Spring AccessDecisionVoter using OPA

This directory contains a simple implementation of an AccessDecisionVoter for Spring Security that uses OPA for making authorization decisions.

Prerequisites

  • Java (tested with 1.8)
  • Maven (tested with 3.3.9)

Usage

To build the JAR file:

mvn package

To install the JAR file into your local Maven repository so other projects can depend on it:

mvn install:install-file -Dfile=target/voter-1.0-SNAPSHOT.jar -DpomFile=pom.xml

Add a dependency on the package to your project (pom.xml):

<dependency>
	<groupId>org.openpolicyagent</groupId>
	<artifactId>voter</artifactId>
	<version>1.0-SNAPSHOT</version>
</dependency>

Or in Gradle (build.gradle):

implementation 'org.openpolicyagent:voter:1.0-SNAPSHOT'

(Make sure you also include mavenLocal() in your repositories list, since the artifact is installed locally rather than published to a remote repository.)

Web Security Configuration

To enable the voter inside your application, you must configure it. Spring Security has sophisticated support for XML and Java-based configuration.

The example below is a simplistic Java-based configuration that you can use to test the voter. Drop this file into your project.

package com.acmecorp.example.config;

import java.util.Arrays;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;

import org.openpolicyagent.voter.OPAVoter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must be authenticated, and the final allow/deny
        // decision is delegated to the AccessDecisionManager built below.
        http.authorizeRequests().anyRequest().authenticated().accessDecisionManager(accessDecisionManager());
    }

    @Bean
    public AccessDecisionManager accessDecisionManager() {
        // The OPAVoter queries the OPA REST API at the given URL. The document
        // at that path (data.http.authz.allow) must evaluate to a boolean.
        List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays
                .asList(new OPAVoter("http://localhost:8181/v1/data/http/authz/allow"));
        // UnanimousBased denies the request if any voter denies it; with a
        // single voter, OPA's answer is the decision.
        return new UnanimousBased(decisionVoters);
    }

}

Testing

Obtain the latest version of OPA and start your application (e.g., using mvn spring-boot:run).

Create a test policy (example.rego):

package http.authz

allow = true

Run OPA in server mode with file watching enabled:

opa run -s -w example.rego

To view the data going between the application and OPA:

opa run -l debug -s -w example.rego

Test that you can access your application's API:

curl localhost:8080

Modify the policy to deny all requests.

example.rego:

package http.authz

allow = false

Test that your application's API requests are rejected:

curl localhost:8080
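Once the allow-all and deny-all policies behave as expected, a policy that actually inspects the request is the natural next step. The following is an added example and not part of the project; it assumes the voter sends the HTTP method as input.method, the request URI as input.path, and the Spring Authentication object as input.auth (with its authenticated flag and authorities list serialized as JSON). Confirm the real input shape with opa run -l debug before relying on these field names. It uses the rego.v1 syntax and therefore needs OPA 0.59 or later.

```rego
package http.authz

import rego.v1

# The voter queries data.http.authz.allow, so an undefined result would
# otherwise be ambiguous: make denial the explicit default.
default allow := false

# Read-only requests are allowed for any authenticated principal.
# (input.auth.authenticated is an assumed field; verify with -l debug.)
allow if {
	input.auth.authenticated == true
	input.method == "GET"
	not startswith(input.path, "/admin")
}

# Anything else (writes, or anything under /admin) requires ROLE_ADMIN.
# input.auth.authorities is assumed to be a list of {"authority": "..."}.
allow if {
	input.auth.authenticated == true
	is_admin
}

is_admin if {
	some grant in input.auth.authorities
	grant.authority == "ROLE_ADMIN"
}
```

Reload the file with opa run -s -w example.rego and repeat the curl checks with and without an admin user to see both outcomes.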