All notable changes to this project are documented in this file following the Keep a CHANGELOG conventions. This project adheres to Semantic Versioning.
- Migrated to Java 17 as minimum required Java version and JAXB 4.0: replaced javax.xml.bind.* with jakarta.xml.bind.* in class imports
- Upgraded parent project (authzforce-ce-parent): 9.0.0
- Upgraded managed dependencies:
- authzforce-ce-xacml-model: 9.0.0
- authzforce-ce-pdp-ext-model: 9.0.0
- jakarta.mail-api: 2.1.2
- Spring Core: 6.0.11
- Slf4j: 2.0.7
- guava 32.1.3-jre
- Upgraded parent project (authzforce-ce-parent) version: 8.5.0
- CVEs in dependencies by upgrading:
- authzforce-ce-xacml-model, authzforce-ce-pdp-ext-model: 8.5.0
- javax.mail-api to jakarta.mail-api: 1.6.7
- guava: 32.1.2-jre
- slf4j-api: 1.7.36
- Saxon-HE: 12.3
- Support for XACML `<StatusDetail>`/`<MissingAttributeDetail>` (requested by AuthzForce Core issue authzforce/core#69):
  - Returned by AttributeDesignator expression evaluator when missing named attribute(s)
  - `ImmutableXacmlStatus` and `IndeterminateEvaluationException` classes improved: new constructors supporting XACML `MissingAttributeDetail` element
  - `BaseXacmlJaxbRequestPreprocessor` class: new constructor arg: `Optional<NamedXacmlAttributeParser<Attribute>> customNamedAttributeParser` (custom parser of named Attributes, to customize how XACML Attributes are converted into instance of AuthzForce internal Attribute class)
- New `XMLUtils.SAXBasedXmlnsFilteringParser` class constructor parameter - XML namespace prefix-to-URI mappings - to help fix the issue authzforce/server#66.
- Error when having multiple XPath expressions (e.g. AttributeSelectors) with XPath variables in the same Policy (the list of declared variables on Saxon XPathCompiler is internally saved and not reinitialized after each call to `XPathCompiler#compile(String)`, having side effects when reusing the same XPathCompiler instance).
- Feature: XPath variables in `xPathExpression` `AttributeValue`s' XPath expressions can now be defined by XACML VariableDefinitions (variable name used as XACML VariableId), which means XACML Variables can be used as XPath variables there.
- Added immutable implementation of `BaseXPathCompilerProxy`: `BasicImmutableXPathCompilerProxy` class.
- Feature: XPath variables in `AttributeSelector`s' XPath expressions can now be defined by XACML VariableDefinitions (variable name used as XACML VariableId), which means XACML Variables can be used as XPath variables there.
- Spotbugs issues: public API methods' `XPathCompiler` (Saxon API) parameter now replaced with new immutable class `XPathCompilerProxy` instead of SAXON for safer code.
- Changed Datatype extension interface (`AttributeValueFactory`):
  - `getInstance(...)`: `XPathCompiler` parameter replaced with `Optional<XPathCompilerProxy>`, where XPathCompilerProxy is an immutable version of `XPathCompiler` class with extra methods; the parameter is optional because XPath support may be disabled by PDP configuration or missing Policy(Set)Defaults/XPathVersion in XACML Policy(Set)
  - `Datatype` interface: added `ItemType getXPathItemType()` method used to declare Variable types on Saxon XPath evaluator when compiling XPath expressions with variables
  - `AttributeValue` must now implement `getXdmItem()` to return an XPath-compatible (XDM) value to be used as variables in XPath expressions, in order to support the new Feature mentioned above.
- Changed `EvaluationContext` interface to better handle XACML Variables in XPath expressions (support the new Feature mentioned above):
  - Added `getVariables()` to get the list of all VariableReferences/Values in context for evaluation of XPath expression
  - `putVariableIfAbsent(...)`: `String variableId` parameter changed to `VariableReference variableRef`
- Changed `ExpressionFactory` interface: added `isXpathEnabled()` and `getVariableExpressions()` to get list of VariableExpressions for declaring all Variable names/types on XPath expression in order to support the new Feature mentioned in previous section
- Changed `VariableReference` interface: added `QName getXPathVariableName()` method used to declare and assign variables when compiling and evaluating XPath expressions (with SAXON API).
- Request pre-processor extension interface changed: `DecisionRequestPreprocessor.Factory#getInstance(...)` method changed: `xmlProcessor` arg removed
- PMD/Spotbugs error fix: new classes `ImmutableXacmlStatus`, `ImmutableXacmlStatusCode` used as immutable replacements for XACML-schema-derived (JAXB-annotated) `Status` and `StatusCode`.
- Upgraded parent project `authzforce-ce-parent` version to 8.2.0:
- Upgraded SLF4j to 1.7.32
- Upgraded Saxon-HE to 10.6
- Upgraded Guava to 31.0
- Upgraded Maven plugins:
- license-maven-plugin to 4.1
- maven-pmd-plugin to 3.15.0 and PMD to 6.42.0
- dependency-check-maven to 6.5.3
- maven-compiler-plugin to 3.9.0
- maven-source-plugin to 3.2.1
- maven-javadoc-plugin to 3.3.1
- maven-jar-plugin to 3.2.2
- maven-gpg-plugin to 3.0.1
- CVE-2021-22060: Spring upgraded to 5.2.19
- `authzforce-ce-parent` version: 8.1.0
- Improved support of Multiple Decision Profile in the `PdpEngine` interface and the following types of PDP extensions: Combining Algorithm, Function, Attribute Provider, Policy Provider. The corresponding interfaces (`CombiningAlg`...) have changed: certain of their methods - called during request evaluation - now take a new `Optional<EvaluationContext>` parameter which is used to pass the MDP evaluation context (MDP = Multiple Decision Profile) which is an evaluation context shared across all the Individual Decision Requests within the same Multiple Decision Request whenever MDP is used in the input request to the PDP. This enables all PDP extensions to be aware / provide better support of the Multiple Decision Profile. This may be used in particular by an Attribute Provider providing the standard current-time/current-date/current-dateTime attributes which should have the same values for all Individual Decision Requests corresponding to the same Multiple Decision Request.
- `DecisionRequest` and `EvaluationContext` interfaces changed:
  - New method `getCreationTimestamp()`: provides the date/time of the request/context creation. Used typically for the standard current-* attributes.
  - `putNamedAttributeValueIfAbsent(AttributeFqn, AttributeBag)` replaced with more generic `putNamedAttributeValue(AttributeFqn, AttributeBag, boolean override)`
- XacmlAttributeId enum: added standard attribute `urn:oasis:names:tc:xacml:2.0:resource:target-namespace`
- Attribute Provider (`NamedAttributeProvider`) interface: added 2 new methods for better support of the Multiple Decision Profile (all implemented by default to do nothing):
  - `beginMultipleDecisionRequest(EvaluationContext mdpContext)`: for special processing in the context of the MDP request (before corresponding Individual Decision requests are evaluated)
  - `supportsBeginMultipleDecisionRequest()`: indicates whether the Attribute Provider implements `beginMultipleDecisionRequest()` method and therefore needs the PDP engine to call it when a new MDP request is evaluated
  - `beginIndividualDecisionRequest(EvaluationContext individualDecisionContext, Optional<EvaluationContext> mdpContext)`: for special processing in the context of an Individual Decision request, before it is evaluated against policies (before the `get(attribute)` method is ever called for the individual decision request).
  - `supportsBeginIndividualDecisionRequest()`: indicates whether the Attribute Provider implements `beginIndividualDecisionRequest()` method and therefore needs the PDP engine to call it when a new individual decision request is evaluated.
- CVE-2021-22118: updated parent version to 8.0.2 -> Spring to 5.2.15
- Upgraded javax.mailapi to 1.6.2
- Issue raised on AuthzForce Server project: authzforce/server#62
- Upgraded project parent version: 8.0.0
- Upgraded to Java 11 (Java 8 no longer supported)
- Maven plugin findbugs (obsolete) replaced with spotbugs
- Upgraded project parent version: 7.6.1
- Upgraded managed dependency slf4j-api: 1.7.30
- PolicyProvider API: `CloseablePolicyProvider.Factory#getInstance(...)` takes new parameter `otherHelpingPolicyProvider` which allows a new Policy Provider to call other(s) previously instantiated ones for help - during instantiation or later - in order to resolve policies (references) it cannot resolve on its own. Therefore, this allows combining multiple Policy Providers together.
- #2: CVE-2018-8088 affecting slf4j (upgraded version of slf4j managed by parent project)
- Upgraded project parent version to 7.6.0
- Maven dependency `javax.mail-api`: scope changed to `provided` since an actual implementation should be provided at runtime instead, e.g. `com.sun.mail:javax.mail` (in the same version) to avoid class overlap/duplicate.
- Parent project version: 7.5.1 (security fix)
- `PolicyProvider` interface: new method `getCandidateRootPolicy()` provides a default root policy to the PDP when 'rootPolicyRef' undefined in PDP configuration (helps simplify PDP configuration)
- More generic PolicyProvider interface: type-parametered with the type of PolicyEvaluator returned by get(...) method
- *RootPolicyProvider and *RefPolicyProvider interfaces removed; only (Closeable)PolicyProvider and (Base|Closeable)StaticPolicyProvider remain.
- Parent project version: 7.5.0 -> changed dependency versions:
- authzforce-ce-xmlns-model: 7.5.0
- authzforce-ce-xacml-model: 7.5.0
- authzforce-ce-pdp-ext-model: 7.5.0
- Guava: 24.1.1-jre
- Replaced dependency mailapi with javax.mail-api v1.6.0
- ExpressionFactory interface: new method `getVariableExpression(variableId)`
- Apply class: added check for VariableReference used as first arg (sub-function) to higher-order function: variables (resolved at evaluation time) are not allowed, only constant
- TimeValue class: more Javadoc giving info about underlying XmlGregorianCalendar's year/month/day fields (set to DatatypeConstants.FIELD_UNDEFINED)
- GenericAttributeProviderBasedAttributeDesignatorExpression class: moved from authzforce-ce-core-pdp-engine project
- Parent project (authzforce-ce-parent) version: 7.3.0, which changes dependency versions:
- authzforce-ce-xmlns-model: 7.3.0
- authzforce-ce-xacml-model: 7.3.0
- authzforce-ce-pdp-ext-model: 7.3.0
- Spring: 4.3.14.RELEASE
- Saxon-HE: 9.8.0-12
- Interfaces: PolicyEvaluator has new method getEnclosedPolicies(), used to detect duplicate PolicyId/Version
- Classes from authzforce-ce-core-pdp-engine, which may be useful to PEP implementations (PEPs should not depend on authzforce-ce-core-pdp-engine except if using an embedded PDP):
  - `StandardAttributeValueFactories` (for mapping standard Java types or XACML datatypes into AuthzForce data model)
  - `ImmutableAttributeValueFactoryRegistry` (required by the previous one)
  - `BasePdpExtensionRegistry` (required by the previous one).
- `AttributeValueFactoryRegistry#getCompatibleFactory(Class)` method: used in unit tests.
- `AttributeValueFactoryRegistry#newAttributeBag(Collection, AttributeSource)`: creates an AttributeBag with a custom AttributeSource
- `PrimitiveDatatype#getInstanceClass()` method: gives the Java class associated to the (XACML) datatype, in AuthzForce data model.
- `XacmlJaxbParsingUtils#parseXacmlJaxbResult(Result)` method: to convert XACML/XML Result into AuthzForce data model's DecisionResult
- For more flexibility, genericity and code simplification (better adaptation to non-XML formats such as JSON in particular), AuthzForce data model classes (e.g. `AttributeValue`) no longer extend XACML-schema-derived (JAXB-annotated) classes (e.g. `AttributeValueType`).
- `DecisionCache.Factory#getInstance(...)`: new AttributeValueFactoryRegistry parameter for the decision cache system to be able to create/restore AttributeValues from deserialized data stored or produced by external - possibly remote - systems (e.g. cache storage database).
- `CloseableDesignatedAttributeProvider` (resp. `BaseDesignatedAttributeProvider`) class renamed to `CloseableNamedAttributeProvider` (resp. `BaseNamedAttributeProvider`) to reuse the official term "named attribute" from §7.3 of XACML 3.0 spec.
- IllegalArgumentException for empty XACML anyURI, i.e. `<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI" />`. XACML 3.0 spec's anyURI datatype (annex B.3) is defined by W3C XML schema specification (2004)'s anyURI datatype, itself defined by RFC 2396 and 2732 at IETF. An empty URI is valid according to RFC 2396 (section 4.2), therefore an empty AttributeValue with anyURI datatype must be parsed successfully into an empty value. (Fix to `SimpleValue` class.)
- AuthzForce `IntegerValue`s wrongly considered not equal if created from different Java integer types (for the same value), e.g. `1` (Integer) and `1L` (Long). (Fix to `equals()` implementations in `GenericInteger` subclasses.)
- Interface method DecisionCache.Factory#getInstance(...): added EnvironmentProperties parameter to allow passing environment properties to DecisionCache implementations
- Interface method AttributeProvider#get(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Interface method EvaluationContext#getNamedAttributeValue(...): replaced parameter type BagDatatype with Datatype to simplify AttributeProviders' code
- Class VersionPatterns renamed to PolicyVersionPatterns because it depends on PolicyVersionPattern (with no 's') class
- Updated authzforce-ce-parent version: 7.1.0 -> 7.2.0:
- Changes dependency version: slf4j: 1.7.22 --> 1.7.25
- Changes build plugin versions:
- OWASP dependency-check plugin: 3.0.1 -> 3.0.2 (fix blocking bug #978 on their GitHub)
- Copyright end year (2018) in license headers
- API interface/abstract class:
  - `SimpleValue.BaseFactory` abstract class: new `getSupportedInputTypes()` for simple attribute value factories to specify the input Java types they support, i.e. that they can parse to AttributeValue, in order to help implement new `AttributeValueFactoryRegistry#newAttributeValue/AttributeBag(...)` methods
  - `AttributeValueFactoryRegistry` interface: new `newAttributeValue(Serializable)` and `newAttributeBag(Collection<? extends Serializable>)` methods for creating `AttributeValue`/`AttributeBag` from raw Java types without specifying a XACML datatype argument explicitly, but based on the input types supported by the simple AttributeValueFactories (of subtype `SimpleValue.BaseFactory`) in the registry, which info is provided by the `getSupportedInputTypes()` mentioned previously. This change contributes to the implementation of authzforce-ce-core issue #10 on GitHub.
- `X500NameValue` class: added constructor from X500Principal
- Parent project: 7.0.0 -> 7.1.0
- Managed dependency version: guava: 21.0 -> 22.0
- Parent project: 6.0.0 -> 7.0.0
- Renamed PDP extension interfaces and base implementations:
- (Base|Closeable)AttributeProviderModule -> (Base|Closeable)DesignatedAttributeProvider
- (Base)RequestFilter -> (Base)DecisionRequestPreprocessor
- DecisionResultFilter -> DecisionResultPostprocessor
- CloseablePdp -> CloseablePdpEngine
- (Immutable)PdpDecisionRequest -> (Immutable)DecisionRequest
- PdpDecisionResult -> DecisionResult
- PdpDecisionRequest(Factory|Builder) -> DecisionRequest(Factory|Builder)
- (Base|Closeable)(Static)RefPolicyProviderModule -> (Base|Closeable)(Static)RefPolicyProvider
- RootPolicyProviderModule -> RootPolicyProvider
- (Base)DatatypeFactory(Registry) -> (Base)AttributeValueFactory(Registry) (using new class AttributeDatatype subclass of Datatype)
- Uses of IdReferenceType (for Policy(Set)IdReference) replaced by new interface PrimaryPolicyMetadata (identifies Policy uniquely) in all APIs where necessary
- Moved JaxbXacmlUtils utility class out to authzforce-ce-xacml-model project (renamed to Xacml3JaxbHelper)
- New extensible framework for PDP engine adapters, e.g. for specific types of input/output (SerDes), PDP engine itself made agnostic of request/response serialization formats
- New package org.ow2.authzforce.core.pdp.api.io for classes related to input/output (SerDes) adapter, e.g. from/to XACML-XML
- New interface PdpEngineInoutAdapter (default implementation is XACML/XML using JAXB API, XACML/JSON one moved to separate project)
- More optimal implementation of XACML integer values: 3 possible GenericInteger interface implementations depending on maximum (size) (ArbitrarilyBigInteger for java BigIntegers, MediumInteger for java Integers, and LongInteger for java Longs), with value caching (like Java Integer/Long). This optimizes memory usage / CPU computation when dealing with XACML integers small enough to fit in Java Integers/Longs.
- Class naming conventions regarding acronyms (only first letter should be uppercase, see also https://google.github.io/styleguide/javaguide.html#s5.3-camel-case), for example:
- AnyURIValue -> AnyUriValue
- AttributeFQN -> AttributeFqn
- AttributeFQNs -> AttributeFqns
- CloseablePDP -> CloseablePdp
- JaxbXACMLUtils -> JaxbXacmlUtils
- PDPEngine -> PdpEngine
- XMLUtils -> XmlUtils...
- StaticRefPolicyProviderModule interface to abstract class
- Renamed RefPolicyProvider.Utils class (utility methods for Policy Provider implementations) to RefPolicyProvider.Helper
- BaseStaticRefPolicyProviderModule class as convenient base class for static Policy Provider (StaticRefPolicyProviderModule ) implementations
- Class AttributeSource and AttributeSources: source of attribute values, e.g. the Request, the PDP, an AttributeProvider module, etc.
- Class AttributeBag: new kind of Bag that represents an attribute bag (values) with metadata such as value source (AttributeSource)
- Interface EvaluationContext: new methods to attach one or more context listeners, and get back the attached listener(s)
- New Expression interface implementations: AttributeDesignatorExpression (XACML AttributeDesignator evaluator) and AttributeSelectorExpression (XACML Attribute Selector evaluator)
- Changed POM parent version: 6.0.0.
- Changed DecisionResultFilter interface methods
- Changed RequestFilter interface methods
- Changed DecisionCache interface methods by adding EvaluationContext parameter for context-dependent caches
- Changed RefPolicyProvider interface methods
- Changed PDPEngine interface methods
- Changed EvaluationContext interface methods
- Changed Expression interface methods
- Changed VersionPatterns class methods to return new PolicyVersionPattern class that helps manipulate XACML VersionMatchTypes
- Refactoring:
- Renamed class IndividualDecisionRequest to IndividualXACMLRequest (XACML-specific model of Individual Decision Request)
- Renamed class IndividualPdpDecisionRequest to PdpDecisionRequest (individual request in XACML-agnostic AuthzForce model)
- Renamed class AttributeGUID(s) to AttributeFQN(s) (Fully Qualified Name is more appropriate than GUID)
- Renamed class MutableBag to MutableAttributeBag
- Changed parent version: v5.1.0:
- License: GPL v3.0 replaced with Apache License v2.0
- Project URL: 'https://tuleap.ow2.org/projects/authzforce' replaced with 'https://authzforce.ow2.org'
- GIT repository URL base: 'https://tuleap.ow2.org/plugins/git/authzforce' replaced with 'https://gitlab.ow2.org/authzforce'
- Return type of `Datatype#getTypeParameter()`: `Datatype<?>` replaced with `Optional<Datatype<?>>`
- Return type of `AttributeGUID#getIssuer()`: `String<?>` replaced with `Optional<String<?>>`
- Changed parent version: 4.1.1 -> 5.0.0 -> Changed dependency versions: SLF4J: 1.7.6 -> 1.7.22; Guava: 20.0 -> 21.0
- Renamed class Pdp to PDPEngine and added methods to evaluate one or multiple Individual Decision Requests using more efficient API than XACML-schema-derived Request
- Renamed class PdpDecisionInput to PdpDecisionRequest -> changed DecisionCache API
- Changed DecisionResultFilter API
- Parent project version: 4.1.1 (upgrades owasp dep check mvn plugin version: 1.4.4 -> 1.4.4.1)
- LOG CRLF INJECTION issue (reported by find-sec-bugs) no longer fixed in code but assumed handled by logback configuration (see Layout pattern 'replace' keyword in logback documentation)
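
A logback layout that neutralizes CR/LF in logged messages with the `replace` conversion word referred to above. This is an added example, not the project's own configuration; the appender name and the rest of the pattern are assumptions.

```xml
<configuration>
  <!-- Appender name and pattern layout are assumptions made for this example -->
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
      <!-- %replace(p){r, t}: every match of regex r in the output of p is replaced with t.
           Here CR and LF inside the message become '_', so a value taken from a request
           cannot start a forged log line. -->
      <pattern>%d{ISO8601} [%thread] %-5level %logger{36} - %replace(%msg){'[\r\n]', '_'}%n</pattern>
    </encoder>
  </appender>

  <root level="INFO">
    <appender-ref ref="STDOUT" />
  </root>
</configuration>
```

Only `%msg` is filtered here; any other converter that can carry request-derived text (for example MDC values printed with `%X`) needs the same wrapping.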
- Parent project version: 4.0.0 -> 4.1.0 => Saxon-HE dependency version 9.7.0-11 -> 9.7.0-14
- Security issues reported by find-sec-bugs plugin
- Extension mechanism to switch HashMap/HashSet implementation; default implementation is based on native JRE and Guava.
- AtomicValue interface for atomic/primitive values, implemented by Function and AttributeValue
- Public class PrimitiveDatatype for primitive value datatypes
- ConstantExpression interface (replaces ValueExpression) for all constant Value expression
- FunctionExpression interface, Expression wrapper for Functions (Function no longer extends Expression but AtomicValue) like Value
- Function datatype constant in StandardDatatypes class, used as formal parameter type for functions in higher-order functions
- Maven plugin owasp-dependency-check to check vulnerabilities in dependencies
- Function no longer extends Expression but AtomicValue since Function Expression is now materialized by new FunctionExpression interface
- Expression interface: method boolean isStatic() replaced by getValue() to get the constant result if expression is static/constant (instead of calling evaluate(null), which forces callers to handle IndeterminateEvaluationException), null if not
- ExpressionFactory interface: Function return types replaced with FunctionExpression (new interface)
- FirstOrderFunctionCall abstract class (base class for first-order function call implementations): changed to interface and abstract class logic moved to new BaseFirstOrderFunctionCall class
- DatatypeFactory interface: removed method isExpressionStatic(), now useless since we have new Expression#getValue() method
- CombiningAlg (combining algorithm interface) Evaluator interface: more generic
- Maven parent project version: 3.4.0 -> 4.0.0:
- Java version: 1.7 -> 1.8 (maven.compiler.source/target property)
- Guava dependency version: 18.0 -> 20.0
- Saxon-HE dependency version: 9.6.0-5 -> 9.7.0-11
- com.sun.mail:javax.mail v1.5.4 changed to com.sun.mail:mailapi v1.5.6
- ValueExpression interface, replaced by ConstantExpression
- Dependency on Koloboke, replaced by extension mechanism mentioned in Added section that would allow switching from the default HashMap/HashSet implementation to Koloboke-based.
- Javadoc issues
- Bag.equals() ignoring duplicates (like XACML set-equals function). Fixed by using Guava Multiset as backend structure and Multiset.equals(), to comply with the mathematical definition of a bag/multiset and XACML definition which is basically the same.
- BaseStaticRootPolicyProviderModule keeping a reference to static refPolicyProvider, although policies are to be resolved statically at initialization time, after which it is no longer needed. Fix: remove BaseStaticRootPolicyProviderModule to force RootPolicyProvider modules to manage their refPolicyProvider and free memory after use.
- Bag.elements() method, returns a Multiset (Guava) view of a bag's elements, useful in particular to implement functions with bags like XACML set-*
- BaseStaticRootPolicyProviderModule class removed (see fix above)
- Dependency: com.koloboke:koloboke-impl-jdk6-7:1.0.0 for better (performance and API) HashMap/HashSet. More info: http://java-performance.info/hashmap-overview-jdk-fastutil-goldman-sachs-hppc-koloboke-trove-january-2015/
- CombiningAlg.Evaluator (Combining Algorithm evaluator interface):
- Return type changed to ExtendedDecision (Decision, Status, Extended Indeterminate if Decision is Indeterminate), simpler than formerly DecisionResult
- evaluate() takes 2 extra "out" parameters: UpdatablePepActions and UpdatableApplicablePolicies used to add/return PEP actions and applicable policies collected during evaluation
- DecisionCache interface: input PdpDecisionInput and output PdpDecisionResult allow handling 2 new fields: named attributes and extra Content nodes used during evaluation; thus enabling smarter caching possibilities
- EvaluationContext interface: addApplicablePolicy(...) replaced by isApplicablePolicyIdListRequested() because applicable policies are now collected in the new "out" parameter above and in the evaluation results (DecisionResult) returned by Policy evaluators
- Deprecated Expression#getJAXBElement() usually used to get the original XACML from which the Expression was parsed (no longer considered useful)
- Bag#equals() re-implemented like XACML function set-equals
- Change implementation of unmodifiable lists to Guava ImmutableList
- Made all implementations of DecisionResult immutable
- Project parent version (3.4.0): all JAXB-annotated classes derived from XACML schema now implement java.io.Serializable interface. This affects subclasses StatusHelper, CombinerParameterEvaluator and concrete XXXValue classes (extending XACML AttributeValue)
- All method parameters made final when applicable
- IndividualDecisionRequest#isApplicablePolicyIdentifiersReturned() method renamed to isApplicablePolicyIdListReturned()
- CombiningAlgSet and FunctionSet classes (GitHub issue #1), now useless.
- Attribute Provider Extension interface (CloseableAttributeProviderModule interface): new parameter to pass global PDP environment properties to AttributeProvider extensions
- Code-style issues reported by Codacy
- Issues reported by Codacy
- FirstOrderBagFunctions#getFunctions(): changed parameters to only one of type DatatypeFactory for simplification
- Current year in license header
- Implementations of XACML 3.0 Core standard data types
- Re-usable/abstract classes for XACML comparison/conversion/higher-order/set/bag functions
- Javadoc of DecisionResult#getExtendedIndeterminate() method
- PDP extensions that are static root policy providers should now implement StaticRootPolicyProviderModule class, instead of RootPolicyProviderModule.Static class
- PDP extensions that are static ref-policy providers should now implement StaticRefPolicyProvider class, instead of RefPolicyProvider class with isStatic() method returning true
- (Static)RootPolicyProviderModule and (Static)RefPolicyProviderModule#get(...) return type is now (Static)TopLevelPolicyElementEvaluator instead of IPolicyEvaluator interface (removed)
- Interface method PolicyEvaluator#getExtraPolicyMetadata(): provides version of the evaluated Policy(Set) and policies referenced (directly/indirectly) from this Policy(Set)
- Interface method PolicyEvaluator#getPolicyElementType(): provides the type of top-level policy element (Policy or PolicySet).
- Interface method DecisionResult#getExtendedIndeterminate(): provides Extended Indeterminate value (to be used when #getDecision() returns "Indeterminate")
- Initial release on GitHub