{"id":18644627,"url":"https://github.com/sevenparadigms/reactive-spring-abac-security","last_synced_at":"2025-04-11T12:31:06.269Z","repository":{"id":57734801,"uuid":"462243748","full_name":"SevenParadigms/reactive-spring-abac-security","owner":"SevenParadigms","description":"Reactive Spring Security with ABAC model","archived":false,"fork":false,"pushed_at":"2022-06-02T12:26:06.000Z","size":180,"stargazers_count":9,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-25T13:46:17.851Z","etag":null,"topics":["abac","jwt","kotlin","reactive","reactor","security","spring","webflux"],"latest_commit_sha":null,"homepage":"","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SevenParadigms.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-02-22T10:21:07.000Z","updated_at":"2025-01-01T20:17:23.000Z","dependencies_parsed_at":"2022-09-26T22:11:04.503Z","dependency_job_id":null,"html_url":"https://github.com/SevenParadigms/reactive-spring-abac-security","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SevenParadigms%2Freactive-spring-abac-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SevenParadigms%2Freactive-spring-abac-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SevenParadigms%2Freactive-spring-abac-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SevenParadigms%2Freactive-spring-abac-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SevenParadigms","download_url":"https://codeload.github.com/SevenParadigms/reactive-spring-abac-security/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248401945,"owners_count":21097328,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","jwt","kotlin","reactive","reactor","security","spring","webflux"],"created_at":"2024-11-07T06:13:05.760Z","updated_at":"2025-04-11T12:31:06.010Z","avatar_url":"https://github.com/SevenParadigms.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"= reactive-spring-boot-webflux-abac-security\n\nThe main advantage of the ABAC security model is the ability to describe the security policy through a set of rules based on the attributes involved in user actions. This approach allows you to fine-tune security policies to the required level.\n\nThe target area of application of ABAC is the description of the security policies of the branch system with full access control to any level of nesting and description complexity. All ABAC rules are described in the form of SpEL expressions and, unlike RBAC, are stored in a database, where they can be easily analyzed and modified accordingly.\n\nThe Maven Central dependency instead of the library `spring-data-abac-security`:\n\n[source,xml]\n----\n\u003cdependency\u003e\n    \u003cgroupId\u003eio.github.sevenparadigms\u003c/groupId\u003e\n    \u003cartifactId\u003ereactive-spring-abac-security\u003c/artifactId\u003e\n    \u003cversion\u003e1.5.3\u003c/version\u003e\n\u003c/dependency\u003e\n----\n\nThe proposed library on the client side activates Spring Security with the ABAC security model, while caching data by token, accessing the authorization service only once. The token revocation is marked in the cache through the Spring Event, the initiation of which is left to the infrastructure logic when the user session ends.\n\nProperties:\n[source,yaml]\n----\nspring.security:\n  abac.url: r2dbc:postgresql://lgn:psw@ip/abac_rules?schema=public\n  jwt:\n      algorithm: HS512 # default\n      X-User-Id: true # X-User-Id, X-Login and X-Roles is read from headers\n      secret-key: 12345678\n      password-algorithm: PBKDF2WithHmacSHA512 # default [PBKDF2WithHmacSHA1,PBKDF2WithHmacSHA256]\n      expiration: 300 # seconds as default\n      signature-algorithm: HS512 # default\n      iteration: 512  # seconds as default\n      skip-token-validation: false\n      public-key: \u003cbase64 of pem as public key\u003e\n      keystore-path: \u003cfilename.p12 from resource\u003e\n      keystore-type: PKCS12 # default\n      keystore-alias: key alias\n      keystore-password: changeit\n----\n\nAll JWT token claim parsing is cached in Spring CacheManager. If bean of CacheManager (Hazelcast) is not found then using own Caffeine CacheManager.\n\nToken cache have named is `jwt` and it's setting in application.yml in milliseconds:\n\n[source,yaml]\n----\nspring.cache:\n  jwt.expireAfterWrite: 300000 # milliseconds (by default 5 minutes)\n  jwt.maximumSize: 10000 (by default)\n----\n\nif its property is nothing then used `spring.security.jwt.expiration` property in seconds. And it both is nothing then set default expire to 5 minutes. Token caching is up performance over 15k requests per second for authenticated request.\n\nFor get bearer token from `/token` send POST:\n\n[source,json]\n----\n{\n  \"login\": \"login\",\n  \"password\": \"password\"\n}\n----\n\nTo get new token from refresh token send authorized GET:\n\n[source,html]\n----\n/token?refresh_token=[yourRefreshToken]\n----\n\nfor most security, refresh token can claim only with his pair of jwt token and if jwt token is expired then refresh token is expired too.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsevenparadigms%2Freactive-spring-abac-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsevenparadigms%2Freactive-spring-abac-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsevenparadigms%2Freactive-spring-abac-security/lists"}