XACML Request Preprocessors

Cyril Dangerville edited this page May 12, 2024 · 13 revisions

With AuthzForce Request Preprocessor extensions, you can support new ways of processing XACML Requests before evaluation by the PDP engine, for example alternative request formats/syntaxes that can be translated to XACML. Such extensions are used, for instance, to implement XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories (§3.3).

Before you can use such an extension in the AuthzForce API, you must implement one or get one from a third party; you then deploy it on AuthzForce Server and enable it on a specific domain. Note that AuthzForce already provides a Request Preprocessor implementing the functionality identified by urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories in XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories (§3.3).

If you wish to make your own Request Preprocessor extension, read the next section. If you wish to test the example provided by AuthzForce, or if you have another one ready for use, you may jump to the section Enabling a Request Preprocessor extension.

Making a Request Preprocessor extension

The steps to make your own Request Preprocessor extension for AuthzForce go as follows:

  1. Create a Maven project with the jar packaging type and the following Maven dependency:

    ...
    <dependencies>
     <dependency>
      <groupId>org.ow2.authzforce</groupId>
      <artifactId>authzforce-ce-core-pdp-api</artifactId>
      <version>17.0.0</version>
     </dependency>
     ...
    </dependencies>
    ...
  2. Create a Java class implementing interface org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor.Factory. This class must have a public no-argument constructor or no constructor. This factory class's main goal is to create instances of org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor. As the latter is an interface, you need a concrete class for your implementation. Whenever possible, extend class org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbRequestPreprocessor instead of implementing the interface DecisionRequestPreprocessor directly, as this makes the implementation easier.

    You may look at the CustomTestRequestPreprocessorFactory class as an example, and also at the SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory (resp. SingleDecisionXacmlJaxbRequestPreprocessor.StrictVariantFactory) class as an example of the -lax (resp. -strict) request preprocessor, which implements the minimal XACML 3.0 Core-compliant request preprocessor identified by urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax (resp. urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-strict).

  3. When your implementation class is ready, create a text file org.ow2.authzforce.core.pdp.api.PdpExtension in folder src/main/resources/META-INF/services (you have to create the folder first) and put the fully qualified name of your implementation class on the first line of this file, like in the example from AuthzForce test source code that is used for the CustomTestRequestPreprocessorFactory class.

  4. Run Maven package to produce a JAR from the Maven project.

Now you have a Request Preprocessor extension ready for integration into AuthzForce Server, as explained in the next section.
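
A pre-deployment check for the JAR produced by steps 3 and 4, given here as an added example that is not part of the AuthzForce code base: it confirms that the service descriptor ended up at META-INF/services/org.ow2.authzforce.core.pdp.api.PdpExtension inside the JAR and that every class it declares is packaged with it. It assumes the factory class is in the same JAR as the descriptor; com.example.MyPreprocFactory and the in-memory sample JAR are constructed for illustration.

```python
import io
import sys
import zipfile

DESCRIPTOR = "org.ow2.authzforce.core.pdp.api.PdpExtension"
# Maven copies src/main/resources to the JAR root, so the file must end up here.
SERVICE_ENTRY = "META-INF/services/" + DESCRIPTOR


def check_extension_jar(jar):
    """Return (declared_classes, problems) for a JAR given as a path or file object."""
    declared, problems = [], []
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if SERVICE_ENTRY not in names:
            stray = sorted(n for n in names if n.rsplit("/", 1)[-1] == DESCRIPTOR)
            hint = f" (found at {stray[0]} instead)" if stray else ""
            return declared, [f"missing {SERVICE_ENTRY}{hint}"]
        for line in zf.read(SERVICE_ENTRY).decode("utf-8").splitlines():
            # Provider-configuration syntax: '#' starts a comment, blanks are skipped.
            cls = line.split("#", 1)[0].strip()
            if not cls:
                continue
            declared.append(cls)
            # Binary class names: a nested factory is Outer$Inner, not Outer.Inner.
            if cls.replace(".", "/") + ".class" not in names:
                problems.append(f"{cls}: no matching .class entry in the JAR")
    if not declared:
        problems.append("descriptor declares no class")
    return declared, problems


def build_sample_jar(entries):
    """Constructed input: an in-memory JAR made from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With a path argument, check a real build output; otherwise use the sample.
    jar = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar({
        SERVICE_ENTRY: b"com.example.MyPreprocFactory\n",  # hypothetical class
        "com/example/MyPreprocFactory.class": b"",
    })
    classes, issues = check_extension_jar(jar)
    print("declared:", classes)
    print("problems:", issues or "none")
    sys.exit(1 if issues else 0)
```

Run it with the path of the JAR built in step 4 as its only argument; a non-zero exit status means a problem was found.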

Enabling a Request Preprocessor extension

Set the requestPreproc element value (inside the ioProcChain element) to the ID corresponding to your implementation in the PDP configuration file (XML).