Tags: xpath, wso2, xacml, xacml3, wso2-identity-server

XACML policy containing XPath expression does not work when published in WSO2 Identity Server 5.0


I tried the first sample from http://www.webfarmr.eu/2011/08/xacml-102-xpath-and-xacml/, section "XPath used in a single XACML request". Just in case, here is the XACML policy:

<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="xpath-target-single-req" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1">
  <xacml3:Description/>
  <xacml3:PolicyDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicyDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Gulliver's travels</xacml3:AttributeValue>
          <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" Path="/book/title/text()"/>
        </xacml3:Match>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Rule Effect="Permit" RuleId="allow-read">
    <xacml3:Description/>
    <xacml3:Target/>
  </xacml3:Rule>
</xacml3:Policy>

When I use the "Try" option from the Policy Administration page and evaluate my XACML request, the response returns the Permit decision. Notice that the policy has not been published yet.

After that I publish the policy, enable it and use the "Try" option from the Tools->XACML menu. The result is "NotApplicable".

I do not have any other policies, neither in the Policy Administration nor in the Policy View.

Do XACML policies that contain XPath expressions need some additional configuration? What is wrong with the provided scenario?

EDIT: Found this message in logs:

[2014-07-03 11:13:25,021]  INFO {org.wso2.balana.finder.AttributeFinder} -  Failed to resolve any values for /book/title/text()
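To make visible what the policy above asks the PDP to do, here is an added illustration in Python; it is not code from the question, from WSO2 Identity Server or from Balana. It is a toy evaluator for the policy's Target, fed a constructed request that carries the subject's age and a resource `<Content>` document. The restricted XPath subset (absolute element steps ending in `text()`), the `policy_xml`/`request_xml` helpers, the placeholder for MustBePresent and the sample ages are assumptions made for the example. It reproduces both outcomes seen in the question: when the selector can read `/book/title/text()` from `<Content>`, the decision is Permit; when the selector resolves nothing (the situation the "Failed to resolve any values" log line reports), a MustBePresent="false" selector returns an empty bag, the Match fails and the decision is NotApplicable rather than an error.

```python
"""Toy XACML 3.0 Target evaluator (added illustration, not WSO2 or Balana code). It shows how
an AttributeSelector resolves XPath over the request <Content>, how an AttributeDesignator
resolves <Attribute> values, and why a selector that finds nothing with MustBePresent="false"
gives an empty bag, hence no match, hence NotApplicable (rather than an error)."""
import xml.etree.ElementTree as ET

X = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"

# XACML 3.0 sec. 7.6: the Match's literal <AttributeValue> is the FIRST argument and each bag
# element the second, so integer-greater-than(18, age) holds when 18 > age.
FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
    "urn:oasis:names:tc:xacml:1.0:function:integer-greater-than": lambda a, b: int(a) > int(b),
}

# The policy from the question; the selector's MustBePresent is a placeholder so both values can be tried.
POLICY_TEMPLATE = """<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="xpath-target-single-req" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
 <xacml3:Target><xacml3:AnyOf><xacml3:AllOf>
  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Gulliver's travels</xacml3:AttributeValue>
   <xacml3:AttributeSelector Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
    DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="__MBP__" Path="/book/title/text()"/>
  </xacml3:Match>
  <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than">
   <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">18</xacml3:AttributeValue>
   <xacml3:AttributeDesignator AttributeId="age" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
    DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
  </xacml3:Match>
 </xacml3:AllOf></xacml3:AnyOf></xacml3:Target>
 <xacml3:Rule Effect="Permit" RuleId="allow-read"><xacml3:Target/></xacml3:Rule>
</xacml3:Policy>"""

def policy_xml(must_be_present="false"):
    return POLICY_TEMPLATE.replace("__MBP__", must_be_present)

def request_xml(age, with_content=True):
    """Constructed sample request: the subject's age plus, optionally, the resource <Content>."""
    content = "<xacml3:Content><book><title>Gulliver's travels</title></book></xacml3:Content>"
    return """<xacml3:Request xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
 <xacml3:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <xacml3:Attribute AttributeId="age" IncludeInResult="false">
   <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">%d</xacml3:AttributeValue>
  </xacml3:Attribute>
 </xacml3:Attributes>
 <xacml3:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">%s</xacml3:Attributes>
</xacml3:Request>""" % (age, content if with_content else "")

class Indeterminate(Exception):
    """A MustBePresent="true" designator or selector resolved to an empty bag."""

def select_xpath(content, path):
    """Restricted XPath: absolute element steps ending in text(), evaluated with <Content> as root."""
    nodes = [content]
    for step in path.strip("/").split("/"):
        if step == "text()":
            return [n.text for n in nodes if n.text is not None]
        nodes = [c for n in nodes for c in n if c.tag.split("}")[-1] == step]
    return []  # path ended on an element rather than a text node

def resolve(node, request):
    """Bag of string values for an AttributeDesignator or AttributeSelector element."""
    bag = []
    for attrs in request.findall(X + "Attributes"):
        if attrs.get("Category") != node.get("Category"):
            continue
        if node.tag == X + "AttributeSelector":  # XPath over this category's <Content>
            for content in attrs.findall(X + "Content"):
                bag += select_xpath(content, node.get("Path"))
        else:  # AttributeDesignator: <Attribute> values with matching id and DataType
            bag += [v.text for a in attrs.findall(X + "Attribute")
                    if a.get("AttributeId") == node.get("AttributeId")
                    for v in a.findall(X + "AttributeValue") if v.get("DataType") == node.get("DataType")]
    if not bag and node.get("MustBePresent") == "true":
        raise Indeterminate(node.get("AttributeId") or node.get("Path"))
    return bag  # may be empty; this is the situation Balana logs as "Failed to resolve any values"

def match_holds(m, request):
    fn = FUNCTIONS[m.get("MatchId")]
    literal = m.find(X + "AttributeValue").text
    # Schema order: AttributeValue first, then the AttributeDesignator or AttributeSelector.
    return any(fn(literal, v) for v in resolve(m[1], request))

def target_matches(target, request):
    """An empty Target matches; otherwise some AnyOf needs an AllOf whose Matches all hold."""
    if target is None or len(target) == 0:
        return True
    return any(all(match_holds(m, request) for m in allof.findall(X + "Match"))
               for anyof in target.findall(X + "AnyOf") for allof in anyof.findall(X + "AllOf"))

def evaluate(policy_text, request_text):
    """Decision for one policy: Permit, Deny, NotApplicable or Indeterminate."""
    policy, request = ET.fromstring(policy_text), ET.fromstring(request_text)
    try:
        if not target_matches(policy.find(X + "Target"), request):
            return "NotApplicable"
        effects = [r.get("Effect") for r in policy.findall(X + "Rule")
                   if target_matches(r.find(X + "Target"), request)]
    except Indeterminate:
        return "Indeterminate"
    if "Deny" in effects:  # deny-overrides, as the policy's RuleCombiningAlgId declares
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

`evaluate(policy_xml(), request_xml(12))` returns Permit, `evaluate(policy_xml(), request_xml(12, with_content=False))` returns NotApplicable, and the same request against `policy_xml("true")` returns Indeterminate. Two points worth noting: per the XACML 3.0 Match rules the literal is the first function argument, so the `integer-greater-than` Match here holds for ages below 18, not above; and MustBePresent="false" makes a broken or unresolvable XPath fail silently into NotApplicable, which is exactly why the question's symptom showed up as a decision change rather than an error.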

Solution

  • Yes. This is a bug in the Identity Server. Please refer to the public JIRA. However, this is not because XPath is not implemented in Balana, and it is not an issue with Balana. It is related to the Identity Server, which is not properly initializing the Balana engine.

    You can even find the fix that is attached to the public JIRA and try with that fix. You can find more details about the XPath example with Identity Server here.