pdp.xsd 27.4 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://authzforce.github.io/core/xmlns/pdp/5.0" xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/5.0"
	elementFormDefault="qualified" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3"
	version="5.0.0">
	<import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
	<import namespace="http://authzforce.github.io/xmlns/pdp/ext/3" />
	<annotation>
		<documentation xml:lang="en">
			Data model of AuthZForce PDP configuration.
			<p>
				XML schema versioning: the 'version' attribute of the root
				'schema'
				element identifies the Major.Minor.Patch version of this
				schema. The
				Major.Minor part must match the Major.Minor part of
				the
				first compatible version of authzforce-ce-core library. The Patch
				version
				is used for any
				backwards-compatible change. The Minor
				version is
				incremented after any change that is NOT
				backwards-compatible. (As a result, the authzforce-ce-core
				library's
				minor version is
				incremented as well.)
				The Major.Minor version part
				must be part of the target namespace - but
				not the
				Patch
				version - to
				separate namespaces that are not backwards-compatible.
			</p>
		</documentation>
	</annotation>
	<element name="attributeProvider" type="authz-ext:AbstractAttributeProvider">
		<annotation>
			<documentation>
				<p>Attribute Provider that provides attributes not already provided
					in the XACML request by PEP, e.g. from external sources. There must
					be one and
					only one Java class - say
					'com.example.FooAttributeProviderModuleFactory' - on the classpath
					implementing interface
					'org.ow2.authzforce.core.pdp.api.AttributeProviderModule.Factory&lt;CONF_T&gt;'
					with zero-arg
					constructor,
					where
					CONF_T is the JAXB type bound to
					this
					XML element type. This attribute
					Provider may also depend on
					previously defined
					'attributeProviders', to find dependency
					attributes, i.e.
					attributes that
					this
					Provider does not support
					itself, but requires to find its supported
					attributes. Therefore, if
					an 'attributeProvider' AFy
					requires/depends on an
					attribute A that is
					not to be provided by the
					PEP,
					another 'attributeProvider' AFx
					providing this attribute A must be
					declared
					before X.
				</p>
				<p>
					AttributeProvider configurations (XML instances of this schema)
					may use the variable
					'PARENT_DIR' as the path to the parent
					directory of this
					PDP
					configuration file, so that
					AttributeProvider
					implementations can use
					org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
					to
					replace ${PARENT_DIR} placeholder with this
					value, and therefore
					use
					file paths relative to the PDP configuration file. If
					the
					location to the
					configuration file is not resolved to a file on
					the
					file system, 'PARENT_DIR' is undefined. You may use the
					colon ':' as
					a separating character
					between the placeholder variable
					and an
					associated default value, if PARENT_DIR is initially undefined.
					E.g. ${PARENT_DIR:/home/foo/conf} will be
					replaced with
					'/home/foo/conf' if PARENT_DIR is undefined.
				</p>
			</documentation>
		</annotation>
	</element>
	<element name="pdp">
		<complexType>
			<sequence>
				<element name="attributeDatatype" type="anyURI" minOccurs="0" maxOccurs="unbounded">
					<annotation>
						<documentation>URI of an attribute datatype to be added to
							supported datatypes. There must be one and only one Java class -
							say
							'com.example.FooValueFactory' - on the classpath
							implementing
							interface 'org.ow2.authzforce.core.value.DatatypeFactory' with
							zero-arg
							constructor,
							such that this URI equals: new
							com.example.FooValueFactory().getId().
						</documentation>
					</annotation>
				</element>
				<element name="function" type="anyURI" minOccurs="0" maxOccurs="unbounded">
					<annotation>
						<documentation>URI of a function to be added to supported
							functions. There must be one and only one Java class - say
							'com.example.FooFunction' -
							on the classpath implementing
							interface
							'org.ow2.authzforce.core.pdp.api.func.Function' with zero-arg constructor, such
							that this URI equals: new
							com.example.FooFunction().getId().
						</documentation>
					</annotation>
				</element>
				<element name="combiningAlgorithm" type="anyURI" minOccurs="0" maxOccurs="unbounded">
					<annotation>
						<documentation>URI of a policy/rule-combining algorithm to be
							added to supported algorithms. There must be one and only one
							Java class - say
							'com.example.FooCombiningAlg' - on the
							classpath
							implementing interface
							'org.ow2.authzforce.core.pdp.api.combining.CombiningAlg' with
							zero-arg
							constructor,
							such that this URI equals: new
							com.example.FooCombiningAlg().getId().
						</documentation>
					</annotation>
				</element>
				<element ref="tns:attributeProvider" maxOccurs="unbounded" minOccurs="0" />
				<element name="refPolicyProvider" type="authz-ext:AbstractPolicyProvider" minOccurs="0" maxOccurs="1">
					<annotation>
						<documentation>Referenced
							Policy Provider that resolves Policy(Set)IdReferences. There must
							be one and only one Java class - say
							'com.example.FooRefPolicyProviderModuleFactory' - on
							the
							classpath
							implementing interface
							'org.ow2.authzforce.core.pdp.api.policy.RefPolicyProviderModule.Factory&lt;CONF_T&gt;'
							with zero-arg constructor, where CONF_T is the JAXB type bound
							to
							this XML
							element type. This referenced policy Provider may also
							use any of the
							'refPolicyProvider' previously defined, if any, for
							Policy(Set)IdReference resolution; as some IdReferences
							may
							not be
							supported by this Provider. This element is not required if root
							policies
							found
							by the 'rootPolicyProvider' are always Policy
							elements, and
							not PolicySet elements.
							<p>
								Such configurations (XML instances of this schema) may use the
								variable 'PARENT_DIR' as the path to the parent directory of
								this
								PDP
								configuration file, so that Policy Provider
								implementations can use
								org.ow2.authzforce.pdp.api.EnvironmentProperties#replacePlaceholders()
								to
								replace ${PARENT_DIR} placeholder with this
								value, and
								therefore use file paths
								relative to the PDP configuration file.
								If
								the location to the
								configuration file is not resolved to a
								file on
								the file system, 'PARENT_DIR' is undefined. You may use
								the
								colon
								':' as a separating character
								between the placeholder
								variable
								and an associated default value, if PARENT_DIR is
								initially
								undefined. E.g. ${PARENT_DIR:/home/foo/conf} will be
								replaced with '/home/foo/conf' if PARENT_DIR is undefined.
							</p>
						</documentation>
					</annotation>
				</element>
				<element name="rootPolicyProvider" type="authz-ext:AbstractPolicyProvider">
					<annotation>
						<documentation>Root/top-level
							policy Provider that provides the root/top-level Policy(Set) to
							PDP for evaluation. There must be one and only one Java class -
							say
							'com.example.FooRootPolicyProviderModuleFactory' - on the
							classpath implementing interface
							'org.ow2.authzforce.core.pdp.api.policy.RootPolicyProviderModule.Factory&lt;CONF_T&gt;'
							with
							zero-arg
							constructor, where CONF_T is the JAXB type bound to
							this XML element type.
							This class may also implement
							'org.ow2.authzforce.core.pdp.api.policy.RefPolicyProviderModule.Factory&lt;CONF_T&gt;'
							to
							be used
							as
							'refPolicyProvider' as well. This policy Provider may
							also use
							any of the
							'refPolicyProvider' previously defined, if any,
							for
							Policy(Set)IdReference
							resolution.
							<p>
								Such configurations (XML instances of this schema) may use the
								variable 'PARENT_DIR' as the path to the parent directory of
								this
								PDP
								configuration file, so that Policy Provider
								implementations can use
								org.ow2.authzforce.pdp.api.EnvironmentProperties#replacePlaceholders()
								to
								replace ${PARENT_DIR} placeholder with this
								value, and
								therefore use file paths
								relative to the PDP configuration file.
								If
								the location to the
								configuration file is not resolved to a
								file on
								the file system, 'PARENT_DIR' is undefined. You may use
								the
								colon
								':' as a separating character
								between the placeholder
								variable
								and an associated default value, if PARENT_DIR is
								initially
								undefined. E.g. ${PARENT_DIR:/home/foo/conf} will be
								replaced with '/home/foo/conf' if PARENT_DIR is undefined.
							</p>
						</documentation>
					</annotation>
				</element>
				<element name="decisionCache" minOccurs="0" maxOccurs="1" type="authz-ext:AbstractDecisionCache">
					<annotation>
						<documentation>Decision Response cache that, for a given request,
							provides the XACML response from a cache if there is a cached
							response for the
							given request. There must be one and
							only one
							Java class - say 'com.example.FooDecisionCacheFactory' - on the
							classpath implementing interface
							'org.ow2.authzforce.core.pdp.api.DecisionCache.Factory&lt;CONF_T&gt;'
							with
							zero-arg constructor,
							where
							CONF_T is the JAXB type bound to
							this XML
							element type.
						</documentation>
					</annotation>
				</element>
			</sequence>
			<attribute name="version" type="token" use="required">
				<annotation>
					<documentation>Version of the current schema for which the instance
						document is valid. Must match the 'version' attribute value of the
						root
						'schema' element in the corresponding version
						of this
						schema.
					</documentation>
				</annotation>
			</attribute>
			<attribute name="useStandardDatatypes" type="boolean" use="optional" default="true">
				<annotation>
					<documentation>Enable support for XACML core standard attribute
						datatypes. If 'false', only dataypes specified in 'attributeDatatype' elements are available to the PDP, and therefore only these datatypes may be be used in policies.
					</documentation>
				</annotation>
			</attribute>
			<attribute name="useStandardFunctions" type="boolean" use="optional" default="true">
				<annotation>
					<documentation>Enable support for XACML core standard mandatory
						functions. If 'false', only functions specified in 'function' elements are available to the PDP, and therefore only these functions may be be used in policies.
					</documentation>
				</annotation>
			</attribute>
			<attribute name="useStandardCombiningAlgorithms" type="boolean" use="optional" default="true">
				<annotation>
					<documentation>Enable support for XACML core standard combining
						algorithms. If 'false', only algorithms specified in 'combiningAlgorithm' elements are available to the PDP, and therefore only these algorithms may be be used in policies.
					</documentation>
				</annotation>
			</attribute>
			<attribute name="standardEnvAttributeSource" type="tns:StandardEnvironmentAttributeSource" use="optional" default="REQUEST_ELSE_PDP" />
			<attribute name="enableXPath" type="boolean" use="optional" default="false">
				<annotation>
					<documentation>Enable support for AttributeSelectors,
						xpathExpression datatype and xpath-node-count function. This
						overrides 'useStandardDatatypes'
						parameter, i.e. xpathExpression
						is
						not supported anyway if 'enableXpath'
						is false. This feature is
						experimental (not to be used in
						production) and
						may have a negative
						impact on performance. Use
						with caution. For your
						information,
						AttributeSelector and xpathExpression
						datatype support is marked
						as
						optional in XACML 3.0 core specification.
					</documentation>
				</annotation>
			</attribute>
			<attribute name="strictAttributeIssuerMatch" type="boolean" use="optional" default="false">
				<annotation>
					<documentation><p>true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the
	             Issuer field.</p><p>
	             "Strict Attribute Issuer matching" means that an AttributeDesignator without Issuer only match request
	             Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that
	             the Issuer is not present in the Attribute Designator, but
	             it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Indeed, the XACML 3.0 Attribute Evaluation section
	             §5.29 says: "If the Issuer is not present in the AttributeDesignator, then the matching of the
	             attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone." 
	             Therefore, if 'strictAttributeIssuerMatch' is false, since policies may use AttributeDesignators without Issuer,
	             if the requests are using matching Attributes but with none, one or more different Issuers, this PDP
	             engine has to gather all the values from all the attributes with matching Category/AttributeId but
	             with any Issuer or no Issuer. Therefore, in order to stay compliant with §5.29 and still enforce best
	             practice, when strictAttributeIssuerMatch = true, we also require that all
	             AttributeDesignators set the Issuer field.</p>
					</documentation>
				</annotation>
			</attribute>
			<attribute name="maxVariableRefDepth" type="nonNegativeInteger" use="optional">
				<annotation>
					<documentation> Maximum depth of Variable reference chaining:
						VariableDefinition1 -&gt; VariableDefinition2 -&gt; ...; where
						'-&gt;' represents a
						VariableReference. It is recommended to specify a value for this attribute in production for security/safety reasons.
					Indeed, if not specified, no maximum is enforced (unlimited). 
					</documentation>
				</annotation>
			</attribute>
			<attribute name="maxPolicyRefDepth" type="nonNegativeInteger" use="optional">
				<annotation>
					<documentation>Maximum depth of Policy(Set) reference chaining:
						PolicySet1 -&gt; PolicySet2 -&gt; ... -&gt; Policy(Set)N; where
						'-&gt;' represents
						a Policy(Set)IdReference. It is recommended to specify a value for this attribute in production for security/safety reasons.
					Indeed, if not specified, no maximum is enforced (unlimited). 
					</documentation>
				</annotation>
			</attribute>
			<attribute name="requestFilter" type="anyURI" use="optional" default="urn:ow2:authzforce:feature:pdp:request-filter:default-lax">
				<annotation>
					<documentation>
						<p>URI of a XACML Request filter to be enabled. A XACML Request
							filter is a PDP extension that applies some processing of the
							request, such as
							validation and transformation, prior to
							the
							policy
							evaluation. As an example of validation, a Request filter
							may reject a
							request containing an
							unsupported XACML element. As
							an example of
							transformation, it may support
							the MultiRequests
							element, and more generally the Multiple Decision
							Profile or
							Hierarchical
							Resource Profile by creating multiple
							Individual
							Decision Requests from the original
							XACML request, as defined in
							XACML
							Multiple Decision Profile specification, section 2; and then
							call the
							policy evaluation engine for each Individual Decision
							Request. At
							the end,
							the results (one per Individual Decision
							Request) may be combined by a ResultFilter specified by next
							attribute 'resultFilter'.
						</p>
						<p>There must be one and only one Java class - say
							'com.example.FooRequestFilter' - on the classpath implementing
							interface
							'org.ow2.authzforce.core.pdp.api.RequestFilter' with
							zero-arg
							constructor, such
							that this URI equals: new
							com.example.FooRequestFilter().getId().</p>
						<p>If the configuration parameter 'enableXPath' is true, it is the
							responsibility of the RequestFilter to parse XACML
							Request/Attributes/Content
							nodes. If the configuration parameter
							'strictAttributeIssuerMatch' is true, it is the responsibility of
							the RequestFilter to keep values of
							Attributes with Issuer
							separate from values of Attributes without Issuer, in
							the
							attribute
							map returned by getNamedAttributes() on
							the
							IndividualDecisionRequests produced by the RequestFilter.</p>
						<p>The following values of 'requestFilter' are natively supported:</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:default-lax":
							implements only XACML 3.0 Core (NO support for Multiple Decision)
							and allows
							duplicate &lt;Attribute&gt; with same
							meta-data in the
							same &lt;Attributes&gt; element of a Request
							(complying with XACML
							3.0 core spec, §7.3.3)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:default-strict":
							implements only XACML 3.0 Core (NO support for Multiple Decision)
							and does not
							allow duplicate &lt;Attribute&gt;
							with same meta-data
							in the same &lt;Attributes&gt; element of a
							Request
							(NOT complying
							with XACML 3.0 core spec,
							§7.3.3, but better
							performances)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax":
							implements Multiple Decision Profile, section 2.3
							(repeated
							attribute categories), and
							allows duplicate &lt;Attribute&gt; with
							same meta-data in the same
							&lt;Attributes&gt; element of a Request
							(complying with XACML 3.0
							core spec, §7.3.3)</p>
						<p>"urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-strict":
							same as previous one, except it does not allow
							duplicate
							&lt;Attribute&gt; with same
							meta-data in the same
							&lt;Attributes&gt; element of a Request (NOT complying with XACML
							3.0 core spec,
							§7.3.3, but better performances)</p>
					</documentation>
				</annotation>
			</attribute>
			<attribute name="resultFilter" type="anyURI" use="optional">
				<annotation>
					<documentation>URI of a XACML decision Result filter to be enabled.
						A decision Result filter is a PDP extension that process the
						result(s) from the
						policy evaluation before the final
						XACML
						Response is created (and returned back to the requester). For
						example, a
						typical Result filter may combine
						multiple individual
						decisions -
						produced by the 'requestFilter' - to a
						single decision
						Result if and only if the XACML Request's 'CombinedDecision'
						is
						set to
						true, as defined in XACML Multiple Decision Profile
						specification,
						section 3. There must be one
						and only one Java class
						-
						say
						'com.example.FooDecisionResultFilter' - on the classpath
						implementing interface
						'org.ow2.authzforce.core.pdp.api.DecisionResultFilter' with
						zero-arg
						constructor, such that this URI equals:
						new
						com.example.FooDecisionResultFilter().getId().
					</documentation>
				</annotation>
			</attribute>
			<attribute name="badRequestStatusDetailLevel" type="nonNegativeInteger" use="optional" default="0">
				<annotation>
					<documentation>Level of detail in the StatusDetail returned in the Indeterminate Result when the Request
						format/syntax is invalid. Increasing this value usually helps better pinpoint the issue with the Request. 
					</documentation>
				</annotation>
			</attribute>
		</complexType>
		<key name="datatypeKey">
			<selector xpath="tns:attributeDatatype" />
			<field xpath="." />
		</key>
		<key name="functionKey">
			<selector xpath="tns:function" />
			<field xpath="." />
		</key>
		<key name="functionSetKey">
			<selector xpath="tns:functionSet" />
			<field xpath="." />
		</key>
		<key name="algorithmKey">
			<selector xpath="tns:combiningAlgorithm" />
			<field xpath="." />
		</key>
		<key name="refPolicyProviderKey">
			<selector xpath="tns:refPolicyProvider" />
			<field xpath="@id" />
		</key>
		<key name="attributeProviderKey">
			<selector xpath="tns:attributeProvider" />
			<field xpath="@id" />
		</key>
	</element>
	<simpleType name="StandardEnvironmentAttributeSource">
		<annotation>
			<documentation>
				Defines the source for the standard environment attributes specified
				in §10.2.5: current-time, current-date and current-dateTime.
				The
				options are:
				<ul>
					<li>REQUEST_ELSE_PDP: the default choice, that complies with the
						XACML standard (§10.2.5): "If
						values for these attributes are not
						present in the
						decision request,
						then their
						values MUST be supplied
						by the context handler". In our case, "context handler" means the
						PDP. In other words, the
						attribute values come from request by
						default, or from the PDP
						if (and *only if* in this case) they are
						not set in the request.
						More precisely, if
						any of these standard environment attributes is provided in the request,
						none of the PDP values is used, even if some policy requires one that is
						missing from the request.
						Indeed, this is to avoid such case when the decision request
						specifies at least one date/time attribute, e.g.
						current-time,
						but not all of them, e.g. not current-dateTime, and the policy
						requires both the one(s) provided and the one(s) not provided.
						In this case, if the PDP provides its own value(s)
						for the missing attributes (e.g. current-dateTime), this may cause some
						inconsistencies since we
						end up having date/time attributes coming
						from two different sources/environments (current-time and current-dateTime for instance).
						In short, since this option introduces some ambiguities with regards to the XACMl specification, we strongly recommend to use
						the other options
						below.</li>
					<li>REQUEST_ONLY: always use the value from the request, or nothing
						if the value is not set in the request, in which case this results
						in
						Indeterminate (missing attribute) if the
						policy evaluation
						requires it.</li>
					<li>PDP_ONLY: always use the values from the PDP. In other words,
						Request values are simply ignored; PDP values systematically
						override the ones
						from the request.
						This also guarantees that they
						are always set (by the PDP).
						NB: note that the XACML standard
						(§10.2.5) says: "If
						values for these
						attributes are not present in
						the decision request,
						then their
						values MUST be supplied
						by the
						context handler" but it does NOT
						say "If AND ONLY IF
						values..." So
						this option could still be considered XACML compliant in a strict
						sense.</li>
				</ul>
			</documentation>
		</annotation>
		<restriction base="string">
			<enumeration value="REQUEST_ELSE_PDP"></enumeration>
			<enumeration value="REQUEST_ONLY"></enumeration>
			<enumeration value="PDP_ONLY"></enumeration>
		</restriction>
	</simpleType>
	<complexType name="StaticRootPolicyProvider">
		<annotation>
			<documentation>PolicyProvider loading root policies statically from
				URLs.
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<attribute name="policyLocation" type="anyURI" use="required">
					<annotation>
						<documentation> Location of a XML file that is expected to contain
							the root (aka top-level) Policy or PolicySet. Use the global
							property
							'PARENT_DIR' for paths under the parent
							directory to the
							XML file where this is used.
						</documentation>
					</annotation>
				</attribute>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="StaticRefPolicyProvider">
		<annotation>
			<documentation>Policy(Set)IdReference Provider loading policies
				statically from URLs. Any PolicyIdReference used in a PolicySet here
				must refer to a
				Policy loaded here as well. Besides, a
				PolicySet
				P1
				must be loaded before any other PolicySet P2 with a reference
				(PolicySetIdReference) to P1. As
				PolicySets are loaded in the order
				of declaration of policyLocations, the order
				matters for
				PolicySetIdReference resolution.
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<sequence>
					<element name="policyLocation" type="anyURI" minOccurs="1" maxOccurs="unbounded">
						<annotation>
							<documentation> Location of the XML file that is expected to
								contain the Policy or PolicySet element to be referenced by a
								Policy(Set)IdReference in the root PolicySet loaded by a
								root
								policy
								Provider. The location may also be a file pattern in the
								following form:
								"file://DIRECTORY_PATH/*SUFFIX", using wilcard
								character '*'; in
								which case the location is
								expanded to all
								regular
								files
								(not
								subdirectories)
								in
								directory located at
								DIRECTORY_PATH with suffix SUFFIX (there may not be
								a SUFFIX; in
								other words, SUFFIX may be an empty
								string). The files are
								NOT
								searched
								recursively on
								sub-directories. Use the global property
								'PARENT_DIR' for defining - in a
								generic way - a path relative to
								the parent
								directory
								to the XML file where this is used.
							</documentation>
						</annotation>
					</element>
				</sequence>
			</extension>
		</complexContent>
	</complexType>
	<complexType name="StaticRefBasedRootPolicyProvider">
		<annotation>
			<documentation>
				Static Root Policy Provider based on the
				RefPolicyProvider, i.e. the root
				policy is a PolicySet retrieved
				using the RefPolicyProvider
				(mandatory in this case).
			</documentation>
		</annotation>
		<complexContent>
			<extension base="authz-ext:AbstractPolicyProvider">
				<sequence>
					<element name="policyRef" type="xacml:IdReferenceType" />
				</sequence>
			</extension>
		</complexContent>
	</complexType>
</schema>