Class BaseXacmlJaxbRequestPreprocessor
java.lang.Object
    org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbRequestPreprocessor

All Implemented Interfaces:
DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>

public abstract class BaseXacmlJaxbRequestPreprocessor extends Object implements DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>

Convenient base class for DecisionRequestPreprocessor implementations supporting core XACML-schema-defined XML input handled by JAXB framework

Nested Class Summary

static class BaseXacmlJaxbRequestPreprocessor.Factory
    Convenient base class for DecisionRequestPreprocessor.Factory implementations supporting core XACML-schema-defined XML input handled by JAXB framework

Field Summary

protected static IndeterminateEvaluationException UNSUPPORTED_MULTI_REQUESTS_EXCEPTION
    Indeterminate exception to be thrown iff MultiRequests element not supported by the request preprocessor

Constructor Summary

protected BaseXacmlJaxbRequestPreprocessor(AttributeValueFactoryRegistry attributeValueFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Set<String> extraPdpFeatures)
    Creates instance of request pre-processor.
protected BaseXacmlJaxbRequestPreprocessor(AttributeValueFactoryRegistry attributeValueFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Set<String> extraPdpFeatures, Optional<NamedXacmlAttributeParser<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attribute>> customNamedAttributeParser)
    Creates instance of request pre-processor.

Method Summary

Class<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request> getInputRequestType()
    Returns the type of input requests
Class<IndividualXacmlJaxbRequest> getOutputRequestType()
    Returns the type of output individual decision requests
abstract List<IndividualXacmlJaxbRequest> process(List<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> attributesList, SingleCategoryXacmlAttributesParser<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, Optional<XPathCompilerProxy> xPathCompiler, Map<String,String> namespaceURIsByPrefix)
    Pre-processes (validates and/or transforms) a Request, may result in multiple individual decision requests, e.g.
List<IndividualXacmlJaxbRequest> process(oasis.names.tc.xacml._3_0.core.schema.wd_17.Request jaxbRequest, Map<String,String> namespaceURIsByPrefix)
    Pre-processes a decision request, may result in multiple individual decision requests, e.g.

Field Detail

UNSUPPORTED_MULTI_REQUESTS_EXCEPTION
protected static final IndeterminateEvaluationException UNSUPPORTED_MULTI_REQUESTS_EXCEPTION
Indeterminate exception to be thrown iff MultiRequests element not supported by the request preprocessor

Constructor Detail

BaseXacmlJaxbRequestPreprocessor
protected BaseXacmlJaxbRequestPreprocessor(AttributeValueFactoryRegistry attributeValueFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Set<String> extraPdpFeatures, Optional<NamedXacmlAttributeParser<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attribute>> customNamedAttributeParser) throws UnsupportedOperationException
Creates instance of request pre-processor.
Parameters:
attributeValueFactoryRegistry - registry of datatype-specific attribute value parsers
strictAttributeIssuerMatch - true iff it is required that AttributeDesignator without Issuer only match request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Set it to false, if you want full compliance with the XACML 3.0 Attribute Evaluation: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
allowAttributeDuplicates - true iff the pre-processor should allow defining multivalued attributes by repeating the same XACML Attribute (same AttributeId) within a XACML Attributes element (same Category). Indeed, not allowing this is not fully compliant with the XACML spec according to a discussion on the xacml-dev mailing list (see Handling repetitions of Attribute Category/Id/Issuer/DataType in XACML Request), referring to the XACML 3.0 core spec, §7.3.3, that indicates that multiple occurrences of the same <Attribute> with same meta-data but different values should be considered equivalent to a single <Attribute> element with same meta-data and merged values (multivalued Attribute). Moreover, the XACML 3.0 conformance test 'IIIA024' expects this behavior: the multiple subject-id Attributes are expected to result in a multi-value bag during evaluation of the <AttributeDesignator>. Setting this parameter to false is not fully compliant, but provides better performance, especially if you know the Requests to be well-formed, i.e. all AttributeValues of a given Attribute are grouped together in the same <Attribute> element. Combined with strictAttributeIssuerMatch == true, this is the most efficient alternative (although not fully compliant).
requireContentForXPath - true iff Attributes/Content parsing (into XDM) for XPath evaluation is required
extraPdpFeatures - extra - non-mandatory per XACML 3.0 core specification - features supported by PDP engine. Any feature requested by any request is checked against this before processing the request further. If some feature is not supported, an Indeterminate Result is returned.
customNamedAttributeParser - custom parser of named Attributes, to customize how XACML Attributes are converted into instance of AuthzForce internal Attribute class
Throws:
UnsupportedOperationException - if strictAttributeIssuerMatch == false && allowAttributeDuplicates == false, which is not supported

BaseXacmlJaxbRequestPreprocessor
protected BaseXacmlJaxbRequestPreprocessor(AttributeValueFactoryRegistry attributeValueFactoryRegistry, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates, boolean requireContentForXPath, Set<String> extraPdpFeatures) throws UnsupportedOperationException
Creates instance of request pre-processor.
Parameters:
attributeValueFactoryRegistry - registry of datatype-specific attribute value parsers
strictAttributeIssuerMatch - true iff it is required that AttributeDesignator without Issuer only match request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Set it to false, if you want full compliance with the XACML 3.0 Attribute Evaluation: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
allowAttributeDuplicates - true iff the pre-processor should allow defining multivalued attributes by repeating the same XACML Attribute (same AttributeId) within a XACML Attributes element (same Category). Indeed, not allowing this is not fully compliant with the XACML spec according to a discussion on the xacml-dev mailing list (see Handling repetitions of Attribute Category/Id/Issuer/DataType in XACML Request), referring to the XACML 3.0 core spec, §7.3.3, that indicates that multiple occurrences of the same <Attribute> with same meta-data but different values should be considered equivalent to a single <Attribute> element with same meta-data and merged values (multivalued Attribute). Moreover, the XACML 3.0 conformance test 'IIIA024' expects this behavior: the multiple subject-id Attributes are expected to result in a multi-value bag during evaluation of the <AttributeDesignator>. Setting this parameter to false is not fully compliant, but provides better performance, especially if you know the Requests to be well-formed, i.e. all AttributeValues of a given Attribute are grouped together in the same <Attribute> element. Combined with strictAttributeIssuerMatch == true, this is the most efficient alternative (although not fully compliant).
requireContentForXPath - true iff Attributes/Content parsing (into XDM) for XPath evaluation is required
extraPdpFeatures - extra - non-mandatory per XACML 3.0 core specification - features supported by PDP engine. Any feature requested by any request is checked against this before processing the request further. If some feature is not supported, an Indeterminate Result is returned.
Throws:
UnsupportedOperationException - if strictAttributeIssuerMatch == false && allowAttributeDuplicates == false, which is not supported
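
The effect of strictAttributeIssuerMatch and allowAttributeDuplicates (documented for both constructors above) on the bag an AttributeDesignator without Issuer receives, as an added example that is not AuthzForce code. The Attr record, the bag() method and the sample request are hypothetical (Java 16+ for records); rejecting a repeated Attribute with an exception when duplicates are disallowed is an assumption, since this page only says repetition is "not allowed".

```java
import java.util.*;

public class IssuerAndDuplicateDemo {
    // Hypothetical model of one request <Attribute>; issuer == null means no Issuer.
    record Attr(String category, String id, String issuer, String dataType, List<String> values) {}

    // Bag an AttributeDesignator would see; designatorIssuer == null means no Issuer.
    static List<String> bag(List<Attr> request, String category, String id, String dataType,
            String designatorIssuer, boolean strictAttributeIssuerMatch, boolean allowAttributeDuplicates) {
        if (!strictAttributeIssuerMatch && !allowAttributeDuplicates) {
            // Same flag combination the documented constructors refuse.
            throw new UnsupportedOperationException("unsupported flag combination");
        }
        Set<String> seenIssuers = new HashSet<>();
        List<String> values = new ArrayList<>();
        for (Attr a : request) {
            if (!a.category().equals(category) || !a.id().equals(id) || !a.dataType().equals(dataType)) {
                continue;
            }
            // Assumption: a repeated <Attribute> is rejected when duplicates are not allowed.
            if (!seenIssuers.add(a.issuer()) && !allowAttributeDuplicates) {
                throw new IllegalArgumentException("repeated Attribute " + id);
            }
            boolean issuerMatches = designatorIssuer != null
                    ? designatorIssuer.equals(a.issuer())
                    : (!strictAttributeIssuerMatch || a.issuer() == null);
            if (issuerMatches) {
                values.addAll(a.values()); // repeated elements merge into one multivalued bag
            }
        }
        return values;
    }

    public static void main(String[] args) {
        String cat = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject";
        String sid = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
        String str = "http://www.w3.org/2001/XMLSchema#string";
        // Constructed request: subject-id repeated, one occurrence carrying an Issuer.
        List<Attr> req = List.of(
                new Attr(cat, sid, null, str, List.of("alice")),
                new Attr(cat, sid, null, str, List.of("a.smith")),
                new Attr(cat, sid, "idp.example", str, List.of("alice@idp")));
        System.out.println("strict, merged: " + bag(req, cat, sid, str, null, true, true));
        System.out.println("lenient, merged: " + bag(req, cat, sid, str, null, false, true));
        try {
            bag(req, cat, sid, str, null, true, false);
        } catch (IllegalArgumentException e) {
            System.out.println("strict, duplicates disallowed: " + e.getMessage());
        }
    }
}
```

In strict mode the issuer-less designator never sees the value asserted by idp.example, so the same policy can evaluate differently depending on this flag; review policies that rely on designators without Issuer before switching modes.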

Method Detail

getInputRequestType
public final Class<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request> getInputRequestType()
Description copied from interface: DecisionRequestPreprocessor
Returns the type of input requests
Specified by:
getInputRequestType in interface DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
Returns:
INPUT_DECISION_REQUEST class.

getOutputRequestType
public final Class<IndividualXacmlJaxbRequest> getOutputRequestType()
Description copied from interface: DecisionRequestPreprocessor
Returns the type of output individual decision requests
Specified by:
getOutputRequestType in interface DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
Returns:
OUTPUT_INDIVIDUAL_DECISION_REQUEST class.

process
public abstract List<IndividualXacmlJaxbRequest> process(List<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> attributesList, SingleCategoryXacmlAttributesParser<oasis.names.tc.xacml._3_0.core.schema.wd_17.Attributes> xacmlAttrsParser, boolean isApplicablePolicyIdListReturned, boolean combinedDecision, Optional<XPathCompilerProxy> xPathCompiler, Map<String,String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
Pre-processes (validates and/or transforms) a Request, may result in multiple individual decision requests, e.g. if implementing the Multiple Decision Profile or Hierarchical Resource profile
Parameters:
attributesList - list of XACML Request Attributes elements
xacmlAttrsParser - XACML Attributes element Parser instance, used to parse each Attributes in attributesList.
isApplicablePolicyIdListReturned - XACML Request's property returnPolicyIdList.
combinedDecision - XACML Request's property isCombinedDecision
xPathCompiler - xpathExpression compiler, corresponding to the XACML RequestDefaults element, or null if no RequestDefaults element or XPath support disabled globally by PDP configuration.
namespaceURIsByPrefix - namespace prefix-URI mappings (e.g. "... xmlns:prefix=uri") in the original XACML Request bound to req, used as part of the context for XPath evaluation. If xPathCompiler.isPresent(), xPathCompiler.get().getDeclaredNamespacePrefixToUriMap() provides the mappings instead and namespaceURIsByPrefix shall be empty
Returns:
individual decision requests, as defined in Multiple Decision Profile, e.g. a singleton list if no multiple decision requested or supported by the pre-processor
Return a Collection and not array to make it easy for the implementer to create a defensive copy with Collections#unmodifiableList() and alike.
Throws:
IndeterminateEvaluationException - if some feature requested in the Request is not supported by this pre-processor

process
public final List<IndividualXacmlJaxbRequest> process(oasis.names.tc.xacml._3_0.core.schema.wd_17.Request jaxbRequest, Map<String,String> namespaceURIsByPrefix) throws IndeterminateEvaluationException
Description copied from interface: DecisionRequestPreprocessor
Pre-processes a decision request, may result in multiple individual decision requests, e.g. if implementing the Multiple Decision Profile
Specified by:
process in interface DecisionRequestPreprocessor<oasis.names.tc.xacml._3_0.core.schema.wd_17.Request,IndividualXacmlJaxbRequest>
Parameters:
jaxbRequest - input Request
namespaceURIsByPrefix - namespace prefix-URI mappings (e.g. "... xmlns:prefix=uri") in the original XACML Request bound to req, used as part of the context for XPath evaluation; may be null if such mapping defined
Returns:
individual decision requests, as defined in Multiple Decision Profile, e.g. a singleton list if no multiple decision requested or supported by this
Return a Collection and not array to make it easy for the implementer to create a defensive copy with Collections#unmodifiableList() and alike.
Throws:
IndeterminateEvaluationException - if some feature requested in the Request is not supported by this