OPA Spring Security filter

Spring filter that uses Open Policy Agent to allow and deny access

License

License

GroupId

GroupId

com.bisnode.opa
ArtifactId

ArtifactId

opa-filter-core
Last Version

Last Version

1.3.0
Release Date

Release Date

Type

Type

pom.sha512
Description

Description

OPA Spring Security filter
Spring filter that uses Open Policy Agent to allow and deny access
Project URL

Project URL

https://github.com/Bisnode/opa-spring-security
Source Code Management

Source Code Management

https://github.com/Bisnode/opa-spring-security.git

Download opa-filter-core

Dependencies

compile (1)

Group / Artifact Type Version
com.bisnode.opa : opa-java-client jar 0.0.2

runtime (3)

Group / Artifact Type Version
org.slf4j : slf4j-api jar 1.7.30
org.springframework.security : spring-security-web jar 5.2.2.RELEASE
javax.servlet : javax.servlet-api jar 4.0.1

Project Modules

There are no modules declared in this project.

OPA Spring Security Library

Maven Central build

OPA Spring Security is a library that enables using OPA for authorization in Spring applications.

Installation

Prerequisites

  • Java 11 or higher

Using the starter

Add dependency using Maven

Maven Central

<dependency>
    <groupId>com.bisnode.opa</groupId>
    <artifactId>opa-filter-spring-boot-starter</artifactId>
    <version>{version}</version>
</dependency>

or Gradle

implementation 'com.bisnode.opa:opa-filter-spring-boot-starter:{version}'

Configuration

All properties are prefixed with opa.filter

Property Default value Description Example
enabled true Whether the filter should be enabled
documentPath Name of OPA document path to use for queries "http/request/authz"
instance http://localhost:8181 Address of OPA instance
endpointsWhitelist Comma-separated list of ant patterns to use for matching whitelisted endpoints /ping,/info,/api-docs/**

Policy requirements

Currently, the filter sends following information to OPA:

  • path - path of the resource, that's being requested, e.g. /messages/2
  • method - HTTP method, e.g. GET
  • encodedJwt - encoded token from authorization (if found, null otherwise)

Those properties are available in your policy's input.


Your OPA policy response should contain following properties:

  • allow - with value true if to requested resource should be allowed. false otherwise
  • reason - an optional string containing reason behind given accessDecision, it will be supplied to exception message

Unknown properties are ignored.

Example OPA response would look as follows:

{
  "result": 
  {
      "allow": false,
      "reason": "You shall not pass"
  }
}

Published events

When library denies access to the resource, AuthorizationFailureEvent is published and therefore can be used in user's code.

Developing and building

Build process and dependency management is done using Gradle. Tests are written in Spock.

Contribution

Interested in contributing? Please, start by reading this document.

com.bisnode.opa

Bisnode

Open source @ Bisnode

Versions

Version
1.3.0
1.2.0
1.1.1
1.1.0
1.0.0
0.0.5
0.0.4
0.0.3
0.0.1