Class NonIssuedLikeIssuedStrictXacmlAttributeParser<INPUT_ATTRIBUTE>

  • Type Parameters:
    INPUT_ATTRIBUTE - type of raw input attribute object (not yet parsed into AuthzForce internal model), typically from original XACML Request, e.g. JAXB-annotated Attribute for XACML/XML request, or JSON object for XACML/JSON request

    public final class NonIssuedLikeIssuedStrictXacmlAttributeParser<INPUT_ATTRIBUTE>
    extends XacmlRequestAttributeParser<INPUT_ATTRIBUTE,AttributeBag<?>>
    Unlike IssuedToNonIssuedCopyingLaxXacmlAttributeParser, this XACML Attribute parser does not copy the values of Attributes that have an Issuer to the corresponding Attributes without Issuer (same Category, AttributeId, etc.) in the resulting attribute map. It therefore does not comply with what XACML 3.0, §5.29 says about <AttributeDesignator> evaluation, but it performs better. In this implementation, an Attribute with no Issuer is handled like an Attribute with an Issuer, except that the Issuer has the special value "null". Therefore an AttributeDesignator with a "null" (undefined) Issuer still matches any Attribute in the request with a "null" Issuer, but not another Attribute with the same AttributeId and a defined (non-null) Issuer; to match that one, a different AttributeDesignator with the defined Issuer must be used.

    "Strict" means it does not allow defining multi-valued attributes by repeating the same XACML Attribute (same AttributeId) within a XACML Attributes element (same Category). This is not fully compliant with the XACML spec according to a discussion on the xacml-dev mailing list (see https://lists.oasis-open.org/archives/xacml-dev/201507/msg00001.html), referring to the XACML 3.0 core spec, §7.3.3, which indicates that multiple occurrences of the same <Attribute> with the same meta-data but different values should be considered equivalent to a single <Attribute> element with the same meta-data and merged values (multi-valued Attribute). Moreover, the XACML 3.0 conformance test 'IIIA024' expects this behavior: the multiple subject-id Attributes are expected to result in a multi-valued bag during evaluation of the <AttributeDesignator>.

    In a nutshell, this type of attribute parser does not fully comply with XACML 3.0. However, to benefit fully from the XACML capabilities, it is strongly recommended to avoid such Attribute repetitions and to group all the values of the same Attribute in a single Attribute element with multiple AttributeValues. In that case, you will achieve better performance by using this "strict" parser instead of the "lax" version.

    • Method Detail

      • parseNamedAttribute

        public void parseNamedAttribute​(String attributeCategoryId,
                                        INPUT_ATTRIBUTE inputXacmlAttribute,
                                        net.sf.saxon.s9api.XPathCompiler xPathCompiler,
                                        Map<AttributeFqn,AttributeBag<?>> attributeMap)
                                 throws IllegalArgumentException
        "Strict" parsing method, which parses all the values of a given attribute in one call. In short, this method rejects multiple calls for the same Attribute identifier (same metadata).
        Specified by:
        parseNamedAttribute in class XacmlRequestAttributeParser<INPUT_ATTRIBUTE,AttributeBag<?>>
        Parameters:
        attributeMap - request attribute map to be updated by the result of parsing inputXacmlAttribute
        inputXacmlAttribute - input attribute object (not yet parsed into AuthzForce internal model), typically from original XACML request
        xPathCompiler - XPath compiler for compiling/evaluating XPath expressions in values, such as XACML xpathExpressions
        attributeCategoryId - attribute category ID
        Throws:
        IllegalArgumentException - if parsing of inputXacmlAttribute fails because of an invalid datatype or a mix of different datatypes; or if values already exist for the same attribute (repetition of the same attribute is not allowed in strict mode)
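        The following is an added example, not AuthzForce code and not its API: a small Python model of the two behaviours described in the class description and in parseNamedAttribute above. The attribute map is keyed by (Category, Issuer, AttributeId) with a missing Issuer as its own key (the "null" Issuer), the strict parser rejects a second call for the same key and does not copy issued values to the non-issued key, and the lax parser merges repeats into one multi-valued bag and performs the §5.29 copy. The class names, the InputAttribute stand-in for a raw XACML Attribute, the (datatype, value) pairs and the sample requests (including the IIIA024-shaped repeated subject-id) are all constructed for this illustration; ValueError plays the role of IllegalArgumentException.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STRING = "http://www.w3.org/2001/XMLSchema#string"
INTEGER = "http://www.w3.org/2001/XMLSchema#integer"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"


@dataclass(frozen=True)
class InputAttribute:
    """Constructed stand-in for a raw XACML <Attribute>; values are (datatype, value) pairs."""
    attribute_id: str
    issuer: Optional[str]                 # None models an <Attribute> without an Issuer
    values: Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class AttributeFqn:
    """Attribute map key: Category, Issuer, AttributeId. Issuer None is a distinct key."""
    category: str
    issuer: Optional[str]
    attribute_id: str


@dataclass
class AttributeBag:
    datatype: str
    values: List[str]


def _bag_from(attr: InputAttribute) -> AttributeBag:
    """Build a single-datatype bag; reject empty or mixed-datatype value lists."""
    if not attr.values:
        raise ValueError(f"{attr.attribute_id}: no AttributeValue")
    datatype = attr.values[0][0]
    for dt, _ in attr.values:
        if dt != datatype:
            raise ValueError(f"{attr.attribute_id}: mixed datatypes {datatype} / {dt}")
    return AttributeBag(datatype, [v for _, v in attr.values])


class StrictParser:
    """Strict mode: one call per (Category, Issuer, AttributeId); a repeat is an error,
    and values of an issued Attribute are NOT copied to the non-issued key."""

    def parse_named_attribute(self, category: str, attr: InputAttribute,
                              attribute_map: Dict[AttributeFqn, AttributeBag]) -> None:
        bag = _bag_from(attr)
        fqn = AttributeFqn(category, attr.issuer, attr.attribute_id)
        if fqn in attribute_map:
            raise ValueError(f"repeated attribute {fqn} not allowed in strict mode")
        attribute_map[fqn] = bag


class LaxParser:
    """Lax mode: repeats of the same Attribute are merged into one multi-valued bag, and
    values of an issued Attribute are also copied to the non-issued key (XACML 3.0 §5.29)."""

    def parse_named_attribute(self, category: str, attr: InputAttribute,
                              attribute_map: Dict[AttributeFqn, AttributeBag]) -> None:
        bag = _bag_from(attr)
        keys = [AttributeFqn(category, attr.issuer, attr.attribute_id)]
        if attr.issuer is not None:
            keys.append(AttributeFqn(category, None, attr.attribute_id))
        for fqn in keys:
            existing = attribute_map.get(fqn)
            if existing is None:
                attribute_map[fqn] = AttributeBag(bag.datatype, list(bag.values))
            elif existing.datatype != bag.datatype:
                raise ValueError(f"{fqn}: datatype mismatch on merge")
            else:
                existing.values.extend(bag.values)


def parse_request(parser, attributes):
    """Parse a list of (category, InputAttribute) pairs into an attribute map."""
    attribute_map: Dict[AttributeFqn, AttributeBag] = {}
    for category, attr in attributes:
        parser.parse_named_attribute(category, attr, attribute_map)
    return attribute_map


def designator_values(attribute_map, category, attribute_id, issuer=None):
    """What an <AttributeDesignator> sees: the bag under the exact key, or None if absent."""
    bag = attribute_map.get(AttributeFqn(category, issuer, attribute_id))
    return None if bag is None else list(bag.values)


def rejects(parser, attributes) -> bool:
    """True if the parser refuses the request (the IllegalArgumentException case)."""
    try:
        parse_request(parser, attributes)
        return False
    except ValueError:
        return True


# Constructed requests
REQ_ISSUED = [(SUBJECT_CAT, InputAttribute(SUBJECT_ID, "idp.example", ((STRING, "alice"),)))]
REQ_REPEATED = [  # IIIA024 shape: subject-id given twice, no Issuer
    (SUBJECT_CAT, InputAttribute(SUBJECT_ID, None, ((STRING, "alice"),))),
    (SUBJECT_CAT, InputAttribute(SUBJECT_ID, None, ((STRING, "bob"),))),
]
REQ_MIXED = [(SUBJECT_CAT, InputAttribute(SUBJECT_ID, None, ((STRING, "alice"), (INTEGER, "42"))))]

if __name__ == "__main__":
    print(designator_values(parse_request(StrictParser(), REQ_ISSUED), SUBJECT_CAT, SUBJECT_ID))
    print(designator_values(parse_request(LaxParser(), REQ_ISSUED), SUBJECT_CAT, SUBJECT_ID))
    print(rejects(StrictParser(), REQ_REPEATED), rejects(LaxParser(), REQ_REPEATED))
```

        The security-relevant point the model makes visible: with the strict parser, a policy whose AttributeDesignator omits the Issuer never sees values that were supplied with an Issuer, so a policy written against the §5.29 copy semantics can silently evaluate against an empty bag; the repeated-attribute and mixed-datatype requests are refused outright rather than merged.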