Spring Security provides role-based access control, but it has no built-in support for policy-based authorization. The goal of this project is an agent that adds attribute-based access control (ABAC) to Spring Security by delegating decisions to an external XACML policy decision point (PDP).
Spring Security exposes an annotation for custom authorization evaluations, which is the hook the agent uses.
As the initial version, I have managed to write a working sample for this use case. The sample talks to the WSO2 Identity Server (WSO2-IS) PDP for authorization decisions.
- Start WSO2-IS by following the Installation Guide.
- Publish the following XACML policy by following Publishing a XACML Policy. It permits any request whose `action-id` attribute equals `read`; because the designator is `MustBePresent="true"`, a request with no `action-id` at all evaluates to Indeterminate rather than Permit.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="samplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0">
  <Target>
    <AnyOf>
      <AllOf>
        <!-- The policy applies only when the request's action-id equals "read".
             The XACML string datatype identifier is the literal http://www.w3.org/... URI. -->
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Every request that matches the Target is permitted -->
  <Rule Effect="Permit" RuleId="permit"/>
</Policy>
```

- Configure SSO by following Configure Single Sign-On, using these values:
  - Issuer id: `com:rnavagamuwa:springsecurity`
  - Assertion consumer URL: `https://localhost:8080/saml/SSO`
  - SLO response/request URL: `https://localhost:8080/saml/SingleLogout`
- Replace `keystore.jks` and `trustStore.jks` in the resources directory with the correct ones (the trust store must contain the WSO2-IS certificate so the agent can verify the PDP's TLS connection).
- Define the following properties in the `application.properties` file:

```properties
xacml.pdp.url.entitlement.service=https://localhost:9443/api/identity/entitlement/decision
xacml.pdp.url.resourceList=https://localhost:9443/api/identity/entitlement/decision/home
xacml.pdp.trustStore=truststore.jks
xacml.pdp.trustStore.password=password
xacml.pdp.keyStore=keystore.jks
xacml.pdp.keyStore.password=password
```

- Run the Spring Boot app by executing `mvn spring-boot:run`.
- Navigate to https://localhost:8080 and you'll be redirected to the WSO2-IS login page.
- Provide the username and password (the default is `admin` / `admin`). You'll then be redirected to the landing page.
- Click the `Hello` button, add the following authorization headers and click `Submit Request`:
  - Header Key: `action-id` | Header Value: `read`
  - Header Key: `resource-id` | Header Value: `https://127.0.0.1/service/very_secure/`
- You should get the message `Successfully authorized` if the PDP permits the request.
- In addition, you can remove the headers and submit the request again to see how the policy responds when the attributes are absent.
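The following is an added example, not code from this project, that makes the round trip above concrete: it maps the two HTTP headers (`action-id`, `resource-id`) plus the authenticated subject onto a XACML 3.0 JSON-profile request, evaluates that request against the `samplePolicy` semantics locally (including the `MustBePresent` case you hit when you remove the headers), and prepares, without sending, the HTTP call to the entitlement decision API. The `/pdp` sub-resource, HTTP Basic authentication and the JSON response shape are assumptions about the WSO2-IS REST API and are not taken from this page; the base URL is the page's `xacml.pdp.url.entitlement.service`.

```python
import base64
import json
import urllib.request
from typing import Optional

# XACML 3.0 identifiers used by the README's samplePolicy and request headers
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


def build_xacml_request(headers: dict, subject: str) -> dict:
    """Map the HTTP headers from the README (action-id, resource-id) and the
    authenticated subject onto a XACML 3.0 JSON-profile request.
    A header that is absent yields no attribute in that category."""
    def attrs(attr_id: str, value: Optional[str]) -> list:
        if value is None:
            return []
        return [{"AttributeId": attr_id, "DataType": XS_STRING, "Value": value}]

    return {"Request": {
        "AccessSubject": [{"Attribute": attrs(SUBJECT_ID, subject)}],
        "Action": [{"Attribute": attrs(ACTION_ID, headers.get("action-id"))}],
        "Resource": [{"Attribute": attrs(RESOURCE_ID, headers.get("resource-id"))}],
    }}


def _find(request: dict, category: str, attr_id: str) -> Optional[str]:
    """Return the first value of attr_id in the given request category, if any."""
    for entry in request["Request"].get(category, []):
        for attr in entry.get("Attribute", []):
            if attr["AttributeId"] == attr_id:
                return attr["Value"]
    return None


def evaluate_sample_policy(request: dict) -> str:
    """Local stand-in for the PDP that implements the README's samplePolicy only:
    Target = string-equal(action-id, "read") with MustBePresent="true", and a
    single Rule with Effect="Permit". Under XACML 3.0 a missing MustBePresent
    attribute makes the Target Indeterminate, a non-matching Target makes the
    policy NotApplicable, and the Rule is reached only when the Target matches."""
    action = _find(request, "Action", ACTION_ID)
    if action is None:
        return "Indeterminate"
    if action != "read":
        return "NotApplicable"
    return "Permit"


def is_authorized(decision: str) -> bool:
    """Deny-biased PEP: only an explicit Permit grants access; Deny,
    NotApplicable and Indeterminate are all treated as a refusal."""
    return decision == "Permit"


def build_pdp_http_request(xacml_request: dict, entitlement_service_url: str,
                           username: str, password: str) -> urllib.request.Request:
    """Prepare (but do not send) the HTTP call the agent would make to the WSO2
    entitlement decision API. The '/pdp' sub-resource and HTTP Basic auth are
    assumptions about the WSO2-IS REST API, not taken from the README; the base
    URL is the README's xacml.pdp.url.entitlement.service property."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        entitlement_service_url.rstrip("/") + "/pdp",
        data=json.dumps(xacml_request).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Basic " + token},
        method="POST",
    )


def decision_from_pdp_response(body: bytes) -> str:
    """Extract the Decision from an assumed XACML JSON-profile response such as
    {"Response": [{"Decision": "Permit"}]}."""
    return json.loads(body)["Response"][0]["Decision"]


if __name__ == "__main__":
    # Constructed sample: the two headers the README tells you to add, for user admin
    hdrs = {"action-id": "read", "resource-id": "https://127.0.0.1/service/very_secure/"}
    for name, h in [("with headers", hdrs), ("without headers", {})]:
        decision = evaluate_sample_policy(build_xacml_request(h, "admin"))
        outcome = "Successfully authorized" if is_authorized(decision) else "refused"
        print(f"{name}: {decision} -> {outcome}")
```

The point of `is_authorized` is that the enforcement side of the agent should only ever grant on an explicit `Permit`; the three non-Permit outcomes (`Deny`, `NotApplicable`, `Indeterminate`) all look the same to the caller, which is exactly what you want when a header is missing or the PDP cannot evaluate the request.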