This is an authentication and authorization library implementing role based access control, which is to be plugged into Spring Security Framework.
- Role based authorization. Can be configured using SPEL expression.
- Local authentication provider. Password is encoded using HMAC-SHA256. Can be used w/wo 1).
- Active Directory authentication provider. Can be only be used with 4)
- Composite authentication provider. Support mixed authentication mechanism in a single app. Can be used w/wo 1).
- Restful authentication filter. Support authenticate via a JSON-format REST request. Can be used w/wo above all.
-
add rbac-lib to your maven dependency
<dependency> <groupId>org.binyu</groupId> <artifactId>rbac-lib</artifactId> <version>0.0.1</version> </dependency>
-
prepare a db for persisting RBAC objects: for MySQL, you can use rbac-lib-example/src/main/resources/schema-mysql.sql,data-mysql.sql to initialize the database.
-
register a DataSource to Spring container.
-
initialize a RBACContextLoader:
RBACContextLoader rbac=new RBACContextLoader(dataSource);
-
to use Local|Composite authenticatio provider in your spring security config
Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired RBACContextLoader rbac; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.authenticationProvider(rbac.getLocalAuthenticationProvider()); //or rbac.getCompositeAuthenticationProvider() }
-
to use Role based authorization:
@Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired RBACContextLoader rbac; ... protected void configure(HttpSecurity http) throws Exception { ... //register our custom SPEL expression handler http.authorizeRequests().expressionHandler(rbac.getExpressionHandler()); //define the access expression for each URL. http.authorizeRequests().antMatchers("/hello/**").access("authenticated and #rbac.accessRes('users')");
-
to use Restful authentication filter:
protected void configure(HttpSecurity http) throws Exception { ... //use our custom RESTfule authentication filter http.apply(rbac.getRestAuthConfigure());
-
use Spring security remember-me authentication with our authentication providers:
http.rememberMe().userDetailsService(rbac.getUserDetailsService());