Okke, 1. That¹s intentional design, the attributesRequired was intended for use within the PAP Admin Console during Policy Creation and PIP Definition. It was brought in late in the development after the PDP was developed.
2. The design of XACML is that a PIPEngine is called to provide a specific attribute, that only happens when the attribute is required to evaluate a PolicySet/Policy/Rule. As long as the PDP (or another PIPEngine) does not need the attribute, it won¹t get called. The PDP will first look in the request for the attribute, then go through each PIP engine asking for the attribute. The PIP Engine should return immediately if it doesn¹t provide that attribute, thus avoiding that expensive call. Make sure you write that Policy correctly. Also beware in the case of another PIP requiring the attribute being provided by that expensive PIP, in order to provide its own attribute. Pam On 9/9/15, 2:41 PM, "Okke Harsta" <[email protected]> wrote: >Hi, > >We want to Œenrich¹ attributes by using PIPEngines and I have a question >about that: > >1) PIPEngine#attributesRequired is never called during the decide process >and I thought this was the hook to ensure that a PIPEngine is not called >when the required attributes are not in the Request. Is this a bug or >intentional design? >2) How do I make sure that a PIPEngine is only called upon for a certain >Policy as our PIP does expensive calls and is only needed when for >example a certain Policy matches the Request > >Thanks, >Okke >
