Skip to main content

The most recent patch for this version is 1.0.2.  Learn more  

JSON Parser configuration

The JSON Parser Attribute Connector is a tool that extracts values from JSON strings using JSONPathOpens in a new tab expressions. Its configuration is in XML format with the following structure:

<?xml version="1.0" encoding="UTF-8"?>
<configuration
    xmlns="http://www.axiomatics.com/attributeconnector/parser/json/configuration"
    identifier="my-json-ac-id">
    <source>
        <!-- configuration specifying the JSON source -->
    </source> 
    <mapping>
        <!-- one or more mappings associating values from the JSON source with attributes to be provided by this connector -->
        <xacmlAttribute AttributeId="authorization.status" 
                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <jsonPath>$.authorizations[?(@.id=='##1##')].status</jsonPath>
        <key>
            <xacmlAttribute AttributeId="user.name" 
                            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
                            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </key>
    </mapping>
    <!-- ...more mappings as needed --> 
</configuration>

A configuration starts with a root element named <configuration> and must contain an identifier and two sections:

  • The identifier is defined using the identifier attribute and must be globally unique, like a UUID. It serves two purposes. First, it helps identify the source of attribute values in host logs. Second, it generates unique identifiers for each attribute mapping within the configuration, used for runtime cache strategy configuration within the host engine.
  • The source section (<source>) specifies the source of the JSON data to be processed. It can be:
    • An XACML attribute value provided by the host.
    • The contents of a file within the host environment.
    • A literal token value embedded in the configuration.
  • The mapping section contains multiple <mapping> elements, each associating an XACML attribute with a value within the JSON source. These mappings define the attributes the connector can provide to the host.

Source section

The source section is mandatory in every configuration and specifies the source of the JSON data to be processed. The sources can be:

  • The value of an XACML attribute

    The value is dynamically provided by the connector host for each policy evaluation. For example:

    <source>
      <xacmlAttribute AttributeId="user.data" 
                      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" 
                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </source>

  • The contents of a file within the environment of the connector host

    The value is read from a file during configuration and remains constant for all policy evaluations during the connector's lifetime. For example:

    <source>
      <json src="/secret/global-static-data.json"/>
    </source>

  • A literal JSON value embedded in the configuration

    The value is embedded within the configuration and remains constant for all policy evaluations during the connector's lifetime. For example:

    <source>
      <json>
        { "alice": { "role": "manager" } }
      </json>
    </source>

Optionally, the source section can include an encoded attribute. This indicates if the source content is base64-encoded instead of plain text. The default is false.

The following example showcases literal base64-encoded JSON content embedded within the configuration:

<source encoded="true">
  <json>eyJyb2xlIjoibWFuYWdlciJ9</json>
</source>

In the example above, the eyJyb2xlIjoibWFuYWdlciJ9 string decodes into {"role":"manager"}.

Mapping section

The mapping section contains multiple <mapping> elements, each outlining an attribute the connector can offer to the host. These mappings pair an XACML attribute with a value found within the JSON source. Each <mapping> element includes the following:

xacmlAttribute

The <xacmlAttribute> element contains the following attributes:

AttributeDescriptionMandatory
AttributeIdIndicates the XACML identifier of the attribute. For example, pip.payload.Yes
CategoryIndicates the category to which the XACML attribute belongs. For example, urn:oasis:names:tc:xacml:1.0:subject-category:access-subject.Yes
DataTypeIndicates the data type of the XACML attribute. For example, http://www.w3.org/2001/XMLSchema#string.Yes
IssuerIndicates the attribute's issuer but is rarely used.No

jsonPath

The <jsonPath> element contains a JSONPath expression specifying values to be collected from the JSON source.

note

The full reference for JSONPath can be found in the JSONPath - XPath for JSONOpens in a new tab webpage.

To make it adaptable, you can introduce parameters into the expression using placeholder variables in the format ##index##, where "index" denotes a number beginning at 1. For instance, $.authorizations[?(@.id=='##1##')].status demonstrates a parameterized expression.

key

This section defines a sequence of zero or more <key> elements. Each <key> represents an XACML attribute required to complete an expression using placeholder variables.

Each <key> element contains exactly one <xacmlAttribute> element, which follows the same structure described previously.

Mapping attributes

Additionally, the <mapping> element has two attributes:

AttributeDescriptionMandatory
collateWhen enabled, this option combines multiple values found from the JSONPath search into a single value, instead of presenting them as individual entries in an XACML bag.
The default value is false.		No
delimiterUsed only when collate is enabled, this option specifies the separator between collated values. The default is a comma (,).No

JSONPath search expressions

The search expressions use JSONPath whose full reference can be found in the JSONPath - XPath for JSONOpens in a new tab webpage. The following are a few useful examples:

  • The abstract name $ points to the outer level object.

  • In JSONPath, a period (.) serves as a separator between element names. For example, $.firstName points to the value associated with "firstName" in the outer level object. In the following example, it evaluates to "Joe".

    {
        "id": "1e36aef0-4e71-11e6-898d-f1931def5a85",
        "firstName": "Joe",
        "lastName": "Blog",
        "role": "manager"
    }

  • If the response contains an array of objects, you can use the square bracket notation [i] to point to a specific object within the array. For instance, to select Joe’s last name in the example below, use $[0].lastName.

    [
      {
        "id": "1e36aef0-4e71-11e6-898d-f1931def5a85",
        "firstName": "Joe",
        "lastName": "Blog",
        "role": "manager"
      },
      {
        "id": "33cd91c1-4e71-11e6-898d-f1931def5a85",
        "firstName": "Alice",
        "lastName": "Swanson",
        "role": "student"
      }
    ]

    To select items in an array based on an expression, use the filter operator ?. For example, $[?(@.id=='1e36aef0-4e71-11e6-898d-f1931def5a85')].lastName, applied to the example above will select the value "Blog".

  • To append a static prefix to the result of a search expression, use the concat function:

    concat("Bearer ",$.accessToken)

    which will yield a result such as Bearer abc123 .