XacmlPdpService

Service based policy decision point configuration.

Description

Description of the configuration object

PDP type (required)

The PDP type.

  • Allowed Values:

    • File

    • PolicyService

Do test only

Whether or not the PDP responds only to authorization decision testing requests. Use this field to prevent production use during the authorization policy creation and test phase.

Policy finder module name

The XACML policy finder module class name: the name of the class implementing the PolicyFinderModule class. DirX Access ships the following modules by default.

  • ABAC - com.siemens.dxa.services.authz.impl.xacml.pdp.finder.policy.policyservice.AbacPolicyFinderModule: to work with free-formed XACML policies (not limited to the RBAC profile; arbitrary XACML 1.x or 2.0 policies may be used as long as they are valid). These policies are stored in the directory-based policy storage.

  • RBAC - com.siemens.dxa.services.authz.impl.xacml.pdp.finder.policy.policyservice.RbacPolicyFinderModule: to work with XACML policies constrained according to the RBAC profile. These policies are stored in the directory-based policy storage.

  • RBAC_LEGACY - com.siemens.dxa.services.authz.impl.xacml.pdp.finder.policy.policyservice.RbacPolicyFinderModuleLegacy: to work with XACML policies constrained according to the RBAC profile. These policies are stored in the directory-based policy storage. This module has lower performance than the optimized RBAC module; however, internally it evaluates against RBAC XACML policies formed exactly according to the specification, which means that it can be used for policy requesting.

Attribute finder module names

The XACML attribute finders configured for this PDP.

Resource finder module names

The XACML resource finders configured for this PDP.

Policy interpretation identifier

The identifier of the policy template used to resolve subject-specific attributes represented in XACML policies.

Do certification path validation

Whether or not certificate path validation is enabled.

Certification revocation check type

The type of certificate revocation check to perform.

  • Allowed Values:

    • nocheck

    • crlcheck

    • ocspcheck

    • bothcheck

Signature validation policy

The signature validation policy.

  • Allowed Values:

    • disabled

    • optional

    • required

Truststore password

The password of the truststore.

Truststore identifier

The identifier of the truststore with the trust anchors.

Do multiple decision profile

Whether or not the PDP supports the XACML multiple decision profile. The multiple decision profile is supported for XACML 3.0 requests/responses only.

Default policy combining algorithm

The policy-combining algorithm used when the 'XACMLAuthzDecisionQuery' contains a 'Policy' or 'PolicySet' element and the root policy of the PDP is not of a 'PolicySet' type. The effective root policy for such a query is constructed as a new 'PolicySet' that contains the policies from the query followed by the original root policy, combined using the 'Default policy combining algorithm'. This setting is only relevant to the XACML SAML Profile.
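The composition just described, as an added illustration in Python (not DirX Access code): it builds the effective root 'PolicySet' from the policies carried in a query plus the configured root policy, using xml.etree. The XACML 3.0 namespace and the combining-algorithm identifiers are the standard OASIS ones; the sample policies, the PolicySetId and the handling of a query that carries no policies are constructed assumptions, and a root that is already a PolicySet is rejected because the page does not describe that case.

```python
"""Constructed illustration of how query-supplied policies are combined with the root policy."""
import xml.etree.ElementTree as ET

# XACML 3.0 core namespace and two standard policy-combining algorithm identifiers.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
PERMIT_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides"
ET.register_namespace("xacml", XACML_NS)

# Constructed sample policies (not real DirX Access policies): the configured root
# policy denies everything, the policy carried in the query permits everything.
ROOT_POLICY_XML = f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:root" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="urn:example:root:deny-all" Effect="Deny"><Target/></Rule>
</Policy>"""

QUERY_POLICY_XML = f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:query:permit-read" Version="1.0"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
  <Target/>
  <Rule RuleId="urn:example:query:permit" Effect="Permit"><Target/></Rule>
</Policy>"""


def qname(tag: str) -> str:
    """Qualify a tag with the XACML 3.0 namespace."""
    return f"{{{XACML_NS}}}{tag}"


def local_name(elem: ET.Element) -> str:
    """Strip the namespace from an element tag."""
    return elem.tag.rsplit("}", 1)[-1]


def parse_policy(xml_text: str) -> ET.Element:
    """Parse a single Policy or PolicySet element and reject anything else."""
    elem = ET.fromstring(xml_text)
    if local_name(elem) not in ("Policy", "PolicySet"):
        raise ValueError(f"expected Policy or PolicySet, got {local_name(elem)}")
    return elem


def build_effective_root(query_policies, root_policy, default_combining_alg,
                         policyset_id="urn:example:effective-root"):
    """Build the PolicySet evaluated for one XACMLAuthzDecisionQuery.

    Follows the rule described on the page: the query's policies come first,
    the configured root policy last, and the whole set is combined with the
    'Default policy combining algorithm'. Only the described case (root is not
    a PolicySet) is handled; the PolicySetId is an assumed value.
    """
    if local_name(root_policy) == "PolicySet":
        raise ValueError("root policy is already a PolicySet; the default "
                         "policy combining algorithm does not apply")
    if not query_policies:
        # Assumption: a query without Policy/PolicySet elements is evaluated
        # against the configured root policy unchanged.
        return root_policy
    policy_set = ET.Element(qname("PolicySet"), {
        "PolicySetId": policyset_id,
        "Version": "1.0",
        "PolicyCombiningAlgId": default_combining_alg,
    })
    ET.SubElement(policy_set, qname("Target"))  # empty Target: applies to every request
    for policy in query_policies:
        policy_set.append(policy)
    policy_set.append(root_policy)
    return policy_set


def evaluation_order(policy_set: ET.Element):
    """Return the Policy/PolicySet identifiers in the order the combining algorithm sees them."""
    return [child.get("PolicyId") or child.get("PolicySetId")
            for child in policy_set
            if local_name(child) in ("Policy", "PolicySet")]


def demo():
    """Combine the sample query policy with the sample root under deny-overrides."""
    root = parse_policy(ROOT_POLICY_XML)
    query = parse_policy(QUERY_POLICY_XML)
    effective = build_effective_root([query], root, DENY_OVERRIDES)
    return effective.get("PolicyCombiningAlgId"), evaluation_order(effective)


if __name__ == "__main__":
    alg, order = demo()
    print(alg)
    print(order)
```

With deny-overrides as the default, the query's permit policy cannot override the root's deny, whereas permit-overrides would let the query-supplied policy win; the order returned by evaluation_order shows why the choice of algorithm for this setting matters when policies arrive inside the query.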