Commit c50402b1 authored by cdanger

* Changed PDP XSD: 'requestFilter' attribute now has default value

"urn:thalesgroup:xacml:request-filter:default-lax" and possible values
for requestFilter extensions natively supported:
 * "urn:thalesgroup:xacml:request-filter:default-lax": implements only
XACML 3.0 Core (NO support for Multiple Decision) and allows duplicate
<Attribute> with same meta-data in the same <Attributes> element of a
Request (complying with XACML 3.0 core spec, §7.3.3)
 * "urn:thalesgroup:xacml:request-filter:default-strict": implements
only XACML 3.0 Core (NO support for Multiple Decision) and does not
allow duplicate <Attribute> with same meta-data in the same <Attributes>
element of a Request (NOT complying with XACML 3.0 core spec, §7.3.3,
but better performances)
 *  "urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-lax":
implements Multiple Decision Profile, section 2.3 (repeated attribute
categories), and allows duplicate <Attribute> with same meta-data in the
same <Attributes> element of a Request (complying with XACML 3.0 core
spec, §7.3.3)
 * "urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-strict":
same as previous one, except it does not allow duplicate <Attribute>
with same meta-data in the same <Attributes> element of a Request (NOT
complying with XACML 3.0 core spec, §7.3.3, but better performances)
parent 8707fbc6
......@@ -19,6 +19,7 @@
package org.ow2.authzforce.core.pdp.impl.policy;
import java.util.AbstractMap.SimpleImmutableEntry;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
......@@ -32,6 +33,7 @@ import org.ow2.authzforce.core.pdp.api.PolicyVersion;
*/
public final class StaticApplicablePolicyView implements Iterable<Entry<String, PolicyVersion>>
{
private static final IllegalArgumentException ILLEGAL_ARGUMENTS_EXCEPTION = new IllegalArgumentException("Null root policy ID/version");
private static final UnsupportedOperationException UNSUPPORTED_REMOVE_OPERATION_EXCEPTION = new UnsupportedOperationException();
private final Entry<String, PolicyVersion> rootPolicyEntry;
private final Map<String, PolicyVersion> refPolicies;
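Review bot: the shared static ILLEGAL_ARGUMENTS_EXCEPTION instance declared here captures its stack trace once, when the class is initialized, so every later throw reports that same trace and not the caller that passed the null argument. Suggest constructing the exception where it is thrown, e.g. `throw new IllegalArgumentException("Null root policy ID/version");`, or using two separate checks so the message says which of the two arguments was null.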
......@@ -89,8 +91,13 @@ public final class StaticApplicablePolicyView implements Iterable<Entry<String,
public StaticApplicablePolicyView(String rootPolicyId, PolicyVersion rootPolicyVersion,
Map<String, PolicyVersion> refPolicies)
{
if (rootPolicyId == null || rootPolicyVersion == null)
{
throw ILLEGAL_ARGUMENTS_EXCEPTION;
}
this.rootPolicyEntry = new SimpleImmutableEntry<>(rootPolicyId, rootPolicyVersion);
this.refPolicies = refPolicies;
this.refPolicies = refPolicies == null ? Collections.<String, PolicyVersion> emptyMap() : refPolicies;
}
/**
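Review bot: the non-null branch of `this.refPolicies = refPolicies == null ? Collections.<String, PolicyVersion> emptyMap() : refPolicies;` stores the caller's map by reference, so the view is immutable when built from null but can still be changed through the caller's reference (or through the map returned by the getter) otherwise. For a class that records which policies are applicable, suggest copying the argument into an unmodifiable map in the constructor so the set of referenced policies cannot change after construction.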
......@@ -114,7 +121,7 @@ public final class StaticApplicablePolicyView implements Iterable<Entry<String,
}
/**
* Policies referenced directly or indirectly from the root policy
* Policies referenced directly or indirectly from the root policy; empty map if none
*
* @return referenced policies (by policy ID)
*/
......@@ -123,6 +130,9 @@ public final class StaticApplicablePolicyView implements Iterable<Entry<String,
return this.refPolicies;
}
/**
* The root policy entry is always the first item in the iteration
*/
@Override
public Iterator<Entry<String, PolicyVersion>> iterator()
{
......
org.ow2.authzforce.core.pdp.impl.policy.CoreRootPolicyProviderModule$Factory
org.ow2.authzforce.core.pdp.impl.policy.CoreRefPolicyProviderModule$Factory
org.ow2.authzforce.core.pdp.impl.policy.CoreRefBasedRootPolicyProviderModule$Factory
org.ow2.authzforce.core.pdp.impl.DefaultRequestFilter$LaxFilterFactory
org.ow2.authzforce.core.pdp.impl.DefaultRequestFilter$StrictFilterFactory
org.ow2.authzforce.core.pdp.impl.MultiDecisionRequestFilter$LaxFilterFactory
org.ow2.authzforce.core.pdp.impl.MultiDecisionRequestFilter$StrictFilterFactory
\ No newline at end of file
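Review bot: the provider list ends without a trailing newline (`\ No newline at end of file`) after the MultiDecisionRequestFilter$StrictFilterFactory entry. Suggest ending the file with a newline so that the next factory appended to the list shows up as a one-line addition and not as a change to this line.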
......@@ -159,12 +159,13 @@
</restriction>
</simpleType>
</attribute>
<attribute name="requestFilter" type="anyURI" use="optional">
<attribute name="requestFilter" type="anyURI" use="optional" default="urn:thalesgroup:xacml:request-filter:default-lax">
<annotation>
<documentation>
<p>URI of a XACML Request filter to be enabled. A XACML Request filter is a PDP extension that applies some processing of the request, such as validation and transformation, prior to the policy
evaluation. As an example of validation, a Request filter may reject a request containing an unsupported XACML element. As an example of transformation, it may support the MultiRequests
element, and more generally the Multiple Decision Profile or Hierarchical Resource Profile by creating multiple Individual Decision Requests from the original XACML request, as defined in XACML
element, and more generally the Multiple Decision Profile or Hierarchical Resource Profile by creating multiple
Individual Decision Requests from the original XACML request, as defined in XACML
Multiple Decision Profile specification, section 2; and then call the policy evaluation engine for each Individual Decision Request. At the end, the results (one per Individual Decision
Request) may be combined by a DecisionCombiner specified by next attribute 'decisionCombiner'.
</p>
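Review bot: the `default="urn:thalesgroup:xacml:request-filter:default-lax"` added to the requestFilter attribute is not mentioned in the <documentation> text of this hunk, so a reader of the schema documentation does not learn which filter applies when the attribute is omitted. Suggest adding a sentence that names the default and says it is the variant that accepts duplicate <Attribute> elements. The re-wrapped line "element, and more generally the Multiple Decision Profile ..." is a whitespace-only change and could be dropped to keep the diff to the functional edit.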
......@@ -176,6 +177,15 @@
separate from values of Attributes without Issuer, in the attribute
map returned by getNamedAttributes() on
the IndividualDecisionRequests produced by the RequestFilter.</p>
<p>The following values of 'requestFilter' are natively supported:</p>
<p>"urn:thalesgroup:xacml:request-filter:default-lax": implements only XACML 3.0 Core (NO support for Multiple Decision) and allows duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request
(complying with XACML 3.0 core spec, §7.3.3)</p>
<p>"urn:thalesgroup:xacml:request-filter:default-strict": implements only XACML 3.0 Core (NO support for Multiple Decision) and does not allow duplicate &lt;Attribute&gt; with same meta-data in the same &lt;Attributes&gt; element of a Request
(NOT complying with XACML 3.0 core spec, §7.3.3, but better performances)</p>
<p>"urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-lax": implements Multiple Decision Profile, section 2.3 (repeated attribute categories), and allows duplicate &lt;Attribute&gt; with same meta-data in the same
&lt;Attributes&gt; element of a Request (complying with XACML 3.0 core spec, §7.3.3)</p>
<p>"urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-strict": same as previous one, except it does not allow duplicate &lt;Attribute&gt; with same meta-data in the same
&lt;Attributes&gt; element of a Request (NOT complying with XACML 3.0 core spec, §7.3.3, but better performances)</p>
</documentation>
</annotation>
</attribute>
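Review bot: the two repeated-attribute-categories identifiers in the added <p> elements carry a "-lax"/"-strict" suffix under the urn:oasis: prefix, while the other two natively supported filters use urn:thalesgroup:. If the suffixed identifiers are defined by this project and not by the OASIS profile, suggest saying so in the documentation or moving them under the project's own prefix, so they are not taken for standard identifiers. The last entry's "same as previous one" also depends on paragraph order; spelling out "implements Multiple Decision Profile, section 2.3" there would keep it correct if the list is reordered.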
......