{"id":22787376,"url":"https://github.com/aserto-dev/aserto-spring","last_synced_at":"2025-04-15T23:38:37.448Z","repository":{"id":189189303,"uuid":"679711646","full_name":"aserto-dev/aserto-spring","owner":"aserto-dev","description":"Aserto authorization filter for Spring Security.","archived":false,"fork":false,"pushed_at":"2024-10-15T16:01:14.000Z","size":96,"stargazers_count":3,"open_issues_count":1,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-29T02:41:59.887Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aserto-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-17T12:57:05.000Z","updated_at":"2024-10-15T16:00:43.000Z","dependencies_parsed_at":null,"dependency_job_id":"c19288d9-ae46-4f9c-a287-1c6b558fd9e6","html_url":"https://github.com/aserto-dev/aserto-spring","commit_stats":null,"previous_names":["aserto-dev/aserto-spring"],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Faserto-spring","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Faserto-spring/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Faserto-spring/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aserto-dev%2Faserto-spring/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aserto-dev
","download_url":"https://codeload.github.com/aserto-dev/aserto-spring/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249173059,"owners_count":21224481,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-12T00:55:11.116Z","updated_at":"2025-04-15T23:38:37.430Z","avatar_url":"https://github.com/aserto-dev.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"![slack](https://img.shields.io/badge/slack-Aserto%20Community-brightgreen)\n\n# aserto-spring\nAserto authorization filter for Spring Security.\n`aserto-spring` implements middleware for Spring Security that uses the [Aserto](https://aserto.com) authorizer.\n\nThe package adds a spring security filter that intercepts requests. Once a request is intercepted an authorization call\nis made to the Aserto Authorizer. 
If the request is authorized, it is allowed to continue; otherwise a 401 is returned.\n\nBuilt on top of the [Aserto Java SDK](https://github.com/aserto-dev/aserto-java)\n\n## Prerequisites\n- Java 17 or newer\n- Spring Boot 3.1.12 or newer\n- Spring Security 6.1.5 or newer\n\n## Building\n\n```mvn clean install```\n\nAdd the middleware to your project\n\n```xml\n\u003cdependency\u003e\n    \u003cgroupId\u003ecom.aserto\u003c/groupId\u003e\n    \u003cartifactId\u003easerto-spring\u003c/artifactId\u003e\n\u003c/dependency\u003e\n```\n\n## Configuration\nThe following configuration settings are required for authorization:\n\n### Topaz\n- aserto.authorizer.serviceUrl\n- aserto.authorizer.insecure\n- aserto.authorizer.policyRoot\n- aserto.authorizer.grpc.caCertPath\n- aserto.authorizer.policyName\n- aserto.authorizer.policyLabel\n- aserto.authorizer.token\n- aserto.authorizer.decision\n\n\n### Aserto\n- aserto.authorizer.serviceUrl\n- aserto.authorizer.policyRoot\n- #aserto.authorizer.apiKey\n- aserto.authorizer.policyName\n- aserto.authorizer.policyLabel\n- aserto.authorizer.token\n- aserto.authorizer.decision\n\n## Usage\nTo use the middleware, add the component scan annotation to your main class\n```java\n@ComponentScan(\"com.aserto\")\n```\n\nand configure the security filter chain to use the middleware.\n\n```java\n    @Bean\n    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {\n        http\n            .authorizeHttpRequests(authorize -\u003e authorize\n                    .anyRequest().access(new AsertoAuthorizationManager(authzCfg))\n        );\n        return http.build();\n    }\n```\n### Middleware defaults\nBy default:\n- the policy path is extracted from the rest controller mappings, e.g. `@GetMapping(\"/users/{userID}\")` will generate the policy path `\u003cpolicy_path\u003e.GET.users.__userID`\n- the resource context is not included in the authorization call. 
\nThe middleware does not extract the identity by default. You can configure an identity mapper by using one of the provided ones or by creating your own.\ne.g.\n```java\n    @Bean\n    public IdentityMapper identityMapper() {\n        // Read the JWT from the \"authorization\" request header\n        Extractor authzHeaderExtractor = new HeaderExtractor(\"authorization\");\n        return new JwtIdentityMapper(authzHeaderExtractor);\n    }\n```\n\n## Customizing the middleware\n\nYou can change the identity mapper, policy path mapper or resource mapper.\nAll you have to do is provide a bean that returns an instance that implements the IdentityMapper, PolicyMapper or ResourceMapper interface.\n\n### IdentityMapper\n\n```java\n    @Bean\n    public IdentityMapper identityMapper() {\n        Extractor authzHeaderExtractor = new AuthzHeaderExtractor();\n        return new SubjectIdentityMapper(authzHeaderExtractor);\n    }\n```\n\n### PolicyMapper\n\n```java\n    @Bean\n    public PolicyMapper policyMapper() {\n        return new CustomPolicyMapper();\n    }\n```\n\n### ResourceMapper\n\n```java\n    @Bean\n    public ResourceMapper resourceMapper() {\n        BodyExtractor bodyExtractor = new BodyExtractor();\n        return new JsonResourceMapper(bodyExtractor, new String[]{\"email\", \"name\", \"aud\"});\n    }\n```\n\n## Configuring the middleware for check calls\nThe check call is a specialized `is` call. 
It allows us to specify an object type, an object id and a relation.\ne.g.\n\n```java\n@Bean\npublic SecurityFilterChain filterChain(HttpSecurity http) throws Exception {\n    http\n        .authorizeHttpRequests(authorize -\u003e authorize\n            .requestMatchers(HttpMethod.GET, \"/todos\")\n            .access(new CheckConfig(authzCfg, \"group\", \"viewer\", \"member\").getAuthManager())\n        );\n    return http.build();\n}\n```\n\n### Method level authorization\nThe check call can be used at a method level as well.\ne.g.\n```java\n    @GetMapping(\"/todos\")\n    @PreAuthorize(\"@aserto.check('group', 'viewer', 'member')\")\n    public String getTodo() {\n        return \"Hello from route GET /todos\";\n    }\n```\nThe check call accepts hard-coded values or implementations of the [ObjectTypeMapper.java](src%2Fmain%2Fjava%2Fcom%2Faserto%2Fauthorizer%2Fmapper%2Fobject%2FObjectTypeMapper.java),\n[ObjectTypeMapper.java](src%2Fmain%2Fjava%2Fcom%2Faserto%2Fauthorizer%2Fmapper%2Fobject%2FObjectTypeMapper.java) and [RelationMapper.java](src%2Fmain%2Fjava%2Fcom%2Faserto%2Fauthorizer%2Fmapper%2Frelation%2FRelationMapper.java)\ninterfaces.\n\n## Example\n\nAn example can be found in the [example](https://github.com/aserto-dev/aserto-spring/tree/main/examples) directory.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faserto-dev%2Faserto-spring","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faserto-dev%2Faserto-spring","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faserto-dev%2Faserto-spring/lists"}