ApplicationId JSON example
The ApplicationId attribute must only contain the server part of the full policy key. The resourceUri is then retrieved from the Request.Resource resource-id attribute and concatenated on the ApplicationId.
For an application resource with an Application ID /myapp and two resources, /myresource1 and /myresource2, two policy keys would be generated, /myapp/myresource1 and /myapp/myresource2.
This allows two separate policies to be evaluated within the one JSON request.
The corresponding XACML JSON would be:
{ "Request": { "Action": { "Attribute": [ { "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", "DataType": "string", "Value": "GET" } ] }, "Resource": [ { "Attribute": [ { "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "DataType": "string", "Value": "/myresource1" } ] }, { "Attribute": [ { "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "DataType": "string", "Value": "/myresource2" } ] } ], "Environment": { "Attribute": [ { "AttributeId": "ApplicationId", "DataType": "string", "Value": "/myapp", "Issuer": "http://security.tivoli.ibm.com/policy/distribution", } ] } } }
If the policy attached to /myapp/myresouce1 results in a Permit decision and the policy attached to /myapp/myresouce2 results in a Deny decision, the XACML JSON response would be:
{ "Response": [ { "Status": { "StatusCode": { "Value":"urn:oasis:names:tc:xacml:1.0:status:ok" } }, "Attribute": [ { "AttributeId":"urn:oasis:names:tc:xacml:1.0:resource:resource-id", "Value":"\/myresource1" } ], "Decision":"Permit" }, { "Status": { "StatusCode": { "Value":"urn:oasis:names:tc:xacml:1.0:status:ok" } }, "Attribute": [ { "AttributeId":"urn:oasis:names:tc:xacml:1.0:resource:resource-id", "Value":"\/myresource2" } ], "Decision":"Deny" } ] }
Parent topic: Invoking the RTSS XACML engine