EvaluatablePreprocess

[darrellhansen]

What is the purpose of EvaluatablePreprocess?

[Florian Huonder]

Hi,

Thx for your interest.
You are asking regarding the EvaluatablePreprocess.
EvaluatablePreprocess enables an implementer to process the deployed evaluatables before evaluation (at deployment time). An example could be to replace local references with the referenced policies directly to save the lookup time. Other examples could be optimizations of the policy tree.
But the feature you are looking at is no longer present in the current herasaf-xacml-core 1.0.0 development trunk (current stable release 1.0.0-M2, current development release 1.0.0.M3-SNAPSHOT).
The reason for removing this feature was that we wanted to make the core very lightwight (you see that the old stuff (0.x versions) is relatively heavy (Spring dependencies, multiple modules, ...).
Nevertheless the new core is open for such features through its architecture. Such preprocessings should be, in my opinion, something that should be part of the policy repository. The repository is plugable what enables you to implement such preprocessing logic by yourself.

May I ask you why you are looking at the "old" implementations (0.x versions). We are very interested in the reason.
We strongly recommend to use the new, maintained and actively developped, version 1.0.0-M2 (or 1.0.0.M3-SNAPSHOT).

I am looking forward to hearing from you.

Best regards,
Florian

update:
Some more information are here:

• http://dev.herasaf.org/wiki/display/XACMLCORE/XACML+Core+1.0.0-M3+%28Snapshot%29
• http://dev.herasaf.org/browse/XACMLCORE#selectedTab=com.atlassian.jira.plugin.system.project%3Aroadmap-panel

[darrellhansen]

Sorry for the delay in responding. I have been in and out of working on this and my memory is a little vague. I saw that with the new 1.x core release that it was simplified. I have this code. It has a SimplePDP as an example. The 0.x release has a PDP that works with the Persistence Mgr and that is what we need. Also, just so you know, we are looking to embed a PDP on each of our application servers in a server farm. We want an app node to come up, load all the policies and be ready to service requests as the load balancer sends requests. In other words, our PEPs and PDPs will be local on the same app node. It is the only way we believe we can get the performance we need. We expect to have policies persisted in a database, preprocessed into Evaluatable form so that at start up it is very fast to initialize and we want all the optimization we can get...that is what I recall from a month ago...so I might be bit inaccurate.

I will focus on the latest release and try to figure out how to do the more complex PDP that we need based on the latest release. The Simplified PDP that came with the core didn't quite gel in my mind for me especially when I looked at the thesis design documents. If it is possible to have another code trunk that shows example application of the core, with database persistence etc, that would be great. I know that each customer may want to implement in various ways so you want the core to be lightweight, but it makes it hard to envision how to use it.

[Florian Huonder]

Hi,

We removed an explicit persiting policy repository implementation in the "new" core (1.0.0.x) because of the leightweightness. Our intention was to provide an API where customers could hook into.
For your case I would suggest an implementation of a PolicyRetrivalPoint that loads the policies from the database with support of the PolicyMarshaller. The PolicyMarshaller creates Evalutable objects directly.
The SimplePDPFactory than can return a new SimplePDP with your custom PolicyRetrivalPoint.

The thesis document is no longer accurate for the "new" core. For the new core use our Wiki (http://dev.herasaf.org/wiki/display/XACMLCORE/XACML+Core+1.0.0-M3+%28Snapshot%29) as starting point.
If you have any further questions, don't hesitate to ask.

Best regards,
Florian