Every PDP request results in permit #15

Closed
sambenas opened this issue Apr 14, 2017 · 3 comments
@sambenas

Hello, I recently got started using the AuthZForce PDP/PAP APIs, and for some reason every request is resulting in a permit. As an example, here is a policy I created:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
 xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 PolicySetId="P1"
 Version="1.0"
 PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit">
 <Description>Test Policy Set</Description>
 <Target />
 <Policy
  PolicyId="FileAccessApp"
  Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Description>Policy for FileAccessApp</Description>
  <Target>
   <AnyOf>
    <AllOf>
     <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">FileAccessApp</AttributeValue>
      <AttributeDesignator
       Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
       DataType="http://www.w3.org/2001/XMLSchema#string"
       MustBePresent="true" />
     </Match>
    </AllOf>
   </AnyOf>
  </Target>
  <Rule RuleId="Must_Be_US" Effect="Permit">
   <Description>Only US Citizens may access files.</Description>
   <Target>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">file</AttributeValue>
       <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true" />
      </Match>
     </AllOf>
    </AnyOf>
    <AnyOf>
     <AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
       <AttributeValue
        DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
       <AttributeDesignator
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
        AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true" />
      </Match>
     </AllOf>
    </AnyOf>
   </Target>
   <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
     <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" />
      <AttributeValue
       DataType="http://www.w3.org/2001/XMLSchema#string">US_Citizen</AttributeValue>
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
       DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"
       Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" />
    </Apply>
   </Condition>
  </Rule>
 </Policy>
</PolicySet>

And yet, the request below results in a Permit

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
 CombinedDecision="false" ReturnPolicyIdList="false">
 <Attributes
  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
   IncludeInResult="false">
   <AttributeValue
   DataType="http://www.w3.org/2001/XMLSchema#string">Dave</AttributeValue>
  </Attribute>
  <Attribute AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
   IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">Not_Us_Citizen</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
   IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">FileAccessApp</AttributeValue>
  </Attribute>
  <Attribute
   AttributeId="urn:thales:xacml:2.0:resource:sub-resource-id" IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">file</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
  <Attribute
   AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
   IncludeInResult="false">
   <AttributeValue
    DataType="http://www.w3.org/2001/XMLSchema#string">access</AttributeValue>
  </Attribute>
 </Attributes>
 <Attributes
  Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" />
</Request>

If I enable ReturnPolicyIdList I see the line <PolicyIdReference Version="0.1.0">permit-all</PolicyIdReference>

How to disable this? Will just manually removing the 0.1.0.xml file and restarting Tomcat do it or is there a specific API call I need to make?

@cdanger
Member

cdanger commented Apr 17, 2017

The PDP is still using the default root PolicySet. Beware that only the root PolicySet or PolicySets referenced by it (via PolicySetIdReference) are actually used by the PDP for evaluation. The root policy - where the PDP starts the evaluation - is set in PDP properties as explained in the doc.

If you want the PDP to evaluate your policy (P1 in this case) directly as the root policy, either you change the policy's PolicySetId to match the current rootPolicyRefExpression value, or you change rootPolicyRefExpression to P1. You can also use it as a child policy by updating the current root policy with a PolicySetIdReference to P1.
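
Added example (not part of this thread and not AuthZForce code): a small Python checker for the failure mode described in the reply above. It walks PolicySetIdReference links from the root PolicySet to find uploaded PolicySets the PDP will never evaluate, and flags any reachable Permit rule that has no Target and no Condition, which is what a root still carrying a permit-all Policy looks like. The two root PolicySets and the trimmed P1 are constructed inline for the example; the PolicySetId "root", the version numbers and the exact permit-all layout are assumptions modelled on the PolicyIdReference the OP saw, not the template AuthZForce actually ships.

```python
"""Reachability audit for XACML 3.0 PolicySets. Added example, not AuthZForce code:
only the root PolicySet and what it reaches via PolicySetIdReference gets evaluated."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
PCA = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit"
RCA = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"

# Constructed root modelled on the permit-all PolicyIdReference the OP saw in the
# response; the default template AuthZForce actually ships may differ in detail.
ROOT_PERMIT_ALL = f"""<PolicySet xmlns="{XACML}" PolicySetId="root" Version="0.1.0"
  PolicyCombiningAlgId="{PCA}">
  <Target/>
  <Policy PolicyId="permit-all" Version="0.1.0" RuleCombiningAlgId="{RCA}">
    <Target/>
    <Rule RuleId="permit-everything" Effect="Permit"/>
  </Policy>
</PolicySet>"""

# Same root after the fix described in the reply: permit-all removed, P1 referenced.
ROOT_REFERENCING_P1 = f"""<PolicySet xmlns="{XACML}" PolicySetId="root" Version="0.2.0"
  PolicyCombiningAlgId="{PCA}">
  <Target/>
  <PolicySetIdReference>P1</PolicySetIdReference>
</PolicySet>"""

# Trimmed stand-in for the OP's P1: its Policy only applies to resource FileAccessApp.
P1 = f"""<PolicySet xmlns="{XACML}" PolicySetId="P1" Version="1.0" PolicyCombiningAlgId="{PCA}">
  <Target/>
  <Policy PolicyId="FileAccessApp" Version="1.0" RuleCombiningAlgId="{RCA}">
    <Target><AnyOf><AllOf>
      <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">FileAccessApp</AttributeValue>
        <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
          DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Match>
    </AllOf></AnyOf></Target>
    <Rule RuleId="Must_Be_US" Effect="Permit"/>
  </Policy>
</PolicySet>"""

def parse_policyset(xml_text):
    """Parse one PolicySet document; rejects anything whose root is not a PolicySet."""
    elem = ET.fromstring(xml_text)
    if elem.tag != f"{{{XACML}}}PolicySet":
        raise ValueError(f"not a XACML 3.0 PolicySet: {elem.tag}")
    return elem

def referenced_policysets(ps):
    """Ids named by direct PolicySetIdReference children of this PolicySet."""
    return [ref.text.strip() for ref in ps.findall("x:PolicySetIdReference", NS)]

def reachable_policysets(root_id, policysets):
    """Ids reachable from root_id via PolicySetIdReference (policysets: id -> Element).
    A referenced id missing from the map stays in the result, so dangling refs show up."""
    seen, todo = set(), [root_id]
    while todo:
        pid = todo.pop()
        if pid in seen:
            continue
        seen.add(pid)
        if pid in policysets:
            todo.extend(referenced_policysets(policysets[pid]))
    return seen

def _matches_everything(elem):
    """True when elem has no Target or an empty <Target/>, i.e. matches any request."""
    target = elem.find("x:Target", NS)
    return target is None or len(target) == 0

def unconditional_permits(ps):
    """(PolicyId, RuleId) of Permit rules in inline Policies that apply to every request."""
    hits = []
    if not _matches_everything(ps):
        return hits
    for pol in ps.findall("x:Policy", NS):
        if not _matches_everything(pol):
            continue
        for rule in pol.findall("x:Rule", NS):
            if (rule.get("Effect") == "Permit" and _matches_everything(rule)
                    and rule.find("x:Condition", NS) is None):
                hits.append((pol.get("PolicyId"), rule.get("RuleId")))
    return hits

def audit(root_id, policysets):
    """Dead PolicySets, dangling references and reachable permit-all rules."""
    reach = reachable_policysets(root_id, policysets)
    return {
        "unreachable": sorted(set(policysets) - reach),
        "dangling": sorted(reach - set(policysets)),
        "permit_all": sorted((pid, pol, rule) for pid in reach & set(policysets)
                             for pol, rule in unconditional_permits(policysets[pid])),
    }

if __name__ == "__main__":
    p1 = parse_policyset(P1)
    print("before:", audit("root", {"root": parse_policyset(ROOT_PERMIT_ALL), "P1": p1}))
    print("after: ", audit("root", {"root": parse_policyset(ROOT_REFERENCING_P1), "P1": p1}))
```

Run as-is, the "before" audit reports P1 as unreachable and the root's permit-all rule as a reachable unconditional Permit; the "after" audit reports nothing. Against a real domain, feed every PolicySet the PAP returns plus the rootPolicyRefExpression value as root_id: a non-empty unreachable list, or a permit_all hit on the root, is exactly the symptom in this issue. The checker only looks at inline, top-level Policies and at rules with empty targets, so it is a smoke test for dead policies and wide-open roots, not a substitute for evaluating requests against the PDP.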

@cdanger
Member

cdanger commented May 18, 2017

Closing this in absence of reply from OP for over a month.

@cdanger cdanger closed this as completed May 18, 2017
@sambenas
Author

I am sorry for my lack of response. But yes, closing this issue is appropriate. Thank you for your help!
