Core

AuthzForce ABAC/XACML PDP engine


Quality Score

0/100

Supported Platforms

Universal

README

Javadocs: PDP engine Javadocs, XACML/JSON extension Javadocs, Test utilities Javadocs

AuthzForce Core (Community Edition)

Authorization PDP (Policy Decision Point) engine implementing the OASIS XACML v3.0.

AuthzForce Core may be used in the following ways:

  • Java API: you may use AuthzForce Core from your Java code to instantiate an embedded Java PDP.
  • CLI (Command-Line Interface): you may call AuthzForce Core PDP engine from the command-line (e.g. in a script) by running the provided executable.

HTTP/REST server: if you are interested in using an HTTP/REST API compliant with REST Profile of XACML 3.0, check the AuthzForce RESTful PDP project and AuthzForce server project.

Features

Compliance with the following OASIS XACML 3.0 standards

For further details on what is actually supported regarding the XACML specifications, please refer to the conformance tests README.

Enhancements to the XACML standard

Interfaces

  • Java API: basically a library for instantiating and using a PDP engine from your Java (or any Java-compatible) code;
  • CLI (Command-Line Interface): basically an executable that you can run from the command-line to test the engine;
  • HTTP/REST API compliant with REST Profile of XACML 3.0 is provided by AuthzForce RESTful PDP project for PDP only, and AuthzForce server project for PDP and PAP with multi-tenancy.

Safety & Security

  • Prevention of circular XACML policy references (PolicyIdReference/PolicySetIdReference) as mandated by XACML 3.0;
  • Control of the maximum XACML PolicyIdReference/PolicySetIdReference depth;
  • Prevention of circular XACML variable references (VariableReference) as mandated by XACML 3.0;
  • Control of the maximum XACML VariableReference depth.
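
The policy-reference checks listed above can be reproduced as a pre-deployment lint over a set of policy documents. The following is an added example, not AuthzForce code: it builds the PolicyIdReference/PolicySetIdReference graph from XACML 3.0 documents and reports circular references, unresolved references and chains longer than a limit. The `max_depth` parameter, the definition of depth as the number of reference hops from the root, and the sample policy sets are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"  # XACML 3.0 core namespace

def build_ref_graph(documents):
    """Map each top-level (kind, id) to the (kind, id) pairs it references."""
    graph = {}
    for xml_text in documents:  # assumed trusted, administrator-authored policies
        root = ET.fromstring(xml_text)
        kind = root.tag.replace(NS, "")  # "Policy" or "PolicySet"
        refs = [(k, (ref.text or "").strip())
                for k in ("Policy", "PolicySet")
                for ref in root.iter(NS + k + "IdReference")]
        graph[(kind, root.get(kind + "Id"))] = refs
    return graph

def check_refs(graph, root, max_depth):
    """Walk references from root; return a list of problems (empty if none)."""
    problems = []

    def walk(node, chain):  # chain = nodes already on the path; len(chain) = hops
        path = " -> ".join(i for _, i in chain + [node])
        if node in chain:
            problems.append("circular reference: " + path)
        elif len(chain) > max_depth:
            problems.append("reference depth exceeded: " + path)
        elif node not in graph:
            problems.append("unresolved reference: " + path)
        else:
            for ref in graph[node]:
                walk(ref, chain + [node])

    walk(root, [])
    return problems

def policy_set(policy_set_id, *refs):
    """Constructed, minimal PolicySet (Target and combining algorithm omitted)."""
    body = "".join("<PolicySetIdReference>%s</PolicySetIdReference>" % r for r in refs)
    return ('<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" '
            'PolicySetId="%s" Version="1.0">%s</PolicySet>' % (policy_set_id, body))

# Constructed samples: one reference cycle, one plain chain of two hops.
CYCLIC = [policy_set("root", "A"), policy_set("A", "B"), policy_set("B", "A")]
CHAIN = [policy_set("root", "A"), policy_set("A", "B"), policy_set("B")]

if __name__ == "__main__":
    print(check_refs(build_ref_graph(CYCLIC), ("PolicySet", "root"), max_depth=10))
    print(check_refs(build_ref_graph(CHAIN), ("PolicySet", "root"), max_depth=1))
```

References found in nested inline policy sets are attributed to the enclosing top-level document, which is enough to detect cycles between documents.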

Performance:

  • Optional strict multivalued attribute parsing: if enabled, multivalued attributes must be formed by grouping all AttributeValue elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with XACML 3.0 Core specification of Multivalued attributes (§7.3.3), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
  • Optional strict attribute Issuer matching: if enabled, AttributeDesignators without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case where the Issuer is not present on an AttributeDesignator, but it is the recommended option for better performance when all AttributeDesignators have an Issuer (the XACML 3.0 specification (§5.29) says: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.");
  • Optimal integer data-type implementation: the maxIntegerValue configuration parameter (expected maximum absolute value in XACML attributes of type http://www.w3.org/2001/XMLSchema#integer) helps the PDP choose the most efficient Java data-type. By default, the XACML/XML type http://www.w3.org/2001/XMLSchema#integer is mapped to the larger Java data-type: BigInteger. However, this may be overkill for example in the case of integer attributes representing the age of a person; in this case, the Short type is more appropriate and especially more efficient. Therefore, decreasing the maxIntegerValue value as much as possible, based on the range you expect your integer values to fit in, makes the PDP engine more efficient on integer handling: lower memory consumption, faster computations.
  • Pluggable Decision Cache: you can plug in your own XACML Decision Cache mechanism to speed up evaluation of (repetitive) requests. See the Decision Cache extension below for more information.
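
The strict multivalued attribute parsing option changes which request shape is accepted, so requests built with duplicate Attribute elements need to be regrouped before the option is enabled. The following is an added example, not AuthzForce code: it takes a request in the duplicate-Attribute form and rewrites it into the grouped form described above, returning the keys it merged. The sample request and the `urn:example:role` AttributeId are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = "{%s}" % XACML_NS
ET.register_namespace("", XACML_NS)  # serialize with XACML as the default namespace

# Constructed request: the multivalued "role" attribute is sent as two Attribute
# elements, which default parsing accepts and the strict mode does not expect.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:example:role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:example:role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">researcher</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""

def merge_duplicate_attributes(request_xml):
    """Group the AttributeValues of duplicate Attribute elements into the first one.

    Returns (rewritten_xml, merged_keys); merged_keys is empty when the request
    already uses one Attribute element per (Category, AttributeId, Issuer).
    The first element's IncludeInResult flag is the one that is kept.
    """
    # The sample is embedded; parse requests from untrusted clients with a
    # hardened XML parser (e.g. defusedxml) instead.
    root = ET.fromstring(request_xml)
    merged = []
    for attrs in root.iter(NS + "Attributes"):
        first_seen = {}
        for attr in list(attrs.findall(NS + "Attribute")):
            key = (attrs.get("Category"), attr.get("AttributeId"), attr.get("Issuer"))
            if key not in first_seen:
                first_seen[key] = attr
                continue
            # Move the values into the first Attribute, then drop the duplicate.
            first_seen[key].extend(attr.findall(NS + "AttributeValue"))
            attrs.remove(attr)
            merged.append(key)
    return ET.tostring(root, encoding="unicode"), merged

if __name__ == "__main__":
    rewritten, merged = merge_duplicate_attributes(SAMPLE_REQUEST)
    print(merged)
    print(rewritten)
```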

Extensibility points

  • Attribute Datatypes: you may extend the PDP engine with custom XACML attribute datatypes;
  • Functions: you may extend the PDP engine with custom XACML functions;
  • Combining Algorithms: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
  • Attribute Providers a.k.a. PIPs (Policy Information Points): you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation;
  • Request Preprocessor: you may customize the processing of XACML Requests before evaluation by the PDP core engine, e.g. used for supporting new XACML Request formats, and/or implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories](http://docs.oasis-open.org/xacml/3.

GitHub Stars: 101
Category: Development
Updated: 1mo ago
Forks: 26

Languages

Java

Security Score

100/100

Audited on Mar 8, 2026

No findings