Class BaseXacmlJaxbRequestPreprocessor

    • Field Detail

      • UNSUPPORTED_REQUEST_DEFAULTS_EXCEPTION

        protected static final IndeterminateEvaluationException UNSUPPORTED_REQUEST_DEFAULTS_EXCEPTION
        Indeterminate exception to be thrown iff RequestDefaults element not supported by the request preprocessor
      • UNSUPPORTED_MULTI_REQUESTS_EXCEPTION

        protected static final IndeterminateEvaluationException UNSUPPORTED_MULTI_REQUESTS_EXCEPTION
        Indeterminate exception to be thrown iff MultiRequests element not supported by the request preprocessor
    • Constructor Detail

      • BaseXacmlJaxbRequestPreprocessor

        protected BaseXacmlJaxbRequestPreprocessor(AttributeValueFactoryRegistry attributeValueFactoryRegistry,
                                                   boolean strictAttributeIssuerMatch,
                                                   boolean allowAttributeDuplicates,
                                                   boolean requireContentForXPath,
                                                   net.sf.saxon.s9api.Processor xmlProcessor,
                                                   Set<String> extraPdpFeatures)
                                            throws UnsupportedOperationException
        Creates instance of request pre-processor.
        Parameters:
        attributeValueFactoryRegistry - registry of datatype-specific attribute value parsers
        strictAttributeIssuerMatch - true iff it is required that an AttributeDesignator without Issuer only match request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Set it to false if you want full compliance with the XACML 3.0 Attribute Evaluation: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
        allowAttributeDuplicates - true iff the pre-processor should allow defining multi-valued attributes by repeating the same XACML Attribute (same AttributeId) within a XACML Attributes element (same Category). Not allowing this is not fully compliant with the XACML spec, according to a discussion on the xacml-dev mailing list (see https://lists.oasis-open.org/archives/xacml-dev/201507/msg00001.html) referring to the XACML 3.0 core spec, §7.3.3, which indicates that multiple occurrences of the same <Attribute> with the same meta-data but different values should be considered equivalent to a single <Attribute> element with the same meta-data and merged values (multi-valued Attribute). Moreover, the XACML 3.0 conformance test 'IIIA024' expects this behavior: the multiple subject-id Attributes are expected to result in a multi-value bag during evaluation of the <AttributeDesignator>.

        Setting this parameter to false is not fully compliant, but provides better performance, especially if you know the Requests to be well-formed, i.e. all AttributeValues of a given Attribute are grouped together in the same <Attribute> element. Combined with strictAttributeIssuerMatch == true, this is the most efficient alternative (although not fully compliant).

        requireContentForXPath - true iff Attributes/Content parsing (into XDM) for XPath evaluation is required
        xmlProcessor - XML processor for parsing Attributes/Content elements into XDM for XPath evaluation. May be null if requireContentForXPath is false.
        extraPdpFeatures - extra features supported by the PDP engine, i.e. features that are not mandatory per the XACML 3.0 core specification. Any feature requested by any request is checked against this set before processing the request further. If some feature is not supported, an Indeterminate Result is returned.
        Throws:
        UnsupportedOperationException - if strictAttributeIssuerMatch == false && allowAttributeDuplicates == false which is not supported
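
        The effect of the two flags above on attribute parsing and AttributeDesignator matching, as an added illustration (not AuthzForce code). The Attr record, the parse/designate helpers and the sample request are hypothetical, and DataType is left out of the key to keep the model short.

```java
import java.util.*;

// Illustrative model only; these types are hypothetical, not AuthzForce classes.
public class AttributeMatchingDemo {
    // Constructed stand-in for one XACML <Attribute> inside an <Attributes Category="..."> element.
    record Attr(String category, String id, String issuer, List<String> values) {}

    // Builds the request's attribute bags, keyed by category|AttributeId|Issuer.
    static Map<String, List<String>> parse(List<Attr> attrs, boolean strictIssuer, boolean allowDuplicates) {
        if (!strictIssuer && !allowDuplicates) // the combination the documented constructor rejects
            throw new UnsupportedOperationException("strictAttributeIssuerMatch == false && allowAttributeDuplicates == false");
        Map<String, List<String>> bags = new LinkedHashMap<>();
        for (Attr a : attrs) {
            String key = a.category() + "|" + a.id() + "|" + (a.issuer() == null ? "" : a.issuer());
            if (bags.containsKey(key) && !allowDuplicates)
                throw new IllegalArgumentException("duplicate Attribute: " + key); // request is refused
            // XACML 3.0 §7.3.3: repeated <Attribute> with same meta-data == one multi-valued attribute
            bags.computeIfAbsent(key, k -> new ArrayList<>()).addAll(a.values());
        }
        return bags;
    }

    // Evaluates an AttributeDesignator; designatorIssuer == null means the designator has no Issuer.
    static List<String> designate(Map<String, List<String>> bags, String category, String id,
                                  String designatorIssuer, boolean strictIssuer) {
        List<String> bag = new ArrayList<>();
        String prefix = category + "|" + id + "|";
        for (Map.Entry<String, List<String>> e : bags.entrySet()) {
            if (!e.getKey().startsWith(prefix)) continue;
            String issuer = e.getKey().substring(prefix.length());
            boolean match = designatorIssuer != null ? issuer.equals(designatorIssuer)
                    : (!strictIssuer || issuer.isEmpty()); // non-strict: Issuer ignored (§5.29)
            if (match) bag.addAll(e.getValue());
        }
        return bag;
    }

    public static void main(String[] args) {
        List<Attr> request = List.of( // constructed sample request
                new Attr("access-subject", "subject-id", null, List.of("alice")),
                new Attr("access-subject", "subject-id", null, List.of("alice@example.com")),
                new Attr("access-subject", "role", "hr-idp", List.of("manager")));
        var bags = parse(request, true, true);
        System.out.println(designate(bags, "access-subject", "subject-id", null, true));
        System.out.println(designate(parse(request, false, true), "access-subject", "role", null, false));
        System.out.println(designate(bags, "access-subject", "role", null, true));
    }
}
```

        Requires Java 16 or later for records. With strict matching, the issuer-less designator for role returns an empty bag because the only role attribute in the sample request carries an Issuer.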
    • Method Detail

      • process

        public abstract List<IndividualXacmlJaxbRequest> process(List<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> attributesList,
                                                                 SingleCategoryXacmlAttributesParser<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> xacmlAttrsParser,
                                                                 boolean isApplicablePolicyIdListReturned,
                                                                 boolean combinedDecision,
                                                                 net.sf.saxon.s9api.XPathCompiler xPathCompiler,
                                                                 Map<String,String> namespaceURIsByPrefix)
                                                          throws IndeterminateEvaluationException
        Pre-processes (validates and/or transforms) a Request. This may result in multiple individual decision requests, e.g. if implementing the Multiple Decision Profile or Hierarchical Resource profile.
        Parameters:
        attributesList - list of XACML Request Attributes elements
        xacmlAttrsParser - XACML Attributes element Parser instance, used to parse each Attributes in attributesList.
        isApplicablePolicyIdListReturned - XACML Request's property returnPolicyIdList.
        combinedDecision - XACML Request's property isCombinedDecision
        xPathCompiler - XPath expression compiler, corresponding to the XACML RequestDefaults element, or null if no RequestDefaults element.
        namespaceURIsByPrefix - namespace prefix-URI mappings (e.g. "... xmlns:prefix=uri") in the original XACML Request bound to req, used as part of the context for XPath evaluation
        Returns:
        individual decision requests, as defined in Multiple Decision Profile, e.g. a singleton list if no multiple decision requested or supported by the pre-processor

        Returns a Collection rather than an array to make it easy for the implementer to create a defensive copy with Collections#unmodifiableList() and the like.

        Throws:
        IndeterminateEvaluationException - if some feature requested in the Request is not supported by this pre-processor
      • process

        public final List<IndividualXacmlJaxbRequest> process(oasis.names.tc.xacml._3_0.core.schema.wd_17.Request jaxbRequest,
                                                              Map<String,String> namespaceURIsByPrefix)
                                                       throws IndeterminateEvaluationException
        Description copied from interface: DecisionRequestPreprocessor
        Pre-processes a decision request. This may result in multiple individual decision requests, e.g. if implementing the Multiple Decision Profile.
        Specified by:
        process in interface DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
        Parameters:
        jaxbRequest - input Request
        namespaceURIsByPrefix - namespace prefix-URI mappings (e.g. "... xmlns:prefix=uri") in the original XACML Request bound to req, used as part of the context for XPath evaluation; may be null if no such mapping is defined
        Returns:
        individual decision requests, as defined in Multiple Decision Profile, e.g. a singleton list if no multiple decision requested or supported by this

        Returns a Collection rather than an array to make it easy for the implementer to create a defensive copy with Collections#unmodifiableList() and the like.

        Throws:
        IndeterminateEvaluationException - if some feature requested in the Request is not supported by this