JSON Profile of XACML 3.0 Version 1.1
Committee Specification Draft 01 /
Public Review Draft 01
24 August 2018
Specification URIs
This version:
http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/csprd01/xacml-json-http-v1.1-csprd01.doc (Authoritative)
http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/csprd01/xacml-json-http-v1.1-csprd01.html
http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/csprd01/xacml-json-http-v1.1-csprd01.pdf
Previous version:
N/A
Latest version:
http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/xacml-json-http-v1.1.doc (Authoritative)
http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/xacml-json-http-v1.1.html
http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/xacml-json-http-v1.1.pdf
Technical Committee:
OASIS eXtensible Access Control Markup Language (XACML) TC
Chairs:
Hal Lockhart (hal.lockhart@oracle.com), Oracle
Bill Parducci (bill@parducci.net), Individual
Editors:
David Brossard (david.brossard@axiomatics.com), Axiomatics AB
Steven Legg (steven.legg@viewds.com), Individual
Related work:
This specification replaces or supersedes:
This specification is related to:
· eXtensible Access Control Markup Language (XACML) Version 3.0 Plus Errata 01. Edited by Erik Rissanen. 12 July 2017. OASIS Standard incorporating Approved Errata. http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os-complete.html. Latest version: http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.html.
Abstract:
The aim of this profile is to define a standardized interface between a policy enforcement point and a policy decision point using JSON. The decision request and response structure is specified in the core XACML specification. This profile leverages it.
Status:
This document was last revised or approved by the OASIS eXtensible Access Control Markup Language (XACML) TC on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document. Any other numbered Versions and other technical work produced by the Technical Committee (TC) are listed at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#technical.
TC members should send comments on this specification to the TC’s email list. Others should send comments to the TC’s public comment list, after subscribing to it by following the instructions at the “Send A Comment” button on the TC’s web page at https://www.oasis-open.org/committees/xacml/.
This specification is provided under the RF on Limited Terms Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (https://www.oasis-open.org/committees/xacml/ipr.php).
Note that any machine-readable content (Computer Language Definitions) declared Normative for this Work Product is provided in separate plain text files. In the event of a discrepancy between any such plain text file and display content in the Work Product's prose narrative document(s), the content in the separate plain text file prevails.
Citation format:
When referencing this specification the following citation format should be used:
[xacml-json-v1.1]
JSON Profile of XACML 3.0 Version 1.1. Edited by David Brossard and Steven Legg. 24 August 2018. OASIS Committee Specification Draft 01 / Public Review Draft 01. http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/csprd01/xacml-json-http-v1.1-csprd01.html. Latest version: http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/xacml-json-http-v1.1.html.
Notices
Copyright © OASIS Open 2018. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.
The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above guidance.
Table of Contents
3 Overview of the translation mechanisms
3.3.3 The xpathExpression Datatype
4.2 Representation of the XACML request in JSON
4.2.1 The Request object representation
4.2.2 The Category object representation
4.2.2.1 Shorthand notation for standard XACML categories
4.2.2.2 Default Category objects
4.2.3 The Content object representation
4.2.4 The Attribute object representation
4.2.5 The MultiRequests object representation
4.2.6 The RequestReference object representation.
5.2 Representation of the XACML response in JSON
5.2.1 The Result object representation
5.2.2 The Status object representation
5.2.3 The MissingAttributeDetail object
5.2.4 The StatusCode object representation
5.2.5 The ObligationOrAdvice object representation
5.2.6 The AttributeAssignment object representation
5.2.7 The PolicyIdentifierList object representation
5.2.8 The IdReference object representation
7.7 Interoperability Considerations
7.8 Applications which use this media type.
7.11 Macintosh File Type Code(s)
8.3 Request for Multiple Decisions Example
8.4 Multiple Decisions Response Example
{Non-normative}
The XACML architecture promotes a loose coupling between the component that enforces decisions, the policy enforcement point (PEP), and the component that decides based on XACML policies, the policy decision point (PDP).
The XACML standard defines the format of the request and the response between the PEP and the PDP. As the default representation of XACML is XML and is backed by a schema, the request and response are typically expressed as XML elements or documents. Depending on the PDP implementation, the request and response could be embedded inside a SOAP message or even a SAML assertion as described in the SAML profile of XACML.
With the rise in popularity of APIs and its consumerization, it becomes important for XACML to be easily understood in order to increase the likelihood it will be adopted.
This profile aims at defining a JSON format for the XACML request and response. It also defines the transport between client (PEP) and service (PDP).
In writing this document, the authors have kept three items in mind:
This specification is provided under the RF on Limited Terms Mode of the OASIS IPR Policy, the mode chosen when the Technical Committee was established. For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (https://www.oasis-open.org/committees/xacml/ipr.php).
Array
An ordered sequence of zero or more JSON elements.
Element
In JSON, a value; either a JSON primitive type, an object or an array.
Member
A name/value pair in a JSON object.
Object
In JSON, an unordered collection of zero or more members.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
[RFC4627] D. Crockford, The application/json Media Type for JavaScript Object Notation (JSON), http://tools.ietf.org/html/rfc4627, IETF RFC 4627, July 2006.
[XACMLMDP] XACML v3.0 Multiple Decision Profile Version 1.0. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-en.doc
[RFC8259] T.Bray, Ed., The JavaScript Object Notation (JSON) Data Interchange Format, https://tools.ietf.org/html/rfc8259, IETF RFC 8259, December 2017.
[NAMESPACES] Bray, Tim, et.al. eds, Namespaces in XML 1.0 (Third Edition), W3C Recommendation 8 December 2009, available at http://www.w3.org/TR/2009/REC-xml-names-20091208/
[XML] Bray, Tim, et.al. eds, Extensible Markup Language (XML) 1.0 (Fifth Edition), W3C Recommendation 26 November 2008, available at http://www.w3.org/TR/2008/REC-xml-20081126/
[XMLDatatypes] Biron, Paul et al. Eds, XML Schema Part 2: Datatypes Second Edition, W3C Recommendation 28 October 2004, available at http://www.w3.org/TR/xmlschema-2/
[XPATH] James Clark and Steve DeRose, XML Path Language (XPath), Version 1.0, W3C Recommendation 16 November 1999. Available at: http://www.w3.org/TR/xpath
[IEEE754] Institute of Electrical and Electronics Engineers, "Standard for Floating-Point Arithmetic", IEEE Standard 754, August 2008.
[XACMLREST] REST Profile of XACML v3.0 Version 1.0. Edited by Rémon Sinnema. Latest version: http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.doc.
[HTTP] Hypertext Transfer Protocol. June 1999. IETF RFC 2616. http://tools.ietf.org/html/rfc2616
[HTTPS] HTTP over TLS. May 2000. IETF RFC 2818. http://tools.ietf.org/html/rfc2818
[BASE64] The Base16, Base32, and Base64 Data Encodings. October 2006. IETF RFC 4648. http://tools.ietf.org/html/rfc4648
{Non-normative}
XML introduces the notion of elements. The equivalent notion in JSON is an object. XML introduces the notion of attributes. The equivalent notion in JSON is a member.
To avoid bloating the JSON request and response, certain parts of a request and response have default values which can then be omitted. As an example, the default value for the data-type of an attribute value is String (http://www.w3.org/2001/XMLSchema#string).
The user should refer to the XACML 3.0 specification document [XACML30] for a normative definition of the request and response elements.
Unless otherwise stated, JSON member names MUST match the XACML XML element and/or attribute names exactly, including case.
The following XML elements and attributes have been renamed:
The order of the objects and values in XACML does not matter. Therefore, the order of objects and values in the serialized form (JSON) does not matter.
When in the XACML specification an XML element occurs zero or more times, the JSON equivalent is an optional member with an array for the value. The array MAY be empty and this case is semantically equivalent to the member being omitted from the containing object.
When in the XACML specification an XML element occurs one or more times, the JSON equivalent is a mandatory member with an array for the value. The array MUST have at least one element.
The class diagram in section 4.1. Class Diagram states the cardinality and relationship between kinds of objects.
The JSON null value is not permitted, including as an element in an array. If an optional, non-array member has no value then it MUST be omitted from the containing object. A mandatory, non-array member MUST have a non-null value.
This section defines how data-types are represented and handled in the JSON representation. Chapter 10, section 10.2.7 in the XACML 3.0 specification as well as section A.2 list the data-types that are defined in XACML. These are listed in the table below in section 3.3.1. It lists the shorthand value that MAY be used when creating a XACML attribute in the JSON representation.
The full XACML data type URI can also be used in JSON as the JSON shorthand type codes are a convenience, not a replacement.
It is also possible to omit the JSON "DataType" member for certain XACML data types when it can safely be inferred from the value of the attribute as shown in Table 1.
Table 1. JSON shorthand and rules of inference for XACML data types.
XACML data type identifier |
JSON shorthand type code |
Mapping / Inference Rule |
http://www.w3.org/2001/XMLSchema#string |
string |
JSON string |
http://www.w3.org/2001/XMLSchema#boolean |
boolean |
JSON boolean |
http://www.w3.org/2001/XMLSchema#integer |
integer |
JSON number with no fractional portion and within the integer range defined by the XML schema in [XMLDatatypes]. |
http://www.w3.org/2001/XMLSchema#double |
double |
JSON number with fractional portion or out of integer range as defined in [XMLDatatypes]. |
http://www.w3.org/2001/XMLSchema#time |
time |
None – inference must fail. |
http://www.w3.org/2001/XMLSchema#date |
date |
None – inference must fail. |
http://www.w3.org/2001/XMLSchema#dateTime |
dateTime |
None – inference must fail. |
http://www.w3.org/2001/XMLSchema#dayTimeDuration |
dayTimeDuration |
None – inference must fail. |
http://www.w3.org/2001/XMLSchema#yearMonthDuration |
yearMonthDuration |
None – inference must fail. |
http://www.w3.org/2001/XMLSchema#anyURI |
anyURI |
None – inference must fail. |
http://www.w3.org/2001/XMLSchema#hexBinary |
hexBinary |
None – inference must fail. |
http://www.w3.org/2001/XMLSchema#base64Binary |
base64Binary |
None – inference must fail. |
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name |
rfc822Name |
None – inference must fail. |
urn:oasis:names:tc:xacml:1.0:data-type:x500Name |
x500Name |
None – inference must fail. |
urn:oasis:names:tc:xacml:2.0:data-type:ipAddress |
ipAddress |
None – inference must fail. |
urn:oasis:names:tc:xacml:2.0:data-type:dnsName |
dnsName |
None – inference must fail. |
urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression |
xpathExpression |
None – inference must fail |
For all of the XACML data types that cannot be inferred from the value, the following MUST be observed:
In the case of an array of two or more values, and if the "DataType" member is not specified, it may not be possible to infer the "DataType" until all the values have been inspected.
Inference for multiple values works according to the inference rules as set in section 3.3.1. If a given data type cannot be inferred and there is no "DataType" member specified then the array of values will be considered as an array of string.
If an array of values contains integers and doubles only (excluding non-numerical values), then the inference will make the array an array of double.
Any other combination of values will make the inference fail and the array will be considered as an array of string.
Values of the xpathExpression data-type are represented as JSON objects. Each such object contains the following members:
Table 2 - Members of the xPathExpression Datatype
Member name |
Type |
Mandatory/Optional |
Default value |
"XPathCategory" |
A string containing a URI or the shorthand notation defined in section 4.2.2.1 |
Mandatory |
None |
"Namespaces" |
An array of NamespaceDeclaration objects |
Optional |
None |
"XPath" |
String |
Mandatory |
None |
The "XPath" member contains the XPath expression [XPATH] from the XACML value. The "Namespaces" member contains namespace declarations for interpreting qualified names [NAMESPACES] in the XPath expression.
A NamespaceDeclaration object contains the following members:
Table 3 - Members of the NamespaceDeclaration Datatype
Member name |
Type |
Mandatory/Optional |
Default value |
"Prefix" |
String |
Optional |
None |
"Namespace" |
A string containing a URI |
Mandatory |
None |
Each NamespaceDeclaration object describes a single XML namespace declaration [NAMESPACES]. The "Prefix" member contains the namespace prefix and the "Namespace" member contains the namespace name. In the case of a namespace declaration for the default namespace the "Prefix" member SHALL be absent.
The "Namespaces" array MUST contain a NamespaceDeclaration object for each of the namespace prefixes used by the XPath expression. The "Namespaces" array MAY contain additional NamespaceDeclaration objects for namespace prefixes that are not used by the XPath expression. There SHALL NOT be more than one NamespaceDeclaration object for the same namespace prefix.
{Non-normative}
This example shows the XML representation of an XACML attribute with a value of the xpathExpression data-type and its corresponding representation in JSON.
As XML:
<Attribute xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector">
<AttributeValue
xmlns:md="urn:example:med:schemas:record"
XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
>md:record/md:patient/md:patientDoB</AttributeValue>
</Attribute>
As JSON:
{
"Attribute":{
"AttributeId":"urn:oasis:names:tc:xacml:3.0:content-selector",
"DataType":"xpathExpression",
"Value":{
"XPathCategory":
"urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
"Namespaces":[{
"Namespace":
"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
},{
"Prefix":"md",
"Namespace":"urn:example:med:schemas:record"
}],
"XPath":"md:record/md:patient/md:patientDoB"
}
}
}
The following special numeric values are not supported by the profile. Should the request contain such values, the Policy Decision Point MUST reply with an Indeterminate result and a status value of urn:oasis:names:tc:xacml:1.0:status:syntax-error as defined in Appendix B, section 8 of [XACML30].
Additional behavior of the PDP when returning urn:oasis:names:tc:xacml:1.0:status:syntax-error is specified in sections 5.57 and B.8 of [XACML30].
{Non-normative}
The example below illustrates equivalent possible notations:
Table 4 - Equivalent examples
Representation explicitly stating the data-type |
Representation omitting the data-type |
{ "Attribute":[{ "AttributeId":"document-id" "DataType":"integer" } |
{ "Attribute":[{ "AttributeId":"document-id" } |
The following class diagram represents the XACML request structure for the JSON representation. It is not a representation of the XACML request as expressed in XML.
The key differences are:
An XACML request is represented as an object with a single member named "Request". The value of the "Request" member is a Request object.
The Request object contains the following members:
Table 5 - Members of the Request object
Member name |
Type |
Mandatory/Optional |
Default value |
"ReturnPolicyIdList" |
Boolean |
Optional |
false |
"CombinedDecision" |
Boolean |
Optional |
false |
"XPathVersion" |
String |
Mandatory if the XACML request contains XPath expressions; otherwise, optional. |
None |
"Category" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"Resource" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"Action" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"Environment" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"AccessSubject" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"RecipientSubject" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"IntermediarySubject" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"CodeBase" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"RequestingMachine" |
An array of Category objects |
Optional, but see section 4.2.2.2. |
None |
"MultiRequests" |
A MultiRequests object |
Optional |
None |
The Category object corresponds to the XML <Attributes> element. Just like the <Attributes> element is specific to a given XACML attribute category, the Category object in JSON is specific to a given XACML attribute category.
The MultiRequests object serves to support the Multiple Decision Profile [XACMLMDP].
The representation of these objects is elicited in the following relevant sections.
Note that, in the XACML XML schema, the XML Request element contains a <RequestDefaults> element. To simplify things and since the <RequestDefaults> element contains a single <XPathVersion> element with a single value, the <RequestDefaults> element was flattened into a single member called "XPathVersion" as mentioned in the above table.
{Non-normative}
{
"Request":{
"Category":[…],
"XPathVersion":"http://www.w3.org/TR/1999/REC-xpath-19991116"
}
}
The Category object contains the following members:
Table 6 - Members of the Category object
Member name |
Type |
Mandatory/Optional |
Default value |
"CategoryId" |
A string containing a XACML category URI or the shorthand notation defined in section 4.2.2.1 |
Mandatory for a Category object in the "Category" member array; otherwise, optional. See section 4.2.2.2. |
None |
"Id" |
String |
Optional |
None |
"Content" |
String. The value must be escaped or encoded as explained in section 4.2.3. |
Optional |
None |
"Attribute" |
An array of Attribute objects |
Optional |
None |
The Attribute object is defined in section 4.2.4, The Attribute object representation.
The Category object is the equivalent of the <Attributes> element in the XACML XML representation.
The structure and default values for the aforementioned are elicited in the following relevant sections.
The following table defines a shorthand notation for the standard categories defined in [XACML30].
Table 7 - Shorthand notation for standard XACML categories
Identifier |
Short name |
urn:oasis:names:tc:xacml:3.0:attribute-category:resource |
Resource |
urn:oasis:names:tc:xacml:3.0:attribute-category:action |
Action |
urn:oasis:names:tc:xacml:3.0:attribute-category:environment |
Environment |
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject |
AccessSubject |
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject |
RecipientSubject |
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject |
IntermediarySubject |
urn:oasis:names:tc:xacml:1.0:subject-category:codebase |
Codebase |
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine |
RequestingMachine |
The shorthand notation MAY be used as described in sections 4.2.2.2 and 4.2.2.
Category objects in the "Category" member array relate to various XACML attribute categories as indicated by their individual "CategoryId" member, which is a mandatory member only for these Category objects. To simplify the JSON representation, this profile also defines other members (of the Request object) with an array of Category objects for the value where the member names correspond to the short names defined in section 4.2.2.1. The Category objects in these arrays assume a default value for their "CategoryId" member, i.e., the short name of the containing member, so that it need not be explicitly written. The "CategoryId" member is optional for these Category objects, but if it is provided the value MUST be the same as the short name of the containing member.
The members with the short names have array values in order to cater for multiple decision requests as defined in [XACMLMDP].
The Request object MUST contain at least one Category object in one of its members.
{Non-normative}
{
"Request":{
"Category":[{
"CategoryId":"custom-category",
"Attribute":[…]
},{
"CategoryId":"another-custom-cat",
"Attribute":[…]
}],
"AccessSubject":[{
"Attribute":[…]
}],
"Action":[{
"Attribute":[…]
},{
"Attribute":[…]
}]
}
}
There are two possible ways to represent the XML content of a XACML request in the JSON representation: XML escaping or Base64 encoding. The request parser must determine whether XML escaping or Base 64 encoding is used. There are no members in the JSON request to indicate which is used.
In both cases, any XML content sent in a JSON request MUST include all namespace definitions needed to parse that content.
The value of the "Content" member is a string which MUST contain an XML payload per the XACML specification.
XML content must be escaped before being inserted into the JSON request. JSON dictates double quotes (") be escaped using a backslash (\). This profile therefore follows this behavior.
In addition, since the XML content could itself contain backslashes and possibly the sequence \", it is important to also escape backslashes.
In the case of Base64 encoding, the XML content shall be converted to its Base64 representation as per [BASE64].
{Non-normative}
The following is an example using XML escaping as defined in 4.2.3.1.
{
"Request":{
"AccessSubject":[{
"Content": "<?xml version=\"1.0\"?><catalog><book id=\"bk101\"><author>Gambardella, Matthew</author><title>XML Developer's Guide</title><genre>Computer</genre><price>44.95</price><publish_date>2000-10-01</publish_date><description>An in-depth look at creating applications with XML.</description></book></catalog>"
}]
}
}
The following is an example using Base64 encoding as defined in 4.2.3.2.
{
"Request":{
"AccessSubject":[{
"Content": "PD94bWwgdmVyc2lvbj0iMS4wIj8+DQo8Y2F0YWxvZz48Ym9vayBpZD0iYmsxMDEiPjxhdXRob3I+R2FtYmFyZGVsbGEsIE1hdHRoZXc8L2F1dGhvcj48dGl0bGU+WE1MIERldmVsb3BlcidzIEd1aWRlPC90aXRsZT48Z2VucmU+Q29tcHV0ZXI8L2dlbnJlPjxwcmljZT40NC45NTwvcHJpY2U+PHB1Ymxpc2hfZGF0ZT4yMDAwLTEwLTAxPC9wdWJsaXNoX2RhdGU+PGRlc2NyaXB0aW9uPkFuIGluLWRlcHRoIGxvb2sgYXQgY3JlYXRpbmcgYXBwbGljYXRpb25zIHdpdGggWE1MLjwvZGVzY3JpcHRpb24+PC9ib29rPjwvY2F0YWxvZz4="
}]
}
}
The Attribute object contains the following members:
Table 8 - Members of the Attribute Object
Member name |
Type |
Mandatory/ Optional |
Default value |
"AttributeId" |
A string containing a XACML attribute URI |
Mandatory |
None |
"Value" |
An array of elements of the same type; either string, boolean, number (which maps to either a XACML integer or double as defined in Supported Data Types) or object. |
Mandatory |
None |
"Issuer" |
String |
Optional |
None |
"DataType" |
A string containing a XACML data type URI or the shorthand notation defined in section 3.3.1 |
Optional |
The default value will be http://www.w3.org/2001/XMLSchema#string unless the data type can be safely assumed to be otherwise according to the rules set in sections 3.3.1 and 3.3.2. |
"IncludeInResult" |
Boolean |
Optional |
false |
{Non-normative}
{
"Attribute":[{
"AttributeId":"urn:oasis:names:tc:xacml:2.0:subject:role",
"Value":["manager","administrator"]
}]
}
The MultiRequests object is optional in the JSON representation of XACML. Its purpose is to support the Multiple Decision Profile [XACMLMDP]. The MultiRequests object contains the following members:
Table 9 - Members of the MultiRequests object
Member name |
Type |
Mandatory/Optional |
Default value |
"RequestReference" |
An array of one or more RequestReference objects |
Mandatory |
None |
The RequestReference object contains the following members:
Table 10 - Members of the RequestReference object
Member name |
Type |
Mandatory/Optional |
Default value |
"ReferenceId" |
An array of one or more strings. Each string MUST be the value of a Category object’s "Id" member. |
Mandatory |
None |
{
"MultiRequests":{
"RequestReference":[{
"ReferenceId":["foo1","bar1"]
},{
"ReferenceId":["foo2","bar1"]
},{
"ReferenceId":["foo3","bar1"]
}]
}
}
An XACML response is represented as an object with a single, mandatory member named "Response". The value of the "Response" member is an array of one or more Result objects. There is no Response object as such. Instead it is replaced by the value of what would otherwise be its only member, an array of Result objects. This eliminates the nesting of <Result> elements in the <Response> element introduced in XACML’s XML schema.
The Result object representation is detailed hereafter.
The Result object contains the following members:
Table 11 - Members of the Result object
Member name |
Type |
Mandatory/Optional |
Default value |
"Decision" |
String. There are only 4 valid values: "Permit", "Deny", "NotApplicable", and "Indeterminate". The values are case-sensitive. |
Mandatory |
None |
"Status" |
A Status object |
Optional |
None |
"Obligations" |
An array of ObligationOrAdvice objects |
Optional |
None |
"AssociatedAdvice" |
An array of ObligationOrAdvice objects |
Optional |
None |
"Category" |
An array of Category objects |
Optional |
None |
"PolicyIdentifierList" |
A PolicyIdentifierList object |
Optional |
None |
The JSON representation of the <Attributes> element in a XACML response is identical to the representation defined in section 4.2.2 The Category object representation.
The Status object contains the following members:
Table 12 - Members of the Status object
Member name |
Type |
Mandatory/Optional |
Default value |
"StatusMessage" |
String |
Optional |
None |
"StatusDetail" |
An array of JSON values |
Optional |
None |
"StatusCode" |
A StatusCode object |
Optional |
None |
The StatusDetail array MAY contain arbitrary XML within strings, in which case the XML content must be escaped using the same technique as specified in section 4.2.3, The Content object representation.
The StatusDetail array MAY contain MissingAttributeDetail objects.
The MissingAttributeDetail object in JSON contains the following members:
Table 13 - Members of the MissingAttributeDetail object
Member name |
Type |
Mandatory / Optional |
Default value |
"AttributeId" |
A string containing a XACML attribute URI |
Mandatory |
None |
"Value" |
An array of elements of the same type; either string, boolean, number (which maps to either a XACML integer or double as defined in Supported Data Types) or object. |
Optional |
None |
"Issuer" |
String |
Optional |
None |
"DataType" |
A string containing a XACML data type URI or the shorthand notation defined in section 3.3.1 |
Optional |
The default value will be http://www.w3.org/2001/XMLSchema#string unless the data type can be safely assumed to be otherwise according to the rules set in sections 3.3.1 and 3.3.2. |
"Category" |
A string containing a XACML category URI or the shorthand notation defined in section 4.2.2.1 |
Mandatory |
None |
The StatusCode object in JSON contains the following members:
Table 14 - Members of the StatusCode object
Member name |
Type |
Mandatory/Optional |
Default value |
"Value" |
A string containing a XACML status code URI |
Optional |
"urn:oasis:names:tc:xacml:1.0:status:ok" |
"StatusCode" |
A StatusCode object |
Optional |
None |
Note that the StatusCode object may contain a "StatusCode" member – hence potentially creating a recursive nesting of StatusCode objects.
{Non-normative}
{
"Response":[{
"Decision": "Permit"
"Status":{
"StatusCode":{
"Value": "http://example.com"
}
}
}]
}
The ObligationOrAdvice object contains the following members:
Table 15 - Members of the ObligationOrAdvice object
Member name |
Type |
Mandatory/Optional |
Default value |
"Id" |
A string containing a XACML obligation or advice URI |
Mandatory |
None |
"AttributeAssignment" |
An array of AttributeAssignment objects |
Optional |
None |
Note that the ObligationOrAdvice object maps to either an <Advice> or an <Obligation> element in the XACML XML representation. While in the XML representation, each element has an attribute called AdviceId or ObligationId respectively, in the JSON representation, the naming has been harmonized to "Id".
The AttributeAssignment object contains the following members:
Table 16 - Members of the AttributeAssignment object
Member name |
Type |
Mandatory/Optional |
Default value |
"AttributeId" |
A string containing a XACML attribute URI |
Mandatory |
None |
"Value" |
Variable |
Mandatory |
None |
"Category" |
A string containing a XACML category URI or the shorthand notation defined in section 4.2.2.1 |
Optional |
None |
"DataType" |
A string containing a XACML data type URI or the shorthand notation defined in section 3.3.1 |
Optional |
The default value depends on the inference rules defined in Supported Data Types. |
"Issuer" |
String |
Optional |
None |
The PolicyIdentifierList object contains the following members:
Table 17 - Members of the PolicyIdentifierList object
Member name |
Type |
Mandatory/Optional |
Default value |
"PolicyIdReference" |
An array of IdReference objects |
Optional |
None |
"PolicySetIdReference" |
An array of IdReference objects |
Optional |
None |
The IdReference object representation contains the following members:
Table 18 - Members of the IdReference object
Member name |
Type |
Mandatory/Optional |
Default value |
"Id" |
A string containing a XACML policy or policy set URI. Represents the value stored inside the XACML XML <PolicyIdReference> or <PolicySetIdReference> element. |
Mandatory |
None |
"Version" |
String |
Optional |
None |
The XACML request represented in its JSON format MAY be carried from a PEP to a PDP via an HTTP [HTTP] request as defined in the REST profile of XACML [XACMLREST].
HTTP Headers which may be used are:
{Non-normative}
The use of SSL/TLS [HTTPS] is RECOMMENDED to protect requests and responses as they are transferred across the network.
The following section defines the information required by IANA when applying for a new media type.
application
xacml+json
None.
version: The version parameter indicates the version of the XACML specification. Its range is the range of published XACML versions. As of this writing that is: 1.0, 1.1, 2.0, and 3.0. These and future version identifiers are of the form x.y, where x and y are decimal numbers with no leading zeros, with x being positive and y being non-negative.
Same as for application/xml [RFC4627].
Per their specification, application/xacml+json typed objects do not contain executable content.
XACML requests and responses contain information for which integrity and authenticity are important.
To counter potential issues, the publisher may use the transport layer’s security mechanisms to secure
xacml+json typed objects when they are in transit. For instance HTTPS, offers means to ensure the confidentiality and authenticity of the publishing party and the protection of the request/response in transit.
XACML 3.0 uses the urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 XML namespace URI. XACML 2.0 uses the urn:oasis:names:tc:xacml:2.0:policy XML namespace URI.
Potentially any application implementing XACML, as well as those applications implementing specifications based on XACML or those applications requesting an authorization decision from a XACML implementation.
Per [RFC4627], this section is not applicable.
Per [RFC4627], .json.
Text
Common
{Non-normative}
{Non-normative}
The following is a sample XACML request expressed in JSON.
{
"Request":{
"AccessSubject":[{
"Attribute":[{
"AttributeId":"subject-id",
"Value":"Andreas"
},{
"AttributeId":"location",
"Value":"Gamla Stan"
}]
}],
"Action":[{
"Attribute":[{
"AttributeId":"action-id",
"Value":"http://example.com/buy",
"DataType":"anyURI"
}]
}],
"Resource":[{
"Attribute":[{
"AttributeId":"book-title",
"Value":"Learn German in 90 days"
},{
"AttributeId":"currency",
"Value": "SEK"
},{
"AttributeId":"price",
"Value": 123.34
}]
}]
}
}
{Non-normative}
The following is a sample XACML response expressed in JSON.
{
"Response":[{
"Decision":"Permit"
}]
}
{Non-normative}
The following is a sample XACML request for multiple decisions expressed in JSON.
{
"Request":{
"AccessSubject":[{
"Id":"s1",
"Attribute":[{
"AttributeId":"com.acme.user.employeeId",
"Value":"Alice"
}]
}],
"Resource":[{
"Id":"r1",
"Attribute":[{
"AttributeId":"com.acme.object.objectType",
"Value":"record"
},{
"AttributeId":"com.acme.record.recordId",
"Value":"126",
"IncludeInResult":true
}]
},{
"Id":"r2",
"Attribute":[{
"AttributeId":"com.acme.object.objectType",
"Value":"record"
},{
"AttributeId":"com.acme.record.recordId",
"Value":"125",
"IncludeInResult":true
}]
}],
"Action":[{
"Id":"a1",
"Attribute":[{
"AttributeId":"com.acme.action.actionId",
"Value":"view",
"IncludeInResult":true
}]
},{
"Id":"a2",
"Attribute":[{
"AttributeId":"com.acme.action.actionId",
"Value":"edit",
"IncludeInResult":true
}]
},{
"Id":"a3",
"Attribute":[{
"AttributeId":"com.acme.action.actionId",
"Value":"delete",
"IncludeInResult":true
}]
}],
"MultiRequests":{
"RequestReference":[{
"ReferenceId":[
"s1",
"a1",
"r1"
]
},{
"ReferenceId":[
"s1",
"a2",
"r1"
]
}]
}
}
}
{Non-normative}
The following is a sample XACML response to a request for multiple decisions expressed in JSON.
{
"Response":[{
"Decision":"Deny",
"Status":{
"StatusCode":{
"Value":"urn:oasis:names:tc:xacml:1.0:status:ok",
"StatusCode":{
"Value":"urn:oasis:names:tc:xacml:1.0:status:ok"
}
}
},
"Category":[{
"CategoryId":
"urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
"Attribute":[{
"AttributeId":"com.acme.record.recordId",
"Value":"126",
"DataType":"http://www.w3.org/2001/XMLSchema#string"
}]
},{
"CategoryId":
"urn:oasis:names:tc:xacml:3.0:attribute-category:action",
"Attribute":[{
"AttributeId":"com.acme.action.actionId",
"Value":"view",
"DataType":"http://www.w3.org/2001/XMLSchema#string"
}]
}]
},{
"Decision":"Deny",
"Status":{
"StatusCode":{
"Value":"urn:oasis:names:tc:xacml:1.0:status:ok",
"StatusCode":{
"Value":"urn:oasis:names:tc:xacml:1.0:status:ok"
}
},
"Category":[{
"CategoryId":
"urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
"Attribute":[{
"AttributeId":"com.acme.record.recordId",
"Value":"126",
"DataType":"http://www.w3.org/2001/XMLSchema#string"
}]
},{
"CategoryId":
"urn:oasis:names:tc:xacml:3.0:attribute-category:action",
"Attribute":[{
"AttributeId":"com.acme.action.actionId",
"Value":"edit",
"DataType":"http://www.w3.org/2001/XMLSchema#string"
}]
}]
}]
}
An implementation may conform to this profile if and only if both the XACML request and the response are correctly encoded into JSON as previously described in sections 3 through 5 and follows the transport requirements as specified in section 6.
The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Participants:
· Cyril Dangerville, Thales Group
· Rich Levinson, Oracle
· Hal Lockhart, Oracle
· Bill Parducci,
· Erik Rissanen, Axiomatics
· Anil Saldhana, Red Hat
· Remon Sinnema, EMC
· Danny Thorpe, Dell
· Paul Tyson, Bell Helicopters
Revision |
Date |
Editor |
Changes Made |
WD 01 |
2 Jul 2012 |
David Brossard |
Initial working draft |
WD 02 |
9 Jul 2012 |
David Brossard |
Integrated comments from XACML list. Enhanced the section on data-types. Added a class diagram for clarity. Changed tense to present. Removed overly explicit comparisons with XML representation. |
WD 03 |
19 Jul 2012 |
David Brossard |
Started work on the XACML response |
WD 04 |
20 Aug 2012 |
David Brossard |
Finalized work on the XACML response, added a note on HTTPS. Restructured the document to extract paragraphs common to the Request and Response section. |
WD 05 |
20 Sep 2012 |
David Brossard |
Took in comments from the XACML TC list (technical comments and typographical corrections) |
WD 06 |
29 Oct 2012 |
David Brossard |
Removed the Non-normative section in the appendix. Completed the conformance section. Added non-normative tags where needed. Also added a sample response example. Added the section on IANA registration. |
WD07 |
15 Nov 2012 |
David Brossard |
Removed the XPathExpression from the supported DataTypes. Fixed the examples as per Steven Legg’s email. Fixed the XML encoding of XML content as per conversations on the XACML TC list. |
WD08 |
27 Nov 2012 |
David Brossard |
Fixed the Base64 encoding section as per Erik Rissanen’s comments |
WD09 |
24 Dec 2012 |
David Brossard |
Addressed comments and fixed errors as per emails sent on the XACML TC list in December. |
WD10 |
4 Feb 2013 |
David Brossard |
Fixed the IANA registration section. Fixed inconsistent DataType spelling. DataType is always the XACML attribute and JSON property name. Data type refers to the English notion. Fixed the status XML content encoding to be consistent with the Request XML encoding technique. Fixed a non-normative section label. Fixed the formatting of JSON property names. Fixed the XACML to JSON data type inference by adding references to the relevant XML data types. |
WD11 |
5 Feb 2013 |
David Brossard |
Fixed the AttributeAssignment section |
WD12 |
10 May 2013 |
David Brossard |
Reinserted a section on the xpathExpression data type. Fixed the PolicyIdReference section (missing value). Fixed the Response example. Simplified the XPathVersion / RequestDefaults Removed unnecessary nesting in Response / Result Renamed Attributes to Category |
WD13 |
14 June 2013 |
David Brossard |
Fixed the final issue re. Category vs. Attributes. |
WD14 |
12 July 2013 |
David Brossard |
Cleaned up the documents and comments. |
WD15 |
02 September 2013 |
David Brossard |
Fixed document based on feedback from Steven Legg:
Also fixed subjective line in introduction based on email xacml-comment from David Webber. |
WD16 |
17 March 2014 |
David Brossard |
|
WD17 |
14 April 2014 |
David Brossard |
|
WD18 |
22 April 2014 |
David Brossard |
|
WD19 |
23 October 2014 |
David Brossard |
|
WD20 |
26 April 2018 |
Hal Lockhart |
|
WD21 |
24 May 2018 |
Steven Legg |
|
WD22 |
18 July 2018 |
|
|
WD23 |
15 August 2018 |
|
|