Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Bisnode/opa-spring-security

Open Policy Agent for Spring Security
https://github.com/Bisnode/opa-spring-security

authentication authorization jwt opa opa-spring-filter opa-spring-security openpolicyagent spring-boot spring-security

Last synced: 24 days ago
JSON representation

Open Policy Agent for Spring Security

Host: GitHub
URL: https://github.com/Bisnode/opa-spring-security
Owner: Bisnode
License: apache-2.0
Created: 2020-02-21T07:31:31.000Z (almost 5 years ago)
Default Branch: master
Last Pushed: 2021-04-13T07:48:21.000Z (over 3 years ago)
Last Synced: 2024-11-14T23:05:27.918Z (27 days ago)
Topics: authentication, authorization, jwt, opa, opa-spring-filter, opa-spring-security, openpolicyagent, spring-boot, spring-security
Language: Java
Homepage:
Size: 186 KB
Stars: 32
Watchers: 15
Forks: 6
Open Issues: 8
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md

Awesome Lists containing this project

awesome-opa - Spring Security - OPA Spring Security Library (Language and Platform Integrations / Java)

README

# OPA Spring Security Library

[![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.bisnode.opa/opa-filter-spring-boot-starter/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.bisnode.opa/opa-filter-spring-boot-starter) ![build](https://github.com/Bisnode/opa-spring-security/workflows/build/badge.svg)

OPA Spring Security is a library that enables using OPA for authorization in Spring applications.

## Installation

#### Prerequisites

- Java 11 or higher

#### Using the starter

Add dependency using Maven

```xml

com.bisnode.opa
opa-filter-spring-boot-starter
{version}

```

or Gradle

```groovy
implementation 'com.bisnode.opa:opa-filter-spring-boot-starter:{version}'
```

## Configuration

**All properties are prefixed with `opa.filter`**

| Property | Default value | Description | Example |
|----------------------|-------------------------|--------------------------------------------------------------------------------|--------------------------|
| `enabled` | `true` | Whether the filter should be enabled | |
| `documentPath` | | Name of OPA document path to use for queries | _"http/request/authz"_ |
| `instance` | `http://localhost:8181` | Address of OPA instance | |
| `endpointsWhitelist` | | Comma-separated list of ant patterns to use for matching whitelisted endpoints | /ping,/info,/api-docs/** |

## Policy requirements

Currently, the filter sends following information to OPA:

- `path` - path of the resource, that's being requested, e.g. `/messages/2`
- `method` - HTTP method, e.g. `GET`
- `encodedJwt` - encoded token from authorization (if found, `null` otherwise)

Those properties are available in your policy's `input`.

---

Your OPA policy response should contain following properties:

- `allow` - with value `true` if to requested resource should be allowed. `false` otherwise
- `reason` - an **optional** string containing reason behind given accessDecision, it will be supplied to exception message

Unknown properties are ignored.

> Example OPA response would look as follows:
> ```json
> {
> "result":
> {
> "allow": false,
> "reason": "You shall not pass"
> }
> }
> ```

## Published events
When library denies access to the resource, `AuthorizationFailureEvent` is published and therefore can be used in user's code.

## Developing and building
Build process and dependency management is done using Gradle.
Tests are written in Spock.

## Contribution

Interested in contributing? Please, start by reading [this document](https://github.com/Bisnode/opa-spring-security/blob/master/CONTRIBUTING.md).