Package org.ow2.authzforce.core.pdp.api
Interface DecisionResult
-
- All Superinterfaces:
ExtendedDecision
- All Known Implementing Classes:
BaseDecisionResult
public interface DecisionResult extends ExtendedDecision
Result of evaluation ofDecidable
(Policy, Rule...) with PEP actions (Obligations/Advice).
-
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description com.google.common.collect.ImmutableList<PrimaryPolicyMetadata>
getApplicablePolicies()
Get the list of the "applicable" policy elements (XACML Policy/PolicySet elements) that contributed to this decision.com.google.common.collect.ImmutableList<PepAction>
getPepActions()
Get PEP actions (Obligations/Advices), may be empty - but not null - if the decision is neither Permit or Deny-
Methods inherited from interface org.ow2.authzforce.core.pdp.api.ExtendedDecision
getCauseForIndeterminate, getDecision, getExtendedIndeterminate, getStatus
-
-
-
-
Method Detail
-
getPepActions
com.google.common.collect.ImmutableList<PepAction> getPepActions()
Get PEP actions (Obligations/Advices), may be empty - but not null - if the decision is neither Permit or Deny- Returns:
- PEP actions
-
getApplicablePolicies
com.google.common.collect.ImmutableList<PrimaryPolicyMetadata> getApplicablePolicies()
Get the list of the "applicable" policy elements (XACML Policy/PolicySet elements) that contributed to this decision.The XACML specification is ambiguous about what is considered an "applicable" policy, especially it does not state clearly which policies should be added to the PolicyIdentifierList in the final XACML Result. See the discussion here for more info: https://lists.oasis-open.org/archives/xacml-comment/201605/msg00004.html. Here we define an "applicable" policy more explicitly:
A policy is "applicable" if and only if its evaluation result is different from NotApplicable (not NotApplicable means Applicable, shouldn't it?), and one of these two conditions is met:
- The policy/policy reference has no enclosing policy, i.e. it is the root policy in PDP's evaluation.
- The policy has an enclosing policy and the enclosing policy is "applicable". (This definition is recursive.)
isApplicable(policy) iff evaluate(policy) != NotApplicable && (policy.parent == null || isApplicable(policy.parent))
- Returns:
- identifiers of policies found applicable for the decision request. Must be null if and only if the decision is NotApplicable. In particular, if the decision is different from NotApplicable but no applicable policy is returned (e.g. it was not requested to return such a list in the request), the returned list must be an empty list, not null.
-
-