请求中的XACML JSON强制性类别

Question

I have a doubt with respect to the 4 categories of the JSON Profile of XACML 3.0 .

When I send a request in JSON from the PEP to the PDP, does the PEP always need to send AccessSubject, Resource, Action and Enviroment to the PDP or can the PEP send any category in the JSON request?

This is the diagram JSON request .

Answer 1

A JSON request may contain any number of categories including custom categories. This applies to a XACML request whether it be encoded in JSON or XML (I am the editor of this profile and work for the company, Axiomatics , which implements it).

The JSON profile also defines 8 default categories which can be used. These category names are:

• urn:oasis:names:tc:xacml:3.0:attribute-category:resource : Resource
• urn:oasis:names:tc:xacml:3.0:attribute-category:action : Action
• urn:oasis:names:tc:xacml:3.0:attribute-category:environment : Environment
• urn:oasis:names:tc:xacml:1.0:subject-category:access-subject : AccessSubject
• urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject : RecipientSubject
• urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject : IntermediarySubject
• urn:oasis:names:tc:xacml:1.0:subject-category:codebase : Codebase
• urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine : RequestingMachine

Here is an example which only uses 3 categories and uses their shorthand notation:

{
    "Request": {
        "AccessSubject": {
            "Attribute": [
                {"AttributeId": "com.acme.user.employeeId",
                 "Value": "Alice"}
            ]},
        "Resource": {
            "Attribute": [
                {"AttributeId": "com.acme.record.recordId",
                    "Value": "123"},
                {"AttributeId": "com.acme.object.objectType",
                 "Value": "record"}
            ]},
        "Action": {
            "Attribute": [
                {"AttributeId": "com.acme.action.actionId",
                 "Value": "view"}
            ]}
    }
}