Authorization decisions
Below are some examples of requests and responses for the four possible decisions, as well as the results returned in certain error conditions:
Decision or error condition | When | HTTP |
---|---|---|
Permit | The access request has been permitted. | HTTP 200 OK |
Deny | The access request has been denied. | HTTP 200 OK |
NotApplicable | The policy is not applicable to the access request. | HTTP 200 OK |
Indeterminate | There has been an error processing the request. | HTTP 200 OK |
Syntax error | Syntactical errors in the request. | HTTP 400 Bad Request |
Technical error | For example, when an attribute connector cannot connect to its policy information point. | HTTP 500 Internal Server Error |
Authorization decisions
Profile specifications
More information about requests and responses are available in the XACML REST, XACML JSON, and XACML Core profile specifications ,respectively.
Note: The deprecated authorization endpoint /asm-pdp/authorize is compatible with JSON Profile of XACML 3.0 Version 1.0 and XACML REST Profile Version 1.0. It is not compatible with JSON Profile of XACML 3.0 Version 1.1 or XACML REST Profile Version 1.1.
Example
The following is an example using curl (see https://curl.haxx.se/).
Preconditions
Access Decision Service is running on localhost, port 8080
TLS is not used
The Authentication property is set to
Basic
(that is, turned on)The domain property is configured with a file reference to the YAML-format configuration file provided in the appendix Authorization decisions domain file.
Note: The YAML-format authorization domain file mentioned above must be used when running the requests described below. Otherwise the sample responses listed below will not match the corresponding request.
Request
curl --data @request_permit.json -H content-type:application/xacml+json http://localhost:8080/authorize -u ads-user:secret
Explanation
The content-type
header tells Access Decision Service that the request will contain a XACML request in JSON format.
The --data
flag indicates that content is stored in a file called request_permit.json
.
Permit
Request
A sample (request_permit.json
) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.
Response
{
"Response": [
{
"Decision": "Permit"
}
]
}
Deny
Request
A sample (request_deny.json
) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.
Response
{
"Response": [
{
"Decision": "Deny"
}
]
}
NotApplicable
Request
A sample (request_notapplicable.json
) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.
Response
{
"Response": [
{
"Decision": "NotApplicable"
}
]
}
Indeterminate
Request
A sample (request_indeterminate.json
) containing a request message body for Permit is available in the appendix JSON-format request samples. It will produce the response given below.
Response
{
"Response": [
{
"Decision": "Indeterminate",
"Status": {
"StatusMessage": "urn:oasis:names:tc:xacml:1.0:function:boolean-one-and-only
expects a bag that contains a single element,got a bag with 0 elements",
"StatusCode": {
"Value": "urn:oasis:names:tc:xacml:1.0:status:processing-error"
}
}
}
]
}
XML
XML versions of the request message body samples are available in the appendix XML-format request samples.