Skip to content

sturex/abac

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
gradle/wrapper
gradle/wrapper
 
 
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 
gradlew
gradlew
 
 
gradlew.bat
gradlew.bat
 
 
settings.gradle
settings.gradle
 
 

Repository files navigation

Simple ABAC model with Spring Security

The motivation

  • The code will allow you to reduce boilerplate permissions checking inside methods of service layer in your application.
  • All policy rules will now concentrate in a single config file allowing to use concise annotation-based programming model.

Consider the following scenario

  • Delete a post authored by some user by current user.
  • Also we want to comply to the policy rule demanding only posts author is allowed to delete the posts.

Show me how to use it!

The @PreAuthorize annotation with the required parameters just put above service (or controller) method. Hereby we ask Spring Security to check the method access security.

@PreAuthorize("hasPermission(#post, 'delete')")
public Post deletePost(Post post) {
    return postRepository.deletePost(post);
}

The action delete applying to the instance object post is configured in separate config class.

AbacPermissionContainer container = new AbacPermissionContainer();
container.put("delete", Post.class, environment -> {
    Post post = environment.getTargetObject();
    User user = environment.getUser();
    return post.getAuthor().equals(user);
});
return container;

What kind of API here?

Just a several GraphQL queries and mutations available on 8080 port right after running the Spring application

About

Simple ABAC security model

medium.com/@sturex/791d400dcb1a

Topics

java graphql spring web-application spring-security abac

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Languages