
force.authzforce-ce-core.3.8.3.source-code.pdp.xsd
Data model of AuthZForce PDP configuration.
For any such configuration (XML) file (instance of this schema) that is loaded, the AuthZForce PDP configuration handler sets the global variable 'PARENT_DIR' to the path of the parent directory of this XML configuration file, so that any placeholder ${PARENT_DIR} is replaced with this value; it may be used in text nodes, for instance to specify file paths relative to the configuration file. If the location of the configuration file does not resolve to a file on the file system, 'PARENT_DIR' is undefined. You may use the colon ':' as a separator between the placeholder variable and a default value to be used when PARENT_DIR is undefined. E.g. ${PARENT_DIR:/home/foo/conf} is replaced with '/home/foo/conf' if PARENT_DIR is undefined.
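The following is an added example, not code from AuthZForce, that implements the placeholder rules stated above (value of PARENT_DIR, precedence of a defined variable over the ':' default, undefined when the location is not a local file). The behaviour for an undefined variable with no default is this example's choice, since the schema text does not specify it; the <policyLocation> element in the sample file is a constructed stand-in, not an element defined on this page.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# ${NAME} or ${NAME:default}; the default may contain '/' and ':' but not '}'.
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def _local_path(location: str) -> str:
    """Strip a file:// scheme; any other URI scheme is left untouched."""
    return location[len("file://"):] if location.startswith("file://") else location


def parent_dir_of(config_location: str) -> Optional[str]:
    """Value of PARENT_DIR for a configuration file location, or None (undefined)
    when the location is not a file on the local file system, e.g. an http://
    URL or a path that does not exist."""
    if "://" in config_location and not config_location.startswith("file://"):
        return None
    path = Path(_local_path(config_location))
    if not path.is_file():
        return None
    return str(path.resolve().parent)


def resolve_placeholders(text: str, variables: Dict[str, str]) -> str:
    """Substitute ${VAR} / ${VAR:default} in text. A defined variable wins over the
    default. An undefined variable with no default is left untouched so that the
    unresolved path stays visible instead of silently becoming an empty string
    (this fallback is this example's choice, not documented behaviour)."""
    def repl(match: "re.Match[str]") -> str:
        name, default = match.group(1), match.group(2)
        if name in variables:
            return variables[name]
        if default is not None:
            return default
        return match.group(0)

    return _PLACEHOLDER.sub(repl, text)


def load_config_text(config_location: str) -> str:
    """Read a configuration file and resolve PARENT_DIR in it, as described above."""
    parent = parent_dir_of(config_location)
    variables = {"PARENT_DIR": parent} if parent is not None else {}
    with open(_local_path(config_location)) as fh:
        return resolve_placeholders(fh.read(), variables)


def demo() -> Tuple[Optional[str], str]:
    """Constructed sample: a config file whose policy location is relative to the
    file via ${PARENT_DIR}. Returns (PARENT_DIR value, resolved file text)."""
    conf_dir = tempfile.mkdtemp()
    conf_path = os.path.join(conf_dir, "pdp.xml")
    with open(conf_path, "w") as fh:
        fh.write("<policyLocation>${PARENT_DIR}/policies/root.xml</policyLocation>")
    return parent_dir_of(conf_path), load_config_text(conf_path)
```

A practical consequence of the undefined case: when the PDP configuration is loaded from somewhere other than a local file, every path that relies on ${PARENT_DIR} without a default is left unresolved, so either give each placeholder a default or use absolute paths in such deployments.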
XML schema versioning: the 'version' attribute of the root 'schema' element identifies the Major.Minor.Patch version of this schema. The Major.Minor part must match the Major.Minor part of the first compatible version of the authzforce-ce-core library. The Patch version is used for any backwards-compatible change. The Minor version is incremented after any change that is NOT backwards-compatible (as a result, the authzforce-ce-core library's minor version is incremented as well). The Major.Minor version part must be part of the target namespace, but not the Patch version, so as to separate namespaces that are not backwards-compatible.
Attribute Provider that provides attributes not already provided in the XACML request by the PEP, e.g. from external sources. There must be one and only one Java class - say 'com.example.FooAttributeProviderModuleFactory' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.AttributeProviderModule.Factory<CONF_T>' with a zero-arg constructor, where CONF_T is the JAXB type bound to this XML element type. This attribute Provider may also depend on previously defined 'attributeProviders' to find dependency attributes, i.e. attributes that this Provider does not support itself but requires in order to find its supported attributes. Therefore, if an 'attributeProvider' AFy requires/depends on an attribute A that is not to be provided by the PEP, another 'attributeProvider' AFx providing this attribute A must be declared before AFy.
URI of an attribute datatype to be added to supported datatypes. There must be one and only one Java class - say 'com.example.FooValueFactory' - on the classpath implementing
interface 'org.ow2.authzforce.core.value.DatatypeFactory' with zero-arg constructor, such that this URI equals: new com.example.FooValueFactory().getId().
URI of a function to be added to supported functions. There must be one and only one Java class - say 'com.example.FooFunction' - on the classpath implementing interface
'com.sun.xacml.Function' with zero-arg constructor, such that this URI equals: new com.example.FooFunction().getId().
URI of a set of functions to be added to supported functions. There must be one and only one Java class - say 'com.example.FooFunctionSet' - on the classpath implementing
interface 'org.ow2.authzforce.core.func.FunctionSet' with zero-arg constructor, such that this URI equals: new com.example.FooFunctionSet().getId().
URI of a policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say 'com.example.FooCombiningAlg' - on the classpath
implementing interface 'org.ow2.authzforce.core.pdp.api.CombiningAlg' with zero-arg constructor, such that this URI equals: new com.example.FooCombiningAlg().getId().
Referenced policy Provider that resolves Policy(Set)IdReferences. There must be one and only one Java class - say 'com.example.FooRefPolicyProviderModuleFactory' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.RefPolicyProviderModule.Factory<CONF_T>' with a zero-arg constructor, where CONF_T is the JAXB type bound to this XML element type. This referenced policy Provider may also use any of the 'refPolicyProvider' elements previously defined, if any, for Policy(Set)IdReference resolution, as some IdReferences may not be supported by this Provider. This element is not required if the root policies found by the 'rootPolicyProvider' are always Policy elements, and not PolicySet elements.
Root/top-level policy Provider that provides the root/top-level Policy(Set) to the PDP for evaluation. There must be one and only one Java class - say 'com.example.FooRootPolicyProviderModuleFactory' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.RootPolicyProviderModule.Factory<CONF_T>' with a zero-arg constructor, where CONF_T is the JAXB type bound to this XML element type. This class may also implement 'org.ow2.authzforce.core.pdp.api.RefPolicyProviderModule.Factory<CONF_T>' to be used as 'refPolicyProvider' as well. This policy Provider may also use any of the 'refPolicyProvider' elements previously defined, if any, for Policy(Set)IdReference resolution.
Decision Response cache that, for a given request, provides the XACML response from a cache if there is a cached response for the given request. There must be one and only one Java class - say 'com.example.FooDecisionCacheFactory' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.DecisionCache.Factory<CONF_T>' with a zero-arg constructor, where CONF_T is the JAXB type bound to this XML element type.
Version of the current schema for which the instance document is valid. Must match the 'version' attribute value of the root 'schema' element in the corresponding version of this schema.
Enable support for XACML core standard attribute datatypes.
Enable support for XACML core standard mandatory functions.
Enable support for XACML core standard combining algorithms.
Enable support for AttributeSelectors and the xpathExpression datatype. This overrides the 'useStandardDatatypes' parameter, i.e. xpathExpression is not supported anyway if 'enableXpath' is false. This feature is experimental (not to be used in production) and may have a negative impact on performance. Use with caution. For your information, AttributeSelector and xpathExpression datatype support is marked as optional in the XACML 3.0 core specification.
Enable strict Attribute Issuer matching, i.e. AttributeDesignators without Issuer only match request Attributes without Issuer (and with the same AttributeId, Category...). This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on an AttributeDesignator; but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Reminder: the XACML 3.0 specification for AttributeDesignator evaluation (§5.29) says: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone."
Maximum depth of Variable reference chaining: VariableDefinition1 -> VariableDefinition2 -> ...; where '->' represents a VariableReference.
Maximum depth of Policy(Set) reference chaining: PolicySet1 -> PolicySet2 -> ... -> Policy(Set)N; where '->' represents a Policy(Set)IdReference.
URI of a XACML Request filter to be enabled. A XACML Request filter is a PDP extension that applies some processing to the request, such as validation and transformation, prior to the policy evaluation. As an example of validation, a Request filter may reject a request containing an unsupported XACML element. As an example of transformation, it may support the MultiRequests element, and more generally the Multiple Decision Profile or Hierarchical Resource Profile, by creating multiple Individual Decision Requests from the original XACML request, as defined in the XACML Multiple Decision Profile specification, section 2; and then call the policy evaluation engine for each Individual Decision Request. At the end, the results (one per Individual Decision Request) may be combined by a DecisionCombiner specified by the next attribute, 'decisionCombiner'.
There must be one and only one Java class - say 'com.example.FooRequestFilter' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.RequestFilter' with a zero-arg constructor, such that this URI equals: new com.example.FooRequestFilter().getId().
If the configuration parameter 'enableXPath' is true, it is the responsibility of the RequestFilter to parse XACML Request/Attributes/Content nodes. If the configuration parameter 'strictAttributeIssuerMatch' is true, it is the responsibility of the RequestFilter to keep values of Attributes with Issuer separate from values of Attributes without Issuer, in the attribute map returned by getNamedAttributes() on the IndividualDecisionRequests produced by the RequestFilter.
The following values of 'requestFilter' are natively supported:
"urn:ow2:authzforce:xacml:request-filter:default-lax": implements only XACML 3.0 Core (NO support for Multiple Decision) and allows duplicate <Attribute> elements with the same meta-data in the same <Attributes> element of a Request (complying with XACML 3.0 core spec, §7.3.3).
"urn:ow2:authzforce:xacml:request-filter:default-strict": implements only XACML 3.0 Core (NO support for Multiple Decision) and does not allow duplicate <Attribute> elements with the same meta-data in the same <Attributes> element of a Request (NOT complying with XACML 3.0 core spec, §7.3.3, but better performance).
"urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax": implements Multiple Decision Profile, section 2.3 (repeated attribute categories), and allows duplicate <Attribute> elements with the same meta-data in the same <Attributes> element of a Request (complying with XACML 3.0 core spec, §7.3.3).
"urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-strict": same as the previous one, except it does not allow duplicate <Attribute> elements with the same meta-data in the same <Attributes> element of a Request (NOT complying with XACML 3.0 core spec, §7.3.3, but better performance).
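The two settings described above ('strictAttributeIssuerMatch' and the lax/strict request filters) both change which request values an AttributeDesignator ends up seeing. The following is an added example, not AuthZForce code, modelling that part of a request filter: bag construction for repeated <Attribute> elements (lax merges, strict rejects) and designator matching with and without Issuer in both issuer-matching modes. The request content, the role AttributeId and the Issuer URI are constructed sample data; the page says only that the strict filters "do not allow" duplicates, so raising an exception for them is this example's choice.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ROLE_ID = "urn:example:attribute:role"  # assumed AttributeId for the sample
STRING = "http://www.w3.org/2001/XMLSchema#string"
IDP = "urn:example:idp"                 # assumed Issuer for the sample


@dataclass(frozen=True)
class AttributeMeta:
    """Metadata of a request <Attribute>: Category from the enclosing <Attributes>,
    the rest from the element itself. issuer is None when the Issuer is absent."""
    category: str
    attribute_id: str
    datatype: str
    issuer: Optional[str] = None


class DuplicateAttributeError(ValueError):
    """Raised here for repeated <Attribute> metadata under a *-strict filter."""


def build_attribute_map(attributes: Iterable[Tuple[AttributeMeta, List[str]]],
                        *, allow_duplicates: bool) -> Dict[AttributeMeta, List[str]]:
    """Bag construction step of a request filter. Lax filters merge the values of
    repeated elements into one bag (XACML 3.0 core, section 7.3.3); strict filters
    reject the request. Bags are keyed by the full metadata including Issuer, which
    keeps values with and without Issuer separate as strict issuer matching needs."""
    bags: Dict[AttributeMeta, List[str]] = {}
    for meta, values in attributes:
        if meta in bags:
            if not allow_duplicates:
                raise DuplicateAttributeError(f"repeated {meta.attribute_id} in {meta.category}")
            bags[meta].extend(values)
        else:
            bags[meta] = list(values)
    return bags


def designator_values(bags: Dict[AttributeMeta, List[str]], *, category: str, attribute_id: str,
                      datatype: str, issuer: Optional[str], strict_issuer_match: bool) -> List[str]:
    """Values an AttributeDesignator sees. With an Issuer on the designator, only bags
    with that Issuer match (both modes). Without one: strict mode matches only bags
    without Issuer; spec mode (section 5.29) ignores Issuer and combines every bag with
    the same Category, AttributeId and DataType."""
    found: List[str] = []
    for meta, values in bags.items():
        if (meta.category, meta.attribute_id, meta.datatype) != (category, attribute_id, datatype):
            continue
        if issuer is not None:
            matched = meta.issuer == issuer
        elif strict_issuer_match:
            matched = meta.issuer is None
        else:
            matched = True
        if matched:
            found.extend(values)
    return found


def sample_request() -> List[Tuple[AttributeMeta, List[str]]]:
    """Constructed sample (not from the page): one role asserted by an IdP, one role
    without Issuer, and a second issuer-less element with the same metadata."""
    return [
        (AttributeMeta(SUBJECT, ROLE_ID, STRING, IDP), ["admin"]),
        (AttributeMeta(SUBJECT, ROLE_ID, STRING), ["guest"]),
        (AttributeMeta(SUBJECT, ROLE_ID, STRING), ["auditor"]),
    ]


def role_values(*, allow_duplicates: bool, strict_issuer_match: bool,
                issuer: Optional[str] = None) -> List[str]:
    """Values of the role designator for the sample request under the given settings."""
    bags = build_attribute_map(sample_request(), allow_duplicates=allow_duplicates)
    return designator_values(bags, category=SUBJECT, attribute_id=ROLE_ID, datatype=STRING,
                             issuer=issuer, strict_issuer_match=strict_issuer_match)


def strict_filter_rejects_sample() -> bool:
    """True if a *-strict request filter would reject the sample (it repeats metadata)."""
    try:
        build_attribute_map(sample_request(), allow_duplicates=False)
    except DuplicateAttributeError:
        return True
    return False
```

The point to check before enabling 'strictAttributeIssuerMatch': a rule such as role == "admin" written with an issuer-less designator matches the IdP-asserted "admin" value in spec mode but not in strict mode, so the decision changes silently. Audit every AttributeDesignator for an Issuer first, as the recommendation above says, and be aware that the spec-compliant mode lets an issuer-less request attribute satisfy the same designator as an IdP-asserted one.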
URI of a XACML decision Result filter to be enabled. A decision Result filter is a PDP extension that processes the result(s) from the policy evaluation before the final XACML Response is created (and returned to the requester). For example, a typical Result filter may combine multiple individual decisions - produced by the 'requestFilter' - into a single decision Result if and only if the XACML Request's 'CombinedDecision' is set to true, as defined in the XACML Multiple Decision Profile specification, section 3. There must be one and only one Java class - say 'com.example.FooDecisionResultFilter' - on the classpath implementing interface 'org.ow2.authzforce.core.pdp.api.DecisionResultFilter' with a zero-arg constructor, such that this URI equals: new com.example.FooDecisionResultFilter().getId().
PolicyProvider loading root policies statically from URLs.
Location of a XML file that is expected to contain the root (aka top-level) Policy or PolicySet. Use the global property 'PARENT_DIR' for paths under the parent directory to the
XML file where this is used.
Policy(Set)IdReference Provider loading policies statically from URLs. Any PolicyIdReference used in a PolicySet here must refer to a Policy loaded here as well. Besides, a PolicySet
P1 must be loaded before any other PolicySet P2 with a reference (PolicySetIdReference) to P1. As PolicySets are loaded in the order of declaration of policyLocations, the order matters for
PolicySetIdReference resolution.
Location of the XML file that is expected to contain the Policy or PolicySet element to be referenced by a Policy(Set)IdReference in the root PolicySet loaded by a root policy Provider. The location may also be a file pattern of the form "file://DIRECTORY_PATH/*SUFFIX", using the wildcard character '*'; in which case the location is expanded to all regular files (not subdirectories) in the directory located at DIRECTORY_PATH with suffix SUFFIX (there may be no SUFFIX; in other words, SUFFIX may be an empty string). The files are NOT searched recursively in sub-directories. Use the global property 'PARENT_DIR' for defining - in a generic way - a path relative to the parent directory of the XML file where this is used.
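The following is an added example, not AuthZForce code, that implements the two rules stated for the static referenced-policy Provider: expansion of a "file://DIRECTORY_PATH/*SUFFIX" pattern to the regular files directly in that directory, and a check that every PolicyIdReference points at a Policy loaded here and every PolicySetIdReference at a PolicySet loaded earlier in declaration order. The policy files are constructed sample data written to a temporary directory; the page does not say in which order files expanded from a pattern are loaded, so sorting them by name is an assumption of this example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"


def expand_policy_location(location: str) -> List[str]:
    """Expand one policyLocation. "file://DIR/*SUFFIX" becomes the regular files
    directly in DIR whose names end with SUFFIX (SUFFIX may be empty; no recursion
    into sub-directories); anything else is a single file. Expanded files are sorted
    by name here because the page leaves their order unspecified."""
    path = location[len("file://"):] if location.startswith("file://") else location
    directory, name = os.path.split(path)
    if not name.startswith("*"):
        return [path]
    suffix = name[1:]
    return sorted(os.path.join(directory, f) for f in os.listdir(directory)
                  if f.endswith(suffix) and os.path.isfile(os.path.join(directory, f)))


def describe(path: str) -> Tuple[str, str, Set[str], Set[str]]:
    """(kind, id, PolicySetIdReferences, PolicyIdReferences) of one policy file."""
    root = ET.parse(path).getroot()
    kind = root.tag.split("}")[-1]
    pid = root.get("PolicyId" if kind == "Policy" else "PolicySetId") or ""
    set_refs = {e.text.strip() for e in root.iter(f"{{{XACML_NS}}}PolicySetIdReference") if e.text}
    pol_refs = {e.text.strip() for e in root.iter(f"{{{XACML_NS}}}PolicyIdReference") if e.text}
    return kind, pid, set_refs, pol_refs


def check_static_load_order(policy_locations: List[str]) -> List[str]:
    """Return the violations of the ordering rules for the given policyLocations
    (empty list means the declaration is consistent)."""
    files = [p for loc in policy_locations for p in expand_policy_location(loc)]
    described = [describe(p) for p in files]
    all_policies = {pid for kind, pid, _, _ in described if kind == "Policy"}
    problems: List[str] = []
    loaded_sets: Set[str] = set()
    for kind, pid, set_refs, pol_refs in described:
        if kind != "PolicySet":
            continue
        problems += [f"{pid}: PolicyIdReference '{r}' is not a Policy loaded here"
                     for r in sorted(pol_refs - all_policies)]
        problems += [f"{pid}: PolicySetIdReference '{r}' is not loaded before it"
                     for r in sorted(set_refs - loaded_sets)]
        loaded_sets.add(pid)
    return problems


def _policy_set(set_id: str, set_refs=(), pol_refs=()) -> str:
    """Minimal constructed PolicySet document with the given references."""
    refs = "".join(f"<PolicySetIdReference>{r}</PolicySetIdReference>" for r in set_refs)
    refs += "".join(f"<PolicyIdReference>{r}</PolicyIdReference>" for r in pol_refs)
    return (f'<PolicySet xmlns="{XACML_NS}" PolicySetId="{set_id}" Version="1.0" '
            'PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">'
            f"<Target/>{refs}</PolicySet>")


def demo() -> Tuple[List[str], List[str]]:
    """Write constructed sample files (not from the page) and return the violations
    found when loading via a '*.xml' pattern and when listing locations explicitly."""
    d = tempfile.mkdtemp()
    files = {
        "01-parent.xml": _policy_set("PS-parent", set_refs=["PS-child"]),
        "02-child.xml": _policy_set("PS-child", pol_refs=["P-leaf"]),
        "leaf.xml": (f'<Policy xmlns="{XACML_NS}" PolicyId="P-leaf" Version="1.0" '
                     'RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">'
                     "<Target/></Policy>"),
        "README.txt": "ignored: wrong suffix",
    }
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    # A nested file must be ignored by the pattern (no recursion); it would add a
    # violation if it were picked up.
    os.mkdir(os.path.join(d, "sub"))
    with open(os.path.join(d, "sub", "99-nested.xml"), "w") as fh:
        fh.write(_policy_set("PS-nested", set_refs=["PS-missing"]))
    by_pattern = check_static_load_order([f"file://{d}/*.xml"])
    explicit = check_static_load_order(
        [f"file://{d}/leaf.xml", f"file://{d}/02-child.xml", f"file://{d}/01-parent.xml"])
    return by_pattern, explicit
```

With the pattern, the parent PolicySet sorts before the child it references and the check reports it; listing the locations explicitly with the child first passes. Running a check like this against the configured policyLocations before deployment catches the ordering mistake without starting the PDP.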
Static Root Policy Provider based on the RefPolicyProvider, i.e. the root policy is a PolicySet retrieved using the RefPolicyProvider (mandatory in this case).