Package org.ow2.authzforce.core.pdp.api

Interface PdpEngine

All Known Subinterfaces:

CloseablePdpEngine

public interface PdpEngine

This is the interface for the Authorization PDP engines, providing the starting point for decision request evaluation, independent of data representation/serialization formats.

Method Summary

Modifier and Type	Method	Description
<INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Map.Entry<INDIVIDUAL_DECISION_REQ_T,? extends DecisionResult>>	evaluate(List<INDIVIDUAL_DECISION_REQ_T> requests, EvaluationContext mdpContext)	Generic API (serialization-format-agnostic) for evaluating multiple individual decision requests (see Multiple Decision Profile of XACML for the concept of "Individual Decision Request"), i.e.
DecisionResult	evaluate(DecisionRequest request)	Generic API (serialization-format-agnostic) for evaluating an individual decision request (see Multiple Decision Profile of XACML for the concept of "Individual Decision Request").
Iterable<PrimaryPolicyMetadata>	getApplicablePolicies()	Get the PDP engine's root policy and policies referenced - directly or indirectly - from the root policy, independent of the evaluation context, i.e.
DecisionRequestBuilder<?>	newRequestBuilder(int expectedNumOfAttributeCategories, int expectedTotalNumOfAttributes)	Gets the PDP-engine-specific individual decision request builder.

Method Detail

newRequestBuilder

DecisionRequestBuilder<?> newRequestBuilder(int expectedNumOfAttributeCategories,
                                            int expectedTotalNumOfAttributes)

Gets the PDP-engine-specific individual decision request builder.

Parameters:

expectedNumOfAttributeCategories - expected number of attribute categories in the request. This helps the implementation to allocate the right amount of memory and limit memory waste. Use negative value if unknown.

expectedTotalNumOfAttributes - expected total number of attributes (over all categories). This helps the implementation to allocate the right amount of memory and limit memory waste. Use negative value if unknown.

Returns:

implementation-specific request builder. May not be thread-safe.

evaluate

DecisionResult evaluate(DecisionRequest request)

Generic API (serialization-format-agnostic) for evaluating an individual decision request (see Multiple Decision Profile of XACML for the concept of "Individual Decision Request").

This method DOES NOT use any DecisionRequestPreprocessor or any DecisionResultPostprocessor. (Only based on core PDP engine.)

This method does not throw any exception but may still return an Indeterminate result if an error occurred. Therefore, clients should check whether == DecisionType#INDETERMINATE, in which case they can get more error info from ExtendedDecision.getCauseForIndeterminate()).

Parameters:

request - Individual Decision Request, as defined in the XACML Multiple Decision Profile (also mentioned in the Hierarchical Resource Profile)

Returns:

decision result.

evaluate

<INDIVIDUAL_DECISION_REQ_T extends DecisionRequest> Collection<Map.Entry<INDIVIDUAL_DECISION_REQ_T,? extends DecisionResult>> evaluate(List<INDIVIDUAL_DECISION_REQ_T> requests,
                                                                                                                                             EvaluationContext mdpContext)
                                                                                                                                      throws IndeterminateEvaluationException

Generic API (serialization-format-agnostic) for evaluating multiple individual decision requests (see Multiple Decision Profile of XACML for the concept of "Individual Decision Request"), i.e. as part of the same context. As a result, if any attribute is set by the PDP itself, e.g. the XACML standard environment attributes (current-date/current-time/current-date-time), it MUST have the same values for all input requests.

This method DOES NOT use any DecisionRequestPreprocessor or any DecisionResultPostprocessor. (Only based on core PDP engine.)

If the PDP uses any remote cache/database service, it should send all decision requests in the same service request and get all existing cache results in the service response, for performance reasons.

Parameters:

requests - Individual Decision Requests (see Multiple Decision Profile of XACML for the concept of "Individual Decision Request")

mdpContext - the context of the Multiple Decision request that the requests belong to, i.e. may be used to reuse common variables/attributes to all its individual decision requests. for any request in {code requests}, request.getCreationTimestamp() must match mdpContext.getCreationTimestamp()

Returns:

decision request-result pairs

Throws:

IndeterminateEvaluationException - error occurred preventing any request evaluation. (This error is not specific to a particular decision request. Such request-specific error results in an Indeterminate decision result with error cause available via ExtendedDecision.getCauseForIndeterminate())

getApplicablePolicies

Iterable<PrimaryPolicyMetadata> getApplicablePolicies()

Get the PDP engine's root policy and policies referenced - directly or indirectly - from the root policy, independent of the evaluation context, i.e. assuming all are statically resolved

Returns:

the root - always in first position - and referenced policies; null if any of these policies is not statically resolved (once and for all)