Resource filtering with XACML Multiple Decision Profile

Resource filtering is one of the useful and powerful features that comes with XACML. It becomes much more practical with XACML 3.0 thanks to the Multiple Decision Profile (MDP). With the MDP, the PEP can ask the PDP for authorization decisions on several resources in a single request; the PDP answers with an individual result for each resource, and the PEP simply keeps the resources whose decision is Permit. Let's try the filtering sample with WSO2 Balana, from svn or from a snapshot Balana distribution from here.

A web page can contain various kinds of static content. Let's assume the page contains several static images. Not every user is authorized to view every image: there is a specific permission for each image. Therefore, before the page is rendered for a user, an authorization decision must be obtained for each image and the content the user is allowed to see must be filtered dynamically. The authorization rules can be based on the user's attributes or on the roles the user has been assigned.

Let's create the following use case.

1. There is an index.jsp page that can be accessed after the user has logged in to the web application.

2. There are three user groups, called "publicUsers", "internalUsers" and "adminUsers".

3. publicUsers are users who have registered to view the content of the web site. They are only allowed to see view.gif and help.gif.

4. internalUsers are the internal users of the organization. They are allowed to see everything publicUsers can see, and additionally copy.gif, move.gif and cancel.gif.

5. adminUsers are the internal admin users of the organization. They can view any image.
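The five rules above, written out as a XACML 3.0 policy. This is an added worked example, not the policy shipped with the original post or with the Balana sample. The PolicyId is made up, and the role attribute id urn:sample:subject:role is an assumption: it has to be whatever attribute id the attribute finder answers for. The policy uses permit-overrides with a final Deny rule, so a user with no known role, or a request for an image not listed, gets an explicit Deny rather than NotApplicable.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:sample:index-jsp-image-filter"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
  <Description>Which .gif images on index.jsp each user group may view</Description>
  <!-- Empty policy target: the policy applies to every request; the rules decide. -->
  <Target/>

  <!-- adminUsers may view any image: the rule has no condition on resource-id. -->
  <Rule RuleId="admin-any-image" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">adminUsers</AttributeValue>
          <!-- urn:sample:subject:role is an assumed attribute id; it must match the id
               the attribute finder resolves roles for. MustBePresent="false" makes a
               user without any role simply not match, instead of Indeterminate. -->
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:sample:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
  </Rule>

  <!-- internalUsers: the two public images plus copy, move and cancel. -->
  <Rule RuleId="internal-images" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">internalUsers</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:sample:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
    <Condition>
      <!-- Under the Multiple Decision Profile each individual request carries exactly
           one resource-id, so string-one-and-only is safe here. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view.gif</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">help.gif</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">copy.gif</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">move.gif</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cancel.gif</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- publicUsers: view.gif and help.gif only. -->
  <Rule RuleId="public-images" Effect="Permit">
    <Target>
      <AnyOf><AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">publicUsers</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              AttributeId="urn:sample:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Match>
      </AllOf></AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
              DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view.gif</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">help.gif</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Everything not permitted above is denied explicitly. -->
  <Rule RuleId="deny-otherwise" Effect="Deny"/>
</Policy>
```

Because the policy never grants anything on the basis of the subject-id alone, the result for a given image depends entirely on the role the attribute finder returns; if the finder cannot resolve a role, every image is denied.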

An attribute finder module is shipped with this sample. In a real deployment this module would call a user store and retrieve the user's attributes, such as role data. The sample attribute finder instead hard-codes a few user names and their corresponding roles, as follows:

bob is assigned to the publicUsers group
alice is assigned to the internalUsers group
peter is assigned to the adminUsers group

You can extend this sample according to your own requirements.
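The PEP side of the profile, as an added example that is not code from the original post or from Balana: it builds the single XACML 3.0 request that carries one resource category per image (the "repeated attribute categories" form of the Multiple Decision Profile) and then keeps only the images whose own Result is Permit. The call to the PDP itself is left to the caller; the two responses embedded below are constructed by hand to show the shape an MDP-enabled PDP returns for bob, and the shape a PDP without the profile returns. The action value "view" and the user names are assumptions.

```python
"""PEP-side helper for XACML 3.0 Multiple Decision Profile resource filtering.

Added example, not from the original post or from Balana. Builds one request
with several resource categories and filters the per-resource results.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def _add_attributes(request, category, attr_id, value, include_in_result):
    """Append one <Attributes> element holding a single string attribute."""
    attrs = ET.SubElement(request, f"{{{XACML_NS}}}Attributes", Category=category)
    attr = ET.SubElement(attrs, f"{{{XACML_NS}}}Attribute", AttributeId=attr_id,
                         IncludeInResult="true" if include_in_result else "false")
    ET.SubElement(attr, f"{{{XACML_NS}}}AttributeValue", DataType=STRING).text = value


def build_mdp_request(user, action, resources):
    """Serialise one <Request> with a separate resource category per image.

    An MDP-enabled PDP splits the repeated resource categories into one
    individual request per image and answers with one <Result> each.
    CombinedDecision="false" asks for those individual results rather than a
    single merged decision, and IncludeInResult="true" on resource-id makes
    every <Result> echo the image it applies to, so the PEP can map results
    back to images.
    """
    ET.register_namespace("", XACML_NS)
    req = ET.Element(f"{{{XACML_NS}}}Request",
                     CombinedDecision="false", ReturnPolicyIdList="false")
    _add_attributes(req, CAT_SUBJECT, SUBJECT_ID, user, False)
    _add_attributes(req, CAT_ACTION, ACTION_ID, action, False)
    for image in resources:
        _add_attributes(req, CAT_RESOURCE, RESOURCE_ID, image, True)
    return ET.tostring(req, encoding="unicode")


def permitted_resources(response_xml, requested):
    """Return the requested images whose own <Result> says Permit.

    Fails closed instead of guessing: a response without one result per
    image (typically a single merged result from a PDP that does not apply
    the profile), or a result that does not echo resource-id, is rejected.
    """
    root = ET.fromstring(response_xml)
    results = root.findall("x:Result", NS)
    if len(results) != len(requested):
        raise ValueError(f"expected {len(requested)} results, got {len(results)}; "
                         "is the multiple decision profile enabled on the PDP?")
    path = (f"x:Attributes[@Category='{CAT_RESOURCE}']/"
            f"x:Attribute[@AttributeId='{RESOURCE_ID}']/x:AttributeValue")
    permitted = set()
    for result in results:
        ids = [v.text for v in result.findall(path, NS)]
        if len(ids) != 1:
            raise ValueError("result does not identify exactly one resource")
        if result.findtext("x:Decision", namespaces=NS) == "Permit":
            permitted.add(ids[0])
    # Keep the page's own order so the filtered list renders predictably.
    return [r for r in requested if r in permitted]


def _result(decision, image):
    return (f'  <Result>\n    <Decision>{decision}</Decision>\n'
            f'    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>\n'
            f'    <Attributes Category="{CAT_RESOURCE}">\n'
            f'      <Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="true">\n'
            f'        <AttributeValue DataType="{STRING}">{image}</AttributeValue>\n'
            f'      </Attribute>\n    </Attributes>\n  </Result>\n')


IMAGES = ["view.gif", "help.gif", "copy.gif"]
# Constructed sample: what an MDP-enabled PDP returns for bob (publicUsers)
# asking for the three images above. Not captured from a real PDP.
SAMPLE_MDP_RESPONSE = (f'<Response xmlns="{XACML_NS}">\n' + _result("Permit", "view.gif")
                       + _result("Permit", "help.gif") + _result("Deny", "copy.gif")
                       + "</Response>")
# Constructed sample of the failure mode: one merged result for three images.
SAMPLE_COMBINED_RESPONSE = (f'<Response xmlns="{XACML_NS}">\n'
                            + _result("Deny", "copy.gif") + "</Response>")

if __name__ == "__main__":
    print(build_mdp_request("bob", "view", IMAGES))
    print(permitted_resources(SAMPLE_MDP_RESPONSE, IMAGES))  # ['view.gif', 'help.gif']
```

The length check is the part worth keeping in a real PEP: if the PDP is not configured for the profile it answers the repeated categories with one Result, and silently rendering (or hiding) every image on the strength of that single decision is exactly the bug resource filtering is meant to avoid.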



Comment:

Hi,

I tried doing the following:

    Attribute subjectAttribute = new Attribute("urn:oasis:names:tc:xacml:1.0:subject-category:access-subject", "urn:oasis:names:tc:xacml:1.0:subject:subject-id", ProxyConstants.DEFAULT_DATA_TYPE, userId);
    Attribute actionAttribute = new Attribute("urn:oasis:names:tc:xacml:3.0:attribute-category:action", "urn:oasis:names:tc:xacml:1.0:action:action-id", ProxyConstants.DEFAULT_DATA_TYPE, "GET");
    Attribute resourceAttribute = new Attribute("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", ProxyConstants.DEFAULT_DATA_TYPE, "/Entitlement_Sample_WebApp/protected2.jsp");
    Attribute resourceAttribute2 = new Attribute("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", ProxyConstants.DEFAULT_DATA_TYPE, "/Entitlement_Sample_WebApp/protected13.jsp");
    Attribute resourceAttribute3 = new Attribute("urn:oasis:names:tc:xacml:3.0:attribute-category:resource", "urn:oasis:names:tc:xacml:1.0:resource:resource-id", ProxyConstants.DEFAULT_DATA_TYPE, "/Entitlement_Sample_WebApp/protected14.jsp");
    Attribute environmentAttribute = new Attribute("urn:oasis:names:tc:xacml:3.0:attribute-category:environment", "urn:oasis:names:tc:xacml:1.0:environment:environment-id", ProxyConstants.DEFAULT_DATA_TYPE, "");
    Attribute[] tempArr = {actionAttribute, subjectAttribute, resourceAttribute, resourceAttribute2, resourceAttribute3};

    response = pepProxy.getDecision(tempArr, "SOAP_APP");

But the output doesn't contain individual results but a combined one. Am I missing anything? Your help is greatly appreciated.

