Commit eb7b94ef authored by Romain Ferrari's avatar Romain Ferrari

Preparing merge

parent 5465c89e
......@@ -22,12 +22,6 @@
<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
<url>${scm.baseUrl}/core</url>
</scm>
<properties>
<!-- JDK versions for AspectJ -->
<jdk.source>1.7</jdk.source>
<jdk.target>1.7</jdk.target>
<debug>false</debug>
</properties>
<dependencies>
<dependency>
<!-- Used only to do Strings.join() in StandardFactory's init debug messages -->
......@@ -57,20 +51,53 @@
<artifactId>xml-resolver</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<!-- For validation of XACML RFC822Name (email address) -->
<groupId>com.sun.mail</groupId>
<artifactId>javax.mail</artifactId>
<version>1.5.4</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</dependency>
<dependency>
<!-- For validating IP addresses (XACML IPAdress datatype), Domain names (XACML DNSName datatype),
etc. without any DNS resolution -->
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>18.0</version>
</dependency>
<dependency>
<!-- For XACML AttributeSelector evaluation and XPath-based functions (making reference to [XF]) -->
<groupId>net.sf.saxon</groupId>
<artifactId>Saxon-HE</artifactId>
<version>9.6.0-5</version>
</dependency>
<dependency>
<!-- Used for DOM parsing / XPath evaluation -->
<groupId>com.thalesgroup.appsec</groupId>
<artifactId>thales-appsec-common-utils</artifactId>
</dependency>
<!-- Authzforce dependencies -->
<!-- xml-ns-model and xacml-model dependencies are declared here only to work around maven-jaxb2-plugin bug: cannot resolve
episodes from indirect dependencies with useDependenciesAsEpisodes option. -->
<dependency>
<groupId>com.thalesgroup.authzforce</groupId>
<artifactId>authzforce-core-model</artifactId>
<artifactId>authzforce-xml-ns-model</artifactId>
<version>1.0</version>
</dependency>
<dependency>
<groupId>com.thalesgroup.authzforce</groupId>
<artifactId>authzforce-xacml-model</artifactId>
<version>3.0.3</version>
</dependency>
<dependency>
<groupId>com.thalesgroup.authzforce</groupId>
<artifactId>authzforce-pdp-ext-model</artifactId>
<version>3.2.7</version>
</dependency>
<!-- /Authzforce dependencies -->
<!-- Test dependencies -->
......@@ -90,6 +117,39 @@
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.5</version>
<configuration>
<targetJdk>1.7</targetJdk>
<excludeRoots>
<excludeRoot>target/generated-sources</excludeRoot>
<excludeRoot>target/generated-test-sources</excludeRoot>
</excludeRoots>
</configuration>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<version>3.0.1</version>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<!-- Apache license Headers -->
<groupId>com.mycila</groupId>
......@@ -121,19 +181,8 @@
<exclude>**/*.md</exclude>
<exclude>**/*.properties</exclude>
<exclude>**/*.gitignore</exclude>
<exclude>src/main/java/com/sun/xacml/cond/xacmlv3/Apply.java</exclude>
</excludes>
<includes>
<include>src/main/java/com/sun/xacml/xacmlv3/**</include>
<include>src/main/java/com/sun/xacml/cond/xacmlv3/**</include>
<include>src/main/java/com/sun/xacml/ctx/xacmlv3/**</include>
<include>src/main/java/com/sun/xacml/CacheManager.java</include>
<include>src/main/java/com/sun/xacml/ObligationExpressions.java</include>
<include>src/main/java/com/sun/xacml/combine/PermitUnlessDenyPolicyAlg</include>
<include>src/main/java/com/sun/xacml/combine/PermitUnlessDenyRuleAlg</include>
<include>src/main/java/com/sun/xacml/combine/DenyUnlessPermitPolicyAlg</include>
<include>src/main/java/com/sun/xacml/combine/DenyUnlessPermitRuleAlg</include>
<include>src/main/java/com/sun/xacml/finder/impl/MultipleResourceFinder.java</include>
<include>src/main/java/com/thalesgroup/authzforce/core/**</include>
<!-- Include test files also -->
<include>src/test/java/**</include>
......@@ -186,21 +235,6 @@
<extension>true</extension>
<useDependenciesAsEpisodes>true</useDependenciesAsEpisodes>
<strict>false</strict>
<!-- Episodes: Only episodes for schemas referenced (imported/included) by schema(s) in schemaDirectory
can be listed here. If not possible, just create an empty schema in schemaDirectory which imports all
the episode elements but does nothing with them. -->
<!-- <episodes> -->
<!-- </episodes> -->
<!-- <plugins> -->
<!-- <plugin> -->
<!-- <groupId>com.thalesgroup.ktd.scis</groupId> -->
<!-- <artifactId>oasis-xacml-model</artifactId> -->
<!-- </plugin> -->
<!-- <plugin> -->
<!-- <groupId>com.thalesgroup.authzforce</groupId> -->
<!-- <artifactId>authzforce-core-model</artifactId> -->
<!-- </plugin> -->
<!-- </plugins> -->
<catalog>src/main/jaxb/catalog.xml</catalog>
<removeOldOutput>true</removeOldOutput>
<bindingDirectory>src/main/jaxb</bindingDirectory>
......@@ -234,42 +268,7 @@
</configuration>
</execution>
</executions>
</plugin>
<!-- Maven compiler configuration -->
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<executions>
<execution>
<id>default-testCompile</id>
<phase>test-compile</phase>
<goals>
<goal>testCompile</goal>
</goals>
<configuration>
<verbose>${debug}</verbose>
<showWeaveInfo>${debug}</showWeaveInfo>
<outxml>${debug}</outxml>
<source>${jdk.source}</source>
<target>${jdk.target}</target>
</configuration>
</execution>
<execution>
<id>default-compile</id>
<phase>compile</phase>
<goals>
<goal>compile</goal>
</goals>
<configuration>
<source>${jdk.source}</source>
<target>${jdk.target}</target>
</configuration>
</execution>
</executions>
<configuration>
<source>${jdk.source}</source>
<target>${jdk.target}</target>
</configuration>
</plugin>
</plugin>
<!-- Test configuration -->
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
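Review bot: The added findbugs-maven-plugin block binds `check` to `verify` with no `<configuration>`, while the maven-pmd-plugin block just above it excludes `target/generated-sources`. FindBugs works on compiled classes, so the JAXB-generated classes this build presumably produces will be analysed and can fail the build on findings nobody can fix in source. Consider adding `<configuration><excludeFilterFile>FILTER_FILE_PLACEHOLDER</excludeFilterFile></configuration>` with a filter matching the generated packages, so the gate stays enforceable on the hand-written PDP code. Separately, `<targetJdk>1.7</targetJdk>` is now a literal, while the same commit removes the `jdk.source`/`jdk.target` properties and the compiler-plugin configuration. If the Java level is meant to come from a parent POM (not visible here), PMD should reference that same property rather than repeat the value.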
......
......@@ -67,7 +67,7 @@ import com.sun.xacml.cond.xacmlv3.EvaluationResult;
import com.sun.xacml.finder.AttributeFinder;
import com.thalesgroup.appsec.util.Utils;
import com.thalesgroup.authzforce.core.PdpModelHandler;
import com.thalesgroup.authzforce.xacml.schema.XACMLCategory;
import com.thalesgroup.authzforce.xacml._3_0.identifiers.XACMLCategory;
/**
* A basic implementation of <code>EvaluationCtx</code> that is created from an XACML Request and
......
......@@ -60,7 +60,7 @@ import com.sun.xacml.finder.PolicyFinderResult;
import com.sun.xacml.finder.ResourceFinder;
import com.sun.xacml.finder.ResourceFinderResult;
import com.thalesgroup.appsec.util.Utils;
import com.thalesgroup.authzforce.xacml.schema.XACMLCategory;
import com.thalesgroup.authzforce.xacml._3_0.identifiers.XACMLCategory;
/**
* This is the core class for the XACML engine, providing the starting point for request evaluation.
......
......@@ -39,7 +39,7 @@ import com.sun.xacml.combine.CombiningAlgFactory;
import com.sun.xacml.combine.CombiningAlgFactoryProxy;
import com.sun.xacml.cond.FunctionFactory;
import com.sun.xacml.cond.FunctionFactoryProxy;
import com.thalesgroup.authzforce.xacml.schema.XACMLVersion;
import com.thalesgroup.authzforce.xacml._3_0.identifiers.XACMLVersion;
/**
......
......@@ -57,7 +57,7 @@ import com.sun.xacml.cond.Evaluatable;
import com.sun.xacml.cond.xacmlv3.EvaluationResult;
import com.sun.xacml.ctx.Status;
import com.thalesgroup.authzforce.core.PdpModelHandler;
import com.thalesgroup.authzforce.xacml.schema.XACMLCategory;
import com.thalesgroup.authzforce.xacml._3_0.identifiers.XACMLCategory;
public class AttributeDesignator extends AttributeDesignatorType implements Evaluatable
{
......
......@@ -35,7 +35,6 @@ package com.sun.xacml.finder;
import com.sun.xacml.EvaluationCtx;
import com.sun.xacml.attr.xacmlv3.AttributeValue;
import com.thalesgroup.authz.model.ext._3.AbstractResourceFinder;
import com.thalesgroup.authzforce.core.IPdpExtension;
......
......@@ -33,8 +33,7 @@ import com.sun.xacml.Indenter;
import com.sun.xacml.ParsingException;
import com.sun.xacml.PolicyMetaData;
import com.sun.xacml.ctx.Attribute;
import com.thalesgroup.authzforce.xacml.schema.XACMLAttributeId;
import com.thalesgroup.authzforce.xacml.schema.XACMLVersion;
import com.thalesgroup.authzforce.xacml._3_0.identifiers.XACMLAttributeId;
/**
* Represents the AttributesType XML type found in the context schema.
......
......@@ -20,10 +20,8 @@ package com.thalesgroup.authzforce.core;
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
......@@ -32,25 +30,33 @@ import java.util.Map;
import javax.xml.bind.JAXBException;
import javax.xml.transform.Source;
import net.sf.ehcache.Cache;
import net.sf.ehcache.store.MemoryStoreEvictionPolicy;
import org.apache.commons.jxpath.Functions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;
import org.springframework.xml.transform.ResourceSource;
import com.sun.xacml.PDP;
import com.sun.xacml.PDPConfig;
import com.sun.xacml.UnknownIdentifierException;
import com.sun.xacml.attr.AttributeFactory;
import com.sun.xacml.attr.AttributeProxy;
import com.sun.xacml.attr.BaseAttributeFactory;
import com.sun.xacml.attr.StandardAttributeFactory;
import com.sun.xacml.combine.BaseCombiningAlgFactory;
import com.sun.xacml.combine.CombiningAlgFactory;
import com.sun.xacml.combine.CombiningAlgorithm;
import com.sun.xacml.combine.StandardCombiningAlgFactory;
import com.sun.xacml.cond.BaseFunctionFactory;
import com.sun.xacml.cond.BasicFunctionFactoryProxy;
import com.sun.xacml.cond.Function;
import com.sun.xacml.cond.FunctionFactory;
import com.sun.xacml.cond.FunctionFactoryProxy;
import com.sun.xacml.cond.StandardFunctionFactory;
import com.sun.xacml.cond.cluster.FunctionCluster;
import com.sun.xacml.finder.AttributeFinder;
import com.sun.xacml.finder.AttributeFinderModule;
import com.sun.xacml.finder.PolicyFinder;
......@@ -63,23 +69,7 @@ import com.sun.xacml.support.finder.StaticPolicyFinderModule;
import com.sun.xacml.support.finder.StaticRefPolicyFinderModule;
import com.thalesgroup.authz.model.ext._3.AbstractAttributeFinder;
import com.thalesgroup.authz.model.ext._3.AbstractPolicyFinder;
import com.thalesgroup.authz.model.ext._3.AbstractResourceFinder;
import com.thalesgroup.authz.model.ext._3.Cache;
import com.thalesgroup.authz.model.ext._3.CacheMemoryStoreEvictionPolicy;
import com.thalesgroup.authzforce.pdp.model._2014._12.AttributeFactory;
import com.thalesgroup.authzforce.pdp.model._2014._12.AttributeSelectorXPathFinder;
import com.thalesgroup.authzforce.pdp.model._2014._12.CombiningAlgFactory;
import com.thalesgroup.authzforce.pdp.model._2014._12.CombiningAlgFactory.Algorithm;
import com.thalesgroup.authzforce.pdp.model._2014._12.CurrentDateTimeFinder;
import com.thalesgroup.authzforce.pdp.model._2014._12.FunctionFactory;
import com.thalesgroup.authzforce.pdp.model._2014._12.Functions;
import com.thalesgroup.authzforce.pdp.model._2014._12.Functions.Function;
import com.thalesgroup.authzforce.pdp.model._2014._12.Functions.FunctionCluster;
import com.thalesgroup.authzforce.pdp.model._2014._12.PDP;
import com.thalesgroup.authzforce.pdp.model._2014._12.Pdps;
import com.thalesgroup.authzforce.pdp.model._2014._12.StaticPolicyFinder;
import com.thalesgroup.authzforce.pdp.model._2014._12.StaticRefPolicyFinder;
import com.thalesgroup.authzforce.pdp.model._2014._12.XacmlFeatureIdToImplementation;
/**
* XML-based Configuration manager using XML schema and JAXB to load PDP configurations
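Review bot: The imports `net.sf.ehcache.Cache`, `net.sf.ehcache.store.MemoryStoreEvictionPolicy` and `org.apache.commons.jxpath.Functions` stand in for the JAXB model imports this file drops (`com.thalesgroup.authz.model.ext._3.Cache`, `...pdp.model._2014._12.Functions`), which looks like IDE auto-resolution of the now-missing names rather than a deliberate choice. No pom.xml hunk shown in this commit declares ehcache or commons-jxpath. If the class body (outside these hunks) really uses them, declare both artifacts explicitly in the module's `<dependencies>` so the build does not depend on whatever version arrives transitively; if not, remove the imports. The same check applies to `com.sun.xacml.PDP`, `AttributeFactory`, `CombiningAlgFactory` and `FunctionFactory`, which now occupy the names of the removed configuration-model types.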
......
......@@ -52,11 +52,6 @@ import org.w3c.dom.NodeList;
import com.blogspot.illegalargumentexception.NamespaceContextMap;
import com.thalesgroup.appsec.util.Utils;
import com.thalesgroup.authzforce.pdp.model._2014._12.AttributeSelectorXPathFinder;
import com.thalesgroup.authzforce.pdp.model._2014._12.CurrentDateTimeFinder;
import com.thalesgroup.authzforce.pdp.model._2014._12.Pdps;
import com.thalesgroup.authzforce.pdp.model._2014._12.StaticPolicyFinder;
import com.thalesgroup.authzforce.pdp.model._2014._12.StaticRefPolicyFinder;
/**
* PDP Engine XML configuration handler
......
<?xml version="1.0" encoding="UTF-8"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
<!-- For Maven JAXB plugin -->
<system systemId="http://www.w3.org/2001/xml.xsd" uri="maven:com.thalesgroup.ktd.scis:xml-ns-model:jar!/xml.xsd" />
<system systemId="http://www.w3.org/2001/xml.xsd" uri="maven:com.thalesgroup.authzforce:authzforce-xml-ns-model:jar!/xml.xsd" />
<public publicId="http://thalesgroup.com/authz/model/ext/3.0"
uri="maven:com.thalesgroup.authzforce:authzforce-core-model:jar!/authz-ext-base.xsd" />
uri="maven:com.thalesgroup.authzforce:authzforce-pdp-ext-model:jar!/authz-ext-base.xsd" />
<public publicId="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
uri="maven:com.thalesgroup.ktd.scis:oasis-xacml-model:jar!/xacml-core-v3-schema-wd-17.xsd" />
</catalog>
\ No newline at end of file
uri="maven:com.thalesgroup.authzforce:authzforce-xacml-model:jar!/xacml-core-v3-schema-wd-17.xsd" />
</catalog>
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://thalesgroup.com/authzforce/pdp/model/2014/12"
xmlns:tns="http://thalesgroup.com/authzforce/pdp/model/2014/12" elementFormDefault="qualified"
<schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://thalesgroup.com/authzforce/pdp/model/2015/06"
xmlns:tns="http://thalesgroup.com/authzforce/pdp/model/2015/06" elementFormDefault="qualified"
xmlns:authz-ext="http://thalesgroup.com/authz/model/ext/3.0">
<!-- XACML XSD import only necessary to fix bug in maven jaxb2 plugin used for generating Java class
from this schema -->
<import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" />
<import namespace="http://thalesgroup.com/authz/model/ext/3.0" />
<annotation>
<documentation xml:lang="en">
Data model of AuthZForce PDP configuration
Data model of AuthZForce PDP configuration.
<p>
For any such configuration (XML) file (instance of this schema) loaded, AuthZForce PDP
configuration handler sets the
global variable 'PARENT_DIR' to the path to the parent directory
of this XML configuration file, so
that any placeholder ${PARENT_DIR} is replaced with this
value, and may be used in text nodes to
specify file paths relative to the configuration file for
instance.
If the location to the
configuration file is not resolved to a file on the file system,
'PARENT_DIR' is undefined.
You
may use the colon ':' as a separating character between the
placeholder variable and an
associated default value, if PARENT_DIR is initially undefined.
E.g.
${PARENT_DIR:/home/foo/conf}
will be replaced with '/home/foo/conf' if PARENT_DIR is undefined.
</p>
</documentation>
</annotation>
<element name="pdps">
<element name="pdp">
<complexType>
<sequence>
<element minOccurs="1" maxOccurs="unbounded" name="pdp" type="tns:PDP">
<element name="attributeDatatype" type="anyURI" minOccurs="0" maxOccurs="unbounded">
<annotation>
<documentation>URI of an attribute datatype to be added to supported datatypes. There must be
one and only one
Java class - say 'com.example.FooValueFactory' - on the classpath
implementing
interface
'com.thalesgroup.authzforce.core.attr.AttributeValue.Factory' with
zero-arg constructor,
such that this URI equals:
new com.example.FooValueFactory().getId().
</documentation>
</annotation>
</element>
<element name="function" type="anyURI" minOccurs="0" maxOccurs="unbounded">
<annotation>
<documentation>URI of a function to be added to supported functions.
There must be one and only
one
Java class - say 'com.example.FooFunction' - on the classpath implementing
interface
'com.sun.xacml.cond.Function' with zero-arg constructor, such that this URI equals:
new
com.example.FooFunction().getId(). Whenever possible, extension implementers should
implement
sub-class 'com.sun.xacml.cond.BaseFunction' actually, instead of implementing
'com.sun.xacml.cond.Function' directly.
</documentation>
</annotation>
</element>
<element name="functionSet" type="anyURI" minOccurs="0" maxOccurs="unbounded">
<annotation>
<documentation>URI of a set of functions to be added to supported functions.
There must be one
and only one
Java class - say 'com.example.FooFunctionSet' - on the classpath implementing
interface
'com.thalesgroup.authzforce.core.func.FunctionSet' with zero-arg constructor, such
that this
URI equals:
new com.example.FooFunctionSet().getId().
</documentation>
</annotation>
</element>
<element name="combiningAlgorithm" type="anyURI" minOccurs="0" maxOccurs="unbounded">
<annotation>
<documentation>URI of a policy/rule-combining algorithm to be added to supported algorithms.
There must be one and only one Java class - say 'com.example.FooCombiningAlg' - on the
classpath implementing
interface
'com.sun.xacml.combine.CombiningAlgorithm' with zero-arg
constructor, such that this URI equals:
new com.example.FooCombiningAlg().getId().
</documentation>
</annotation>
</element>
<element name="attributeFactory" type="tns:AttributeFactory" maxOccurs="unbounded"
minOccurs="1">
<key name="datatypeKey">
<selector xpath="tns:datatype" />
<field xpath="@id" />
</key>
<element name="attributeFinder" type="authz-ext:AbstractAttributeFinder" maxOccurs="unbounded"
minOccurs="0">
<annotation>
<documentation>Attribute finder that provides attributes not already provided in the XACML
request by PEP, e.g. from external sources.
There must be one and only
one Java class - say
'com.example.FooAttributeFinderModuleFactory' - on the classpath
implementing
interface
'com.sun.xacml.finder.AttributeFinderModule.Factory&lt;CONF_T&gt;'
with zero-arg
constructor,
where CONF_T is the JAXB type bound to this XML
element type.
This
attribute finder
may also
depend on previously defined
'attributeFinders', to find dependency
attributes, i.e.
attributes
that this finder does not support itself, but requires to find
its
supported
attributes.
Therefore, if an 'attributeFinder' AFy requires/depends on an attribute A that is
not to be
provided by the PEP, another 'attributeFinder' AFx providing this attribute A must
be
declared
before X.
</documentation>
</annotation>
</element>
<element name="combiningAlgFactory" type="tns:CombiningAlgFactory" minOccurs="1"
maxOccurs="unbounded">
<key name="algorithmKey">
<selector xpath="tns:algorithm" />
<field xpath="@class" />
</key>
<element name="refPolicyFinder" type="authz-ext:AbstractPolicyFinder" minOccurs="0"
maxOccurs="1">
<annotation>
<documentation>Referenced policy finder that resolves Policy(Set)IdReferences.
There must be
one
and only
one Java class - say 'com.example.FooRefPolicyFinderModuleFactory' - on the
classpath
implementing
interface
'com.thalesgroup.authzforce.core.policy.ReferencedPolicyFinderModule.Factory&lt;CONF_T&gt;'
with zero-arg constructor, where CONF_T is the JAXB type bound to this XML element
type.
This
referenced policy finder may also use any of the 'refPolicyFinder' previously
defined, if any,
for Policy(Set)IdReference resolution; as some IdReferences may not be
supported by this
finder.
This element is not required if root policies found by the 'rootPolicyFinder' are
always Policy elements, and not PolicySet elements.
</documentation>
</annotation>
</element>
<element name="functionFactory" type="tns:FunctionFactory" maxOccurs="unbounded"
minOccurs="1">
<key name="functionKey">
<selector xpath="tns:target/tns:function|tns:condition/tns:function|tns:general/tns:function" />
<field xpath="@class" />
</key>
<key name="functionClusterKey">
<selector
xpath="tns:target/tns:functionCluster|tns:condition/tns:functionCluster|tns:general/tns:functionCluster" />
<field xpath="@class" />
</key>
<key name="abstractFunctionKey">
<selector
xpath="tns:target/tns:abstractFunction|tns:condition/tns:abstractFunction|tns:general/tns:abstractFunction" />
<field xpath="@id" />
</key>
<element name="rootPolicyFinder" type="authz-ext:AbstractPolicyFinder">
<annotation>
<documentation>Root/top-level policy finder that provides the root/top-level Policy(Set) to
PDP for evaluation.
There must be one and only
one Java class - say
'com.example.FooRootPolicyFinderModuleFactory' - on the classpath
implementing
interface
'com.thalesgroup.authzforce.core.policy.RootPolicyFinderModule.Factory&lt;CONF_T&gt;'
with
zero-arg constructor, where CONF_T is the JAXB type bound to this XML
element type.
This
class
may also implement
'com.thalesgroup.authzforce.core.policy.ReferencedPolicyFinderModule.Factory&lt;CONF_T&gt;'
to be used as 'refPolicyFinder' as well.
This policy finder may also use any of the
'refPolicyFinder' previously defined, if any, for Policy(Set)IdReference resolution.
</documentation>
</annotation>
</element>
<element name="decisionCache" minOccurs="0" maxOccurs="1" type="authz-ext:AbstractDecisionCache">
<annotation>
<documentation>Decision Response cache that, for a given request, provides the XACML response
from a cache if there is a cached response for the given request. There must be one and only
one Java class -
say
'com.example.FooDecisionCacheFactory' - on the classpath
implementing
interface
'com.thalesgroup.authzforce.core.DecisionCache.Factory&lt;CONF_T&gt;'
with zero-arg
constructor, where CONF_T is the JAXB type bound to this XML
element type.
</documentation>
</annotation>
</element>
</sequence>
<attribute name="defaultPDP" type="NCName" use="required"></attribute>
<attribute name="defaultAttributeFactory" type="NCName"></attribute>
<attribute name="defaultFunctionFactory" type="NCName"></attribute>
<attribute name="defaultCombiningAlgFactory" type="NCName"></attribute>
<attribute name="useStandardDatatypes" type="boolean" use="optional" default="true">
<annotation>
<documentation>Enable support for XACML core standard mandatory attribute datatypes.
</documentation>
</annotation>
</attribute>
<attribute name="useStandardFunctions" type="boolean" use="optional" default="true">
<annotation>
<documentation>Enable support for XACML core standard mandatory functions.
</documentation>
</annotation>
</attribute>
<attribute name="useStandardCombiningAlgorithms" type="boolean" use="optional" default="true">
<annotation>
<documentation>Enable support for XACML core standard combining algorithms.
</documentation>
</annotation>
</attribute>
<attribute name="enableAttributeSelectors" type="boolean" use="optional" default="false">
<annotation>
<documentation>Enable support for AttributeSelectors. This feature is experimental (not to be
used in production). Use with caution.
For your information, AttributeSelector support is
marked as optional in XACML 3.0 core specification.
</documentation>
</annotation>
</attribute>
<attribute name="maxVariableRefDepth" use="optional" default="0">
<annotation>
<documentation>
Maximum depth of Variable reference chaining: VariableDefinition1 -&gt;
VariableDefinition2 -&gt; ...; where '-&gt;' represents a VariableReference.
</documentation>
</annotation>
<simpleType>
<restriction base="nonNegativeInteger">
<minInclusive value="0"></minInclusive>
<maxInclusive value="100"></maxInclusive>
</restriction>
</simpleType>
</attribute>
<attribute name="maxPolicySetRefDepth" use="optional" default="0">
<annotation>
<documentation>Maximum depth of PolicySet reference chaining: PolicySet1 -&gt; PolicySet2 -&gt;
...; where '-&gt;' represents a PolicySetIdReference.
</documentation>
</annotation>
<simpleType>
<restriction base="nonNegativeInteger">
<minInclusive value="0"></minInclusive>
<maxInclusive value="100"></maxInclusive>
</restriction>
</simpleType>
</attribute>
<attribute name="requestFilter" type="anyURI" use="optional">
<annotation>
<documentation>
<p>URI of a XACML Request filter to be enabled. A XACML Request filter is a PDP
extension
that
applies some processing of the request, such as validation and transformation, prior to the
policy evaluation.
As an example of validation, a Request
filter may reject a request containing an
unsupported XACML element. As an example of transformation, it may support the
MultiRequests element, and more generally the
Multiple
Decision
Profile by creating multiple
Individual Decision Requests (EvaluationCtx) from
the
original
XACML
request, as defined in
XACML Multiple Decision Profile specification, section
2; and
then
call
the policy evaluation
engine for each Individual Decision Request.
At the end,
the
results
(one per Individual
Decision
Request) may be combined by a DecisionCombiner specified
by next
attribute
'decisionCombiner'.
</p>
<p>There must be one and
only one Java class - say 'com.example.FooRequestFilter' - on
the
classpath implementing
interface 'com.thalesgroup.authzforce.core.RequestFilter' with
zero-arg
constructor, such
that this URI equals: new
com.example.FooRequestFilter().getId().</p>
</documentation>
</annotation>
</attribute>
<attribute name="resultFilter" type="anyURI" use="optional">
<annotation>
<documentation>URI of a XACML decision Result filter to be enabled. A decision Result filter is a PDP
extension
that process the result(s) from the policy evaluation before the final XACML Response is created (and returned back to the requester).
For example, a typical Result filter may combine multiple individual decisions - produced by
the 'requestFilter' - to a single
decision Result if and only if the XACML Request's 'CombinedDecision' is set
to true,
as defined in XACML
Multiple Decision Profile specification,
section 3.
There must be one and
only
one
Java class - say
'com.example.FooDecisionResultFilter'
- on
the classpath implementing
interface
'com.thalesgroup.authzforce.core.DecisionResultFilter' with
zero-arg constructor, such
that this URI
equals:
new
com.example.FooDecisionResultFilter().getId().
</documentation>
</annotation>
</attribute>
</complexType>
<key name="pdpKey">
<selector xpath="tns:pdp" />
<field xpath="@name" />
<key name="datatypeKey">
<selector xpath="tns:attributeDatatype" />
<field xpath="." />
</key>
<keyref name="pdpKeyRef" refer="tns:pdpKey">
<selector xpath="." />
<field xpath="@defaultPDP" />
</keyref>
<key name="attributeFactoryKey">
<selector xpath="tns:attributeFactory" />
<field xpath="@name" />
<key name="functionKey">
<selector xpath="tns:function" />
<field xpath="." />
</key>
<keyref name="attributeFactoryKeyRef" refer="tns:attributeFactoryKey">
<selector xpath="." />
<field xpath="@defaultAttributeFactory" />
</keyref>
<key name="combiningAlgFactoryKey">
<selector xpath="tns:combiningAlgFactory" />
<field xpath="@name" />
<key name="functionSetKey">
<selector xpath="tns:functionSet" />
<field xpath="." />
</key>
<keyref name="combiningAlgFactoryKeyRef" refer="tns:combiningAlgFactoryKey">
<selector xpath="." />
<field xpath="@defaultCombiningAlgFactory" />
</keyref>
<key name="functionFactoryKey">
<selector xpath="tns:functionFactory" />
<field xpath="@name" />
<key name="algorithmKey">
<selector xpath="tns:combiningAlgorithm" />
<field xpath="." />
</key>
<key name="refPolicyFinderKey">
<selector xpath="tns:refPolicyFinder" />
<field xpath="@id" />
</key>