
I am using XACML 3.0 with Balana in my Java application. My XML schema is defined as follows:

<!-- Skeleton of the application's proposal record: one pi and a list of copi entries.
     Element content is empty here because only the structure is shown.
     (Cosmetic: the closing proposal/record tags are indented deeper than their opening tags.) -->
<record>
    <proposal>
            <proposalid></proposalid>
            <proposaltitle></proposaltitle>
            <pi>
                <fullname></fullname>
                <workemail></workemail>
                <userid></userid>
            </pi>
            <copis>
                <copi>
                    <fullname></fullname>
                    <workemail></workemail>
                    <userid></userid>
                </copi>
                <copi>
                    <fullname></fullname>
                    <workemail></workemail>
                    <userid></userid>
                </copi>
                <!-- NOTE(review): this copi uses firstname/lastname while the other two use fullname.
                     A selector such as ak:copis/ak:copi/ak:fullname would not match a copi shaped
                     like this one; presumably one of the two shapes is the intended schema. -->
                <copi>
                    <firstname></firstname>
                    <lastname></lastname>
                    <workemail></workemail>
                    <userid></userid>
                </copi>
            </copis>                
        </proposal>
    </record>

My application sends the XACML request to the PEP as follows:

<!-- Fragment of the XACML 3.0 Request: the opening Request element is not shown; its closing tag is at the end. -->
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:proposal.role" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PI</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <!-- Application-supplied XML that the content-selector below and the policy's AttributeSelector paths
         are evaluated against. The ak prefix is bound here (xmlns:ak); the policy has to bind the same
         prefix to the same URI for its ak:-qualified paths to resolve. Because the PDP parses this as
         request input, its XML parser should have DTD and external-entity processing disabled. -->
    <Content>
      <ak:record xmlns:ak="http://akpower.org">
        <ak:proposal>
          <ak:proposalid>5702a60865dbb30b09a492cf</ak:proposalid>
          <ak:proposaltitle>Proposal 11</ak:proposaltitle>
          <!-- NOTE(review): authorprofile is not part of the record schema shown above. -->
          <ak:authorprofile>
            <ak:fullname>Milson Munakami</ak:fullname>
          </ak:authorprofile>
          <!-- Exactly one pi: selectors over ak:pi/... yield a single value for this request. -->
          <ak:pi>
            <ak:fullname>Milson Munakami</ak:fullname>
            <ak:workemail>milsonmun@yahoo.com</ak:workemail>
            <ak:userid>56fee3e965dbb35ce5c900fa</ak:userid>
          </ak:pi>
          <!-- Two copi entries: selectors over ak:copis/ak:copi/... yield a two-value bag for this request.
               NOTE(review): both entries carry the same userid; presumably placeholder data. -->
          <ak:copis>
            <ak:copi>
              <ak:fullname>PS Wang</ak:fullname>
              <ak:workemail>fdsafda@yahoo.comss</ak:workemail>
              <ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
            </ak:copi>
            <ak:copi>
              <ak:fullname>Thomas Voltz</ak:fullname>
              <ak:workemail>fdsafda@yahoo.comsss</ak:workemail>
              <ak:userid>56fee3e965dbb35ce5c900fx</ak:userid>
            </ak:copi>
          </ak:copis>
        </ak:proposal>
      </ak:record>
    </Content>
    <!-- content-selector: the node the policy's AttributeSelectors are scoped to through ContextSelectorId.
         Selector paths that start with // are absolute, so this scoping does not narrow them. -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:3.0:content-selector" IncludeInResult="false">
      <AttributeValue XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression">//ak:record/ak:proposal</AttributeValue>
    </Attribute>
    <!-- Plain string resource attributes consumed by the policy; values are supplied by the application. -->
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:DeletedByPI" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTDELETED</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:proposal.section" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Whole Proposal</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:SubmittedByPI" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">NOTSUBMITTED</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:proposal.action" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Save</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

In my policy rule I have:

<!-- Obligation attached to Permit decisions. The PDP evaluates each AttributeAssignmentExpression and
     returns the result as AttributeAssignment element(s) in the Response for the PEP to act on. -->
<ObligationExpressions>
      <ObligationExpression ObligationId="sendEmail" FulfillOn="Permit">
        <!-- Static message text. -->
        <AttributeAssignmentExpression AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes</AttributeValue>
        </AttributeAssignmentExpression>
        <!-- piEmail / piFullName: the request Content has exactly one ak:pi, so each selector returns a
             one-value bag and string-one-and-only succeeds (both appear in the Response below).
             MustBePresent="false" turns a non-matching path into an empty bag instead of an error. -->
        <AttributeAssignmentExpression AttributeId="piEmail">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>        
        <AttributeAssignmentExpression AttributeId="piFullName">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:pi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>
        <!-- NOTE(review): the request Content has two ak:copi elements, so this selector yields a two-value
             bag. string-one-and-only requires a bag of exactly one value and evaluates to an error
             otherwise, which matches coPisEmail and coPisFullName being absent from the Response below.
             To return every value, place the AttributeSelector directly under the
             AttributeAssignmentExpression without the Apply wrapper: a bag-valued expression produces one
             AttributeAssignment per value, all carrying this AttributeId. The same applies to coPisFullName.
             Paths that start with // are absolute, so the ContextSelectorId scoping does not narrow them;
             with a single proposal in Content this is harmless, but a path relative to the selected node
             (ak:copis/ak:copi/ak:workemail/text()) would presumably state the intent more clearly. -->
        <AttributeAssignmentExpression AttributeId="coPisEmail">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:copis/ak:copi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>        
        <AttributeAssignmentExpression AttributeId="coPisFullName">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0:content-selector"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:copis/ak:copi/ak:fullname/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>
        </AttributeAssignmentExpression>
      </ObligationExpression>
    </ObligationExpressions>

My response is as follows:

<!-- PDP Response for the Request above: Permit, with the sendEmail obligation the PEP must fulfil. -->
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <Obligations>
      <Obligation ObligationId="sendEmail">
        <!-- NOTE(review): as shown here the assignment values sit on their own indented lines, so the
             element text carries leading/trailing whitespace; trim it before using piEmail as an
             address. Presumably this is pretty-printed output; confirm against the raw response. -->
        <AttributeAssignment  AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:text" DataType="http://www.w3.org/2001/XMLSchema#string">
          Your proposal has been updated. As soon as possible please review your proposal for any unwanted changes
        </AttributeAssignment>
        <AttributeAssignment  AttributeId="piEmail" DataType="http://www.w3.org/2001/XMLSchema#string">
          milsonmun@yahoo.com
        </AttributeAssignment>
        <AttributeAssignment  AttributeId="piFullName" DataType="http://www.w3.org/2001/XMLSchema#string">
          Milson Munakami
        </AttributeAssignment>
        <!-- No coPisEmail / coPisFullName assignments: their policy expressions apply string-one-and-only
             to a two-value bag (two ak:copi elements in the request Content), which is an error rather
             than an empty result. -->
      </Obligation>
    </Obligations>
  </Result>
</Response>

This doesn't contain any obligation values for coPisEmail and coPisFullName. Also, I am not sure how I can grab those dynamic attributes' values, and how I can use those values in my application. For example, is it going to return only one value containing all emails and full names, or is it going to return the individual values separately in the response? I think I am missing something in the function here:

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:**function:string-one-and-only**">
            <AttributeSelector MustBePresent="false"
              ContextSelectorId="urn:oasis:names:tc:xacml:3.0**:content-selector**"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              Path="//ak:pi/ak:workemail/text()" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </Apply>


There is nothing special that needs to be done in XACML to return multiple values. All attributes are bags by default. If the PDP finds multiple values for a given expression (an attribute designator or an attribute selector), it will return all of those values.

On a side note, as a best practice, try to avoid using XPath inside XACML policies, as it makes them harder to understand. XML processing should be done in the PEP or inside a PIP, and the XACML policy should remain as business-focused as possible.
