The main advantage of the ABAC security model is the ability to describe the security policy through a set of rules based on the attributes involved in user actions. This approach allows you to fine-tune security policies to the required level.
The target area of application of ABAC is the description of the security policies of the branch system with full access control to any level of nesting and description complexity. All ABAC rules are described in the form of SpEL expressions and, unlike RBAC, are stored in a database, where they can be easily analyzed and modified accordingly.
The Maven Central dependency instead of the library spring-data-abac-security:
<dependency>
<groupId>io.github.sevenparadigms</groupId>
<artifactId>reactive-spring-abac-security</artifactId>
<version>1.5.3</version>
</dependency>The proposed library on the client side activates Spring Security with the ABAC security model, while caching data by token, accessing the authorization service only once. The token revocation is marked in the cache through the Spring Event, the initiation of which is left to the infrastructure logic when the user session ends.
Properties:
spring.security:
abac.url: r2dbc:postgresql://lgn:psw@ip/abac_rules?schema=public
jwt:
algorithm: HS512 # default
X-User-Id: true # X-User-Id, X-Login and X-Roles is read from headers
secret-key: 12345678
password-algorithm: PBKDF2WithHmacSHA512 # default [PBKDF2WithHmacSHA1,PBKDF2WithHmacSHA256]
expiration: 300 # seconds as default
signature-algorithm: HS512 # default
iteration: 512 # seconds as default
skip-token-validation: false
public-key: <base64 of pem as public key>
keystore-path: <filename.p12 from resource>
keystore-type: PKCS12 # default
keystore-alias: key alias
keystore-password: changeitAll JWT token claim parsing is cached in Spring CacheManager. If bean of CacheManager (Hazelcast) is not found then using own Caffeine CacheManager.
Token cache have named is jwt and itβs setting in application.yml in milliseconds:
spring.cache:
jwt.expireAfterWrite: 300000 # milliseconds (by default 5 minutes)
jwt.maximumSize: 10000 (by default)if its property is nothing then used spring.security.jwt.expiration property in seconds. And it both is nothing then set default expire to 5 minutes. Token caching is up performance over 15k requests per second for authenticated request.
For get bearer token from /token send POST:
{
"login": "login",
"password": "password"
}To get new token from refresh token send authorized GET:
/token?refresh_token=[yourRefreshToken]for most security, refresh token can claim only with his pair of jwt token and if jwt token is expired then refresh token is expired too.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent