Interface DecisionResult

    • Method Detail

      • getPepActions

        com.google.common.collect.ImmutableList<PepAction> getPepActions()
        Gets the PEP actions (Obligations/Advice). The list may be empty, but never null, if the decision is neither Permit nor Deny.
        Returns:
        PEP actions
      • getApplicablePolicies

        com.google.common.collect.ImmutableList<PrimaryPolicyMetadata> getApplicablePolicies()
        Get the list of the "applicable" policy elements (XACML Policy/PolicySet elements) that contributed to this decision.

        The XACML specification is ambiguous about what counts as an "applicable" policy; in particular, it does not clearly state which policies should be added to the PolicyIdentifierList in the final XACML Result. For more information, see the discussion at https://lists.oasis-open.org/archives/xacml-comment/201605/msg00004.html. Here we define an "applicable" policy more explicitly:

        A policy is "applicable" if and only if its evaluation result is different from NotApplicable (a result that is not NotApplicable should mean Applicable), and one of these two conditions is met:

        • The policy/policy reference has no enclosing policy, i.e. it is the root policy in PDP's evaluation.
        • The policy has an enclosing policy and the enclosing policy is "applicable". (This definition is recursive.)
        More formally: isApplicable(policy) iff evaluate(policy) != NotApplicable && (policy.parent == null || isApplicable(policy.parent))
        Returns:
        Identifiers of the policies found applicable for the decision request. Must be null if and only if the decision is NotApplicable. In particular, if the decision is different from NotApplicable but no applicable policy is returned (e.g. the request did not ask for such a list), the returned list must be an empty list, not null.
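
        The recursive definition and the null/empty return contract above, worked through on an already-evaluated policy tree. This is an added example, not AuthzForce code: Decision, Node, collect and applicablePolicies are hypothetical names, the sample tree is constructed, and it assumes the overall decision is the root policy's result.

```java
import java.util.ArrayList;
import java.util.List;

public class ApplicablePolicies {
    enum Decision { PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE }

    // Hypothetical node of an already-evaluated policy tree (not an AuthzForce type).
    static final class Node {
        final String id;
        final Decision result;
        final List<Node> children = new ArrayList<>();
        Node(String id, Decision result) { this.id = id; this.result = result; }
        Node add(Node child) { children.add(child); return this; }
    }

    // Top-down walk: a node is reached only when every ancestor is applicable, which is
    // evaluate(p) != NotApplicable && (p.parent == null || isApplicable(p.parent)).
    static void collect(Node p, List<String> out) {
        if (p.result == Decision.NOT_APPLICABLE) {
            return; // prunes the whole subtree, whatever its children evaluated to
        }
        out.add(p.id);
        for (Node child : p.children) {
            collect(child, out);
        }
    }

    // Mirrors the documented contract: null if and only if the decision is NotApplicable.
    static List<String> applicablePolicies(Node root) {
        if (root.result == Decision.NOT_APPLICABLE) {
            return null;
        }
        List<String> out = new ArrayList<>();
        collect(root, out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: B1 evaluated to Deny, but its enclosing policy B is NotApplicable.
        Node root = new Node("root", Decision.PERMIT)
            .add(new Node("A", Decision.PERMIT).add(new Node("A1", Decision.PERMIT)))
            .add(new Node("B", Decision.NOT_APPLICABLE).add(new Node("B1", Decision.DENY)))
            .add(new Node("C", Decision.NOT_APPLICABLE));
        System.out.println(applicablePolicies(root));
        System.out.println(applicablePolicies(new Node("other-root", Decision.NOT_APPLICABLE)));
    }
}
```

        A caller that logs or audits the policy list should treat null (decision is NotApplicable) and an empty list (list not requested) as distinct cases rather than collapsing both to "no policies".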