
So I'm currently using the WebSecurityConfig proposed in ch4mpy's repository - or just the package spring-addons-webmvc-jwt-resource-server.

A controller can therefore be annotated following a classical RBAC pattern, as in the following small snippet:

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
// Method-level RBAC: only callers holding the ROOT authority reach this handler.
@GetMapping("/admin")
@PreAuthorize("hasAuthority('ROOT')")
public MessageDto isAdmin() {
    return new MessageDto("You are an admin!");
}
```

Now I'm looking to implement a mixed approach between RBAC and ABAC - sort of a hybrid, as in some situations an employee on the same level in a system might have access to one or two more endpoints than another employee (with the same job, e.g.)! Splitting the roles up hierarchically might be a choice if the hybrid solution turns out to be too complex.

I wasn't able to find anything of real significance on this issue (besides some outdated or over-complex solutions).

Can anyone help me implement this sort of hybrid using Keycloak as an authorization server?

J. M. Arnold
  • Could you clarify what the issue is? Did you get any error? You don't know how to set up a Keycloak server? Do you have an issue trying to add the conditions to secure your endpoint using RBAC and ABAC at the same time? I suggest reading [how to ask](https://stackoverflow.com/help/how-to-ask) and, if possible, providing a [minimal reproducible example](https://stackoverflow.com/help/minimal-reproducible-example). If you have more than one issue, make [one question per post](https://meta.stackoverflow.com/questions/275908/more-than-one-question-per-post) – Gastón Schabas Jul 02 '23 at 15:24
  • @GastónSchabas The issue is that I cannot find a way to verify/integrate an ABAC approach. I showed how I've done it with RBAC - and that my `WebSecurityConfig` is sufficient for handling incoming HTTP requests and verifying on a method basis that certain permissions are granted. What I cannot grasp is how one restricts a method based upon a "role" with Keycloak as an authorization server. – J. M. Arnold Jul 02 '23 at 20:36
  • The question [Use Keycloak Spring Adapter with Spring Boot 3](https://stackoverflow.com/questions/74571191/use-keycloak-spring-adapter-with-spring-boot-3) was answered by [ch4mp](https://stackoverflow.com/users/619830/ch4mp) detailing [how to set up Keycloak as an authorization server](https://stackoverflow.com/a/74572732/7214091). – Gastón Schabas Jul 03 '23 at 16:48
  • As mentioned, that works. I got a working authorization server, and the resource server is also properly configured to accept the roles / verify on a method basis if the requester has the appropriate role needed to access it. My question is: how can one verify granted permissions instead of roles? I.e., merging the implemented RBAC with a not-yet-implemented ABAC? – J. M. Arnold Jul 03 '23 at 18:05
  • You can [express authorization with SpEL](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#authorization-expressions). [SpEL supports logical operators](https://docs.spring.io/spring-framework/reference/core/expressions/language-ref/operators.html#expressions-operators-logical). With that, you have different [auth expressions](https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#using-authorization-expression-fields-and-methods) such as `hasAuthority`, `hasPermission` and others. – Gastón Schabas Jul 03 '23 at 22:39
  • If my previous comment doesn't help, please edit your post to show more details, such as the requests, the expected behavior, the actual behavior, etc. Maybe you could share what works separately but doesn't work when mixed – Gastón Schabas Jul 03 '23 at 22:42
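One way to combine the existing role check with a claim-based (attribute) check in a single SpEL expression, along the lines the comments above suggest. This is an added example, not code from the question or from spring-addons; it assumes a standard Spring Boot 3 resource server that exposes the Keycloak access token as a Spring Security `Jwt` principal, a Keycloak protocol mapper that writes a `permissions` claim into that token, and the `abac` bean name, the `EMPLOYEE` authority and the `/reports` endpoint are all invented for illustration.

```java
import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * ABAC helper referenced from SpEL as @abac (bean name is an assumption).
 * It reads the "permissions" claim that Keycloak is assumed to add to the
 * access token, e.g. via a user-attribute protocol mapper.
 */
@Component("abac")
public class AbacChecks {

    /** True only if the caller's JWT lists the requested permission; deny by default. */
    public boolean hasPermission(Authentication auth, String permission) {
        if (auth == null || !(auth.getPrincipal() instanceof Jwt jwt)) {
            return false;                        // no JWT principal: never grant
        }
        List<String> granted = jwt.getClaimAsStringList("permissions");
        return granted != null && granted.contains(permission);
    }
}

/** Hybrid RBAC + ABAC: ROOT always passes; EMPLOYEE passes only with the matching attribute. */
@RestController
class ReportController {

    @GetMapping("/reports")
    @PreAuthorize("hasAuthority('ROOT') or "
            + "(hasAuthority('EMPLOYEE') and @abac.hasPermission(authentication, 'reports:read'))")
    public MessageDto reports() {
        return new MessageDto("Here are the reports.");
    }
}

/** Same DTO shape as in the question (assumed to be a simple record). */
record MessageDto(String message) {}
```

Two employees with the same `EMPLOYEE` role then differ only by the `permissions` claim Keycloak issues for each user, which keeps the role hierarchy flat while still gating individual endpoints.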

0 Answers