OPA Spring Security Library
OPA Spring Security is a library that enables using OPA for authorization in Spring applications.
Installation
Prerequisites
- Java 11 or higher
Using the starter
Add dependency using Maven
<dependency>
<groupId>com.bisnode.opa</groupId>
<artifactId>opa-filter-spring-boot-starter</artifactId>
<version>{version}</version>
</dependency>or Gradle
implementation 'com.bisnode.opa:opa-filter-spring-boot-starter:{version}'Configuration
All properties are prefixed with opa.filter
| Property | Default value | Description | Example |
|---|---|---|---|
enabled |
true |
Whether the filter should be enabled | |
documentPath |
Name of OPA document path to use for queries | "http/request/authz" | |
instance |
http://localhost:8181 |
Address of OPA instance | |
endpointsWhitelist |
Comma-separated list of ant patterns to use for matching whitelisted endpoints | /ping,/info,/api-docs/** |
Policy requirements
Currently, the filter sends following information to OPA:
path- path of the resource, that's being requested, e.g./messages/2method- HTTP method, e.g.GETencodedJwt- encoded token from authorization (if found,nullotherwise)
Those properties are available in your policy's input.
Your OPA policy response should contain following properties:
allow- with valuetrueif to requested resource should be allowed.falseotherwisereason- an optional string containing reason behind given accessDecision, it will be supplied to exception message
Unknown properties are ignored.
Example OPA response would look as follows:
{ "result": { "allow": false, "reason": "You shall not pass" } }
Published events
When library denies access to the resource, AuthorizationFailureEvent is published and therefore can be used in user's code.
Developing and building
Build process and dependency management is done using Gradle. Tests are written in Spock.
Contribution
Interested in contributing? Please, start by reading this document.