Multiple decision profile – Repeated attribute categories

In my previous post, we went though defining XACML policies for web application. Now i am going to try out the scenario that is defined there with first approach. i.e. Multiple decision profile with repeated attribute categories. Here i am using  Identity Server which is an open source XACML engine that supports XACML 3.0 and multiple decision profile

Step 1.  You need to upload and publish these policies in to the XACML PDP as enabled policies. You can find more details from here.

Step 2. Create multiple decision request from PEP TryIt tool
Lets say.. web application needs to verify the permitted item in the index.jsp for user “asela” (“asela” is in privateUser role). Therefore web application needs to create a XACML request with all the items (actions) in the index.jsp page.

  • Multiple attribute values can be given as common separated way.
  • “Include in result” is important to distinguish the results of XACML response.

md1
Step 3. Use PEP TryIt tool invoke the PDP (Or else you can invoke “getDecision” method of the PDP API using SOAP UI )

You can find the XACML request from here

md2

Step 4. You can see the multiple decisions with same XACML response and We can distinguish each decision using the attribute value that is returned.

You can find the XACML response from here

md3

Step 5. Web application needs to filter out the items (actions) that are permitted in the response and allow them to the user.

Discuss this article on Stack Overflow

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *