既然你已经添加了 http://wso2.org/claims/role 作为主题的AttributeId,以下应该是您的XACML请求
http://wso2.org/claims/role
<?xml version="1.0" encoding="UTF-8"?> <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false"> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"> <Attribute AttributeId="http://wso2.org/claims/role" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue> </Attribute> </Attributes> </Request>
在XAML值与AttributeId匹配时,必须使用相同的AttributeId。你已经习惯了 urn:oasis:names:tc:xacml:1.0:subject:subject-id 作为请求中的AttributeId。
urn:oasis:names:tc:xacml:1.0:subject:subject-id