Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "BaSyx / Documentation / Components / AAS Server / Features / Authorization"
m (Adds link to overview) |
|||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
= Authorization = | = Authorization = | ||
| − | |||
| − | |||
| − | + | This feature enables AAS components user to secure the AAS & Submodels stored on the AAS Server component. This is one of the [[BaSyx_/_Documentation_/_Components_/_Security | security options]] available in the Java SDK V1 of BaSyx. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | This feature enables AAS components user to secure the AAS & Submodels stored on the AAS Server component. | + | |
== Feature Overview == | == Feature Overview == | ||
| Line 35: | Line 28: | ||
For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, it will still use the old properties in the context.properties. | For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, it will still use the old properties in the context.properties. | ||
| − | Further configurations for the authorization are done in the security.properties. | + | Further configurations for the authorization are done in the [[https://github.com/eclipse-basyx/basyx-java-components/blob/main/basyx.components/basyx.components.docker/basyx.components.AASServer/src/main/resources/security.properties security.properties]]. |
{| class="wikitable" | {| class="wikitable" | ||
| − | |||
| − | |||
! Property !! Possible values !! Description !! Default value | ! Property !! Possible values !! Description !! Default value | ||
|- | |- | ||
| Line 69: | Line 60: | ||
|} | |} | ||
| − | Also see [[BaSyx_/_Components_/_Security_/_Authorization]]. | + | Also see [[BaSyx_/_Documentation_/_Components_/_Security_/_Authorization]]. |
Latest revision as of 04:22, 15 September 2023
Authorization
This feature enables AAS components user to secure the AAS & Submodels stored on the AAS Server component. This is one of the security options available in the Java SDK V1 of BaSyx.
Feature Overview
The authorization is a basic implementation to enable only authorized requests for WRITE and READ operations for both the AAS and the submodels.
This implementation uses OAuth2 tokens and scopes, with the scopes being defined [for submodels] and [for the AAS].
As long as the token includes the respective scopes, an operation can be performed if the authorization is enabled.
An example for the authorization can be found in the scenario with Keycloak.
Feature Configuration
Authorization is disabled by default. Basic authorization can be configured in the aas.properties:
aas.authorization=Enabled aas.authorization=Disabled
[deprecated] The JWT connectivity can be configured in the context.properties, e.g. by
jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs jwtBearerTokenAuthenticationRequiredAud=basyx-demo
[new way] The new way to configure JWT validation is via the "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider" property in [security.properties] where a class can be provided that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, it will still use the old properties in the context.properties.
Further configurations for the authorization are done in the [security.properties].
| Property | Possible values | Description | Default value |
|---|---|---|---|
| aas.authorization | Disabled, Enabled | main switch for authorization features, when disabled, all the other fields won't be effective | Disabled |
| aas.authorization.strategy | GrantedAuthority, SimpleRbac | The basic authorization strategy, see section "Provided Authorization Strategies" | GrantedAuthority |
| aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider | <class> | The class responsible for providing a jwt bearer token authentication configuration, has to implement the IJwtBearerTokenAuthenticationConfigurationProvider interface | org.eclipse.basyx.components.aas.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider |
| aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl | <url> | base url for the keycloak | null |
| aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm | basyx-demo | realm in the keycloak | null |
| aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience | demo-client | optional audience the token is for | null |
| aas.authorization.strategy.simpleRbac.rulesFilePath | <file path> (json, see schema) | relative path to rbac rules for SimpleRbac strategy | /rbac_rules.json |
| aas.authorization.strategy.simpleRbac.subjectInformationProvider | <class> | class that provides the Authentication object for SimpleRbac strategy, has to implemented ISubjectInformationProvider | org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider |
| aas.authorization.strategy.simpleRbac.roleAuthenticator | <class> | class that extracts the roles from the Authentication object for SimpleRbac strategy, has to implement IRoleAuthenticator | org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator |
| aas.authorization.strategy.grantedAuthority.subjectInformationProvider | <class> | class that fetches the Authentication object for GrantedAuthority strategy, hsa to implement ISubjectInformationProvider | org.eclipse.basyx.extensions.shared.authorization.AuthenticationContextProvider |
| aas.authorization.strategy.grantedAuthority.grantedAuthorityAuthenticator | <class> | class that extracts the granted authorities from Authentication object for GrantedAuthority strategy, has to implement IGrantedAuthorityAuthenticator | org.eclipse.basyx.extensions.shared.authorization.AuthenticationGrantedAuthorityAuthenticator |
| aas.authorization.strategy.custom.authorizersProvider | <class> | class that provides the authorizers for AAS-Server/Registry respectively for custom strategy, must implement IAuthorizersProvider, thus 3rd party authorization logic can be dynamically loaded | |
| aas.authorization.strategy.custom.subjectInformationProvider | <class> | class that provides the subject information retrieval logic to go with the custom authorizers, must implement ISubjectInformationProvider |
Also see BaSyx_/_Documentation_/_Components_/_Security_/_Authorization.