Class BaseXacmlJaxbRequestPreprocessor
- java.lang.Object
  - org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbRequestPreprocessor
- All Implemented Interfaces:
DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
public abstract class BaseXacmlJaxbRequestPreprocessor extends Object implements DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
Convenient base class for DecisionRequestPreprocessor implementations supporting core XACML-schema-defined XML input handled by JAXB framework
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description):
- static class BaseXacmlJaxbRequestPreprocessor.Factory: Convenient base class for DecisionRequestPreprocessor.Factory implementations supporting core XACML-schema-defined XML input handled by JAXB framework
Field Summary
Fields (Modifier and Type, Field, Description):
- protected static IndeterminateEvaluationException UNSUPPORTED_MULTI_REQUESTS_EXCEPTION: Indeterminate exception to be thrown iff MultiRequests element not supported by the request preprocessor
- protected static IndeterminateEvaluationException UNSUPPORTED_REQUEST_DEFAULTS_EXCEPTION: Indeterminate exception to be thrown iff RequestDefaults element not supported by the request preprocessor
Constructor Summary
Constructors (Modifier, Constructor, Description):
- protected BaseXacmlJaxbRequestPreprocessor(AttributeValueFactoryRegistry attributeValueFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, net.sf.saxon.s9api.Processor xmlProcessor, Set<String> extraPdpFeatures): Creates instance of request pre-processor.
Method Summary
Methods (Modifier and Type, Method, Description):
- Class<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request> getInputRequestType(): Returns the type of input requests
- Class<IndividualXacmlJaxbRequest> getOutputRequestType(): Returns the type of output individual decision requests
- abstract List<IndividualXacmlJaxbRequest> process(List<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> attributesList, SingleCategoryXacmlAttributesParser<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, net.sf.saxon.s9api.XPathCompiler xPathCompiler, Map<String,String> namespaceURIsByPrefix): Pre-processes (validates and/or transforms) a Request, may result in multiple individual decision requests, e.g.
- List<IndividualXacmlJaxbRequest> process(oasis.names.tc.xacml._3_0.core.schema.wd_17.Request jaxbRequest, Map<String,String> namespaceURIsByPrefix): Pre-processes a decision request, may result in multiple individual decision requests, e.g.
Field Detail
UNSUPPORTED_REQUEST_DEFAULTS_EXCEPTION
protected static final IndeterminateEvaluationException UNSUPPORTED_REQUEST_DEFAULTS_EXCEPTION
Indeterminate exception to be thrown iff RequestDefaults element not supported by the request preprocessor
UNSUPPORTED_MULTI_REQUESTS_EXCEPTION
protected static final IndeterminateEvaluationException UNSUPPORTED_MULTI_REQUESTS_EXCEPTION
Indeterminate exception to be thrown iff MultiRequests element not supported by the request preprocessor
Constructor Detail
BaseXacmlJaxbRequestPreprocessor
protected BaseXacmlJaxbRequestPreprocessor(AttributeValueFactoryRegistry attributeValueFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, net.sf.saxon.s9api.Processor xmlProcessor, Set<String> extraPdpFeatures) throws UnsupportedOperationException
Creates instance of request pre-processor.
- Parameters:
attributeValueFactoryRegistry - registry of datatype-specific attribute value parsers
strictAttributeIssuerMatch - true iff it is required that AttributeDesignator without Issuer only match request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Set it to false, if you want full compliance with the XACML 3.0 Attribute Evaluation: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
allowAttributeDuplicates - true iff the pre-processor should allow defining multi-valued attributes by repeating the same XACML Attribute (same AttributeId) within a XACML Attributes element (same Category). Indeed, not allowing this is not fully compliant with the XACML spec according to a discussion on the xacml-dev mailing list (see https://lists.oasis-open.org/archives/xacml-dev/201507/msg00001.html), referring to the XACML 3.0 core spec, §7.3.3, that indicates that multiple occurrences of the same <Attribute> with same meta-data but different values should be considered equivalent to a single <Attribute> element with same meta-data and merged values (multi-valued Attribute). Moreover, the XACML 3.0 conformance test 'IIIA024' expects this behavior: the multiple subject-id Attributes are expected to result in a multi-value bag during evaluation of the <AttributeDesignator>. Setting this parameter to false is not fully compliant, but provides better performance, especially if you know the Requests to be well-formed, i.e. all AttributeValues of a given Attribute are grouped together in the same <Attribute> element. Combined with strictAttributeIssuerMatch == true, this is the most efficient alternative (although not fully compliant).
requireContentForXPath - true iff Attributes/Content parsing (into XDM) for XPath evaluation is required
xmlProcessor - XML processor for parsing Attributes/Content elements into XDM for XPath evaluation. May be null if requireContentForXPath is false.
extraPdpFeatures - extra - non-mandatory per XACML 3.0 core specification - features supported by PDP engine. Any feature requested by any request is checked against this before processing the request further. If some feature is not supported, an Indeterminate Result is returned.
- Throws:
UnsupportedOperationException - if strictAttributeIssuerMatch == false && allowAttributeDuplicates == false, which is not supported
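The two matching modes and the unsupported combination described above, as an added example in plain Java that is not AuthzForce code. The record, method and issuer names are hypothetical, DataType matching is omitted, and rejecting a repeated Attribute when duplicates are disallowed is an assumption about behaviour the page does not spell out.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration in plain Java (16+); not AuthzForce code. Every name below is hypothetical.
public class AttributeModesDemo {
    // One <Attribute> of a request <Attributes> element; issuer is null when absent.
    record Attr(String category, String id, String issuer, List<String> values) {}

    // Values an AttributeDesignator (category, id, optional issuer) receives as its bag.
    // DataType matching is left out: every value here is treated as a string.
    static List<String> bag(List<Attr> request, String category, String id, String designatorIssuer,
                            boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates) {
        if (!strictAttributeIssuerMatch && !allowAttributeDuplicates) {
            // The one combination the constructor documents as unsupported.
            throw new UnsupportedOperationException("non-strict issuer match requires allowing duplicates");
        }
        Set<String> seen = new HashSet<>();
        List<String> values = new ArrayList<>();
        for (Attr a : request) {
            // Assumption: with duplicates disallowed, a repeated Attribute is rejected outright.
            boolean repeated = !seen.add(a.category() + '|' + a.id() + '|' + a.issuer());
            if (repeated && !allowAttributeDuplicates) {
                throw new IllegalArgumentException("duplicate <Attribute> " + a.id());
            }
            if (!a.category().equals(category) || !a.id().equals(id)) continue;
            boolean issuerOk = designatorIssuer == null
                    ? (!strictAttributeIssuerMatch || a.issuer() == null) // non-strict: any issuer matches
                    : designatorIssuer.equals(a.issuer());
            if (issuerOk) values.addAll(a.values()); // repeated Attributes merge into one multi-valued bag
        }
        return values;
    }

    public static void main(String[] args) {
        String cat = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
        String subjectId = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
        // Constructed request: subject-id given twice without Issuer and once issued by "idp-a".
        List<Attr> request = List.of(
                new Attr(cat, subjectId, null, List.of("alice")),
                new Attr(cat, subjectId, null, List.of("alice@example.org")),
                new Attr(cat, subjectId, "idp-a", List.of("a-1234")));
        System.out.println("strict, no designator Issuer:     " + bag(request, cat, subjectId, null, true, true));
        System.out.println("non-strict, no designator Issuer: " + bag(request, cat, subjectId, null, false, true));
        System.out.println("designator Issuer idp-a:          " + bag(request, cat, subjectId, "idp-a", true, true));
    }
}
```

In the non-strict mode a designator without Issuer also receives the value asserted by "idp-a", which is why the strict mode is only recommended when every AttributeDesignator names its Issuer.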
Method Detail
getInputRequestType
public final Class<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request> getInputRequestType()
Description copied from interface: DecisionRequestPreprocessor
Returns the type of input requests
- Specified by:
getInputRequestType in interface DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
- Returns:
INPUT_DECISION_REQUEST class.
getOutputRequestType
public final Class<IndividualXacmlJaxbRequest> getOutputRequestType()
Description copied from interface: DecisionRequestPreprocessor
Returns the type of output individual decision requests
- Specified by:
getOutputRequestType in interface DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
- Returns:
OUTPUT_INDIVIDUAL_DECISION_REQUEST class.
process
public abstract List<IndividualXacmlJaxbRequest> process(List<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> attributesList, SingleCategoryXacmlAttributesParser<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, net.sf.saxon.s9api.XPathCompiler xPathCompiler, Map<String,String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
Pre-processes (validates and/or transforms) a Request, may result in multiple individual decision requests, e.g. if implementing the Multiple Decision Profile or Hierarchical Resource profile
- Parameters:
attributesList - list of XACML Request Attributes elements
xacmlAttrsParser - XACML Attributes element Parser instance, used to parse each Attributes in attributesList.
isApplicablePolicyIdListReturned - XACML Request's property returnPolicyIdList.
combinedDecision - XACML Request's property isCombinedDecision
xPathCompiler - xpathExpression compiler, corresponding to the XACML RequestDefaults element, or null if no RequestDefaults element.
namespaceURIsByPrefix - namespace prefix-URI mappings (e.g. "... xmlns:prefix=uri") in the original XACML Request bound to req, used as part of the context for XPath evaluation
- Returns:
individual decision requests, as defined in Multiple Decision Profile, e.g. a singleton list if no multiple decision requested or supported by the pre-processor
Return a Collection and not array to make it easy for the implementer to create a defensive copy with Collections#unmodifiableList() and alike.
- Throws:
IndeterminateEvaluationException - if some feature requested in the Request is not supported by this pre-processor
process
public final List<IndividualXacmlJaxbRequest> process(oasis.names.tc.xacml._3_0.core.schema.wd_17.Request jaxbRequest, Map<String,String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
Description copied from interface: DecisionRequestPreprocessor
Pre-processes a decision request, may result in multiple individual decision requests, e.g. if implementing the Multiple Decision Profile
- Specified by:
process in interface DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
- Parameters:
jaxbRequest - input Request
namespaceURIsByPrefix - namespace prefix-URI mappings (e.g. "... xmlns:prefix=uri") in the original XACML Request bound to req, used as part of the context for XPath evaluation; may be null if such mapping defined
- Returns:
individual decision requests, as defined in Multiple Decision Profile, e.g. a singleton list if no multiple decision requested or supported by this
Return a Collection and not array to make it easy for the implementer to create a defensive copy with Collections#unmodifiableList() and alike.
- Throws:
IndeterminateEvaluationException - if some feature requested in the Request is not supported by this