
I'm going to secure my Spring Cloud Application with OAuth2 and XACML (using AuthZForce, Balana, AT&T XACML or something similar).

I want to use the microservices from Spring-Cloud(-Netflix). To make XACML available, I think I need the following:

  1. A PEP for each existing API service.
  2. PDPs as new services that are used by the PEPs. Because Spring-Cloud(-Netflix) has load-balancing functions (Eureka), I need to register these services on Eureka and implement a REST API.
  3. Because all PDPs should use the same policies, they need to be stored centrally (Policy Provider).

Which framework is most suitable for this approach?

Update 1: It should be possible with AuthZForce (according to the feature description), but I'm not really sure how (there is no detailed documentation or tutorial).

cdan
benkuly

1 Answer


I don't know all the frameworks equally well, so I cannot give an objective answer as to which framework is most suitable. But I can give an answer for AuthzForce.

For the PDP part, you can use AuthzForce Core as a Java library. The wiki gives information about Policy Providers and how to add your own to the framework if necessary. There is one mentioned there that gets policies from a MongoDB database. Note that if you want PDPs to use the same policies, central storage is one solution, but another is to use replication/synchronization. For example, if you use the Policy Provider that supports getting policies from the local filesystem, a decentralized cluster synchronization tool like csync2 can do the job without a single point of failure.

Besides, you may be interested in AuthzForce Server, which provides a multi-tenant REST API for both PDP and PAP (policy administration) in compliance with the XACML REST profile (for the PDP part). It is probably overkill if you only need PDPs, but it may be worth looking at if your requirements go in that direction.

For the PEP part, you can reuse authzforce-ce-xacml-model (and dependencies) available on Maven Central (groupId=org.ow2.authzforce, artifactId=authzforce-ce-xacml-model) to manipulate the XACML Requests/Responses exchanged with your PDPs' REST API. This contains mostly the JAXB-annotated classes derived from the XACML schema, plus Enums for standard XACML identifiers: categories, attributes, data types, etc.

cdan
  • Thanks for the answer and for adding a wiki to the Core repo. I will give AuthZForce another chance and will accept this answer if I get it to work. – benkuly Jul 02 '17 at 12:19
  • Okay. AuthZForce Core doesn't provide OASIS XACML JSON Profile v1.0, so it is unfortunately not suitable for me. Sorry :( If Core at least gets support for the REST profile it could change my mind, but currently I miss this feature. – benkuly Jul 02 '17 at 16:29
  • If you need JSON support and REST Profile – cdan Jul 04 '17 at 20:03
  • ..., AuthzForce Core is not enough indeed, but AuthzForce Server is. Supports XML/JSON (and FI) on its REST API. It does not support JSON as specified by XACML JSON Profile, but using the 'mapped' convention which is more generic since it applies to any existing XML model, and natively supported by web service frameworks such as [Apache CXF](http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-Jettison) (so no XACML-specific JSON profile implementation is required). – cdan Jul 04 '17 at 20:25
  • AuthzForce Core and Server now both support JSON Profile of XACML. AuthzForce also provides a minimal [RESTful PDP](https://github.com/authzforce/restful-pdp) based on the Core, either packaged as a Spring-boot app, or simply the JAX-RS implementation for reuse in any JAX-RS framework. – cdan Feb 26 '18 at 20:34
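As an added illustration of the PEP side described in the answer (and of the JSON Profile support mentioned in the last comment), here is a minimal enforcement point in plain Java. It is not code from the question, the answer or the AuthzForce project. It builds a XACML 3.0 JSON Profile request from the calling subject, the resource and the action, POSTs it to a PDP that exposes the XACML REST profile, and grants access only on an explicit `Permit` carried by exactly one `Result`; any transport error, non-200 status or other decision is treated as Deny (fail closed). The PDP URL, the `pdp-service` name and the sample subject/resource values are assumptions; in the asker's Spring Cloud setup the URL would be resolved through Eureka rather than hard-coded, and the PDP's actual path depends on the implementation (AuthzForce Server uses a per-domain path, the RESTful PDP its own).

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Minimal Policy Enforcement Point (PEP) for one API service (added example, not project code).
 * Turns (subject, resource, action) into a XACML 3.0 JSON Profile request, POSTs it to a PDP
 * implementing the XACML REST profile, and fails closed: only one explicit "Permit" grants access.
 */
public final class XacmlPep {

    // Standard XACML 3.0 attribute identifiers from the core specification
    static final String SUBJECT_ID  = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    static final String ACTION_ID   = "urn:oasis:names:tc:xacml:1.0:action:action-id";

    // The four decision values defined by the XACML JSON Profile
    private static final Pattern DECISION =
        Pattern.compile("\"Decision\"\\s*:\\s*\"(Permit|Deny|NotApplicable|Indeterminate)\"");

    private final HttpClient http = HttpClient.newBuilder()
        .connectTimeout(Duration.ofSeconds(2))
        .build();
    private final URI pdpEndpoint;   // assumption: PDP location, normally resolved via Eureka

    public XacmlPep(URI pdpEndpoint) {
        this.pdpEndpoint = pdpEndpoint;
    }

    /** True only if the PDP answered with a single Permit; any error or other decision denies. */
    public boolean isPermitted(String subjectId, String resourceId, String actionId) {
        HttpRequest req = HttpRequest.newBuilder(pdpEndpoint)
            .timeout(Duration.ofSeconds(3))
            .header("Content-Type", "application/xacml+json")
            .header("Accept", "application/xacml+json")
            .POST(HttpRequest.BodyPublishers.ofString(
                buildRequest(subjectId, resourceId, actionId), StandardCharsets.UTF_8))
            .build();
        try {
            HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() != 200) {
                return false;                  // PDP down or misconfigured: fail closed
            }
            return "Permit".equals(decisionOf(resp.body()));
        } catch (Exception e) {                // timeout, connection refused, interrupt: fail closed
            return false;
        }
    }

    /** XACML JSON Profile request with one subject, one resource and one action attribute. */
    static String buildRequest(String subjectId, String resourceId, String actionId) {
        return "{\"Request\":{"
            + "\"ReturnPolicyIdList\":false,"
            + "\"AccessSubject\":[{\"Attribute\":[" + attribute(SUBJECT_ID, subjectId) + "]}],"
            + "\"Resource\":[{\"Attribute\":[" + attribute(RESOURCE_ID, resourceId) + "]}],"
            + "\"Action\":[{\"Attribute\":[" + attribute(ACTION_ID, actionId) + "]}]"
            + "}}";
    }

    private static String attribute(String id, String value) {
        return "{\"AttributeId\":" + quote(id) + ",\"Value\":" + quote(value) + "}";
    }

    /** Decision of a response carrying exactly one Result; null otherwise (caller treats as Deny). */
    static String decisionOf(String responseBody) {
        Matcher m = DECISION.matcher(responseBody);
        if (!m.find()) return null;
        String decision = m.group(1);
        return m.find() ? null : decision;    // a second Result is unexpected for a single request
    }

    /** JSON string literal with quotes, backslashes and control characters escaped, so a
     *  caller-controlled value (e.g. a resource id taken from the URL) cannot alter the request. */
    static String quote(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    public static void main(String[] args) {
        // Hypothetical endpoint; with Eureka the host would be a service name such as "pdp-service"
        XacmlPep pep = new XacmlPep(URI.create("http://localhost:8080/pdp"));
        System.out.println(XacmlPep.buildRequest("alice", "/orders/42", "GET"));   // constructed sample values
        System.out.println(pep.isPermitted("alice", "/orders/42", "GET") ? "Permit" : "Deny (or PDP error)");
    }
}
```

In a Spring Cloud service this class would sit behind a servlet filter or a Spring Security `AccessDecisionVoter`, with the subject id taken from the validated OAuth2 token rather than from the client. The two points worth keeping from the example are the fail-closed handling of every non-Permit outcome and the escaping of values before they enter the authorization request; a PEP that builds the request by naive string concatenation lets a crafted resource path change the question asked of the PDP.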