Reference for XACML on WebLogic Server

A Reference for XACML on WebLogic Server

Understand the extensions that you can use when writing XACML 2.0 documents to protect resources on WebLogic Server and the restrictions that WebLogic Server places on XACML. The eXtensible Access Control Markup Language (XACML) is an XML language for expressing authorization policies and role assignments. XACML offers extension points so that vendors such as Oracle can express vendor-specific resources, data types, and functions in XACML.

The WebLogic Server XACML Authorization Provider and XACML Role Mapping Provider:

Implement and extend the OASIS XACML 2.0 Core Specification, available at http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
Partially implement the Core and Hierarchical Role Based Access Control (RBAC) Profile of XACML 2.0, described in the OASIS RBAC specification at http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf

This appendix includes the following sections:

This document describes only the WebLogic Server extensions and restrictions for XACML. For a complete reference of the XACML 2.0 language, see the OASIS XACML 2.0 Core Specification and the OASIS RBAC specification.

Comparison of WebLogic Server and XACML Security Models

The WebLogic Server model for representing resources and policies follows the model of Java EE deployment descriptors. This Java EE model creates a hierarchy of resources in which roles and authorization policies at the top of the hierarchy protect resources that are lower in the hierarchy. (See Protecting a Hierarchy of Resources.) Policies lower in a hierarchy always override policies higher in the hierarchy. The higher levels of the resource hierarchy contain enterprise applications, Web applications, and EJBs. The lowest levels of the resource hierarchy contain EJB methods, HTTP methods on specific URL patterns, and MBean getters and setters.

The XACML model also recognizes a hierarchy of resources. Unlike the native WebLogic Server model, your XACML policies must specify how to interpret cases in which a resource is protected by its own policy and by a policy on the resource's parent or ancestor.

In addition, a XACML document typically distinguishes between a resource and the actions of a resource. For example, a XACML document defines a resource such as an EJB, and then defines an action within the EJB resource to represent a method in the EJB. The native WebLogic Server model considers an EJB and each EJB method to be resources. See Figure A-1.

Figure A-1 WebLogic Resource Hierarchy Includes Methods

Description of "Figure A-1 WebLogic Resource Hierarchy Includes Methods"

While it is possible to describe an action such as an EJB method as a XACML resource, a more natural expression in XACML would define an EJB as a resource and an EJB method as an action within the resource.

Comparison of Terminology

The WebLogic Server terminology for describing resources and policies follows the model of Java EE deployment descriptors. This Java EE model uses the following terms to describe key concepts:

Role, which contains one or more conditions that describe which users or groups are in the role at any given time. A role expression is a collection of conditions and the name of a user or group whom the conditions add to the role. The collection of expressions is the role statement.
Policy, which contains one or more conditions that describe who can access a resource at any given time. A policy expression is a collection of conditions and the name of a user, group, or role whom the conditions allow access. The collection of expressions is the policy statement.

In XACML, a set of rules comprise a policy, and policies can be used to determine who is in a role or who can access a resource. In general, a XACML policy is equivalent to a role statement or policy statement in WebLogic Server.

Description of Data Types

Oracle implements support for all of the data types that are required by the XACML core specification. It supports additional, standard XML data types and provides a group of custom data types. This document uses the bea: prefix to indicate that a data type is a custom Oracle type.

For a description of all data types that the WebLogic XACML providers recognize, see com.bea.common.security.xacml.Type in Java API Reference for Oracle WebLogic Server.

Action Identifiers

XACML uses an Action element to identify an operation in a resource or a hierarchy of resources.

WebLogic Server supports all of the XACML Action identifiers, as described in the XACML 2.0 Core Specification, and adds support for an additional one that can appear anywhere that a standard XACML environment identifier can appear.

To identify operations in WebLogic Server resources (for example, to identify a specific EJB method), use action identifiers as described in Table A-1.

Note:

While it is possible to use a resource identifier to describe an operation such as an EJB method, a more natural expression in XACML would use an action identifier. See Comparison of WebLogic Server and XACML Security Models.

Table A-1 Action Identifiers

To Identify... Use This Identifier...

To Identify...	Use This Identifier...
An operation	Attribute ID: `urn:oasis:names:tc:xacml:1.0:action:action-id` Data Type: `string` Value: Depends on the type of resource that contains the operation. See Table A-2.
When the provider performs a security check	Attribute ID: `urn:bea:xacml:2.0:action:direction` Data Type: `string` Values: `ONCE`, `PRIOR`, or `POST` The WebLogic Security SPI contains an optional feature that enables containers to specify when a provider performs a security check on a request: `ONCE` requests an authorization check once with no preference of whether it is done before or after an operation. `PRIOR` requests an authorization check prior to processing the request. `POST` requests an authorization check after the request has been processed but before the results have been returned. You can use this `direction` identifier to match requests that have been checked `ONCE`, `PRIOR`, or `POST`. See `weblogic.security.spi.Direction` in the Java API Reference for Oracle WebLogic Server, which is the object type that is used to pass `ONCE`, `PRIOR`, or `POST` to the security provider. Note: Using a Direction object in a decision is optional for Authorization providers. The WebLogic Server XACML Authorization provider supports only the `ONCE` value.

An operation

Attribute ID: urn:oasis:names:tc:xacml:1.0:action:action-id
Data Type: string
Value: Depends on the type of resource that contains the operation. See Table A-2.

When the provider performs a security check

Attribute ID: urn:bea:xacml:2.0:action:direction
Data Type: string
Values: ONCE, PRIOR, or POST

The WebLogic Security SPI contains an optional feature that enables containers to specify when a provider performs a security check on a request:

ONCE requests an authorization check once with no preference of whether it is done before or after an operation.
PRIOR requests an authorization check prior to processing the request.
POST requests an authorization check after the request has been processed but before the results have been returned.

You can use this direction identifier to match requests that have been checked ONCE, PRIOR, or POST.

See weblogic.security.spi.Direction in the Java API Reference for Oracle WebLogic Server, which is the object type that is used to pass ONCE, PRIOR, or POST to the security provider.

Note: Using a Direction object in a decision is optional for Authorization providers. The WebLogic Server XACML Authorization provider supports only the ONCE value.

Table A-2 describes the value that you specify for the action-id identifier.

Table A-2 Value for the action-id Identifier

If the operation is in this resource type...	Specify...
Admin	The name of an administrative activity that is protected by an Admin resource. For example, `UserLockout`. For a list of valid values, see the action parameter for the `weblogic.security.service.AdminResource` constructor in the Java API Reference for Oracle WebLogic Server.
Application	The name of the application as displayed in the WebLogic Remote Console.
Control	The name of a method in a Java control. Java controls are reusable components that you can create and use anywhere within a WebLogic Platform application.
EJB	The name of an EJB method. For example, `mymethod`. If the method is overloaded, all methods with the specified method name will be matched.
JDBC	The name of an administrative activity that is protected by a JDBC resource. For a list of valid values, see the `action` parameter for the `weblogic.security.service.JDBCResource` constructor in the Java API Reference for Oracle WebLogic Server.
JMS	The name of an administrative activity that is protected by a JMS resource. For a list of valid values, see the `action` parameter for the `weblogic.security.service.JMSResource` constructor in the Java API Reference for Oracle WebLogic Server.
JMX	The name of an operation in a WebLogic Server MBean. For example, `shutdown`.
JNDI	The name of an administrative activity that is protected by a JNDI resource. For a list of valid values, see the `action` parameter for the `weblogic.security.service.JNDIResource` constructor in the Java API Reference for Oracle WebLogic Server.
Server	The name of a server life cycle activity that is protected by a Server resource. For example, `boot`. For a list of valid values, see Server Resources.
URL	The name of an HTTP method. For example, `POST`.
Web Service	The name of a Web Service method. For example, `mymethod`.
Work Context	The name of an administrative activity that is protected by a Work Context resource. For a list of valid values, see the `action` parameter for the `weblogic.security.service.WorkContextResource` constructor in the Java API Reference for Oracle WebLogic Server.
All others	The following string: `access`

Examples

The following example uses an Action element to specify that the target is mymethod within the SimpleSoap Web Service.

Note:

When specifying values in the <AttributeValue> element, you must not include extraneous space characters. In particular:

Do not precede the first value with more than a single space character.
When specifying multiple values, do not separate each value by more than a single space character.
Make sure there are no space characters that follow the last value.

For example:

<AttributeValue datatype>value1, value2, value3</AttributeValue>

<Target>
  <Resources>
   <Resource>
   <ResourceMatch
    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;webservices&gt;, application=webservicesJwsSimpleEar,contextPath=/jws_basic_simple, webService=SimpleSoapPort</AttributeValue>
    <ResourceAttributeDesignator
     AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
     DataType="http://www.w3.org/2001/XMLSchema#string"
     MustBePresent="true"/>
   </ResourceMatch>
  </Resource>
  </Resources>
  <ActionMatch
    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mymethod</AttributeValue>
     <ActionAttributeDesignator
      AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
      DataType="http://www.w3.org/2001/XMLSchema#string"
      MustBePresent="true"/>
  </ActionMatch>
</Target>

Environment Identifiers

XACML uses an optional Environment element to describe conditions in the operating environment that must be met before providing access to a target. For example, an Environment element can specify a time and date range within which access is allowed.

WebLogic Server supports all of the XACML Environment identifiers (see the OASIS XACML 2.0 Core Specification at http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf) and adds support for an additional one that can appear anywhere that a standard XACML environment identifier can appear. Table A-3 lists and provides the values that can be specified for identifiers that can be used to hold values that the container passes to the provider.

Table A-3 WebLogic Server Environment Identifiers

Identifier Value and Description

Identifier	Value and Description
Attribute ID	`urn:bea:xacml:2.0:environment:context:key` In this identifier, `key` specifies a `ContextHandler` element name as defined in ContextHandlers and WebLogic Resources in Developing Security Providers for Oracle WebLogic Server. A `ContextHandler` is a WebLogic class that obtains additional context and container-specific information from the resource container and represents the information as a list of name/value pairs.
Data Type	`bea:Object`, `string`, or `double`
Value	The value of the `ContextHandler` element that you want to match.

Attribute ID

urn:bea:xacml:2.0:environment:context:key

In this identifier, key specifies a ContextHandler element name as defined in ContextHandlers and WebLogic Resources in Developing Security Providers for Oracle WebLogic Server. A ContextHandler is a WebLogic class that obtains additional context and container-specific information from the resource container and represents the information as a list of name/value pairs.

Data Type

bea:Object, string, or double

Value

The value of the ContextHandler element that you want to match.

Examples

The following example uses an Environment element to match value of a WebLogic Server listen port. Such an element could create a policy that requires a request to come through listen port 9001:

<Environment>
   <EnvironmentMatch
      MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal"> 
      <EnvironmentAttributeDesignator
           AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.cont
           extelement.channel.Port"
            DataType="http://www.w3.org/2001/XMLSchema#double"/> 
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">9001</AttributeValue>
   </EnvironmentMatch> 
</Environment>

Policy and PolicySet Identifiers

XACML uses a Policy element to contain one or more rules and a PolicySet element to contain one or more policies. Each element must include the PolicySetId attribute to provide a unique identification. The XACML specification requires PolicySetId identifiers to be legal URI values.

XACML documents use the PolicySetId to include a specific Policy or PolicySet element within another PolicySet element. WebLogic Server uses the PolicySetId as the key in the Authorization provider or Role Mapping provider's policy store.

WebLogic Server reserves URI values beginning with urn:bea: for its internal use. While you cannot create your own policies with URIs that begin with urn:bea:, you can use these values to include Oracle's policies in your policy sets.

Examples

The following example is a valid identifier for a Policy element:

<Policy
    PolicyId="urn:mycompany:myapplication:policyid:1"
...>

The following example is a valid reference to the Policy element above:

<PolicyIdReference>
    urn:mycompany:myapplication:policyid:1
</PolicyIdReference>

Resource Identifiers

XACML uses a Resource element to represent data, a service, or a system component.

WebLogic Server supports all of the XACML Resource identifiers, as described in the XACML 2.0 Core Specification.

To identify a WebLogic Server resource, use resource identifiers as described in Table A-4. For information about WebLogic Server resources, see Resource Types You Can Secure with Policies.

Table A-4 WebLogic Server Resource Identifiers

To identify a...	Use the following identifier...
Resource	Attribute ID: `urn:oasis:names:tc:xacml:1.0:resource:resource-id` Data Type: `string` Value: A collection of name and value pairs that specify the WebLogic Server resource type and the location of the resource in the WebLogic Server resource hierarchy. WebLogic Server generates these identifiers. Note that a policy that uses this identifier will not protect resources that are below the specified resource. For example, if you use this identifier for a policy on a Web Service module, the policy will not protect methods within the Web Service. See Get the ID of the Resource to Secure.
Resource and its ancestors	Attribute ID: `urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self` Data Type: `string` Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers. See Get the ID of the Resource to Secure.
Parent of a resource	Attribute ID: `urn:oasis:names:tc:xacml:1.0:resource:resource-parent` Data Type: `string` Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers. See Get the ID of the Resource to Secure.
Ancestor of a resource	Attribute ID: `urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor` Data Type: `string` Values: A collection of name and value pairs that specify a WebLogic Server resource type. WebLogic Server generates these identifiers. See Get the ID of the Resource to Secure.

Examples

The following example Resource element matches a Web Service named SimpleSoapPort and all methods within that Web Service:

<Resource>
   <ResourceMatch
    MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;webservices&gt;, application=webservicesJwsSimpleEar, contextPath=/jws_basic_simple, webService=SimpleSoapPort</AttributeValue>
    <ResourceAttributeDesignator
     AttributeId="urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
     DataType="http://www.w3.org/2001/XMLSchema#string"
     MustBePresent="true"/>
   </ResourceMatch>
</Resource>

Subject Identifiers

XACML uses a Subject element to represent an actor whose attributes may be referenced by a predicate.

WebLogic Server supports all of the XACML Subject identifiers, as described in the XACML 2.0 Core Specification.

To identify a WebLogic Server user, group, or role as defined in a WebLogic Server realm, use subject identifiers as described Table A-5.

Table A-5 WebLogic Subject Identifiers

To identify a...	Use the following identifier...
User principal	Attribute ID: `urn:oasis:names:tc:xacml:1.0:subject:subject-id` Data Type: `string` Value: Name of a WebLogic Server user principal.
Group principal	Attribute ID: `urn:oasis:names:tc:xacml:2.0:subject:group` Data Type: `string` Values: Name of a WebLogic Server group principal.
Role	Attribute ID: `urn:oasis:names:tc:xacml:2.0:subject:role` Data Type: `string` Values: Names of one or more roles as resolved by a XACML Role Mapping provider. Note: WebLogic Server supports only a subset of the RBAC Profile specification, which is the specification that defines this attribute.
Subject who has signed a SOAP document	Attribute ID: `urn:bea:xacml:2.0:subject:context:com.bea.contextelement.webservice.Integrity{{namespace}element}` where `namespace` and `element` are the namespace and element that was signed. For example: `urn:bea:xacml:2.0:subject:context:com.bea. contextelement.webservice.Integrity{{ http://schemas.xmlsoap.org/soap/envelope/}Body}` Data Type: `string` Values: The Java subject who has signed the element (either user ID or group ID).

Examples

For an example of a XACML document that uses identifiers from Table A-7 to define a security role that can be used to protect access to a Web Service, see Example 7-2.

WebLogic Server Functions for XACML

The following sections describe the functions that the WebLogic Server XACML providers support in addition to the functions described in the XACML Core Specification:

Custom Data Type Variants

The following function identifiers specify functions that are direct ports of standard XACML functions and operate on XML and WebLogic Server data types long, float, decimal and bea:Character. For a description of these data types, see com.bea.common.security.xacml.Type in Java API Reference for Oracle WebLogic Server.

In this list, type refers to the names of the data types (long, float, decimal or character):

urn:bea:xacml:2.0:function:type-equal
urn:bea:xacml:2.0:function:type-greater-than
urn:bea:xacml:2.0:function:type-greater-than-or-equal
urn:bea:xacml:2.0:function:type-less-than
urn:bea:xacml:2.0:function:type-less-than-or-equal
urn:bea:xacml:2.0:function:type-one-and-only
urn:bea:xacml:2.0:function:type-bag-size urn:bea:xacml:2.0:function:type-is-in
urn:bea:xacml:2.0:function:type-bag urn:bea:xacml:2.0:function:type-intersection
urn:bea:xacml:2.0:function:type-union
urn:bea:xacml:2.0:function:type-at-least-one-member-of
urn:bea:xacml:2.0:function:type-subset
urn:bea:xacml:2.0:function:type-set-equals

For information on functions that compare bea:Objects, see Object Comparisons.

Examples

The following example is a Condition that uses urn:bea:xacml:2.0:function:character-equal to compare two bea:characters:

<Condition>
   <Apply FunctionId="urn:bea:xacml:2.0:function:character-equal">
     <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">Q</AttributeValue>
     <AttributeValue DataType="urn:bea:xacml:2.0:data-type:character">Q</AttributeValue>
   </Apply>
</Condition>

Miscellaneous Functions

Table A-6 lists the miscellaneous functions that WebLogic Server provides in addition to the standard XACML functions.

Table A-6 Miscellaneous WebLogic Server XACML Functions

Function	Description
`in-development-mode`	URI: `urn:bea:xacml:2.0:function:in-development-mode` Input Type: `null` Return Type: `boolean` Description: This function takes no arguments and returns true if the WebLogic Server instance that hosts the realm is in development mode See Creating a WebLogic Domain in Creating WebLogic Domains Using the Configuration Wizard.
`instance-method`	URI: `urn:bea:xacml:2.0:function:instance-method` Input Type: `bea:Object, string, Bag of bea:Class, [bea:Object ... ]` Return Type: `bea:Object` Description: This function invokes a method on a `bea:Object` that the container makes available in the current context. The function takes the following arguments: `bea:Object`. A Java object whose method will be invoked. Use the `urn:bea:xacml:2.0:environment:context:key` environment identifier to specify the `bea:Object`. See Environment Identifiers. `string`. The method name. Bag of `bea:Class`. The Java classes that are declared in the method's signature. Use Oracle's `string-to-class` function to create the required classes. See Object Type Conversions. Zero or more `bea:Objects`. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions. The function returns the return value of the invoked method as a `bea:Object`. Methods that return void may not be invoked.
`instance-method-match`	URI: `urn:bea:xacml:2.0:function:instance-method-match` Input Type: `bea:Object, string, [bea:Object ... ]` Return Type: `bea:Object` Description: This function invokes a method on a `bea:Object` that the container makes available in the current context. The function takes the following arguments: `bea:Object`. A Java object whose method will be invoked. Use the `urn:bea:xacml:2.0:environment:context:key` environment identifier to specify the `bea:Object`. See Environment Identifiers. `string`. The method name. Zero or more `bea:Objects`. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions. This function uses the method name and the class types of the parameter `bea:Objects` to find the appropriate method in the target `bea:Object`. If the target `bea:Object` does not exactly one method that matches the parameters, then the function result is indeterminate. The function returns the return value of the invoked method as a `bea:Object`. Methods that return void may not be invoked.
`instance-method-v2`	URI: `urn:bea:xacml:2.0:function:instance-method-v2` Input Type: `bea:Class, bea:Object, string, Bag of bea:Class, [bea:Object ... ]` Return Type: `bea:Object` Description: This function invokes a method on a `bea:Object` that the container makes available in the current context. The function takes the following arguments: `bea:Class`. The class type of the `bea:Object`. Use Oracle's `string-to-class` function to create the class. See Object Type Conversions. `bea:Object`. A Java object whose method will be invoked. Use the `urn:bea:xacml:2.0:environment:context:key` environment identifier to specify the `bea:Object`. See Environment Identifiers. `string`. The method name. Bag of `bea:Class`. The Java classes that are declared in the method's signature. Use Oracle's `string-to-class` function to create the required classes. See Object Type Conversions. Zero or more `bea:Objects`. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions. The function returns the return value of the invoked method as a `bea:Object`. Methods that return void may not be invoked.
`instance-method-match-v2`	URI: `urn:bea:xacml:2.0:function:instance-method-match-v2` Input Type: `bea:Class, bea:Object, string, [bea:Object ... ]` Return Type: `bea:Object` Description: This function uses the class type of the `bea:Object`, method name, and the class types of the parameter `bea:Objects` to find the appropriate method in the target `bea:Object`. If the target `bea:Object` does not contain exactly one method that matches the parameters, then the function result is indeterminate. The function takes the following arguments: `bea:Class`. The class type of the `bea:Object`. Use Oracle's `string-to-class` function to create the class. See Object Type Conversions. `bea:Object`. A Java object whose method will be invoked. Use the `urn:bea:xacml:2.0:environment:context:key` environment identifier to specify the `bea:Object`. See Environment Identifiers. `string`. The method name. Zero or more `bea:Objects`. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions. The function returns the return value of the invoked method as a `bea:Object`. Methods that return void may not be invoked.
`instance-method-match-v3`	URI: `urn:bea:xacml:2.0:function:instance-method-match-v3` Input Type: `string, bea:Object, string, Bag of string,[bea:Object... ]` Return Type: `bea:Object` Description: This function uses the class name of the `bea:Object`, method name, and the class types of the parameter `bea:Objects` to find the appropriate method in the target bea:Object. If the target `bea:Object` does not contain exactly one method that matches the parameters, then the function result is indeterminate. This function invokes uses the Java reflection API to invoke a method on a specified `bea:Object`. The function takes the following arguments: `String`. The name of the `bea:Object`'s class type. `bea:Object`. A Java object whose method will be invoked. Use the `urn:bea:xacml:2.0:environment:context:key` environment identifier to specify the bea:Object. See Environment Identifiers. `String`. The method name. Bag of `string`. The class names of the parameters in the method signature. Zero or more `bea:Objects`. Each object contains a parameter value to pass to the method. Use Oracle's object conversion functions to create the required objects. See Object Type Conversions. The function returns the return value of the invoked method as a `bea:Object`. Methods that return void may not be invoked.

Example

The following policy uses the instance-method function to invoke the HttpServletRequest.getAuthType() method on requests that match a specific URL pattern (see javax.servlet.http.HttpServletRequest.getAuthType() in the Java EE 8 Platform API Specification, available at https://javaee.github.io/javaee-spec/javadocs/javax/servlet/http/HttpServletRequest.html). The WebLogic Server ContextHandler makes this HttpServletRequest object available to the Authorization and Role Mapping providers for all requests that come through the servlet container. Any policy for a URL resource can invoke this or other HttpServletRequest methods.

Example A-1 Policy That Invokes HttpServletRequest.getAuthType()

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
   PolicyId="urn:sample:xacml:2.0:function:instance-method"
   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:
     first-applicable">
  <Description>function:instance-method</Description>
  <Target>
    <Resources>
      <Resource>
         <ResourceMatch
            MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">type=&lt;url&gt;, application=MedRecEAR, contextPath=,uri=/docs/*</AttributeValue>
             <ResourceAttributeDesignator
               AttributeId="urn:oasis:names:tc:xacml:2.0:resource:
                  resource-ancestor-or-self"
               DataType="http://www.w3.org/2001/XMLSchema#string"
                MustBePresent="true"/>
         </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <!-- Declaring the instance-method function as a variable because this policy
       invokes it multiple times.
  -->
  <VariableDefinition VariableId="authType">
    <Apply FunctionId="urn:bea:xacml:2.0:function:instance-method">
      <!-- Passing the HttpServletRequest object to the function, which the
           BEA ContextHandler makes available to the security framework.
      -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:object-one-and-only">
        <EnvironmentAttributeDesignator 
           DataType="urn:bea:xacml:2.0:data-type:object"
           AttributeId="urn:bea:xacml:2.0:environment:context:com.bea.
              contextelement.servlet.HttpServletRequest" />
      </Apply>
      <!--  Passing "getAuthType()" as the name of the HttpServletRequest 
             method to invoke 
      -->
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">getAuthType</AttributeValue>
      <!-- Because the getAuthType() method signature contains no parameters,
           pass an empty bag of Class.
      -->
      <Apply FunctionId="urn:bea:xacml:2.0:function:class-bag" />
    </Apply>
  </VariableDefinition>
  <!-- Creating a rule that allows access to the resource only if
       the getAuthType() returns a non-null value and if the non-null
       value is "CLIENT_CERT"
  -->
  <Rule RuleId="primary-rule" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:bea:xacml:2.0:function:object-is-null">
            <VariableReference VariableId="authType" />
          </Apply>
        </Apply>
        <Apply
           FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
           <!-- Because the instance-method function returns a bea:Object, 
                 this policy wraps the function in an object-to-string function,
                 which enables comparison a of the function output with another
                 string.
           -->
           <Apply FunctionId="urn:bea:xacml:2.0:function:object-to-string">
              <VariableReference VariableId="authType" />
           </Apply>
           <!--  Declaring a String object to compare to the
                 HttpServletRequest.getAuthType() return value. 
           -->
           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLIENT_CERT</AttributeValue>
         </Apply>
       </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-rule" Effect="Deny" />
</Policy>

Time/Date Conversions

Table A-7 lists the functions that Oracle provides to convert XACML times and dates to different data types.

Table A-7 WebLogic Server Time/Date Conversions

Function	Description
`dateTime-dayOfMonth`	URI: `urn:bea:xacml:2.0:function:dateTime-dayOfMonth` Input Type: `dateTime` Return Type: `integer` Description: This function takes a single argument of type `dateTime` and returns an integer value that represents the day of month implied by the `dateTime` input. The first day of the month is represented with a value of 1.
`dateTime-dayOfMonthMaximum`	URI: `urn:bea:xacml:2.0:function:dateTime-dayOfMonthMaximum` Input Type: `dateTime` Return Type: `integer` Description: This function takes a single argument of type `dateTime` and returns an integer value that represents the value of the last day of the month. For example, if the `dateTime` describes a time in the month of December, the function returns 31 (because December has a maximum of 31 days). This function adjusts the value returned for February on leap years.
`dateTime-dayOfWeek`	URI: `urn:bea:xacml:2.0:function:dateTime-dayOfWeek` Input Type: `dateTime` Return Type: `integer` Description: This function takes a single argument of type `dateTime` and returns an integer value that indicates the day of the week implied by the `dateTime` input. Sunday is the first day of the week and has a value of 1.
`dateTime-secondsOfDay`	URI: `urn:bea:xacml:2.0:function:dateTime-secondsOfDay` Input Type: `dateTime` Return Type: `integer` Description: This function takes a single argument of type `dateTime` and returns an integer value that indicates the number of whole seconds that have elapsed in the day that is indicated by the `dateTime` input.
`dayTimeDuration-timeZoneOffset`	URI: `urn:bea:xacml:2.0:function:dayTimeDuration-timeZoneOffset` Input Type: `null` Return Type: `dayTimeDuration` Description: This function takes no arguments and returns a `dayTimeDuration` value that indicates the time-zone offset between the local time and GMT time.
`string-to-dateTime`	URI: `urn:bea:xacml:2.0:function:string-to-dateTime` Input Type: `string` Return Type: `dateTime` Description: This function takes a single argument of type `string` and returns the argument as a `dateTime`.
`string-to-date`	URI: `urn:bea:xacml:2.0:function:string-to-date` Input Type: `string` Return Type: `date` Description: This function takes a single argument of type `string` and returns the argument as a `date`.
`object-to-dateTime`	URI: `urn:bea:xacml:2.0:function:object-to-dateTime` Input Type: `bea:Object` Return Type: `dateTime` Description: This function takes a single argument of type `bea:Object` and returns the value as a `dateTime` object. If the `bea:Object` is an instance of `java.util.Calendar`, then its value is returned directly. If the `bea:Object` is an instance of `java.security.Timestamp` or `java.util.Date`, this function converts the `bea:Object` to `java.util.Calendar` and returns the `Calendar` value. Otherwise, this function converts the `bea:Object` to `java.lang.String` and parses the `String` into a `dateTime` value.
`object-to-date`	URI: `urn:bea:xacml:2.0:function:object-to-date` Input Type: `bea:Object` Return Type: `date` Description: This function takes a single argument of type `bea:Object` and returns the value as a `date` object. If the `bea:Object` is an instance of `java.util.Calendar`, then its value is returned directly. If the `bea:Object` is an instance of `java.util.Date`, this function converts the `bea:Object` to `java.util.Calendar` and returns the `Calendar` value. Otherwise, this function converts the `bea:Object` to `java.lang.String` and parses the `String` into a `date` value.

Arithmetic Conversions and Functions

Table A-8 lists the functions that Oracle provides to convert arithmetic values to different Input Types and to extend the basic set of arithmetic functions specified by XACML.

Table A-8 WebLogic Server Arithmetic Conversions and Functions

Function	Description
`float-to-double`	URI: `urn:bea:xacml:2.0:function:float-to-double` Input Type: `float` Return Type: `double` Description: This function takes a single argument of type `float` and returns the argument as a `double`.
`long-to-double`	URI: `urn:bea:xacml:2.0:function:long-to-double` Input Type: `long` Return Type: `double` Description: This function takes a single argument of type `long` and returns the argument as a `double`.
`long-to-float`	URI: `urn:bea:xacml:2.0:function:long-to-float` Input Type: `long` Return Type: `float` Description: This function takes a single argument of type `long` and returns the argument as a `float`.
`integer-to-float`	URI: `urn:bea:xacml:2.0:function:integer-to-float` Input Type: `integer` Return Type: `float` Description: This function takes a single argument of type `integer` and returns the argument as a `float`.
`integer-to-long`	URI: `urn:bea:xacml:2.0:function:integer-to-long` Input Type: `integer` Return Type: `long` Description: This function takes a single argument of type `integer` and returns the argument as a `long`.
`string-to-double`	URI: `urn:bea:xacml:2.0:function:string-to-double` Input Type: `string` Return Type: `double` Description: This function takes a single argument of type `string` and returns the argument as a `double`.
`string-to-long`	URI: `urn:bea:xacml:2.0:function:string-to-long` Input Type: `string` Return Type: `long` Description: This function takes a single argument of type `string` and returns the argument as a `long`.
`string-to-integer`	URI: `urn:bea:xacml:2.0:function:string-to-integer` Input Type: `string` Return Type: `integer` Description: This function takes a single argument of type `string` and returns the argument as a `integer`.
`string-to-float`	URI: `urn:bea:xacml:2.0:function:integer-to-long` Input Type: `string` Return Type: `float` Description: This function takes a single argument of type `string` and returns the argument as a `float`.
`to-degrees`	URI: `urn:bea:xacml:2.0:function:to-degrees` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double`, converts the value from radians to degrees, and returns the degrees value as a `double`.
`to-radians`	URI: `urn:bea:xacml:2.0:function:to-radians` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double`, converts the value from degrees to radians, and returns the radians value as a `double`.
`acos`	URI: `urn:bea:xacml:2.0:function:acos` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns the arc cosine of the argument as a `double`.
`asin`	URI: `urn:bea:xacml:2.0:function:asin` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns the arc sine of the argument as a `double`.
`atan`	URI: `urn:bea:xacml:2.0:function:atan` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns the arc tangent of the argument as a `double`.
`atan2`	URI: `urn:bea:xacml:2.0:function:atan2` Input Type: `double` Return Type: `double` Description: This function takes two arguments of type double that represent the x and y coordinates of a point. It returns a double value which is the theta component of the point in polar coordinates for the r value that corresponds to the x coordinate.
`ceil`	URI: `urn:bea:xacml:2.0:function:ceil` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns a `double` value that is the smallest mathematical integer that is greater than or equal to the argument value.
`cos`	URI: `urn:bea:xacml:2.0:function:cos` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns the cosine of the argument as a `double`.
`exp`	URI: `urn:bea:xacml:2.0:function:exp` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns a `double` value that is Euler's number, `e`, raised to the power of the argument value.
`ieee-remainder`	URI: `urn:bea:xacml:2.0:function:ieee-remainder` Input Type: `double` Return Type: `double` Description: This function takes two arguments of type `double` and returns a `double` value that is the remainder operation result of the two arguments as described in the IEEE 754 standard. See `https://ieeexplore.ieee.org/document/5976968`.
`log`	URI: `urn:bea:xacml:2.0:function:log` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and the natural logarithm as a `double`.
`maximum`	URI: `urn:bea:xacml:2.0:function:maximum` Input Type: `double` Return Type: `double` Description: This function takes two arguments of type `double` and returns the larger of the two values as a `double`.
`minimum`	URI: `urn:bea:xacml:2.0:function:minimum` Input Type: `double` Return Type: `double` Description: This function takes two arguments of type `double` and returns the smaller of the two values as a `double`.
`pow`	URI: `urn:bea:xacml:2.0:function:pow` Input Type: `double` Return Type: `double` Description: This function takes two arguments of type `double` and returns a `double` value that is the result of taking the first argument value to the power of the second argument value.
`random-number`	URI: `urn:bea:xacml:2.0:function:random-number` Input Type: `double` Return Type: `double` Description: This function takes two arguments of type `double` and returns a `double` value that is a random number greater than or equal to the first argument and less than the second argument.
`rint`	URI: `urn:bea:xacml:2.0:function:rint` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns a `double` value that is the mathematical integer that is closest to the argument value. If the higher and lower integer values are equally close, then the even value is returned.
`sqrt`	URI: `urn:bea:xacml:2.0:function:sqrt` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns the square root as a `double`.
`tan`	URI: `urn:bea:xacml:2.0:function:tan` Input Type: `double` Return Type: `double` Description: This function takes a single argument of type `double` and returns the tangent as a `double`.

Object Type Conversions

WebLogic Server provides a collection of functions for converting XACML data into Java objects. The URI for each function in this collection is as follows:

urn:bea:xacml:2.0:function:type-to-object

where type is the name of a XACML data type. Table A-9 lists all data types and the Java object that the corresponding function returns.

For example, this function returns test as a java.lang.String object:

<Apply
  FunctionId="urn:bea:xacml:2.0:function:string-to-object">test</Apply>

Table A-9 Data to Java Object Conversion

When type equals...	The urn:bea:xacml:2.0:function:type-to-object function returns...
character	`java.lang.Character`
string	`java.lang.String`
boolean	`java.lang.Boolean`
integer	`java.lang.Integer`
double	`java.lang.Double`
float	`java.lang.Float`
long	`java.lang.Long`
decimal	`java.lang.Double`
base64Binary	`java.lang.Byte[]`
hexBinary	`java.lang.Byte[]`
date	`java.util.Calendar`
time	`java.util.Calendar`
dateTime	`java.util.Calendar`
dayTimeDuration	`java.lang.Long`
yearMonthDuration	`java.lang.Integer`
rfc822Name	`java.lang.String`
x500Name	`java.lang.String`
anyURI	`java.net.URI`
ipAddress	`java.lang.String`
dnsAddress	`java.lang.String`

Table A-10 lists the functions that Oracle provides to convert strings or Java objects to different data or object types. To pass objects that the container makes available to the current context, use the urn:bea:xacml:2.0:environment:context:key environment identifier to specify the bea:Object. See Environment Identifiers.

Table A-10 WebLogic Server Object Conversions

Function	Description
`string-to-class`	URI: `urn:bea:xacml:2.0:function:string-to-class` Input Type: `string` Return Type: `bea:Class` Description: This function takes a single argument of type `string`, invokes `java.lang.Class.forName()` on the argument value, and returns the result as a `bea:Class`.
`object-to-string`	URI: `urn:bea:xacml:2.0:function:object-to-string` Input Type: `bea:Object` Return Type: `string` Description: This function takes a single argument of type `bea:Object`, invokes `java.lang.Object.toString()` on the argument value, and returns the result as a `string`.
`object-to-double`	URI: `urn:bea:xacml:2.0:function:object-to-double` Input Type: `bea:Object` Return Type: `double` Description: This function takes a single argument of type `bea:Object` and returns the value as a `double`. If the `bea:Object` is an instance of `double`, then its value is used directly. If the `bea:Object` is an instance of `java.lang.Number`, then this function invokes `Number.doubleValue()` on the value. Otherwise, this function converts the `bea:Object` to a `java.lang.String` and parses the `String` into a `double`.
`object-to-integer`	URI: `urn:bea:xacml:2.0:function:object-to-integer` Input Type: `bea:Object` Return Type: `integer` Description: This function takes a single argument of type `bea:Object` and returns the value as `integer`. If the `bea:Object` is an instance of `java.lang.Integer`, then its value is used directly. If the `bea:Object` is an instance of `java.lang.Number`, then this function invokes `Number.intValue()` on the value. Otherwise, this function converts the `bea:Object` to `java.lang.String` and parses the `String` into an `integer`.

Object Comparisons

Table A-11 lists the functions that Oracle provides to compare Java objects.

Table A-11 WebLogic Server Object Comparisons

Function	Description
`object-is-null`	URI: `urn:bea:xacml:2.0:function:object-is-null` Input Type: `bea:Object` Return Type: `boolean` Description: This function takes a single argument of type `bea:Object` and returns a boolean value indicating whether the object reference is equal to the Java keyword null. If there is no object that corresponds to the given object reference, this function returns true.
`object-equal`	URI: `urn:bea:xacml:2.0:function:object-equal` Input Type: `bea:Object`, `bea:Object` Return Type: `boolean` Description: This function takes two arguments of type `bea:Object`, invokes `java.lang.Object.equals()`, and returns a `boolean` value indicating whether the two `Object`s are equal. For information about the `java.lang.Object.equals()` method, see Object in Jakarta SE and JDK API Specification.
`object-greater-than`	URI: `urn:bea:xacml:2.0:function:object-greater-than` Input Type: `bea:Object`, `bea:Object` Return Type: `boolean` Description: This function takes two arguments of type `bea:Object` and returns a `boolean` value indicating whether the first `bea:Object` is greater than the second `bea:Object`. The two `bea:Object`s must implement `java.lang.Comparable`, else the evaluation is indeterminate.
`object-greater-than-or-equal`	URI: `urn:bea:xacml:2.0:function:object-greater-than-or-equal` Input Type: `bea:Object`, `bea:Object` Return Type: `boolean` Description: This function takes two arguments of type `bea:Object` and returns a `boolean` value indicating whether the first `bea:Object` is greater than or equal to the second bea:Object. The two `bea:Object`s must implement `java.lang.Comparable`, else the evaluation is indeterminate.
`object-less-than`	URI: `urn:bea:xacml:2.0:function:object-less-than` Input Type: `bea:Object`, `bea:Object` Return Type: `boolean` Description: This function takes two arguments of type `bea:Object` and returns a `boolean` value indicating whether the first `bea:Object` is less than the second `bea:Object`. The two `bea:Object`s must implement `java.lang.Comparable`, else the evaluation is indeterminate.
`object-less-than-or-equal`	URI: `urn:bea:xacml:2.0:function:object-less-than-or-equal` Input Type: `bea:Object`, `bea:Object` Return Type: `boolean` Description: This function takes two arguments of type `bea:Object` and returns a `boolean` value indicating whether the first `bea:Object` is less than or equal to the second `bea:Object`. The two `bea:Object`s must implement `java.lang.Comparable`, else the evaluation is indeterminate.
`object-collection-contains`	URI: `urn:bea:xacml:2.0:function:object-collection-contains` Input Type: `bea:Object`, `bea:Object` Return Type: `boolean` Description: This function takes two arguments of type `bea:Object` and returns a `boolean` that indicates whether the first `bea:Object` contains the second `bea:Object,` as determined by `Collection.contains()`. The first `bea:Object` must implement `java.util.Collection`, else the evaluation is indeterminate. For information about the `Collection.contains()` method, see Interface Collection <E> in Jakarta SE and JDK API Specification .
`object-collection-contains-all`	URI: `urn:bea:xacml:2.0:function:object-collection-contains-all` Input Type: `bea:Object`, `bea:Object` Return Type: `boolean` Description: This function takes two arguments of type `bea:Object` and returns a `boolean` that indicates whether the first `bea:Object` contains all of the second `bea:Object` as determined by `Collection.containsAll()`. Both `bea:Object`s must implement `java.util.Collection`, else the evaluation is indeterminate. For information about the `Collection.containsAll()` method, see Interface Collection <E> in Jakarta SE and JDK API Specification.

String Comparisons and Manipulations

Table A-12 lists the functions that Oracle provides to compare Java objects.

Table A-12 WebLogic Server String Comparisons and Manipulations

Function	Description
`string-char-at`	URI: `urn:bea:xacml:2.0:function:string-char-at` Input Type: `string`, `integer` Return Type: `bea:Character` Description: This function takes two arguments of type `string` and `integer`, searches in the `string` for the character that is in the position indicated by the `Integer`, and returns the character as a `bea:Character`.
`string-compare-to-ignore-case`	URI: `urn:bea:xacml:2.0:function:string-compare-to-ignore-case` Input Type: `string`, `string` Return Type: `integer` This function takes two arguments of type `string` and returns an `integer` that indicates how the two string arguments compare: `0` if the strings are identical Less than `0` if the first string lexically precedes the second string Greater than `0` if the first string lexically follows the second string Comparisons are preformed without considering case.
`string-contains`	URI: `urn:bea:xacml:2.0:function:string-contains` Input Type: `string`, `string` Return Type: `boolean` Description: This function takes two arguments of type `string` and returns a `boolean` value that indicates whether the first `string` contains the value of the second `string` as a substring.
`string-starts-with`	URI: `urn:bea:xacml:2.0:function:string-starts-with` Input Type: `string`, `string` Return Type: `boolean` Description: This function takes two arguments of type `string` and returns a `boolean` value that indicates whether the first `string` value starts with the value of the second `string`.
`string-ends-with`	URI: `urn:bea:xacml:2.0:function:string-ends-with` Input Type: `string`, `string` Return Type: `boolean` Description: This function takes two arguments of type `string` and returns a `boolean` that indicates whether the first `string` value ends with the value of the second `string`.
`string-length`	URI: `urn:bea:xacml:2.0:function:string-length` Input Type: `string` Return Type: `integer` Description: This function takes a single argument of type `string` and returns an `integer` that indicates the length of the string value.
`string-replace`	URI: `urn:bea:xacml:2.0:function:string-replace` Input Type: `string`, `bea:Character`, `bea:Character` Return Type: `string` Description: This function takes three arguments of type `string`, `bea:Character`, and `bea:Character`, replaces in the `string` all instances of the first `bea:Character` value with the value of the second `bea:Character`, and returns the result as a `string`.
`string-substring`	URI: `urn:bea:xacml:2.0:function:string-substring` Input Type: `string`, `integer`, `integer` Return Type: `string` Description: This function takes three arguments of type `string`, `integer`, and `integer`, and returns a `string` that is the substring of the `string` argument from and including the index of the first `integer` argument to but excluding the index of the second `integer` argument.
`string-normalize-to-upper-case`	URI: `urn:bea:xacml:2.0:function:string-normalize-to-upper-case` Input Type: `string` Return Type: `string` Description: This function takes a single argument of type `string`, normalizes it to upper case, and returns the result as a `string`.

Rule and Policy-Combining Algorithm

If multiple PolicySets apply to a decision, their results are combined using the following algorithm:

urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides