Authorizing Resources Based On Who Created Them

A colleague of mine pointed out to me an interesting question on StackOverflow. They suggested that it might be a good question for me to answer because of my experience with Spring.

The question was, "how to authorize specific resources based on users who created those in REST, using annotations."

What I'm trying to do is create an annotation named @Authorize and use it on methods that need user authorization to perform some action (the user is already authenticated at this point). For example, I have an order service with a getOrder() method. I want only the user who created this order to access it.

My Answer on StackOverflow

To implement authorization controls on methods in Java, I highly recommend using Spring Security with an eXtensible Access Control Markup Language (XACML) implementation that has a Spring Security API.

Spring Security

Spring Security provides two main actions to protect access to methods:

  1. Pre-invocation checks, which run before the method body executes (@PreAuthorize, and @PreFilter for trimming collection arguments), so a denied call never runs.
  2. Post-invocation checks, which run after the method returns and can inspect the return value (@PostAuthorize, and @PostFilter for trimming a returned collection).

For example, one of the access control rules might be that the user must have the ROLE_ADMIN authority before being able to invoke the method getEvent(). The way to do that within the Spring Security framework would be to use the PreAuthorize annotation as below:

    public interface Sample {
        ...
        @PreAuthorize("hasRole('ROLE_ADMIN')")
        Event getEvent();
    }


In essence, Spring Security uses a runtime Aspect Oriented Programming (AOP) pointcut to run before advice on the method and throws an org.springframework.security.access.AccessDeniedException (o.s.s.access.AccessDeniedException in the reference documentation's shorthand) if the specified security constraints are not met. Two practical consequences follow: the annotations are only honoured once method security is switched on in the configuration (@EnableGlobalMethodSecurity(prePostEnabled = true), or @EnableMethodSecurity in Spring Security 6), and because the check lives in a proxy around the bean, a call from one method of the bean to another annotated method of the same bean bypasses it.

More can be found about Spring Security's Method Level Security in section 27.3 of this document.
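As an added example (my own code, not the original answer's and not Spring Security's), here is the asker's @Authorize built as a Spring Security meta-annotation, with an ownership check on both a read and a write. The Order class, the in-memory OrderService and the usernames alice and bob are assumptions made for the illustration; it targets Spring Security 5.x.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Without this switch the annotations below are silently ignored.
// (Spring Security 6 replaces it with @EnableMethodSecurity, pre/post on by default.)
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical domain object for the example: createdBy is the username
// recorded when the order was created.
class Order {
    private final long id;
    private final String createdBy;

    Order(long id, String createdBy) {
        this.id = id;
        this.createdBy = createdBy;
    }

    public long getId() { return id; }
    public String getCreatedBy() { return createdBy; }
}

// The asker's @Authorize, built as a meta-annotation over @PostAuthorize:
// a method carrying it may only hand back an Order whose creator is the
// authenticated principal. Checking the return value is the natural fit for
// a read, because the owner is unknown until the order has been loaded.
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@PostAuthorize("returnObject.createdBy == authentication.name")
@interface Authorize {
}

@Service
class OrderService {
    // Constructed in-memory stand-in for a repository.
    private final Map<Long, Order> orders = new ConcurrentHashMap<>();

    OrderService() {
        orders.put(1L, new Order(1L, "alice"));
        orders.put(2L, new Order(2L, "bob"));
    }

    // Read path: the proxy runs the body, then applies the @Authorize check
    // to the returned Order and throws AccessDeniedException on a mismatch.
    @Authorize
    public Order getOrder(long id) {
        Order order = orders.get(id);
        if (order == null) {
            throw new NoSuchElementException("order " + id);
        }
        return order;
    }

    // Write path: a side effect must be checked BEFORE it runs. The expression
    // calls back into this bean (default bean name "orderService") to look the
    // owner up server-side, so nothing the caller sends is trusted for the decision.
    @PreAuthorize("@orderService.isOwner(#id, authentication.name)")
    public void cancelOrder(long id) {
        orders.remove(id);
    }

    public boolean isOwner(long id, String username) {
        Order order = orders.get(id);
        return order != null && order.getCreatedBy().equals(username);
    }
}
```

With alice authenticated, getOrder(1) returns the order; with bob authenticated it throws AccessDeniedException after the body has already run, which is why the check-after-load pattern must never be used on a method with side effects. Two things to verify when this does not behave as expected: the #id reference needs parameter names at runtime (compile with -parameters, or annotate the parameter with @P("id")), and a call to getOrder from another method inside OrderService itself goes around the proxy and therefore around the check. Note also that a non-existent order produces NoSuchElementException while another user's order produces AccessDeniedException; if that distinction should not leak which order ids exist, map both to the same HTTP response at the web layer.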

eXtensible Access Control Markup Language (XACML) 

Spring Security does a great job of enforcing access control with its expression-based annotations. However, attribute-based access control (ABAC) allows finer-grained control of access and is the model recommended by the National Institute of Standards and Technology (NIST) in its guide to ABAC, SP 800-162.

To address the limitations of Role Based Access Control (RBAC), NIST came up with a new model called ABAC (Attribute Based Access Control). In ABAC, you can now use more metadata and parameters in the decision. For instance, you can consider:

  1. attributes of the user (the subject): identifier, role, department, clearance;
  2. attributes of the resource: type, owner or creator, classification, status;
  3. attributes of the action: view, edit, delete, approve;
  4. attributes of the context or environment: time of day, client IP address, device, risk score.

All these are called attributes. Attributes are the foundation of ABAC, hence the name. You can assemble these attributes into policies. Policies are a bit like the secret sauce of ABAC. Policies can grant and deny access. For instance: a user may view an order if the user's identifier equals the order's creator attribute (the asker's scenario); a user may not approve a purchase order they created themselves.

Policies can be used to express advanced scenarios. For example: a manager may approve purchase orders from their own department, up to their approval limit, during business hours and only from a corporate network address; a support agent may view any order, but only while a support ticket referencing that order is open.

There are two main syntaxes available to write policies:

  1. the XML syntax defined by the OASIS XACML standard;
  2. the Abbreviated Language For Authorization (ALFA), a compact, code-like syntax that compiles down to XACML XML.

ABAC also comes with an architecture that defines how the policies get evaluated and enforced.

The architecture contains the following components:

  1. the Policy Enforcement Point (PEP), which intercepts the access request (here, the method invocation), builds an authorization request from the attributes it knows, sends it to the PDP and enforces the decision;
  2. the Policy Decision Point (PDP), which evaluates the request against the policies and returns Permit, Deny, Not Applicable or Indeterminate;
  3. the Policy Information Point (PIP), the bridge to attribute sources (an LDAP directory, a database, the order service itself) that the PDP consults for attributes the PEP did not supply, such as who created the order;
  4. the Policy Administration Point (PAP), where policies are authored and managed.
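To make the architecture concrete, here is an added example in Java (my own illustration, not a XACML engine and not the Axiomatics SDK) of the same "only the creator may view the order" rule expressed as attributes and policy rather than as code inside the service: a PEP builds a request from the four attribute categories, a PIP fills in the order's creator, and a PDP evaluates rules with the first-applicable combining algorithm. The attribute names, the business-hours rule and the sample orders are constructed for the example; it uses Java 16+ records.

```java
import java.time.LocalTime;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Predicate;

// An authorization request carries attributes in the four XACML categories.
record Request(Map<String, Object> subject, Map<String, Object> action,
               Map<String, Object> resource, Map<String, Object> environment) {}

enum Decision { PERMIT, DENY, NOT_APPLICABLE }

// A rule has a target (when it applies), a condition and an effect, as in XACML.
record Rule(String name, Predicate<Request> target, Predicate<Request> condition, Decision effect) {
    Decision evaluate(Request r) {
        return target.test(r) && condition.test(r) ? effect : Decision.NOT_APPLICABLE;
    }
}

// Policy Decision Point: first-applicable combining algorithm. A missing
// attribute makes a condition false here (a real XACML PDP would report
// Indeterminate); either way the PEP below only acts on an explicit PERMIT.
class Pdp {
    private final List<Rule> rules;

    Pdp(List<Rule> rules) { this.rules = rules; }

    Decision decide(Request r) {
        for (Rule rule : rules) {
            Decision d = rule.evaluate(r);
            if (d != Decision.NOT_APPLICABLE) {
                return d;
            }
        }
        return Decision.NOT_APPLICABLE;
    }
}

// Policy Information Point: resolves attributes the PEP does not have. The
// order's creator comes from a constructed table standing in for the order store.
class OrderPip {
    private final Map<Long, String> creators = Map.of(1L, "alice", 2L, "bob");

    Request enrich(Request r) {
        Map<String, Object> resource = new HashMap<>(r.resource());
        String creator = creators.get(resource.get("orderId"));
        if (creator != null) {
            resource.put("createdBy", creator);
        }
        return new Request(r.subject(), r.action(), resource, r.environment());
    }
}

// Policy Enforcement Point: builds the request from what it knows, asks the
// PDP and enforces the answer. The service code never sees the rule itself.
class OrderPep {
    private final OrderPip pip = new OrderPip();
    private final Pdp pdp = new Pdp(List.of(
        // The asker's rule: the creator of an order may view it.
        new Rule("creator-can-view",
            r -> "view".equals(r.action().get("id")) && "order".equals(r.resource().get("type")),
            r -> Objects.equals(r.subject().get("id"), r.resource().get("createdBy")),
            Decision.PERMIT),
        // An ABAC-only rule: support staff may view any order, but only during business hours.
        new Rule("support-during-business-hours",
            r -> "view".equals(r.action().get("id")) && "order".equals(r.resource().get("type")),
            r -> {
                LocalTime t = (LocalTime) r.environment().get("time");
                return "support".equals(r.subject().get("role"))
                    && t != null && !t.isBefore(LocalTime.of(9, 0)) && t.isBefore(LocalTime.of(17, 0));
            },
            Decision.PERMIT),
        // Explicit catch-all so the policy never falls through to NOT_APPLICABLE.
        new Rule("deny-everything-else", r -> true, r -> true, Decision.DENY)));

    boolean canView(String user, String role, long orderId, LocalTime now) {
        Request request = new Request(
            Map.of("id", user, "role", role),
            Map.of("id", "view"),
            Map.of("type", "order", "orderId", orderId),
            Map.of("time", now));
        return pdp.decide(pip.enrich(request)) == Decision.PERMIT;
    }
}
```

Calling canView("alice", "customer", 1L, ...) is permitted by creator-can-view; bob is not, and falls through to deny-everything-else; a support user is permitted at 10:00 and denied at 20:00, a decision no role check on its own can express. Note what moved: the order service no longer contains the rule, only the obligation to ask before acting, so the policy can change in the PAP without redeploying the service. Because the PEP treats anything but Permit as a refusal, a PIP that cannot find the creator (an unknown order id) fails closed.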

Implementations of XACML

In full disclosure, I am on the XACML Technical Committee and work for Axiomatics, a provider of dynamic authorization that implements XACML.

Axiomatics provides a Spring Security SDK for its Axiomatics Policy Server, with four expressions that can be used to query the PDP as part of protecting a method invocation:

  1. xacmlDecisionPreAuthz, called with @PreAuthorize
  2. xacmlDecisionPostAuthz, called with @PostAuthorize
  3. xacmlDecisionPreFilter, called with @PreFilter
  4. xacmlDecisionPostFilter, called with @PostFilter

The exact signatures for these methods are as follows. The four parameters are parallel collections giving, for each attribute sent to the PDP, its XACML attribute category, data type, identifier and value:

  1. xacmlDecisionPreAuthz(Collection<String> attributeCats, Collection<String> attributeTypes, Collection<String> attributeIds, ArrayList<Object> attributeValues)
  2. xacmlDecisionPostAuthz(Collection<String> attributeCats, Collection<String> attributeTypes, Collection<String> attributeIds, ArrayList<Object> attributeValues)
  3. xacmlDecisionPreFilter(Collection<String> attributeCats, Collection<String> attributeTypes, Collection<String> attributeIds, ArrayList<Object> attributeValues)
  4. xacmlDecisionPostFilter(Collection<String> attributeCats, Collection<String> attributeTypes, Collection<String> attributeIds, ArrayList<Object> attributeValues)

For a fuller list of XACML implementations, see the list on Wikipedia.
