XACML Combining Algorithms
AuthzForce supports all the non-deprecated policy and rule combining algorithms defined in the XACML 3.0 core specification and in the Additional Combining Algorithms Profile specification.

However, the XACML 3.0 Core standard allows the use of extra policy/rule combining algorithms not defined in the standards. In order to use an extra algorithm in AuthzForce, you must implement and provide it as a Combining Algorithm extension, or get one from a third party in that form. The AuthzForce project also provides a separate Combining Algorithm extension example for documentation and testing purposes. If you wish to make your own Combining Algorithm extension, read on in the next section. If you wish to test the example provided by AuthzForce, or if you have another one ready for use, you may jump to the section Integrating a Combining Algorithm extension into AuthzForce.
The steps to make your own Combining Algorithm extension go as follows:

- Create a Maven project with `jar` packaging type and the following Maven dependency. Make sure the version matches the one used by the `authzforce-ce-core-pdp-engine` version you are using.

  ```xml
  ...
  <dependencies>
    <dependency>
      <groupId>org.ow2.authzforce</groupId>
      <artifactId>authzforce-ce-core-pdp-api</artifactId>
      <!-- Make sure the version matches the one used by the `authzforce-ce-core-pdp-engine` version you are using. -->
      <version>17.0.0</version>
      <scope>provided</scope>
    </dependency>
    ...
  </dependencies>
  ...
  ```

- Create the Java implementation class, either extending class `org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg<D>` or, as a second resort, implementing interface `org.ow2.authzforce.core.pdp.api.combining.CombiningAlg<D>`, where the type parameter `D` represents the type of elements combined by the algorithm implementation (policy or rule). More precisely, `D` must be one of the following:
  - `org.ow2.authzforce.core.pdp.api.Decidable` (recommended option) for a policy/rule combining algorithm implementation, i.e. one combining policies and rules equally. For example, although the XACML standard specifies two distinct identifiers for the policy combining version and the rule combining version of the deny-unless-permit algorithm, the normative algorithm specification in pseudo-code is the same, and is actually implemented by one single Java class in AuthzForce. We strongly recommend this type parameter for your implementation, as it makes it more generic and maximizes its reuse.
  - `org.ow2.authzforce.core.pdp.api.policy.PolicyEvaluator` for a policy-only combining algorithm, e.g. the XACML Core standard only-one-applicable algorithm, or the on-permit-apply-second policy combining algorithm from XACML 3.0 Additional Combining Algorithms Profile Version 1.0. You may use the AuthzForce `TestOnPermitApplySecondCombiningAlg` class (used for AuthzForce unit tests) as an example of implementation for this algorithm.

  This class must have a public no-argument constructor or no constructor.

- When your implementation class is ready, create a text file `org.ow2.authzforce.core.pdp.api.PdpExtension` in folder `src/main/resources/META-INF/services` (you have to create the folder first) and put the fully qualified name of your implementation class on the first line of this file, like in the example from the AuthzForce source code.

- Run Maven `package` to produce a JAR from the Maven project.
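The following is an added example of the implementation class described in the steps above; it is not code from the AuthzForce project. It is written against `authzforce-ce-core-pdp-api` 17.0.0 (the version in the dependency above), extends `BaseCombiningAlg<Decidable>` as recommended, and implements a hypothetical "unanimous permit" algorithm: Permit only if every applicable combined element returns Permit, Deny (fail closed) on any Deny or Indeterminate, NotApplicable if nothing applies. The package name, class name and algorithm ID are assumptions; the method signatures are those of that API version, so check them against the Javadoc of the API version you depend on.

```java
// Added example, not AuthzForce project code. Package, class name and ID are hypothetical.
package com.example.authz.combining;

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

import oasis.names.tc.xacml._3_0.core.schema.wd_17.DecisionType;
import org.ow2.authzforce.core.pdp.api.Decidable;
import org.ow2.authzforce.core.pdp.api.DecisionResult;
import org.ow2.authzforce.core.pdp.api.EvaluationContext;
import org.ow2.authzforce.core.pdp.api.ExtendedDecision;
import org.ow2.authzforce.core.pdp.api.ExtendedDecisions;
import org.ow2.authzforce.core.pdp.api.PepAction;
import org.ow2.authzforce.core.pdp.api.UpdatableList;
import org.ow2.authzforce.core.pdp.api.combining.BaseCombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlg;
import org.ow2.authzforce.core.pdp.api.combining.CombiningAlgParameter;
import org.ow2.authzforce.core.pdp.api.policy.PrimaryPolicyMetadata;

/**
 * "Unanimous permit" policy/rule combining algorithm (hypothetical):
 * - Permit only if at least one combined element returns Permit and none returns Deny or Indeterminate;
 * - Deny as soon as any element returns Deny or Indeterminate (fail closed: an evaluation error never grants access);
 * - NotApplicable if no element is applicable.
 *
 * To register it, put the fully qualified class name on the first line of
 * src/main/resources/META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension
 * and reference ID in a combiningAlgorithm element of the PDP configuration.
 */
public final class UnanimousPermitCombiningAlg extends BaseCombiningAlg<Decidable>
{
    /** Hypothetical algorithm ID: the value to declare in the PDP configuration's combiningAlgorithm element. */
    public static final String ID = "urn:example:authz:combining-algorithm:unanimous-permit";

    /** Per-policy evaluator holding the combined elements (rules or policies) in their declared order. */
    private static final class Evaluator extends BaseCombiningAlg.Evaluator<Decidable>
    {
        private Evaluator(final Iterable<? extends Decidable> combinedElements)
        {
            super(combinedElements);
        }

        @Override
        public ExtendedDecision evaluate(final EvaluationContext context, final Optional<EvaluationContext> mdpContext,
                final UpdatableList<PepAction> outPepActions, final UpdatableList<PrimaryPolicyMetadata> outApplicablePolicyIdList)
        {
            // Buffer obligations/advice and applicable-policy metadata of Permit results locally: they must only
            // reach the caller if the final decision is Permit (a later Deny discards them, as XACML requires).
            final List<PepAction> permitPepActions = new ArrayList<>();
            final List<PrimaryPolicyMetadata> permitApplicablePolicies = new ArrayList<>();
            boolean atLeastOnePermit = false;

            for (final Decidable element : getCombinedElements())
            {
                final DecisionResult result = element.evaluate(context, mdpContext);
                switch (result.getDecision())
                {
                    case DENY:
                    case INDETERMINATE:
                        // Fail closed. The Indeterminate status detail is intentionally not propagated.
                        return ExtendedDecisions.SIMPLE_DENY;
                    case PERMIT:
                        atLeastOnePermit = true;
                        permitPepActions.addAll(result.getPepActions());
                        permitApplicablePolicies.addAll(result.getApplicablePolicies());
                        break;
                    default:
                        // NOT_APPLICABLE: ignored
                        break;
                }
            }

            if (!atLeastOnePermit)
            {
                return ExtendedDecisions.SIMPLE_NOT_APPLICABLE;
            }
            if (outPepActions != null)
            {
                outPepActions.addAll(permitPepActions);
            }
            if (outApplicablePolicyIdList != null)
            {
                outApplicablePolicyIdList.addAll(permitApplicablePolicies);
            }
            return ExtendedDecisions.SIMPLE_PERMIT;
        }
    }

    /** Public no-argument constructor: required because the PDP discovers extensions through java.util.ServiceLoader. */
    public UnanimousPermitCombiningAlg()
    {
        super(ID, Decidable.class);
    }

    @Override
    public CombiningAlg.Evaluator getInstance(final Iterable<CombiningAlgParameter<? extends Decidable>> params,
            final Iterable<? extends Decidable> combinedElements) throws UnsupportedOperationException, IllegalArgumentException
    {
        // This algorithm takes no CombinerParameters; reject them rather than silently ignoring a misconfigured policy.
        if (params != null && params.iterator().hasNext())
        {
            throw new IllegalArgumentException("Combining algorithm '" + ID + "' does not accept CombinerParameters");
        }
        return new Evaluator(combinedElements);
    }
}
```

Treating Indeterminate as Deny is a deliberate fail-closed choice for this example; the standard algorithms instead return an Indeterminate variant (e.g. Indeterminate{DP}) so that the PEP can distinguish an evaluation error from an explicit denial. If your deployment relies on that distinction for monitoring, keep the standard behaviour and return the Indeterminate result instead.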
Now you have a Combining Algorithm extension ready for integration into AuthzForce Server, as explained in the next section.
This section assumes you have a Combining Algorithm extension in form of a JAR, typically produced by the process described in the previous section.
You may use the AuthzForce PDP Core Tests JAR if you only wish to test the examples in this documentation. This JAR is available on Maven Central: groupId=`org.ow2.authzforce`, artifactId=`authzforce-ce-core-pdp-testutils`, version=`16.0.0`.
Add a `combiningAlgorithm` element, with the algorithm's ID as its value, inside the `pdp` element of the PDP configuration file (XML).