
						values for these
						attributes are not present in
						the decision request,
						then their
						values MUST be supplied
						by the
						context handler" but it does NOT
						say "If AND ONLY IF
						values..." So
						this option could still be considered XACML compliant in a strict
						sense.</li>
				</ul>
			</documentation>
		</annotation>
		<restriction base="string">
			<enumeration value="REQUEST_ELSE_PDP"></enumeration>
			<enumeration value="REQUEST_ONLY"></enumeration>
			<enumeration value="PDP_ONLY"></enumeration>
		</restriction>
	</simpleType>
	<complexType name="InOutProcChain">
		<annotation>
			<documentation>Pair of compatible PDP input/output processors - resp. 'requestPreproc' and 'resultPostproc' - where 'compatible' means: requestPreproc.getOutputRequestType() ==
				resultPostproc.getRequestType()
			</documentation>
		</annotation>
		<sequence>
			<element
				name="requestPreproc"
				type="anyURI">
				<annotation>
					<documentation>
						<p>URI of a XACML Request pre-processor to be enabled. A XACML Request
							preprocessor is a PDP extension that applies some processing of the
							request, such as
							validation and
							transformation, prior to
							the
							policy
							evaluation. As an example of validation, a Request preprocessor
							may reject a
							request containing an
							unsupported XACML element. As
							an example of
							transformation, it may support
							the MultiRequests
							element, and more generally the Multiple Decision
							Profile or
							Hierarchical
							Resource Profile by creating multiple
							Individual
							Decision
							Requests from the original
							XACML request, as defined in
							XACML
							Multiple Decision Profile specification, section 2; and then
							call the
							policy evaluation engine for each Individual
							Decision
							Request. At
							the end,
							the results (one per Individual Decision
							Request) may be combined by a Result postprocessor specified by next
							attribute 'resultPostproc'.
						</p>
						<p>There must be one and only one Java class - say
							'com.example.FooRequestPreproc' - on the classpath implementing
							interface
							'org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor' with
							zero-arg
							constructor, such
							that this URI equals: new
							com.example.FooRequestPreproc().getId().</p>
						<p>If the configuration parameter 'enableXPath' is true, it is the
							responsibility of the Request preprocessor to parse XACML
							Request/Attributes/Content
							nodes. If the configuration
							parameter
							'strictAttributeIssuerMatch' is true, it is the responsibility of
							the Request preprocessor to keep values of
							Attributes with Issuer
							separate from values of Attributes
							without Issuer, in
							the
							attribute
							map returned by getNamedAttributes() on
							the
							IndividualDecisionRequests produced by the Request preprocessor.</p>
						<p>The following values of 'requestPreproc' are natively supported:</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax":
							implements only XACML 3.0 Core (NO support for Multiple Decision)
							and allows
							duplicate &lt;Attribute&gt; with
							same
							meta-data in the
							same &lt;Attributes&gt; element of a Request
							(complying with XACML
							3.0 core spec, §7.3.3)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-strict":
							implements only XACML 3.0 Core (NO support for Multiple Decision)
							and does not
							allow duplicate
							&lt;Attribute&gt;
							with
							same meta-data
							in the same &lt;Attributes&gt; element of a
							Request
							(NOT complying
							with XACML 3.0 core spec,
							§7.3.3, but better
							performances)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax":
							implements Multiple Decision Profile, section 2.3
							(repeated
							attribute
							categories), and
							allows duplicate &lt;Attribute&gt; with
							same meta-data in the same
							&lt;Attributes&gt; element of a Request
							(complying with XACML 3.0
							core spec, §7.3.3)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-strict":
							same as previous one, except it does not allow
							duplicate
							&lt;Attribute&gt;
							with same
							meta-data in the same
							&lt;Attributes&gt; element of a Request (NOT complying with XACML
							3.0 core spec,
							§7.3.3, but better performances)</p>
					</documentation>
				</annotation>
			</element>
			<element
				name="resultPostproc"
				type="anyURI"
				minOccurs="0">
				<annotation>
					<documentation>URI of a XACML decision Result post-processor to be enabled.
						A decision Result post-processor is a PDP extension that process the
						result(s) from the
						policy evaluation before
						the final
						XACML
						Response is created (and returned back to the requester). For
						example, a
						typical Result post-processor may combine
						multiple individual
						decisions -
						produced by the
						'requestPreproc' - to a
						single decision
						Result if and only if the XACML Request's 'CombinedDecision'
						is
						set to
						true, as defined in XACML Multiple Decision Profile
						specification,
						section 3.
						There must be one
						and only one Java class
						-
						say
						'com.example.FooResultPostproc' - on the classpath
						implementing interface
						'org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor' with
						zero-arg
						constructor, such that this URI equals:
						new
						com.example.FooResultPostproc().getId().
					</documentation>
				</annotation>
			</element>
		</sequence>
754

755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770
	</complexType>
	<complexType name="StaticRootPolicyProvider">
		<annotation>
			<documentation>PolicyProvider loading root policies statically from
				URLs.
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<attribute
					name="policyLocation"
					type="anyURI"
					use="required">
					<annotation>
						<documentation> Location of a XML file that is expected to contain
							the root (aka top-level) Policy or PolicySet. The location may be either a "classpath:" pseudo URL, a "file:" URL,
771 772 773 774 775 776 777 778 779 780 781 782 783
							or a plain file path. 
							
							In the location, you may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.

					You may use '!' as a separating character
					between the placeholder property name
					and a default value that is used if the property is undefined.
					E.g. ${PARENT_DIR!/home/foo/conf} will be
					replaced with
					'/home/foo/conf' if PARENT_DIR is undefined.
784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831
						</documentation>
					</annotation>
				</attribute>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="StaticRefPolicyProvider">
		<annotation>
			<documentation>Policy(Set)IdReference Provider loading policies
				statically from URLs. Any PolicyIdReference used in a PolicySet here
				must refer to a
				Policy loaded here as well. Besides, a
				PolicySet
				P1
				must be loaded before any other PolicySet P2 with a reference
				(PolicySetIdReference) to P1. As
				PolicySets are loaded in the order
				of declaration of policyLocations, the order
				matters for
				PolicySetIdReference resolution.
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<sequence>
					<element
						name="policyLocation"
						type="anyURI"
						minOccurs="1"
						maxOccurs="unbounded">
						<annotation>
							<documentation> Location of the XML file that is expected to
								contain the Policy or PolicySet element to be referenced by a
								Policy(Set)IdReference in the root PolicySet loaded by a
								root
								policy
								Provider. The location may also be a file pattern in the
								form 'file://DIRECTORY_PATH/*SUFFIX' or 'file://DIRECTORY_PATH/**...*SUFFIX', etc. (arbitrarily long sequence of wildcard characters) in
								which case the location is
								expanded to all
								regular
								files in
								the directory located at
								DIRECTORY_PATH with suffix SUFFIX, not crossing directory boundaries if using a single wildcard; but crossing directory boundaries if using more than a single wildcard (there
								may not be
								a SUFFIX; in
								other words, SUFFIX may be an empty
								string). The number of wildcards in the sequence '**....*' defines the maximum number of directory levels to search.
832 833 834 835 836 837 838 839 840 841 842 843
								
								In the location, you may use placeholders enclosed between '${' and '}' for the following properties:
								- the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
								- Java system properties;
								- System environment variables.

					You may use '!' as a separating character
					between the placeholder property name
					and a default value that is used if the property is undefined.
					E.g. ${PARENT_DIR!/home/foo/conf} will be
					replaced with
					'/home/foo/conf' if PARENT_DIR is undefined.
844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879
							</documentation>
						</annotation>
					</element>
				</sequence>
				<attribute
					name="ignoreOldVersions"
					type="boolean"
					use="optional" default="false">
					<annotation>
						<documentation>true iff all versions of any policy must be ignored except the last, i.e. whenever there are multiple versions for the same policy ID, do as if only the last one exists.
						</documentation>
					</annotation>
				</attribute>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="StaticRefBasedRootPolicyProvider">
		<annotation>
			<documentation>
				Static Root Policy Provider based on the
				RefPolicyProvider, i.e. the root
				policy is a PolicySet retrieved
				using the RefPolicyProvider
				(mandatory in this case).
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<sequence>
					<element
						name="policyRef"
						type="xacml:IdReferenceType" />
				</sequence>
			</extension>
		</complexContent>
	</complexType>
cdanger's avatar
cdanger committed
880
</schema>