Data model of AuthZForce PDP configuration.
XML schema versioning: the version attribute of the root schema element identifies the Major.Minor version of this schema. The Minor version is used for any backwards-compatible change. The Major version is incremented after any change that is NOT backwards-compatible. The Major version part must be suffix of the target namespace - but not the Minor version - to separate namespaces that are not backwards-compatible.
All Element Summary |
||||||||||||
|
URI of an XACML attribute datatype to be added to supported datatypes.
|
||||||||||||
|
XACML Attribute Provider that provides attributes not already provided in the XACML request from PEP, e.g. from external sources.
|
||||||||||||
|
URI of a XACML policy/rule-combining algorithm to be added to supported algorithms.
|
||||||||||||
|
Decision cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request.
|
||||||||||||
|
URI of a XACML function to be added to supported functions.
|
||||||||||||
|
I/O processing chains if specific processing before and/or after policy evaluation by the PDP engine is required.
|
||||||||||||
|
PDP configuration
|
||||||||||||
|
Location of the XML file that is expected to contain the Policy or PolicySet element to be referenced by a Policy(Set)IdReference in the root PolicySet loaded by a root policy Provider.
|
||||||||||||
|
XACML Policy Provider that resolves Policy(Set)IdReferences.
|
||||||||||||
|
URI of a XACML Request pre-processor to be enabled.
|
||||||||||||
|
URI of a XACML decision Result post-processor to be enabled.
|
||||||||||||
|
Identifies the root policy from which the policy evaluation begins.
|
||||||||||||
Complex Type Summary |
||||||||||
|
Pair of compatible PDP input/output processors - resp. requestPreproc and resultPostproc - where compatible means: requestPreproc.getOutputRequestType() == resultPostproc.getRequestType()
|
||||||||||
|
Policy(Set) Provider loading policies statically from URLs.
|
||||||||||
|
Reference to a policy element, i.e. a XACML PolicySet or XACML Policy
|
||||||||||
Simple Type Summary |
||||||
|
Defines the source for the standard environment attributes specified in §10.2.5: current-time, current-date and current-dateTime.
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema elementFormDefault="qualified" targetNamespace="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1" xmlns="http://www.w3.org/1999/xhtml" xmlns:authz-ext="http://authzforce.github.io/xmlns/pdp/ext/3" xmlns:tns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns:xacml="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:import namespace="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"/>
<xs:annotation>
<xs:documentation xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
</xs:annotation>
<p>
</xs:documentation>
Data model of AuthZForce PDP configuration.
</p>
<p>
XML schema versioning: the
</p>
<i>version</i>
attribute of the root
<i>schema</i>
element identifies the
<i>Major.Minor</i>
version of this
schema. The <i>Minor</i>
version is used for any backwards-compatible change. The
<i>Major</i>
version is
incremented after any change that is NOT backwards-compatible. The <i>Major</i>
version part
must be suffix of the target namespace - but not the <i>Minor</i>
version - to
separate namespaces that are not backwards-compatible.
<xs:annotation>
</xs:annotation>
</xs:element>
<xs:sequence>
</xs:complexType>
<xs:element maxOccurs="unbounded" minOccurs="0" name="attributeDatatype" type="xs:anyURI">
</xs:sequence>
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
URI of an XACML attribute datatype to be added to supported datatypes. Policies require datatypes for function arguments and AttributeAssignment expressions. For every datatype,
</p>
there must be one and only one Java class on the classpath - say <i>com.example.FooValueFactory</i>
- implementing interface
<i>
org.ow2.authzforce.core.pdp.api.value.AttributeValueFactory
</i>
with zero-arg
constructor, and this URI must match the one returned by <i>new com.example.FooValueFactory().getId()</i>
.
<p>
More info about Attribute Data-types is available on
</p>
<a href="https://github.com/authzforce/core/wiki/XACML-Data-Types">AuthzForce wiki</a>
.
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
URI of a XACML function to be added to supported functions. For every function, its return type and all its parameter types must be either standard mandatory ones enabled by
</xs:documentation>
<i>useStandardDatatypes</i>
attribute, or custom ones declared in previous
<i>attributeDatatype</i>
elements; and there must be one and only one Java class - say
<i>com.example.FooFunction</i>
- on the
classpath implementing interface <i>org.ow2.authzforce.core.pdp.api.func.Function</i>
with zero-arg constructor, and this URI must match the one returned by:
<i>new com.example.FooFunction().getId()</i>
.
<p>
More info about Functions is available on
</p>
<a href="https://github.com/authzforce/core/wiki/XACML-Functions">AuthzForce wiki</a>
.
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
URI of a XACML policy/rule-combining algorithm to be added to supported algorithms. There must be one and only one Java class - say
</xs:documentation>
<i>com.example.FooCombiningAlg</i>
- on the
classpath implementing interface <i>
org.ow2.authzforce.core.pdp.api.combining.CombiningAlg
</i>
with zero-arg constructor, and this URI must match the one returned by:
<i>
new
</i>
com.example.FooCombiningAlg().getId() .
<p>
More info about Policy and Rule Combining Algorithms is available on
</p>
<a href="https://github.com/authzforce/core/wiki/XACML-Combining-Algorithms">AuthzForce wiki</a>
.
<xs:element maxOccurs="1" minOccurs="1" name="policyProvider" type="authz-ext:AbstractPolicyProvider">
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
XACML Policy Provider that resolves
</p>
<i>Policy(Set)IdReference</i>
s. There must be one and only one Java class on the classpath - say
<i>com.example.FooPolicyProviderFactory</i>
- implementing interface
<i>
org.ow2.authzforce.core.pdp.api.policy.CLoseablePolicyProvider.Factory<CONF_T>
</i>
with zero-arg constructor, where
<i>CONF_T</i>
is the JAXB type bound
to this XML element type. <p>
More info about Policy Providers (how to make/use one) is available on
</p>
<a href="https://github.com/authzforce/core/wiki/Policy-Providers">AuthzForce wiki</a>
.
<p>
Implementation classes can use
</p>
<i>
org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
</i>
method to replace
<i>${property_name}</i>
placeholders with such properties. You
may use <i>!</i>
(exclamation mark) as a
separating character between the placeholder property name and a default value that is used if the property is undefined. E.g. <i>${PARENT_DIR!/home/foo/conf}</i>
will be replaced with
<i>/home/foo/conf</i>
if
<i>PARENT_DIR</i>
is undefined.
In the location, you may use placeholders enclosed between <i>${</i>
and
<i>}</i>
for the following properties:
<ul>
<li>
</ul>
the global property
</li>
<i>PARENT_DIR</i>
for
defining - in a generic way - a path relative to the parent directory to the XML file where this is used; <li>
Java system properties;
</li>
<li>
System environment variables.
</li>
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
Identifies the root policy from which the policy evaluation begins. This identifier must be resolved by the Policy Provider configured previously (cf.
</xs:documentation>
<i>policyProvider</i>
element). In case this is not specified, the policy returned by the
<i>PolicyProvider#getCandidateRootPolicy()</i>
method is used as root policy. Refer to the respective PolicyProvider's documentation for more information.
<xs:element maxOccurs="1" minOccurs="0" name="decisionCache" type="authz-ext:AbstractDecisionCache">
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
Decision cache that, for a given request, provides the XACML policy evaluation result from a cache if there is a cached result for the given request. There must be
</p>
one and only one Java class on the classpath - say <i>com.example.FooDecisionCacheFactory</i>
-implementing interface
<i>
org.ow2.authzforce.core.pdp.api.DecisionCache.Factory<CONF_T>
</i>
with zero-arg
constructor, where <i>CONF_T</i>
is the JAXB type bound to this XML element type.
<p>
More info about Decision Cache extensions is available on
</p>
<a href="https://github.com/authzforce/core/wiki/Decision-Caches">AuthzForce wiki</a>
.
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
I/O processing chains if specific processing before and/or after policy evaluation by the PDP engine is required. Each chain must handle a different input datatype. In
</xs:documentation>
other words, there is no more than one I/O processing chain per supported input type, e.g. one for XACML/XML input, another for XACML/JSON input.
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Version of the current schema for which the instance
</xs:documentation>
document is valid. Must match the <i>version</i>
attribute value of the
root <i>schema</i>
element in the corresponding version
of this schema.
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Enable support for XACML core standard mandatory
</xs:documentation>
datatypes. If <i>false</i>
, only datatypes specified in
<i>attributeDatatype</i>
elements are available to the PDP, and therefore
only these datatypes may be be used in policies.
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Enable support for XACML core standard mandatory
</xs:documentation>
functions. Requires <i>useStandardDatatypes=true</i>
if true; if false, only functions specified in
<i>function</i>
elements are
available to the PDP, and therefore only these functions may be be used in policies. <xs:attribute default="true" name="useStandardCombiningAlgorithms" type="xs:boolean" use="optional">
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Enable support for XACML core standard combining
</xs:documentation>
algorithms. If false, only algorithms specified in <i>combiningAlgorithm</i>
elements are available to the PDP, and therefore
only these algorithms may be be used in policies. <xs:attribute default="REQUEST_ELSE_PDP" name="standardEnvAttributeSource" type="tns:StandardEnvironmentAttributeSource" use="optional"/>
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Enable support for
</xs:documentation>
<i>AttributeSelectors</i>
,
<i>xpathExpression</i>
datatype and
<i>xpath-node-count</i>
function. This
overrides <i>useStandardDatatypes</i>
parameter, i.e.
<i>xpathExpression</i>
is
not supported anyway if <i>enableXpath</i>
is false. This feature is
experimental (not to be used in production) and may have a negative impact on performance. Use with caution. For your information, <i>AttributeSelector</i>
and
<i>xpathExpression</i>
datatype support is marked
as optional in XACML 3.0 core specification.
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
true iff we want strict Attribute Issuer matching and we require that all AttributeDesignators set the
</p>
Issuer field. <p>
<i>Strict Attribute Issuer matching</i>
</p>
means that an AttributeDesignator without Issuer matches only request
Attributes without Issuer. This mode is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is not present in the Attribute Designator, but it performs better and is recommended when all AttributeDesignators have an Issuer (best practice). Indeed, the XACML 3.0 Attribute Evaluation section §5.29 says: <i>
If the Issuer is not present in the AttributeDesignator, then the matching of the
</i>
attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone. Therefore, if
<i>strictAttributeIssuerMatch</i>
is false, since policies may use
<i>AttributeDesignator</i>
s without
Issuer, if the requests are using matching Attributes but with none, one or more different Issuers, this PDP engine has to gather all the values from all the attributes with matching Category/AttributeId but with any Issuer or no Issuer. Therefore, in order to stay compliant with §5.29 and still enforce best practice, when <i>
strictAttributeIssuerMatch =
</i>
true , we also require that all
AttributeDesignators set the Issuer field.
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Maximum absolute integer value. This is the expected maximum absolute value for XACML attributes of standard type
</xs:documentation>
<i>http://www.w3.org/2001/XMLSchema#integer</i>
(requires
<i>
useStandardDatatypes
</i>
= true ). Decreasing this value as much
as possible helps the PDP engine optimize the processing of integer values (lower memory consumption, faster computations).
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Maximum depth of Variable reference chaining:
</xs:documentation>
<i>VariableDefinition1 -> VariableDefinition2 -> ...</i>
; where
<i>-></i>
represents a
VariableReference. It is recommended to specify a value for this attribute in production for security/safety reasons. Indeed, if not specified, no maximum is enforced (unlimited).
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Maximum depth of Policy(Set) reference chaining:
</xs:documentation>
<i>PolicySet1 -> PolicySet2 -> ... -> Policy(Set)N</i>
; where
<i>-></i>
represents
a <i>Policy(Set)IdReference</i>
. It is
recommended to specify a value for this attribute in production for security/safety reasons. Indeed, if not specified, no maximum is enforced (unlimited). <xs:attribute default="0" name="clientRequestErrorVerbosityLevel" type="xs:nonNegativeInteger" use="optional">
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
Level of verbosity of the error message trace returned in case of client request errors, e.g. invalid requests. Increasing this value
</xs:documentation>
usually helps the clients better pinpoint the issue with their Requests. This parameter is relevant to the Result postprocessor ( <i>resultPostproc</i>
parameter) which is expected to
enforce this verbosity level when returning Indeterminate Results due to client request errors. The Result postprocessor must return all error messages in the Java stacktrace up to the same level as this parameter's value if the stacktrace is bigger, else the full stacktrace. <xs:key name="datatypeKey">
<xs:selector xpath="tns:attributeDatatype"/>
</xs:key>
<xs:field xpath="."/>
<xs:key name="functionKey">
<xs:selector xpath="tns:function"/>
</xs:key>
<xs:field xpath="."/>
<xs:key name="algorithmKey">
<xs:selector xpath="tns:combiningAlgorithm"/>
</xs:key>
<xs:field xpath="."/>
<xs:key name="refPolicyProviderKey">
<xs:selector xpath="tns:refPolicyProvider"/>
</xs:key>
<xs:field xpath="@id"/>
<xs:key name="attributeProviderKey">
<xs:selector xpath="tns:attributeProvider"/>
</xs:key>
<xs:field xpath="@id"/>
<xs:key name="requestPreprocKey">
<xs:selector xpath="tns:ioProcChain/tns:requestPreproc"/>
</xs:key>
<xs:field xpath="."/>
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
XACML Attribute Provider that provides attributes not already provided
</p>
in the XACML request from PEP, e.g. from external sources. There must be one and only one Java class on the classpath - say <i>com.example.FooAttributeProviderFactory</i>
-
implementing interface <i>
org.ow2.authzforce.core.pdp.api.CloseableDesignatedAttributeProvider.Factory<CONF_T>
</i>
with
zero-arg constructor, where <i>CONF_T</i>
is the JAXB type bound to
this XML element type. This Attribute Provider may also depend on previously defined <i>attributeProviders</i>
, to find dependency
attributes, i.e. attributes that this Provider does not support itself, but requires to find its supported attributes. Therefore, if an <i>attributeProvider</i>
AP1
requires/depends on an attribute A that is not to be provided in the XACML request from the PEP, another <i>attributeProvider</i>
AP2
providing this attribute A must be declared before AP1. <p>
More info about Attribute Providers (how to make/use one) is available on
</p>
<a href="https://github.com/authzforce/core/wiki/Attribute-Providers">AuthzForce wiki</a>
.
<p>
Such configurations (XML instances of this schema)
</p>
may use placeholders enclosed between <i>${</i>
and
<i>}</i>
for the following properties:
<ul>
<li>
</ul>
the global property
</li>
<i>PARENT_DIR</i>
for defining - in a generic
way - a path relative to the parent directory to the XML file where this is used; <li>
Java system properties;
</li>
<li>
System environment variables.
</li>
<p>
Implementation classes can use
</p>
<i>
org.ow2.authzforce.pd.api.EnvironmentProperties#replacePlaceholders()
</i>
to replace
<i>${property_name}</i>
placeholders with such properties.
You may use <i>!</i>
(exclamation mark) as a separating character
between the placeholder property name and a default value that is used if the property is undefined. E.g. <i>${PARENT_DIR!/home/foo/conf}</i>
will be
replaced with <i>/home/foo/conf</i>
if
<i>PARENT_DIR</i>
is undefined.
<p>
In the location, you
</p>
may use placeholders enclosed between <i>${</i>
and
<i>}</i>
for the following properties:
<ul>
<li>
</ul>
the global property
</li>
<i>PARENT_DIR</i>
for defining - in a generic way - a path relative to the parent directory to the
XML file where this is used; <li>
Java system properties;
</li>
<li>
System environment variables.
</li>
<xs:annotation>
</xs:simpleType>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
Defines the source for the standard environment attributes specified
</p>
in §10.2.5: current-time, current-date and current-dateTime. The options are: <dl>
<dt>REQUEST_ELSE_PDP</dt>
</dl>
<dd>
The default choice, that complies with the
</dd>
XACML standard (§10.2.5): <i>
If
</i>
values for these attributes are not present in the decision request, then their values MUST be supplied by the context handler . In our case,
<i>context handler</i>
means the
PDP. In other words, the attribute values come from request by default, or from the PDP if (and *only if* in this case) they are not set in the request. More precisely, if any of these standard environment attributes is provided in the request, none of the PDP values is used, even if some policy requires one that is missing from the request. Indeed, this is to avoid such case when the decision request specifies at least one date/time attribute, e.g. current-time, but not all of them, e.g. not current-dateTime, and the policy requires both the one(s) provided and the one(s) not provided. In this case, if the PDP provides its own value(s) for the missing attributes (e.g. current-dateTime), this may cause some inconsistencies since we end up having date/time attributes coming from two different sources/environments (current-time and current-dateTime for instance). In short, since this option introduces some ambiguities with regards to the XACMl specification, we strongly recommend to use the other options below. <dt>REQUEST_ONLY</dt>
<dd>
Always use the value from the request, or nothing
</dd>
if the value is not set in the request, in which case this results in Indeterminate (missing attribute) if the policy evaluation requires it. <dt>PDP_ONLY</dt>
<dd>
Always use the values from the PDP. In other words,
</dd>
Request values are simply ignored; PDP values systematically override the ones from the request. This also guarantees that they are always set (by the PDP). NB: note that the XACML standard (§10.2.5) says: "If values for these attributes are not present in the decision request, then their values MUST be supplied by the context handler" but it does NOT say "If AND ONLY IF values..." So this option could still be considered XACML compliant in a strict sense. <xs:restriction base="xs:string">
<xs:enumeration value="REQUEST_ELSE_PDP"/>
</xs:restriction>
<xs:enumeration value="REQUEST_ONLY"/>
<xs:enumeration value="PDP_ONLY"/>
<xs:annotation>
</xs:complexType>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
Pair of compatible PDP input/output processors - resp.
</p>
<i>requestPreproc</i>
and
<i>resultPostproc</i>
- where
<i>compatible</i>
means:
<i>
requestPreproc.getOutputRequestType() ==
</i>
resultPostproc.getRequestType()
<xs:element name="requestPreproc" type="xs:anyURI">
</xs:sequence>
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
URI of a XACML Request pre-processor to be enabled. A XACML Request
</p>
preprocessor is a PDP extension that applies some processing of the request, such as validation and transformation, prior to the policy evaluation. As an example of validation, a Request preprocessor may reject a request containing an unsupported XACML element. As an example of transformation, it may support the MultiRequests element, and more generally the Multiple Decision Profile or Hierarchical Resource Profile by creating multiple Individual Decision Requests from the original XACML request, as defined in XACML Multiple Decision Profile specification, section 2; and then call the policy evaluation engine for each Individual Decision Request. At the end, the results (one per Individual Decision Request) may be combined by a Result postprocessor specified by next attribute <i>resultPostproc</i>
.
<p>
There must be one and only one Java class on the classpath - say
</p>
<i>com.example.FooRequestPreproc</i>
- implementing
interface <i>
org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor
</i>
with
zero-arg constructor, and this URI must match the one returned by: <i>
new
</i>
com.example.FooRequestPreproc().getId() .
<p>
If the configuration parameter
</p>
<i>enableXPath</i>
is true, it is the
responsibility of the Request preprocessor to parse XACML Request/Attributes/Content nodes. If the configuration parameter <i>strictAttributeIssuerMatch</i>
is true, it is the responsibility of
the Request preprocessor to keep values of Attributes with Issuer separate from values of Attributes without Issuer, in the attribute map returned by <i>getNamedAttributes()</i>
on
the IndividualDecisionRequests produced by the Request preprocessor. <p>
The following values of
</p>
<i>requestPreproc</i>
are natively supported:
<dl>
<dt>
</dl>
urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax
</dt>
<dd>
implements only XACML 3.0 Core (NO support for Multiple Decision)
</dd>
and allows duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (complying with XACML 3.0 core spec, §7.3.3) <dt>
urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-strict
</dt>
<dd>
implements only XACML 3.0 Core (NO support for Multiple Decision)
</dd>
and does not allow duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (NOT complying with XACML 3.0 core spec, §7.3.3, but better performances) <dt>
urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax
</dt>
<dd>
implements Multiple Decision Profile, section 2.3
</dd>
(repeated attribute categories), and allows duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (complying with XACML 3.0 core spec, §7.3.3) <dt>
urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-strict
</dt>
<dd>
same as previous one, except it does not allow
</dd>
duplicate <Attribute> with same meta-data in the same <Attributes> element of a Request (NOT complying with XACML 3.0 core spec, §7.3.3, but better performances) <p>
More info about Request Preprocessors is available on
</p>
<a href="https://github.com/authzforce/core/wiki/XACML-Request-Preprocessors">AuthzForce wiki</a>
.
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
URI of a XACML decision Result post-processor to be enabled.
</p>
A decision Result post-processor is a PDP extension that process the result(s) from the policy evaluation before the final XACML Response is created (and returned back to the requester). For example, a typical Result post-processor may combine multiple individual decisions - produced by the <i>requestPreproc</i>
- to a
single decision Result if and only if the XACML Request's <i>CombinedDecision</i>
is
set to true, as defined in XACML Multiple Decision Profile specification, section 3. There must be one and only one Java class on the classpath - say <i>com.example.FooResultPostproc</i>
-
implementing interface <i>
org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor
</i>
with
zero-arg constructor, and this URI must match the one returned by: <i>
new
</i>
com.example.FooResultPostproc().getId() .
<p>
More info about Result Postprocessors is available on
</p>
<a href="https://github.com/authzforce/core/wiki/XACML-Result-Postprocessors">AuthzForce wiki</a>
.
<xs:annotation>
</xs:complexType>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
Policy(Set) Provider loading policies
</p>
statically from URLs. Any <i>PolicyIdReference</i>
used in a PolicySet here
must refer to a Policy loaded here as well. Besides, a PolicySet P1 must be loaded before any other PolicySet P2 with a reference (PolicySetIdReference) to P1. As PolicySets are loaded in the order of declaration of <i>policyLocation</i>
s, the order
matters for PolicySetIdReference resolution. This PolicyProvider implements the <i>PolicyProvider#getCandidateRootPolicy()</i>
- the method provides a default root policy to be used when the PDP's configuration parameter
<i>rootPolicyRef</i>
is undefined - as follows:
<ul>
<li>
</ul>
If there is one and only one XACML Policy provided (e.g. one or more
</li>
<i>policyLocation</i>
s are defined, pointing to one or more versions of the same XACML Policy), return the latest version of this Policy;
<li>
Else apply the same rule to XACML PolicySet(s);
</li>
<li>
Else no candidate (e.g. there is more than one XACML Policy and more than one XACML PolicySet, in which case the
</li>
<i>rootPolicyRef</i>
must be explicitly defined in PDP's configuration to make the choice).
<xs:complexContent>
<xs:extension base="authz-ext:AbstractPolicyProvider">
</xs:complexContent>
<xs:sequence>
</xs:extension>
<xs:element maxOccurs="unbounded" minOccurs="1" name="policyLocation" type="xs:anyURI">
</xs:sequence>
<xs:annotation>
</xs:element>
<xs:documentation>
</xs:annotation>
<p>
</xs:documentation>
Location of the XML file that is expected to
</p>
contain the Policy or PolicySet element to be referenced by a Policy(Set)IdReference in the root PolicySet loaded by a root policy Provider. The location may also be a file pattern in the form <i>file://DIRECTORY_PATH/*SUFFIX</i>
or
<i>file://DIRECTORY_PATH/**...*SUFFIX</i>
, etc. (arbitrarily long sequence of wildcard characters) in
which case the location is expanded to all regular files in the directory located at <i>DIRECTORY_PATH</i>
with suffix
<i>SUFFIX</i>
, not crossing directory boundaries if using a single wildcard; but crossing
directory boundaries if using more than a single wildcard (there may not be a SUFFIX; in other words, SUFFIX may be an empty string). The number of wildcards in the sequence <i>**....*</i>
defines the
maximum number of directory levels to search. <p>
In the location, you may use placeholders enclosed between
</p>
<i>${</i>
and
<i>}</i>
for the following properties:
<ul>
<li>
</ul>
The global property
</li>
<i>PARENT_DIR</i>
for
defining - in a generic way - a path relative to the parent directory to the XML file where this is used; <li>
Java system properties;
</li>
<li>
System environment variables.
</li>
<p>
You may use
</p>
<i>!</i>
(exclamation mark) as a separating
character between the placeholder property name and a default value that is used if the property is undefined. E.g. <i>${PARENT_DIR!/home/foo/conf}</i>
will be
replaced with <i>/home/foo/conf</i>
if
<i>PARENT_DIR</i>
is undefined.
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
true iff all versions of any policy must be ignored except the last, i.e. whenever there are multiple versions for the same policy ID, do as if only the last one exists.
</xs:documentation>
<xs:annotation>
</xs:complexType>
<xs:documentation>
</xs:annotation>
Reference to a policy element, i.e. a XACML PolicySet or XACML Policy
</xs:documentation>
<xs:simpleContent>
<xs:extension base="xs:anyURI">
</xs:simpleContent>
<xs:attribute name="version" type="xacml:VersionType" use="optional">
</xs:extension>
<xs:annotation>
</xs:annotation>
</xs:attribute>
<xs:annotation>
</xs:attribute>
<xs:documentation>
</xs:annotation>
If
</xs:documentation>
<i>policySet=true</i>
, then look for a XACML PolicySet matching the identifier and versions if defined.
If <i>policySet=false</i>
, then look for a XACML Policy matching the identifier and versions if defined.
If this attribute is not specified, look for a XACML Policy matching the identifier and version, then if not found, look for a XACML PolicySet matching the identifier and version. </xs:schema>
|
XML schema documentation generated with FlexDoc/XML 1.12.2 using FlexDoc/XML XSDDoc 2.9.1 template set. All XSD diagrams generated by FlexDoc/XML DiagramKit. |