Namespace:
Content: complex, 2 elements
Defined: globally in pdp.xsd; see XML source
Includes: definitions of 2 elements
Used: at 1 location

XML Representation Summary
<...>
</...>
Pair of compatible PDP input/output processors (requestPreproc and resultPostproc, respectively), where compatible means: requestPreproc.getOutputRequestType() == resultPostproc.getRequestType()

Type: xs:anyURI, predefined, simple content
URI of an XACML Request pre-processor to be enabled. An XACML Request preprocessor is a PDP extension that applies some processing to the request, such as validation and transformation, prior to the policy evaluation. As an example of validation, a Request preprocessor may reject a request containing an unsupported XACML element. As an example of transformation, it may support the MultiRequests element, and more generally the Multiple Decision Profile or Hierarchical Resource Profile, by creating multiple Individual Decision Requests from the original XACML request, as defined in the XACML Multiple Decision Profile specification, section 2, and then calling the policy evaluation engine for each Individual Decision Request. At the end, the results (one per Individual Decision Request) may be combined by a Result postprocessor specified by the next attribute, resultPostproc.
There must be one and only one Java class on the classpath (say, com.example.FooRequestPreproc) implementing the interface org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor with a zero-argument constructor, and this URI must match the one returned by: new com.example.FooRequestPreproc().getId().
If the configuration parameter enableXPath is true, it is the responsibility of the Request preprocessor to parse XACML Request/Attributes/Content nodes. If the configuration parameter strictAttributeIssuerMatch is true, it is the responsibility of the Request preprocessor to keep values of Attributes with Issuer separate from values of Attributes without Issuer, in the attribute map returned by getNamedAttributes() on the IndividualDecisionRequests produced by the Request preprocessor.
The following values of requestPreproc are natively supported:
More info about Request Preprocessors is available on the AuthzForce wiki.

Type: xs:anyURI, predefined, simple content
URI of an XACML decision Result post-processor to be enabled. A decision Result post-processor is a PDP extension that processes the result(s) from the policy evaluation before the final XACML Response is created (and returned to the requester). For example, a typical Result post-processor may combine multiple individual decisions, produced by the requestPreproc, into a single decision Result if and only if the XACML Request's CombinedDecision is set to true, as defined in the XACML Multiple Decision Profile specification, section 3. There must be one and only one Java class on the classpath (say, com.example.FooResultPostproc) implementing the interface org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor with a zero-argument constructor, and this URI must match the one returned by: new com.example.FooResultPostproc().getId().
More info about Result Postprocessors is available on the AuthzForce wiki.
XML schema documentation generated with FlexDoc/XML 1.12.2 using FlexDoc/XML XSDDoc 2.9.1 template set. All XSD diagrams generated by FlexDoc/XML DiagramKit.