Axiomatics Featured in KuppingerCole Market Compass for Policy-Based Access Management (PBAM) Learn more  

How Can an Authorization Request Be Simulated?

We are rolling out a new format on our blog – the “Question of the Week” – an ongoing feature that will tackle all sorts of questions and general wonderings. We’ll have input from our sales engineers, customer relations and engineering teams. If you have a question to consider, please send it to webinfo@axiomatics.com.

There are several ways to simulate an authorization request sent to a PDP. The purpose of simulation is most often to test the policy in place to make sure that it works as expected, or to troubleshoot a policy for errors.

Axiomatics Policy Administration Point (PAP)

The PAP application is distributed as part of the Axiomatics Policy Server (APS). [As of APS 6.1.2 it is in its own separate folder called pap where installation instructions can be found.]

It is possible to use the PAP to simulate a request internally or externally. Internally means that a simulation is performed within the PAP itself against the policy that is being authored (or is loaded) within the PAP. This does not send a request to a PDP. Simulation externally sends a request to a specified PDP that holds the policy that will be evaluated.

Within the PAP, right click on the Policy Package in the tree on the left hand side (note, for external simulation it doesn’t matter what Policy Package is loaded in the PAP) and choose “Simulate”. A simulation configuration pane opens up to the right. This is where the simulated request will be built up. Add the attributes needed in the request and their value(s). Choose to simulate internally or set needed parameters to send the simulated request to a PDP. Finally click Simulate to send the request.

A new tab will be opened showing the response and an evaluation trace with details describing how the request was evaluated.

Axiomatics Policy Enforcement Point (PEP)

This option for simulation requires some programming knowledge. There are essentially three ways to write a simple PEP that can send a request to a PDP for simulation. The basic approach of writing this PEP is the same as writing any PEP, regardless if simulation is the goal. The PEP constructs a request, sends it to the PDP and the response is captured.

  1. Leverage any programming language that can send a JSON payload to a REST services. The Axiomatics PDP exposes a REST interface and also supports the JSON profile.
  2. Leverage the Axiomatics Java PEP SDK. The SDK can be downloaded from the Axiomatics support web and contains several examples of PEP code, including samples for Axiomatics Reverse Query (ARQ).
  3. Similar to option 2, Axiomatics also offer a .NET PEP SDK. This is also available through the Axiomatics Support web and contains sample code.


SoapUI and Postman are two different Web Service testing applications. These are just two examples of popular tools, in principle, any other similar tool could also be used.

Postman can easily be configured to send a request to the Axiomatics PDP. Here’s an example:

  1. Select POST as the http verb
  2. Enter the Axiomatics PDP REST URL – Ex. http://server:9092/asm-pdp/authorize
  3. In Authorization, select authentication type (usually Basic Auth). Enter the username and password for the PDP.
  4. In Headers – Add a header with the key Content-Type and Value application/xacml+json. There should already be an Authentication key there if the Authorization step above is completed.
  5. In the Body section, choose raw and enter the XACML request encoded as JSON. Example:
[ {"AttributeId":"user.name","Value":"jonasi"} ]
[ {"AttributeId":"resource.objectType","Value":"insurance claim"} ]
[ {"AttributeId":"action-id","Value":"view"}]
  1. Finally, click send and review the response.


Using Curl is a very light weight option for request simulation. It does involve building up a request manually. The request could be encoded in either XML or JSON and saved in a file. The Curl command is then used to send that request to either the REST or SOAP endpoint URL of the PDP.


curl -X POST -H ‘Content-type:application/xacml+json’ -T Request.json http://server:9092/asm-pdp/authorize –user pep-user:password
curl -X POST -H ‘Content-type:application/xacml+json’ -T Request.json https://server:9092/asm-pdp/authorize –cacert ca.crt –user pdp-user:password


curl -X POST -H ‘Content-type:text/xml’ -T Request.xml http://server:9092/asm-pdp/authorize –user pep-user:password
curl -X POST -H ‘Content-type:text/xml’ -T Request.xml https://server:9092/asm-pdp/authorize –cacert ca.crt –user pdp-user:password


curl -X POST -H ‘Content-type:text/xml’ -T Request.xml http://server:9092/asm-pdp/pdp?wsdl –user pep-user:password
curl -X POST -H ‘Content-type:text/xml’ -T Request.xml https://server:9092/asm-pdp/pdp?wsdl –cacert ca.crt –user pdp-user:password


curl -X POST -H ‘Content-type:text/xml’ -T ARQ_Raw_Request.xml http://server:9092/asm-pdp/arqraw?wsdl –user pep-user:password
curl -X POST -H ‘Content-type:text/xml’ -T ARQ_Raw_Request.xml https://server:9092/asm-pdp/arqraw?wsdl –cacert ca.crt –user pdp-user:password

Additional Reading on This Topic

To be able to view the links below you need to be a registered user on our support web.


A sample HTML PEP that leverages JSON is available in this tutorial (Requires Axiomatics Support account).

Read more

JUnit Testing

Some further reading that relates to this option of simulation can be found in this Knowledge Base article that discuss the topic of automated testing using JUnit:

Read more


A detailed description of how to use SoapUI for various types of simulation scenarios including Multi-Decision Profile (MDP) Requests, Axiomatics Reverse Query (ARQ) Requests as well as using REST/JSON is outlined in this Knowledge Base article:

Read more

Archived under:
About the author