XPath in XACML – Part 1

XPath plays an important role in XACML when policies are evaluated against XML data. When XML data is passed between nodes, the PEP can act as the interception point that calls the PDP and hands the XML data over; the PDP then takes its decision based on that data. Let's see how to develop a simple policy that evaluates XML data.

Let's take a very simple use case.

  • There is a medi.com health care application where registered online users (patients, doctors and so on) can examine patient data.
  • The patient data store returns whatever data is requested for a given patient id, regardless of which user is logged in to the application.
  • Medi.com has an authorization interceptor (PEP) between its web application and the patient data store. The PEP authorizes the requested data by calling a PDP.
  • One authorization rule is "Users can only read their own patient data".

Let's build a policy for this.

XACML Policy

The policy says "Users can only read their own patient data". For example, if you log in to the medi.com web application with patient id "bob", you can only read the patient data stored for "bob".

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="medi-xpath-test-policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
  <Description>XPath evaluation is done with respect to the Content element and checks for a matching value. Here the Content element has been bound to a custom namespace and prefix</Description>
  <!-- Target/AnyOf/AllOf, Condition and closing tags restored to match the XACML 3.0 schema; the Match, designators and selector are as published -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Description>Rule to match value in content element using XPath</Description>
    <Condition>
      <!-- any-of(string-equal, subject-id, {patientId values selected from the resource Content}) -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Apply>
        <AttributeSelector MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" Path="//ak:record/ak:patient/ak:patientId/text()" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <!-- rule2 has no Target or Condition, so it applies whenever rule1 does not: first-applicable makes it the default Deny -->
  <Rule RuleId="rule2" Effect="Deny">
    <Description>Deny rule</Description>
  </Rule>
</Policy>

To try out this policy, I am using WSO2 Identity Server, which is an open source XACML server. You can upload this policy into the PAP of WSO2 Identity Server.



XACML Request

In the XACML request, the XML data is sent to the PDP by the PEP interceptor. The XACML request carries the XML data under the Content element of the resource category, which is what the policy's AttributeSelector evaluates its XPath against.

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bob</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Content>
      <ak:record xmlns:ak="http://akpower.org">
        <!-- ak:patient/ak:patientId is the element the policy's XPath selects; it was lost from the published request and is restored here, with "bob" assumed so that the request matches the logged-in user -->
        <ak:patient>
          <ak:patientId>bob</ak:patientId>
        </ak:patient>
        <ak:street>51 Main road</ak:street>
      </ak:record>
    </Content>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

You can try out this request against the policy uploaded to WSO2 Identity Server.




XACML Response

The PEP takes its decision from the Result returned by the PDP.

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <!-- Result/Decision/Status wrappers restored; Permit is the decision expected when the subject-id and the selected patientId are both "bob" -->
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
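To make the policy, request and response above concrete, here is a small evaluator I added for this post; it is not the blog's code and not WSO2 Identity Server or Balana. It mirrors only the parts of the policy used here: the action target (string-regexp-match on action-id with pattern "read"), rule1's any-of/string-equal condition that compares the subject-id with the patientId values selected from the resource Content, rule2's unconditional Deny, and the first-applicable combining algorithm. It assumes the request's Content holds an ak:record with ak:patient/ak:patientId (the published request omits that element), uses ElementTree's path syntax in place of a full XPath engine, and builds its own constructed sample requests in the shape of the blog's request.

```python
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
# "ak" is the blog's custom namespace bound on the Content element
NS = {"x": XACML, "ak": "http://akpower.org"}

SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# ElementTree equivalent (assumed, not XPath) of the policy's
# AttributeSelector Path //ak:record/ak:patient/ak:patientId/text()
PATIENT_ID_PATH = ".//ak:record/ak:patient/ak:patientId"


def build_request(subject_id, patient_id, action):
    """Constructed sample request in the shape of the blog's request.

    subject_id=None omits the subject-id attribute entirely, which is how
    a PEP that forgot to pass the logged-in user would look to the PDP.
    """
    subject = "" if subject_id is None else (
        f'<Attribute IncludeInResult="false" AttributeId="{SUBJECT_ID}">'
        f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{subject_id}</AttributeValue>'
        "</Attribute>"
    )
    return (
        f'<Request xmlns="{XACML}" ReturnPolicyIdList="false" CombinedDecision="false">'
        f'<Attributes Category="{SUBJECT_CAT}">{subject}</Attributes>'
        f'<Attributes Category="{RESOURCE_CAT}"><Content>'
        f'<ak:record xmlns:ak="http://akpower.org">'
        f"<ak:patient><ak:patientId>{patient_id}</ak:patientId></ak:patient>"
        "<ak:street>51 Main road</ak:street></ak:record>"
        "</Content></Attributes>"
        f'<Attributes Category="{ACTION_CAT}">'
        f'<Attribute IncludeInResult="false" AttributeId="{ACTION_ID}">'
        f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{action}</AttributeValue>'
        "</Attribute></Attributes></Request>"
    )


def attribute_values(request, category, attribute_id):
    """AttributeDesignator: the bag of string values for one attribute in one category."""
    values = []
    for attrs in request.findall("x:Attributes", NS):
        if attrs.get("Category") != category:
            continue
        for attr in attrs.findall("x:Attribute", NS):
            if attr.get("AttributeId") == attribute_id:
                values.extend(v.text or "" for v in attr.findall("x:AttributeValue", NS))
    return values


def select_content(request, category, path):
    """AttributeSelector: the bag of text values selected from the category's <Content>."""
    values = []
    for attrs in request.findall("x:Attributes", NS):
        if attrs.get("Category") != category:
            continue
        for content in attrs.findall("x:Content", NS):
            values.extend(e.text or "" for e in content.findall(path, NS))
    return values


def evaluate_rule1(request):
    """rule1: Permit when string-one-and-only(subject-id) equals any selected patientId."""
    subjects = attribute_values(request, SUBJECT_CAT, SUBJECT_ID)
    if len(subjects) != 1:
        # string-one-and-only on an empty or multi-valued bag is a processing
        # error, so the rule is Indeterminate rather than silently NotApplicable.
        return "Indeterminate"
    patient_ids = select_content(request, RESOURCE_CAT, PATIENT_ID_PATH)
    # any-of over an empty bag is false, so a Content without a patientId
    # makes rule1 NotApplicable and falls through to the Deny rule.
    return "Permit" if subjects[0] in patient_ids else "NotApplicable"


def evaluate(request_xml):
    """Decision of the policy for a request document: Permit, Deny, NotApplicable or Indeterminate."""
    request = ET.fromstring(request_xml)
    # Policy Target: string-regexp-match("read", action-id), i.e. an unanchored regex search.
    actions = attribute_values(request, ACTION_CAT, ACTION_ID)
    if not any(re.search("read", a) for a in actions):
        return "NotApplicable"
    # first-applicable: the first rule that is not NotApplicable decides;
    # an Indeterminate rule makes the whole policy Indeterminate.
    for rule in (evaluate_rule1, lambda _r: "Deny"):
        decision = rule(request)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


if __name__ == "__main__":
    for subj, pid, act in [("bob", "bob", "read"), ("bob", "alice", "read"),
                           ("bob", "bob", "write"), (None, "bob", "read")]:
        print(subj, pid, act, "->", evaluate(build_request(subj, pid, act)))
```

Two points the blog's policy leaves implicit and the evaluator makes visible: a missing subject-id does not quietly become a Deny but an Indeterminate, which the PEP must treat as a refusal, and the target uses string-regexp-match with the unanchored pattern "read", so an action such as "read-all" also matches; if only the exact action is meant, string-equal or an anchored pattern is the safer choice.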

Let's build a more complex scenario in a later post. 🙂



  1. Hi Asela, I tried to upload the policy but the server returns this error: "Entitlement policy is not updated. Error is :Unsupported Entitlement Policy. Policy can not be parsed",
    taking into account that my server is working normally and I can upload a simple policy.

    1. Did you upload the above XPath policy? If so, could you try again, because I made some updates to it (there was an end-of-line issue with it). If not, could you please let us know the policy?

  2. Hi, I am facing a problem uploading the "policy_27.xml" XML file with WSO2 Identity Server version 4.6.0.
    It is giving me the same error identified by nesso. My server is working correctly.
    Please reply.

    1. Hi Manjiri,

      What is the policy "policy_27.xml"? Where can I find it? Maybe there are issues with the policy. Normally, when you add a policy to Identity Server, Identity Server validates the policy against its schema. Please verify your policy.

  3. Thank you for the blog.
    This works perfectly all right.
    After this I was checking how to create a policy from the WSO2 policy editor that uses attribute selectors.
    There is no sufficient documentation to help with this.

    1. Thanks. The Identity Server policy editors have been implemented to help people who do not know much about XACML. They just help to create simple policies easily, but they do not cover every element mentioned in the XACML spec; therefore there are no attribute selectors in the policy editors. However, the policy editor keeps improving.

  4. Thank you Asela. I hope that I can get these features in any of the existing open source editors.
    I have some already created policies (XACML 3.0 compliant) which use VariableDefinition and VariableReference tags for modularizing the policy conditions. I tried importing them directly from the Identity Server policy administration, but again it is giving an exception: ClassCastException: …balana.cond.VariableReference cannot be cast to …Evaluatable.
    So I am wondering whether the complete XACML 3.0 implementation is in the library or not.
    I will mark this issue at the appropriate place. But can you please answer this query? It will help me decide whether to go with the PAP of WSO2 or not.

      1. I'm using Balana; it seems the VariableReference tag can't be used under the Condition. The exception says: "java.lang.ClassCastException: org.wso2.balana.cond.VariableReference cannot be cast to org.wso2.balana.cond.Evaluatable"
        my policy is:





    1. If you go through the policy editors that WSO2 Identity Server provides, they do not have a way to provide the AttributeSelector element. I do not think there is a specific link for it.
