
Spring AccessDecisionVoter using OPA

This directory contains a simple implementation of an AccessDecisionVoter for Spring Security that uses OPA for making authorization decisions.


  • Java (tested with 1.8)
  • Maven (tested with 3.3.9)


To build the JAR file:

mvn package

To use the JAR file:

mvn install:install-file -Dfile=target/voter-1.0-SNAPSHOT.jar -DpomFile=pom.xml

Add a dependency on the package to your project (pom.xml):


Web Security Configuration

To enable the voter inside your application, you must configure it. Spring Security has sophisticated support for XML and Java-based configuration.

The example below is a simplistic Java-based configuration that you can use to test the voter. Drop this file into your project.

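package com.acmecorp.example.config;

import java.util.Arrays;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import org.openpolicyagent.voter.OPAVoter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Example rule: require authentication and send every request to the OPA-backed decision manager.
        http.authorizeRequests().anyRequest().authenticated()
                .accessDecisionManager(accessDecisionManager());
    }

    @Bean
    public AccessDecisionManager accessDecisionManager() {
        // UnanimousBased denies the request as soon as any voter in the list votes to deny.
        List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays
                .asList(new OPAVoter("http://localhost:8181/v1/data/http/authz/allow"));
        return new UnanimousBased(decisionVoters);
    }
}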



Obtain the latest version of OPA and start your application (e.g., using mvn spring-boot:run).

Create a test policy (example.rego):


package http.authz

allow = true

Run OPA in server mode with file watching enabled:

opa run -s -w example.rego

Test that you can access your application's API:

curl localhost:8080

Modify the policy to deny all requests.


package http.authz

allow = false

Test that your application's API requests are rejected:

curl localhost:8080
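
The allow/deny test above depends on how a voter turns OPA's answer for http/authz/allow into a Spring Security vote. The sketch below is an added example, not the project's OPAVoter: the class name FailClosedOpaVoter, the input fields (user, method, path) and the use of RestTemplate (spring-web with a JSON converter on the classpath) are assumptions. It shows the fail-closed mapping, since OPA answers 200 with no "result" key when the queried rule is undefined.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.web.client.RestTemplate;

// Added sketch: FailClosedOpaVoter is a hypothetical class, not the project's OPAVoter.
public class FailClosedOpaVoter implements AccessDecisionVoter<FilterInvocation> {
    private final String opaUrl; // e.g. http://localhost:8181/v1/data/http/authz/allow
    private final RestTemplate client = new RestTemplate();

    public FailClosedOpaVoter(String opaUrl) {
        this.opaUrl = opaUrl;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    @Override
    public int vote(Authentication auth, FilterInvocation fi, Collection<ConfigAttribute> attrs) {
        // Assumed input document; the fields the real voter sends are not shown on this page.
        Map<String, Object> input = new HashMap<>();
        input.put("user", auth.getName());
        input.put("method", fi.getRequest().getMethod());
        input.put("path", fi.getRequest().getRequestURI());
        try {
            Map<?, ?> body = client.postForObject(opaUrl, Collections.singletonMap("input", input), Map.class);
            return toVote(body);
        } catch (RuntimeException e) {
            return ACCESS_DENIED; // OPA unreachable, HTTP error or unreadable body: deny
        }
    }

    // Only a literal JSON true grants. A missing "result" key (undefined rule or
    // wrong path) and any non-boolean value are treated as a denial.
    static int toVote(Map<?, ?> body) {
        return body != null && Boolean.TRUE.equals(body.get("result")) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}
```

Registered in place of OPAVoter in the UnanimousBased list, a single ACCESS_DENIED from this voter rejects the request, so a stopped OPA server or a mistyped policy path blocks access instead of opening it.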