The XACML 2.0 specification is not clear about how to handle abandoned evaluatables.
Therefor we added the possibility to configure this behavior in our XACML Core component.
What are abandoned evaluatables?
Consider the following scenario:
A PDP has deployed three policies: A, B and C.
The root combining algorithm of the PDP is deny-overrides.
When the evaluation starts and the first policy (A) returns a "deny", then the decision is made. In such a case it would be possible that B and C needn't to be evaluated.
But what if B and C contain deny-obligations? These should be caught as well.
The XACML 2.0 specification is not clear about this and therefore it can be chosen how the evaluation engine shall behave.
How to configure the PDP?
The SimplePDPFactory has various methods to get a PDP instance. Some of these methods can be fed with a flag (respectAbandonedEvaluatables) to tell the factory that the PDP that is returned must respect abandoned evaluatables.