Spring Middleware
The AsertoFilter is a Java library that provides a Spring Security filter that enables the use of Aserto's authorization service in projects that use Spring.
Requirements
- Java 8 or newer
- Spring Boot 2.7.x
- Spring Security 5.7.x
Installation
Add the fallowing dependency to your pom.xml file:
<dependency>
<groupId>com.aserto</groupId>
<artifactId>aserto-spring</artifactId>
<version>0.0.5</version>
</dependency>
The latest version is available on Maven Central.
And them execute:
mvn clean package
In order for Spring to discovery the filter, we need to add the @ComponentScan annotation to the main class of the application.
@ComponentScan("com.aserto")
Configuration
The authorization filter accepts the fallowing configuration parameters:
| Parameter name | Default Value | Description |
|---|---|---|
| aserto.authorization.enabled | true | Enable/disable the authorization filter |
| aserto.authorization.serviceUrl | localhost:8282 | The service url of the authorizer service |
| aserto.authorizer.insecure | false | Use insecure connection to the authorizer service |
| aserto.authorizer.cert.path | N/A | The path to the authorizer service certificate, useful when using local Topaz with self signed certificates |
| aserto.authorizer.decision | N/A | The decision used by the authorizer |
| logging.level.com.aserto | INFO | The log level for the Aserto Middleware |
The following configuration settings are available when connecting the middleware to Aserto's hosted authorizer service
| Parameter name | Default Value | Description |
|---|---|---|
| aserto.authorizer.apiKey | N/A | The API key to use when connecting to the authorizer service |
| aserto.tenantId | N/A | The tenant ID to use when connecting to the authorizer service |
| aserto.authorizer.policyName | N/A | The policy name used by the authorizer |
| aserto.authorizer.policyLabel | N/A | The policy label used by the authorizer |
Identity
To determine the identity of the user, the middleware can be configured to use a JWT token or a claim using the IdentityMapper. All you have to do is create a bean that return a InstanceMapper interface and the middleware will use it to determine the identity of the user.
E.g.
- use a JWT token from the
Authorizationheader:
@Bean
public IdentityMapper identityDiscoverer() {
Extractor headerExtractor = new HeaderExtractor("Authorization");
return new JwtIdentityMapper(headerExtractor);
}
- use the "sub" claim from the JWT token in the
Authorizationheader:
@Bean
public IdentityMapper identityDiscoverer() {
Extractor headerExtractor = new AuthzHeaderExtractor("Authorization", "sub");
return new SubjectIdentityMapper(headerExtractor);
}
By default the middleware uses the NoneIdentityMapper. You can also implement your own IdentityMapper by implementing the IdentityMapper interface.
Policy path
By default, when computing the policy path, the middleware:
- converts all slashes to dots
- converts any path parameters to
__<param_name> - converts uppercase characters in the URL path to lowercase
As with the identity contest, you can implement your own PolicyPathMapper by implementing the PolicyPathMapper
interface and creating a bean that returns it.
E.g.
@Bean
public PolicyMapper policyMapperDiscoverer() {
return new MyCustomPolicyPathMapper();
}
Resource
A resource can be any structured data that the authorization policy uses to evaluate decisions.
By default, the middleware extracts resources from the path parameters. For example if we have a mapping of /user/{id}
and we get a request to /user/123, the middleware will extract the resource from the path parameter id and use it.
This behavior can be changed by implementing the ResourceMapper interface and creating a bean that returns it.
E.g.
@Bean
public ResourceMapper resourceMapper() {
BodyExtractor bodyExtractor = new BodyExtractor();
return new JsonResourceMapper(bodyExtractor, new String[]{"email", "name", "aud"});
}
Config example
The fallowing is a application.properties example with all the configuration parameters:
# --- Authorizer configuration
aserto.authorizer.serviceUrl=localhost:8282
aserto.authorization.enabled=false
aserto.authorizer.policyRoot=todoApp
aserto.authorizer.decision=allowed
## Topaz
## This configuration targets a Topaz instance running locally.
aserto.authorizer.insecure=false
aserto.authorizer.grpc.caCertPath=${user.home}/.local/share/topaz/certs/grpc-ca.crt
## Aserto hosted authorizer
#aserto.tenantId=<tenant_id>
#aserto.authorizer.policyName=todo
#aserto.authorizer.policyLabel=todo
#aserto.authorizer.apiKey=<api_key>
For a minimal example please see the Spring example.