element <tns:pdp> (global)
Namespace:
Type:
anonymous complexType
Content:
complex, 11 attributes, 8 elements
Defined:
globally in pdp.xsd; see XML source
Includes:
definitions of 11 attributes, 8 elements
Used:
never
XML Representation Summary
<tns:pdp
    version = xs:token
    useStandardDatatypes = xs:boolean : "true"
    useStandardFunctions = xs:boolean : "true"
    useStandardCombiningAlgorithms = xs:boolean : "true"
    standardEnvAttributeSource = ("REQUEST_ELSE_PDP" | "REQUEST_ONLY" | "PDP_ONLY") : "REQUEST_ELSE_PDP"
    enableXPath = xs:boolean : "false"
    strictAttributeIssuerMatch = xs:boolean : "false"
    maxIntegerValue = xs:positiveInteger : "2147483647"
    maxVariableRefDepth = xs:nonNegativeInteger
    maxPolicyRefDepth = xs:nonNegativeInteger
    clientRequestErrorVerbosityLevel = xs:nonNegativeInteger : "0"
    >
    Content: tns:attributeDatatype*, tns:function*, tns:combiningAlgorithm*, tns:attributeProvider*, tns:policyProvider, tns:rootPolicyRef?, tns:decisionCache?, tns:ioProcChain*
</tns:pdp>
Content model elements (8):
tns:attributeDatatype, tns:attributeProvider, tns:combiningAlgorithm, tns:decisionCache, tns:function, tns:ioProcChain, tns:policyProvider, tns:rootPolicyRef
Annotation
PDP configuration
XML Source (w/o annotations (18); see within schema source)
<xs:element name="pdp">
  <xs:complexType>
    <xs:sequence>
      <xs:element maxOccurs="unbounded" minOccurs="0" name="attributeDatatype" type="xs:anyURI"/>
      <xs:element maxOccurs="unbounded" minOccurs="0" name="function" type="xs:anyURI"/>
      <xs:element maxOccurs="unbounded" minOccurs="0" name="combiningAlgorithm" type="xs:anyURI"/>
      <xs:element maxOccurs="unbounded" minOccurs="0" ref="tns:attributeProvider"/>
      <xs:element maxOccurs="1" minOccurs="1" name="policyProvider" type="authz-ext:AbstractPolicyProvider"/>
      <xs:element maxOccurs="1" minOccurs="0" name="rootPolicyRef" type="tns:TopLevelPolicyElementRef"/>
      <xs:element maxOccurs="1" minOccurs="0" name="decisionCache" type="authz-ext:AbstractDecisionCache"/>
      <xs:element maxOccurs="unbounded" minOccurs="0" name="ioProcChain" type="tns:InOutProcChain"/>
    </xs:sequence>
    <xs:attribute name="version" type="xs:token" use="required"/>
    <xs:attribute default="true" name="useStandardDatatypes" type="xs:boolean" use="optional"/>
    <xs:attribute default="true" name="useStandardFunctions" type="xs:boolean" use="optional"/>
    <xs:attribute default="true" name="useStandardCombiningAlgorithms" type="xs:boolean" use="optional"/>
    <xs:attribute default="REQUEST_ELSE_PDP" name="standardEnvAttributeSource" type="tns:StandardEnvironmentAttributeSource" use="optional"/>
    <xs:attribute default="false" name="enableXPath" type="xs:boolean" use="optional"/>
    <xs:attribute default="false" name="strictAttributeIssuerMatch" type="xs:boolean" use="optional"/>
    <xs:attribute default="2147483647" name="maxIntegerValue" type="xs:positiveInteger" use="optional"/>
    <xs:attribute name="maxVariableRefDepth" type="xs:nonNegativeInteger" use="optional"/>
    <xs:attribute name="maxPolicyRefDepth" type="xs:nonNegativeInteger" use="optional"/>
    <xs:attribute default="0" name="clientRequestErrorVerbosityLevel" type="xs:nonNegativeInteger" use="optional"/>
  </xs:complexType>
  <xs:key name="datatypeKey">
    <xs:selector xpath="tns:attributeDatatype"/>
    <xs:field xpath="."/>
  </xs:key>
  <xs:key name="functionKey">
    <xs:selector xpath="tns:function"/>
    <xs:field xpath="."/>
  </xs:key>
  <xs:key name="algorithmKey">
    <xs:selector xpath="tns:combiningAlgorithm"/>
    <xs:field xpath="."/>
  </xs:key>
  <xs:key name="refPolicyProviderKey">
    <xs:selector xpath="tns:refPolicyProvider"/>
    <xs:field xpath="@id"/>
  </xs:key>
  <xs:key name="attributeProviderKey">
    <xs:selector xpath="tns:attributeProvider"/>
    <xs:field xpath="@id"/>
  </xs:key>
  <xs:key name="requestPreprocKey">
    <xs:selector xpath="tns:ioProcChain/tns:requestPreproc"/>
    <xs:field xpath="."/>
  </xs:key>
</xs:element>
Attribute Detail (all declarations; defined within this component only; 11/11)
clientRequestErrorVerbosityLevel
Type:
xs:nonNegativeInteger, predefined
Use:
optional
Level of verbosity of the error message trace returned in case of client request errors, e.g. invalid requests. Increasing this value usually helps the clients better pinpoint the issue with their Requests. This parameter is relevant to the Result postprocessor (resultPostproc parameter) which is expected to enforce this verbosity level when returning Indeterminate Results due to client request errors. The Result postprocessor must return all error messages in the Java stacktrace up to the same level as this parameter's value if the stacktrace is bigger, else the full stacktrace.
Attribute Value
Default:
"0"
XML Source (w/o annotations (1); see within schema source)
<xs:attribute default="0" name="clientRequestErrorVerbosityLevel" type="xs:nonNegativeInteger" use="optional"/>

enableXPath
Type:
xs:boolean, predefined
Use:
optional
Enable support for AttributeSelectors, the xpathExpression datatype and the xpath-node-count function. This overrides the useStandardDatatypes parameter, i.e. xpathExpression is not supported anyway if enableXPath is false. This feature is experimental (not to be used in production) and may have a negative impact on performance. Use with caution. For your information, AttributeSelector and xpathExpression datatype support is marked as optional in the XACML 3.0 core specification.
Attribute Value
Default:
"false"
XML Source (w/o annotations (1); see within schema source)
<xs:attribute default="false" name="enableXPath" type="xs:boolean" use="optional"/>

maxIntegerValue
Type:
xs:positiveInteger, predefined
Use:
optional
Maximum absolute integer value. This is the expected maximum absolute value for XACML attributes of standard type http://www.w3.org/2001/XMLSchema#integer (requires useStandardDatatypes = true). Decreasing this value as much as possible helps the PDP engine optimize the processing of integer values (lower memory consumption, faster computations).
Attribute Value
Default:
"2147483647"
XML Source (w/o annotations (1); see within schema source)
<xs:attribute default="2147483647" name="maxIntegerValue" type="xs:positiveInteger" use="optional"/>

maxPolicyRefDepth
Type:
xs:nonNegativeInteger, predefined
Use:
optional
Maximum depth of Policy(Set) reference chaining: PolicySet1 -> PolicySet2 -> ... -> Policy(Set)N; where -> represents a Policy(Set)IdReference. It is recommended to specify a value for this attribute in production for security/safety reasons. Indeed, if not specified, no maximum is enforced (unlimited).
XML Source (w/o annotations (1); see within schema source)
<xs:attribute name="maxPolicyRefDepth" type="xs:nonNegativeInteger" use="optional"/>

maxVariableRefDepth
Type:
xs:nonNegativeInteger, predefined
Use:
optional
Maximum depth of Variable reference chaining: VariableDefinition1 -> VariableDefinition2 -> ...; where -> represents a VariableReference. It is recommended to specify a value for this attribute in production for security/safety reasons. Indeed, if not specified, no maximum is enforced (unlimited).
XML Source (w/o annotations (1); see within schema source)
<xs:attribute name="maxVariableRefDepth" type="xs:nonNegativeInteger" use="optional"/>
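Both maxPolicyRefDepth and maxVariableRefDepth bound the length of a reference chain, and leaving either unset means no bound at all. The following added example (not AuthzForce code; the sample reference graphs and the function names are constructed for this illustration) walks such a chain the way a depth-limited resolver would, counting each `->` as one level, and shows what the limit buys: a chain longer than the configured depth is rejected instead of being followed, and a looping chain, which an unlimited walk would never finish, is reported as a cycle.

```python
# Added example (not AuthzForce code): depth-limited resolution of a reference
# chain such as PolicySet1 -> PolicySet2 -> ... -> Policy(Set)N, where the arrows
# are Policy(Set)IdReferences (or VariableReferences for maxVariableRefDepth).
from typing import Dict, List, Optional

# Constructed sample graphs: each key is a Policy(Set) id, each value the ids it references.
SAMPLE_POLICY_REFS: Dict[str, List[str]] = {
    "root": ["ps1"],
    "ps1": ["ps2"],
    "ps2": ["leaf"],
    "leaf": [],
}
# A reference loop: root -> ps1 -> root. With no maximum and no cycle check this never terminates.
SAMPLE_CYCLIC_REFS: Dict[str, List[str]] = {"root": ["ps1"], "ps1": ["root"]}


class RefDepthExceeded(Exception):
    """Chain is longer than the configured maximum."""


class RefCycle(Exception):
    """A Policy(Set) references one of its own ancestors."""


def resolve_chain(refs: Dict[str, List[str]], start: str,
                  max_ref_depth: Optional[int] = None) -> List[str]:
    """Depth-first walk from `start`. Depth counts arrows: root -> ps1 is depth 1.
    max_ref_depth=None models the attribute being unset: no maximum is enforced,
    so the cycle check below is the only thing stopping a looping chain."""
    order: List[str] = []

    def walk(node: str, depth: int, path: List[str]) -> None:
        order.append(node)
        for child in refs.get(node, []):
            if child in path:
                raise RefCycle(" -> ".join(path + [child]))
            if max_ref_depth is not None and depth + 1 > max_ref_depth:
                raise RefDepthExceeded(
                    f"{' -> '.join(path + [child])} exceeds max depth {max_ref_depth}")
            walk(child, depth + 1, path + [child])

    walk(start, 0, [start])
    return order


def max_chain_depth(refs: Dict[str, List[str]], start: str) -> int:
    """Longest reference chain below `start`: the smallest value the depth attribute may take."""
    def depth(node: str, path: List[str]) -> int:
        best = 0
        for child in refs.get(node, []):
            if child in path:
                raise RefCycle(" -> ".join(path + [child]))
            best = max(best, 1 + depth(child, path + [child]))
        return best
    return depth(start, [start])


def classify_chain(refs: Dict[str, List[str]], start: str,
                   max_ref_depth: Optional[int]) -> str:
    """'ok', 'depth-exceeded' or 'cycle', for use in a pre-deployment check."""
    try:
        resolve_chain(refs, start, max_ref_depth)
    except RefDepthExceeded:
        return "depth-exceeded"
    except RefCycle:
        return "cycle"
    return "ok"


if __name__ == "__main__":
    print(max_chain_depth(SAMPLE_POLICY_REFS, "root"))        # 3
    print(classify_chain(SAMPLE_POLICY_REFS, "root", 2))      # depth-exceeded
    print(classify_chain(SAMPLE_CYCLIC_REFS, "root", None))   # cycle
```

Running max_chain_depth over the policy repository you actually deploy gives the lowest value that still resolves every chain; setting the attribute to that value (plus whatever headroom a policy update needs) keeps the limit meaningful rather than merely present.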

standardEnvAttributeSource
Type:
tns:StandardEnvironmentAttributeSource, simpleType
Use:
optional
Attribute Value
enumeration of xs:string
Enumeration:
"REQUEST_ELSE_PDP", "REQUEST_ONLY", "PDP_ONLY"
Default:
"REQUEST_ELSE_PDP"
XML Source (see within schema source)
<xs:attribute default="REQUEST_ELSE_PDP" name="standardEnvAttributeSource" type="tns:StandardEnvironmentAttributeSource" use="optional"/>

strictAttributeIssuerMatch
Type:
xs:boolean, predefined
Use:
optional

true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the Issuer field.

Strict Attribute Issuer matching means that an AttributeDesignator without Issuer matches only request Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present in the Attribute Designator, but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Indeed, the XACML 3.0 Attribute Evaluation section §5.29 says: If the Issuer is not present in the AttributeDesignator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone. Therefore, if strictAttributeIssuerMatch is false, since policies may use AttributeDesignators without Issuer, if the requests are using matching Attributes but with none, one or more different Issuers, this PDP engine has to gather all the values from all the attributes with matching Category/AttributeId but with any Issuer or no Issuer. Therefore, in order to stay compliant with §5.29 and still enforce best practice, when strictAttributeIssuerMatch = true, we also require that all AttributeDesignators set the Issuer field.

Attribute Value
Default:
"false"
XML Source (w/o annotations (1); see within schema source)
<xs:attribute default="false" name="strictAttributeIssuerMatch" type="xs:boolean" use="optional"/>
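The two matching modes described above are easiest to see on a concrete request. The following added example (not AuthzForce code; the dataclasses, the sample request and the function names are constructed for this illustration) evaluates one AttributeDesignator against a request that asserts the same subject-id with no Issuer, with the expected Issuer and with a different Issuer: with strictAttributeIssuerMatch false, a designator without Issuer collects all three values as §5.29 requires, while with strictAttributeIssuerMatch true the designator must name an Issuer and only that issuer's values are collected.

```python
# Added example (not AuthzForce code): how an AttributeDesignator's Issuer is
# matched against request Attributes under strictAttributeIssuerMatch true/false.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"


@dataclass(frozen=True)
class RequestAttribute:
    category: str
    attribute_id: str
    datatype: str
    issuer: Optional[str]          # None = Issuer not present on the request Attribute
    values: Tuple[str, ...]


@dataclass(frozen=True)
class AttributeDesignator:
    category: str
    attribute_id: str
    datatype: str
    issuer: Optional[str] = None   # None = Issuer not present on the designator


class DesignatorIssuerRequired(ValueError):
    """Raised in strict mode for a designator that does not set Issuer."""


def gather_values(designator: AttributeDesignator, request: List[RequestAttribute],
                  strict_attribute_issuer_match: bool = False) -> List[str]:
    """Return the bag of values the designator evaluates to.

    strict=False (XACML 3.0 §5.29): a designator without Issuer matches on
    Category/AttributeId/DataType alone, so values from attributes with no Issuer
    and with any Issuer are all collected.
    strict=True: every designator must set Issuer (else error), and only request
    Attributes carrying exactly that Issuer match."""
    if strict_attribute_issuer_match and designator.issuer is None:
        raise DesignatorIssuerRequired(
            f"strictAttributeIssuerMatch=true but designator {designator.attribute_id} has no Issuer")
    bag: List[str] = []
    for attr in request:
        if (attr.category, attr.attribute_id, attr.datatype) != (
                designator.category, designator.attribute_id, designator.datatype):
            continue
        if designator.issuer is None or attr.issuer == designator.issuer:
            bag.extend(attr.values)
    return bag


def strict_rejects(designator: AttributeDesignator, request: List[RequestAttribute]) -> bool:
    """True if strict mode refuses to evaluate this designator at all."""
    try:
        gather_values(designator, request, strict_attribute_issuer_match=True)
    except DesignatorIssuerRequired:
        return True
    return False


# Constructed sample request: the same subject-id asserted three times, with no
# Issuer, with the Issuer the policy expects, and with a different Issuer.
SAMPLE_REQUEST = [
    RequestAttribute(SUBJECT_CAT, SUBJECT_ID, STRING, None, ("alice",)),
    RequestAttribute(SUBJECT_CAT, SUBJECT_ID, STRING, "idp.example", ("alice@idp",)),
    RequestAttribute(SUBJECT_CAT, SUBJECT_ID, STRING, "other.example", ("bob",)),
]
DESIGNATOR_NO_ISSUER = AttributeDesignator(SUBJECT_CAT, SUBJECT_ID, STRING)
DESIGNATOR_IDP = AttributeDesignator(SUBJECT_CAT, SUBJECT_ID, STRING, "idp.example")
```

The non-strict run over SAMPLE_REQUEST returns a three-value bag mixing issuers, which is exactly the behaviour §5.29 mandates for a designator without Issuer; the strict run is only allowed for DESIGNATOR_IDP and returns the single value from that issuer, which is why the schema documentation recommends strict mode only once every designator in the policy set names its Issuer.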

useStandardCombiningAlgorithms
Type:
xs:boolean, predefined
Use:
optional
Enable support for XACML core standard combining algorithms. If false, only algorithms specified in combiningAlgorithm elements are available to the PDP, and therefore only these algorithms may be used in policies.
Attribute Value
Default:
"true"
XML Source (w/o annotations (1); see within schema source)
<xs:attribute default="true" name="useStandardCombiningAlgorithms" type="xs:boolean" use="optional"/>

useStandardDatatypes
Type:
xs:boolean, predefined
Use:
optional
Enable support for XACML core standard mandatory datatypes. If false, only datatypes specified in attributeDatatype elements are available to the PDP, and therefore only these datatypes may be used in policies.
Attribute Value
Default:
"true"
XML Source (w/o annotations (1); see within schema source)
<xs:attribute default="true" name="useStandardDatatypes" type="xs:boolean" use="optional"/>

useStandardFunctions
Type:
xs:boolean, predefined
Use:
optional
Enable support for XACML core standard mandatory functions. Requires useStandardDatatypes=true if true; if false, only functions specified in function elements are available to the PDP, and therefore only these functions may be used in policies.
Attribute Value
Default:
"true"
XML Source (w/o annotations (1); see within schema source)
<xs:attribute default="true" name="useStandardFunctions" type="xs:boolean" use="optional"/>

version
Type:
xs:token, predefined
Use:
required
Version of the current schema for which the instance document is valid. Must match the version attribute value of the root schema element in the corresponding version of this schema.
XML Source (w/o annotations (1); see within schema source)
<xs:attribute name="version" type="xs:token" use="required"/>
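The attribute descriptions above amount to a short checklist for a production configuration: the two depth limits must be set, enableXPath should stay false, useStandardFunctions needs useStandardDatatypes, policyProvider is mandatory, and the xs:key constraints forbid declaring the same datatype, function, algorithm URI or provider id twice. The following added example (not AuthzForce code) lints a pdp configuration document against that checklist. It matches elements by local name so it does not depend on the pdp namespace URI of a particular schema version; the namespace in the two sample documents is a placeholder and the sample policyProvider omits the xsi:type a real configuration needs, since the lint does not inspect it.

```python
# Added example (not AuthzForce code): a pre-deployment lint of a <pdp> configuration
# document against the safety-relevant attributes and key constraints documented above.
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity: "error" | "warn" | "info", message)

# xs:key constraints on the pdp element: element -> key it must be unique under.
KEYED_URI_ELEMENTS: Dict[str, str] = {
    "attributeDatatype": "datatypeKey",
    "function": "functionKey",
    "combiningAlgorithm": "algorithmKey",
}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _xs_bool(value: str) -> bool:
    """xs:boolean lexical forms: true/1 are true, false/0 are false."""
    return value.strip() in ("true", "1")


def lint_pdp_config(xml_text: str) -> List[Finding]:
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "pdp":
        return [("error", f"root element is <{_local(root.tag)}>, expected <pdp>")]
    a = root.attrib
    children = list(root)
    findings: List[Finding] = []

    if "version" not in a:
        findings.append(("error", "version attribute is required"))
    for name in ("maxPolicyRefDepth", "maxVariableRefDepth"):
        if name not in a:
            findings.append(("warn", f"{name} not set: no maximum is enforced on reference chains; set it in production"))
    if _xs_bool(a.get("enableXPath", "false")):
        findings.append(("warn", "enableXPath=true: experimental, not for production, may hurt performance"))
    verbosity = int(a.get("clientRequestErrorVerbosityLevel", "0"))
    if verbosity > 0:
        findings.append(("info", f"clientRequestErrorVerbosityLevel={verbosity}: up to {verbosity} Java stack-trace messages are returned to clients on invalid requests"))
    if not _xs_bool(a.get("strictAttributeIssuerMatch", "false")):
        findings.append(("info", "strictAttributeIssuerMatch=false: designators without Issuer match any Issuer (XACML §5.29 behaviour, slower)"))
    if a.get("maxIntegerValue", "2147483647") == "2147483647":
        findings.append(("info", "maxIntegerValue at default 2147483647: lowering it lets the engine optimise integer handling"))
    if not _xs_bool(a.get("useStandardDatatypes", "true")) and _xs_bool(a.get("useStandardFunctions", "true")):
        findings.append(("error", "useStandardFunctions=true requires useStandardDatatypes=true"))

    if not any(_local(c.tag) == "policyProvider" for c in children):
        findings.append(("error", "policyProvider element is required (minOccurs=1)"))

    for elem, key in KEYED_URI_ELEMENTS.items():
        uris = Counter((c.text or "").strip() for c in children if _local(c.tag) == elem)
        for uri, n in uris.items():
            if n > 1:
                findings.append(("error", f"{elem} '{uri}' declared {n} times, violates {key}"))
    ids = Counter(c.get("id") for c in children if _local(c.tag) == "attributeProvider")
    for pid, n in ids.items():
        if n > 1:
            findings.append(("error", f"attributeProvider id '{pid}' declared {n} times, violates attributeProviderKey"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(sev for sev, _ in findings))


# Constructed samples with a placeholder namespace URI.
WEAK_CONFIG = """<pdp xmlns="urn:example:pdp-namespace-placeholder" version="8.0"
     enableXPath="true" clientRequestErrorVerbosityLevel="10">
  <attributeDatatype>urn:example:datatype:foo</attributeDatatype>
  <attributeDatatype>urn:example:datatype:foo</attributeDatatype>
  <policyProvider id="pp"/>
</pdp>"""

HARDENED_CONFIG = """<pdp xmlns="urn:example:pdp-namespace-placeholder" version="8.0"
     maxPolicyRefDepth="10" maxVariableRefDepth="10"
     strictAttributeIssuerMatch="true" maxIntegerValue="1000000">
  <attributeDatatype>urn:example:datatype:foo</attributeDatatype>
  <policyProvider id="pp"/>
</pdp>"""

if __name__ == "__main__":
    for severity, message in lint_pdp_config(WEAK_CONFIG):
        print(f"[{severity}] {message}")
```

WEAK_CONFIG produces one error (the duplicated datatype URI, which the datatypeKey constraint would also reject at schema validation time), three warnings (both depth limits unset, XPath enabled) and three informational findings; HARDENED_CONFIG produces none. The "info" findings are deliberate trade-offs the page documents rather than mistakes, so a CI gate would normally fail only on errors and warnings.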
Content Element Detail (all declarations; defined within this component only; 8/8)
tns:attributeDatatype
Type:
xs:anyURI, predefined, simple content

URI of an XACML attribute datatype to be added to supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every datatype, there must be one and only one Java class on the classpath - say com.example.FooValueFactory - implementing interface org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory with zero-arg constructor, and this URI must match the one returned by new com.example.FooValueFactory().getId().

More info about Attribute Data-types is available on AuthzForce wiki.

XML Source (w/o annotations (1); see within schema source)
<xs:element maxOccurs="unbounded" minOccurs="0" name="attributeDatatype" type="xs:anyURI"/>

tns:attributeProvider
Type:
XML Source (see within schema source)
<xs:element maxOccurs="unbounded" minOccurs="0" ref="tns:attributeProvider"/>

tns:combiningAlgorithm
Type:
xs:anyURI, predefined, simple content
URI of a XACML policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say com.example.FooCombiningAlg - on the classpath implementing interface org.ow2.authzforce.core.pdp.api.combining.CombiningAlg with zero-arg constructor, and this URI must match the one returned by: new com.example.FooCombiningAlg().getId().

More info about Policy and Rule Combining Algorithms is available on AuthzForce wiki.

XML Source (w/o annotations (1); see within schema source)
<xs:element maxOccurs="unbounded" minOccurs="0" name="combiningAlgorithm" type="xs:anyURI"/>

tns:decisionCache
Type:
authz-ext:AbstractDecisionCache, complex content

Decision cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request. There must be one and only one Java class on the classpath - say com.example.FooDecisionCacheFactory - implementing interface org.ow2.authzforce.core.pdp.api.DecisionCache.Factory<CONF_T> with zero-arg constructor, where CONF_T is the JAXB type bound to this XML element type.

More info about Decision Cache extensions is available on AuthzForce wiki.

XML Source (w/o annotations (1); see within schema source)
<xs:element maxOccurs="1" minOccurs="0" name="decisionCache" type="authz-ext:AbstractDecisionCache"/>

tns:function
Type:
xs:anyURI, predefined, simple content
URI of a XACML function to be added to supported functions. For every function, its return type and all its parameter types must be either standard mandatory ones enabled by useStandardDatatypes attribute, or custom ones declared in previous attributeDatatype elements; and there must be one and only one Java class - say com.example.FooFunction - on the classpath implementing interface org.ow2.authzforce.core.pdp.api.func.Function with zero-arg constructor, and this URI must match the one returned by: new com.example.FooFunction().getId().

More info about Functions is available on AuthzForce wiki.

XML Source (w/o annotations (1); see within schema source)
<xs:element maxOccurs="unbounded" minOccurs="0" name="function" type="xs:anyURI"/>

tns:ioProcChain
Type:
tns:InOutProcChain, complex content
I/O processing chains if specific processing before and/or after policy evaluation by the PDP engine is required. Each chain must handle a different input datatype. In other words, there is no more than one I/O processing chain per supported input type, e.g. one for XACML/XML input, another for XACML/JSON input.
XML Source (w/o annotations (1); see within schema source)
<xs:element maxOccurs="unbounded" minOccurs="0" name="ioProcChain" type="tns:InOutProcChain"/>

tns:policyProvider
Type:
authz-ext:AbstractPolicyProvider, complex content

XACML Policy Provider that resolves Policy(Set)IdReferences. There must be one and only one Java class on the classpath - say com.example.FooPolicyProviderFactory - implementing interface org.ow2.authzforce.core.pdp.api.policy.CloseablePolicyProvider.Factory<CONF_T> with zero-arg constructor, where CONF_T is the JAXB type bound to this XML element type.

More info about Policy Providers (how to make/use one) is available on AuthzForce wiki.

Implementation classes can use the org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders() method to replace ${property_name} placeholders with the properties listed below. You may use ! (exclamation mark) as a separating character between the placeholder property name and a default value that is used if the property is undefined. E.g. ${PARENT_DIR!/home/foo/conf} will be replaced with /home/foo/conf if PARENT_DIR is undefined. In the location, you may use placeholders enclosed between ${ and } for the following properties:

  • the global property PARENT_DIR for defining - in a generic way - a path relative to the parent directory to the XML file where this is used;
  • Java system properties;
  • System environment variables.

XML Source (w/o annotations (1); see within schema source)
<xs:element maxOccurs="1" minOccurs="1" name="policyProvider" type="authz-ext:AbstractPolicyProvider"/>
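The placeholder syntax described above, ${name} with an optional !default, is simple enough to reimplement for a configuration pre-check. The following added example (not AuthzForce code, and not its replacePlaceholders() implementation) expands placeholders from the three documented sources and also lists the placeholders a given location string would fail to resolve, so a missing environment variable is caught before the PDP starts. The lookup order used here (PARENT_DIR, then a dictionary standing in for Java system properties, then environment variables) is an assumption made for the illustration; the page only lists the three sources.

```python
# Added example (not AuthzForce code): ${name} and ${name!default} placeholder
# expansion as described for Policy Provider locations. Lookup order is assumed.
import os
import re
from typing import List, Mapping, Optional

# ${NAME} or ${NAME!default}; '!' separates the property name from its default value.
PLACEHOLDER = re.compile(r"\$\{([^}!]+)(?:!([^}]*))?\}")


class UndefinedPlaceholder(KeyError):
    """A placeholder with no value and no default."""


def _lookup(name: str, parent_dir: Optional[str],
            system_properties: Mapping[str, str], environ: Mapping[str, str]) -> Optional[str]:
    if name == "PARENT_DIR":          # directory of the XML file being loaded
        return parent_dir
    if name in system_properties:     # stands in for Java system properties
        return system_properties[name]
    return environ.get(name)          # OS environment variables


def replace_placeholders(text: str, parent_dir: Optional[str] = None,
                         system_properties: Optional[Mapping[str, str]] = None,
                         environ: Optional[Mapping[str, str]] = None) -> str:
    """Expand every placeholder in `text`; raise if one is undefined and has no default."""
    props = system_properties or {}
    env = os.environ if environ is None else environ

    def expand(m) -> str:
        name, default = m.group(1), m.group(2)
        value = _lookup(name, parent_dir, props, env)
        if value is not None:
            return value
        if default is None:
            raise UndefinedPlaceholder(name)
        return default

    return PLACEHOLDER.sub(expand, text)


def unresolved_placeholders(text: str, parent_dir: Optional[str] = None,
                            system_properties: Optional[Mapping[str, str]] = None,
                            environ: Optional[Mapping[str, str]] = None) -> List[str]:
    """Names that would fail expansion: a cheap config check before starting the PDP."""
    props = system_properties or {}
    env = os.environ if environ is None else environ
    return [m.group(1) for m in PLACEHOLDER.finditer(text)
            if m.group(2) is None and _lookup(m.group(1), parent_dir, props, env) is None]


if __name__ == "__main__":
    # The page's own example: PARENT_DIR undefined, so the default after '!' is used.
    print(replace_placeholders("${PARENT_DIR!/home/foo/conf}/policies", environ={}))
```

Passing an explicit `environ` dictionary, as the tests do, keeps the check deterministic; leaving it out reads the real process environment, which is what you want when running the check on the host that will run the PDP.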

tns:rootPolicyRef
Type:
tns:TopLevelPolicyElementRef, simple content
Identifies the root policy from which the policy evaluation begins. This identifier must be resolved by the Policy Provider configured previously (cf. policyProvider element). In case this is not specified, the policy returned by the PolicyProvider#getCandidateRootPolicy() method is used as root policy. Refer to the respective PolicyProvider's documentation for more information.
Simple Content
xs:anyURI
XML Source (w/o annotations (1); see within schema source)
<xs:element maxOccurs="1" minOccurs="0" name="rootPolicyRef" type="tns:TopLevelPolicyElementRef"/>

XML schema documentation generated with FlexDoc/XML 1.12.2 using FlexDoc/XML XSDDoc 2.9.1 template set. All XSD diagrams generated by FlexDoc/XML DiagramKit.