XML Parser configuration
The XML Parser Attribute Connector is a tool that extracts values from XML strings using XPathOpens in a new tab expressions.
Its configuration is in XML format with the following structure:
<?xml version="1.0" encoding="UTF-8"?>
<configuration
xmlns="http://www.axiomatics.com/attributeconnector/parser/xml/configuration"
identifier="my-xml-ac-id">
<source>
<!-- configuration specifying the XML source -->
</source>
<!-- one or more mappings associating values from the XML source with attributes to be provided by this connector -->
<mapping>
<xacmlAttribute AttributeId="student.lastname"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
<xPath>/class/student[1]/lastname/text()</xPath>
</mapping>
<!-- ...more mappings as needed -->
</configuration>
A configuration starts with a root element named <configuration> and must contain an identifier and two sections:
The identifier is defined using the
identifierattribute and must be globally unique, like a UUID. It serves two purposes. First, it helps identify the source of attribute values in host logs. Second, it generates unique identifiers for each attribute mapping within the configuration, used for runtime cache strategy configuration within the host engine.The source section (
<source>) specifies the source of the XML data to be processed. It can be:- An XACML attribute value provided by the host
- The contents of a file within the host environment
- A literal token value embedded in the configuration
The mapping section contains multiple <mapping> elements, each associating an XACML attribute with a value within the XML source. These mappings define the attributes the connector can provide to the host.
Source section
The source section is mandatory in every configuration and specifies the source of the XML data to be processed. The sources can be:
The value of an XACML attribute
The value will be provided by the connector host dynamically for each individual policy evaluation. For example:
<source>
<xacmlAttribute AttributeId="user.data"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</source>The contents of a file within the environment of the connector host
The value is read from a file during configuration and remains constant for all policy evaluations during the connector's lifetime. For example:
<source>
<xml src="/secret/global-static-data.xml"/>
</source>A literal XML value embedded in the configuration
The value is embedded within the configuration and remains constant for all policy evaluations during the connector's lifetime. For example:
<source>
<xml>
<![CDATA[<users><alice><role>manager</role></alice></users>]]>
</xml>
</source>
Optionally, the source section can include an encoded attribute. This indicates if the source content is base64-encoded instead of plain text. The default is false.
The following example showcases literal base64-encoded XML content embedded within the configuration:
<source encoded="true">
<xml>PHJvbGU+bWFuYWdlcjwvcm9sZT4=</xml>
</source>
In the example above, the PHJvbGU+bWFuYWdlcjwvcm9sZT4= string decodes into <role>manager</role>.
Mappings section
The mapping section contains multiple <mapping> elements, each outlining an attribute the connector can offer to the host. These mappings pair an XACML attribute with a value found within the JSON source. Each <mapping> element includes the following:
xacmlAttribute
The xacmlAttribute element contains the following attributes:
| Attribute | Description | Mandatory |
|---|---|---|
AttributeId | Indicates the XACML identifier of the attribute. For example, user.role. | Yes |
Category | Indicates the category to which the XACML attribute belongs. For example, urn:oasis:names:tc:xacml:1.0:subject-category:access-subject. | Yes |
DataType | Indicates the data type of the XACML attribute. For example, http://www.w3.org/2001/XMLSchema#string. | Yes |
Issuer | Indicates the attribute's issuer but is rarely used. | No |
xPath
The <xPath> element contains a XPath expression specifying values to be collected from the XML source.
Read the XPath documentation and samplesOpens in a new tab for details.
To make it adaptable, you can introduce parameters into the expression using placeholder variables in the format ##index##, where "index" denotes a number beginning at 1. For example, /users/##1##/role/text().
key
This section defines a sequence of zero or more <key> elements. Each <key> represents an XACML attribute required to complete an expression using placeholder variables.
Each <key> element contains exactly one <xacmlAttribute> element, which follows the same structure described previously.
Mapping attributes
Additionally, the <mapping> element has two attributes:
| Attribute | Description | Mandatory |
|---|---|---|
collate | When enabled, this option combines multiple values found from the XPath search into a single value, instead of presenting them as individual entries in an XACML bag. The default value is false. | No |
delimiter | Used only when collate is enabled, this option specifies the separator between collated values. The default is a comma (,). | No |
XPath search expressions
The search expressions use XPath expressions that will return values. For example, the expression /class/student/name/text() is used to return the student’s name.
There are several online resources available to test XPath expressions such as the XPath TesterOpens in a new tab. Additionally, the XPath SyntaxOpens in a new tab webpage covers some of the most commonly used XPath expressions.