Multiple decision profile – Repeated attribute categories

In my previous post, we went though defining XACML policies for web application. Now i am going to try out the scenario that is defined there with first approach. i.e. Multiple decision profile with repeated attribute categories. Here i am using  Identity Server which is an open source XACML engine that supports XACML 3.0 and multiple decision profile

Step 1.  You need to upload and publish these policies in to the XACML PDP as enabled policies. You can find more details from here.

Step 2. Create multiple decision request from PEP TryIt tool
Lets say.. web application needs to verify the permitted item in the index.jsp for user “asela” (“asela” is in privateUser role). Therefore web application needs to create a XACML request with all the items (actions) in the index.jsp page.

  • Multiple attribute values can be given as common separated way.
  • “Include in result” is important to distinguish the results of XACML response.

Step 3. Use PEP TryIt tool invoke the PDP (Or else you can invoke “getDecision” method of the PDP API using SOAP UI )

You can find the XACML request from here


Step 4. You can see the multiple decisions with same XACML response and We can distinguish each decision using the attribute value that is returned.

You can find the XACML response from here


Step 5. Web application needs to filter out the items (actions) that are permitted in the response and allow them to the user.

Discuss this article on Stack Overflow


Leave a Reply

Your email address will not be published. Required fields are marked *