Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/sevenparadigms/reactive-spring-abac-security

Reactive Spring Security with ABAC model
https://github.com/sevenparadigms/reactive-spring-abac-security

abac jwt kotlin reactive reactor security spring webflux

Last synced: 1 day ago
JSON representation

Reactive Spring Security with ABAC model

Host: GitHub
URL: https://github.com/sevenparadigms/reactive-spring-abac-security
Owner: SevenParadigms
License: apache-2.0
Created: 2022-02-22T10:21:07.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-06-02T12:26:06.000Z (over 2 years ago)
Last Synced: 2023-12-19T16:07:35.797Z (11 months ago)
Topics: abac, jwt, kotlin, reactive, reactor, security, spring, webflux
Language: Kotlin
Homepage:
Size: 176 KB
Stars: 5
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.adoc
- License: LICENSE

Awesome Lists containing this project

README

= reactive-spring-boot-webflux-abac-security

The main advantage of the ABAC security model is the ability to describe the security policy through a set of rules based on the attributes involved in user actions. This approach allows you to fine-tune security policies to the required level.

The target area of application of ABAC is the description of the security policies of the branch system with full access control to any level of nesting and description complexity. All ABAC rules are described in the form of SpEL expressions and, unlike RBAC, are stored in a database, where they can be easily analyzed and modified accordingly.

The Maven Central dependency instead of the library `spring-data-abac-security`:

[source,xml]
----

io.github.sevenparadigms
reactive-spring-abac-security
1.5.3

----

The proposed library on the client side activates Spring Security with the ABAC security model, while caching data by token, accessing the authorization service only once. The token revocation is marked in the cache through the Spring Event, the initiation of which is left to the infrastructure logic when the user session ends.

Properties:
[source,yaml]
----
spring.security:
abac.url: r2dbc:postgresql://lgn:psw@ip/abac_rules?schema=public
jwt:
algorithm: HS512 # default
X-User-Id: true # X-User-Id, X-Login and X-Roles is read from headers
secret-key: 12345678
password-algorithm: PBKDF2WithHmacSHA512 # default [PBKDF2WithHmacSHA1,PBKDF2WithHmacSHA256]
expiration: 300 # seconds as default
signature-algorithm: HS512 # default
iteration: 512 # seconds as default
skip-token-validation: false
public-key:
keystore-path:
keystore-type: PKCS12 # default
keystore-alias: key alias
keystore-password: changeit
----

All JWT token claim parsing is cached in Spring CacheManager. If bean of CacheManager (Hazelcast) is not found then using own Caffeine CacheManager.

Token cache have named is `jwt` and it's setting in application.yml in milliseconds:

[source,yaml]
----
spring.cache:
jwt.expireAfterWrite: 300000 # milliseconds (by default 5 minutes)
jwt.maximumSize: 10000 (by default)
----

if its property is nothing then used `spring.security.jwt.expiration` property in seconds. And it both is nothing then set default expire to 5 minutes. Token caching is up performance over 15k requests per second for authenticated request.

For get bearer token from `/token` send POST:

[source,json]
----
{
"login": "login",
"password": "password"
}
----

To get new token from refresh token send authorized GET:

[source,html]
----
/token?refresh_token=[yourRefreshToken]
----

for most security, refresh token can claim only with his pair of jwt token and if jwt token is expired then refresh token is expired too.