Version: 1.16

Security starter

Purpose

This starter enables security feature.

Configuration

Add starter dependency to your POM (version depends on the REGARDS BOM)

<dependency>
  <groupId>fr.cnes.regards.framework</groupId>
  <artifactId>security-regards-starter</artifactId>
</dependency>

Business dependency

<dependency>
  <groupId>fr.cnes.regards.framework</groupId>
  <artifactId>security-regards</artifactId>
</dependency>

Business dependency just containing security annotation and roles.

<dependency>
  <groupId>fr.cnes.regards.framework</groupId>
  <artifactId>security-config</artifactId>
</dependency>

Dependency :

# Authorize system to access all endpoints
regards.security.system.voter.enabled=true

# Authorize instance admin to access all endpoints
regards.security.instance.voter.enabled=true

# Authorize project admin to access all endpoints
regards.security.project.admin.voter.enabled=true

# JSON Web Token secret key
jwt.secret=

Autoconfiguration

Security starter overrides IRuntimeTenantResolver (Multitenant starter and IAuthenticationResolver (Authentication starter) default behavior to a thread safe implementation based on JWT authentification.

It autoconfigures :

An authorization service based on a REST endpoint collector IAuthoritiesProvider you have to override.
An authentication provider to retrieve authentication properties from JWT.
A set of access voter to grant or deny accesses.

How to

How to secure endpoints

If this starter is on your classpath, all REST enpoint accesses is intercepted by starter security filter. Access is granted or denied according to custom endpoint configuration.

At the beginning, all endpoints have to declare a default access level that can be changed dynamically.

To do this, annotate your endpoints with ResourceAccess as below :

@RestController
@RequestMapping("/hello")
public class HelloController {

    @ResourceAccess(description = "Say hello!", role = DefaultRole.PUBLIC)
    @RequestMapping(method = RequestMethod.GET, value = "/{name}")
    public ResponseEntity<String> sayHello(@PathVariable("name") String name) {
        return ResponseEntity.ok(String.format("Hello %s!", name));
    }

By default, all client will have granted access to this PUBLIC endpoint.

REGARDS manages five hierarchical default roles :

INSTANCE_ADMIN, a cross tenant role with very specific behaviour. Endpoints with this level of access cannot be changed and are hidden from tenant users.
PROJECT_ADMIN (default annotation role) only grant access to the tenant (i.e. project) main administrator(s). If voter is enabled, user with this role will have full access to all endpoints regardless the project access configuration.
ADMIN (tenant dependant),
REGISTERED_USER (tenant dependant),
PUBLIC (tenant dependant).

Json Web Token (JWT)

This starter depends on JWT authentication token.

To be able to decrypt the JWT :

Token has to be provided in a bearer authentication scheme,
And has to be generated with starter service JWTService that can be found in fr.cnes.regards.framework.security-regards module or artifact.

How to retrieve all default endpoint access configuration

Starter exposes a REST API.

GET /security/resources

Purpose​

Configuration​

Autoconfiguration​

How to​

How to secure endpoints​

Json Web Token (JWT)​

How to retrieve all default endpoint access configuration​