Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
src/main/java/org/openpolicyagent/voter
.gitignore
README.md Add simple AccessDecisionVoter for Spring Security Feb 21, 2018
pom.xml Add simple AccessDecisionVoter for Spring Security Feb 21, 2018

README.md

Spring AccessDecisionVoter using OPA

This directory contains a simple implementation of an AccessDecisionVoter for Spring Security that uses OPA for making authorization decisions.

Prerequisites

  • Java (tested with 1.8)
  • Maven (tested with 3.3.9)

Usage

To build the JAR file:

mvn package

To use the JAR file:

mvn install:install-file -Dfile=target/voter-1.0-SNAPSHOT.jar -DpomFile=pom.xml

Add a dependency on the package to your project (pom.xml):

<dependency>
	<groupId>org.openpolicyagent</groupId>
	<artifactId>voter</artifactId>
	<version>1.0-SNAPSHOT</version>
</dependency>

Web Security Configuration

To enable the voter inside your application, you must configure it. Spring Security has sophisticated support for XML and Java-based configuration.

The example below is a simplistic Java-based configuration that you can use to test the voter. Drop this file into your project.

package com.acmecorp.example.config;

import java.util.Arrays;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;

import org.openpolicyagent.voter.OPAVoter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated().accessDecisionManager(accessDecisionManager());
    }

    @Bean
    public AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<? extends Object>> decisionVoters = Arrays
                .asList(new OPAVoter("http://localhost:8181/v1/data/http/authz/allow"));
        return new UnanimousBased(decisionVoters);
    }

}

Testing

Obtain the latest version of OPA and start your application (e.g., using mvn sprint-boot:run).

Create a test policy (example.rego):

example.rego:

package http.authz

allow = true

Run OPA in server mode with file watching enabled:

opa run -s -w example.rego

Test that you can access your application's API:

curl localhost:8080

Modify the policy to deny all requests.

example.rego:

package http.authz

allow = false

Test that your application's API requests are rejected:

curl localhost:8080
You can’t perform that action at this time.