Securing WebLogic Resources Using Roles and Policies

      

Reference for XACML on WebLogic Server

The eXtensible Access Control Markup Language (XACML) is an XML language for expressing authorization policies and role assignments. XACML offers extension points so that vendors such as Oracle can express vendor-specific resources, data types, and functions in XACML.

The WebLogic Server XACML Authorization Provider and XACML Role Mapping Provider implement and extend the XACML 2.0 Core Specification (see the OASIS XACML 2.0 Core Specification). These providers partially implement the Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML 2.0 (see the OASIS RBAC specification).

The following sections describe the extensions that you can use when writing XACML 2.0 documents to protect resources on WebLogic Server and the restrictions that WebLogic Server places on XACML:

This document describes only the WebLogic Server extensions and restrictions for XACML. For a complete reference of the XACML 2.0 language, see the OASIS XACML 2.0 Core Specification and the RBAC specification from OASIS.

 


Comparison of WebLogic Server and XACML Security Models

The WebLogic Server model for representing resources and policies follows the model of Java EE deployment descriptors. This Java EE model creates a hierarchy of resources in which roles and authorization policies at the top of the hierarchy protect resources that are lower in the hierarchy. (See Protecting a Hierarchy of Resources.) Policies lower in a hierarchy always override policies higher in the hierarchy. The higher levels of the resource hierarchy contain enterprise applications, Web applications, and EJBs. The lowest levels of the resource hierarchy contain EJB methods, HTTP methods on specific URL patterns, and MBean getters and setters.

The XACML model also recognizes a hierarchy of resources. Unlike the native WebLogic Server model, your XACML policies must specify how to interpret cases in which a resource is protected by its own policy and by a policy on the resource's parent or ancestor.

In addition, a XACML document typically distinguishes between a resource and the actions of a resource. For example, a XACML document defines a resource such as an EJB, and then defines an action within the EJB resource to represent a method in the EJB. The native WebLogic Server model considers an EJB and each EJB method to be resources. See Figure 7-1.

Figure 7-1 WebLogic Resource Hierarchy Includes Methods

While it is possible to describe an action such as an EJB method as a XACML resource, a more natural expression in XACML would define an EJB as a resource and an EJB method as an action within the resource.

 

Comparison of Terminology

The WebLogic Server terminology for describing resources and policies follows the model of Java EE deployment descriptors. This Java EE model uses the following terms to describe key concepts:

In XACML, a set of rules makes up a policy, and policies can be used to determine who is in a role or who can access a resource. In general, a XACML policy is equivalent to a role statement or policy statement in WebLogic Server.

 

Description of Data Types

Oracle implements support for all of the data types that are required by the XACML core specification. It supports additional, standard XML data types and provides a group of custom data types. This document uses the bea: prefix to indicate that a data type is a custom Oracle type.

For a description of all data types that the WebLogic XACML providers recognize, see com.bea.common.security.xacml.Type in WebLogic Server API Reference.

 


Action Identifiers

XACML uses an Action element to identify an operation in a resource or a hierarchy of resources.

WebLogic Server supports all of the XACML Action identifiers (see the OASIS XACML 2.0 Core Specification) and adds support for an additional one that can appear anywhere that a standard XACML action identifier can appear.

To identify operations in WebLogic Server resources (for example, to identify a specific EJB method), use action identifiers as described in Table A-1.

While it is possible to use a resource identifier to describe an operation such as an EJB method, a more natural expression in XACML would use an action identifier. See Comparison of WebLogic Server and XACML Security Models.

Table A-1 Action Identifiers

To identify an operation, use:
  Attribute ID: urn:oasis:names:tc:xacml:1.0:action:action-id
  Data Type: string
  Value: Depends on the type of resource that contains the operation. See Table A-2.

To identify when the provider performs a security check, use:
  Attribute ID: urn:bea:xacml:2.0:action:direction
  Data Type: string
  Values: ONCE, PRIOR, or POST
  The WebLogic Security SPI contains an optional feature that enables containers to specify when a provider performs a security check on a request:
    • ONCE requests an authorization check once, with no preference as to whether it is done before or after the operation.
    • PRIOR requests an authorization check before the request is processed.
    • POST requests an authorization check after the request has been processed but before the results are returned.
  You can use this direction identifier to match requests that have been checked ONCE, PRIOR, or POST. For more information, see weblogic.security.spi.Direction in the WebLogic Server API Reference, which is the object type used to pass ONCE, PRIOR, or POST to the security provider.
  Using a Direction object in a decision is optional for Authorization providers. The WebLogic Server XACML Authorization provider supports only the ONCE value.

Table A-2 describes the value that you specify for the action-id identifier.

Table A-2 Value for the action-id Identifier

If the operation is in the following resource type, specify the value given:

Admin: The name of an administrative activity that is protected by an Admin resource. For example, UserLockout. For a list of valid values, see the action parameter for the weblogic.security.service.AdminResource constructor in the WebLogic Server API Reference.
Application: The name of the application as displayed in the Administration Console.
Control: The name of a method in a Java control. Java controls are reusable components that you can use anywhere within a WebLogic Platform application. You can use built-in controls provided with WebLogic Workshop, or you can create your own.
EJB: The name of an EJB method. For example, mymethod. If the method is overloaded, all methods with the specified method name will be matched.
JDBC: The name of an administrative activity that is protected by a JDBC resource. For a list of valid values, see the action parameter for the weblogic.security.service.JDBCResource constructor in the WebLogic Server API Reference.
JMS: The name of an administrative activity that is protected by a JMS resource. For a list of valid values, see the action parameter for the weblogic.security.service.JMSResource constructor in the WebLogic Server API Reference.
JMX: The name of an operation in a WebLogic Server MBean. For example, shutdown.
JNDI: The name of an administrative activity that is protected by a JNDI resource. For a list of valid values, see the action parameter for the weblogic.security.service.JNDIResource constructor in the WebLogic Server API Reference.
Server: The name of a server life cycle activity that is protected by a Server resource. For example, boot. For a list of valid values, see Server Resources.
URL: The name of an HTTP method. For example, POST.
Web Service: The name of a Web Service method. For example, mymethod.
Work Context: The name of an administrative activity that is protected by a Work Context resource. For a list of valid values, see the action parameter for the weblogic.security.service.WorkContextResource constructor in the WebLogic Server API Reference.
All others: The following string: access

 

Examples

The following example uses an Action element to specify that the target is mymethod within the SimpleSoap Web Service:

<Target>
  <Resources>
    <Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          type=&lt;webservices&gt;, application=webservicesJwsSimpleEar,
          contextPath=/jws_basic_simple, webService=SimpleSoapPort
        </AttributeValue>
        <ResourceAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="true"/>
      </ResourceMatch>
    </Resource>
  </Resources>
  <!-- In XACML 2.0 an ActionMatch must be nested inside Actions/Action -->
  <Actions>
    <Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
          mymethod
        </AttributeValue>
        <ActionAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="true"/>
      </ActionMatch>
    </Action>
  </Actions>
</Target>

 


Environment Identifiers

XACML uses an optional Environment element to describe conditions in the operating environment that must be met before providing access to a target. For example, an Environment element can specify a time and date range within which access is allowed.

WebLogic Server supports all of the XACML Environment identifiers (see the OASIS XACML 2.0 Core Specification) and adds support for an additional one that can appear anywhere that a standard XACML environment identifier can appear. See Table A-3.

Table A-3 WebLogic Server Environment Identifier

To identify a value that the container passes to the provider, use:
  Attribute ID: urn:bea:xacml:2.0:environment:context:key, where key specifies a ContextHandler element name as defined in “ContextHandlers and WebLogic Resources” in Developing Security Providers for WebLogic Server. A ContextHandler is a WebLogic class that obtains additional context and container-specific information from the resource container and represents the information as a list of name/value pairs.
  Data Type: bea:Object, string, or double
  Value: The value of the ContextHandler element that you want to match.

 

Examples

The following example uses an Environment element to match the value of a WebLogic Server listen port. Such an element could create a policy that requires a request to come through listen port 9001:

<Environment>
  <EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
    <EnvironmentAttributeDesignator
        AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.channel.Port"
        DataType="http://www.w3.org/2001/XMLSchema#double"/>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">
      9001
    </AttributeValue>
  </EnvironmentMatch>
</Environment>

 


Policy and PolicySet Identifiers

XACML uses a Policy element to contain one or more rules and a PolicySet element to contain one or more policies. Each Policy element must include a PolicyId attribute, and each PolicySet element a PolicySetId attribute, to provide a unique identification. The XACML specification requires these identifiers to be legal URI values.

XACML documents use the PolicySetId to include a specific Policy or PolicySet element within another PolicySet element. WebLogic Server uses the PolicySetId as the key in the Authorization provider or Role Mapping provider's policy store.

WebLogic Server reserves URI values beginning with urn:bea: for its internal use. While you cannot create your own policies with URIs that begin with urn:bea:, you can use these values to include Oracle's policies in your policy sets.

 

Examples

The following example is a valid identifier for a Policy element:

<Policy
PolicyId="urn:mycompany:myapplication:policyid:1"
...>

The following example is a valid reference to the Policy element above:

<PolicyIdReference>
urn:mycompany:myapplication:policyid:1
</PolicyIdReference>

 


Resource Identifiers

XACML uses a Resource element to represent data, a service, or a system component.

WebLogic Server supports all of the XACML Resource identifiers (see the OASIS XACML 2.0 Core Specification).

To identify a WebLogic Server resource, use resource identifiers as described in Table A-4. For information about WebLogic Server resources, see Resource Types You Can Secure with Policies.

Table A-4 WebLogic Server Resource Identifiers

To identify a resource, use:
  Attribute ID: urn:oasis:names:tc:xacml:1.0:resource:resource-id
  Data Type: string
  Value: A collection of name and value pairs that specify the WebLogic Server resource type and the location of the resource in the WebLogic Server resource hierarchy. WebLogic Server generates these identifiers. Note that a policy that uses this identifier will not protect resources that are below the specified resource. For example, if you use this identifier for a policy on a Web Service module, the policy will not protect methods within the Web Service. See Get the ID of the Resource to Secure.

To identify a resource and its ancestors, use:
  Attribute ID: urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self
  Data Type: string
  Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers. See Get the ID of the Resource to Secure.

To identify the parent of a resource, use:
  Attribute ID: urn:oasis:names:tc:xacml:1.0:resource:resource-parent
  Data Type: string
  Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers. See Get the ID of the Resource to Secure.

To identify an ancestor of a resource, use:
  Attribute ID: urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor
  Data Type: string
  Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers. See Get the ID of the Resource to Secure.

 

Examples

The following example Resource element matches a Web Service named SimpleSoapPort and all methods within that Web Service:

<Resource>
  <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
      type=&lt;webservices&gt;, application=webservicesJwsSimpleEar,
      contextPath=/jws_basic_simple, webService=SimpleSoapPort
    </AttributeValue>
    <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
        DataType="http://www.w3.org/2001/XMLSchema#string"
        MustBePresent="true"/>
  </ResourceMatch>
</Resource>

 


Subject Identifiers

XACML uses a Subject element to represent an actor whose attributes may be referenced by a predicate.

WebLogic Server supports all of the XACML Subject identifiers (see the OASIS XACML 2.0 Core Specification).

To identify a WebLogic Server user, group, or role as defined in a WebLogic Server realm, use subject identifiers as described in Table A-5.

Table A-5 WebLogic Subject Identifiers

To identify a user principal, use:
  Attribute ID: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  Data Type: string
  Value: Name of a WebLogic Server user principal.

To identify a group principal, use:
  Attribute ID: urn:oasis:names:tc:xacml:2.0:subject:group
  Data Type: string
  Values: Name of a WebLogic Server group principal.

To identify a role, use:
  Attribute ID: urn:oasis:names:tc:xacml:2.0:subject:role
  Data Type: string
  Values: Names of one or more roles as resolved by a XACML Role Mapping provider.
  WebLogic Server supports only a subset of the RBAC Profile specification, which is the specification that defines this attribute.

To identify the subject who has signed a SOAP document, use:
  Attribute ID: urn:bea:xacml:2.0:subject:context:com.bea.contextelement.webservice.Integrity{{namespace}element}, where namespace and element are the namespace and element that were signed. For example:
  urn:bea:xacml:2.0:subject:context:com.bea.contextelement.webservice.Integrity{{http://schemas.xmlsoap.org/soap/envelope/}Body}
  Data Type: string
  Values: The Java subject who has signed the element (either user ID or group ID).

 

Examples

For an example of a XACML document that uses identifiers from Table A-5 to define a security role that can be used to protect access to a Web Service, see Listing 7-1.

 


WebLogic Server Functions for XACML

The following sections describe the functions that the WebLogic Server XACML providers support in addition to the functions described in the XACML Core Specification:

 

Custom Data Type Variants

The following function identifiers specify functions that are direct ports of standard XACML functions and operate on XML and WebLogic Server data types long, float, decimal and bea:Character. For a description of these data types, see com.bea.common.security.xacml.Type in WebLogic Server API Reference.

In this list, type refers to the names of the data types (long, float, decimal or character):

urn:bea:xacml:2.0:function:type-equal
urn:bea:xacml:2.0:function:type-greater-than
urn:bea:xacml:2.0:function:type-greater-than-or-equal
urn:bea:xacml:2.0:function:type-less-than
urn:bea:xacml:2.0:function:type-less-than-or-equal
urn:bea:xacml:2.0:function:type-one-and-only
urn:bea:xacml:2.0:function:type-bag-size
urn:bea:xacml:2.0:function:type-is-in
urn:bea:xacml:2.0:function:type-bag
urn:bea:xacml:2.0:function:type-intersection
urn:bea:xacml:2.0:function:type-union
urn:bea:xacml:2.0:function:type-at-least-one-member-of
urn:bea:xacml:2.0:function:type-subset
urn:bea:xacml:2.0:function:type-set-equals

For information on functions that compare bea:Objects, see Object Comparisons.

 

Examples

The following example is a Condition that uses urn:bea:xacml:2.0:function:character-equal to compare two bea:characters:

<Condition>
  <Apply FunctionId="urn:bea:xacml:2.0:function:character-equal">
    <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">
      Q
    </AttributeValue>
    <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">
      Q
    </AttributeValue>
  </Apply>
</Condition>

 

Miscellaneous Functions

Table A-6 lists the miscellaneous functions that WebLogic Server provides in addition to the standard XACML functions.

Table A-6 Miscellaneous WebLogic Server XACML Functions
Function Description
in-development-mode URI: urn:bea:xacml:2.0:function:in-development-mode
Input Type: null
Return Type: boolean
Description: This function takes no arguments and returns true if the WebLogic Server instance that hosts the realm is in development mode. See “Creating a WebLogic Domain” in Creating WebLogic Domains Using the Configuration Wizard.
instance-method URI: urn:bea:xacml:2.0:function:instance-method
Input Type: bea:Object, string, Bag of bea:Class, [bea:Object ... ]
Return Type: bea:Object
Description: This function invokes a method on a bea:Object that the container makes available in the current context. The function takes the following arguments:

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Bag of bea:Class. The Java classes that are declared in the method's signature. Use Oracle's string-to-class function to create the required classes. See Object Type Conversions.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.
The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.
instance-method-match URI: urn:bea:xacml:2.0:function:instance-method-match
Input Type: bea:Object, string, [bea:Object ... ]
Return Type: bea:Object
Description: This function invokes a method on a bea:Object that the container makes available in the current context. The function takes the following arguments:

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.
This function uses the method name and the class types of the parameter bea:Objects to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, then the function result is indeterminate. The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.
instance-method-v2 URI: urn:bea:xacml:2.0:function:instance-method-v2
Input Type: bea:Class, bea:Object, string, Bag of bea:Class, [bea:Object ... ]
Return Type: bea:Object
Description: This function invokes a method on a bea:Object that the container makes available in the current context. The function takes the following arguments:

  • bea:Class. The class type of the bea:Object. Use Oracle's string-to-class function to create the class. See Object Type Conversions.

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Bag of bea:Class. The Java classes that are declared in the method's signature. Use Oracle's string-to-class function to create the required classes. See Object Type Conversions.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.
The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.
instance-method-match-v2 URI: urn:bea:xacml:2.0:function:instance-method-match-v2
Input Type: bea:Class, bea:Object, string, [bea:Object ... ]
Return Type: bea:Object
Description: The function takes the following arguments:

  • bea:Class. The class type of the bea:Object. Use Oracle's string-to-class function to create the class. See Object Type Conversions.

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.
This function uses the class type of the bea:Object, the method name, and the class types of the parameter bea:Objects to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, then the function result is indeterminate. The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.
instance-method-match-v3 URI: urn:bea:xacml:2.0:function:instance-method-match-v3
Input Type: string, bea:Object, string, Bag of string,[bea:Object ... ]
Return Type: bea:Object
Description: This function uses the Java reflection API to invoke a method on a specified bea:Object. The function takes the following arguments:

  • String. The name of the bea:Object's class type.

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • String. The method name.

  • Bag of string. The class names of the parameters in the method signature.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.
This function uses the class name of the bea:Object, the method name, and the class types of the parameter bea:Objects to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, then the function result is indeterminate. The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.

 

Example

The following policy uses the instance-method function to invoke the HttpServletRequest.getAuthType() method on requests that match a specific URL pattern (see javax.servlet.http.HttpServletRequest.getAuthType() in the Java EE 5.0 API Specification). The WebLogic Server ContextHandler makes this HttpServletRequest object available to the Authorization and Role Mapping providers for all requests that come through the servlet container. Any policy for a URL resource can invoke this or other HttpServletRequest methods.

Listing A-1 Policy That Invokes HttpServletRequest.getAuthType()

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
    PolicyId="urn:sample:xacml:2.0:function:instance-method"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>function:instance-method</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
            type=&lt;url&gt;, application=MedRecEAR, contextPath=,uri=/docs/*
          </AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
              DataType="http://www.w3.org/2001/XMLSchema#string"
              MustBePresent="true"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <!-- Declaring the instance-method function as a variable because this policy
       invokes it multiple times. -->
  <VariableDefinition VariableId="authType">
    <Apply FunctionId="urn:bea:xacml:2.0:function:instance-method">
      <!-- Passing the HttpServletRequest object to the function, which the
           BEA ContextHandler makes available to the security framework. -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:object-one-and-only">
        <EnvironmentAttributeDesignator
            DataType="urn:bea:xacml:2.0:data-type:object"
            AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.servlet.HttpServletRequest"/>
      </Apply>
      <!-- Passing "getAuthType" as the name of the HttpServletRequest
           method to invoke. -->
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        getAuthType
      </AttributeValue>
      <!-- Because the getAuthType() method signature contains no parameters,
           pass an empty bag of Class. -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:class-bag"/>
    </Apply>
  </VariableDefinition>
  <!-- Creating a rule that allows access to the resource only if
       getAuthType() returns a non-null value and that value is "CLIENT_CERT". -->
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:bea:xacml:2.0:function:object-is-null">
            <VariableReference VariableId="authType"/>
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <!-- Because the instance-method function returns a bea:Object,
               this policy wraps the function in an object-to-string function,
               which enables comparison of the function output with another
               string. -->
          <Apply FunctionId="urn:bea:xacml:2.0:function:object-to-string">
            <VariableReference VariableId="authType"/>
          </Apply>
          <!-- Declaring a String object to compare to the
               HttpServletRequest.getAuthType() return value. -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
            CLIENT_CERT
          </AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>
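To make the Table A-4 distinction concrete (a policy on resource-id does not cover the methods below a module, while resource-ancestor-or-self does) and to trace the decision the Listing A-1 policy reaches, here is an added Python model; it is not WebLogic code. It assumes a resource identifier is an ordered list of name=value pairs whose ancestors are obtained by dropping trailing pairs, uses a constructed ", method=mymethod" pair for a Web Service method, and does not model URL pattern matching, so a request resource carries the /docs/* pattern itself.

```python
"""Added illustration, not WebLogic code: models the Table A-4 resource
identifiers over a WebLogic resource hierarchy and evaluates the Listing A-1
policy against it.

Assumptions (constructed for this example): a WebLogic resource identifier
is an ordered list of name=value pairs and each ancestor is obtained by
dropping the trailing pair; a method resource is written by appending a
", method=<name>" pair; URL pattern matching (/docs/* against a concrete
path) is not modelled, so a request resource carries the pattern itself.
"""
from __future__ import annotations
from typing import Optional

RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "urn:oasis:names:tc:xacml:1.0:resource:resource-parent"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"


def parse_resource(identifier: str) -> list[tuple[str, str]]:
    """Split 'type=<webservices>, application=x, ...' into ordered (name, value) pairs."""
    pairs = []
    for item in identifier.split(","):
        name, _, value = item.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def format_resource(pairs: list[tuple[str, str]]) -> str:
    """Canonical form, so identifiers compare regardless of incidental whitespace."""
    return ", ".join(f"{name}={value}" for name, value in pairs)


def resource_attributes(identifier: str) -> dict[str, list[str]]:
    """Bags that each Table A-4 attribute would hold for the requested resource.

    The leading 'type=' pair is the root of the hierarchy, so the shortest
    ancestor keeps it; resource-parent holds the nearest ancestor only.
    """
    pairs = parse_resource(identifier)
    self_id = format_resource(pairs)
    ancestors = [format_resource(pairs[:n]) for n in range(len(pairs) - 1, 0, -1)]
    return {
        RESOURCE_ID: [self_id],
        RESOURCE_PARENT: ancestors[:1],
        RESOURCE_ANCESTOR: ancestors,
        RESOURCE_ANCESTOR_OR_SELF: [self_id] + ancestors,
    }


def resource_match(attribute_id: str, policy_value: str, request_resource: str) -> bool:
    """A string-equal ResourceMatch: true when any value in the designated bag
    equals the policy's AttributeValue."""
    wanted = format_resource(parse_resource(policy_value))
    bag = resource_attributes(request_resource).get(attribute_id, [])
    return wanted in bag


# Resource strings taken from the page's examples; the method identifier is constructed.
WEB_SERVICE = ("type=<webservices>, application=webservicesJwsSimpleEar, "
               "contextPath=/jws_basic_simple, webService=SimpleSoapPort")
WEB_SERVICE_METHOD = WEB_SERVICE + ", method=mymethod"
DOCS_URL = "type=<url>, application=MedRecEAR, contextPath=,uri=/docs/*"


def evaluate_listing_a1(request_resource: str, auth_type: Optional[str]) -> str:
    """Decision of the Listing A-1 policy as modelled here.

    auth_type stands for what instance-method would get back from
    HttpServletRequest.getAuthType(); None models a Java null.
    Returns 'NotApplicable' when the Target does not match, otherwise the
    effect of the first applicable rule (first-applicable combining).
    """
    if not resource_match(RESOURCE_ANCESTOR_OR_SELF, DOCS_URL, request_resource):
        return "NotApplicable"
    # primary-rule: not(object-is-null(authType)) and object-to-string(authType) == "CLIENT_CERT"
    if auth_type is not None and auth_type == "CLIENT_CERT":
        return "Permit"
    # deny-rule has no Condition, so it applies to every remaining request
    return "Deny"


if __name__ == "__main__":
    for attr in (RESOURCE_ID, RESOURCE_ANCESTOR_OR_SELF):
        covers = resource_match(attr, WEB_SERVICE, WEB_SERVICE_METHOD)
        print(f"{attr.rsplit(':', 1)[1]:<25} policy on SimpleSoapPort covers mymethod: {covers}")
    print(evaluate_listing_a1(DOCS_URL + ", httpMethod=GET", "CLIENT_CERT"))
```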

 

Time/Date Conversions

Table A-7 lists the functions that Oracle provides to convert XACML times and dates to different data types.

Table A-7 WebLogic Server Time/Date Conversions
Function Description
dateTime-dayOfMonth URI: urn:bea:xacml:2.0:function:dateTime-dayOfMonth
Input Type: dateTime
Return Type: integer
Description: This function takes a single argument of type dateTime and returns an integer value that represents the day of month implied by the dateTime input. The first day of the month is represented with a value of 1.
dateTime-dayOfMonthMaximum URI: urn:bea:xacml:2.0:function:dateTime-dayOfMonthMaximum
Input Type: dateTime
Return Type: integer
Description: This function takes a single argument of type dateTime and returns an integer value that represents the value of the last day of the month. For example, if the dateTime describes a time in the month of December, the function returns 31 (because December has a maximum of 31 days). This function adjusts the value returned for February on leap years.
dateTime-dayOfWeek URI: urn:bea:xacml:2.0:function:dateTime-dayOfWeek
Input Type: dateTime
Return Type: integer
Description: This function takes a single argument of type dateTime and returns an integer value that indicates the day of the week implied by the dateTime input. Sunday is the first day of the week and has a value of 1.
dateTime-secondsOfDay URI: urn:bea:xacml:2.0:function:dateTime-secondsOfDay
Input Type: dateTime
Return Type: integer
Description: This function takes a single argument of type dateTime and returns an integer value that indicates the number of whole seconds that have elapsed in the day that is indicated by the dateTime input.
dayTimeDuration-timeZoneOffset URI: urn:bea:xacml:2.0:function:dayTimeDuration-timeZoneOffset
Input Type: null
Return Type: dayTimeDuration
Description: This function takes no arguments and returns a dayTimeDuration value that indicates the time-zone offset between the local time and GMT time.
string-to-dateTime URI: urn:bea:xacml:2.0:function:string-to-dateTime
Input Type: string
Return Type: dateTime
Description: This function takes a single argument of type string and returns the argument as a dateTime.
string-to-date URI: urn:bea:xacml:2.0:function:string-to-date
Input Type: string
Return Type: date
Description: This function takes a single argument of type string and returns the argument as a date.
object-to-dateTime URI: urn:bea:xacml:2.0:function:object-to-dateTime
Input Type: bea:Object
Return Type: dateTime
Description: This function takes a single argument of type bea:Object and returns the value as a dateTime object. If the bea:Object is an instance of java.util.Calendar, then its value is returned directly. If the bea:Object is an instance of java.security.Timestamp or java.util.Date, this function converts the bea:Object to java.util.Calendar and returns the Calendar value. Otherwise, this function converts the bea:Object to java.lang.String and parses the String into a dateTime value.
object-to-date URI: urn:bea:xacml:2.0:function:object-to-date
Input Type: bea:Object
Return Type: date
Description: This function takes a single argument of type bea:Object and returns the value as a date object. If the bea:Object is an instance of java.util.Calendar, then its value is returned directly. If the bea:Object is an instance of java.util.Date, this function converts the bea:Object to java.util.Calendar and returns the Calendar value. Otherwise, this function converts the bea:Object to java.lang.String and parses the String into a date value.

 

Arithmetic Conversions and Functions

Table A-8 lists the functions that Oracle provides to convert arithmetic values to different data types and to extend the basic set of arithmetic functions specified by XACML.

Table A-8 WebLogic Server Arithmetic Conversions and Functions
Function Description
float-to-double URI: urn:bea:xacml:2.0:function:float-to-double
Input Type: float
Return Type: double
Description: This function takes a single argument of type float and returns the argument as a double.
long-to-double URI: urn:bea:xacml:2.0:function:long-to-double
Input Type: long
Return Type: double
Description: This function takes a single argument of type long and returns the argument as a double.
long-to-float URI: urn:bea:xacml:2.0:function:long-to-float
Input Type: long
Return Type: float
Description: This function takes a single argument of type long and returns the argument as a float.
integer-to-float URI: urn:bea:xacml:2.0:function:integer-to-float
Input Type: integer
Return Type: float
Description: This function takes a single argument of type integer and returns the argument as a float.
integer-to-long URI: urn:bea:xacml:2.0:function:integer-to-long
Input Type: integer
Return Type: long
Description: This function takes a single argument of type integer and returns the argument as a long.
string-to-double URI: urn:bea:xacml:2.0:function:string-to-double
Input Type: string
Return Type: double
Description: This function takes a single argument of type string and returns the argument as a double.
string-to-long URI: urn:bea:xacml:2.0:function:string-to-long
Input Type: string
Return Type: long
Description: This function takes a single argument of type string and returns the argument as a long.
string-to-integer URI: urn:bea:xacml:2.0:function:string-to-integer
Input Type: string
Return Type: integer
Description: This function takes a single argument of type string and returns the argument as an integer.
string-to-float URI: urn:bea:xacml:2.0:function:string-to-float
Input Type: string
Return Type: float
Description: This function takes a single argument of type string and returns the argument as a float.
to-degrees URI: urn:bea:xacml:2.0:function:to-degrees
Input Type: double
Return Type: double
Description: This function takes a single argument of type double, converts the value from radians to degrees, and returns the degrees value as a double.
to-radians URI: urn:bea:xacml:2.0:function:to-radians
Input Type: double
Return Type: double
Description: This function takes a single argument of type double, converts the value from degrees to radians, and returns the radians value as a double.
acos URI: urn:bea:xacml:2.0:function:acos
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns the arc cosine of the argument as a double.
asin URI: urn:bea:xacml:2.0:function:asin
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns the arc sine of the argument as a double.
atan URI: urn:bea:xacml:2.0:function:atan
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns the arc tangent of the argument as a double.
atan2 URI: urn:bea:xacml:2.0:function:atan2
Input Type: double
Return Type: double
Description: This function takes two arguments of type double that represent the x and y coordinates of a point. It returns a double value that is the theta component of the same point expressed in polar coordinates (r, theta).
ceil URI: urn:bea:xacml:2.0:function:ceil
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns a double value that is the smallest mathematical integer that is greater than or equal to the argument value.
cos URI: urn:bea:xacml:2.0:function:cos
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns the cosine of the argument as a double.
exp URI: urn:bea:xacml:2.0:function:exp
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns a double value that is Euler's number, e, raised to the power of the argument value.
ieee-remainder URI: urn:bea:xacml:2.0:function:ieee-remainder
Input Type: double
Return Type: double
Description: This function takes two arguments of type double and returns a double value that is the remainder operation result of the two arguments as described in the IEEE 754 standard. See http://grouper.ieee.org/groups/754/.
log URI: urn:bea:xacml:2.0:function:log
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns the natural logarithm of the argument as a double.
maximum URI: urn:bea:xacml:2.0:function:maximum
Input Type: double
Return Type: double
Description: This function takes two arguments of type double and returns the larger of the two values as a double.
minimum URI: urn:bea:xacml:2.0:function:minimum
Input Type: double
Return Type: double
Description: This function takes two arguments of type double and returns the smaller of the two values as a double.
pow URI: urn:bea:xacml:2.0:function:pow
Input Type: double
Return Type: double
Description: This function takes two arguments of type double and returns a double value that is the result of taking the first argument value to the power of the second argument value.
random-number URI: urn:bea:xacml:2.0:function:random-number
Input Type: double
Return Type: double
Description: This function takes two arguments of type double and returns a double value that is a random number greater than or equal to the first argument and less than the second argument.
rint URI: urn:bea:xacml:2.0:function:rint
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns a double value that is the mathematical integer that is closest to the argument value. If the higher and lower integer values are equally close, then the even value is returned.
sqrt URI: urn:bea:xacml:2.0:function:sqrt
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns the square root as a double.
tan URI: urn:bea:xacml:2.0:function:tan
Input Type: double
Return Type: double
Description: This function takes a single argument of type double and returns the tangent as a double.


Object Type Conversions

WebLogic Server provides a collection of functions for converting XACML data into Java objects. The URI for each function in this collection is as follows:
urn:bea:xacml:2.0:function:type-to-object

where type is the name of a XACML data type. Table A-9 lists all data types and the Java object that the corresponding function returns.

For example, this function returns "test" as a java.lang.String object (in XACML the argument is supplied as an AttributeValue child of the Apply element):
<Apply FunctionId="urn:bea:xacml:2.0:function:string-to-object">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">test</AttributeValue>
</Apply>

Table A-9 Data to Java Object Conversion
When type equals... The urn:bea:xacml:2.0:function:type-to-object function returns...
character java.lang.Character
string java.lang.String
boolean java.lang.Boolean
integer java.lang.Integer
double java.lang.Double
float java.lang.Float
long java.lang.Long
decimal java.lang.Double
base64Binary java.lang.Byte[]
hexBinary java.lang.Byte[]
date java.util.Calendar
time java.util.Calendar
dateTime java.util.Calendar
dayTimeDuration java.lang.Long
yearMonthDuration java.lang.Integer
rfc822Name java.lang.String
x500Name java.lang.String
anyURI java.net.URI
ipAddress java.lang.String
dnsAddress java.lang.String

Table A-10 lists the functions that Oracle provides to convert strings or Java objects to different data or object types. To pass objects that the container makes available to the current context, use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

Table A-10 WebLogic Server Object Conversions
Function Description
string-to-class URI: urn:bea:xacml:2.0:function:string-to-class
Input Type: string
Return Type: bea:Class
Description: This function takes a single argument of type string, invokes java.lang.Class.forName() on the argument value, and returns the result as a bea:Class.
object-to-string URI: urn:bea:xacml:2.0:function:object-to-string
Input Type: bea:Object
Return Type: string
Description: This function takes a single argument of type bea:Object, invokes java.lang.Object.toString() on the argument value, and returns the result as a string.
object-to-double URI: urn:bea:xacml:2.0:function:object-to-double
Input Type: bea:Object
Return Type: double
Description: This function takes a single argument of type bea:Object and returns the value as a double. If the bea:Object is an instance of double, then its value is used directly. If the bea:Object is an instance of java.lang.Number, then this function invokes Number.doubleValue() on the value. Otherwise, this function converts the bea:Object to a java.lang.String and parses the String into a double.
object-to-integer URI: urn:bea:xacml:2.0:function:object-to-integer
Input Type: bea:Object
Return Type: integer
Description: This function takes a single argument of type bea:Object and returns the value as an integer. If the bea:Object is an instance of java.lang.Integer, then its value is used directly. If the bea:Object is an instance of java.lang.Number, then this function invokes Number.intValue() on the value. Otherwise, this function converts the bea:Object to java.lang.String and parses the String into an integer.


Object Comparisons

Table A-11 lists the functions that Oracle provides to compare Java objects.

Table A-11 WebLogic Server Object Comparisons
Function Description
object-is-null URI: urn:bea:xacml:2.0:function:object-is-null
Input Type: bea:Object
Return Type: boolean
Description: This function takes a single argument of type bea:Object and returns a boolean value indicating whether the object reference is equal to the Java keyword null. If there is no object that corresponds to the given object reference, this function returns true.
object-equal URI: urn:bea:xacml:2.0:function:object-equal
Input Type: bea:Object, bea:Object
Return Type: boolean
Description: This function takes two arguments of type bea:Object, invokes java.lang.Object.equals(), and returns a boolean value indicating whether the two Objects are equal.
object-greater-than URI: urn:bea:xacml:2.0:function:object-greater-than
Input Type: bea:Object, bea:Object
Return Type: boolean
Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is greater than the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.
object-greater-than-or-equal URI: urn:bea:xacml:2.0:function:object-greater-than-or-equal
Input Type: bea:Object, bea:Object
Return Type: boolean
Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is greater than or equal to the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.
object-less-than URI: urn:bea:xacml:2.0:function:object-less-than
Input Type: bea:Object, bea:Object
Return Type: boolean
Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is less than the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.
object-less-than-or-equal URI: urn:bea:xacml:2.0:function:object-less-than-or-equal
Input Type: bea:Object, bea:Object
Return Type: boolean
Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is less than or equal to the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.
object-collection-contains URI: urn:bea:xacml:2.0:function:object-collection-contains
Input Type: bea:Object, bea:Object
Return Type: boolean
Description: This function takes two arguments of type bea:Object and returns a boolean that indicates whether the first bea:Object contains the second bea:Object as determined by Collection.contains(). The first bea:Object must implement java.util.Collection, else the evaluation is indeterminate.
object-collection-contains-all URI: urn:bea:xacml:2.0:function:object-collection-contains-all
Input Type: bea:Object, bea:Object
Return Type: boolean
Description: This function takes two arguments of type bea:Object and returns a boolean that indicates whether the first bea:Object contains all of the second bea:Object as determined by Collection.containsAll(). Both bea:Objects must implement java.util.Collection, else the evaluation is indeterminate.


String Comparisons and Manipulations

Table A-12 lists the functions that Oracle provides to compare and manipulate strings.

Table A-12 WebLogic Server String Comparisons and Manipulations
Function Description
string-char-at URI: urn:bea:xacml:2.0:function:string-char-at
Input Type: string, integer
Return Type: bea:Character
Description: This function takes two arguments of type string and integer, locates the character at the position in the string indicated by the integer, and returns that character as a bea:Character.
string-compare-to-ignore-case URI: urn:bea:xacml:2.0:function:string-compare-to-ignore-case
Input Type: string, string
Return Type: integer
Description: This function takes two arguments of type string and returns an integer that indicates how the two string arguments compare:

  • 0 if the strings are identical

  • Less than 0 if the first string lexically precedes the second string

  • Greater than 0 if the first string lexically follows the second string
Comparisons are performed without considering case.
string-contains URI: urn:bea:xacml:2.0:function:string-contains
Input Type: string, string
Return Type: boolean
Description: This function takes two arguments of type string and returns a boolean value that indicates whether the first string contains the value of the second string as a substring.
string-starts-with URI: urn:bea:xacml:2.0:function:string-starts-with
Input Type: string, string
Return Type: boolean
Description: This function takes two arguments of type string and returns a boolean value that indicates whether the first string value starts with the value of the second string.
string-ends-with URI: urn:bea:xacml:2.0:function:string-ends-with
Input Type: string, string
Return Type: boolean
Description: This function takes two arguments of type string and returns a boolean that indicates whether the first string value ends with the value of the second string.
string-length URI: urn:bea:xacml:2.0:function:string-length
Input Type: string
Return Type: integer
Description: This function takes a single argument of type string and returns an integer that indicates the length of the string value.
string-replace URI: urn:bea:xacml:2.0:function:string-replace
Input Type: string, bea:Character, bea:Character
Return Type: string
Description: This function takes three arguments of type string, bea:Character, and bea:Character, replaces in the string all instances of the first bea:Character value with the value of the second bea:Character, and returns the result as a string.
string-substring URI: urn:bea:xacml:2.0:function:string-substring
Input Type: string, integer, integer
Return Type: string
Description: This function takes three arguments of type string, integer, and integer, and returns a string that is the substring of the string argument from and including the index of the first integer argument to but excluding the index of the second integer argument.
string-normalize-to-upper-case URI: urn:bea:xacml:2.0:function:string-normalize-to-upper-case
Input Type: string
Return Type: string
Description: This function takes a single argument of type string, normalizes it to upper case, and returns the result as a string.



Rule and Policy-Combining Algorithm

If multiple PolicySets apply to a decision, their results are combined using the following algorithm:

urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
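The following policy is an added example, not taken from the Oracle reference, that shows the string-to-integer conversion from Table A-8 and the string-normalize-to-upper-case and string-ends-with functions from Table A-12 inside a Policy whose rules are combined with deny-overrides. The subject attribute id urn:example:subject:clearance, the threshold value 3, and the domain suffix are placeholders chosen for the example; the subject-id attribute and the integer-less-than and string-one-and-only functions are standard XACML.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the Oracle reference. Assumes a custom string-typed
     subject attribute urn:example:subject:clearance (for instance "2") is
     supplied in the request; that attribute id is a placeholder. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:clearance-and-domain"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <!-- An empty Target means both rules are evaluated for every request that reaches this policy. -->
  <Target/>

  <!-- Rule 1: Deny when the string clearance attribute, converted with the
       WebLogic string-to-integer extension (Table A-8), is below 3. -->
  <Rule RuleId="deny-low-clearance" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
        <Apply FunctionId="urn:bea:xacml:2.0:function:string-to-integer">
          <!-- Designators return bags; string-one-and-only unwraps the single value. -->
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <SubjectAttributeDesignator
                AttributeId="urn:example:subject:clearance"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: Permit when the subject id, normalized to upper case, ends with
       "@EXAMPLE.COM" (both functions are WebLogic extensions from Table A-12). -->
  <Rule RuleId="permit-corporate-domain" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:bea:xacml:2.0:function:string-ends-with">
        <Apply FunctionId="urn:bea:xacml:2.0:function:string-normalize-to-upper-case">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">@EXAMPLE.COM</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Because the rules are combined with deny-overrides, a request whose clearance attribute is missing or not numeric makes the Deny rule Indeterminate, and the policy evaluates to Deny instead of falling through to the Permit rule.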