Skip to content
/ spring-security-abac Public

Even though spring security provides role-based access control it doesn’t allow users to perform policy-based authorization. The main goal of this project is to write an agent which can be used to perform attribute-based access control for Spring security.

License

Apache-2.0 license
10 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rnavagamuwa/spring-security-abac

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
sample
sample
 
 
sdk
sdk
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

XACML based authorization for Spring security

Overview

Even though spring security provides role-based access control it doesn’t allow users to perform policy-based authorization. The main goal of this project is to write an agent which can be used to perform attribute-based access control for Spring security.

Implementation

Spring security provides an annotation for custom authorization evaluations.

As the initial version, I have managed to write a working sample for this use case. This sample talks to WSO2 PDP for authorization.

The high-level sequence diagram

Usage

  1. Create a keystore and a trustStore in Resources directory.

  2. Create a file named xacmlConfig.json in Resources directory. This file contains the body of the XACML request.

    • This file is a json file and this can have more than one Target Domain Objects. In this case let's define our target domain object as admin_xacml.
    • All the variables should start with '$'. For example if action-id is the variable it should be defined in the xacmlConfig.sjon as $action-id.

    A sample xacmlConfig.json file is as follows.

    {
  "admin_xacml": {
    "Request": {
      "Action": {
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id",
            "Value": "$action-id"
          }
        ]
      },
      "Resource": {
        "Attribute": [
          {
            "AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
            "Value": "$resource-id"
          }
        ]
      }
    }
  }
}

  3. Extend GlobalMethodSecurityConfiguration class and set AttributeEvaluator as the new PermissionEvaluator

    @Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {

        DefaultMethodSecurityExpressionHandler expressionHandler =
                new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setPermissionEvaluator(new AttributeEvaluator());
        return expressionHandler;
    }
}

  4. Now add the @PreAuthorize("hasPermission()") or @PostAuthorize("hasPermission()") annotation as required before the correct controller method. Target Domain Object and the Permissions should be passed to this annotaion as parameters.Permissions is a json object which contains the key value pairs. These permission values will be extracted from the headers.

     @PreAuthorize("hasPermission('admin_xacml','{$action-id:action-id,$resource-id:resource-id}')")

About

Even though spring security provides role-based access control it doesn’t allow users to perform policy-based authorization. The main goal of this project is to write an agent which can be used to perform attribute-based access control for Spring security.

Topics

spring-boot iam saml2 wso2-identity-server xacml single-sign-on

Resources

Readme

License

Apache-2.0 license
Activity

Stars

10 stars

Watchers

6 watching

Forks

7 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages