
Why XACML Response Returns NotApplicable on Azure Web App?


Firstly, I created a Spring Boot project in IntelliJ based on this [blog]: https://www.javadevjournal.com/spring-boot/spring-boot-application-intellij/. Then I generated a controller and a service with @PostMapping inside it. I used Balana ([github]: https://github.com/wso2/balana) to implement the XACML engine.

Following this [blog]: https://docs.wso2.com/display/IS570/Writing+XACML+3+Policies+in+WSO2+Identity+Server+-+7, a policy and a XACML request were created as hardcoded values. When the service is called via Postman as an HTTP POST (http://localhost:8080/evaluate), the XACML response works as expected with PERMIT and DENY decisions. Everything is okay up to here.

When I publish it to an Azure Web App, the response includes NotApplicable as the decision. Is there any anomaly in my policy and request, or did I miss something?

Sample Policy

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
    <Description>sample policy</Description>
    <Target></Target>
    <Rule Effect="Permit" RuleId="primary-group-customer-rule">
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                    </Match>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                    </Match>
                </AllOf>
            </AnyOf>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                </Apply>
                <AttributeDesignator AttributeId="group" Category="urn:oasis:names:tc:xacml:3.0:group" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Apply>
        </Condition>
    </Rule>
    <Rule Effect="Deny" RuleId="deny-rule"></Rule>
</Policy>

Sample XACML Request

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:group">
        <Attribute AttributeId="group" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Response on Localhost


<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>

Response on Azure Web App


<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>NotApplicable</Decision>
    <Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>
  </Result>
</Response>


Solution

  • There should be no difference in terms of decision making (PERMIT or DENY) based on where your application is deployed.

    I can tell you how to determine whether or not the issue is with your application, your policy, or an error in your request.

    First, just to verify the requests are the same, have you checked the logs for the PDP on both Azure and your localhost to make sure the requests are indeed coming up the same?

    If so, next I suggest you set up a very, very simple rule that will return DENY no matter what. Then ensure that you get DENY when running the Spring Boot application locally (i.e. $ mvn spring-boot:run on your computer) and on a deployed server.

    If you can't get a DENY on both, you need to revisit your application logic and such.

    Once you get a DENY, set up a simple policy that takes one parameter, i.e. if someNumber == 2, return PERMIT. Then try this on both your localhost and on Azure. Once you have this working, you are ready to try the policy you mentioned in your question.

    FYI, I have multiple Spring Boot projects that communicate with a XACML engine (Axiomatics, not WSO2) on my GitHub, such as: https://github.com/michaelcgood/Axiomatics-Yet-Another-PEP.

    I also have multiple articles about Spring Boot on my website: https://michaelcgood.com/category/spring/. If you have questions about the content or code, you can contact me (info on the contact page) and I'll respond as I'm able to.
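A small diagnostic for the answer's first step, comparing what the PDP actually receives on each deployment and checking each policy Match against it. This is an added example, not code from the question, the answer or Balana; it embeds trimmed-down copies of the question's policy and request, and approximates XACML's string-regexp-match with Python's re.search (XACML specifies XML Schema regex syntax, which agrees for a literal URL like this one).

```python
import re
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
# The two match functions the question's policy uses; regexp-match approximated with re.search.
MATCH_FN = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda pat, s: pat == s,
    "urn:oasis:names:tc:xacml:1.0:function:string-regexp-match": lambda pat, s: re.search(pat, s) is not None,
}
def request_attrs(request_xml):
    """Canonical view of a request: {(category, attribute-id, datatype): [values]}.
    Log this on both deployments and diff it to see whether the PDP received the same request."""
    attrs = {}
    for block in ET.fromstring(request_xml).findall("x:Attributes", NS):
        for attr in block.findall("x:Attribute", NS):
            for val in attr.findall("x:AttributeValue", NS):
                key = (block.get("Category"), attr.get("AttributeId"), val.get("DataType"))
                attrs.setdefault(key, []).append(val.text or "")
    return attrs
def check_matches(policy_xml, request_xml):
    """Report (rule-id, attribute-id, status) for every <Match>: 'match', 'no-match', or 'missing'
    (attribute absent from request; with MustBePresent="true" XACML 3.0 makes that Indeterminate)."""
    attrs = request_attrs(request_xml)
    report = []
    for rule in ET.fromstring(policy_xml).findall("x:Rule", NS):
        for match in rule.iter(f"{{{XACML}}}Match"):
            literal = match.find("x:AttributeValue", NS).text
            d = match.find("x:AttributeDesignator", NS)
            # Category, AttributeId and DataType must all agree, or the designator finds nothing.
            values = attrs.get((d.get("Category"), d.get("AttributeId"), d.get("DataType")))
            if values is None:
                status = "missing"
            else:
                status = "match" if any(MATCH_FN[match.get("MatchId")](literal, v) for v in values) else "no-match"
            report.append((rule.get("RuleId"), d.get("AttributeId"), status))
    return report
# Constructed: the resource Match from the question's policy and the matching request attribute.
POLICY = f"""<Policy xmlns="{XACML}" PolicyId="2" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Target/>
  <Rule Effect="Permit" RuleId="primary-group-customer-rule"><Target><AnyOf><AllOf>
    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
      <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </Match></AllOf></AnyOf></Target></Rule><Rule Effect="Deny" RuleId="deny-rule"/></Policy>"""
REQUEST = f"""<Request xmlns="{XACML}"><Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
  <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
  </Attribute></Attributes></Request>"""
```

Feed the same function the request bodies captured in the PDP logs on localhost and on Azure; a 'missing' entry usually means a category or attribute id differs between the two, a 'no-match' that the value (for example the resource URL) changed in deployment.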