ABAC support for Spring Security or Apache Shiro - spring

I'm trying to find any open-source or commercial implementation of Attribute-Based Access Control(ABAC) paradigm that will work together with Spring Security or Apache Shiro frameworks. Right now I can't find any of them.
I don't think I'm a first one who needs such kind of functionality - so could you please recommend frameworks that will support this ?
Also, can Permissions in Apache Shiro be considered as a particular case of ABAC paradigm implementation ?

jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models. ABAC is one of the models that is supported by jCasbin.
ABAC: syntax sugar like a resource. The owner can be used to get the attribute for the resource.
In jCasbin, an access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matches). So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.
It supports Spring boot via plugin: jcasbinspring-boott-plugin
Also, there is another opensource project called EasyAback. (The original project documents are written in Russian and I translated them and moreover added some other documents and diagram link)

This github sample shows how ABAC can be implemented on top of spring-security framework using Spring Expression Language (SPEL). An excellent blog describes the sample code using a simple web app. Having come from an XACML background I found this project to be very familiar to XACML. It essentially maps XACML concepts to define policy's in JSON (instead of XACML / XML) and using a familiar spring-security API and framework.

Disclaimer: I work for Axiomatics
Axiomatics provides an Attribute Based Access Control (ABAC) implementation that integrates with different environments:
Native Spring Security integration
integration with other Java apps via our SDK and API
integration with API gateways e.g. Apigee
database security
We have had customers integrate with Apache Shiro . Apache Shiro are a simplified form of ABAC. They can be integrated with ABAC.
Axiomatics' implementation relies on XACML.

For an open source Java alternative, you can find several on the XACML Wikipedia page: AuthzForce, Apache OpenAZ, WSO2 Balana. For AuthzForce, you can find Java code samples of ABAC/XACML authorization filters using either an embedded Java PDP or a (remote) RESTful PDP.

Related

Dynamic Camel route configuration at deployment time: Java DSL or XML DSL?

Let me preface this with the fact that I am still very new to Apache Camel. I'm still trying to understand how it all works, and what needs to be done (and HOW to do it) to achieve a particular effect.
I am trying to develop a Spring Boot application that will use Apache Camel to handle the transmission (and possibly also receipt) of data to/from a number of possible sources and destinations. The purpose of the application is to provide a means to produce/generate network traffic, at the network application level, that will be fed into another Spring Boot application - let's call this the target. We are trying to observe and measure the effects various network loads have on the target.
We would like to be able to transmit data via a number of protocols, including: ftp, http/s, file systems (nfs), various mail protocols (smtp, pop) and data streaming protocols for voice and video. There may be other protocols added at a later time. The data itself is irrelevant, we just need to be able to transmit data via various protocols with various loads.
These applications/services will be running in a containerized environment (Docker) that will be run within our local development and test environment, as well as possibly in a cloud environment, such as AWS. We have used Docker, Ansible, Terraform and are currently working towards using Kubernetes and Istio to manage the configuration, deployment, and operation of these applications.
We need to be able to provide specific configurations of Camel routes for particular deployments.
It would appear that the preferred method to configure Camel routes is via Java DSL, rather than XML DSL. The Camel documentation and nearly every other source of information I've found have a strong bias towards using Java DSL. Examples of XML DSL route configuration are far and few.
My initial impression is that going the Java DSL route (excuse the pun), would not work well with our need to be able to deploy a Camel application with a specific route configuration. It seems like you are required to have Java DSL defined route configurations hardwired into the code.
We think that it will be easier to provide a specific route configuration via an XML file that can be included in a deployment, hence why I've been trying to investigate and experiment with XML DSL. Perhaps we are mistaken in this regard.
My question to the community is: Considering what I've described above, can the Java DSL approach be used to meet the requirements as I've described them? Can we use Java DSL in a way that allows for dynamic route configuration? Keep in mind we would not be attempting to change configuration during operation, just in the course of performing a deployment.
If Java DSL could be used for this purpose, it would be very much appreciated if pointers to documentation, examples, etc. could be provided.
For your use cases you could use XML DSL also. Anyhow below book covers most aspects Camel development with examples. In this book authors describes XML DSL use for most of java DSL examples.
https://www.manning.com/books/camel-in-action-second-edition
In below github repository you can find the source code for all the examples listed in above book.
https://github.com/camelinaction/camelinaction2
Simple tutorial and github repository for Apache Camel using Spring boot.
https://www.baeldung.com/apache-camel-spring-boot
https://github.com/eugenp/tutorials/tree/master/spring-boot-modules/spring-boot-camel
Maven Plugin for build and deployment of spring boot container application into Kubernetes cluster
https://maven.fabric8.io/
In case if your company can afford some funding for your effort look at below link which provides commercial offerings around Camel.
https://camel.apache.org/manual/latest/commercial-camel-offerings.html
Thanks
Madhu Gupta
Our team has a few projects which use the Java DSL for building routes. In order to make them dynamic, there are control structures for iterating and setting endpoints based off configurations. That works for us because the routes are basically all the same, just with different sources and sinks.
If you could dynamically add/change the XML DSL files in a way that doesn't involve redeploying your application, that might be a viable route to follow. One might, for example, change the camel.springboot.xml-routes property to point to a folder which changes as needed.

Hybris sap use Spring?

I all,
I have experience with oracle atg and now i want to merge to hybris sap, so i have some questions about hybris.
For development, does hybris uses spring, that means when i develop an hybris application do i use spring ioc, spring mvc and spring security (#autowired, #controller, #service...) or just like atg the usage of spring is done in the background and when i use angular with hybris do i have to use spring (#RESTController) and for data access do i have to use hibernate or does it have his own methods? And do we have to use spring boot and spring data with it?
I haven't got knowledge about oracle ATG. Hybris is a platform which has a lot of module. Some modules developed with spring (xml based config), for example web services and customer ui (store front). Hybris has own ORM, so spring data not used. Hybris using a lot of technologies, some of them:
Spring
Apache Solr
ZK Framework
Apache Ant
Apache Tomcat
Junit
JQuery
Also we use a lot of languages for this technologies:
Html
Java
Javascript
Flex Query
Bean shell
Groovy
Jsp
Lucene
Cron
You can use other frameworks look like React for store front with developing custom controls. But hybris has a lot of out of the box functions for managing ui and customization on the fly. These functionalities may be not usable with different framework or it needs a lot of work.
I don't know about ATG, but in hybris there are many modules using which you can quickly setup a live production website within 4-6 months.
Front-End:
JSP, JSTL, EL
Javascript, HTML, CSS
Bootstrap
jQuery
Backend:
Java for handling and writing the logic
Spring Core, Spring MVC, Spring Security
Spring EL
Database:
More than 6 databases are supported:
- SAP
- HANA
- HSQLDB
- MySQL
- SQL Server
- Oracle
- PostgreSQL and many are added
For searching:
Hybris has its own search engine.
Lucene, Apache Solr
Now you can use Google cloud search as well.
For scripting:
beanshell
JavaScript
Groovy
Please keep an eye on the Hybris Commerce roadmap. Thin Angular.JS based UI is probably the future.
UI development is typically done in Hybris Commerce using the Hybris Commerce WCMS framework, and extending or creating new pages, widgets, etc. The stuff provided out-of-the-box in accelerators and extensions is very feature rich. Angular is already in there, if you know where to look.
Hybris Commerce also provides OCC (Omni Commerce Connect) REST API extension. REST endpoints are automatically generated at compile time. This is very mature, and has been the primary integration strategy for native mobile commerce apps and separate digital asset management (DAM) tools.
More ideas:
https://hybrismart.com/2016/09/03/angularjs-v-2-and-hybris/
The basis of Hybris is mostly spring mvc, so yes, you can use spring mvc annotations for mapping, mostly all the code in hybris is done using the spring standard, including autowiring, annotations and xml files.
Unlike ATG where you have formhandlers, droplets etc to deal with UI and backend connection, Hybris uses the facade design pattern. That is,
You have a facade layer that acts as a sort of barrier between your request handling logic and your service logic.
Therefore, variables used in the service layer (Model Objects) are not carried forward to the request handling layer and separate variables are used (Data Objects)
Regarding database, Hybris has its own ORM, and they are called as Models and items, the concept is similar to repositories in ATG. For example, to create a new item entry, add the same to an items.xml file, providing the name of the model, the table used for persisting and the various attributes (corresponding to the fields in the table). So when you run ant all for building your application, Hybris uses this mapping to create a model class for your item, this is basically a pojo class, that has getters and setters for all your attributes. So if you save a model object, you will be persisting the data in the database.
To query the data, there is a special query language called as flexible search,it is nearly same as sql but with a few syntax differences, so instead of querying tables, you query items, much like using RQL in ATG.
You can also access data using model objects.
Relations too can be created using items.
Hope this gives you a more clearer picture.
to Start with Hybris, you need to be good at java,jsp,html,css.
And framework such as Spring and Hibernate.
Last but not the least:you should good in any Query language,which helps you lot while coding in Hybris, because hybris have there own language called as Flexible Search Query.

Secure Spring REST Service using spring-security-oauth2 2.0.5.RELEASE

I have been searching for an example Spring Webservice which is being protected using oauth 2.0..
Looking around I found https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2 but there some files seems to be missing from the project.
Two things that I am looking for is :
When user authenticates, user name and password goes to /login.do , now I can not understand how this Servlet is being configured, if its not controller. web.xml is missing.
When I try to see how beans configured then applicationContext.xml is also missing. I am not able to find those files in order to see how things are configured.
Help Required :
Should I use annotation in order to configure my web service or xml configuration. I am willing to use the latest version, and leverage advanced configurations, for better security.
I have another Single page application ( HTML5 ) , which accesses data from this spring web service, which is being hosted on Google App Engine. My ultimate objective is to create a chrome plugin of (html5) pages and use my service from there..
Please suggest a better path so that I can achieve my objectives.
Best regards,
Shashank Pratap
Apologize for late reply.
1) Regarding Oauth2.0 implementation : Since GAE does not support Servlet 3.0 therefore, developer is restricted to servlet 2.5. Therefore I found that we are restricted to 1.0.5.RELEASE. I was able to configure it successfully.
Best Practice on GAE : Rather than following this approach, I would suggest others to use Google Endpoints. As it supports oauth2.0 as well as we can develop REST API relatively quickly.
Scale ability and Response time : Since I was using Spring dependency injection along with spring security, application responded slower than the combination of Google Endpoints and Google Juice, as juice does injection just in time, where as spring prepares everything as soon as new instance starts, which created problem for me.
2) Chrome Plugin is completely different story. :-)
Please correct if I am wrong.
Thanks,
Shashank Pratap

Document Management System

At the company I work for, we are developing a billing web application with Spring and Vaadin. The trouble is that the number of files to manage is becoming too large; bill,offers contract, etc. We currently store each document as a file on the server, but in this way it is too hard to manage them. This is tedious and error-prone, and it also means we lack any sort of security for accessing these documents.
Now, I'm looking a Document Management System to manage this document. I saw Alfresco Document Management, but I don't know how to integrate it with my application.
Any suggestions?
Alfresco has REST API, so you can use it in your Spring + Vaadin application. Spring has RestTemplate based on Jackson who will help you with REST client implementation.
There are several ways to integrate with alfresco. My two favorite ways to integrate with Alfresco are:
Using the CMIS api
http://wiki.alfresco.com/wiki/CMIS
Using your own custom webscripts or java back end webscripts. These allow you to quickly develop your own rest api with alfresco.
http://docs.alfresco.com/4.0/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Fconcepts%2Fws-architecture.html
There are many different ways to integrate. They have webdav, cifs, ftp, and several other ways to integrate. Here is some documentation from alfresco about it
http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Fconcepts%2Fintegration-options.html

Spring Security features

What security features does Spring provide that are not already provided by the Java EE specs?
In the Java EE specs we have:
A range of sevlet security options in the web.xml. Most people will configure basic or form based authentication. They link their Java EE application to an LDAP server - which stores users / groups. Request will be encrypted and come in over HTTPS.
Possibility to annotate any EJB and only allow certain roles execute certain methods
Ability to check user principle at runtime programmatically
So what security extras does Spring 3.0 give me?
Even if you just need some fairly simple authentication, Spring Security provides support for lots of simple but useful features (think of redirecting after logout, redirecting to login page on all URLs, remember-me). With Java EE you'll end up writing this yourself and - possibly - screwing up so you'll have an insecure app.
Spring Security works well with many standards/protocols/etc. out of the box (LDAP, JAAS, X.509). There's also more advanced stuff like SSO or ACLs. And if the standard functionality doesn't suit you, you can customize this fairly easily, often requiring just a little code.
What I also like is that it's fairly non-intrusive, your controller/action/… classes typically don't have to be involved.
That said, if you use it for the first time, it takes some time to set Spring Security up and get used to it.
(Finally, here's their own feature list: http://static.springsource.org/spring-security/site/features.html)
One killer Feature are ACLs!
#See: Spring Security Reference Chapter 17. Domain Object Security (ACLs)
And I have the feeling that Spring Security is much easier to customize. For example if you need a User Management where the User can self register and get some of this privileges limitedly and some others after this email address has been confirmed.

Resources