[jboss-cvs] JBossAS SVN: r86558 - in projects/security/security-xacml/tags: 2.0.3.CR5 and 15 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue Mar 31 18:24:03 EDT 2009
Author: anil.saldhana at jboss.com
Date: 2009-03-31 18:24:03 -0400 (Tue, 31 Mar 2009)
New Revision: 86558
Added:
projects/security/security-xacml/tags/2.0.3.CR5/
projects/security/security-xacml/tags/2.0.3.CR5/assembly/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/attr/TimeAttributeUnitTestCase.java
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/resources/requests/
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/java/org/jboss/test/security/xacml/interop/himss09/
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/logging.properties
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/policies/interop/himss09/himss-policy-01.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/requests/interop/himss09/
projects/security/security-xacml/tags/2.0.3.CR5/parent/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/pom.xml
Removed:
projects/security/security-xacml/tags/2.0.3.CR5/assembly/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java
projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml
projects/security/security-xacml/tags/2.0.3.CR5/parent/pom.xml
projects/security/security-xacml/tags/2.0.3.CR5/pom.xml
Log:
[maven-release-plugin] copy for tag 2.0.3.CR5
Copied: projects/security/security-xacml/tags/2.0.3.CR5 (from rev 86468, projects/security/security-xacml/trunk)
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/assembly/pom.xml
===================================================================
--- projects/security/security-xacml/trunk/assembly/pom.xml 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/assembly/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,62 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <parent>
- <groupId>org.jboss.security</groupId>
- <artifactId>jboss-xacml-project</artifactId>
- <version>2.0.3.CR4-SNAPSHOT</version>
- <relativePath>../parent</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <artifactId>jbossxacml</artifactId>
- <packaging>pom</packaging>
- <name>JBoss XACML- Assembly</name>
- <url>http://labs.jboss.org/portal/jbosssecurity/</url>
- <description>JBoss XACML</description>
- <licenses>
- <license>
- <name>lgpl</name>
- <url>http://repository.jboss.com/licenses/lgpl.txt</url>
- </license>
- </licenses>
- <organization>
- <name>JBoss Inc.</name>
- <url>http://www.jboss.org</url>
- </organization>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-assembly-plugin</artifactId>
- <version>2.1</version>
- <executions>
- <execution>
- <phase>package</phase>
- <goals>
- <goal>attached</goal>
- </goals>
- </execution>
- </executions>
- <configuration>
- <archive>
- <manifestEntries>
- <Specification-Title>JBoss XACML</Specification-Title>
- <Specification-Version>${project.version}</Specification-Version>
- <Specification-Vendor>Red Hat Middleware LLC</Specification-Vendor>
- <Implementation-Title>JBoss XACML</Implementation-Title>
- <Implementation-Version>${project.version}</Implementation-Version>
- <Implementation-VendorId>org.jboss.security</Implementation-VendorId>
- <Implementation-Vendor>Red Hat Middleware LLC</Implementation-Vendor>
- <Implementation-URL>http://labs.jboss.org/portal/jbosssecurity/</Implementation-URL>
- </manifestEntries>
- </archive>
- <descriptors>
- <descriptor>bin.xml</descriptor>
- <descriptor>sources.xml</descriptor>
- </descriptors>
- </configuration>
- <inherited>false</inherited>
- </plugin>
- </plugins>
- </build>
-
-</project>
Copied: projects/security/security-xacml/tags/2.0.3.CR5/assembly/pom.xml (from rev 86557, projects/security/security-xacml/trunk/assembly/pom.xml)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/assembly/pom.xml (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/assembly/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,62 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <parent>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-xacml-project</artifactId>
+ <version>2.0.3.CR5</version>
+ <relativePath>../parent</relativePath>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>jbossxacml</artifactId>
+ <packaging>pom</packaging>
+ <name>JBoss XACML- Assembly</name>
+ <url>http://labs.jboss.org/portal/jbosssecurity/</url>
+ <description>JBoss XACML</description>
+ <licenses>
+ <license>
+ <name>lgpl</name>
+ <url>http://repository.jboss.com/licenses/lgpl.txt</url>
+ </license>
+ </licenses>
+ <organization>
+ <name>JBoss Inc.</name>
+ <url>http://www.jboss.org</url>
+ </organization>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>2.1</version>
+ <executions>
+ <execution>
+ <phase>package</phase>
+ <goals>
+ <goal>attached</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <archive>
+ <manifestEntries>
+ <Specification-Title>JBoss XACML</Specification-Title>
+ <Specification-Version>${project.version}</Specification-Version>
+ <Specification-Vendor>Red Hat Middleware LLC</Specification-Vendor>
+ <Implementation-Title>JBoss XACML</Implementation-Title>
+ <Implementation-Version>${project.version}</Implementation-Version>
+ <Implementation-VendorId>org.jboss.security</Implementation-VendorId>
+ <Implementation-Vendor>Red Hat Middleware LLC</Implementation-Vendor>
+ <Implementation-URL>http://labs.jboss.org/portal/jbosssecurity/</Implementation-URL>
+ </manifestEntries>
+ </archive>
+ <descriptors>
+ <descriptor>bin.xml</descriptor>
+ <descriptor>sources.xml</descriptor>
+ </descriptors>
+ </configuration>
+ <inherited>false</inherited>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/pom.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/pom.xml 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,32 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <parent>
- <groupId>org.jboss.security</groupId>
- <artifactId>jboss-xacml-project</artifactId>
- <version>2.0.3.CR4-SNAPSHOT</version>
- <relativePath>../build/pom.xml</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <artifactId>jboss-sunxacml</artifactId>
- <packaging>jar</packaging>
- <name>JBoss port of sunxacml</name>
- <url>http://www.jboss.org</url>
- <description>JBoss XACML Library</description>
- <dependencies>
- <dependency>
- <groupId>apache-xerces</groupId>
- <artifactId>xml-apis</artifactId>
- <version>2.7.1</version>
- </dependency>
- <dependency>
- <groupId>apache-xalan</groupId>
- <artifactId>xalan</artifactId>
- <version>j_2.7.0</version>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>3.8.1</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-</project>
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/pom.xml (from rev 86557, projects/security/security-xacml/trunk/jboss-sunxacml/pom.xml)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/pom.xml (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,32 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <parent>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-xacml-project</artifactId>
+ <version>2.0.3.CR5</version>
+ <relativePath>../build/pom.xml</relativePath>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>jboss-sunxacml</artifactId>
+ <packaging>jar</packaging>
+ <name>JBoss port of sunxacml</name>
+ <url>http://www.jboss.org</url>
+ <description>JBoss XACML Library</description>
+ <dependencies>
+ <dependency>
+ <groupId>apache-xerces</groupId>
+ <artifactId>xml-apis</artifactId>
+ <version>2.7.1</version>
+ </dependency>
+ <dependency>
+ <groupId>apache-xalan</groupId>
+ <artifactId>xalan</artifactId>
+ <version>j_2.7.0</version>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>3.8.1</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
\ No newline at end of file
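Review bot: The `<relativePath>../build/pom.xml</relativePath>` in the `<parent>` block of this tagged jboss-sunxacml/pom.xml disagrees with the sibling assembly/pom.xml, which points at `../parent`, and the commit's file list shows `parent/pom.xml` under the tag but no `build/pom.xml`. If no `build` directory exists in the tag (this message does not show one either way), Maven will not find the parent in the checkout and will presumably resolve `jboss-xacml-project` 2.0.3.CR5 from a repository. The release build of this module would then take its inherited plugin and dependency configuration from whatever the repository serves, rather than from the tagged source. I would change the line to `<relativePath>../parent/pom.xml</relativePath>` on trunk so that the next tag builds against the in-tree parent.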
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,700 +0,0 @@
-
-/*
- * @(#)BasicEvaluationCtx.java
- *
- * Copyright 2004-2006 Sun Microsystems, Inc. All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistribution of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * 2. Redistribution in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * Neither the name of Sun Microsystems, Inc. or the names of contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * This software is provided "AS IS," without a warranty of any kind. ALL
- * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
- * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
- * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
- * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
- * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
- * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
- * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
- * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
- * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
- * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- *
- * You acknowledge that this software is not designed or intended for use in
- * the design, construction, operation or maintenance of any nuclear facility.
- */
-
-package org.jboss.security.xacml.sunxacml;
-
-
-
-
-
-import java.net.URI;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-import org.jboss.security.xacml.sunxacml.attr.AttributeDesignator;
-import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
-import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
-import org.jboss.security.xacml.sunxacml.attr.DateAttribute;
-import org.jboss.security.xacml.sunxacml.attr.DateTimeAttribute;
-import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
-import org.jboss.security.xacml.sunxacml.attr.TimeAttribute;
-import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
-import org.jboss.security.xacml.sunxacml.ctx.Attribute;
-import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
-import org.jboss.security.xacml.sunxacml.ctx.Subject;
-import org.jboss.security.xacml.sunxacml.finder.AttributeFinder;
-import org.w3c.dom.Node;
-
-
-/**
- * A basic implementation of <code>EvaluationCtx</code> that is created from
- * an XACML Request and falls back on an AttributeFinder if a requested
- * value isn't available in the Request.
- * <p>
- * Note that this class can do some optional caching for current date, time,
- * and dateTime values (defined by a boolean flag to the constructors). The
- * XACML specification requires that these values always be available, but it
- * does not specify whether or not they must remain constant over the course
- * of an evaluation if the values are being generated by the PDP (if the
- * values are provided in the Request, then obviously they will remain
- * constant). The default behavior is for these environment values to be
- * cached, so that (for example) the current time remains constant over the
- * course of an evaluation.
- *
- * @since 1.2
- * @author Seth Proctor
- */
-public class BasicEvaluationCtx implements EvaluationCtx
-{
- // the finder to use if a value isn't in the request
- private AttributeFinder finder;
-
- // the DOM root the original RequestContext document
- private Node requestRoot;
-
- // the 4 maps that contain the attribute data
- private HashMap subjectMap;
- private HashMap resourceMap;
- private HashMap actionMap;
- private HashMap environmentMap;
-
- // the resource and its scope
- private AttributeValue resourceId;
- private int scope;
-
- // the cached current date, time, and datetime, which we may or may
- // not be using depending on how this object was constructed
- private DateAttribute currentDate;
- private TimeAttribute currentTime;
- private DateTimeAttribute currentDateTime;
- private boolean useCachedEnvValues;
-
- // the logger we'll use for all messages
- private static final Logger logger =
- Logger.getLogger(BasicEvaluationCtx.class.getName());
-
- /**
- * Constructs a new <code>BasicEvaluationCtx</code> based on the given
- * request. The resulting context will cache current date, time, and
- * dateTime values so they remain constant for this evaluation.
- *
- * @param request the request
- *
- * @throws ParsingException if a required attribute is missing, or if there
- * are any problems dealing with the request data
- */
- public BasicEvaluationCtx(RequestCtx request) throws ParsingException {
- this(request, null, true);
- }
-
- /**
- * Constructs a new <code>BasicEvaluationCtx</code> based on the given
- * request.
- *
- * @param request the request
- * @param cacheEnvValues whether or not to cache the current time, date,
- * and dateTime so they are constant for the scope
- * of this evaluation
- *
- * @throws ParsingException if a required attribute is missing, or if there
- * are any problems dealing with the request data
- */
- public BasicEvaluationCtx(RequestCtx request, boolean cacheEnvValues)
- throws ParsingException
- {
- this(request, null, cacheEnvValues);
- }
-
- /**
- * Constructs a new <code>BasicEvaluationCtx</code> based on the given
- * request, and supports looking outside the original request for attribute
- * values using the <code>AttributeFinder</code>. The resulting context
- * will cache current date, time, and dateTime values so they remain
- * constant for this evaluation.
- *
- * @param request the request
- * @param finder an <code>AttributeFinder</code> to use in looking for
- * attributes that aren't in the request
- *
- * @throws ParsingException if a required attribute is missing, or if there
- * are any problems dealing with the request data
- */
- public BasicEvaluationCtx(RequestCtx request, AttributeFinder finder)
- throws ParsingException
- {
- this(request, finder, true);
- }
-
- /**
- * Constructs a new <code>BasicEvaluationCtx</code> based on the given
- * request, and supports looking outside the original request for attribute
- * values using the <code>AttributeFinder</code>.
- *
- * @param request the request
- * @param finder an <code>AttributeFinder</code> to use in looking for
- * attributes that aren't in the request
- * @param cacheEnvValues whether or not to cache the current time, date,
- * and dateTime so they are constant for the scope
- * of this evaluation
- *
- * @throws ParsingException if a required attribute is missing, or if there
- * are any problems dealing with the request data
- */
- public BasicEvaluationCtx(RequestCtx request, AttributeFinder finder,
- boolean cacheEnvValues) throws ParsingException {
- // keep track of the finder
- this.finder = finder;
-
- // remember the root of the DOM tree for XPath queries
- requestRoot = request.getDocumentRoot();
-
- // initialize the cached date/time values so it's clear we haven't
- // retrieved them yet
- this.useCachedEnvValues = cacheEnvValues;
- currentDate = null;
- currentTime = null;
- currentDateTime = null;
-
- // get the subjects, make sure they're correct, and setup tables
- subjectMap = new HashMap();
- setupSubjects(request.getSubjects());
-
- // next look at the Resource data, which needs to be handled specially
- resourceMap = new HashMap();
- setupResource(request.getResource());
-
- // setup the action data, which is generic
- actionMap = new HashMap();
- mapAttributes(request.getAction(), actionMap);
-
- // finally, set up the environment data, which is also generic
- environmentMap = new HashMap();
- mapAttributes(request.getEnvironmentAttributes(), environmentMap);
- }
-
- /**
- * This is quick helper function to provide a little structure for the
- * subject attributes so we can search for them (somewhat) quickly. The
- * basic idea is to have a map indexed by SubjectCategory that keeps
- * Maps that in turn are indexed by id and keep the unique ctx.Attribute
- * objects.
- */
- private void setupSubjects(Set subjects) throws ParsingException {
- // make sure that there is at least one Subject
- if (subjects.size() == 0)
- throw new ParsingException("Request must a contain subject");
-
- // now go through the subject attributes
- Iterator it = subjects.iterator();
- while (it.hasNext()) {
- Subject subject = (Subject)(it.next());
-
- URI category = subject.getCategory();
- Map categoryMap = null;
-
- // see if we've already got a map for the category
- if (subjectMap.containsKey(category)) {
- categoryMap = (Map)(subjectMap.get(category));
- } else {
- categoryMap = new HashMap();
- subjectMap.put(category, categoryMap);
- }
-
- // iterate over the set of attributes
- Iterator attrIterator = subject.getAttributes().iterator();
-
- while (attrIterator.hasNext()) {
- Attribute attr = (Attribute)(attrIterator.next());
- String id = attr.getId().toString();
-
- if (categoryMap.containsKey(id)) {
- // add to the existing set of Attributes w/this id
- Set existingIds = (Set)(categoryMap.get(id));
- existingIds.add(attr);
- } else {
- // this is the first Attr w/this id
- HashSet newIds = new HashSet();
- newIds.add(attr);
- categoryMap.put(id, newIds);
- }
- }
- }
- }
-
- /**
- * This basically does the same thing that the other types need
- * to do, except that we also look for a resource-id attribute, not
- * because we're going to use, but only to make sure that it's actually
- * there, and for the optional scope attribute, to see what the scope
- * of the attribute is
- */
- private void setupResource(Set resource) throws ParsingException {
- mapAttributes(resource, resourceMap);
-
- // make sure there resource-id attribute was included
- if (! resourceMap.containsKey(RESOURCE_ID)) {
- System.err.println("Resource must contain resource-id attr");
- //throw new ParsingException("resource missing resource-id");
- } else {
- // make sure there's only one value for this
- Set set = (Set)(resourceMap.get(RESOURCE_ID));
- if (set.size() > 1) {
- System.err.println("Resource may contain only one " +
- "resource-id Attribute");
- throw new ParsingException("too many resource-id attrs");
- } else {
- // keep track of the resource-id attribute
- resourceId = ((Attribute)(set.iterator().next())).getValue();
- }
-
- }
-
- //SECURITY-162: Relax resource-id requirement
- if(this.resourceId == null)
- this.resourceId = new StringAttribute("");
-
- // see if a resource-scope attribute was included
- if (resourceMap.containsKey(RESOURCE_SCOPE)) {
- Set set = (Set)(resourceMap.get(RESOURCE_SCOPE));
-
- // make sure there's only one value for resource-scope
- if (set.size() > 1) {
- System.err.println("Resource may contain only one " +
- "resource-scope Attribute");
- throw new ParsingException("too many resource-scope attrs");
- }
-
- Attribute attr = (Attribute)(set.iterator().next());
- AttributeValue attrValue = attr.getValue();
-
- // scope must be a string, so throw an exception otherwise
- if (! attrValue.getType().toString().
- equals(StringAttribute.identifier))
- throw new ParsingException("scope attr must be a string");
-
- String value = ((StringAttribute)attrValue).getValue();
-
- if (value.equals("Immediate")) {
- scope = SCOPE_IMMEDIATE;
- } else if (value.equals("Children")) {
- scope = SCOPE_CHILDREN;
- } else if (value.equals("Descendants")) {
- scope = SCOPE_DESCENDANTS;
- } else {
- System.err.println("Unknown scope type: " + value);
- throw new ParsingException("invalid scope type: " + value);
- }
- } else {
- // by default, the scope is always Immediate
- scope = SCOPE_IMMEDIATE;
- }
- }
-
- /**
- * Generic routine for resource, attribute and environment attributes
- * to build the lookup map for each. The Form is a Map that is indexed
- * by the String form of the attribute ids, and that contains Sets at
- * each entry with all attributes that have that id
- */
- private void mapAttributes(Set input, Map output) {
- Iterator it = input.iterator();
- while (it.hasNext()) {
- Attribute attr = (Attribute)(it.next());
- String id = attr.getId().toString();
-
- if (output.containsKey(id)) {
- Set set = (Set)(output.get(id));
- set.add(attr);
- } else {
- Set set = new HashSet();
- set.add(attr);
- output.put(id, set);
- }
- }
- }
-
- /**
- * Returns the DOM root of the original RequestType XML document.
- *
- * @return the DOM root node
- */
- public Node getRequestRoot() {
- return requestRoot;
- }
-
- /**
- * Returns the resource scope of the request, which will be one of the
- * three fields denoting Immediate, Children, or Descendants.
- *
- * @return the scope of the resource in the request
- */
- public int getScope() {
- return scope;
- }
-
- /**
- * Returns the resource named in the request as resource-id.
- *
- * @return the resource
- */
- public AttributeValue getResourceId() {
- return resourceId;
- }
-
- /**
- * Changes the value of the resource-id attribute in this context. This
- * is useful when you have multiple resources (ie, a scope other than
- * IMMEDIATE), and you need to keep changing only the resource-id to
- * evaluate the different effective requests.
- *
- * @param resourceId the new resource-id value
- */
- public void setResourceId(AttributeValue resourceId) {
- this.resourceId = resourceId;
-
- // there will always be exactly one value for this attribute
- Set attrSet = (Set)(resourceMap.get(RESOURCE_ID));
- Attribute attr = (Attribute)(attrSet.iterator().next());
-
- // remove the old value...
- attrSet.remove(attr);
-
- // ...and insert the new value
- attrSet.add(new Attribute(attr.getId(), attr.getIssuer(),
- attr.getIssueInstant(), resourceId));
- }
-
- /**
- * Returns the value for the current time. The current time, current
- * date, and current dateTime are consistent, so that they all
- * represent the same moment. If this is the first time that one
- * of these three values has been requested, and caching is enabled,
- * then the three values will be resolved and stored.
- * <p>
- * Note that the value supplied here applies only to dynamically
- * resolved values, not those supplied in the Request. In other words,
- * this always returns a dynamically resolved value local to the PDP,
- * even if a different value was supplied in the Request. This is
- * handled correctly when the value is requested by its identifier.
- *
- * @return the current time
- */
- public synchronized TimeAttribute getCurrentTime() {
- long millis = dateTimeHelper();
-
- if (useCachedEnvValues)
- return currentTime;
- else
- return new TimeAttribute(new Date(millis));
- }
-
- /**
- * Returns the value for the current date. The current time, current
- * date, and current dateTime are consistent, so that they all
- * represent the same moment. If this is the first time that one
- * of these three values has been requested, and caching is enabled,
- * then the three values will be resolved and stored.
- * <p>
- * Note that the value supplied here applies only to dynamically
- * resolved values, not those supplied in the Request. In other words,
- * this always returns a dynamically resolved value local to the PDP,
- * even if a different value was supplied in the Request. This is
- * handled correctly when the value is requested by its identifier.
- *
- * @return the current date
- */
- public synchronized DateAttribute getCurrentDate() {
- long millis = dateTimeHelper();
-
- if (useCachedEnvValues)
- return currentDate;
- else
- return new DateAttribute(new Date(millis));
- }
-
- /**
- * Returns the value for the current dateTime. The current time, current
- * date, and current dateTime are consistent, so that they all
- * represent the same moment. If this is the first time that one
- * of these three values has been requested, and caching is enabled,
- * then the three values will be resolved and stored.
- * <p>
- * Note that the value supplied here applies only to dynamically
- * resolved values, not those supplied in the Request. In other words,
- * this always returns a dynamically resolved value local to the PDP,
- * even if a different value was supplied in the Request. This is
- * handled correctly when the value is requested by its identifier.
- *
- * @return the current dateTime
- */
- public synchronized DateTimeAttribute getCurrentDateTime() {
- long millis = dateTimeHelper();
-
- if (useCachedEnvValues)
- return currentDateTime;
- else
- return new DateTimeAttribute(new Date(millis));
- }
-
- /**
- * Private helper that figures out if we need to resolve new values,
- * and returns either the current moment (if we're not caching) or
- * -1 (if we are caching)
- */
- private long dateTimeHelper() {
- // if we already have current values, then we can stop (note this
- // always means that we're caching)
- if (currentTime != null)
- return -1;
-
- // get the current moment
- Date time = new Date();
- long millis = time.getTime();
-
- // if we're not caching then we just return the current moment
- if (! useCachedEnvValues) {
- return millis;
- } else {
- // we're caching, so resolve all three values, making sure
- // to use clean copies of the date object since it may be
- // modified when creating the attributes
- currentTime = new TimeAttribute(time);
- currentDate = new DateAttribute(new Date(millis));
- currentDateTime = new DateTimeAttribute(new Date(millis));
- }
-
- return -1;
- }
-
- /**
- * Returns attribute value(s) from the subject section of the request
- * that have no issuer.
- *
- * @param type the type of the attribute value(s) to find
- * @param id the id of the attribute value(s) to find
- * @param category the category the attribute value(s) must be in
- *
- * @return a result containing a bag either empty because no values were
- * found or containing at least one value, or status associated with an
- * Indeterminate result
- */
- public EvaluationResult getSubjectAttribute(URI type, URI id,
- URI category) {
- return getSubjectAttribute(type, id, null, category);
- }
-
- /**
- * Returns attribute value(s) from the subject section of the request.
- *
- * @param type the type of the attribute value(s) to find
- * @param id the id of the attribute value(s) to find
- * @param issuer the issuer of the attribute value(s) to find or null
- * @param category the category the attribute value(s) must be in
- *
- * @return a result containing a bag either empty because no values were
- * found or containing at least one value, or status associated with an
- * Indeterminate result
- */
- public EvaluationResult getSubjectAttribute(URI type, URI id, URI issuer,
- URI category) {
- // This is the same as the other three lookups except that this
- // has an extra level of indirection that needs to be handled first
- Map map = (Map)(subjectMap.get(category));
-
- if (map == null) {
- // the request didn't have that category, so we should try asking
- // the attribute finder
- return callHelper(type, id, issuer, category,
- AttributeDesignator.SUBJECT_TARGET);
- }
-
- return getGenericAttributes(type, id, issuer, map, category,
- AttributeDesignator.SUBJECT_TARGET);
- }
-
- /**
- * Returns attribute value(s) from the resource section of the request.
- *
- * @param type the type of the attribute value(s) to find
- * @param id the id of the attribute value(s) to find
- * @param issuer the issuer of the attribute value(s) to find or null
- *
- * @return a result containing a bag either empty because no values were
- * found or containing at least one value, or status associated with an
- * Indeterminate result
- */
- public EvaluationResult getResourceAttribute(URI type, URI id,
- URI issuer) {
- return getGenericAttributes(type, id, issuer, resourceMap, null,
- AttributeDesignator.RESOURCE_TARGET);
- }
-
- /**
- * Returns attribute value(s) from the action section of the request.
- *
- * @param type the type of the attribute value(s) to find
- * @param id the id of the attribute value(s) to find
- * @param issuer the issuer of the attribute value(s) to find or null
- *
- * @return a result containing a bag either empty because no values were
- * found or containing at least one value, or status associated with an
- * Indeterminate result
- */
- public EvaluationResult getActionAttribute(URI type, URI id, URI issuer) {
- return getGenericAttributes(type, id, issuer, actionMap, null,
- AttributeDesignator.ACTION_TARGET);
- }
-
- /**
- * Returns attribute value(s) from the environment section of the request.
- *
- * @param type the type of the attribute value(s) to find
- * @param id the id of the attribute value(s) to find
- * @param issuer the issuer of the attribute value(s) to find or null
- *
- * @return a result containing a bag either empty because no values were
- * found or containing at least one value, or status associated with an
- * Indeterminate result
- */
- public EvaluationResult getEnvironmentAttribute(URI type, URI id,
- URI issuer) {
- return getGenericAttributes(type, id, issuer, environmentMap, null,
- AttributeDesignator.ENVIRONMENT_TARGET);
- }
-
- /**
- * Helper function for the resource, action and environment methods
- * to get an attribute.
- */
- private EvaluationResult getGenericAttributes(URI type, URI id, URI issuer,
- Map map, URI category,
- int designatorType) {
- // try to find the id
- Set attrSet = (Set)(map.get(id.toString()));
- if (attrSet == null) {
- // the request didn't have an attribute with that id, so we should
- // try asking the attribute finder
- return callHelper(type, id, issuer, category, designatorType);
- }
-
- // now go through each, considering each Attribute object
- List attributes = new ArrayList();
- Iterator it = attrSet.iterator();
-
- while (it.hasNext()) {
- Attribute attr = (Attribute)(it.next());
-
- // make sure the type and issuer are correct
- if ((attr.getType().equals(type)) &&
- ((issuer == null) ||
- ((attr.getIssuer() != null) &&
- (attr.getIssuer().equals(issuer.toString()))))) {
-
- // if we got here, then we found a match, so we want to pull
- // out the values and put them in out list
- attributes.addAll(attr.getValues());
- }
- }
-
- // see if we found any acceptable attributes
- if (attributes.size() == 0) {
- // we failed to find any that matched the type/issuer, or all the
- // Attribute types were empty...so ask the finder
- if (logger.isLoggable(Level.FINE))
- logger.fine("Attribute not in request: " + id.toString() +
- " ... querying AttributeFinder");
-
- return callHelper(type, id, issuer, category, designatorType);
- }
-
- // if we got here, then we found at least one useful AttributeValue
- return new EvaluationResult(new BagAttribute(type, attributes));
- }
-
- /**
- * Private helper that calls the finder if it's non-null, or else returns
- * an empty bag
- */
- private EvaluationResult callHelper(URI type, URI id, URI issuer,
- URI category, int adType) {
- if (finder != null) {
- return finder.findAttribute(type, id, issuer, category,
- this, adType);
- } else {
- logger.warning("Context tried to invoke AttributeFinder but was " +
- "not configured with one");
-
- return new EvaluationResult(BagAttribute.createEmptyBag(type));
- }
- }
-
- /**
- * Returns the attribute value(s) retrieved using the given XPath
- * expression.
- *
- * @param contextPath the XPath expression to search
- * @param namespaceNode the DOM node defining namespace mappings to use,
- * or null if mappings come from the context root
- * @param type the type of the attribute value(s) to find
- * @param xpathVersion the version of XPath to use
- *
- * @return a result containing a bag either empty because no values were
- * found or containing at least one value, or status associated with an
- * Indeterminate result
- */
- public EvaluationResult getAttribute(String contextPath,
- Node namespaceNode, URI type,
- String xpathVersion) {
- if (finder != null) {
- return finder.findAttribute(contextPath, namespaceNode, type, this,
- xpathVersion);
- } else {
- logger.warning("Context tried to invoke AttributeFinder but was " +
- "not configured with one");
-
- return new EvaluationResult(BagAttribute.createEmptyBag(type));
- }
- }
-
-}
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java (from rev 86469, projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/BasicEvaluationCtx.java 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,700 @@
+
+/*
+ * @(#)BasicEvaluationCtx.java
+ *
+ * Copyright 2004-2006 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistribution of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistribution in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the name of Sun Microsystems, Inc. or the names of contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * This software is provided "AS IS," without a warranty of any kind. ALL
+ * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
+ * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
+ * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
+ * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
+ * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
+ * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
+ * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
+ * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
+ * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
+ * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ *
+ * You acknowledge that this software is not designed or intended for use in
+ * the design, construction, operation or maintenance of any nuclear facility.
+ */
+
+package org.jboss.security.xacml.sunxacml;
+
+
+
+
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import org.jboss.security.xacml.sunxacml.attr.AttributeDesignator;
+import org.jboss.security.xacml.sunxacml.attr.AttributeValue;
+import org.jboss.security.xacml.sunxacml.attr.BagAttribute;
+import org.jboss.security.xacml.sunxacml.attr.DateAttribute;
+import org.jboss.security.xacml.sunxacml.attr.DateTimeAttribute;
+import org.jboss.security.xacml.sunxacml.attr.StringAttribute;
+import org.jboss.security.xacml.sunxacml.attr.TimeAttribute;
+import org.jboss.security.xacml.sunxacml.cond.EvaluationResult;
+import org.jboss.security.xacml.sunxacml.ctx.Attribute;
+import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
+import org.jboss.security.xacml.sunxacml.ctx.Subject;
+import org.jboss.security.xacml.sunxacml.finder.AttributeFinder;
+import org.w3c.dom.Node;
+
+
+/**
+ * A basic implementation of <code>EvaluationCtx</code> that is created from
+ * an XACML Request and falls back on an AttributeFinder if a requested
+ * value isn't available in the Request.
+ * <p>
+ * Note that this class can do some optional caching for current date, time,
+ * and dateTime values (defined by a boolean flag to the constructors). The
+ * XACML specification requires that these values always be available, but it
+ * does not specify whether or not they must remain constant over the course
+ * of an evaluation if the values are being generated by the PDP (if the
+ * values are provided in the Request, then obviously they will remain
+ * constant). The default behavior is for these environment values to be
+ * cached, so that (for example) the current time remains constant over the
+ * course of an evaluation.
+ *
+ * @since 1.2
+ * @author Seth Proctor
+ */
+public class BasicEvaluationCtx implements EvaluationCtx
+{
+ // the finder to use if a value isn't in the request
+ private AttributeFinder finder;
+
+ // the DOM root the original RequestContext document
+ private Node requestRoot;
+
+ // the 4 maps that contain the attribute data
+ private HashMap subjectMap;
+ private HashMap resourceMap;
+ private HashMap actionMap;
+ private HashMap environmentMap;
+
+ // the resource and its scope
+ private AttributeValue resourceId;
+ private int scope;
+
+ // the cached current date, time, and datetime, which we may or may
+ // not be using depending on how this object was constructed
+ private DateAttribute currentDate;
+ private TimeAttribute currentTime;
+ private DateTimeAttribute currentDateTime;
+ private boolean useCachedEnvValues;
+
+ // the logger we'll use for all messages
+ private static final Logger logger =
+ Logger.getLogger(BasicEvaluationCtx.class.getName());
+
+ /**
+ * Constructs a new <code>BasicEvaluationCtx</code> based on the given
+ * request. The resulting context will cache current date, time, and
+ * dateTime values so they remain constant for this evaluation.
+ *
+ * @param request the request
+ *
+ * @throws ParsingException if a required attribute is missing, or if there
+ * are any problems dealing with the request data
+ */
+ public BasicEvaluationCtx(RequestCtx request) throws ParsingException {
+ this(request, null, true);
+ }
+
+ /**
+ * Constructs a new <code>BasicEvaluationCtx</code> based on the given
+ * request.
+ *
+ * @param request the request
+ * @param cacheEnvValues whether or not to cache the current time, date,
+ * and dateTime so they are constant for the scope
+ * of this evaluation
+ *
+ * @throws ParsingException if a required attribute is missing, or if there
+ * are any problems dealing with the request data
+ */
+ public BasicEvaluationCtx(RequestCtx request, boolean cacheEnvValues)
+ throws ParsingException
+ {
+ this(request, null, cacheEnvValues);
+ }
+
+ /**
+ * Constructs a new <code>BasicEvaluationCtx</code> based on the given
+ * request, and supports looking outside the original request for attribute
+ * values using the <code>AttributeFinder</code>. The resulting context
+ * will cache current date, time, and dateTime values so they remain
+ * constant for this evaluation.
+ *
+ * @param request the request
+ * @param finder an <code>AttributeFinder</code> to use in looking for
+ * attributes that aren't in the request
+ *
+ * @throws ParsingException if a required attribute is missing, or if there
+ * are any problems dealing with the request data
+ */
+ public BasicEvaluationCtx(RequestCtx request, AttributeFinder finder)
+ throws ParsingException
+ {
+ this(request, finder, true);
+ }
+
+ /**
+ * Constructs a new <code>BasicEvaluationCtx</code> based on the given
+ * request, and supports looking outside the original request for attribute
+ * values using the <code>AttributeFinder</code>.
+ *
+ * @param request the request
+ * @param finder an <code>AttributeFinder</code> to use in looking for
+ * attributes that aren't in the request
+ * @param cacheEnvValues whether or not to cache the current time, date,
+ * and dateTime so they are constant for the scope
+ * of this evaluation
+ *
+ * @throws ParsingException if a required attribute is missing, or if there
+ * are any problems dealing with the request data
+ */
+ public BasicEvaluationCtx(RequestCtx request, AttributeFinder finder,
+ boolean cacheEnvValues) throws ParsingException {
+ // keep track of the finder
+ this.finder = finder;
+
+ // remember the root of the DOM tree for XPath queries
+ requestRoot = request.getDocumentRoot();
+
+ // initialize the cached date/time values so it's clear we haven't
+ // retrieved them yet
+ this.useCachedEnvValues = cacheEnvValues;
+ currentDate = null;
+ currentTime = null;
+ currentDateTime = null;
+
+ // get the subjects, make sure they're correct, and setup tables
+ subjectMap = new HashMap();
+ setupSubjects(request.getSubjects());
+
+ // next look at the Resource data, which needs to be handled specially
+ resourceMap = new HashMap();
+ setupResource(request.getResource());
+
+ // setup the action data, which is generic
+ actionMap = new HashMap();
+ mapAttributes(request.getAction(), actionMap);
+
+ // finally, set up the environment data, which is also generic
+ environmentMap = new HashMap();
+ mapAttributes(request.getEnvironmentAttributes(), environmentMap);
+ }
+
+ /**
+ * This is quick helper function to provide a little structure for the
+ * subject attributes so we can search for them (somewhat) quickly. The
+ * basic idea is to have a map indexed by SubjectCategory that keeps
+ * Maps that in turn are indexed by id and keep the unique ctx.Attribute
+ * objects.
+ */
+ private void setupSubjects(Set subjects) throws ParsingException {
+ // make sure that there is at least one Subject
+ if (subjects.size() == 0)
+ throw new ParsingException("Request must a contain subject");
+
+ // now go through the subject attributes
+ Iterator it = subjects.iterator();
+ while (it.hasNext()) {
+ Subject subject = (Subject)(it.next());
+
+ URI category = subject.getCategory();
+ Map categoryMap = null;
+
+ // see if we've already got a map for the category
+ if (subjectMap.containsKey(category)) {
+ categoryMap = (Map)(subjectMap.get(category));
+ } else {
+ categoryMap = new HashMap();
+ subjectMap.put(category, categoryMap);
+ }
+
+ // iterate over the set of attributes
+ Iterator attrIterator = subject.getAttributes().iterator();
+
+ while (attrIterator.hasNext()) {
+ Attribute attr = (Attribute)(attrIterator.next());
+ String id = attr.getId().toString();
+
+ if (categoryMap.containsKey(id)) {
+ // add to the existing set of Attributes w/this id
+ Set existingIds = (Set)(categoryMap.get(id));
+ existingIds.add(attr);
+ } else {
+ // this is the first Attr w/this id
+ HashSet newIds = new HashSet();
+ newIds.add(attr);
+ categoryMap.put(id, newIds);
+ }
+ }
+ }
+ }
+
+ /**
+ * This basically does the same thing that the other types need
+ * to do, except that we also look for a resource-id attribute, not
+ * because we're going to use, but only to make sure that it's actually
+ * there, and for the optional scope attribute, to see what the scope
+ * of the attribute is
+ */
+ private void setupResource(Set resource) throws ParsingException {
+ mapAttributes(resource, resourceMap);
+
+ // make sure there resource-id attribute was included
+ if (! resourceMap.containsKey(RESOURCE_ID)) {
+ System.err.println("Resource must contain resource-id attr");
+ //throw new ParsingException("resource missing resource-id");
+ } /*else {
+ // make sure there's only one value for this
+ Set set = (Set)(resourceMap.get(RESOURCE_ID));
+ if (set.size() > 1) {
+ System.err.println("Resource may contain only one " +
+ "resource-id Attribute");
+ throw new ParsingException("too many resource-id attrs");
+ } else {
+ // keep track of the resource-id attribute
+ resourceId = ((Attribute)(set.iterator().next())).getValue();
+ }
+
+ } */
+
+ //SECURITY-162: Relax resource-id requirement
+ if(this.resourceId == null)
+ this.resourceId = new StringAttribute("");
+
+ // see if a resource-scope attribute was included
+ if (resourceMap.containsKey(RESOURCE_SCOPE)) {
+ Set set = (Set)(resourceMap.get(RESOURCE_SCOPE));
+
+ // make sure there's only one value for resource-scope
+ if (set.size() > 1) {
+ System.err.println("Resource may contain only one " +
+ "resource-scope Attribute");
+ throw new ParsingException("too many resource-scope attrs");
+ }
+
+ Attribute attr = (Attribute)(set.iterator().next());
+ AttributeValue attrValue = attr.getValue();
+
+ // scope must be a string, so throw an exception otherwise
+ if (! attrValue.getType().toString().
+ equals(StringAttribute.identifier))
+ throw new ParsingException("scope attr must be a string");
+
+ String value = ((StringAttribute)attrValue).getValue();
+
+ if (value.equals("Immediate")) {
+ scope = SCOPE_IMMEDIATE;
+ } else if (value.equals("Children")) {
+ scope = SCOPE_CHILDREN;
+ } else if (value.equals("Descendants")) {
+ scope = SCOPE_DESCENDANTS;
+ } else {
+ System.err.println("Unknown scope type: " + value);
+ throw new ParsingException("invalid scope type: " + value);
+ }
+ } else {
+ // by default, the scope is always Immediate
+ scope = SCOPE_IMMEDIATE;
+ }
+ }
+
+ /**
+ * Generic routine for resource, attribute and environment attributes
+ * to build the lookup map for each. The Form is a Map that is indexed
+ * by the String form of the attribute ids, and that contains Sets at
+ * each entry with all attributes that have that id
+ */
+ private void mapAttributes(Set input, Map output) {
+ Iterator it = input.iterator();
+ while (it.hasNext()) {
+ Attribute attr = (Attribute)(it.next());
+ String id = attr.getId().toString();
+
+ if (output.containsKey(id)) {
+ Set set = (Set)(output.get(id));
+ set.add(attr);
+ } else {
+ Set set = new HashSet();
+ set.add(attr);
+ output.put(id, set);
+ }
+ }
+ }
+
+ /**
+ * Returns the DOM root of the original RequestType XML document.
+ *
+ * @return the DOM root node
+ */
+ public Node getRequestRoot() {
+ return requestRoot;
+ }
+
+ /**
+ * Returns the resource scope of the request, which will be one of the
+ * three fields denoting Immediate, Children, or Descendants.
+ *
+ * @return the scope of the resource in the request
+ */
+ public int getScope() {
+ return scope;
+ }
+
+ /**
+ * Returns the resource named in the request as resource-id.
+ *
+ * @return the resource
+ */
+ public AttributeValue getResourceId() {
+ return resourceId;
+ }
+
+ /**
+ * Changes the value of the resource-id attribute in this context. This
+ * is useful when you have multiple resources (ie, a scope other than
+ * IMMEDIATE), and you need to keep changing only the resource-id to
+ * evaluate the different effective requests.
+ *
+ * @param resourceId the new resource-id value
+ */
+ public void setResourceId(AttributeValue resourceId) {
+ this.resourceId = resourceId;
+
+ // there will always be exactly one value for this attribute
+ Set attrSet = (Set)(resourceMap.get(RESOURCE_ID));
+ Attribute attr = (Attribute)(attrSet.iterator().next());
+
+ // remove the old value...
+ attrSet.remove(attr);
+
+ // ...and insert the new value
+ attrSet.add(new Attribute(attr.getId(), attr.getIssuer(),
+ attr.getIssueInstant(), resourceId));
+ }
+
+ /**
+ * Returns the value for the current time. The current time, current
+ * date, and current dateTime are consistent, so that they all
+ * represent the same moment. If this is the first time that one
+ * of these three values has been requested, and caching is enabled,
+ * then the three values will be resolved and stored.
+ * <p>
+ * Note that the value supplied here applies only to dynamically
+ * resolved values, not those supplied in the Request. In other words,
+ * this always returns a dynamically resolved value local to the PDP,
+ * even if a different value was supplied in the Request. This is
+ * handled correctly when the value is requested by its identifier.
+ *
+ * @return the current time
+ */
+ public synchronized TimeAttribute getCurrentTime() {
+ long millis = dateTimeHelper();
+
+ if (useCachedEnvValues)
+ return currentTime;
+ else
+ return new TimeAttribute(new Date(millis));
+ }
+
+ /**
+ * Returns the value for the current date. The current time, current
+ * date, and current dateTime are consistent, so that they all
+ * represent the same moment. If this is the first time that one
+ * of these three values has been requested, and caching is enabled,
+ * then the three values will be resolved and stored.
+ * <p>
+ * Note that the value supplied here applies only to dynamically
+ * resolved values, not those supplied in the Request. In other words,
+ * this always returns a dynamically resolved value local to the PDP,
+ * even if a different value was supplied in the Request. This is
+ * handled correctly when the value is requested by its identifier.
+ *
+ * @return the current date
+ */
+ public synchronized DateAttribute getCurrentDate() {
+ long millis = dateTimeHelper();
+
+ if (useCachedEnvValues)
+ return currentDate;
+ else
+ return new DateAttribute(new Date(millis));
+ }
+
+ /**
+ * Returns the value for the current dateTime. The current time, current
+ * date, and current dateTime are consistent, so that they all
+ * represent the same moment. If this is the first time that one
+ * of these three values has been requested, and caching is enabled,
+ * then the three values will be resolved and stored.
+ * <p>
+ * Note that the value supplied here applies only to dynamically
+ * resolved values, not those supplied in the Request. In other words,
+ * this always returns a dynamically resolved value local to the PDP,
+ * even if a different value was supplied in the Request. This is
+ * handled correctly when the value is requested by its identifier.
+ *
+ * @return the current dateTime
+ */
+ public synchronized DateTimeAttribute getCurrentDateTime() {
+ long millis = dateTimeHelper();
+
+ if (useCachedEnvValues)
+ return currentDateTime;
+ else
+ return new DateTimeAttribute(new Date(millis));
+ }
+
+ /**
+ * Private helper that figures out if we need to resolve new values,
+ * and returns either the current moment (if we're not caching) or
+ * -1 (if we are caching)
+ */
+ private long dateTimeHelper() {
+ // if we already have current values, then we can stop (note this
+ // always means that we're caching)
+ if (currentTime != null)
+ return -1;
+
+ // get the current moment
+ Date time = new Date();
+ long millis = time.getTime();
+
+ // if we're not caching then we just return the current moment
+ if (! useCachedEnvValues) {
+ return millis;
+ } else {
+ // we're caching, so resolve all three values, making sure
+ // to use clean copies of the date object since it may be
+ // modified when creating the attributes
+ currentTime = new TimeAttribute(time);
+ currentDate = new DateAttribute(new Date(millis));
+ currentDateTime = new DateTimeAttribute(new Date(millis));
+ }
+
+ return -1;
+ }
+
+ /**
+ * Returns attribute value(s) from the subject section of the request
+ * that have no issuer.
+ *
+ * @param type the type of the attribute value(s) to find
+ * @param id the id of the attribute value(s) to find
+ * @param category the category the attribute value(s) must be in
+ *
+ * @return a result containing a bag either empty because no values were
+ * found or containing at least one value, or status associated with an
+ * Indeterminate result
+ */
+ public EvaluationResult getSubjectAttribute(URI type, URI id,
+ URI category) {
+ return getSubjectAttribute(type, id, null, category);
+ }
+
+ /**
+ * Returns attribute value(s) from the subject section of the request.
+ *
+ * @param type the type of the attribute value(s) to find
+ * @param id the id of the attribute value(s) to find
+ * @param issuer the issuer of the attribute value(s) to find or null
+ * @param category the category the attribute value(s) must be in
+ *
+ * @return a result containing a bag either empty because no values were
+ * found or containing at least one value, or status associated with an
+ * Indeterminate result
+ */
+ public EvaluationResult getSubjectAttribute(URI type, URI id, URI issuer,
+ URI category) {
+ // This is the same as the other three lookups except that this
+ // has an extra level of indirection that needs to be handled first
+ Map map = (Map)(subjectMap.get(category));
+
+ if (map == null) {
+ // the request didn't have that category, so we should try asking
+ // the attribute finder
+ return callHelper(type, id, issuer, category,
+ AttributeDesignator.SUBJECT_TARGET);
+ }
+
+ return getGenericAttributes(type, id, issuer, map, category,
+ AttributeDesignator.SUBJECT_TARGET);
+ }
+
+ /**
+ * Returns attribute value(s) from the resource section of the request.
+ *
+ * @param type the type of the attribute value(s) to find
+ * @param id the id of the attribute value(s) to find
+ * @param issuer the issuer of the attribute value(s) to find or null
+ *
+ * @return a result containing a bag either empty because no values were
+ * found or containing at least one value, or status associated with an
+ * Indeterminate result
+ */
+ public EvaluationResult getResourceAttribute(URI type, URI id,
+ URI issuer) {
+ return getGenericAttributes(type, id, issuer, resourceMap, null,
+ AttributeDesignator.RESOURCE_TARGET);
+ }
+
+ /**
+ * Returns attribute value(s) from the action section of the request.
+ *
+ * @param type the type of the attribute value(s) to find
+ * @param id the id of the attribute value(s) to find
+ * @param issuer the issuer of the attribute value(s) to find or null
+ *
+ * @return a result containing a bag either empty because no values were
+ * found or containing at least one value, or status associated with an
+ * Indeterminate result
+ */
+ public EvaluationResult getActionAttribute(URI type, URI id, URI issuer) {
+ return getGenericAttributes(type, id, issuer, actionMap, null,
+ AttributeDesignator.ACTION_TARGET);
+ }
+
+ /**
+ * Returns attribute value(s) from the environment section of the request.
+ *
+ * @param type the type of the attribute value(s) to find
+ * @param id the id of the attribute value(s) to find
+ * @param issuer the issuer of the attribute value(s) to find or null
+ *
+ * @return a result containing a bag either empty because no values were
+ * found or containing at least one value, or status associated with an
+ * Indeterminate result
+ */
+ public EvaluationResult getEnvironmentAttribute(URI type, URI id,
+ URI issuer) {
+ return getGenericAttributes(type, id, issuer, environmentMap, null,
+ AttributeDesignator.ENVIRONMENT_TARGET);
+ }
+
+ /**
+ * Helper function for the resource, action and environment methods
+ * to get an attribute.
+ */
+ private EvaluationResult getGenericAttributes(URI type, URI id, URI issuer,
+ Map map, URI category,
+ int designatorType) {
+ // try to find the id
+ Set attrSet = (Set)(map.get(id.toString()));
+ if (attrSet == null) {
+ // the request didn't have an attribute with that id, so we should
+ // try asking the attribute finder
+ return callHelper(type, id, issuer, category, designatorType);
+ }
+
+ // now go through each, considering each Attribute object
+ List attributes = new ArrayList();
+ Iterator it = attrSet.iterator();
+
+ while (it.hasNext()) {
+ Attribute attr = (Attribute)(it.next());
+
+ // make sure the type and issuer are correct
+ if ((attr.getType().equals(type)) &&
+ ((issuer == null) ||
+ ((attr.getIssuer() != null) &&
+ (attr.getIssuer().equals(issuer.toString()))))) {
+
+ // if we got here, then we found a match, so we want to pull
+ // out the values and put them in out list
+ attributes.addAll(attr.getValues());
+ }
+ }
+
+ // see if we found any acceptable attributes
+ if (attributes.size() == 0) {
+ // we failed to find any that matched the type/issuer, or all the
+ // Attribute types were empty...so ask the finder
+ if (logger.isLoggable(Level.FINE))
+ logger.fine("Attribute not in request: " + id.toString() +
+ " ... querying AttributeFinder");
+
+ return callHelper(type, id, issuer, category, designatorType);
+ }
+
+ // if we got here, then we found at least one useful AttributeValue
+ return new EvaluationResult(new BagAttribute(type, attributes));
+ }
+
+ /**
+ * Private helper that calls the finder if it's non-null, or else returns
+ * an empty bag
+ */
+ private EvaluationResult callHelper(URI type, URI id, URI issuer,
+ URI category, int adType) {
+ if (finder != null) {
+ return finder.findAttribute(type, id, issuer, category,
+ this, adType);
+ } else {
+ logger.warning("Context tried to invoke AttributeFinder but was " +
+ "not configured with one");
+
+ return new EvaluationResult(BagAttribute.createEmptyBag(type));
+ }
+ }
+
+ /**
+ * Returns the attribute value(s) retrieved using the given XPath
+ * expression.
+ *
+ * @param contextPath the XPath expression to search
+ * @param namespaceNode the DOM node defining namespace mappings to use,
+ * or null if mappings come from the context root
+ * @param type the type of the attribute value(s) to find
+ * @param xpathVersion the version of XPath to use
+ *
+ * @return a result containing a bag either empty because no values were
+ * found or containing at least one value, or status associated with an
+ * Indeterminate result
+ */
+ public EvaluationResult getAttribute(String contextPath,
+ Node namespaceNode, URI type,
+ String xpathVersion) {
+ if (finder != null) {
+ return finder.findAttribute(contextPath, namespaceNode, type, this,
+ xpathVersion);
+ } else {
+ logger.warning("Context tried to invoke AttributeFinder but was " +
+ "not configured with one");
+
+ return new EvaluationResult(BagAttribute.createEmptyBag(type));
+ }
+ }
+
+}
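Review bot: In `setupResource`, commenting out the whole `else` branch means `resourceId` is never read from the request, so after construction `getResourceId()` returns the empty `StringAttribute("")` placeholder even when a resource-id attribute was supplied, and a request carrying several resource-id attributes is no longer rejected. `setResourceId` still relies on its comment "there will always be exactly one value for this attribute" and dereferences `resourceMap.get(RESOURCE_ID)`, which is null for exactly the requests SECURITY-162 now admits, so that call would fail with a NullPointerException. In a policy decision point an empty or ambiguous resource identifier should be handled explicitly: take the value from the request when exactly one is present, guard the lookup in `setResourceId`, and report the missing attribute through `logger` rather than `System.err`. Whether dropping the duplicate resource-id check was intended by SECURITY-162 is not visible from this file, so the sketch below keeps the placeholder in that case instead of restoring the exception.

```java
private void setupResource(Set resource) throws ParsingException {
    mapAttributes(resource, resourceMap);

    // SECURITY-162: a missing resource-id is tolerated, but a supplied one is still used
    Set idSet = (Set)(resourceMap.get(RESOURCE_ID));
    if (idSet != null && idSet.size() == 1) {
        // keep track of the resource-id attribute
        this.resourceId = ((Attribute)(idSet.iterator().next())).getValue();
    } else {
        if (idSet == null)
            logger.warning("Resource must contain resource-id attr");
        this.resourceId = new StringAttribute("");
    }

    // … unchanged: resource-scope handling …

public void setResourceId(AttributeValue resourceId) {
    this.resourceId = resourceId;

    Set attrSet = (Set)(resourceMap.get(RESOURCE_ID));
    if (attrSet == null || attrSet.isEmpty()) {
        // the request carried no resource-id, so there is no Attribute to replace
        return;
    }

    // … unchanged: remove the old Attribute and insert the new value …
```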
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,470 +0,0 @@
-
-/*
- * @(#)TimeAttribute.java
- *
- * Copyright 2003-2006 Sun Microsystems, Inc. All Rights Reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistribution of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * 2. Redistribution in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * Neither the name of Sun Microsystems, Inc. or the names of contributors may
- * be used to endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * This software is provided "AS IS," without a warranty of any kind. ALL
- * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
- * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
- * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
- * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
- * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
- * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
- * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
- * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
- * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
- * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- *
- * You acknowledge that this software is not designed or intended for use in
- * the design, construction, operation or maintenance of any nuclear facility.
- */
-
-package org.jboss.security.xacml.sunxacml.attr;
-
-
-import java.net.URI;
-import java.text.ParseException;
-import java.util.Date;
-import java.util.TimeZone;
-
-import org.jboss.security.xacml.sunxacml.ParsingException;
-import org.jboss.security.xacml.sunxacml.ProcessingException;
-import org.w3c.dom.Node;
-
-
-/**
- * Representation of an xs:time value. This class supports parsing
- * xs:time values. All objects of this class are immutable and
- * thread-safe. The <code>Date</code> objects returned are not, but
- * these objects are cloned before being returned.
- *
- * @since 1.0
- * @author Steve Hanna
- * @author Seth Proctor
- */
-public class TimeAttribute extends AttributeValue
-{
- /**
- * Official name of this type
- */
- public static final String identifier =
- "http://www.w3.org/2001/XMLSchema#time";
-
- /**
- * URI version of name for this type
- * <p>
- * This object is used for synchronization whenever we need
- * protection across this whole class.
- */
- private static URI identifierURI = URI.create(identifier);
-
- /**
- * Time zone value that indicates that the time zone was not
- * specified.
- */
- public static final int TZ_UNSPECIFIED = -1000000;
-
- /**
- * The time that this object represents in second resolution, in
- * milliseconds GMT, with zero being midnight. If no time zone was
- * specified, the local time zone is used to convert to milliseconds
- * relative to GMT.
- */
- private long timeGMT;
-
- /**
- * The number of nanoseconds beyond the time given by the timeGMT
- * field. The XML Query document says that fractional seconds
- * must be supported down to at least 100 nanosecond resolution.
- * The Date class only supports milliseconds, so we include here
- * support for nanosecond resolution.
- */
- private int nanoseconds;
-
- // NOTE: now that we're not using a Date object, the above two variables
- // could be condensed, and the interface could be changed so we don't
- // need to worry about tracking the time values separately
-
- /**
- * The time zone specified for this object (or TZ_UNSPECIFIED if
- * unspecified). The offset to GMT, in minutes.
- */
- private int timeZone;
-
- /**
- * The time zone actually used for this object (if it was
- * originally unspecified, the default time zone used).
- * The offset to GMT, in minutes.
- */
- private int defaultedTimeZone;
-
- /**
- * Cached encoded value (null if not cached yet).
- */
- private String encodedValue = null;
-
- /**
- * Creates a new <code>TimeAttribute</code> that represents
- * the current time in the current time zone.
- */
- public TimeAttribute() {
- this(new Date());
- }
-
- /**
- * Creates a new <code>TimeAttribute</code> that represents
- * the given time but uses the default timezone and offset values.
- *
- * @param time a <code>Date</code> object representing the
- * specified time down to second resolution. This
- * date should have a date of 01/01/1970. If it does
- * not, such a date will be forced. If this object
- * has non-zero milliseconds, they are combined
- * with the nanoseconds parameter.
- */
- public TimeAttribute(Date time) {
- super(identifierURI);
-
- int currOffset = DateTimeAttribute.getDefaultTZOffset(time);
- init(time, 0, currOffset, currOffset);
- }
-
- /**
- * Creates a new <code>TimeAttribute</code> that represents
- * the time supplied.
- *
- * @param time a <code>Date</code> object representing the
- * specified time down to second resolution. This
- * date should have a date of 01/01/1970. If it does
- * not, such a date will be forced. If this object
- * has non-zero milliseconds, they are combined
- * with the nanoseconds parameter.
- * @param nanoseconds the number of nanoseconds beyond the
- * Date specified in the date parameter
- * @param timeZone the time zone specified for this object
- * (or TZ_UNSPECIFIED if unspecified). The
- * offset to GMT, in minutes.
- * @param defaultedTimeZone the time zone actually used for this
- * object, which must be specified.
- * The offset to GMT, in minutes.
- */
- public TimeAttribute(Date time, int nanoseconds, int timeZone,
- int defaultedTimeZone) {
- super(identifierURI);
-
- // if the timezone is unspecified, it's illegal for the defaulted
- // timezone to also be unspecified
- if ((timeZone == TZ_UNSPECIFIED) &&
- (defaultedTimeZone == TZ_UNSPECIFIED))
- throw new ProcessingException("default timezone must be specified"
- + "when a timezone is provided");
-
- init(time, nanoseconds, timeZone, defaultedTimeZone);
- }
-
- /**
- * Initialization code shared by constructors.
- *
- * @param date a <code>Date</code> object representing the
- * specified time down to second resolution. This
- * date should have a date of 01/01/1970. If it does
- * not, such a date will be forced. If this object
- * has non-zero milliseconds, they are combined
- * with the nanoseconds parameter.
- * @param nanoseconds the number of nanoseconds beyond the
- * Date specified in the date parameter
- * @param timeZone the time zone specified for this object
- * (or TZ_UNSPECIFIED if unspecified). The
- * offset to GMT, in minutes.
- * @param defaultedTimeZone the time zone actually used for this
- * object (if it was originally unspecified,
- * the default time zone used).
- * The offset to GMT, in minutes.
- */
- private void init(Date date, int nanoseconds, int timeZone,
- int defaultedTimeZone) {
-
- // get a temporary copy of the date
- Date tmpDate = (Date)(date.clone());
-
- // Combine the nanoseconds so they are between 0 and 999,999,999
- this.nanoseconds =
- DateTimeAttribute.combineNanos(tmpDate, nanoseconds);
-
- // now that the date has been (potentially) updated, store the time
- this.timeGMT = tmpDate.getTime();
-
- // keep track of the timezone values
- this.timeZone = timeZone;
- this.defaultedTimeZone = defaultedTimeZone;
-
- // Check that the date is normalized to 1/1/70
- if ((timeGMT >= DateAttribute.MILLIS_PER_DAY) || (timeGMT < 0)) {
- timeGMT = timeGMT % DateAttribute.MILLIS_PER_DAY;
-
- // if we had a negative value then we need to shift by a day
- if (timeGMT < 0)
- timeGMT += DateAttribute.MILLIS_PER_DAY;
- }
- }
-
- /**
- * Returns a new <code>TimeAttribute</code> that represents
- * the xs:time at a particular DOM node.
- *
- * @param root the <code>Node</code> that contains the desired value
- * @return a new <code>TimeAttribute</code> representing the
- * appropriate value (null if there is a parsing error)
- */
- public static TimeAttribute getInstance(Node root)
- throws ParsingException, NumberFormatException, ParseException
- {
- return getInstance(root.getFirstChild().getNodeValue());
- }
-
- /**
- * Returns a new <code>TimeAttribute</code> that represents
- * the xs:time value indicated by the string provided.
- *
- * @param value a string representing the desired value
- * @return a new <code>TimeAttribute</code> representing the
- * desired value (null if there is a parsing error)
- * @throws ParsingException if any problems occurred while parsing
- */
- public static TimeAttribute getInstance(String value)
- throws ParsingException, NumberFormatException, ParseException
- {
- // Prepend date string for Jan 1 1970 and use the
- // DateTimeAttribute parsing code.
-
- value = "1970-01-01T" + value;
-
- DateTimeAttribute dateTime = DateTimeAttribute.getInstance(value);
-
- // if there was no explicit TZ provided, then we want to make sure
- // the that the defaulting is done correctly, especially since 1/1/70
- // is always out of daylight savings time
-
- Date dateValue = dateTime.getValue();
- int defaultedTimeZone = dateTime.getDefaultedTimeZone();
- if (dateTime.getTimeZone() == TZ_UNSPECIFIED) {
- TimeZone localTZ = TimeZone.getDefault();
- int newDefTimeZone =
- DateTimeAttribute.getDefaultTZOffset(new Date());
- dateValue = new Date(dateValue.getTime() -
- (newDefTimeZone - defaultedTimeZone) *
- DateAttribute.MILLIS_PER_MINUTE);
- defaultedTimeZone = newDefTimeZone;
- }
-
- return new TimeAttribute(dateValue,
- dateTime.getNanoseconds(),
- dateTime.getTimeZone(),
- defaultedTimeZone);
- }
-
- /**
- * Gets the time represented by this object. The return
- * value is a <code>Date</code> object representing the
- * specified time down to second resolution with a date
- * of January 1, 1970. Subsecond values are handled by the
- * {@link #getNanoseconds getNanoseconds} method.
- *
- * @return a <code>Date</code> object representing the
- * time represented by this object
- */
- public Date getValue() {
- return new Date(timeGMT);
- }
-
- /**
- * Gets the number of milliseconds since midnight GMT that this attribute
- * value represents. This is the same time returned by
- * <code>getValue</code>, and likewise the milliseconds are provided
- * with second resolution.
- *
- * @return milliseconds since midnight GMT
- */
- public long getMilliseconds() {
- return timeGMT;
- }
-
- /**
- * Gets the nanoseconds of this object.
- *
- * @return the number of nanoseconds
- */
- public int getNanoseconds() {
- return nanoseconds;
- }
-
- /**
- * Gets the time zone of this object (or TZ_UNSPECIFIED if
- * unspecified).
- *
- * @return the offset to GMT in minutes (positive or negative)
- */
- public int getTimeZone() {
- return timeZone;
- }
-
- /**
- * Gets the time zone actually used for this object (if it was
- * originally unspecified, the default time zone used).
- *
- * @return the offset to GMT in minutes (positive or negative)
- */
- public int getDefaultedTimeZone() {
- return defaultedTimeZone;
- }
-
- /**
- * Returns true if the input is an instance of this class and if its
- * value equals the value contained in this class.
- *
- * @param o the object to compare
- *
- * @return true if this object and the input represent the same value
- */
- public boolean equals(Object o) {
- if (! (o instanceof TimeAttribute))
- return false;
-
- TimeAttribute other = (TimeAttribute)o;
-
- return (timeGMT == other.timeGMT &&
- (nanoseconds == other.nanoseconds));
- }
-
- /**
- * Returns the hashcode value used to index and compare this object with
- * others of the same type. Typically this is the hashcode of the backing
- * data object.
- *
- * @return the object's hashcode value
- */
- public int hashCode() {
- // the standard Date hashcode is used here...
- int hashCode = (int)(timeGMT ^ (timeGMT >>> 32));
-
- // ...but both the timeGMT and the nanoseconds fields are considered
- // by the equals method, so it's best if the hashCode is derived
- // from both of those fields.
- hashCode = (31 * hashCode) + nanoseconds;
-
- return hashCode;
- }
-
- /**
- * Converts to a String representation.
- *
- * @return the String representation
- */
- public String toString() {
- StringBuffer sb = new StringBuffer();
- sb.append("TimeAttribute: [\n");
-
- // calculate the GMT value of this time
- long secsGMT = timeGMT / 1000;
- long minsGMT = secsGMT / 60;
- secsGMT = secsGMT % 60;
- long hoursGMT = minsGMT / 60;
- minsGMT = minsGMT % 60;
-
- // put the right number of zeros in place
- String hoursStr = (hoursGMT < 10) ? "0" + hoursGMT : "" + hoursGMT;
- String minsStr = (minsGMT < 10) ? "0" + minsGMT : "" + minsGMT;
- String secsStr = (secsGMT < 10) ? "0" + secsGMT : "" + secsGMT;
-
- sb.append(" Time GMT: " + hoursStr + ":" + minsStr + ":" + secsStr);
- sb.append(" Nanoseconds: " + nanoseconds);
- sb.append(" TimeZone: " + timeZone);
- sb.append(" Defaulted TimeZone: " + defaultedTimeZone);
- sb.append("]");
-
- return sb.toString();
- }
-
- /**
- * Encodes the value in a form suitable for including in XML data like
- * a request or an obligation. This returns a time value that could in
- * turn be used by the factory to create a new instance with the same
- * value.
- *
- * @return a <code>String</code> form of the value
- */
- public String encode() {
- if (encodedValue != null)
- return encodedValue;
-
- // "hh:mm:ss.sssssssss+hh:mm".length() = 27
- StringBuffer buf = new StringBuffer(27);
-
- // get the correct time for the timezone being used
- int millis = (int)timeGMT;
- if (timeZone == TZ_UNSPECIFIED)
- millis += (defaultedTimeZone * DateAttribute.MILLIS_PER_MINUTE);
- else
- millis += (timeZone * DateAttribute.MILLIS_PER_MINUTE);
-
- if (millis < 0) {
- millis += DateAttribute.MILLIS_PER_DAY;
- } else if (millis >= DateAttribute.MILLIS_PER_DAY) {
- millis -= DateAttribute.MILLIS_PER_DAY;
- }
-
- // now generate the time string
- int hour = millis / DateAttribute.MILLIS_PER_HOUR;
- millis = millis % DateAttribute.MILLIS_PER_HOUR;
- buf.append(DateAttribute.zeroPadInt(hour, 2));
- buf.append(':');
- int minute = millis / DateAttribute.MILLIS_PER_MINUTE;
- millis = millis % DateAttribute.MILLIS_PER_MINUTE;
- buf.append(DateAttribute.zeroPadInt(minute, 2));
- buf.append(':');
- int second = millis / DateAttribute.MILLIS_PER_SECOND;
- buf.append(DateAttribute.zeroPadInt(second, 2));
-
- // add any nanoseconds
- if (nanoseconds != 0) {
- buf.append('.');
- buf.append(DateAttribute.zeroPadInt(nanoseconds, 9));
- }
-
- // if there is a specified timezone, then include that in the encoding
- if (timeZone != TZ_UNSPECIFIED) {
- int tzNoSign = timeZone;
- if (timeZone < 0) {
- tzNoSign = -tzNoSign;
- buf.append('-');
- } else
- buf.append('+');
- int tzHours = tzNoSign / 60;
- buf.append(DateAttribute.zeroPadInt(tzHours, 2));
- buf.append(':');
- int tzMinutes = tzNoSign % 60;
- buf.append(DateAttribute.zeroPadInt(tzMinutes, 2));
- }
-
- // remember the encoding for later
- encodedValue = buf.toString();
-
- return encodedValue;
- }
-
-}
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java (from rev 86555, projects/security/security-xacml/trunk/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/main/java/org/jboss/security/xacml/sunxacml/attr/TimeAttribute.java 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,475 @@
+
+/*
+ * @(#)TimeAttribute.java
+ *
+ * Copyright 2003-2006 Sun Microsystems, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistribution of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistribution in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * Neither the name of Sun Microsystems, Inc. or the names of contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * This software is provided "AS IS," without a warranty of any kind. ALL
+ * EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING
+ * ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
+ * OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED. SUN MICROSYSTEMS, INC. ("SUN")
+ * AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY DAMAGES SUFFERED BY LICENSEE
+ * AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THIS SOFTWARE OR ITS
+ * DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE FOR ANY LOST
+ * REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL,
+ * INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER CAUSED AND REGARDLESS OF THE THEORY
+ * OF LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THIS SOFTWARE,
+ * EVEN IF SUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ *
+ * You acknowledge that this software is not designed or intended for use in
+ * the design, construction, operation or maintenance of any nuclear facility.
+ */
+
+package org.jboss.security.xacml.sunxacml.attr;
+
+
+import java.net.URI;
+import java.text.ParseException;
+import java.util.Date;
+import java.util.TimeZone;
+
+import org.jboss.security.xacml.sunxacml.ParsingException;
+import org.jboss.security.xacml.sunxacml.ProcessingException;
+import org.w3c.dom.Node;
+
+
+/**
+ * Representation of an xs:time value. This class supports parsing
+ * xs:time values. All objects of this class are immutable and
+ * thread-safe. The <code>Date</code> objects returned are not, but
+ * these objects are cloned before being returned.
+ *
+ * @since 1.0
+ * @author Steve Hanna
+ * @author Seth Proctor
+ */
+public class TimeAttribute extends AttributeValue
+{
+ /**
+ * Official name of this type
+ */
+ public static final String identifier =
+ "http://www.w3.org/2001/XMLSchema#time";
+
+ /**
+ * URI version of name for this type
+ * <p>
+ * This object is used for synchronization whenever we need
+ * protection across this whole class.
+ */
+ private static URI identifierURI = URI.create(identifier);
+
+ /**
+ * Time zone value that indicates that the time zone was not
+ * specified.
+ */
+ public static final int TZ_UNSPECIFIED = -1000000;
+
+ /**
+ * The time that this object represents in second resolution, in
+ * milliseconds GMT, with zero being midnight. If no time zone was
+ * specified, the local time zone is used to convert to milliseconds
+ * relative to GMT.
+ */
+ private long timeGMT;
+
+ /**
+ * The number of nanoseconds beyond the time given by the timeGMT
+ * field. The XML Query document says that fractional seconds
+ * must be supported down to at least 100 nanosecond resolution.
+ * The Date class only supports milliseconds, so we include here
+ * support for nanosecond resolution.
+ */
+ private int nanoseconds;
+
+ // NOTE: now that we're not using a Date object, the above two variables
+ // could be condensed, and the interface could be changed so we don't
+ // need to worry about tracking the time values separately
+
+ /**
+ * The time zone specified for this object (or TZ_UNSPECIFIED if
+ * unspecified). The offset to GMT, in minutes.
+ */
+ private int timeZone;
+
+ /**
+ * The time zone actually used for this object (if it was
+ * originally unspecified, the default time zone used).
+ * The offset to GMT, in minutes.
+ */
+ private int defaultedTimeZone;
+
+ /**
+ * Cached encoded value (null if not cached yet).
+ */
+ private String encodedValue = null;
+
+ /**
+ * Creates a new <code>TimeAttribute</code> that represents
+ * the current time in the current time zone.
+ */
+ public TimeAttribute() {
+ this(new Date());
+ }
+
+ /**
+ * Creates a new <code>TimeAttribute</code> that represents
+ * the given time but uses the default timezone and offset values.
+ *
+ * @param time a <code>Date</code> object representing the
+ * specified time down to second resolution. This
+ * date should have a date of 01/01/1970. If it does
+ * not, such a date will be forced. If this object
+ * has non-zero milliseconds, they are combined
+ * with the nanoseconds parameter.
+ */
+ public TimeAttribute(Date time) {
+ super(identifierURI);
+
+ int currOffset = DateTimeAttribute.getDefaultTZOffset(time);
+ init(time, 0, currOffset, currOffset);
+ }
+
+ /**
+ * Creates a new <code>TimeAttribute</code> that represents
+ * the time supplied.
+ *
+ * @param time a <code>Date</code> object representing the
+ * specified time down to second resolution. This
+ * date should have a date of 01/01/1970. If it does
+ * not, such a date will be forced. If this object
+ * has non-zero milliseconds, they are combined
+ * with the nanoseconds parameter.
+ * @param nanoseconds the number of nanoseconds beyond the
+ * Date specified in the date parameter
+ * @param timeZone the time zone specified for this object
+ * (or TZ_UNSPECIFIED if unspecified). The
+ * offset to GMT, in minutes.
+ * @param defaultedTimeZone the time zone actually used for this
+ * object, which must be specified.
+ * The offset to GMT, in minutes.
+ */
+ public TimeAttribute(Date time, int nanoseconds, int timeZone,
+ int defaultedTimeZone) {
+ super(identifierURI);
+
+ // if the timezone is unspecified, it's illegal for the defaulted
+ // timezone to also be unspecified
+ if ((timeZone == TZ_UNSPECIFIED) &&
+ (defaultedTimeZone == TZ_UNSPECIFIED))
+ throw new ProcessingException("default timezone must be specified"
+ + "when a timezone is provided");
+
+ init(time, nanoseconds, timeZone, defaultedTimeZone);
+ }
+
+ /**
+ * Initialization code shared by constructors.
+ *
+ * @param date a <code>Date</code> object representing the
+ * specified time down to second resolution. This
+ * date should have a date of 01/01/1970. If it does
+ * not, such a date will be forced. If this object
+ * has non-zero milliseconds, they are combined
+ * with the nanoseconds parameter.
+ * @param nanoseconds the number of nanoseconds beyond the
+ * Date specified in the date parameter
+ * @param timeZone the time zone specified for this object
+ * (or TZ_UNSPECIFIED if unspecified). The
+ * offset to GMT, in minutes.
+ * @param defaultedTimeZone the time zone actually used for this
+ * object (if it was originally unspecified,
+ * the default time zone used).
+ * The offset to GMT, in minutes.
+ */
+ private void init(Date date, int nanoseconds, int timeZone,
+ int defaultedTimeZone) {
+
+ // get a temporary copy of the date
+ Date tmpDate = (Date)(date.clone());
+
+ // Combine the nanoseconds so they are between 0 and 999,999,999
+ this.nanoseconds =
+ DateTimeAttribute.combineNanos(tmpDate, nanoseconds);
+
+ // now that the date has been (potentially) updated, store the time
+ this.timeGMT = tmpDate.getTime();
+
+ // keep track of the timezone values
+ this.timeZone = timeZone;
+ this.defaultedTimeZone = defaultedTimeZone;
+
+ // Check that the date is normalized to 1/1/70
+ if ((timeGMT >= DateAttribute.MILLIS_PER_DAY) || (timeGMT < 0)) {
+ long div = timeGMT / DateAttribute.MILLIS_PER_DAY;
+ timeGMT = timeGMT % DateAttribute.MILLIS_PER_DAY;
+
+ //SECURITY-405
+ if(div == 1)
+ timeGMT += DateAttribute.MILLIS_PER_DAY;
+
+ // if we had a negative value then we need to shift by a day
+ if (timeGMT < 0)
+ timeGMT += DateAttribute.MILLIS_PER_DAY;
+ }
+ }
+
+ /**
+ * Returns a new <code>TimeAttribute</code> that represents
+ * the xs:time at a particular DOM node.
+ *
+ * @param root the <code>Node</code> that contains the desired value
+ * @return a new <code>TimeAttribute</code> representing the
+ * appropriate value (null if there is a parsing error)
+ */
+ public static TimeAttribute getInstance(Node root)
+ throws ParsingException, NumberFormatException, ParseException
+ {
+ return getInstance(root.getFirstChild().getNodeValue());
+ }
+
+ /**
+ * Returns a new <code>TimeAttribute</code> that represents
+ * the xs:time value indicated by the string provided.
+ *
+ * @param value a string representing the desired value
+ * @return a new <code>TimeAttribute</code> representing the
+ * desired value (null if there is a parsing error)
+ * @throws ParsingException if any problems occurred while parsing
+ */
+ public static TimeAttribute getInstance(String value)
+ throws ParsingException, NumberFormatException, ParseException
+ {
+ // Prepend date string for Jan 1 1970 and use the
+ // DateTimeAttribute parsing code.
+
+ value = "1970-01-01T" + value;
+
+ DateTimeAttribute dateTime = DateTimeAttribute.getInstance(value);
+
+ // if there was no explicit TZ provided, then we want to make sure
+ // the that the defaulting is done correctly, especially since 1/1/70
+ // is always out of daylight savings time
+
+ Date dateValue = dateTime.getValue();
+ int defaultedTimeZone = dateTime.getDefaultedTimeZone();
+ if (dateTime.getTimeZone() == TZ_UNSPECIFIED) {
+ TimeZone localTZ = TimeZone.getDefault();
+ int newDefTimeZone =
+ DateTimeAttribute.getDefaultTZOffset(new Date());
+ dateValue = new Date(dateValue.getTime() -
+ (newDefTimeZone - defaultedTimeZone) *
+ DateAttribute.MILLIS_PER_MINUTE);
+ defaultedTimeZone = newDefTimeZone;
+ }
+
+ return new TimeAttribute(dateValue,
+ dateTime.getNanoseconds(),
+ dateTime.getTimeZone(),
+ defaultedTimeZone);
+ }
+
+ /**
+ * Gets the time represented by this object. The return
+ * value is a <code>Date</code> object representing the
+ * specified time down to second resolution with a date
+ * of January 1, 1970. Subsecond values are handled by the
+ * {@link #getNanoseconds getNanoseconds} method.
+ *
+ * @return a <code>Date</code> object representing the
+ * time represented by this object
+ */
+ public Date getValue() {
+ return new Date(timeGMT);
+ }
+
+ /**
+ * Gets the number of milliseconds since midnight GMT that this attribute
+ * value represents. This is the same time returned by
+ * <code>getValue</code>, and likewise the milliseconds are provided
+ * with second resolution.
+ *
+ * @return milliseconds since midnight GMT
+ */
+ public long getMilliseconds() {
+ return timeGMT;
+ }
+
+ /**
+ * Gets the nanoseconds of this object.
+ *
+ * @return the number of nanoseconds
+ */
+ public int getNanoseconds() {
+ return nanoseconds;
+ }
+
+ /**
+ * Gets the time zone of this object (or TZ_UNSPECIFIED if
+ * unspecified).
+ *
+ * @return the offset to GMT in minutes (positive or negative)
+ */
+ public int getTimeZone() {
+ return timeZone;
+ }
+
+ /**
+ * Gets the time zone actually used for this object (if it was
+ * originally unspecified, the default time zone used).
+ *
+ * @return the offset to GMT in minutes (positive or negative)
+ */
+ public int getDefaultedTimeZone() {
+ return defaultedTimeZone;
+ }
+
+ /**
+ * Returns true if the input is an instance of this class and if its
+ * value equals the value contained in this class.
+ *
+ * @param o the object to compare
+ *
+ * @return true if this object and the input represent the same value
+ */
+ public boolean equals(Object o) {
+ if (! (o instanceof TimeAttribute))
+ return false;
+
+ TimeAttribute other = (TimeAttribute)o;
+
+ return (timeGMT == other.timeGMT &&
+ (nanoseconds == other.nanoseconds));
+ }
+
+ /**
+ * Returns the hashcode value used to index and compare this object with
+ * others of the same type. Typically this is the hashcode of the backing
+ * data object.
+ *
+ * @return the object's hashcode value
+ */
+ public int hashCode() {
+ // the standard Date hashcode is used here...
+ int hashCode = (int)(timeGMT ^ (timeGMT >>> 32));
+
+ // ...but both the timeGMT and the nanoseconds fields are considered
+ // by the equals method, so it's best if the hashCode is derived
+ // from both of those fields.
+ hashCode = (31 * hashCode) + nanoseconds;
+
+ return hashCode;
+ }
+
+ /**
+ * Converts to a String representation.
+ *
+ * @return the String representation
+ */
+ public String toString() {
+ StringBuffer sb = new StringBuffer();
+ sb.append("TimeAttribute: [\n");
+
+ // calculate the GMT value of this time
+ long secsGMT = timeGMT / 1000;
+ long minsGMT = secsGMT / 60;
+ secsGMT = secsGMT % 60;
+ long hoursGMT = minsGMT / 60;
+ minsGMT = minsGMT % 60;
+
+ // put the right number of zeros in place
+ String hoursStr = (hoursGMT < 10) ? "0" + hoursGMT : "" + hoursGMT;
+ String minsStr = (minsGMT < 10) ? "0" + minsGMT : "" + minsGMT;
+ String secsStr = (secsGMT < 10) ? "0" + secsGMT : "" + secsGMT;
+
+ sb.append(" Time GMT: " + hoursStr + ":" + minsStr + ":" + secsStr);
+ sb.append(" Nanoseconds: " + nanoseconds);
+ sb.append(" TimeZone: " + timeZone);
+ sb.append(" Defaulted TimeZone: " + defaultedTimeZone);
+ sb.append("]");
+
+ return sb.toString();
+ }
+
+ /**
+ * Encodes the value in a form suitable for including in XML data like
+ * a request or an obligation. This returns a time value that could in
+ * turn be used by the factory to create a new instance with the same
+ * value.
+ *
+ * @return a <code>String</code> form of the value
+ */
+ public String encode() {
+ if (encodedValue != null)
+ return encodedValue;
+
+ // "hh:mm:ss.sssssssss+hh:mm".length() = 27
+ StringBuffer buf = new StringBuffer(27);
+
+ // get the correct time for the timezone being used
+ int millis = (int)timeGMT;
+ if (timeZone == TZ_UNSPECIFIED)
+ millis += (defaultedTimeZone * DateAttribute.MILLIS_PER_MINUTE);
+ else
+ millis += (timeZone * DateAttribute.MILLIS_PER_MINUTE);
+
+ if (millis < 0) {
+ millis += DateAttribute.MILLIS_PER_DAY;
+ } else if (millis >= DateAttribute.MILLIS_PER_DAY) {
+ millis -= DateAttribute.MILLIS_PER_DAY;
+ }
+
+ // now generate the time string
+ int hour = millis / DateAttribute.MILLIS_PER_HOUR;
+ millis = millis % DateAttribute.MILLIS_PER_HOUR;
+ buf.append(DateAttribute.zeroPadInt(hour, 2));
+ buf.append(':');
+ int minute = millis / DateAttribute.MILLIS_PER_MINUTE;
+ millis = millis % DateAttribute.MILLIS_PER_MINUTE;
+ buf.append(DateAttribute.zeroPadInt(minute, 2));
+ buf.append(':');
+ int second = millis / DateAttribute.MILLIS_PER_SECOND;
+ buf.append(DateAttribute.zeroPadInt(second, 2));
+
+ // add any nanoseconds
+ if (nanoseconds != 0) {
+ buf.append('.');
+ buf.append(DateAttribute.zeroPadInt(nanoseconds, 9));
+ }
+
+ // if there is a specified timezone, then include that in the encoding
+ if (timeZone != TZ_UNSPECIFIED) {
+ int tzNoSign = timeZone;
+ if (timeZone < 0) {
+ tzNoSign = -tzNoSign;
+ buf.append('-');
+ } else
+ buf.append('+');
+ int tzHours = tzNoSign / 60;
+ buf.append(DateAttribute.zeroPadInt(tzHours, 2));
+ buf.append(':');
+ int tzMinutes = tzNoSign % 60;
+ buf.append(DateAttribute.zeroPadInt(tzMinutes, 2));
+ }
+
+ // remember the encoding for later
+ encodedValue = buf.toString();
+
+ return encodedValue;
+ }
+
+}
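Review bot: The `if(div == 1)` branch added to `init()` under `//SECURITY-405` leaves `timeGMT` between `MILLIS_PER_DAY` and `2 * MILLIS_PER_DAY`, which contradicts the class's own contract. The field Javadoc says zero is midnight, `getMilliseconds()` documents "milliseconds since midnight GMT", and `equals()`/`hashCode()` compare the raw `timeGMT`. As written, `23:59:00-08:00` and `07:59:00Z` would presumably no longer be equal although they name the same instant, and a value two or more days out is still wrapped by the `%`, so ordering depends on how the input was written. Since these values presumably feed XACML time comparisons that decide access, state the rule at the branch, e.g. `// SECURITY-405: keep a one-day rollover past midnight GMT so cross-zone ordering holds; timeGMT may be >= MILLIS_PER_DAY`, and update the Javadoc of `timeGMT`, `getValue()` and `getMilliseconds()` to match. A test pinning `equals()` for one instant written in two zones would confirm whether the new behaviour is intended.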
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/attr/TimeAttributeUnitTestCase.java (from rev 86555, projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/attr/TimeAttributeUnitTestCase.java)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/attr/TimeAttributeUnitTestCase.java (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/attr/TimeAttributeUnitTestCase.java 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.sunxacml.attr;
+
+import java.util.Date;
+
+import junit.framework.TestCase;
+
+import org.jboss.security.xacml.sunxacml.attr.TimeAttribute;
+
+/**
+ * Unit tests for the Time Attribute
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 30, 2009
+ */
+public class TimeAttributeUnitTestCase extends TestCase
+{
+ public void testTime() throws Exception
+ {
+ TimeAttribute end = TimeAttribute.getInstance("23:59:00-08:00");
+ TimeAttribute now = TimeAttribute.getInstance("16:50:07.091000000-05:00");
+
+ Date nowDate = now.getValue();
+ Date endDate = end.getValue();
+
+ assertTrue("4:50 PM CDT is before 11:59 PDT", nowDate.before(endDate));
+
+ end = TimeAttribute.getInstance("01:59:00-08:00");
+ now = TimeAttribute.getInstance("03:59:00-06:00");
+
+ nowDate = now.getValue();
+ endDate = end.getValue();
+
+ assertFalse("03:59 central is not before 01:59 PDT", nowDate.before(endDate) );
+
+ end = TimeAttribute.getInstance("03:59:00-08:00");
+ now = TimeAttribute.getInstance("03:59:00-08:00");
+
+ nowDate = now.getValue();
+ endDate = end.getValue();
+
+ assertFalse("03:59 PDT is not before 03:59 PDT", nowDate.before(endDate) );
+ }
+}
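Review bot: testTime only compares values that carry an explicit offset, and only through `Date.before`, so two cases likely to misorder a time comparison are not pinned: a value with no time zone (the `TZ_UNSPECIFIED` branch visible at the end of TimeAttribute) and a value whose offset carries it across midnight. These comparisons presumably back time-based rules such as the hours-of-operation policy added in this commit, so I would add a case such as `TimeAttribute.getInstance("23:59:00")` compared against an offset-bearing value, plus an equality check on the encoded string for a round trip. The assertion messages also call `-08:00` PDT, which is UTC-7; stating the offsets themselves in the messages would avoid that confusion.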
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request (from rev 86469, projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request)
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java
===================================================================
--- projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java 2009-03-30 13:13:14 UTC (rev 86469)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,49 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2008, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.test.security.sunxacml.request;
-
-import java.io.File;
-import java.io.FileInputStream;
-import java.util.Set;
-
-import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
-
-import junit.framework.TestCase;
-
-/**
- * Unit test to read xacml requests
- * @author Anil.Saldhana at redhat.com
- * @since Mar 30, 2009
- */
-public class RequestReadUnitTestCase extends TestCase
-{
-
- public void testMultipleResourceIds() throws Exception
- {
- String fileName = "src/test/resources/requests/multiple-resourceid.xml";
-
- RequestCtx req = RequestCtx.getInstance(new FileInputStream(new File(fileName)));
- assertNotNull("Request is not null", req);
- Set resources = req.getResource();
- assertTrue("Multiple resources", resources.size() > 1);
- }
-}
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java (from rev 86470, projects/security/security-xacml/trunk/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/java/org/jboss/test/security/sunxacml/request/RequestReadUnitTestCase.java 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,50 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.security.sunxacml.request;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.util.Set;
+
+import org.jboss.security.xacml.sunxacml.ctx.RequestCtx;
+
+import junit.framework.TestCase;
+
+/**
+ * Unit test to read xacml requests
+ * @author Anil.Saldhana at redhat.com
+ * @since Mar 30, 2009
+ */
+public class RequestReadUnitTestCase extends TestCase
+{
+
+ @SuppressWarnings("unchecked")
+ public void testMultipleResourceIds() throws Exception
+ {
+ String fileName = "src/test/resources/requests/multiple-resourceid.xml";
+
+ RequestCtx req = RequestCtx.getInstance(new FileInputStream(new File(fileName)));
+ assertNotNull("Request is not null", req);
+ Set resources = req.getResource();
+ assertTrue("Multiple resources", resources.size() > 1);
+ }
+}
\ No newline at end of file
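Review bot: The `FileInputStream` opened in testMultipleResourceIds is never closed, and it is built from a path relative to the working directory, so the test leaks a file handle and fails when run from anywhere other than the module root. Loading the fixture from the test classpath removes the path dependency: `InputStream in = getClass().getClassLoader().getResourceAsStream("requests/multiple-resourceid.xml");`, with the parse wrapped in `try { ... } finally { in.close(); }` and an `assertNotNull` on the stream first. The `@SuppressWarnings("unchecked")` is only there for the raw `Set`; declaring `Set<?> resources` would make the annotation unnecessary.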
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-sunxacml/src/test/resources/requests (from rev 86469, projects/security/security-xacml/trunk/jboss-sunxacml/src/test/resources/requests)
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/pom.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/pom.xml 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,71 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <parent>
- <groupId>org.jboss.security</groupId>
- <artifactId>jboss-xacml-project</artifactId>
- <version>2.0.3.CR4-SNAPSHOT</version>
- <relativePath>../build/pom.xml</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <artifactId>jboss-xacml</artifactId>
- <packaging>jar</packaging>
- <name>JBoss XACML</name>
- <url>http://www.jboss.org</url>
- <description>JBoss XACML Library</description>
- <dependencies>
- <dependency>
- <groupId>org.jboss.security</groupId>
- <artifactId>jboss-sunxacml</artifactId>
- <version>${project.version}</version>
- </dependency>
- <dependency>
- <groupId>apache-xerces</groupId>
- <artifactId>xml-apis</artifactId>
- <version>2.7.1</version>
- </dependency>
- <dependency>
- <groupId>sun-jaxb</groupId>
- <artifactId>jaxb-api</artifactId>
- <version>2.1.4</version>
- </dependency>
- <dependency>
- <groupId>sun-jaxb</groupId>
- <artifactId>jaxb-impl</artifactId>
- <version>2.1.4</version>
- </dependency>
- <dependency>
- <groupId>sun-jaxb</groupId>
- <artifactId>jaxb-xjc</artifactId>
- <version>2.1.4</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>stax</groupId>
- <artifactId>stax-api</artifactId>
- <version>1.0</version>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>3.8.1</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>sun-jaf</groupId>
- <artifactId>activation</artifactId>
- <version>1.1</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>codehaus-stax</groupId>
- <artifactId>stax</artifactId>
- <version>1.1.1</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>servlet-api</artifactId>
- <version>2.5</version>
- <scope>test</scope>
- </dependency>
- </dependencies>
-</project>
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/pom.xml (from rev 86557, projects/security/security-xacml/trunk/jboss-xacml/pom.xml)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/pom.xml (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,71 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <parent>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-xacml-project</artifactId>
+ <version>2.0.3.CR5</version>
+ <relativePath>../build/pom.xml</relativePath>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>jboss-xacml</artifactId>
+ <packaging>jar</packaging>
+ <name>JBoss XACML</name>
+ <url>http://www.jboss.org</url>
+ <description>JBoss XACML Library</description>
+ <dependencies>
+ <dependency>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-sunxacml</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>apache-xerces</groupId>
+ <artifactId>xml-apis</artifactId>
+ <version>2.7.1</version>
+ </dependency>
+ <dependency>
+ <groupId>sun-jaxb</groupId>
+ <artifactId>jaxb-api</artifactId>
+ <version>2.1.4</version>
+ </dependency>
+ <dependency>
+ <groupId>sun-jaxb</groupId>
+ <artifactId>jaxb-impl</artifactId>
+ <version>2.1.4</version>
+ </dependency>
+ <dependency>
+ <groupId>sun-jaxb</groupId>
+ <artifactId>jaxb-xjc</artifactId>
+ <version>2.1.4</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>stax</groupId>
+ <artifactId>stax-api</artifactId>
+ <version>1.0</version>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>3.8.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>sun-jaf</groupId>
+ <artifactId>activation</artifactId>
+ <version>1.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>codehaus-stax</groupId>
+ <artifactId>stax</artifactId>
+ <version>1.1.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>2.5</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
\ No newline at end of file
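Review bot: `<relativePath>../build/pom.xml</relativePath>` points at a `build` directory, while this commit's file list shows the parent POM at `parent/pom.xml`. If the tag has no `build/pom.xml`, Maven will not find the parent in the checkout and will resolve `jboss-xacml-project` 2.0.3.CR5 from a repository, so a build of the release tag may use a parent other than the tagged one. After confirming the directory layout, I would change the line to `<relativePath>../parent/pom.xml</relativePath>`.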
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/java/org/jboss/test/security/xacml/interop/himss09 (from rev 86556, projects/security/security-xacml/trunk/jboss-xacml/src/test/java/org/jboss/test/security/xacml/interop/himss09)
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/logging.properties (from rev 86556, projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/logging.properties)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/logging.properties (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/logging.properties 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,21 @@
+# Specify the handlers to create in the root logger
+# (all loggers are children of the root logger)
+# The following creates two handlers
+handlers = java.util.logging.ConsoleHandler, java.util.logging.FileHandler
+
+# Set the default logging level for the root logger
+.level = ALL
+
+# Set the default logging level for new ConsoleHandler instances
+java.util.logging.ConsoleHandler.level = ALL
+
+# Set the default logging level for new FileHandler instances
+java.util.logging.FileHandler.level = ALL
+
+# Set the default formatter for new ConsoleHandler instances
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
+
+# Set the default logging level for the logger named org.jboss
+org.jboss.security.xacml.sunxacml.level = FINEST
+com.sun.xml.bind.level = OFF
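Review bot: `java.util.logging.FileHandler` is enabled at level ALL with no `java.util.logging.FileHandler.pattern`, so the JDK default `%h/java%u.log` applies and every test run writes a log file into the user's home directory. With `org.jboss.security.xacml.sunxacml.level = FINEST`, that file may also capture the content of evaluated requests. I would either drop the FileHandler from `handlers` or add a build-local pattern, for example `java.util.logging.FileHandler.pattern = target/xacml-test%u.log`. The last comment names the logger as org.jboss, but the line configures `org.jboss.security.xacml.sunxacml`; the comment should name that logger.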
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml
===================================================================
--- projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,11 +0,0 @@
-<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
- <ns:Policies>
- <ns:PolicySet>
- <ns:Location>test/policies/interop/himss09/himss-policy.xml</ns:Location>
- </ns:PolicySet>
- </ns:Policies>
- <ns:Locators>
- <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicyLocator">
- </ns:Locator>
- </ns:Locators>
-</ns:jbosspdp>
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml (from rev 86555, projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/config/himss09-interop-config.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,11 @@
+<ns:jbosspdp xmlns:ns="urn:jboss:xacml:2.0">
+ <ns:Policies>
+ <ns:PolicySet>
+ <ns:Location>test/policies/interop/himss09/himss-policy-01.xml</ns:Location>
+ </ns:PolicySet>
+ </ns:Policies>
+ <ns:Locators>
+ <ns:Locator Name="org.jboss.security.xacml.locators.JBossPolicySetLocator">
+ </ns:Locator>
+ </ns:Locators>
+</ns:jbosspdp>
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/policies/interop/himss09/himss-policy-01.xml (from rev 86556, projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/policies/interop/himss09/himss-policy-01.xml)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/policies/interop/himss09/himss-policy-01.xml (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/policies/interop/himss09/himss-policy-01.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,601 @@
+<?xml version="1.0" encoding="utf-8"?>
+<PolicySet xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-os.xsd"
+ PolicySetId="urn:oasis:names:tc:xspa:1.0"
+ PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Target />
+ <PolicySet PolicySetId="urn:oasis:names:tc:xspa:1.0:org" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>Contains all organizational policies which are evaluated on all requests.</Description>
+ <Target />
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:allowed:organizations" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject is attempting to access
+ a resource and is not a member of the allowed organizations.
+ </Description>
+ <Target />
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny" Effect="Deny">
+ <Description>Evaluates the allowed-organizations (if available) against the subject's locality.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:hoursofoperations" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject is attempting to access
+ the resource outside of the alloted time.
+ </Description>
+ <Target />
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny" Effect="Deny">
+ <Description>Evaluates the environment time against the hours of operation start and end.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:start" DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hoursofoperation:end" DataType="http://www.w3.org/2001/XMLSchema#time" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.STRUCTURED-ROLE NOT IN ORG.REQUIRED-ROLES -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org:required:roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject is attempting to access
+ a resource and they are not a member of the required role(s).
+ </Description>
+ <Target />
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:required:roles:deny" Effect="Deny">
+ <Description>Evaluates the organization roles (if available) against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <!-- MAY NEED TO SWITCH ~~ Is this a one to many relationship? Are all roles required or does the subject just need to be included? -->
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.PERMISSIONS NOT IN ORG.RESOURCE.PERMISSIONS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org.resource.permissions" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ The organization denies the request if the subject does not have adequate
+ permissions to access the resource.
+ </Description>
+ <Target />
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:org:resource.permissions:deny" Effect="Deny">
+ <Description>Evaluates the required permissions (if available) against the subject's permissions.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hl7:permission" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:org:hl7:permission" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:hl7:permission" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:org.catch-all" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
+ <Description></Description>
+ <Target />
+ <Rule RuleId="" Effect="Permit"></Rule>
+ </Policy>
+ </PolicySet>
+
+ <PolicySet PolicySetId="urn:oasis:names:tc:xspa:1.0:patient" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides">
+ <Description>These policies are patient consent directives and are invoked on medical-record requests.</Description>
+ <Target />
+
+ <!-- (RESOURCE.RESOURCETYPE IN PATIENT.MASKEDOBJECT) AND (SUBJECT.ROLE IN PATIENT.MA.DISSENTING-ROLES) -->
+ <!-- PROBLEMS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for problems from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-roles:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-roles for problems (if available) against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-role" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- MEDICATIONS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for medications from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-roles:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-roles for medications (if available) against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-role" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- ALERTS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request alerts from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-roles:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-roles for alerts (if available) against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-role" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+
+ <!-- IMMUNIZATIONS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-roles" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for immunizations from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-roles:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-roles for immunizations (if available) against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-role" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+
+ <!-- (RESOURCE.RESOURCETYPE IN PATIENT.MASKEDOBJECT) AND (SUBJECT.ROLE IN PATIENT.MA.DISSENTING-ROLES) -->
+ <!-- PROBLEMS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for problems from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for problems (if available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Problems:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- MEDICATIONS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for medications from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:medications:dissenting-subject-ids:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for medications (if available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Medications:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- ALERTS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for alerts from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:alerts:dissenting-subject-ids:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for alerts (if available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Alerts:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+ <!-- IMMUNIZATIONS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request for immunizations from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:immunizations:dissenting-subject-ids:permit" Effect="Permit">
+ <Description>Evaluates the dissenting-subject-id's for immunizations (if available) against the subject's NPI.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ <Obligations>
+ <Obligation ObligationId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:Immunizations:dissenting-subject-id" FulfillOn="Permit"></Obligation>
+ </Obligations>
+ </Policy>
+
+ <!-- SUBJECT.LOCALITY NOT IN PATIENT.ALLOWED-ORGANIZATIONS -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:patient:allowed:organizations" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if their locality is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:patient:allowed:organizations:deny" Effect="Deny">
+ <Description>Evaluates the allowed-organizations (if available) against the subject's locality.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:locality" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:allowed-organizations" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.ROLE IN PATIENT.DISSENTING-ROLES -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting:role" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if their role is not permitted by the patient.
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:patient:dissenting:roles:deny" Effect="Deny">
+ <Description>Evaluates the dissenting-role (if available) against the subject's role.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-role" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- SUBJECT.ID IN PATIENT.DISSENTING-ID -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-ids" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if the NPI is not permitted by the patient.
+ </Description>
+ <Target />
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0:resource:patient:masked:problems:dissenting-subject-ids:deny" Effect="Deny">
+ <Description>Evaluates the dissenting-subject-id (if available) against the subject's NPI.</Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
+ </Apply>
+ </Apply>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
+ <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:subject:npi" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:patient:dissenting-subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+
+ <!-- CONFIDENTIALITY -->
+ <Policy PolicyId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-codes" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
+ <Description>
+ Denies the request from the subject if the confidentiality code is set to "Sensitive". This policy
+ is acting as the "Catch-All".
+ </Description>
+ <Target>
+ <Resources>
+ <Resource>
+ <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:oasis:names:tc:xspa:1.0:resource:hl7:type:medical-record</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0:resource:hl7:type" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </ResourceMatch>
+ </Resource>
+ </Resources>
+ </Target>
+ <Rule RuleId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code:deny" Effect="Deny">
+ <Description>Evaluates the HL7 confidentiality-code.</Description>
+ <Target />
+ <Condition>
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+ <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+ <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">S</AttributeValue>
+ <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xspa:1.0.resource:patient:hl7:confidentiality-code" DataType="http://www.w3.org/2001/XMLSchema#string" />
+ </Apply>
+ </Apply>
+ </Condition>
+ </Rule>
+ </Policy>
+ </PolicySet>
+</PolicySet>
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/jboss-xacml/src/test/resources/test/requests/interop/himss09 (from rev 86556, projects/security/security-xacml/trunk/jboss-xacml/src/test/resources/test/requests/interop/himss09)
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/parent/pom.xml
===================================================================
--- projects/security/security-xacml/trunk/parent/pom.xml 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/parent/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,42 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <parent>
- <groupId>org.jboss</groupId>
- <artifactId>jboss-parent</artifactId>
- <version>4</version>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <groupId>org.jboss.security</groupId>
- <artifactId>jboss-xacml-project</artifactId>
- <version>2.0.3.CR4-SNAPSHOT</version>
- <packaging>pom</packaging>
- <name>JBoss XACML Build</name>
- <url>http://www.jboss.com</url>
- <description>
- The JBoss XACML Project
- </description>
- <scm>
- <connection>scm:svn:http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/trunk</connection>
- <developerConnection>scm:svn:https://svn.jboss.org/repos/jbossas/projects/security/security-xacml/trunk</developerConnection>
- </scm>
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-release-plugin</artifactId>
- <configuration>
- <tagBase>https://svn.jboss.org/repos/jbossas/projects/security/security-xacml/tags</tagBase>
- </configuration>
- </plugin>
- </plugins>
- </build>
- <repositories>
- <repository>
- <id>jboss</id>
- <name>JBoss Repository</name>
- <layout>default</layout>
- <url>http://anonsvn.jboss.org/repos/repository.jboss.org/maven2</url>
- <snapshots>
- <enabled>true</enabled>
- </snapshots>
- </repository>
- </repositories>
-</project>
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/parent/pom.xml (from rev 86557, projects/security/security-xacml/trunk/parent/pom.xml)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/parent/pom.xml (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/parent/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,42 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <parent>
+ <groupId>org.jboss</groupId>
+ <artifactId>jboss-parent</artifactId>
+ <version>4</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-xacml-project</artifactId>
+ <version>2.0.3.CR5</version>
+ <packaging>pom</packaging>
+ <name>JBoss XACML Build</name>
+ <url>http://www.jboss.com</url>
+ <description>
+ The JBoss XACML Project
+ </description>
+ <scm>
+ <connection>scm:svn:http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.3.CR5</connection>
+ <developerConnection>scm:svn:https://svn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.3.CR5</developerConnection>
+ </scm>
+ <build>
+ <plugins>
+ <plugin>
+ <artifactId>maven-release-plugin</artifactId>
+ <configuration>
+ <tagBase>https://svn.jboss.org/repos/jbossas/projects/security/security-xacml/tags</tagBase>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ <repositories>
+ <repository>
+ <id>jboss</id>
+ <name>JBoss Repository</name>
+ <layout>default</layout>
+ <url>http://anonsvn.jboss.org/repos/repository.jboss.org/maven2</url>
+ <snapshots>
+ <enabled>true</enabled>
+ </snapshots>
+ </repository>
+ </repositories>
+</project>
\ No newline at end of file
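Review bot: The `<repositories>` block of this tagged parent pom resolves artifacts from `http://anonsvn.jboss.org/repos/repository.jboss.org/maven2` over plain HTTP and keeps `<snapshots><enabled>true</enabled></snapshots>`. A release tag built this way is not reproducible, because snapshot artifacts can change after the tag is cut, and anything fetched over HTTP can be altered in transit before it reaches the build. For the 2.0.3.CR5 tag I would set `<enabled>false</enabled>` under `<snapshots>` and switch the repository `<url>` to an HTTPS endpoint for the same repository, if the host offers one. The `<scm>` `<connection>` entries in this pom and in the root pom use the same HTTP scheme, which is worth aligning with the `https://` `developerConnection` already present.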
Deleted: projects/security/security-xacml/tags/2.0.3.CR5/pom.xml
===================================================================
--- projects/security/security-xacml/trunk/pom.xml 2009-03-30 11:02:19 UTC (rev 86468)
+++ projects/security/security-xacml/tags/2.0.3.CR5/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -1,25 +0,0 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <parent>
- <groupId>org.jboss.security</groupId>
- <artifactId>jboss-xacml-project</artifactId>
- <version>2.0.3.CR4-SNAPSHOT</version>
- <relativePath>parent</relativePath>
- </parent>
- <modelVersion>4.0.0</modelVersion>
- <groupId>org.jboss.security</groupId>
- <artifactId>jboss-xacml-main</artifactId>
- <packaging>pom</packaging>
- <name>JBoss XACML - Aggregator</name>
- <url>http://labs.jboss.org/portal/jbosssecurity/</url>
- <description>JBoss Security is a cross cutting project that handles security for the JEMS projects</description>
- <modules>
- <module>parent</module>
- <module>jboss-sunxacml</module>
- <module>jboss-xacml</module>
- <module>assembly</module>
- </modules>
- <scm>
- <connection>scm:svn:http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/trunk</connection>
- <developerConnection>scm:svn:https://svn.jboss.org/repos/jbossas/projects/security/security-xacml/trunk</developerConnection>
- </scm>
-</project>
\ No newline at end of file
Copied: projects/security/security-xacml/tags/2.0.3.CR5/pom.xml (from rev 86557, projects/security/security-xacml/trunk/pom.xml)
===================================================================
--- projects/security/security-xacml/tags/2.0.3.CR5/pom.xml (rev 0)
+++ projects/security/security-xacml/tags/2.0.3.CR5/pom.xml 2009-03-31 22:24:03 UTC (rev 86558)
@@ -0,0 +1,25 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <parent>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-xacml-project</artifactId>
+ <version>2.0.3.CR5</version>
+ <relativePath>parent</relativePath>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>org.jboss.security</groupId>
+ <artifactId>jboss-xacml-main</artifactId>
+ <packaging>pom</packaging>
+ <name>JBoss XACML - Aggregator</name>
+ <url>http://labs.jboss.org/portal/jbosssecurity/</url>
+ <description>JBoss Security is a cross cutting project that handles security for the JEMS projects</description>
+ <modules>
+ <module>parent</module>
+ <module>jboss-sunxacml</module>
+ <module>jboss-xacml</module>
+ <module>assembly</module>
+ </modules>
+ <scm>
+ <connection>scm:svn:http://anonsvn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.3.CR5</connection>
+ <developerConnection>scm:svn:https://svn.jboss.org/repos/jbossas/projects/security/security-xacml/tags/2.0.3.CR5</developerConnection>
+ </scm>
+</project>
\ No newline at end of file