XACML Sample for On-line Trading Application -1

XACML is a powerful way to build access control into your application. Here we are going to talk about how to build XACML-driven authorization for an on-line trading application called "K-Market". This sample is shipped with the Balana XACML implementation, which can be found here.

The scenario is as follows.

1. K-Market is an online trading company.

2. You can create a user account with K-Market; user profile data is stored in K-Market's own JDBC user store.

3. K-Market controls online trading based on the customer's privileges and on customer attributes such as age, email and so on.

4. So they have implemented access control over online trading.

5. When a customer has finished with the shopping cart and entered the credit card details, the K-Market access control system is triggered to check whether
this is an authorized online purchase.

6. K-Market has the following access control scenarios in the initial phase of its access control system.

7. K-Market has separated its customers into three groups and has put limits on the items each group may buy online.

i.e. Blue, Silver and Gold.

Blue customers:

Cannot buy any liquor or medicine.
Maximum amount they can purchase is $100.
Maximum number of drinks they can purchase is 10.

Silver customers:

Cannot buy any liquor.
Maximum amount they can purchase is $500.
Maximum number of drinks they can purchase is 50.
Maximum number of medicine items they can purchase is 50.

Gold customers:

Maximum amount they can purchase is $500.
Maximum number of liquor items they can purchase is 10.

You can find the sample in svn or in the snapshot Balana distribution here, and use the "run" script to try it out.

An attribute finder module is shipped with the sample. In a real deployment this module (the XACML PIP) would call the user store and retrieve the user's attributes and group data; the group must be resolved this way by the PDP side and never taken from the access request itself, otherwise a customer could simply claim a higher tier. For the sample, the attribute finder has a few hard-coded names and their corresponding groups, as follows:

bob has Blue membership
alice has Silver membership
peter has Gold membership

This sample uses new XACML 3.0 features: a custom attribute category (called "http://kmarket.com/category") and Advice elements. The advices are attached to Rule elements, so when a purchase is denied the customer can be told which rule caused the failure.
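To make the Blue rules above and the two XACML 3.0 features concrete, here is an added example policy, written for this page rather than taken from the shipped sample, that enforces the Blue limits under deny-overrides, reads the customer's group from the custom category http://kmarket.com/category, and attaches an Advice to each deny rule so the PEP can tell the customer why the purchase failed. The attribute ids http://kmarket.com/id/group, .../amount, .../liquor, .../medicine and .../drinks, and the advice ids, are assumptions. It also assumes the PEP always sends all four cart figures (0 when the cart has none), because the one-and-only functions return Indeterminate on an empty bag.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example policy for Blue customers (added illustration; attribute and advice ids are assumed) -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="urn:kmarket:example:policy:blue"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Description>Blue customers: no liquor or medicine, at most $100, at most 10 drinks.</Description>

  <!-- Applies only when the group, resolved by the attribute finder into the custom category,
       is "blue". MustBePresent="true" turns a missing group into Indeterminate, not NotApplicable. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">blue</AttributeValue>
          <AttributeDesignator Category="http://kmarket.com/category" AttributeId="http://kmarket.com/id/group"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <!-- Blue customers cannot buy any liquor or medicine -->
  <Rule RuleId="blue-deny-liquor-medicine" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <AttributeDesignator Category="http://kmarket.com/category" AttributeId="http://kmarket.com/id/liquor"
                                 DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
            <AttributeDesignator Category="http://kmarket.com/category" AttributeId="http://kmarket.com/id/medicine"
                                 DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
    <!-- Advice rides back in the Result so the PEP can show the customer the reason -->
    <AdviceExpressions>
      <AdviceExpression AdviceId="http://kmarket.com/advice/blue-liquor-medicine" AppliesTo="Deny">
        <AttributeAssignmentExpression AttributeId="http://kmarket.com/advice/reason">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Blue customers cannot buy liquor or medicine</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>

  <!-- Total amount limit: $100 -->
  <Rule RuleId="blue-deny-amount" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-greater-than">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:double-one-and-only">
          <AttributeDesignator Category="http://kmarket.com/category" AttributeId="http://kmarket.com/id/amount"
                               DataType="http://www.w3.org/2001/XMLSchema#double" MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">100.0</AttributeValue>
      </Apply>
    </Condition>
    <AdviceExpressions>
      <AdviceExpression AdviceId="http://kmarket.com/advice/blue-amount" AppliesTo="Deny">
        <AttributeAssignmentExpression AttributeId="http://kmarket.com/advice/reason">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Blue customers may purchase at most $100 per order</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>

  <!-- Drinks limit: 10 -->
  <Rule RuleId="blue-deny-drinks" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only">
          <AttributeDesignator Category="http://kmarket.com/category" AttributeId="http://kmarket.com/id/drinks"
                               DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="true"/>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">10</AttributeValue>
      </Apply>
    </Condition>
    <AdviceExpressions>
      <AdviceExpression AdviceId="http://kmarket.com/advice/blue-drinks" AppliesTo="Deny">
        <AttributeAssignmentExpression AttributeId="http://kmarket.com/advice/reason">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Blue customers may buy at most 10 drinks per order</AttributeValue>
        </AttributeAssignmentExpression>
      </AdviceExpression>
    </AdviceExpressions>
  </Rule>

  <!-- No limit was exceeded: the purchase is allowed -->
  <Rule RuleId="blue-permit" Effect="Permit"/>
</Policy>
```

Under deny-overrides any Deny rule wins and its Advice is returned in the Result; a missing group or cart figure produces Indeterminate instead, and a deny-biased PEP must refuse the purchase on anything other than Permit. Silver and Gold policies follow the same pattern with their own limits, and a PolicySet combining the three (for example with deny-overrides) ties them together.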

You can extend this sample further simply by editing the existing policies or adding new ones; we will discuss that later.



  1. Hi.
    I’m currently working with the latest version of Balana in an attempt to create a small PoC to help with my understanding of XACML 3.0 at a technical level. One observation I have regarding the K-Market sample is that the inbound request message is generated as a String, with the smallest of substitutions. Do you have any recommended process for creating a request message using objects instead – such as with the RequestCtx object?

    Very impressed so far with your implementation, especially the XACML 3.0 features. Great job!


  2. Thanks for your feedback. Yes, we can create the XACML request without using a String. In the sample we have used a String, as it is easier to understand. We will update one sample with RequestCtx and let you know.

  3. Hello,
    can you provide a link with the sample of creating a request with RequestCtx?

    Thank you in advance!

    Best regards,

  4. Hello,

    Nice blog. Any idea what steps I need to take to deploy the sample attribute finder module on WSO2 Identity Server(4.1)? Thanks.


    1. Thanks for the link. The sample attribute finder linked in the blog extends AttributeFinderModule; that was just for reference, is it?

        1. Thanks, the build worked with 4.0.3. I placed the jar into the IS_HOME/repository/components/lib folder and updated the entitlement.properties file accordingly, but WSO2 Identity Server isn't able to find my classes (I get a class-not-found exception on server startup). Any idea why? Thanks.

        2. Hello,

          Your suggestions worked in WSO2 Identity Server 4.0.0 but not on 4.1.0, not sure what the reason is – just wanted to bring it to your notice.


      1. I did not find such an issue. I just tried with a fresh 4.1.0 pack; the class was loaded without any issue. Please double-check the class name in the entitlement.properties file, because as it is a class-not-found error, the main reason must be that. Actually, check for any spaces, because I just found that the class name is not trimmed after reading.

  5. Hi,
    I am new to using XACML and am trying out the Kmarket example you have provided. Could you please tell me how to run your example, or refer me to some sites that could help me run it? For example, can I run your example from a Java IDE itself, or are there additional requirements too?


  6. Hello,

    I am not able to run the project with Maven 3.0.5.
    It throws the following error:

    [ERROR] The build could not read 1 project -> [Help 1]
    [ERROR] The project org.wso2.balana:org.wso2.balana.samples.kmarket.trading:1.0.0-SNAPSHOT (/root/kmarket-trading-sample/pom.xml) has 1 error
    [ERROR] Non-resolvable parent POM: Could not find artifact org.wso2.balana:balana-samples:pom:1.0.0-SNAPSHOT in wso2-maven2-repository (http://dist.wso2.org/maven2) and ‘parent.relativePath’ points at wrong local POM @ line 7, column 13 -> [Help 2]
    [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
    [ERROR] Re-run Maven using the -X switch to enable full debug logging.

    I tried changing the relative-path tag in the pom.xml file to the project location, but it didn't work.
    Please help.
