Schema
The schema definition for the attribute connector configuration is available below in XML and JSON/YAML formats.
- XML
- JSON/YAML
table.config.xsd
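<!--
  XSD form of the attribute connector configuration schema (table.config.xsd).

  Modelling notes:
  * An element that carries a "description" attribute is declared as simple
    content extending its value type (xs:extension base="..."). XSD does not
    allow a type attribute together with an inline complexType, and
    xs:extension requires a base.
  * connectionKeys has no declared type, so it is xs:anyType. The JSON form of
    this schema describes each key as an object with attributeName or
    xacmlAttribute.
  * The JSON Schema keywords $schema and $defs are not declared here: they are
    not valid XML names and have no XSD counterpart.
  * No minOccurs is declared, so under XSD defaults every element below is
    mandatory and must appear in the listed order. The JSON form requires only
    connection, identifier and mappings at the top level (method and url inside
    connection, authenticationMode inside authentication, interval inside
    retryStrategy, name inside headers, typeOfException inside
    retryableExceptions), and it also defines keystore, truststore, headerKey,
    keys and xacmlAttribute, which have no counterpart here.
    NOTE(review): confirm which form is intended before validating real
    configurations against this XSD.
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="root">
    <xs:complexType>
      <xs:sequence>
        <!-- Connection settings for the target HTTP service. -->
        <xs:element name="connection">
          <xs:complexType>
            <xs:sequence>
              <xs:element maxOccurs="unbounded" type="xs:integer" name="acceptedHttpCodes"/>
              <!--
                Credentials used towards the target service or token server.
                clientSecret, password and token are plain xs:string values: the
                schema puts no constraint on how they are stored, so a file that
                validates against it may hold live credentials in clear text.
                Handle such files as secrets (restrictive file permissions, kept
                out of version control).
              -->
              <xs:element name="authentication">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="authenticationMode">
                      <xs:complexType>
                        <xs:simpleContent>
                          <xs:extension base="xs:string">
                            <xs:attribute default="This parameter indicates the type of authentication we are dealing with such as 'Basic', 'Bearer' or 'OAuth2'." name="description" type="xs:string"/>
                          </xs:extension>
                        </xs:simpleContent>
                      </xs:complexType>
                    </xs:element>
                    <xs:element type="xs:string" name="clientId"/>
                    <xs:element type="xs:string" name="clientSecret"/>
                    <xs:element type="xs:string" name="domain"/>
                    <xs:element type="xs:boolean" name="fetchAuthTokenEagerly"/>
                    <xs:element type="xs:string" name="password"/>
                    <xs:element type="xs:string" name="scope"/>
                    <xs:element type="xs:string" name="token"/>
                    <xs:element name="tokenServiceAuthenticationMode">
                      <xs:complexType>
                        <xs:simpleContent>
                          <xs:extension base="xs:string">
                            <xs:attribute default="When the authentication mode requires retrieving tokens from a token server, this parameter indicates the type of authentication use to contact the server. This attribute is optional, and it defaults to 'Basic'." name="description" type="xs:string"/>
                          </xs:extension>
                        </xs:simpleContent>
                      </xs:complexType>
                    </xs:element>
                    <xs:element type="xs:string" name="tokenUrl"/>
                    <xs:element type="xs:string" name="username"/>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
              <!-- Untyped (xs:anyType); see the modelling notes at the top of the schema. -->
              <xs:element maxOccurs="unbounded" name="connectionKeys"/>
              <xs:element maxOccurs="unbounded" name="headers">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="name">
                      <xs:complexType>
                        <xs:simpleContent>
                          <xs:extension base="xs:string">
                            <xs:attribute default="The value for the header comes from either a static value element or from a XACML attribute" name="description" type="xs:string"/>
                          </xs:extension>
                        </xs:simpleContent>
                      </xs:complexType>
                    </xs:element>
                    <xs:element type="xs:string" name="value"/>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
              <xs:element maxOccurs="unbounded" type="xs:integer" name="ignoredHttpCodes"/>
              <!--
                Security: true switches off verification of the server's TLS
                certificate (see the description). The connector then cannot
                tell the intended service from an intercepting party, and any
                credentials configured under authentication are sent to an
                unverified peer. Keep this false outside test setups. The JSON
                form exposes a truststore property, presumably for trusting a
                private CA instead; confirm against the product documentation.
              -->
              <xs:element name="insecure">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:boolean">
                      <xs:attribute default="For HTTPS connections, the connector verifies the server's TLS certificate. This option allows disabling that verification." name="description" type="xs:string"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
              <xs:element type="xs:string" name="method"/>
              <xs:element name="processURL">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:boolean">
                      <xs:attribute default="This flag indicates whether to process URLs to replace + with %20." name="description" type="xs:string"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
              <xs:element name="retryStrategy">
                <xs:complexType>
                  <xs:sequence>
                    <!-- Declared with an empty sequence; the JSON form lists factor, millis and type as its properties. -->
                    <xs:element name="interval">
                      <xs:complexType>
                        <xs:sequence></xs:sequence>
                        <xs:attribute name="description" default="The delay between retry attempts. The type of the interval can be either of `fixed` or `exponential ` type. A fixed interval will wait for the specified `millis` (ms) before retrying, while an exponential interval will increase the waiting time between retries exponentially by the specified `factor` after each failure." type="xs:string"/>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="maxRetries">
                      <xs:complexType>
                        <xs:simpleContent>
                          <xs:extension base="xs:integer">
                            <xs:attribute default="How many times the HttpClient will retry the failed requests" name="description" type="xs:string"/>
                          </xs:extension>
                        </xs:simpleContent>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="maxTimeForRetries">
                      <xs:complexType>
                        <xs:sequence>
                          <xs:element type="xs:integer" name="millis"/>
                        </xs:sequence>
                        <xs:attribute name="description" default="The maximum time allowed for an attribute to be retrieved with the retries included." type="xs:string"/>
                      </xs:complexType>
                    </xs:element>
                  </xs:sequence>
                  <xs:attribute name="description" default="The retry strategy that will be followed for the failed http requests" type="xs:string"/>
                </xs:complexType>
              </xs:element>
              <xs:element maxOccurs="unbounded" name="retryableExceptions">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element type="xs:string" name="messageOfExceptionContains"/>
                    <xs:element type="xs:string" name="typeOfException"/>
                  </xs:sequence>
                </xs:complexType>
              </xs:element>
              <xs:element maxOccurs="unbounded" type="xs:integer" name="retryableHttpCodes"/>
              <!-- Target service URL; the {0}-style placeholders are filled from connectionKeys per the JSON form's description. -->
              <xs:element name="url">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:string">
                      <xs:attribute default="The URL of the target service. It can be static e.g. https://xacml.apispark.net/v1/users or have dynamic parts e.g. https://xacml.apispark.net/v1/users/{0}. URLs must be encoded." name="description" type="xs:string"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
              <!-- Deprecated: per the description, true makes the connector throw; kept only for backwards compatibility. -->
              <xs:element name="useWindowsAuthentication">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:boolean">
                      <xs:attribute default="This flag is deprecated, and when is set to true an exception is thrown. It has been kept for backwards compatibility. On older versions this flag indicated whether the HTTP client should rely on NTLM auth. This was useful for .NET web services that needed a service account and when the service account run Tomcat." name="description" type="xs:string"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <!--
          Security: when true, exceptions carry the full request and response
          (see the description). With authentication or headers configured,
          that text may include credentials or tokens, so anything that stores
          or forwards these exceptions (logs, error reports) needs the same
          protection as the secrets themselves.
        -->
        <xs:element name="detailedException">
          <xs:complexType>
            <xs:simpleContent>
              <xs:extension base="xs:boolean">
                <xs:attribute default="If true, when a non expected HTTP code is received, the exception will contain full request and response which might contain sensitive information." name="description" type="xs:string"/>
              </xs:extension>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        <xs:element name="identifier">
          <xs:complexType>
            <xs:simpleContent>
              <xs:extension base="xs:string">
                <xs:attribute default="The globally unique identifier for this configuration. The identifier is used to generate unique identifiers for the mappings. Each mapping must have a globally unique deterministic identifier for attribute caching to work correctly." name="description" type="xs:string"/>
              </xs:extension>
            </xs:simpleContent>
          </xs:complexType>
        </xs:element>
        <!-- One entry per attribute to retrieve through the connection above. -->
        <xs:element maxOccurs="unbounded" name="mappings">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="attributeName">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:string">
                      <xs:attribute default="The attribute name to be mapped to the full attribute definition from the dictionary. It is the recommended way to define an attribute. Alternatively, xacmlAttribute can be used." name="description" type="xs:string"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
              <xs:element name="contentType">
                <xs:complexType>
                  <xs:simpleContent>
                    <xs:extension base="xs:string">
                      <xs:attribute default="This is a string which represents the content type of the message being sent in the case of a POST request. This element is optional. If the payload is JSON, then the value is application/json. If the payload is XML, then the value is text/xml. Check with the administrator of the target service for the correct value (if any)." name="description" type="xs:string"/>
                    </xs:extension>
                  </xs:simpleContent>
                </xs:complexType>
              </xs:element>
              <xs:element name="template">
                <xs:complexType>
                  <xs:sequence>
                    <xs:element name="classpath">
                      <xs:complexType>
                        <xs:simpleContent>
                          <xs:extension base="xs:boolean">
                            <xs:attribute default="This flag indicates whether the template is to be read from the classpath or from the filesystem" name="description" type="xs:string"/>
                          </xs:extension>
                        </xs:simpleContent>
                      </xs:complexType>
                    </xs:element>
                    <xs:element name="payload">
                      <xs:complexType>
                        <xs:simpleContent>
                          <xs:extension base="xs:boolean">
                            <xs:attribute default="This flag indicates whether the template points to a file or contains the actual content of the payload. If this attribute is set to true, then the classpath attribute is irrelevant." name="description" type="xs:string"/>
                          </xs:extension>
                        </xs:simpleContent>
                      </xs:complexType>
                    </xs:element>
                    <xs:element type="xs:string" name="value"/>
                  </xs:sequence>
                  <xs:attribute name="description" default="The path to the resource containing the template message e.g. /messages/template.json. It is optional if the request doesn't contain a payload (e.g. a GET request)." type="xs:string"/>
                </xs:complexType>
              </xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>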
table.config.json
{
"$schema" : "https://json-schema.org/draft/2020-12/schema",
"$defs" : {
"KeyType" : {
"type" : "object",
"properties" : {
"attributeName" : {
"type" : "string",
"description" : "The attribute name to be mapped to the full attribute definition from the dictionary. It is the recommended way to define an attribute. Alternatively, xacmlAttribute can be used."
},
"xacmlAttribute" : {
"$ref" : "#/$defs/NamedAttribute"
}
}
},
"KeystoreType" : {
"type" : "object",
"properties" : {
"file" : {
"type" : "string"
},
"password" : {
"type" : "string"
},
"type" : {
"type" : "string"
}
},
"required" : [ "file" ]
},
"NamedAttribute" : {
"type" : "object",
"properties" : {
"attributeId" : {
"type" : "string"
},
"category" : {
"type" : "string"
},
"datatype" : {
"type" : "string"
},
"issuer" : {
"type" : "string"
}
}
}
},
"type" : "object",
"properties" : {
"connection" : {
"type" : "object",
"properties" : {
"acceptedHttpCodes" : {
"type" : "array",
"items" : {
"type" : "integer"
}
},
"authentication" : {
"type" : "object",
"properties" : {
"authenticationMode" : {
"type" : "string",
"description" : "This parameter indicates the type of authentication we are dealing with such as 'Basic', 'Bearer' or 'OAuth2'."
},
"clientId" : {
"type" : "string"
},
"clientSecret" : {
"type" : "string"
},
"domain" : {
"type" : "string"
},
"fetchAuthTokenEagerly" : {
"type" : "boolean"
},
"password" : {
"type" : "string"
},
"scope" : {
"type" : "string"
},
"token" : {
"type" : "string"
},
"tokenServiceAuthenticationMode" : {
"type" : "string",
"description" : "When the authentication mode requires retrieving tokens from a token server, this parameter indicates the type of authentication used to contact the server. This attribute is optional, and it defaults to 'Basic'."
},
"tokenUrl" : {
"type" : "string"
},
"username" : {
"type" : "string"
}
},
"required" : [ "authenticationMode" ]
},
"connectionKeys" : {
"description" : "There must be as many keys as there are different placeholders in the URL. Each key is used as a value for the URL. For instance userid could be a key and its value, 33cd91c1-4e71-11e6-898d-f1931def5a85, would be used to form https://xacml.apispark.net/v1/users/33cd91c1-4e71-11e6-898d-f1931def5a85",
"type" : "array",
"items" : {
"$ref" : "#/$defs/KeyType"
}
},
"headers" : {
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"headerKey" : {
"$ref" : "#/$defs/KeyType"
},
"name" : {
"type" : "string",
"description" : "The value for the header comes from either a static value element or from a XACML attribute"
},
"value" : {
"type" : "string"
}
},
"required" : [ "name" ]
}
},
"ignoredHttpCodes" : {
"type" : "array",
"items" : {
"type" : "integer"
}
},
"insecure" : {
"type" : "boolean",
"description" : "For HTTPS connections, the connector verifies the server's TLS certificate. This option allows disabling that verification."
},
"keystore" : {
"$ref" : "#/$defs/KeystoreType"
},
"method" : {
"type" : "string"
},
"processURL" : {
"type" : "boolean",
"description" : "This flag indicates whether to process URLs to replace + with %20."
},
"retryStrategy" : {
"type" : "object",
"properties" : {
"interval" : {
"type" : "object",
"properties" : {
"factor" : {
"type" : "integer"
},
"millis" : {
"type" : "integer"
},
"type" : {
"type" : "string"
}
},
"description" : "The delay between retry attempts. The interval type can be either `fixed` or `exponential`. A fixed interval waits for the specified `millis` (ms) before retrying, while an exponential interval increases the waiting time between retries exponentially by the specified `factor` after each failure."
},
"maxRetries" : {
"type" : "integer",
"description" : "How many times the HttpClient will retry the failed requests"
},
"maxTimeForRetries" : {
"type" : "object",
"properties" : {
"millis" : {
"type" : "integer"
}
},
"description" : "The maximum time allowed for an attribute to be retrieved with the retries included."
}
},
"required" : [ "interval" ],
"description" : "The retry strategy that will be followed for the failed http requests"
},
"retryableExceptions" : {
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"messageOfExceptionContains" : {
"type" : "string"
},
"typeOfException" : {
"type" : "string"
}
},
"required" : [ "typeOfException" ]
}
},
"retryableHttpCodes" : {
"type" : "array",
"items" : {
"type" : "integer"
}
},
"truststore" : {
"$ref" : "#/$defs/KeystoreType"
},
"url" : {
"type" : "string",
"description" : "The URL of the target service. It can be static e.g. https://xacml.apispark.net/v1/users or have dynamic parts e.g. https://xacml.apispark.net/v1/users/{0}. URLs must be encoded."
},
"useWindowsAuthentication" : {
"type" : "boolean",
"description" : "This flag is deprecated, and when it is set to true an exception is thrown. It has been kept for backwards compatibility. In older versions this flag indicated whether the HTTP client should rely on NTLM auth. This was useful for .NET web services that needed a service account and when the service account ran Tomcat."
}
},
"required" : [ "method", "url" ]
},
"detailedException" : {
"type" : "boolean",
"description" : "If true, when an unexpected HTTP code is received, the exception will contain the full request and response, which might contain sensitive information."
},
"identifier" : {
"type" : "string",
"description" : "The globally unique identifier for this configuration. The identifier is used to generate unique identifiers for the mappings. Each mapping must have a globally unique deterministic identifier for attribute caching to work correctly."
},
"mappings" : {
"type" : "array",
"items" : {
"type" : "object",
"properties" : {
"attributeName" : {
"type" : "string",
"description" : "The attribute name to be mapped to the full attribute definition from the dictionary. It is the recommended way to define an attribute. Alternatively, xacmlAttribute can be used."
},
"contentType" : {
"type" : "string",
"description" : "This is a string which represents the content type of the message being sent in the case of a POST request. This element is optional. If the payload is JSON, then the value is application/json. If the payload is XML, then the value is text/xml. Check with the administrator of the target service for the correct value (if any)."
},
"keys" : {
"type" : "array",
"items" : {
"$ref" : "#/$defs/KeyType"
}
},
"template" : {
"type" : "object",
"properties" : {
"classpath" : {
"type" : "boolean",
"description" : "This flag indicates whether the template is to be read from the classpath or from the filesystem"
},
"payload" : {
"type" : "boolean",
"description" : "This flag indicates whether the template points to a file or contains the actual content of the payload. If this attribute is set to true, then the classpath attribute is irrelevant."
},
"value" : {
"type" : "string"
}
},
"description" : "The path to the resource containing the template message e.g. /messages/template.json. It is optional if the request doesn't contain a payload (e.g. a GET request)."
},
"xacmlAttribute" : {
"$ref" : "#/$defs/NamedAttribute",
"description" : "This is the XACML attribute the PDP is looking for e.g. a user's department or a placeholder attribute e.g. pip.payload that will be later parsed by the Parser Attribute Finder."
}
}
}
}
},
"required" : [ "connection", "identifier", "mappings" ]
}