Class CloseableNamedAttributeProviderRegistry

  • All Implemented Interfaces:
    Closeable, AutoCloseable

    public final class CloseableNamedAttributeProviderRegistry
    extends Object
    implements Closeable
    Registry of CloseableNamedAttributeProviders

    The AttributeProviders are very likely to hold resources, such as network resources used to get attributes remotely or attribute caches that speed up lookups. Therefore, you are required to call close() when you no longer need an instance, especially before replacing it with a new instance (with different modules), so that each underlying module releases these resources properly (e.g. closes its attribute caches).
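One way to honour the close-before-replace requirement when the registry is reloaded at runtime. This is an added example, not AuthzForce code: `ReloadableRegistryHolder`, `reload` and `use` are hypothetical names, and the file is assumed to sit in the same package as CloseableNamedAttributeProviderRegistry, since that package is not shown on this page.

```java
// Added example, not AuthzForce code. Assumes this file is in the same package as
// CloseableNamedAttributeProviderRegistry (that package is not shown on this page).
import java.io.Closeable;
import java.io.IOException;
import java.util.List;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.Function;
import org.ow2.authzforce.core.pdp.api.CloseableNamedAttributeProvider.DependencyAwareFactory;
import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;

/** Hypothetical holder: the single owner that creates, replaces and closes the registry. */
public final class ReloadableRegistryHolder implements Closeable {
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
    private CloseableNamedAttributeProviderRegistry current; // guarded by lock; null = closed

    /** First load and every reload: the old instance is closed before the new one is built. */
    public void reload(List<DependencyAwareFactory> factories,
            AttributeValueFactoryRegistry valueFactories, boolean strictIssuerMatch) throws IOException {
        lock.writeLock().lock();
        try {
            closeCurrent();
            current = new CloseableNamedAttributeProviderRegistry(factories, valueFactories, strictIssuerMatch);
        } finally {
            lock.writeLock().unlock();
        }
    }

    /** Runs work under the read lock, so reload() cannot close providers while they are in use. */
    public <T> T use(Function<CloseableNamedAttributeProviderRegistry, T> work) {
        lock.readLock().lock();
        try {
            if (current == null) throw new IllegalStateException("attribute provider registry is closed");
            return work.apply(current);
        } finally {
            lock.readLock().unlock();
        }
    }

    @Override
    public void close() throws IOException {
        lock.writeLock().lock();
        try { closeCurrent(); } finally { lock.writeLock().unlock(); }
    }

    /** Caller must hold the write lock. Clears the field first, so a failed close leaves no stale instance. */
    private void closeCurrent() throws IOException {
        CloseableNamedAttributeProviderRegistry old = current;
        current = null;
        if (old != null) old.close();
    }
}
```

If close() or the constructor throws during reload(), the holder stays empty and use() raises IllegalStateException until a later reload() succeeds.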

    • Constructor Summary

      Constructors 
      Constructor Description
      CloseableNamedAttributeProviderRegistry(List<org.ow2.authzforce.core.pdp.api.CloseableNamedAttributeProvider.DependencyAwareFactory> attributeProviderFactories, org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry attributeFactory, boolean strictAttributeIssuerMatch)
      Instantiates a "composite/modular" Attribute Provider that tries to find attribute values in the evaluation context and, if they are not there, queries the dedicated sub-provider(s) (created from attributeProviderFactories) that provide the requested attribute ID, if any.
    • Method Summary

      Modifier and Type Method Description
      void beginIndividualDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext context, Optional<org.ow2.authzforce.core.pdp.api.EvaluationContext> mdpContext)
      For each Individual Decision request, the PDP engine calls this method before the evaluation against the policy.
      void beginMultipleDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext mdpContext)
      When the Multiple Decision Profile is used, the PDP engine calls this method before evaluating the Individual Decision Requests of a given Multiple Decision request.
      void close()
      List<org.ow2.authzforce.core.pdp.api.NamedAttributeProvider> getProviders(org.ow2.authzforce.core.pdp.api.AttributeFqn attributeName)
      Get AttributeProviders for a given attribute
    • Constructor Detail

      • CloseableNamedAttributeProviderRegistry

        public CloseableNamedAttributeProviderRegistry(List<org.ow2.authzforce.core.pdp.api.CloseableNamedAttributeProvider.DependencyAwareFactory> attributeProviderFactories,
                                                       org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry attributeFactory,
                                                       boolean strictAttributeIssuerMatch)
                                                throws IOException
        Instantiates a "composite/modular" Attribute Provider that tries to find attribute values in the evaluation context and, if they are not there, queries the dedicated sub-provider(s) (created from attributeProviderFactories) that provide the requested attribute ID, if any.
        Parameters:
        attributeFactory - (mandatory) attribute value factory
        attributeProviderFactories - Factories of all the Attribute Providers to be combined in the created instance (Attribute Providers resolve values of attributes absent from the request context). Empty if none. We assume that they are listed in dependency order, i.e. for any AttributeProvider AP (at index N) in the list, if AP depends on attribute(s) A, B, etc. then A, B, etc. are assumed to be provided by either another AttributeProvider preceding AP in the list (at index n < N), or the PDP input request directly.
        strictAttributeIssuerMatch - true iff it is required that an AttributeDesignator without Issuer only matches request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Set it to false if you want full compliance with the XACML 3.0 Attribute Evaluation: "If the Issuer is not present in the AttributeDesignator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
        Throws:
        IllegalArgumentException - If any Attribute Provider created from attributeProviderFactories does not provide any attribute.
        IOException - error closing the Attribute Providers created from attributeProviderFactories, when an IllegalArgumentException is raised
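The effect of strictAttributeIssuerMatch on which request attributes an AttributeDesignator selects, as an added stand-alone model (not AuthzForce code). The `Attr` and `Designator` records, the `urn:example:` identifiers and the sample request are constructed for illustration; the branch for a designator that does carry an Issuer follows XACML 3.0, where the Issuer must then be equal.

```java
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;

/** Added model of the two matching modes; constructed types, not AuthzForce classes. */
public final class IssuerMatchModes {
    record Attr(String id, String dataType, Optional<String> issuer, String value) {}
    record Designator(String id, String dataType, Optional<String> issuer) {}

    static final String STRING_TYPE = "http://www.w3.org/2001/XMLSchema#string";
    static final String ROLE = "urn:example:role";   // constructed attribute id
    static final String IDP_A = "urn:example:idp-a"; // constructed issuer

    static boolean matches(Designator d, Attr a, boolean strictAttributeIssuerMatch) {
        if (!d.id().equals(a.id()) || !d.dataType().equals(a.dataType())) return false;
        // Designator names an Issuer: the request attribute must carry the same one.
        if (d.issuer().isPresent()) return d.issuer().equals(a.issuer());
        // Designator has no Issuer: strict mode accepts only request attributes without
        // Issuer; XACML 3.0 mode matches on AttributeId and DataType alone.
        return !strictAttributeIssuerMatch || a.issuer().isEmpty();
    }

    static List<String> select(Designator d, List<Attr> request, boolean strict) {
        return request.stream().filter(a -> matches(d, a, strict))
                .map(Attr::value).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed request: the same attribute id, once without and once with an Issuer.
        List<Attr> request = List.of(
                new Attr(ROLE, STRING_TYPE, Optional.empty(), "auditor"),
                new Attr(ROLE, STRING_TYPE, Optional.of(IDP_A), "admin"));
        Designator noIssuer = new Designator(ROLE, STRING_TYPE, Optional.empty());
        Designator fromIdpA = new Designator(ROLE, STRING_TYPE, Optional.of(IDP_A));

        System.out.println("no Issuer, strict=true : " + select(noIssuer, request, true));
        System.out.println("no Issuer, strict=false: " + select(noIssuer, request, false));
        System.out.println("Issuer idp-a, either   : " + select(fromIdpA, request, false));
    }
}
```

With strict=false, a designator without Issuer also picks up values asserted by any issuer, which is why the parameter description recommends giving every AttributeDesignator an Issuer.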
    • Method Detail

      • getProviders

        public List<org.ow2.authzforce.core.pdp.api.NamedAttributeProvider> getProviders(org.ow2.authzforce.core.pdp.api.AttributeFqn attributeName)
        Get AttributeProviders for a given attribute
        Parameters:
        attributeName - attribute name
        Returns:
        providers, empty list if there is none
      • beginMultipleDecisionRequest

        public void beginMultipleDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext mdpContext)
        When the Multiple Decision Profile is used, the PDP engine calls this method before evaluating the Individual Decision Requests of a given Multiple Decision request. This call is passed on to every AttributeProvider (used in this factory) whose NamedAttributeProvider.supportsBeginMultipleDecisionRequest() returns true.
        Parameters:
        mdpContext - context of a Multiple Decision request evaluation, will be passed on as mdpContext argument of each AttributeProvider ( NamedAttributeProvider.get(AttributeFqn, Datatype, EvaluationContext, Optional) ) when Individual Decision requests are evaluated.
      • beginIndividualDecisionRequest

        public void beginIndividualDecisionRequest(org.ow2.authzforce.core.pdp.api.EvaluationContext context,
                                                   Optional<org.ow2.authzforce.core.pdp.api.EvaluationContext> mdpContext)
                                            throws org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException
        For each Individual Decision request, the PDP engine calls this method before the evaluation against the policy. This call is passed on to every AttributeProvider (used in this factory) whose NamedAttributeProvider.supportsBeginIndividualDecisionRequest() returns true.
        Parameters:
        context - individual decision request context, will be passed on as context argument of each AttributeProvider ( NamedAttributeProvider.get(AttributeFqn, Datatype, EvaluationContext, Optional) ) when the Individual Decision request is evaluated against an AttributeDesignator or AttributeSelector with ContextSelectorId.
        mdpContext - context of a Multiple Decision request evaluation, will be passed on as mdpContext argument of each AttributeProvider ( NamedAttributeProvider.get(AttributeFqn, Datatype, EvaluationContext, Optional) ) when Individual Decision requests are evaluated.
        Throws:
        org.ow2.authzforce.core.pdp.api.IndeterminateEvaluationException