Skip to content

SevenParadigms/reactive-spring-abac-security

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

52 Commits
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.adoc
README.adoc
 
 
pom.xml
pom.xml
 
 

Repository files navigation

reactive-spring-boot-webflux-abac-security

The main advantage of the ABAC security model is the ability to describe the security policy through a set of rules based on the attributes involved in user actions. This approach allows you to fine-tune security policies to the required level.

The target area of application of ABAC is the description of the security policies of the branch system with full access control to any level of nesting and description complexity. All ABAC rules are described in the form of SpEL expressions and, unlike RBAC, are stored in a database, where they can be easily analyzed and modified accordingly.

The Maven Central dependency instead of the library spring-data-abac-security:

<dependency>
    <groupId>io.github.sevenparadigms</groupId>
    <artifactId>reactive-spring-abac-security</artifactId>
    <version>1.5.3</version>
</dependency>

The proposed library on the client side activates Spring Security with the ABAC security model, while caching data by token, accessing the authorization service only once. The token revocation is marked in the cache through the Spring Event, the initiation of which is left to the infrastructure logic when the user session ends.

Properties:

spring.security:
  abac.url: r2dbc:postgresql://lgn:psw@ip/abac_rules?schema=public
  jwt:
      algorithm: HS512 # default
      X-User-Id: true # X-User-Id, X-Login and X-Roles is read from headers
      secret-key: 12345678
      password-algorithm: PBKDF2WithHmacSHA512 # default [PBKDF2WithHmacSHA1,PBKDF2WithHmacSHA256]
      expiration: 300 # seconds as default
      signature-algorithm: HS512 # default
      iteration: 512  # seconds as default
      skip-token-validation: false
      public-key: <base64 of pem as public key>
      keystore-path: <filename.p12 from resource>
      keystore-type: PKCS12 # default
      keystore-alias: key alias
      keystore-password: changeit

All JWT token claim parsing is cached in Spring CacheManager. If bean of CacheManager (Hazelcast) is not found then using own Caffeine CacheManager.

Token cache have named is jwt and it’s setting in application.yml in milliseconds:

spring.cache:
  jwt.expireAfterWrite: 300000 # milliseconds (by default 5 minutes)
  jwt.maximumSize: 10000 (by default)

if its property is nothing then used spring.security.jwt.expiration property in seconds. And it both is nothing then set default expire to 5 minutes. Token caching is up performance over 15k requests per second for authenticated request.

For get bearer token from /token send POST:

{
  "login": "login",
  "password": "password"
}

To get new token from refresh token send authorized GET:

/token?refresh_token=[yourRefreshToken]

for most security, refresh token can claim only with his pair of jwt token and if jwt token is expired then refresh token is expired too.

About

Reactive Spring Security with ABAC model

Topics

kotlin security jwt reactive spring reactor abac webflux

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

7 stars

Watchers

2 watching

Forks

1 fork
Report repository

Languages