The PDP uses a PolicyRetrievalPoint (PRP) implementation to retrieve XACML policies for evaluation against a request. The TESB PDP ships with a default PRP implementation that retrieves role and permission policies from the XACML Policy Registry. The PRP implementation caches XACML policies to avoid costly calls to the XACML Policy Registry.

The default caching mechanism is based on Ehcache. The default cache configuration is specified in the "pdp-ehcache.xml" file; it can be overridden by specifying a different cache configuration file, as detailed in the next section. The default cache configuration in "pdp-ehcache.xml" is shown below. It describes a cache where policies are neither persisted to disk nor overflowed to disk, and where cached policies never expire (in Ehcache, a timeToIdleSeconds or timeToLiveSeconds value of 0 means no limit, so the cache behaves as eternal even though eternal="false" is set). A separate cache is configured for role policies and for permission policies:
<defaultCache maxEntriesLocalHeap="10000" eternal="false" timeToIdleSeconds="0" timeToLiveSeconds="0" overflowToDisk="false" maxElementsOnDisk="20000" diskPersistent="false" diskExpiryThreadIntervalSeconds="120" memoryStoreEvictionPolicy="LRU" />
In addition to configuring how policies are cached via a caching configuration file, it is possible to select a common caching strategy in the PDP configuration file. Three options are supported:
- InMemory: XACML policies are kept in memory and not written to disk
- OverflowToDisk: XACML policies are kept in memory, but will overflow to disk if the cache is full
- PersistToDisk: XACML policies are persisted to disk
When the PDP is started for the first time, it retrieves all role policies from the XACML Policy Registry. Permission policies are only retrieved from the XACML Policy Registry as needed: in the course of evaluating a request against the set of role policies, if a role policy matches the request, the relevant permission policy is retrieved from the Policy Registry. That permission policy is then cached so that it does not have to be retrieved again. It is possible to configure the PDP to also retrieve all permission policies on startup.
The PDP is configured with an interval at which XACML policies are reloaded from the registry. After the initial policy retrieval, a scheduler is started to retrieve policies from the registry. Once this interval elapses, the policy caches are cleared and new policies are downloaded. Until that reload, requests are evaluated against the cached copies, so a policy that is added, changed or removed in the registry only takes effect at the PDP after the interval elapses.
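The following Python model is an added illustration of the retrieval and caching behaviour described in the two preceding paragraphs; it is example code written for this page, not part of TESB or its PDP, and the PolicyRegistry stand-in, its sample policies and all method names are constructed assumptions. It loads role policies at startup, fetches permission policies lazily on the first matching request, supports the optional prefetch-at-startup mode, and drops both caches when the reload interval elapses, which is why a policy changed in the registry is only observed after the next reload:

```python
class PolicyRegistry:
    # Constructed stand-in for the XACML Policy Registry (hypothetical, not the TESB API);
    # a role policy maps a role name to the id of the permission policy it grants.
    def __init__(self):
        self.role_policies = {"role:admin": "perm:admin", "role:user": "perm:user"}
        self.permission_policies = {"perm:admin": "Permit *", "perm:user": "Permit read"}
        self.calls = 0  # number of "costly" registry round trips the cache is meant to avoid

    def fetch_role_policies(self):
        self.calls += 1
        return dict(self.role_policies)

    def fetch_permission_policy(self, policy_id):
        self.calls += 1
        return self.permission_policies[policy_id]


class CachingPRP:
    # Models the PRP behaviour described on this page: role policies are loaded at startup,
    # permission policies on first use, and both caches are dropped when the reload interval elapses.
    def __init__(self, registry, reload_interval, prefetch_permissions=False):
        self.registry = registry
        self.reload_interval = reload_interval
        self.prefetch_permissions = prefetch_permissions
        self.clock = 0        # simulated seconds since PDP startup
        self.last_reload = 0
        self._reload()

    def _reload(self):
        # Clear both caches, then retrieve policies again from the registry.
        self.role_cache = self.registry.fetch_role_policies()
        self.perm_cache = {}
        if self.prefetch_permissions:  # optional "retrieve all permission policies on startup" mode
            for policy_id in set(self.role_cache.values()):
                self.perm_cache[policy_id] = self.registry.fetch_permission_policy(policy_id)

    def tick(self, seconds):
        # Stands in for the reload scheduler: advance time and reload once the interval has elapsed.
        self.clock += seconds
        if self.clock - self.last_reload >= self.reload_interval:
            self.last_reload = self.clock
            self._reload()

    def permission_policy_for(self, role):
        # A matching role policy triggers a lazy fetch of its permission policy, then cached until reload.
        policy_id = self.role_cache.get(role)
        if policy_id is None:
            return None
        if policy_id not in self.perm_cache:
            self.perm_cache[policy_id] = self.registry.fetch_permission_policy(policy_id)
        return self.perm_cache[policy_id]
```

The registry's call counter makes the cache hits and the staleness window visible: a permission policy rewritten in the registry keeps being served from cache until the interval elapses and the reload runs.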