ApplicationId JSON example

The ApplicationId attribute must contain only the server part of the full policy key. The resourceUri is then retrieved from the resource-id attribute of Request.Resource and appended to the ApplicationId.

For an application resource with an Application ID /myapp and two resources, /myresource1 and /myresource2, two policy keys would be generated, /myapp/myresource1 and /myapp/myresource2.

This allows two separate policies to be evaluated within the one JSON request.

The corresponding XACML JSON would be:

{ 
    "Request": { 
        "Action": { 
            "Attribute": [ 
                { 
                    "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", 
                    "DataType": "string", "Value": "GET" 
                } 
            ] 
        },
        "Resource": [
            { 
                "Attribute": [ 
                    { 
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id", 
                        "DataType": "string", "Value": "/myresource1" 
                    } 
                ] 
            }, 
            { 
                "Attribute": [ 
                    { 
                        "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id", 
                        "DataType": "string", "Value": "/myresource2" 
                    } 
                ] 
            }
        ],
        "Environment": { 
            "Attribute": [ 
                { 
                    "AttributeId": "ApplicationId", "DataType": "string", 
                    "Value": "/myapp", 
                    "Issuer": "http://security.tivoli.ibm.com/policy/distribution" 
                } 
            ] 
        }
    } 
}

If the policy attached to /myapp/myresource1 results in a Permit decision and the policy attached to /myapp/myresource2 results in a Deny decision, the XACML JSON response would be:

{
    "Response": [
        {
            "Status": {
                "StatusCode": {
                    "Value":"urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Attribute": [
                {
                    "AttributeId":"urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "Value":"\/myresource1"
                }
            ],
            "Decision":"Permit"
        },
        {
            "Status": {
                "StatusCode": {
                    "Value":"urn:oasis:names:tc:xacml:1.0:status:ok"
                }
            },
            "Attribute": [
                {
                    "AttributeId":"urn:oasis:names:tc:xacml:1.0:resource:resource-id",
                    "Value":"\/myresource2"
                }
            ],
            "Decision":"Deny"
        }
    ]
}
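
On the enforcement side, each entry in the Response array has to be matched back to the policy key it was evaluated against before anything is allowed. The following is an added example, not part of the product or its documentation: the function names are hypothetical, and denying on a missing, duplicated or non-ok result is an assumption about how the caller should fail closed.

```python
import json

RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"

def _as_list(node):
    # A category may be a single object or an array of objects.
    if node is None:
        return []
    return node if isinstance(node, list) else [node]

def _values(categories, attribute_id):
    return [a.get("Value") for c in _as_list(categories)
            for a in _as_list(c.get("Attribute"))
            if a.get("AttributeId") == attribute_id]

def policy_keys(request_doc):
    """Map each requested resource-id to ApplicationId + resource-id."""
    req = request_doc["Request"]
    app_ids = _values(req.get("Environment"), "ApplicationId")
    if len(app_ids) != 1:
        raise ValueError("expected exactly one ApplicationId attribute")
    return {r: app_ids[0] + r for r in _values(req.get("Resource"), RESOURCE_ID)}

def decisions_by_policy_key(request_doc, response_doc):
    """Return {policy key: allowed}. Fail closed: a key is allowed only on
    one unambiguous result with Decision Permit and status ok."""
    keys = policy_keys(request_doc)
    allowed = {k: False for k in keys.values()}
    seen = set()
    for result in _as_list(response_doc.get("Response")):
        ids = _values(result, RESOURCE_ID)
        if len(ids) != 1 or ids[0] not in keys:
            continue  # cannot be tied to a requested resource
        status = result.get("Status", {}).get("StatusCode", {}).get("Value")
        ok = result.get("Decision") == "Permit" and status == STATUS_OK
        allowed[keys[ids[0]]] = ok and ids[0] not in seen  # duplicates deny
        seen.add(ids[0])
    return allowed

# Constructed sample data mirroring the request and response shown above.
REQUEST = {"Request": {
    "Resource": [{"Attribute": [{"AttributeId": RESOURCE_ID, "Value": r}]}
                 for r in ("/myresource1", "/myresource2")],
    "Environment": {"Attribute": [{"AttributeId": "ApplicationId", "Value": "/myapp"}]}}}
RESPONSE = json.loads(r"""{"Response": [%s, %s]}""" % tuple(
    '{"Status": {"StatusCode": {"Value": "%s"}}, "Attribute": [{"AttributeId": "%s",'
    ' "Value": "\\/%s"}], "Decision": "%s"}' % (STATUS_OK, RESOURCE_ID, r, d)
    for r, d in (("myresource1", "Permit"), ("myresource2", "Deny"))))
```

The `\/` escape in the response is plain JSON for `/`, so a standard JSON parser yields `/myresource1` and the value matches the resource-id sent in the request.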