JSON support for XACML 3.0 in WSO2 Identity Server 5.5.0 onwards

Dinali Rosemin Dabarera
Mar 28, 2018

JSON is a lightweight data interchange format used in many modern techniques and services. Data in JSON format is easier for a person to read, write and understand than data in other formats. JSON is now supported with XACML 3.0 in your favorite open-source WSO2 Identity Server.

Following the Candidate OASIS Standard 01 of the JSON Profile of XACML 3.0 Version 1.0, WSO2 Identity Server 5.5.0 onwards supports this JSON format, so that users can send XACML requests as JSON via the XACML REST profile and get the response back as JSON.

Here are some important points about how XACML 3.0 requests and responses are represented in JSON:

  • Certain parts of JSON requests and responses have default values to avoid bloating.

e.g. The default data type of an attribute value is String (http://www.w3.org/2001/XMLSchema#string)

  • The XACML XML Attributes element is renamed to the Category object in JSON, so that the name of the parent element makes sense.
  • The <AttributeValue> element of the XML representation no longer exists; instead, a Value property was introduced on the Attribute object.
  • The AdviceId and ObligationId attributes of the <Advice/> and <Obligation/> XML elements, respectively, have been renamed to Id in JSON.
  • The order of objects and values in the serialized form (JSON) does not matter, just as it does not matter in XACML.
  • You can use the shortened form of identifiers instead of the URI, as follows.
  • The JSON format supports the fully qualified XACML data-type URI as well as the shortened form of the data type.
[Figure: JSON shorthand and rules of inference for XACML data types]
  • Values of the xpathExpression data-type are represented as JSON objects. Each such object contains the following properties:
  • The namespaces property should contain the following properties:

e.g. A sample JSON attribute should be formatted as follows:

{
  "Attribute": {
    "AttributeId": "urn:oasis:names:tc:xacml:3.0:content-selector",
    "DataType": "xpathExpression",
    "Value": {
      "XPathCategory": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
      "Namespaces": [{
        "Namespace": "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
      }, {
        "Prefix": "md",
        "Namespace": "urn:example:med:schemas:record"
      }],
      "XPath": "md:record/md:patient/md:patientDoB"
    }
  }
}
  • The MultiRequests object is optional in the JSON representation of XACML. Its purpose is to support the Multiple Decision Profile. WSO2 Identity Server also supports the Multiple Decision Profile in the JSON format. (I will discuss this in detail in my next blog post.)
  • The JSON Attribute object contains an array of Attribute objects. The Attribute object contains the following properties:
[Figure: Attribute object properties]
  • The result of the JSON request is represented by the decision object, in the form of a JSON object. It can have the following properties:
  • Additionally, the results can have status, obligations, associatedAdvice, category and policyIdentifierList, which are optional.

Here is a sample request and the response that you get when you try it out in WSO2 Identity Server with a deployed policy as in XACML JSON sample 1.

Request JSON:

{
  "Request": {
    "AccessSubject": {
      "Attribute": [
        {
          "AttributeId": "subject-id",
          "Value": "dinali",
          "DataType": "string",
          "IncludeInResult": true
        }
      ]
    },
    "Resource": {
      "Attribute": [
        {
          "AttributeId": "resource-id",
          "Value": "index.jsp",
          "DataType": "string",
          "IncludeInResult": true
        }
      ]
    },
    "Action": {
      "Attribute": [
        {
          "AttributeId": "action-id",
          "Value": "modify-welcome",
          "DataType": "string",
          "IncludeInResult": true
        }
      ]
    }
  }
}

Response JSON:

{
  "Response": [
    {
      "Decision": "Deny",
      "Status": {
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      },
      "AccessSubject": {
        "Attribute": [
          {
            "AttributeId": "subject-id",
            "Value": "dinali",
            "IncludeInResult": "true",
            "DataType": "string"
          }
        ]
      },
      "Resource": {
        "Attribute": [
          {
            "AttributeId": "resource-id",
            "Value": "index.jsp",
            "IncludeInResult": "true",
            "DataType": "string"
          }
        ]
      },
      "Action": {
        "Attribute": [
          {
            "AttributeId": "action-id",
            "Value": "modify-welcome",
            "IncludeInResult": "true",
            "DataType": "string"
          }
        ]
      }
    }
  ]
}
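
As an added example (not from the original post and not WSO2's own code), the Python sketch below builds a request like the sample above and evaluates a response fail-closed on the enforcement side, going slightly beyond the sample by also handling multiple results and obligations. The function names, the `Obligations`/`Id` key names and the `urn:example:obligation:audit-log` identifier are assumptions for illustration.

```python
import json

STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

def build_request(subject, resource, action):
    """Build a request shaped like the page's sample request."""
    def category(attribute_id, value):
        # DataType is left out: the profile defaults it to string.
        return {"Attribute": [{"AttributeId": attribute_id, "Value": value}]}
    return {"Request": {
        "AccessSubject": category("subject-id", subject),
        "Resource": category("resource-id", resource),
        "Action": category("action-id", action),
    }}

def is_permitted(response_text, known_obligations=frozenset()):
    """True only for an unambiguous Permit; anything else is a denial."""
    try:
        results = json.loads(response_text)["Response"]
        if isinstance(results, dict):      # tolerate a single result object
            results = [results]
        if not isinstance(results, list) or not results:
            return False
        for result in results:
            if result["Decision"] != "Permit":
                return False               # Deny, NotApplicable, Indeterminate
            # Status is optional; when present it must report "ok".
            status = result.get("Status") or {}
            if status.get("StatusCode", {}).get("Value", STATUS_OK) != STATUS_OK:
                return False
            # Assumed key names: "Obligations" holding objects with "Id".
            for obligation in result.get("Obligations", []):
                if obligation["Id"] not in known_obligations:
                    return False           # cannot discharge it, so deny
        return True
    except (ValueError, KeyError, TypeError, AttributeError):
        return False                       # malformed response: fail closed

# Constructed sample responses (the first is the page's response, shortened;
# the obligation identifier in the second is hypothetical).
DENY = '{"Response": [{"Decision": "Deny", "Status": {"StatusCode": {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"}}}]}'
PERMIT_WITH_OBLIGATION = '{"Response": [{"Decision": "Permit", "Obligations": [{"Id": "urn:example:obligation:audit-log"}]}]}'

if __name__ == "__main__":
    print(json.dumps(build_request("dinali", "index.jsp", "modify-welcome"), indent=2))
    print(is_permitted(DENY), is_permitted(PERMIT_WITH_OBLIGATION))
```
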

You can try our new XACML JSON support with the latest WUM update of Identity Server. It will help you use XACML easily in your authorization flow without any difficulty.

Enjoy XACML with JSON, and let me know your thoughts about this!

Dinali Rosemin Dabarera

Integration Consultant (IAM) @ Yenlo Nederland B.V, specialized in WSO2 IAM, an Identity Evangelist, a blogger, a nature lover, a backpacker