In XACML, access to resources (such as an XQuery or a Java method) can be controlled by characteristics of the subject(s) accessing the resource (a common subject is a user executing a query), the resource being accessed, the action being taken on the resource (such as 'execute query'), or the environment in which the access is being made (such as the time of the access). This part of the documentation provides an overview of what subjects, resources, and actions are available and what characteristics of those entities may be use to control access.
All types of access may be restricted by the user initiating access to a resource, currently XQueries. The user's name and the names of the groups of which the user is a member may be used to control access to any of the supported resources mentioned in the Resources section.
There is no support yet for access control based on the route taken to the resource. This type of control would allow, for example, a user to use a library module library.xqm by running query.xql but not through a query passed directly in the HTTP request.
All XQuery modules may be controlled by their source. A source has a type (Cocoon, URL, Class, File, Database, String, or ClassLoader resource) and a key. The key is specific to the source. For URLs, ClassLoader resources, and Cocoon, the key is the URI or URL of the source.
Access may also be controlled based on the method of access. The following are direct access contexts: REST, XML:DB (local), XML-RPC, WebDAV, and SOAP. Additionally, some contexts are indirectly used: eXist internally executes queries for validation, triggers may execute queries, and XInclude expansion requries evaluation of a query. There is also a context for unit tests when they directly access the query classes without going through one of the above interfaces.
Invocation of Java methods by reflection may be restricted by class and method name.
Calls to XQuery functions in modules written in Java may be restricted by the name of the implementing module's class, the module's namespace URI, and the name of the function.
Calls to XQuery functions in library modules stored in the database or the file system may be restricted by namespace URI, function name, and module source.
Query execution may be controlled by the source of the query.
Overloaded Java methods and XQuery functions share the same access control settings.
There is currently one action for each type of resource. The 'execute query' action corresponds to the XQuery main module resource, the 'call function' action corresponds to the XQuery library module resource (both internal and external), and the 'invoke method' action corresponds to the Java method resource.
The characteristics of the environment that are present are the current date and time.
You cannot control access to documents, HTTP put or get requests, which XML-RPC methods may be invoked, or anything else not explicitly mentioned above. Additionally, there is currently no supported method of using eXist's XACML-related classes for access control in your own application.