
Spring Middleware

The AsertoFilter is a Java library that provides a Spring Security filter that enables the use of Aserto's authorization service in projects that use Spring.

Requirements

  • Java 8 or newer
  • Spring Boot 2.7.x
  • Spring Security 5.7.x

Installation

Add the following dependency to your pom.xml file:

    <dependency>
        <groupId>com.aserto</groupId>
        <artifactId>aserto-spring</artifactId>
        <version>0.0.5</version>
    </dependency>

The latest version is available on Maven Central.

And then execute:

    mvn clean package

In order for Spring to discover the filter, add the @ComponentScan annotation to the main class of the application:

    @ComponentScan("com.aserto")

Configuration

The authorization filter accepts the following configuration parameters:

    Parameter name                   Default value    Description
    aserto.authorization.enabled     true             Enable/disable the authorization filter
    aserto.authorization.serviceUrl  localhost:8282   The service URL of the authorizer service
    aserto.authorizer.insecure       false            Use an insecure connection to the authorizer service
    aserto.authorizer.cert.path      N/A              The path to the authorizer service certificate, useful when using local Topaz with self-signed certificates
    aserto.authorizer.decision       N/A              The decision used by the authorizer
    logging.level.com.aserto         INFO             The log level for the Aserto middleware

The following configuration settings are available when connecting the middleware to Aserto's hosted authorizer service:

    Parameter name                   Default value    Description
    aserto.authorizer.apiKey         N/A              The API key to use when connecting to the authorizer service
    aserto.tenantId                  N/A              The tenant ID to use when connecting to the authorizer service
    aserto.authorizer.policyName     N/A              The policy name used by the authorizer
    aserto.authorizer.policyLabel    N/A              The policy label used by the authorizer

Identity

To determine the identity of the user, the middleware can be configured to use a JWT token, or a claim from it, through the IdentityMapper. All you have to do is create a bean that returns an IdentityMapper and the middleware will use it to determine the identity of the user.

E.g.

  • use a JWT token from the Authorization header:

        @Bean
        public IdentityMapper identityDiscoverer() {
            // Read the raw token from the Authorization header of each request
            Extractor headerExtractor = new HeaderExtractor("Authorization");
            // Use the whole JWT as the identity
            return new JwtIdentityMapper(headerExtractor);
        }

  • use the "sub" claim from the JWT token in the Authorization header:

        @Bean
        public IdentityMapper identityDiscoverer() {
            // Read the "sub" claim from the JWT in the Authorization header
            Extractor headerExtractor = new AuthzHeaderExtractor("Authorization", "sub");
            // Use the subject claim as the identity
            return new SubjectIdentityMapper(headerExtractor);
        }

By default the middleware uses the NoneIdentityMapper. You can also implement your own mapper by implementing the IdentityMapper interface.

Policy path

By default, when computing the policy path, the middleware:

  • converts all slashes to dots
  • converts any path parameters to __<param_name>
  • converts uppercase characters in the URL path to lowercase

As with the identity context, you can implement your own PolicyPathMapper by implementing the PolicyPathMapper interface and creating a bean that returns it.

E.g.

    @Bean
    public PolicyPathMapper policyMapperDiscoverer() {
        // MyCustomPolicyPathMapper implements the PolicyPathMapper interface
        return new MyCustomPolicyPathMapper();
    }

Resource

A resource can be any structured data that the authorization policy uses to evaluate decisions. By default, the middleware extracts resources from the path parameters. For example, if we have a mapping of /user/{id} and we get a request to /user/123, the middleware extracts the resource from the path parameter id and uses it.

This behavior can be changed by implementing the ResourceMapper interface and creating a bean that returns it.

E.g.

    @Bean
    public ResourceMapper resourceMapper() {
        // Read the request body instead of the path parameters
        BodyExtractor bodyExtractor = new BodyExtractor();
        // Only the listed JSON fields are forwarded to the authorizer as the resource
        return new JsonResourceMapper(bodyExtractor, new String[]{"email", "name", "aud"});
    }
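To make the default behaviour described in the Policy path and Resource sections concrete, here is an added Python model of those defaults (not the middleware's own code, which is Java). It applies the three policy-path rules in the order the page lists them, so the assumption is that parameter names are lowercased too, and it extracts path parameters from a request path in the way the default ResourceMapper is described to; the mapping "/user/{id}" and request "/user/123" are the page's own example, the others are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Matches a Spring path variable such as {id} or {postId}.
_PATH_PARAM = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def default_policy_path(mapping: str) -> str:
    """Model of the default PolicyPathMapper rules, applied in the listed order.

    Assumption: lowercasing runs last, so parameter names are lowercased as well.
    """
    path = mapping.strip("/")
    path = path.replace("/", ".")                               # slashes -> dots
    path = _PATH_PARAM.sub(lambda m: "__" + m.group(1), path)   # {id} -> __id
    return path.lower()                                         # uppercase -> lowercase


def match_and_extract(mapping: str, request_path: str) -> Optional[Dict[str, str]]:
    """Return the path parameters of request_path under mapping, or None if the
    request does not match the mapping at all (the default ResourceMapper input)."""
    # Build a regex from the mapping: each {name} becomes a named group matching
    # exactly one path segment; everything else is matched literally.
    parts = []
    pos = 0
    for m in _PATH_PARAM.finditer(mapping):
        parts.append(re.escape(mapping[pos:m.start()]))
        parts.append(f"(?P<{m.group(1)}>[^/]+)")
        pos = m.end()
    parts.append(re.escape(mapping[pos:]))
    pattern = re.compile("^" + "".join(parts) + "/?$")
    found = pattern.match(request_path)
    return found.groupdict() if found else None


def authorize_input(mapping: str, request_path: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Policy path plus resource for one request, or None when the request is unmatched."""
    params = match_and_extract(mapping, request_path)
    if params is None:
        return None
    return default_policy_path(mapping), params


if __name__ == "__main__":
    print(authorize_input("/user/{id}", "/user/123"))  # ('user.__id', {'id': '123'})
```

Note that the extracted resource values are untrusted strings taken straight from the request path, so the policy that receives them has to validate them rather than assume the value identifies an object the caller may access.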

Config example

The following is an application.properties example with all the configuration parameters:

# --- Authorizer configuration
aserto.authorizer.serviceUrl=localhost:8282
aserto.authorization.enabled=false
aserto.authorizer.policyRoot=todoApp
aserto.authorizer.decision=allowed

## Topaz
## This configuration targets a Topaz instance running locally.
aserto.authorizer.insecure=false
aserto.authorizer.grpc.caCertPath=${user.home}/.local/share/topaz/certs/grpc-ca.crt

## Aserto hosted authorizer
#aserto.tenantId=<tenant_id>
#aserto.authorizer.policyName=todo
#aserto.authorizer.policyLabel=todo
#aserto.authorizer.apiKey=<api_key>

For a minimal example please see the Spring example.