Package org.ow2.authzforce.core.pdp.impl
Class CloseableNamedAttributeProviderRegistry
java.lang.Object
    org.ow2.authzforce.core.pdp.impl.CloseableNamedAttributeProviderRegistry
All Implemented Interfaces:
    Closeable, AutoCloseable
public final class CloseableNamedAttributeProviderRegistry extends Object implements Closeable
Registry of CloseableNamedAttributeProviders.
The AttributeProviders may very likely hold resources such as network resources to get attributes remotely, or attribute caches to speed up finding, etc. Therefore, you are required to call close() when you no longer need an instance - especially before replacing with a new instance (with different modules) - in order to make sure these resources are released properly by each underlying module (e.g. close the attribute caches).
Version:
    $Id: $
Constructor Summary
CloseableNamedAttributeProviderRegistry(List<org.ow2.authzforce.core.pdp.api.CloseableNamedAttributeProvider.DependencyAwareFactory> attributeProviderFactories, org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry attributeFactory, boolean strictAttributeIssuerMatch)
    Instantiates a "composite/modular" Attribute Provider that tries to find attribute values in the evaluation context, then, if not there, queries dedicated sub-provider(s) (created from attributeProviderFactories) providing the requested attribute ID, if there is any.
Method Summary
void beginIndividualDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext context, Optional<org.ow2.authzforce.core.pdp.api.EvaluationContext> mdpContext)
    For each Individual Decision request, the PDP engine calls this method before the evaluation against the policy.
void beginMultipleDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext mdpContext)
    When the Multiple Decision Profile is used, the PDP engine calls this method before evaluating the Individual Decision Requests of a given Multiple Decision request.
void close()
List<org.ow2.authzforce.core.pdp.api.NamedAttributeProvider> getProviders(org.ow2.authzforce.core.pdp.api.AttributeFqn attributeName)
    Get AttributeProviders for a given attribute
Constructor Detail
CloseableNamedAttributeProviderRegistry
public CloseableNamedAttributeProviderRegistry(List<org.ow2.authzforce.core.pdp.api.CloseableNamedAttributeProvider.DependencyAwareFactory> attributeProviderFactories, org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry attributeFactory, boolean strictAttributeIssuerMatch) throws IOException
Instantiates a "composite/modular" Attribute Provider that tries to find attribute values in the evaluation context, then, if not there, queries dedicated sub-provider(s) (created from attributeProviderFactories) providing the requested attribute ID, if there is any.
Parameters:
    attributeFactory - (mandatory) attribute value factory
    attributeProviderFactories - Factories of all the Attribute Providers to be combined in the created instance (Attribute Providers resolve values of attributes absent from the request context). Empty if none. We assume that they are listed in dependency order, i.e. for any AttributeProvider AP (at index N) in the list, if AP depends on attribute(s) A, B, etc. then A, B, etc. are assumed to be provided by either another AttributeProvider preceding AP in the list (at index n < N), or the PDP input request directly.
    strictAttributeIssuerMatch - true iff it is required that an AttributeDesignator without Issuer only match request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Set it to false if you want full compliance with the XACML 3.0 Attribute Evaluation: "If the Issuer is not present in the AttributeDesignator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
Throws:
    IllegalArgumentException - If any Attribute Provider created from attributeProviderFactories does not provide any attribute.
    IOException - error closing the Attribute Providers created from attributeProviderFactories, when an IllegalArgumentException is raised
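
The effect of strictAttributeIssuerMatch on an AttributeDesignator without Issuer, as an added example (not AuthzForce code, Java 16+). Attr and resolve() are hypothetical stand-ins for the request attributes and the matching step; the attribute ID and issuer names are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

// Added illustration only; Attr and resolve() are hypothetical, not AuthzForce classes.
public class IssuerMatchDemo {
    // One attribute as it appears in the request context.
    record Attr(String id, String dataType, Optional<String> issuer, String value) {}

    // Returns the values an AttributeDesignator (id, dataType, optional Issuer) would select.
    static List<String> resolve(List<Attr> request, String id, String dataType,
                                Optional<String> designatorIssuer,
                                boolean strictAttributeIssuerMatch) {
        List<String> values = new ArrayList<>();
        for (Attr a : request) {
            if (!a.id().equals(id) || !a.dataType().equals(dataType)) {
                continue;
            }
            boolean issuerOk;
            if (designatorIssuer.isPresent()) {
                // Designator names an Issuer: the request attribute must carry the same one.
                issuerOk = designatorIssuer.equals(a.issuer());
            } else if (strictAttributeIssuerMatch) {
                // Strict mode: an Issuer-less designator only sees Issuer-less attributes.
                issuerOk = a.issuer().isEmpty();
            } else {
                // XACML 3.0 §5.29: AttributeId and DataType alone govern the match.
                issuerOk = true;
            }
            if (issuerOk) {
                values.add(a.value());
            }
        }
        return values;
    }

    public static void main(String[] args) {
        String role = "urn:example:role"; // constructed attribute ID
        String str = "http://www.w3.org/2001/XMLSchema#string";
        List<Attr> request = List.of(     // constructed sample request
            new Attr(role, str, Optional.empty(), "clerk"),
            new Attr(role, str, Optional.of("hr-directory"), "manager"),
            new Attr(role, str, Optional.of("self-asserted"), "admin"));

        System.out.println("strict:     " + resolve(request, role, str, Optional.empty(), true));
        System.out.println("compliant:  " + resolve(request, role, str, Optional.empty(), false));
        System.out.println("issuer set: " + resolve(request, role, str, Optional.of("hr-directory"), true));
    }
}
```

With this sample request, the Issuer-less designator selects only the Issuer-less value in strict mode and the values from every issuer when the flag is false. A policy that relies on who asserted an attribute should therefore name the Issuer in its AttributeDesignators, as the parameter description recommends.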
Method Detail
getProviders
public List<org.ow2.authzforce.core.pdp.api.NamedAttributeProvider> getProviders(org.ow2.authzforce.core.pdp.api.AttributeFqn attributeName)
Get AttributeProviders for a given attribute
Parameters:
    attributeName - attribute name
Returns:
    providers, empty list if there is none
beginMultipleDecisionRequest
public void beginMultipleDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext mdpContext)
When the Multiple Decision Profile is used, the PDP engine calls this method before evaluating the Individual Decision Requests of a given Multiple Decision request. This call is passed on to all AttributeProviders (used in this factory) that have NamedAttributeProvider.supportsBeginMultipleDecisionRequest() return true.
Parameters:
    mdpContext - context of a Multiple Decision request evaluation, will be passed on as mdpContext argument of each AttributeProvider (NamedAttributeProvider.get(AttributeFqn, Datatype, EvaluationContext, Optional)) when Individual Decision requests are evaluated.
beginIndividualDecisionRequest
public void beginIndividualDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext context, Optional<org.ow2.authzforce.core.pdp.api.EvaluationContext> mdpContext) throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException
For each Individual Decision request, the PDP engine calls this method before the evaluation against the policy. This call is passed on to all AttributeProviders (used in this factory) that have NamedAttributeProvider.supportsBeginIndividualDecisionRequest() return true.
Parameters:
    context - individual decision request context, will be passed on as context argument of each AttributeProvider (NamedAttributeProvider.get(AttributeFqn, Datatype, EvaluationContext, Optional)) when the Individual Decision request is evaluated against an AttributeDesignator or AttributeSelector with ContextSelectorId.
    mdpContext - context of a Multiple Decision request evaluation, will be passed on as mdpContext argument of each AttributeProvider (NamedAttributeProvider.get(AttributeFqn, Datatype, EvaluationContext, Optional)) when Individual Decision requests are evaluated.
Throws:
    org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException
close
public void close() throws IOException
Specified by:
    close in interface AutoCloseable
Specified by:
    close in interface Closeable
Throws:
    IOException