RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.
Refer to PathActionMatcher
class CustomActionMatcherFactory : ActionMatcherFactory {
companion object {
const val TYPE = "[CustomActionType]"
}
override val type: String
get() = TYPE
override fun create(configuration: Configuration): ConditionMatcher {
return CustomActionMatcher(configuration)
}
}
class CustomActionMatcher(override val configuration: Configuration) : ActionMatcher {
override val type: String
get() = CustomActionMatcherFactory.TYPE
override fun match(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory
# CustomActionMatcherFactory fully qualified name
Refer to ContainsConditionMatcher
class CustomConditionMatcherFactory : ConditionMatcherFactory {
companion object {
const val TYPE = "[CustomConditionType]"
}
override val type: String
get() = TYPE
override fun create(configuration: Configuration): ConditionMatcher {
return CustomConditionMatcher(configuration)
}
}
class CustomConditionMatcher(configuration: Configuration) :
AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {
override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
//Custom matching logic
}
}
META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory
# CustomConditionMatcherFactory fully qualified name
Configure Policy Schema to support IDE (IntelliJ IDEA) input autocompletion.
Policy Demo
{
"id": "id",
"name": "name",
"category": "category",
"description": "description",
"type": "global",
"tenantId": "tenantId",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
},
{
"rateLimiter": {
"permitsPerSecond": 10
}
}
]
}
},
"statements": [
{
"action": {
"path": {
"pattern": "/user/#{principal.id}/*",
"options": {
"caseSensitive": false,
"separator": "/",
"decodeAndParseSegments": false
}
}
}
},
{
"name": "Anonymous",
"action": [
"/auth/register",
"/auth/login"
]
},
{
"name": "UserScope",
"action": "/user/#{principal.id}/*",
"condition": {
"authenticated": {}
}
},
{
"name": "Developer",
"action": "*",
"condition": {
"in": {
"part": "context.principal.id",
"value": [
"developerId"
]
}
}
},
{
"name": "RequestOriginDeny",
"effect": "deny",
"action": "*",
"condition": {
"regular": {
"negate": true,
"part": "request.origin",
"pattern": "^(http|https)://github.com"
}
}
},
{
"name": "IpBlacklist",
"effect": "deny",
"action": "*",
"condition": {
"path": {
"part": "request.remoteIp",
"pattern": "192.168.0.*",
"options": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
}
}
}
},
{
"name": "RegionWhitelist",
"effect": "deny",
"action": "*",
"condition": {
"regular": {
"negate": true,
"part": "request.attributes.ipRegion",
"pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
}
}
},
{
"name": "AllowDeveloperOrIpRange",
"action": "*",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
}
],
"or": [
{
"in": {
"part": "context.principal.id",
"value": [
"developerId"
]
}
},
{
"path": {
"part": "request.remoteIp",
"pattern": "192.168.0.*",
"options": {
"caseSensitive": false,
"separator": ".",
"decodeAndParseSegments": false
}
}
}
]
}
}
},
{
"name": "TestContains",
"effect": "allow",
"action": "*",
"condition": {
"contains": {
"part": "request.attributes.ipRegion",
"value": "上海"
}
}
},
{
"name": "TestStartsWith",
"effect": "allow",
"action": "*",
"condition": {
"startsWith": {
"part": "request.attributes.ipRegion",
"value": "中国"
}
}
},
{
"name": "TestEndsWith",
"effect": "allow",
"action": "*",
"condition": {
"endsWith": {
"part": "request.attributes.remoteIp",
"value": ".168.0.1"
}
}
}
]
}
Configure App Permission Schema to support IDE (IntelliJ IDEA) input autocompletion.
App Permission Demo
{
"id": "manage",
"condition": {
"bool": {
"and": [
{
"authenticated": {}
},
{
"groupedRateLimiter": {
"part": "request.remoteIp",
"permitsPerSecond": 10,
"expireAfterAccessSecond": 1000
}
},
{
"inTenant": {
"value": "default"
}
}
]
}
},
"groups": [
{
"name": "order",
"description": "order management",
"permissions": [
{
"id": "manage.order.ship",
"name": "Ship",
"description": "Ship",
"action": "/order/ship"
},
{
"id": "manage.order.issueInvoice",
"name": "Issue an invoice",
"description": "Issue an invoice",
"action": "/order/issueInvoice"
}
]
}
]
}
Mono.deferContextual {
val securityContext = it.getSecurityContext()
//TODO
}
SecurityContextHolder.context
CoSec follows the OpenTelemetry General identity attributes specification。
CoSec permission policy design refers to AWS IAM .