A Reference for XACML on WebLogic Server

Understand the extensions that you can use when writing XACML 2.0 documents to protect resources on WebLogic Server and the restrictions that WebLogic Server places on XACML. The eXtensible Access Control Markup Language (XACML) is an XML language for expressing authorization policies and role assignments. XACML offers extension points so that vendors such as Oracle can express vendor-specific resources, data types, and functions in XACML.

The WebLogic Server XACML Authorization Provider and XACML Role Mapping Provider:

This document describes only the WebLogic Server extensions and restrictions for XACML. For a complete reference of the XACML 2.0 language, see the OASIS XACML 2.0 Core Specification and the OASIS RBAC specification.

Comparison of WebLogic Server and XACML Security Models

The WebLogic Server model for representing resources and policies follows the model of Java EE deployment descriptors. This Java EE model creates a hierarchy of resources in which roles and authorization policies at the top of the hierarchy protect resources that are lower in the hierarchy. (See Protecting a Hierarchy of Resources.) Policies lower in a hierarchy always override policies higher in the hierarchy. The higher levels of the resource hierarchy contain enterprise applications, Web applications, and EJBs. The lowest levels of the resource hierarchy contain EJB methods, HTTP methods on specific URL patterns, and MBean getters and setters.

The XACML model also recognizes a hierarchy of resources. Unlike the native WebLogic Server model, your XACML policies must specify how to interpret cases in which a resource is protected by its own policy and by a policy on the resource's parent or ancestor.

In addition, a XACML document typically distinguishes between a resource and the actions of a resource. For example, a XACML document defines a resource such as an EJB, and then defines an action within the EJB resource to represent a method in the EJB. The native WebLogic Server model considers an EJB and each EJB method to be resources. See Figure A-1.

Figure A-1 WebLogic Resource Hierarchy Includes Methods

While it is possible to describe an action such as an EJB method as a XACML resource, a more natural expression in XACML would define an EJB as a resource and an EJB method as an action within the resource.

Comparison of Terminology

The WebLogic Server terminology for describing resources and policies follows the model of Java EE deployment descriptors. This Java EE model uses the following terms to describe key concepts:

  • Role, which contains one or more conditions that describe which users or groups are in the role at any given time. A role expression is a collection of conditions and the name of a user or group whom the conditions add to the role. The collection of expressions is the role statement.

  • Policy, which contains one or more conditions that describe who can access a resource at any given time. A policy expression is a collection of conditions and the name of a user, group, or role to whom the conditions grant access. The collection of expressions is the policy statement.

In XACML, a policy consists of a set of rules, and policies can be used to determine who is in a role or who can access a resource. In general, a XACML policy is equivalent to a role statement or policy statement in WebLogic Server.

Description of Data Types

Oracle implements support for all of the data types that are required by the XACML core specification. It supports additional, standard XML data types and provides a group of custom data types. This document uses the bea: prefix to indicate that a data type is a custom Oracle type.

For a description of all data types that the WebLogic XACML providers recognize, see com.bea.common.security.xacml.Type in Java API Reference for Oracle WebLogic Server.

Action Identifiers

XACML uses an Action element to identify an operation in a resource or a hierarchy of resources.

WebLogic Server supports all of the XACML Action identifiers, as described in the XACML 2.0 Core Specification, and adds support for an additional one that can appear anywhere that a standard XACML action identifier can appear.

To identify operations in WebLogic Server resources (for example, to identify a specific EJB method), use action identifiers as described in Table A-1.

Note:

While it is possible to use a resource identifier to describe an operation such as an EJB method, a more natural expression in XACML would use an action identifier. See Comparison of WebLogic Server and XACML Security Models.

Table A-1 Action Identifiers

To Identify... Use This Identifier...

An operation

  • Attribute ID: urn:oasis:names:tc:xacml:1.0:action:action-id

  • Data Type: string

  • Value: Depends on the type of resource that contains the operation. See Table A-2.

When the provider performs a security check

  • Attribute ID: urn:bea:xacml:2.0:action:direction

  • Data Type: string

  • Values: ONCE, PRIOR, or POST

The WebLogic Security SPI contains an optional feature that enables containers to specify when a provider performs a security check on a request:

  • ONCE requests an authorization check once with no preference of whether it is done before or after an operation.

  • PRIOR requests an authorization check prior to processing the request.

  • POST requests an authorization check after the request has been processed but before the results have been returned.

You can use this direction identifier to match requests that have been checked ONCE, PRIOR, or POST.

See weblogic.security.spi.Direction in the Java API Reference for Oracle WebLogic Server, which is the object type that is used to pass ONCE, PRIOR, or POST to the security provider.

Note: Using a Direction object in a decision is optional for Authorization providers. The WebLogic Server XACML Authorization provider supports only the ONCE value.

Table A-2 describes the value that you specify for the action-id identifier.

Table A-2 Value for the action-id Identifier

If the operation is in this resource type... Specify...

Admin

The name of an administrative activity that is protected by an Admin resource. For example, UserLockout.

For a list of valid values, see the action parameter for the weblogic.security.service.AdminResource constructor in the Java API Reference for Oracle WebLogic Server.

Application

The name of the application as displayed in the WebLogic Server Administration Console.

Control

The name of a method in a Java control. Java controls are reusable components that you can create and use anywhere within a WebLogic Platform application.

EJB

The name of an EJB method. For example, mymethod. If the method is overloaded, all methods with the specified method name will be matched.

JDBC

The name of an administrative activity that is protected by a JDBC resource.

For a list of valid values, see the action parameter for the weblogic.security.service.JDBCResource constructor in the Java API Reference for Oracle WebLogic Server.

JMS

The name of an administrative activity that is protected by a JMS resource.

For a list of valid values, see the action parameter for the weblogic.security.service.JMSResource constructor in the Java API Reference for Oracle WebLogic Server.

JMX

The name of an operation in a WebLogic Server MBean. For example, shutdown.

JNDI

The name of an administrative activity that is protected by a JNDI resource.

For a list of valid values, see the action parameter for the weblogic.security.service.JNDIResource constructor in the Java API Reference for Oracle WebLogic Server.

Server

The name of a server life cycle activity that is protected by a Server resource. For example, boot.

For a list of valid values, see Server Resources.

URL

The name of an HTTP method. For example, POST.

Web Service

The name of a Web Service method. For example, mymethod.

Work Context

The name of an administrative activity that is protected by a Work Context resource.

For a list of valid values, see the action parameter for the weblogic.security.service.WorkContextResource constructor in the Java API Reference for Oracle WebLogic Server.

All others

The following string: access

Examples

The following example uses an Action element to specify that the target is mymethod within the SimpleSoap Web Service.

Note:

When specifying values in the <AttributeValue> element, you must not include extraneous space characters. In particular:

  • Do not precede the first value with more than a single space character.

  • When specifying multiple values, do not separate each value by more than a single space character.

  • Make sure there are no space characters that follow the last value.

For example:

<AttributeValue datatype>value1, value2, value3</AttributeValue>

<Target>
  <Resources>
   <Resource>
   <ResourceMatch
    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;webservices&gt;, application=webservicesJwsSimpleEar,contextPath=/jws_basic_simple, webService=SimpleSoapPort</AttributeValue>
    <ResourceAttributeDesignator
     AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
     DataType="http://www.w3.org/2001/XMLSchema#string"
     MustBePresent="true"/>
   </ResourceMatch>
  </Resource>
  </Resources>
  <Actions>
   <Action>
    <ActionMatch
     MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mymethod</AttributeValue>
     <ActionAttributeDesignator
      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string"
      MustBePresent="true"/>
    </ActionMatch>
   </Action>
  </Actions>
</Target>

Environment Identifiers

XACML uses an optional Environment element to describe conditions in the operating environment that must be met before providing access to a target. For example, an Environment element can specify a time and date range within which access is allowed.

WebLogic Server supports all of the XACML Environment identifiers (see the OASIS XACML 2.0 Core Specification at http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf) and adds support for an additional one that can appear anywhere that a standard XACML environment identifier can appear. Table A-3 describes this additional identifier and the values that can be specified for it; the identifier holds values that the container passes to the provider.

Table A-3 WebLogic Server Environment Identifiers

Identifier Value and Description

Attribute ID:

urn:bea:xacml:2.0:environment:context:key 

In this identifier, key specifies a ContextHandler element name as defined in ContextHandlers and WebLogic Resources in Developing Security Providers for Oracle WebLogic Server. A ContextHandler is a WebLogic class that obtains additional context and container-specific information from the resource container and represents the information as a list of name/value pairs.

Data Type:

bea:Object, string, or double

Value:

The value of the ContextHandler element that you want to match.

Examples

The following example uses an Environment element to match the value of a WebLogic Server listen port. Such an element could be used in a policy that requires a request to come through listen port 9001:

<Environment>
   <EnvironmentMatch
      MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">9001</AttributeValue>
      <EnvironmentAttributeDesignator
           AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.channel.Port"
           DataType="http://www.w3.org/2001/XMLSchema#double"/>
   </EnvironmentMatch>
</Environment>

Policy and PolicySet Identifiers

XACML uses a Policy element to contain one or more rules and a PolicySet element to contain one or more policies. Each element must include an attribute that uniquely identifies it: PolicyId for a Policy element and PolicySetId for a PolicySet element. The XACML specification requires these identifiers to be legal URI values.

XACML documents use the PolicySetId to include a specific Policy or PolicySet element within another PolicySet element. WebLogic Server uses the PolicySetId as the key in the Authorization provider or Role Mapping provider's policy store.

WebLogic Server reserves URI values beginning with urn:bea: for its internal use. While you cannot create your own policies with URIs that begin with urn:bea:, you can use these values to include Oracle's policies in your policy sets.

Examples

The following example is a valid identifier for a Policy element:

<Policy
    PolicyId="urn:mycompany:myapplication:policyid:1"
...>

The following example is a valid reference to the Policy element above:

<PolicyIdReference>
    urn:mycompany:myapplication:policyid:1
</PolicyIdReference>

Resource Identifiers

XACML uses a Resource element to represent data, a service, or a system component.

WebLogic Server supports all of the XACML Resource identifiers, as described in the XACML 2.0 Core Specification.

To identify a WebLogic Server resource, use resource identifiers as described in Table A-4. For information about WebLogic Server resources, see Resource Types You Can Secure with Policies.

Table A-4 WebLogic Server Resource Identifiers

To identify a... Use the following identifier...

Resource

  • Attribute ID: urn:oasis:names:tc:xacml:1.0:resource:resource-id

  • Data Type: string

  • Value: A collection of name and value pairs that specify the WebLogic Server resource type and the location of the resource in the WebLogic Server resource hierarchy. WebLogic Server generates these identifiers.

    Note that a policy that uses this identifier will not protect resources that are below the specified resource. For example, if you use this identifier for a policy on a Web Service module, the policy will not protect methods within the Web Service.

See Get the ID of the Resource to Secure.

Resource and its ancestors

  • Attribute ID: urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self

  • Data Type: string

  • Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers.

See Get the ID of the Resource to Secure.

Parent of a resource

  • Attribute ID: urn:oasis:names:tc:xacml:1.0:resource:resource-parent

  • Data Type: string

  • Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers.

See Get the ID of the Resource to Secure.

Ancestor of a resource

  • Attribute ID: urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor

  • Data Type: string

  • Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers.

See Get the ID of the Resource to Secure.

Examples

The following example Resource element matches a Web Service named SimpleSoapPort and all methods within that Web Service:

<Resource>
   <ResourceMatch
    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;webservices&gt;, application=webservicesJwsSimpleEar, contextPath=/jws_basic_simple, webService=SimpleSoapPort</AttributeValue>
    <ResourceAttributeDesignator
     AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
     DataType="http://www.w3.org/2001/XMLSchema#string"
     MustBePresent="true"/>
   </ResourceMatch>
</Resource> 

Subject Identifiers

XACML uses a Subject element to represent an actor whose attributes may be referenced by a predicate.

WebLogic Server supports all of the XACML Subject identifiers, as described in the XACML 2.0 Core Specification.

To identify a WebLogic Server user, group, or role as defined in a WebLogic Server realm, use subject identifiers as described Table A-5.

Table A-5 WebLogic Subject Identifiers

To identify a... Use the following identifier...

User principal

  • Attribute ID: urn:oasis:names:tc:xacml:1.0:subject:subject-id

  • Data Type: string

  • Value: Name of a WebLogic Server user principal.

Group principal

  • Attribute ID: urn:oasis:names:tc:xacml:2.0:subject:group

  • Data Type: string

  • Values: Name of a WebLogic Server group principal.

Role

  • Attribute ID: urn:oasis:names:tc:xacml:2.0:subject:role

  • Data Type: string

  • Values: Names of one or more roles as resolved by a XACML Role Mapping provider.

Note: WebLogic Server supports only a subset of the RBAC Profile specification, which is the specification that defines this attribute.

Subject who has signed a SOAP document

  • Attribute ID: urn:bea:xacml:2.0:subject:context:com.bea.contextelement.webservice.Integrity{{namespace}element}

    where namespace and element are the namespace and element that was signed.

    For example:

    urn:bea:xacml:2.0:subject:context:com.bea.contextelement.webservice.Integrity{{http://schemas.xmlsoap.org/soap/envelope/}Body}

  • Data Type: string

  • Values: The Java subject who has signed the element (either user ID or group ID).

Examples

For an example of a XACML document that uses identifiers from Table A-5 to define a security role that can be used to protect access to a Web Service, see Example 7-2.

WebLogic Server Functions for XACML

The following sections describe the functions that the WebLogic Server XACML providers support in addition to the functions described in the XACML Core Specification:

Custom Data Type Variants

The following function identifiers specify functions that are direct ports of standard XACML functions and operate on XML and WebLogic Server data types long, float, decimal and bea:Character. For a description of these data types, see com.bea.common.security.xacml.Type in Java API Reference for Oracle WebLogic Server.

In this list, type refers to the names of the data types (long, float, decimal or character):

urn:bea:xacml:2.0:function:type-equal
urn:bea:xacml:2.0:function:type-greater-than
urn:bea:xacml:2.0:function:type-greater-than-or-equal
urn:bea:xacml:2.0:function:type-less-than
urn:bea:xacml:2.0:function:type-less-than-or-equal
urn:bea:xacml:2.0:function:type-one-and-only
urn:bea:xacml:2.0:function:type-bag-size
urn:bea:xacml:2.0:function:type-is-in
urn:bea:xacml:2.0:function:type-bag
urn:bea:xacml:2.0:function:type-intersection
urn:bea:xacml:2.0:function:type-union
urn:bea:xacml:2.0:function:type-at-least-one-member-of
urn:bea:xacml:2.0:function:type-subset
urn:bea:xacml:2.0:function:type-set-equals

For information on functions that compare bea:Objects, see Object Comparisons.

Examples

The following example is a Condition that uses urn:bea:xacml:2.0:function:character-equal to compare two bea:characters:

<Condition>
   <Apply FunctionId="urn:bea:xacml:2.0:function:character-equal">
     <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">Q</AttributeValue>
     <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">Q</AttributeValue>
   </Apply>
</Condition> 

Miscellaneous Functions

Table A-6 lists the miscellaneous functions that WebLogic Server provides in addition to the standard XACML functions.

Table A-6 Miscellaneous WebLogic Server XACML Functions

Function Description

in-development-mode

  • URI: urn:bea:xacml:2.0:function:in-development-mode

  • Input Type: null

  • Return Type: boolean

  • Description: This function takes no arguments and returns true if the WebLogic Server instance that hosts the realm is in development mode.

See Creating a WebLogic Domain in Creating WebLogic Domains Using the Configuration Wizard.

instance-method

  • URI: urn:bea:xacml:2.0:function:instance-method

  • Input Type: bea:Object, string, Bag of bea:Class, [bea:Object ... ]

  • Return Type: bea:Object

  • Description: This function invokes a method on a bea:Object that the container makes available in the current context.

The function takes the following arguments:

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Bag of bea:Class. The Java classes that are declared in the method's signature. Use Oracle's string-to-class function to create the required classes. See Object Type Conversions.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.

The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.

instance-method-match

  • URI: urn:bea:xacml:2.0:function:instance-method-match

  • Input Type: bea:Object, string, [bea:Object ... ]

  • Return Type: bea:Object

  • Description: This function invokes a method on a bea:Object that the container makes available in the current context.

The function takes the following arguments:

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.

This function uses the method name and the class types of the parameter bea:Objects to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, then the function result is indeterminate.

The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.

instance-method-v2

  • URI: urn:bea:xacml:2.0:function:instance-method-v2

  • Input Type: bea:Class, bea:Object, string, Bag of bea:Class, [bea:Object ... ]

  • Return Type: bea:Object

  • Description: This function invokes a method on a bea:Object that the container makes available in the current context.

The function takes the following arguments:

  • bea:Class. The class type of the bea:Object. Use Oracle's string-to-class function to create the class. See Object Type Conversions.

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Bag of bea:Class. The Java classes that are declared in the method's signature. Use Oracle's string-to-class function to create the required classes. See Object Type Conversions.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.

The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.

instance-method-match-v2

  • URI: urn:bea:xacml:2.0:function:instance-method-match-v2

  • Input Type: bea:Class, bea:Object, string, [bea:Object ... ]

  • Return Type: bea:Object

  • Description: This function uses the class type of the bea:Object, method name, and the class types of the parameter bea:Objects to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, then the function result is indeterminate.

The function takes the following arguments:

  • bea:Class. The class type of the bea:Object. Use Oracle's string-to-class function to create the class. See Object Type Conversions.

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.

The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.

instance-method-match-v3

  • URI: urn:bea:xacml:2.0:function:instance-method-match-v3

  • Input Type: string, bea:Object, string, Bag of string, [bea:Object ... ]

  • Return Type: bea:Object

  • Description: This function uses the class name of the bea:Object, method name, and the class types of the parameter bea:Objects to find the appropriate method in the target bea:Object. If the target bea:Object does not contain exactly one method that matches the parameters, then the function result is indeterminate.

This function uses the Java reflection API to invoke a method on a specified bea:Object. The function takes the following arguments:

  • string. The name of the bea:Object's class type.

  • bea:Object. A Java object whose method will be invoked. Use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

  • string. The method name.

  • Bag of string. The class names of the parameters in the method signature.

  • Zero or more bea:Objects. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions.

The function returns the return value of the invoked method as a bea:Object. Methods that return void may not be invoked.

Example

The following policy uses the instance-method function to invoke the HttpServletRequest.getAuthType() method on requests that match a specific URL pattern (see javax.servlet.http.HttpServletRequest.getAuthType() in the Java EE 7 Platform API Specification, available at http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html#getAuthType). The WebLogic Server ContextHandler makes this HttpServletRequest object available to the Authorization and Role Mapping providers for all requests that come through the servlet container. Any policy for a URL resource can invoke this or other HttpServletRequest methods.

Example A-1 Policy That Invokes HttpServletRequest.getAuthType()

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
   PolicyId="urn:sample:xacml:2.0:function:instance-method"
   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>function:instance-method</Description>
  <Target>
    <Resources>
      <Resource>
         <ResourceMatch
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;url&gt;, application=MedRecEAR, contextPath=,uri=/docs/*</AttributeValue>
             <ResourceAttributeDesignator
               AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
               DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
         </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <!-- Declaring the instance-method function as a variable because this policy
       invokes it multiple times.
  -->
  <VariableDefinition VariableId="authType">
    <Apply FunctionId="urn:bea:xacml:2.0:function:instance-method">
      <!-- Passing the HttpServletRequest object to the function, which the
           BEA ContextHandler makes available to the security framework.
      -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:object-one-and-only">
        <EnvironmentAttributeDesignator 
           DataType="urn:bea:xacml:2.0:data-type:object"
           AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.servlet.HttpServletRequest" />
      </Apply>
      <!--  Passing "getAuthType()" as the name of the HttpServletRequest 
             method to invoke 
      -->
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">getAuthType</AttributeValue>
      <!-- Because the getAuthType() method signature contains no parameters,
           pass an empty bag of Class.
      -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:class-bag" />
    </Apply>
  </VariableDefinition>
  <!-- Creating a rule that allows access to the resource only if
       the getAuthType() returns a non-null value and if the non-null
       value is "CLIENT_CERT"
  -->
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:bea:xacml:2.0:function:object-is-null">
            <VariableReference VariableId="authType" />
          </Apply>
        </Apply>
        <Apply
           FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
           <!-- Because the instance-method function returns a bea:Object, 
                 this policy wraps the function in an object-to-string function,
                 which enables comparison a of the function output with another
                 string.
           -->
           <Apply FunctionId="urn:bea:xacml:2.0:function:object-to-string">
              <VariableReference VariableId="authType" />
           </Apply>
           <!--  Declaring a String object to compare to the
                 HttpServletRequest.getAuthType() return value. 
           -->
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLIENT_CERT</AttributeValue>
         </Apply>
       </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-rule" Effect="Deny" />
</Policy>
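As an added example that is not Oracle's code and not part of this appendix, the following Python script lints a policy document against the restrictions described above: the AttributeValue spacing rules from the note under Action Identifiers, the reserved urn:bea: prefix for PolicyId and PolicySetId values, the AttributeValue-before-designator ordering that the Match examples show, and any use of the instance-method family of functions, which invoke methods on container objects through reflection and therefore deserve review. The two policy documents embedded in it are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

RESERVED_PREFIX = "urn:bea:"          # WebLogic keeps these ids for its own policies
REFLECTION_PREFIX = "urn:bea:xacml:2.0:function:instance-method"
MATCH_TAGS = {"SubjectMatch", "ResourceMatch", "ActionMatch", "EnvironmentMatch"}
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")   # absolute URI, no whitespace


def _local(tag):
    # Strip the XACML namespace from an element tag name.
    return tag.rsplit("}", 1)[-1]


def _value_spacing_problems(text):
    """Apply the three AttributeValue spacing rules from the Action Identifiers note."""
    problems = []
    if len(text) - len(text.lstrip(" ")) > 1:
        problems.append("more than one space before the first value")
    if text.endswith(" "):
        problems.append("trailing space after the last value")
    if re.search(r"\S {2,}\S", text):
        problems.append("values separated by more than one space")
    return problems


def lint_policy(xml_text):
    """Return the list of findings for one policy document (empty when it is clean)."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag in ("Policy", "PolicySet"):
            attr = "PolicyId" if tag == "Policy" else "PolicySetId"
            pid = el.get(attr, "")
            if not URI_RE.match(pid):
                findings.append(f"{tag}: {attr} '{pid}' is not a legal URI")
            if pid.startswith(RESERVED_PREFIX):
                findings.append(f"{tag}: {attr} '{pid}' uses the reserved urn:bea: prefix")
        elif tag in MATCH_TAGS:
            # XACML 2.0 schema: <AttributeValue> first, then the designator or selector
            kids = [_local(k.tag) for k in el]
            if not kids or kids[0] != "AttributeValue":
                findings.append(f"{tag}: <AttributeValue> must precede the attribute designator")
        elif tag == "AttributeValue":
            for p in _value_spacing_problems(el.text or ""):
                findings.append(f"AttributeValue '{el.text}': {p}")
        elif tag == "Apply" and el.get("FunctionId", "").startswith(REFLECTION_PREFIX):
            findings.append(f"Apply: {el.get('FunctionId')} invokes a container object method "
                            "through reflection; review the method it names")
    return findings


# Constructed sample: a clean URL-resource policy in the style of Example A-1.
GOOD_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicyId="urn:mycompany:myapplication:policyid:1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;url&gt;, application=MedRecEAR, contextPath=, uri=/docs/*</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
          DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </ResourceMatch>
    </Resource></Resources>
  </Target>
  <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>"""

# Constructed sample with one instance of each problem the linter reports.
BAD_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicyId="urn:bea:mine"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Environments><Environment>
      <EnvironmentMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
        <EnvironmentAttributeDesignator AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.channel.Port"
          DataType="http://www.w3.org/2001/XMLSchema#double"/>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">9001 </AttributeValue>
      </EnvironmentMatch>
    </Environment></Environments>
  </Target>
  <Rule RuleId="cert-only" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:bea:xacml:2.0:function:object-is-null">
          <Apply FunctionId="urn:bea:xacml:2.0:function:instance-method">
            <Apply FunctionId="urn:bea:xacml:2.0:function:object-one-and-only">
              <EnvironmentAttributeDesignator DataType="urn:bea:xacml:2.0:data-type:object"
                AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.contextelement.servlet.HttpServletRequest"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">getAuthType</AttributeValue>
            <Apply FunctionId="urn:bea:xacml:2.0:function:class-bag"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

if __name__ == "__main__":
    for name, doc in (("GOOD_POLICY", GOOD_POLICY), ("BAD_POLICY", BAD_POLICY)):
        print(name, "->", lint_policy(doc) or "no findings")
```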

Time/Date Conversions

Table A-7 lists the functions that Oracle provides to convert XACML times and dates to different data types.

Table A-7 WebLogic Server Time/Date Conversions

Function Description

dateTime-dayOfMonth

  • URI: urn:bea:xacml:2.0:function:dateTime-dayOfMonth

  • Input Type: dateTime

  • Return Type: integer

  • Description: This function takes a single argument of type dateTime and returns an integer value that represents the day of month implied by the dateTime input.

    The first day of the month is represented with a value of 1.

dateTime-dayOfMonthMaximum

  • URI: urn:bea:xacml:2.0:function:dateTime-dayOfMonthMaximum

  • Input Type: dateTime

  • Return Type: integer

  • Description: This function takes a single argument of type dateTime and returns an integer value that represents the value of the last day of the month.

    For example, if the dateTime describes a time in the month of December, the function returns 31 (because December has a maximum of 31 days). This function adjusts the value returned for February on leap years.

dateTime-dayOfWeek

  • URI: urn:bea:xacml:2.0:function:dateTime-dayOfWeek

  • Input Type: dateTime

  • Return Type: integer

  • Description: This function takes a single argument of type dateTime and returns an integer value that indicates the day of the week implied by the dateTime input.

    Sunday is the first day of the week and has a value of 1.

dateTime-secondsOfDay

  • URI: urn:bea:xacml:2.0:function:dateTime-secondsOfDay

  • Input Type: dateTime

  • Return Type: integer

  • Description: This function takes a single argument of type dateTime and returns an integer value that indicates the number of whole seconds that have elapsed in the day that is indicated by the dateTime input.

dayTimeDuration-timeZoneOffset

  • URI: urn:bea:xacml:2.0:function:dayTimeDuration-timeZoneOffset

  • Input Type: null

  • Return Type: dayTimeDuration

  • Description: This function takes no arguments and returns a dayTimeDuration value that indicates the time-zone offset between the local time and GMT time.

string-to-dateTime

  • URI: urn:bea:xacml:2.0:function:string-to-dateTime

  • Input Type: string

  • Return Type: dateTime

  • Description: This function takes a single argument of type string and returns the argument as a dateTime.

string-to-date

  • URI: urn:bea:xacml:2.0:function:string-to-date

  • Input Type: string

  • Return Type: date

  • Description: This function takes a single argument of type string and returns the argument as a date.

object-to-dateTime

  • URI: urn:bea:xacml:2.0:function:object-to-dateTime

  • Input Type: bea:Object

  • Return Type: dateTime

  • Description: This function takes a single argument of type bea:Object and returns the value as a dateTime object. If the bea:Object is an instance of java.util.Calendar, then its value is returned directly. If the bea:Object is an instance of java.security.Timestamp or java.util.Date, this function converts the bea:Object to java.util.Calendar and returns the Calendar value. Otherwise, this function converts the bea:Object to java.lang.String and parses the String into a dateTime value.

object-to-date

  • URI: urn:bea:xacml:2.0:function:object-to-date

  • Input Type: bea:Object

  • Return Type: date

  • Description: This function takes a single argument of type bea:Object and returns the value as a date object. If the bea:Object is an instance of java.util.Calendar, then its value is returned directly. If the bea:Object is an instance of java.util.Date, this function converts the bea:Object to java.util.Calendar and returns the Calendar value. Otherwise, this function converts the bea:Object to java.lang.String and parses the String into a date value.
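The functions in Table A-7 are most often used in a Condition over the urn:oasis:names:tc:xacml:1.0:environment:current-dateTime environment attribute. The policy below is an added example written for this page, not code from the WebLogic documentation or from Oracle: it permits access Monday through Friday between 08:00:00 and 18:00:00, permits access on the last calendar day of each month, and denies everything else. The PolicyId and the time window are assumed values. The standard XACML dateTime-one-and-only, integer comparison and and functions are combined with the WebLogic dateTime-dayOfWeek, dateTime-secondsOfDay, dateTime-dayOfMonth and dateTime-dayOfMonthMaximum functions; the clock being inspected is whatever value the provider places in current-dateTime, including its time zone, so confirm that zone before relying on the window.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the WebLogic documentation. The PolicyId and the
     08:00-18:00 window are assumed for illustration. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:business-hours"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>

  <!-- Rule 1: Monday to Friday, 08:00:00 <= time < 18:00:00, measured on the
       clock that current-dateTime carries. dateTime-dayOfWeek numbers Sunday
       as 1, so Monday..Friday is 2..6. dateTime-secondsOfDay counts whole
       seconds since midnight, so 08:00:00 is 28800 and 18:00:00 is 64800. -->
  <Rule RuleId="permit-business-hours" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
          <Apply FunctionId="urn:bea:xacml:2.0:function:dateTime-dayOfWeek">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
              <EnvironmentAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
                  DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
            </Apply>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">2</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal">
          <Apply FunctionId="urn:bea:xacml:2.0:function:dateTime-dayOfWeek">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
              <EnvironmentAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
                  DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
            </Apply>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">6</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
          <Apply FunctionId="urn:bea:xacml:2.0:function:dateTime-secondsOfDay">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
              <EnvironmentAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
                  DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
            </Apply>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">28800</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than">
          <Apply FunctionId="urn:bea:xacml:2.0:function:dateTime-secondsOfDay">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
              <EnvironmentAttributeDesignator
                  AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
                  DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
            </Apply>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">64800</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: the last calendar day of the month, for month-end processing.
       dateTime-dayOfMonthMaximum already adjusts February in leap years, so
       the rule needs no special case for that. -->
  <Rule RuleId="permit-month-end" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
        <Apply FunctionId="urn:bea:xacml:2.0:function:dateTime-dayOfMonth">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
            <EnvironmentAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
                DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
          </Apply>
        </Apply>
        <Apply FunctionId="urn:bea:xacml:2.0:function:dateTime-dayOfMonthMaximum">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only">
            <EnvironmentAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
                DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Anything not matched above is denied, the same trailing rule the
       examples in this appendix use. -->
  <Rule RuleId="deny-rule" Effect="Deny"/>
</Policy>
```

If current-dateTime is absent from the request context, dateTime-one-and-only cannot produce a value and the Permit rules do not fire; the trailing deny-rule is what keeps that case from falling through as NotApplicable. The comparisons use the integer functions because every WebLogic function above returns an integer, not a dateTime.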

Arithmetic Conversions and Functions

Table A-8 lists the functions that Oracle provides to convert numeric values between data types and to extend the basic set of arithmetic functions specified by XACML.

Table A-8 WebLogic Server Arithmetic Conversions and Functions

Function Description

float-to-double

  • URI: urn:bea:xacml:2.0:function:float-to-double

  • Input Type: float

  • Return Type: double

  • Description: This function takes a single argument of type float and returns the argument as a double.

long-to-double

  • URI: urn:bea:xacml:2.0:function:long-to-double

  • Input Type: long

  • Return Type: double

  • Description: This function takes a single argument of type long and returns the argument as a double.

long-to-float

  • URI: urn:bea:xacml:2.0:function:long-to-float

  • Input Type: long

  • Return Type: float

  • Description: This function takes a single argument of type long and returns the argument as a float.

integer-to-float

  • URI: urn:bea:xacml:2.0:function:integer-to-float

  • Input Type: integer

  • Return Type: float

  • Description: This function takes a single argument of type integer and returns the argument as a float.

integer-to-long

  • URI: urn:bea:xacml:2.0:function:integer-to-long

  • Input Type: integer

  • Return Type: long

  • Description: This function takes a single argument of type integer and returns the argument as a long.

string-to-double

  • URI: urn:bea:xacml:2.0:function:string-to-double

  • Input Type: string

  • Return Type: double

  • Description: This function takes a single argument of type string and returns the argument as a double.

string-to-long

  • URI: urn:bea:xacml:2.0:function:string-to-long

  • Input Type: string

  • Return Type: long

  • Description: This function takes a single argument of type string and returns the argument as a long.

string-to-integer

  • URI: urn:bea:xacml:2.0:function:string-to-integer

  • Input Type: string

  • Return Type: integer

  • Description: This function takes a single argument of type string and returns the argument as an integer.

string-to-float

  • URI: urn:bea:xacml:2.0:function:string-to-float

  • Input Type: string

  • Return Type: float

  • Description: This function takes a single argument of type string and returns the argument as a float.

to-degrees

  • URI: urn:bea:xacml:2.0:function:to-degrees

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double, converts the value from radians to degrees, and returns the degrees value as a double.

to-radians

  • URI: urn:bea:xacml:2.0:function:to-radians

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double, converts the value from degrees to radians, and returns the radians value as a double.

acos

  • URI: urn:bea:xacml:2.0:function:acos

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns the arc cosine of the argument as a double.

asin

  • URI: urn:bea:xacml:2.0:function:asin

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns the arc sine of the argument as a double.

atan

  • URI: urn:bea:xacml:2.0:function:atan

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns the arc tangent of the argument as a double.

atan2

  • URI: urn:bea:xacml:2.0:function:atan2

  • Input Type: double

  • Return Type: double

  • Description: This function takes two arguments of type double that represent the rectangular (x, y) coordinates of a point, and returns a double value that is the angle theta of that point in polar coordinates (r, theta). Note that java.lang.Math.atan2(y, x) takes the y coordinate first; verify which argument order this function expects before relying on it.

ceil

  • URI: urn:bea:xacml:2.0:function:ceil

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns a double value that is the smallest mathematical integer that is greater than or equal to the argument value.

cos

  • URI: urn:bea:xacml:2.0:function:cos

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns the cosine of the argument as a double.

exp

  • URI: urn:bea:xacml:2.0:function:exp

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns a double value that is Euler's number, e, raised to the power of the argument value.

ieee-remainder

  • URI: urn:bea:xacml:2.0:function:ieee-remainder

  • Input Type: double

  • Return Type: double

  • Description: This function takes two arguments of type double and returns a double value that is the remainder operation result of the two arguments as described in the IEEE 754 standard. See https://ieeexplore.ieee.org/document/5976968.

log

  • URI: urn:bea:xacml:2.0:function:log

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns the natural logarithm of the argument as a double.

maximum

  • URI: urn:bea:xacml:2.0:function:maximum

  • Input Type: double

  • Return Type: double

  • Description: This function takes two arguments of type double and returns the larger of the two values as a double.

minimum

  • URI: urn:bea:xacml:2.0:function:minimum

  • Input Type: double

  • Return Type: double

  • Description: This function takes two arguments of type double and returns the smaller of the two values as a double.

pow

  • URI: urn:bea:xacml:2.0:function:pow

  • Input Type: double

  • Return Type: double

  • Description: This function takes two arguments of type double and returns a double value that is the result of taking the first argument value to the power of the second argument value.

random-number

  • URI: urn:bea:xacml:2.0:function:random-number

  • Input Type: double

  • Return Type: double

  • Description: This function takes two arguments of type double and returns a double value that is a random number greater than or equal to the first argument and less than the second argument. A decision that depends on this function is not reproducible: the same request can be permitted on one evaluation and denied on the next, and the source of randomness is not specified here, so do not use it where a decision must be auditable.

rint

  • URI: urn:bea:xacml:2.0:function:rint

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns a double value that is the mathematical integer that is closest to the argument value. If the higher and lower integer values are equally close, then the even value is returned.

sqrt

  • URI: urn:bea:xacml:2.0:function:sqrt

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns the square root as a double.

tan

  • URI: urn:bea:xacml:2.0:function:tan

  • Input Type: double

  • Return Type: double

  • Description: This function takes a single argument of type double and returns the tangent as a double.
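The conversion functions in Table A-8 matter most when an attribute source delivers numbers as strings, which is common for directory attributes. The Rule below is an added example for this page, not code from the WebLogic documentation or from Oracle: it wraps string-to-integer around a string-typed subject attribute so that the standard integer-greater-than-or-equal function can be applied. The subject attribute urn:example:subject:clearance-level and the threshold of 3 are hypothetical; the Rule belongs inside a Policy such as the one shown earlier in this appendix.

```xml
<!-- Added example, not from the WebLogic documentation. The subject attribute
     urn:example:subject:clearance-level is hypothetical; it stands for a
     numeric level that the attribute source delivers as a string. Place this
     Rule inside a Policy such as the one shown earlier in this appendix. -->
<Rule RuleId="permit-clearance-3-or-higher" Effect="Permit">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
      <!-- string-to-integer converts the string attribute before the numeric
           comparison. A value that does not parse as an integer leaves the
           function with nothing to return, which XACML reports as
           Indeterminate, so the Rule does not permit in that case. -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:string-to-integer">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator
              AttributeId="urn:example:subject:clearance-level"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">3</AttributeValue>
    </Apply>
  </Condition>
</Rule>
```

Comparing the raw string against "3" with a string function would order "10" before "3" lexically; converting first is what makes the comparison numeric.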

Object Type Conversions

WebLogic Server provides a collection of functions for converting XACML data into Java objects. The URI for each function in this collection is as follows:

urn:bea:xacml:2.0:function:type-to-object 

where type is the name of a XACML data type. Table A-9 lists all data types and the Java object that the corresponding function returns.

For example, this expression returns the string test as a java.lang.String object (the value is supplied as an AttributeValue, because an Apply element takes expression elements, not bare text, as its arguments):

<Apply FunctionId="urn:bea:xacml:2.0:function:string-to-object">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">test</AttributeValue>
</Apply>

Table A-9 Data to Java Object Conversion

When type equals... The urn:bea:xacml:2.0:function:type-to-object function returns...

character

java.lang.Character

string

java.lang.String 

boolean

java.lang.Boolean

integer

java.lang.Integer

double

java.lang.Double

float

java.lang.Float

long

java.lang.Long

decimal

java.lang.Double

base64Binary

java.lang.Byte[] 

hexBinary

java.lang.Byte[] 

date

java.util.Calendar 

time

java.util.Calendar 

dateTime

java.util.Calendar

dayTimeDuration

java.lang.Long

yearMonthDuration

java.lang.Integer

rfc822Name

java.lang.String

x500Name

java.lang.String

anyURI

java.net.URI

ipAddress

java.lang.String

dnsAddress

java.lang.String

Table A-10 lists the functions that Oracle provides to convert strings or Java objects to different data or object types. To pass objects that the container makes available to the current context, use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

Table A-10 WebLogic Server Object Conversions

Function Description

string-to-class

  • URI: urn:bea:xacml:2.0:function:string-to-class

  • Input Type: string

  • Return Type: bea:Class

  • Description: This function takes a single argument of type string, invokes java.lang.Class.forName() on the argument value, and returns the result as a bea:Class. Because Class.forName() loads and initializes the named class, its static initializers run as a side effect of policy evaluation; treat the ability to author policies that use this function as equivalent to the ability to load arbitrary classes on the server.

object-to-string

  • URI: urn:bea:xacml:2.0:function:object-to-string

  • Input Type: bea:Object

  • Return Type: string

  • Description: This function takes a single argument of type bea:Object, invokes java.lang.Object.toString() on the argument value, and returns the result as a string.

object-to-double

  • URI: urn:bea:xacml:2.0:function:object-to-double

  • Input Type: bea:Object

  • Return Type: double

  • Description: This function takes a single argument of type bea:Object and returns the value as a double. If the bea:Object is an instance of java.lang.Double, then its value is used directly. If the bea:Object is an instance of java.lang.Number, then this function invokes Number.doubleValue() on the value. Otherwise, this function converts the bea:Object to a java.lang.String and parses the String into a double.

object-to-integer

  • URI: urn:bea:xacml:2.0:function:object-to-integer

  • Input Type: bea:Object

  • Return Type: integer

  • Description: This function takes a single argument of type bea:Object and returns the value as an integer. If the bea:Object is an instance of java.lang.Integer, then its value is used directly. If the bea:Object is an instance of java.lang.Number, then this function invokes Number.intValue() on the value. Otherwise, this function converts the bea:Object to java.lang.String and parses the String into an integer.

Object Comparisons

Table A-11 lists the functions that Oracle provides to compare Java objects.

Table A-11 WebLogic Server Object Comparisons

Function Description

object-is-null

  • URI: urn:bea:xacml:2.0:function:object-is-null

  • Input Type: bea:Object

  • Return Type: boolean

  • Description: This function takes a single argument of type bea:Object and returns a boolean value indicating whether the object reference is equal to the Java keyword null. If there is no object that corresponds to the given object reference, this function returns true.

object-equal

object-greater-than

  • URI: urn:bea:xacml:2.0:function:object-greater-than

  • Input Type: bea:Object, bea:Object

  • Return Type: boolean

  • Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is greater than the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.

object-greater-than-or-equal

  • URI: urn:bea:xacml:2.0:function:object-greater-than-or-equal

  • Input Type: bea:Object, bea:Object

  • Return Type: boolean

  • Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is greater than or equal to the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.

object-less-than

  • URI: urn:bea:xacml:2.0:function:object-less-than

  • Input Type: bea:Object, bea:Object

  • Return Type: boolean

  • Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is less than the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.

object-less-than-or-equal

  • URI: urn:bea:xacml:2.0:function:object-less-than-or-equal

  • Input Type: bea:Object, bea:Object

  • Return Type: boolean

  • Description: This function takes two arguments of type bea:Object and returns a boolean value indicating whether the first bea:Object is less than or equal to the second bea:Object. The two bea:Objects must implement java.lang.Comparable, else the evaluation is indeterminate.

object-collection-contains

  • URI: urn:bea:xacml:2.0:function:object-collection-contains

  • Input Type: bea:Object, bea:Object

  • Return Type: boolean

  • Description: This function takes two arguments of type bea:Object and returns a boolean that indicates whether the first bea:Object contains the second bea:Object, as determined by Collection.contains(). The first bea:Object must implement java.util.Collection, else the evaluation is indeterminate.

    For information about the Collection.contains() method, see http://docs.oracle.com/javase/8/docs/api/java/util/Collection.html#contains-java.lang.Object-.

object-collection-contains-all

  • URI: urn:bea:xacml:2.0:function:object-collection-contains-all

  • Input Type: bea:Object, bea:Object

  • Return Type: boolean

  • Description: This function takes two arguments of type bea:Object and returns a boolean that indicates whether the first bea:Object contains all of the second bea:Object as determined by Collection.containsAll(). Both bea:Objects must implement java.util.Collection, else the evaluation is indeterminate.

    For information about the Collection.containsAll() method, see http://docs.oracle.com/javase/8/docs/api/java/util/Collection.html#containsAll-java.util.Collection-.

String Comparisons and Manipulations

Table A-12 lists the functions that Oracle provides to compare and manipulate strings.

Table A-12 WebLogic Server String Comparisons and Manipulations

Function Description

string-char-at

  • URI: urn:bea:xacml:2.0:function:string-char-at

  • Input Type: string, integer

  • Return Type: bea:Character

  • Description: This function takes two arguments of type string and integer and returns, as a bea:Character, the character at the position in the string that the integer indicates.

string-compare-to-ignore-case

  • URI: urn:bea:xacml:2.0:function:string-compare-to-ignore-case

  • Input Type: string, string

  • Return Type: integer

  • Description: This function takes two arguments of type string and returns an integer that indicates how the two string arguments compare:

    • 0 if the strings are identical

    • Less than 0 if the first string lexically precedes the second string

    • Greater than 0 if the first string lexically follows the second string

    Comparisons are performed without considering case.

string-contains

  • URI: urn:bea:xacml:2.0:function:string-contains

  • Input Type: string, string

  • Return Type: boolean

  • Description: This function takes two arguments of type string and returns a boolean value that indicates whether the first string contains the value of the second string as a substring.

string-starts-with

  • URI: urn:bea:xacml:2.0:function:string-starts-with

  • Input Type: string, string

  • Return Type: boolean

  • Description: This function takes two arguments of type string and returns a boolean value that indicates whether the first string value starts with the value of the second string.

string-ends-with

  • URI: urn:bea:xacml:2.0:function:string-ends-with

  • Input Type: string, string

  • Return Type: boolean

  • Description: This function takes two arguments of type string and returns a boolean that indicates whether the first string value ends with the value of the second string.

string-length

  • URI: urn:bea:xacml:2.0:function:string-length

  • Input Type: string

  • Return Type: integer

  • Description: This function takes a single argument of type string and returns an integer that indicates the length of the string value.

string-replace

  • URI: urn:bea:xacml:2.0:function:string-replace

  • Input Type: string, bea:Character, bea:Character

  • Return Type: string

  • Description: This function takes three arguments of type string, bea:Character, and bea:Character, replaces in the string all instances of the first bea:Character value with the value of the second bea:Character, and returns the result as a string.

string-substring

  • URI: urn:bea:xacml:2.0:function:string-substring

  • Input Type: string, integer, integer

  • Return Type: string

  • Description: This function takes three arguments of type string, integer, and integer, and returns the substring of the string argument that begins at the index given by the first integer argument (inclusive) and ends at the index given by the second integer argument (exclusive).

string-normalize-to-upper-case

  • URI: urn:bea:xacml:2.0:function:string-normalize-to-upper-case

  • Input Type: string

  • Return Type: string

  • Description: This function takes a single argument of type string, normalizes it to upper case, and returns the result as a string.
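A typical use of the functions in Table A-12 is a prefix match on a subject identifier that must not depend on how the identifier happens to be cased. The policy below is an added example for this page, not code from the WebLogic documentation or from Oracle: it normalizes the subject-id to upper case with string-normalize-to-upper-case and then applies string-starts-with, so that svc_backup, Svc_Backup and SVC_BACKUP are all caught by one deny rule. The "SVC_" naming convention for service accounts and the PolicyId are assumed; subject-id and string-one-and-only are standard XACML identifiers.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the WebLogic documentation. The "SVC_" prefix
     convention for service accounts and the PolicyId are assumed. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:no-service-accounts"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>

  <!-- Deny when the subject-id, normalized to upper case, starts with "SVC_".
       The normalization is applied to the attribute, not the literal, so the
       literal must be written in upper case. -->
  <Rule RuleId="deny-service-accounts" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:bea:xacml:2.0:function:string-starts-with">
        <Apply FunctionId="urn:bea:xacml:2.0:function:string-normalize-to-upper-case">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <SubjectAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SVC_</AttributeValue>
      </Apply>
    </Condition>
  </Rule>

  <!-- Every other subject falls through to this rule. -->
  <Rule RuleId="permit-rule" Effect="Permit"/>
</Policy>
```

The argument order of string-starts-with is the string being tested first and the prefix second. If subject-id is absent or carries more than one value, string-one-and-only evaluates to Indeterminate rather than to a non-match, so the deny rule does not produce Deny on its own in that case; check how the combining algorithm in use handles an Indeterminate rule before relying on this pattern as a hard block.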

Rule and Policy-Combining Algorithm

If multiple PolicySets apply to a decision, their results are combined using the following algorithm:

urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides