XACML Response validation
Once the XACML Request described in the previous section has been created, it must be dispatched to the PDP (as covered in the next few sections). The PDP evaluates the Request, and constructs a XACML Response and returns it to the client.
The PDP can return a decision of Permit, Deny, NotApplicable or Indeterminate. Access is allowed only if the decision of the PDP is Permit. For any other decision, the PEP will throw a CXF AccessDeniedException. The PDP can also return an Obligations Element that is defined in the relevant policy as part of the request. The PEP is supposed to only grant access on a Permit decision if it can satisfy all Obligations. The TESB PEP does not support Obligations by default, but does have a pluggable way of handling an Obligations element if required.
An example of a XACML response is given below.
<Response
xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
<Result>
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>
</Response>