Merge branch 'release/5.0.0'

authzforce · Feb 8, 2022 · f496ddf · f496ddf
2 parents 93c1116 + 7970496
commit f496ddf
Show file tree

Hide file tree

Showing 22 changed files with 188 additions and 63 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,45 @@ All notable changes to this project are documented in this file following the [K
 Issues reported on [GitHub](https://github.com/authzforce/core/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
 
 
+## 5.0.0
+### Changed
+- **PDP configuration XML schema changed: follow [AuthzForce Core migration instructions](https://github.com/authzforce/core/blob/develop/MIGRATION.md#migration-from-version-17x-to-18x) to migrate your old PDP configuration(s) (`pdp.xml`) to the new schema.**
+  - Target namespace changed to `http://authzforce.github.io/core/xmlns/pdp/8`
+  - `useStandardDatatypes` replaced with `standardDatatypesEnabled`;
+  - `useStandardFunctions` replaced with `standardFunctionsEnabled`
+  - `useStandardCombiningAlgorithms` replaced with `standardCombiningAlgorithmsEnabled`
+  - `enableXPath` replaced with `xPathEnabled`
+  - `standardEnvAttributeSource` replaced with `standardAttributeProvidersEnabled` and new `attributeProvider` type `StdEnvAttributeProviderDescriptor`. More info in [AuthzForce Core README](https://github.com/authzforce/core#providing-current-datetime-current-date-and-current-time-attributes).
+  - `pdp/@version` attribute changed from required to optional with default value `8.1`
+- Parent project `authzforce-ce-parent` upgraded to 8.2.1:
+- Dependencies upgraded:
+    - `authzforce-ce-core-pdp-engine`/`authzforce-ce-core-pdp-io-xacml-json`: 19.0.0
+    - `authzforce-ce-core-pdp-api`: 20.0.0
+    - `authzforce-ce-jaxrs-utils`: 2.0.3
+    - `authzforce-ce-xacml-json-model`: 3.0.4
+    - Saxon-HE: 10.6
+    - Guava: 31.0
+    - Apache CXF: 3.5.0
+    - Spring Boot: 2.6.3
+    - Spring Core: 5.2.14
+    - SLF4J: 1.7.32
+    - `jaxb2-basics-runtime`: 0.12.0
+    - `javax.mail`: 1.6.2
+    - `tomcat-embed-core`: 9.0.58
+
+- API changes:
+
+    -  For better support of XACML standard Multiple Decision Profile, request evaluation methods of the following PDP extensions now take an extra optional parameter (`Optional<EvaluationContext>`) for the Multiple Decision Request context: `CombiningAlg`, `Function`, `NamedAttributeProvider`, `PolicyProvider`.
+
+### Added
+- XACML JSON Profile feature: support for JSON Objects in XACML/JSON Attribute Values (linked to issue authzforce/server#61 ), allowing for complex structures (JSON objects) as data types
+- Support for `<VariableReference>` equivalent in `<Target>`/`<Match>` elements: this feature is a workaround for a limitation in XACML schema which is not allowing Variables (`<VariableReference>`) in `Match` elements; i.e. the feature allows policy writers to use an equivalent of `<VariableReference>`s in `<Match>` elements (without changing the XACML schema) through a special kind of `<AttributeDesignator>` (in a specific `Category`, and `AttributeId` is used as `VariableId`). More info in [AuthzForce Core README](https://github.com/authzforce/core#using-variables-variablereference-in-targetmatch).
+
+### Fixed
+- Loading XACML/JSON schemas offline (linked to issue authzforce/server#64)
+- CVE-2021-22118, CVE-2021-22696 and CVE-2021-3046
+
+
 ## 4.0.1
 ### Fixed
 - Dockerfile

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -19,10 +19,11 @@
 1. Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/
 1. Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with `jgitflow:release-finish`
 1. Click the Release button to release to Maven Central.
-1. Build the Docker image
+1. Build and publish the Docker image to Docker Hub
    ```shell
    $ docker build -t authzforce/restful-pdp:${project.version} .
-   $ docker push
+   $ docker login
+   $ docker push authzforce/restful-pdp:${project.version}
    ```
 
 More info on jgitflow: http://jgitflow.bitbucket.org/
diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@ See [AuthzForce Core features](https://github.com/authzforce/core#features) for
 See [AuthzForce Core limitations](https://github.com/authzforce/core#limitations).
 
 ## System requirements
-Java (JRE) 8 or later.
+Java (JRE) 11 or later.
 
 
 ## Versions
@@ -39,7 +39,7 @@ See the [change log](CHANGELOG.md) following the *Keep a CHANGELOG* [conventions
 See the [license file](LICENSE).
 
 ## Getting started
-Get the [latest executable jar](http://central.maven.org/maven2/org/ow2/authzforce/authzforce-ce-restful-pdp-cxf-spring-boot-server/) from Maven Central with groupId/artifactId = `org.ow2.authzforce`/`authzforce-ce-restful-pdp-cxf-spring-boot-server`. 
+Get the [latest executable jar](https://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-restful-pdp-cxf-spring-boot-server/) from Maven Central with groupId/artifactId = `org.ow2.authzforce`/`authzforce-ce-restful-pdp-cxf-spring-boot-server`. The name of the JAR is `authzforce-ce-restful-pdp-cxf-spring-boot-server-M.m.p.jar` (replace `M.m.p` with the latest version).
 
 Make sure it is executable (replace `M.m.p` with the current version):
 
@@ -84,6 +84,39 @@ In order to use them, put the extension JAR(s) into an `extensions` folder in th
 $ java -Dloader.path=extensions -jar authzforce-ce-restful-pdp-cxf-spring-boot-server-M.m.p.jar
 ```
 
+### Example with MongoDBPolicyProvider extension
+To use the Policy Provider for policies stored in MongoDB, please make sure the JAR with the MongoDB policy provider, i.e. the `authzforce-ce-core-pdp-testutils` module (in the **same version** as `authzforce-ce-core-pdp-engine` that is already included in AuthzForce RESTful PDP) is on the classpath, eg. in the *extensions* folder mentioned above, with *and all its required dependencies*. The main dependencies (looking at the pom of `pdp-testutils` module) in Maven terms are:
+
+```xml
+<dependency>
+         <groupId>org.jongo</groupId>
+         <artifactId>jongo</artifactId>
+	 <!-- Set the version to whatever version is specified in authzforce-ce-core-pdp-testutils Maven POM.  -->
+         <version>${jongo.version}</version>
+</dependency>
+<dependency>
+         <groupId>org.mongodb</groupId>
+         <artifactId>mongo-java-driver</artifactId>
+	<!-- Set the version to whatever version is specified in authzforce-ce-core-pdp-testutils Maven POM. -->
+         <version>${mongo-java-driver.version}</version>
+</dependency>
+```
+
+These dependencies have dependencies as well, so make sure to include them all, if not already on the classpath. (There is a way to assemble all jars in a dependency tree automatically with Maven.)
+
+Then do steps 2 to 4 of [Using Policy Providers](https://github.com/authzforce/core/wiki/Policy-Providers#using-policy-providers), that is to say:
+1. Add this import to PDP extensions schema (`pdp-ext.xsd`) to allow using the extension(s) from the `authzforce-ce-core-pdp-testutils` module in PDP configuration:
+    ```xml
+    <xs:import namespace="http://authzforce.github.io/core/xmlns/test/3" />
+    ```
+1. Add an entry to the XML catalog (`catalog.xml`) to locate the schema corresponding to this namespace:
+    ```xml
+    <uri name="http://authzforce.github.io/core/xmlns/test/3" uri="classpath:org.ow2.authzforce.core.pdp.testutil.ext.xsd" />
+    ```
+1. Add the `policyProvider` element to the PDP configuration (`pdp.xml`), using the new namespace above, like in [this example](https://github.com/authzforce/core/blob/master/pdp-testutils/src/test/resources/org/ow2/authzforce/core/pdp/testutil/test/pdp.xml) (follow the link).
+
+[More info](https://github.com/authzforce/core/wiki/Policy-Providers#more-info-on-the-mongodbpolicyprovider).
+
 ## Vulnerability reporting
 If you want to report a vulnerability, you must do so on the [OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/restful-pdp/issues) and when creating the issue, check the box labeled **"This issue is confidential and should only be visible to team members with at least Reporter access"**. Then, if the AuthzForce team can confirm it, they will make it public and set a fix version.
 

diff --git a/cxf-spring-boot-server/Dockerfile b/cxf-spring-boot-server/Dockerfile
@@ -12,7 +12,7 @@ VOLUME /tmp
 RUN addgroup --system spring && adduser --system --home /home/spring --ingroup spring --disabled-password spring
 USER spring:spring
 WORKDIR /home/spring
-ARG JAR_FILE=target/*-4.0.1.jar
+ARG JAR_FILE=target/*-5.0.0.jar
 COPY ${JAR_FILE} /app.jar
 # COPY extensions /extensions
 

diff --git a/cxf-spring-boot-server/pom.xml b/cxf-spring-boot-server/pom.xml
@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-restful-pdp</artifactId>
-		<version>4.0.1</version>
+		<version>5.0.0</version>
 	</parent>
 	<artifactId>authzforce-ce-restful-pdp-cxf-spring-boot-server</artifactId>
 	<name>${project.groupId}:${project.artifactId}</name>
@@ -17,14 +17,36 @@
 		<url>${git.url.base}/restful-pdp/cxf-spring-boot-server</url>
 	</scm>
 	<properties>
-		<!-- FIX: cxf-spring-boot-starter-jaxrs depends indirectly on tomcat-embed-core:9.0.39 affected by CVE-2020-17527 -->
-		<tomcat-version>9.0.41</tomcat-version>
+		<tomcat-version>9.0.58</tomcat-version>
 	</properties>
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-dependencies</artifactId>
+				<!-- Override Spring Boot v2.6.1 - used by cxf-spring-boot-starter-jaxrs:3.5.0 - which depends on Spring Core 5.3.14 which has 1 vulnerability. -->
+				<version>${spring-boot-starter.version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+				<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json; same issue with json-path -->
+				<exclusions>
+					<exclusion>
+						<groupId>org.skyscreamer</groupId>
+						<artifactId>jsonassert</artifactId>
+					</exclusion>
+					<exclusion>
+						<groupId>com.jayway.jsonpath</groupId>
+						<artifactId>json-path</artifactId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
 	<dependencies>
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-restful-pdp-jaxrs</artifactId>
-			<version>4.0.1</version>
+			<version>5.0.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.cxf</groupId>

diff --git a/...er/src/main/java/org/ow2/authzforce/rest/pdp/cxf/springboot/CxfJaxrsPdpSpringBootApp.java b/...er/src/main/java/org/ow2/authzforce/rest/pdp/cxf/springboot/CxfJaxrsPdpSpringBootApp.java
@@ -1,5 +1,5 @@
-/**
- * Copyright (C) 2012-2021 THALES.
+/*
+ * Copyright (C) 2012-2022 THALES.
  *
  * This file is part of AuthzForce CE.
  *

diff --git a/cxf-spring-boot-server/src/main/resources/pdp.xml b/cxf-spring-boot-server/src/main/resources/pdp.xml
@@ -1,8 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <pdp
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="http://authzforce.github.io/core/xmlns/pdp/7"
-	version="7.1" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
+	xmlns="http://authzforce.github.io/core/xmlns/pdp/8" maxVariableRefDepth="10" maxPolicyRefDepth="10">
 	<policyProvider
 		id="rootPolicyProvider"
 		xsi:type="StaticPolicyProvider">

diff --git a/.../test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java b/.../test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java
@@ -1,5 +1,5 @@
-/**
- * Copyright (C) 2012-2021 THALES.
+/*
+ * Copyright (C) 2012-2022 THALES.
  *
  * This file is part of AuthzForce CE.
  *

diff --git a/cxf-spring-boot-server/src/test/resources/server/pdp.xml b/cxf-spring-boot-server/src/test/resources/server/pdp.xml
@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1" maxVariableRefDepth="10" maxPolicyRefDepth="10"
-	strictAttributeIssuerMatch="false">
+<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/8" maxVariableRefDepth="10" maxPolicyRefDepth="10">
 	<!-- You may customize this PDP configuration except 'rootPolicyProvider' element. -->
 	<policyProvider id="rootPolicyProvider" xsi:type="StaticPolicyProvider">
 		<policyLocation>${PARENT_DIR}/IIA001/Policy.xml</policyLocation>
@@ -10,7 +9,8 @@
 		<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax</requestPreproc>
 	</ioProcChain>
 	<ioProcChain>
+		<!-- Replace requestPreproc value with "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:multiple:repeated-attribute-categories-lax"  for Multiple Decision Profile support. -->
 		<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc>
 		<resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc>
 	</ioProcChain>
-</pdp>
+</pdp>
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -6,7 +6,7 @@ services:
   pdp:
     # depends_on:
     #  - iam
-    image: authzforce/restful-pdp:4.0.1
+    image: authzforce/restful-pdp:5.0.0
 
     ports:
      - "8080:8080"

diff --git a/docker/pdp/conf/pdp.xml b/docker/pdp/conf/pdp.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1" maxVariableRefDepth="10" maxPolicyRefDepth="10"
+<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/8" version="8.1" maxVariableRefDepth="10" maxPolicyRefDepth="10"
 	strictAttributeIssuerMatch="false">
 	<!-- You may customize this PDP configuration except 'rootPolicyProvider' element. -->
 	<policyProvider id="rootPolicyProvider" xsi:type="StaticPolicyProvider">

diff --git a/jaxrs/pom.xml b/jaxrs/pom.xml
@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-restful-pdp</artifactId>
-		<version>4.0.1</version>
+		<version>5.0.0</version>
 	</parent>
 	<artifactId>authzforce-ce-restful-pdp-jaxrs</artifactId>
 	<name>${project.groupId}:${project.artifactId}</name>
@@ -17,7 +17,7 @@
 		<url>${git.url.base}/restful-pdp/jaxrs</url>
 	</scm>
 	<properties>
-		<authzforce-ce-core.version>17.0.0</authzforce-ce-core.version>
+		<authzforce-ce-core.version>19.0.0</authzforce-ce-core.version>
 	</properties>
 	<dependencies>
 		<dependency>
@@ -33,12 +33,18 @@
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-jaxrs-utils</artifactId>
-			<version>2.0.0</version>
+			<version>2.0.3</version>
+		</dependency>
+		<dependency>
+			<groupId>org.ow2.authzforce</groupId>
+			<artifactId>authzforce-ce-core-pdp-testutils</artifactId>
+			<version>${authzforce-ce-core.version}</version>
+			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.testng</groupId>
 			<artifactId>testng</artifactId>
-			<version>6.11</version>
+			<version>6.14.3</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>

diff --git a/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/PdpBundle.java b/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/PdpBundle.java
@@ -1,5 +1,5 @@
-/**
- * Copyright 2012-2021 THALES.
+/*
+ * Copyright 2012-2022 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -17,18 +17,12 @@
  */
 package org.ow2.authzforce.rest.pdp.jaxrs;
 
-import java.io.IOException;
-import java.util.Map;
-import java.util.Map.Entry;
-
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.Request;
 import oasis.names.tc.xacml._3_0.core.schema.wd_17.Response;
-
 import org.json.JSONObject;
 import org.ow2.authzforce.core.pdp.api.CloseablePdpEngine;
 import org.ow2.authzforce.core.pdp.api.DecisionRequestPreprocessor;
 import org.ow2.authzforce.core.pdp.api.DecisionResultPostprocessor;
-import org.ow2.authzforce.core.pdp.api.XmlUtils;
 import org.ow2.authzforce.core.pdp.api.io.BaseXacmlJaxbResultPostprocessor;
 import org.ow2.authzforce.core.pdp.api.io.PdpEngineInoutAdapter;
 import org.ow2.authzforce.core.pdp.api.value.AttributeValueFactoryRegistry;
@@ -39,6 +33,10 @@
 import org.ow2.authzforce.core.pdp.io.xacml.json.BaseXacmlJsonResultPostprocessor;
 import org.ow2.authzforce.core.pdp.io.xacml.json.SingleDecisionXacmlJsonRequestPreprocessor;
 
+import java.io.IOException;
+import java.util.Map;
+import java.util.Map.Entry;
+
 /**
  * Bundle containing the PDP engine with associated adapters
  *
@@ -73,12 +71,12 @@ public PdpBundle(final PdpEngineConfiguration pdpConf, final boolean enableXacml
 		final int clientReqErrVerbosityLevel = pdpConf.getClientRequestErrorVerbosityLevel();
 		final AttributeValueFactoryRegistry attValFactoryRegistry = pdpConf.getAttributeValueFactoryRegistry();
 		final boolean isStrictAttIssuerMatchEnabled = pdpConf.isStrictAttributeIssuerMatchEnabled();
-		final boolean isXpathEnabled = pdpConf.isXpathEnabled();
+		final boolean isXpathEnabled = pdpConf.isXPathEnabled();
 
-		this.xacmlJaxbIoAdapter = PdpEngineAdapters.newInoutAdapter(Request.class, Response.class, engine, ioProcChains, extraPdpFeatures -> SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled, XmlUtils.SAXON_PROCESSOR,
+		this.xacmlJaxbIoAdapter = PdpEngineAdapters.newInoutAdapter(Request.class, Response.class, engine, ioProcChains, extraPdpFeatures -> SingleDecisionXacmlJaxbRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled,
 				extraPdpFeatures), () -> new BaseXacmlJaxbResultPostprocessor(clientReqErrVerbosityLevel));
 
-		this.xacmlJsonIoAdapter = enableXacmlJsonProfile ? PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, engine, ioProcChains, extraPdpFeatures -> SingleDecisionXacmlJsonRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled, XmlUtils.SAXON_PROCESSOR,
+		this.xacmlJsonIoAdapter = enableXacmlJsonProfile ? PdpEngineAdapters.newInoutAdapter(JSONObject.class, JSONObject.class, engine, ioProcChains, extraPdpFeatures -> SingleDecisionXacmlJsonRequestPreprocessor.LaxVariantFactory.INSTANCE.getInstance(attValFactoryRegistry, isStrictAttIssuerMatchEnabled, isXpathEnabled,
 				extraPdpFeatures), () -> new BaseXacmlJsonResultPostprocessor(clientReqErrVerbosityLevel)) : null;
 	}
 

diff --git a/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/XacmlPdpResource.java b/jaxrs/src/main/java/org/ow2/authzforce/rest/pdp/jaxrs/XacmlPdpResource.java
@@ -1,5 +1,5 @@
-/**
- * Copyright 2012-2021 THALES.
+/*
+ * Copyright 2012-2022 THALES.
  *
  * This file is part of AuthzForce CE.
  *

diff --git a/jaxrs/src/test/java/org/ow2/authzforce/rest/pdp/jaxrs/test/XacmlRestProfileJaxRsTest.java b/jaxrs/src/test/java/org/ow2/authzforce/rest/pdp/jaxrs/test/XacmlRestProfileJaxRsTest.java
@@ -1,5 +1,5 @@
-/**
- * Copyright 2012-2021 THALES.
+/*
+ * Copyright 2012-2022 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -29,12 +29,8 @@
 import org.ow2.authzforce.xacml.json.model.LimitsCheckingJSONObject;
 import org.ow2.authzforce.xacml.json.model.XacmlJsonUtils;
 import org.testng.Assert;
-import org.testng.annotations.AfterClass;
-import org.testng.annotations.BeforeClass;
-import org.testng.annotations.Test;
+import org.testng.annotations.*;
 
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.FileReader;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -63,9 +59,9 @@ public class XacmlRestProfileJaxRsTest
 
 	private static Server server;
 
-	private static void startServer() throws Exception
+	private static void startServer(String pdpConfigLocation) throws Exception
 	{
-		final PdpEngineConfiguration pdpConf = PdpEngineConfiguration.getInstance("src/test/resources/pdp.xml");
+		final PdpEngineConfiguration pdpConf = PdpEngineConfiguration.getInstance(pdpConfigLocation, "src/test/resources/catalog.xml", "src/test/resources/pdp-ext.xsd");
 		/*
 		 * See also http://cxf.apache.org/docs/secure-jax-rs-services.html
 		 */
@@ -83,10 +79,11 @@ private static void startServer() throws Exception
 		server = sf.create();
 	}
 
+	@Parameters("pdp_config_location")
 	@BeforeClass
-	public static void initialize() throws Exception
+	public static void initialize(@Optional("src/test/resources/pdp.xml") String pdpConfigLocation) throws Exception
 	{
-		startServer();
+		startServer(pdpConfigLocation);
 	}
 
 	@AfterClass

diff --git a/jaxrs/src/test/resources/GH-9/pdp.xml b/jaxrs/src/test/resources/GH-9/pdp.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	 xmlns="http://authzforce.github.io/core/xmlns/pdp/8"
+	 xmlns:ext="http://authzforce.github.io/core/xmlns/test/3" version="8.1">
+	<policyProvider id="refPolicyProvider" xsi:type="ext:MongoDBBasedPolicyProviderDescriptor" serverHost="localhost" serverPort="27017" dbName="test" collectionName="policies" />
+	<rootPolicyRef>root</rootPolicyRef>
+</pdp>
+