Spring Security and ABAC (Attribute Based Access Control)

We have a medium-sized business application, and we use Spring roles and security permissions (RBAC), with a large kludge, to enable and disable roles for specific instances, as well as rules hidden in SpEL in @PreAuthorize tags.

I think what we actually implemented (without knowing it) is ABAC. XACML looks very complex and bloated, so I am not keen on the answer here:

How to change Spring security roles by context?

Has anyone done a small implementation of ABAC without XACML? I hope that would allow us to sort out the problems, so that domain objects just do @PreAuthorize (WRITE) etc., and our authorization policy is separated from them.

From what I read, the basic principle of ABAC is very simple. You have an action (very similar to a permission) and a mechanism for resolving whether the current Principal has this permission for this object.

I know AccessDecisionVoter, which is roughly the right kind of interface, but I don't think it was designed to vote on permissions. However, implementing our authorization policy with instances of something like this seems very attractive.

Sorry for the incoherent question! I am mostly interested in ABAC, but would like to avoid home brew, and was worried that XACML is a giant plane when we need a Cessna.

+7
spring-security rbac xacml abac
1 answer

There seem to be two things you are aiming for:

  • external authorization, where you want to move access control policies out of the code (or at least into a central place in the code, rather than scattered throughout the Spring code)
  • attribute based authorization where you want to use richer attributes than roles and permissions

I am not very sure about (2), because, as you say, you want "an action and a mechanism for resolving whether the current Principal has this permission", which is still RBAC in my book. Do you have other conditions on which access decisions should be based? The location of the user, the time of day, the value of certain data in the database, the properties of the resource being acted on, etc.? If so, we wander into the world of ABAC. In any case, I would say that RBAC is a subset of ABAC, since a role is just one attribute.

Now, as for (1), a common pattern would be to first centralize the authorization mechanism and use Spring annotations to invoke this authz. access decision mechanism. Here you have two options:

  • built-in authz. engine: where the library implements the engine and is called by the code as a Java function. It may be the XACML engine or it may be your own RBAC / ABAC implementation.
  • as a network service: where a network-based (micro) service answers access control questions. It may be the XACML engine or it may be your own RBAC / ABAC implementation.

To get the Spring code to call this authz. mechanism, one way would be to write your own Spring Security voter. Another way that I found much easier would be to write your own Spring Expression Language expressions, which you can then call using the existing @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter annotations, sec:authorize tags, and even from intercept-url.

This is what I used when working on the Spring Security XACML PEP SDK. This approach should work equally well, even if you decide not to use XACML for your decision policies or for the request/response communication.

+9
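The second option from this answer, a home-grown authz. engine reached from @PreAuthorize through a SpEL bean reference, as an added example that is not from the post or from the XACML PEP SDK. It assumes Java 17, Spring Security with method security enabled, and the hypothetical Document and AppUser types; the policy rules (owner, department, archived flag, business hours) are made up to show attributes beyond roles.

```java
import java.time.Clock;
import java.time.LocalTime;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Hypothetical resource: its attributes are what the policy reasons about.
record Document(String owner, String department, boolean archived) {}

// Hypothetical principal with one attribute (department) beyond its roles.
record AppUser(String name, String department) {}

// Central policy decision point; every rule lives here, not in the domain code.
@Component("authz") // bean name referenced as @authz in the SpEL expressions
class PolicyDecisionPoint {
    private final Clock clock;
    PolicyDecisionPoint(Clock clock) { this.clock = clock; } // environment attribute source

    public boolean check(Authentication auth, String action, Document doc) {
        if (auth == null || !(auth.getPrincipal() instanceof AppUser user)) return false;
        Set<String> roles = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toSet());
        boolean sameDept = user.department().equals(doc.department());
        boolean businessHours = !LocalTime.now(clock).isBefore(LocalTime.of(8, 0))
                && LocalTime.now(clock).isBefore(LocalTime.of(18, 0));
        return switch (action) {
            // subject attribute (department) or a plain role: RBAC is just one attribute
            case "READ" -> sameDept || roles.contains("ROLE_AUDITOR");
            // resource attribute (archived), subject/resource match (owner), environment (time)
            case "WRITE" -> !doc.archived() && businessHours
                    && (user.name().equals(doc.owner())
                        || (roles.contains("ROLE_EDITOR") && sameDept));
            default -> false; // unknown actions are denied, never silently allowed
        };
    }
}

// Domain service: only names the action; the policy itself is elsewhere.
@Service
class DocumentService {
    @PreAuthorize("@authz.check(authentication, 'WRITE', #doc)")
    public void save(Document doc) { /* persist */ }

    @PreAuthorize("@authz.check(authentication, 'READ', #doc)")
    public Document open(Document doc) { return doc; }
}
```

Swapping the in-process PolicyDecisionPoint for a client of a remote decision service changes only the bean, not the annotations on the domain code.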