Okke, Yes it is thread-safe. You definitely should not have to instantiate an OpenAZPDPDEngine for every decide.
The PDP Engine has default Standard Policy Finder factory and Policy Finder, but you don¹t have to use them. You could create your own policy finder factory (PolicyFinderFactory) and possibly also the policy finder (PolicyFinder) if necessary. That way you can link directly to your database and dynamically provide the policy(s) to the PDP when it gets a request. In fact the XACML-PDP-REST has its own implementation of the Policy Finder Factory. It isn¹t much different than the standard one. All it does it load the policies immediately vs loading the first time a request. So when a new set of policies is pushed to the XACML-PDP-REST, it creates an instance of a PDP engine and loads the policies, does a little verification, and then its ready to use for requests swaps it in with the currently running PDP engine instance. Hope that helps, Pam On 9/14/15, 11:57 AM, "Okke Harsta" <[email protected]> wrote: >Hi, > >We intend to use the the OpenAZPDPEngine in a Spring Boot application and >currently we are instantiating only one PDPEngine in the application. Is >this going to give us problems when multiple requests use the same >instance of OpenAZPDPEngine? Effectively I¹m asking if the >OpenAZPDPEngine is thread-safe. We are going to store the policies in the >database and I rather not instantiate an OpenAZPDPEngine for every decide >and effectively lazily load the policies. Current code: > > @Bean > @Autowired > public PDPEngine pdpEngine( > @Value("${xacml.properties.path}") final String >xacmlPropertiesFileLocation) throws IOException, FactoryException { > Resource resource = >resourceLoader.getResource(xacmlPropertiesFileLocation); > String absolutePath = resource.getFile().getAbsolutePath(); > > //This will be picked up by the XACML bootstrapping when creating a >new PDPEngine > System.setProperty(XACMLProperties.XACML_PROPERTIES_NAME, >absolutePath); > > PDPEngineFactory factory = PDPEngineFactory.newInstance(); > return factory.newEngine(); > } > >If the OpenAZPDPEngine is not thread-safe are there any intentions to >alter this? > >I also would like to add new Polices at run-time to the PDPEngine and it >looks like there is no hook for this. Correct? It seems that in a >high-traffic environment where every login goes through the PDPEngine it >is a significant performance penalty to call >PDPEngineFactory.newInstance() for every request. > >Thanks, >Okke > >
