Once the XACML Request described in the previous section has been created, it must be dispatched to the PDP (as covered in the next few sections). The PDP evaluates the Request, constructs a XACML Response, and returns it to the client.
The PDP can return a decision of Permit, Deny, NotApplicable or Indeterminate. Access is allowed only if the decision of the PDP is Permit. For any other decision, the PEP will throw a CXF AccessDeniedException. The PDP can also return an Obligations Element that is defined in the relevant policy as part of the request. The PEP is supposed to grant access on a Permit decision only if it can satisfy all Obligations. The TESB PEP does not support Obligations by default, but does have a pluggable way of handling an Obligations element if required.
An example of a XACML response is given below.
<Response xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <Result>
        <Decision>Permit</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
        </Status>
    </Result>
</Response>
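
The enforcement rule described above, written as a fail-closed check. This is an added example, not TESB or CXF code: the class and method names are hypothetical, the sample responses are constructed, and it assumes a PEP with no Obligations handler, so any Obligations element is treated as unsatisfiable.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

// Hypothetical helper, not part of the TESB PEP.
public class XacmlDecisionCheck {
    static final String CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os";

    // True only for a single Result whose Decision is Permit and which carries
    // no Obligations. Every other outcome, including a parse error, is a denial.
    static boolean isAccessAllowed(String responseXml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            // The response is untrusted input to the PEP: refuse DOCTYPEs (XXE).
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(responseXml.getBytes(StandardCharsets.UTF_8)));
            NodeList decisions = doc.getElementsByTagNameNS(CTX_NS, "Decision");
            if (decisions.getLength() != 1) {
                return false; // missing or ambiguous decision
            }
            if (!"Permit".equals(decisions.item(0).getTextContent().trim())) {
                return false; // Deny, NotApplicable, Indeterminate, or anything else
            }
            // Assumption: no Obligations handler is plugged in, so a Permit that
            // carries Obligations (in any namespace) cannot be honoured.
            return doc.getElementsByTagNameNS("*", "Obligations").getLength() == 0;
        } catch (Exception e) {
            return false; // fail closed
        }
    }

    // Constructed sample responses.
    static String response(String decision, String extra) {
        return "<Response xmlns=\"" + CTX_NS + "\"><Result><Decision>" + decision
            + "</Decision>" + extra + "</Result></Response>";
    }

    public static void main(String[] args) {
        System.out.println(isAccessAllowed(response("Permit", "")));        // true
        System.out.println(isAccessAllowed(response("Indeterminate", ""))); // false
        System.out.println(isAccessAllowed(response("Permit",
            "<Obligations xmlns=\"urn:example:constructed\"/>")));          // false
        System.out.println(isAccessAllowed("<Response>"));                  // false
    }
}
```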