BaSyx / Documentation / Components / Registry / Features / Authorization
Authorization
This feature enables AAS components user to secure the AAS & Submodels descriptors stored on the AAS Registry component.
Feature Overview
An example for the authorization can be found in the scenario with Keycloak.
Feature Configuration
Authorization is disabled by default. Basic authorization can be configured in the aas.properties:
aas.authorization=Enabled aas.authorization=Disabled
[deprecated] The JWT connectivity can be configured in the context.properties, e.g. by
jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs jwtBearerTokenAuthenticationRequiredAud=basyx-demo
[new way] The new way to configure JWT validation is via the "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider" property in [security.properties] where a class can be provided that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, it will still use the old properties in the context.properties.
Further configurations for the authorization are done in the [security.properties].
| Property | Possible values | Description | Default value |
|---|---|---|---|
| registry.authorization | Disabled, Enabled | main switch for authorization features, when disabled, all the other fields won't be effective | Disabled |
| registry.authorization.strategy | GrantedAuthority, SimpleRbac | The basic authorization strategy, see section "Provided Authorization Strategies" | GrantedAuthority |
| registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider | <class> | The class responsible for providing a jwt bearer token authentication configuration, has to implement the IJwtBearerTokenAuthenticationConfigurationProvider interface | org.eclipse.basyx.components.aas.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider |
| registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl | <url> | base url for the keycloak | null |
| registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm | basyx-demo | realm in the keycloak | null |
| registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience | demo-client | optional audience the token is for | null |
| registry.authorization.strategy.simpleRbac.rulesFilePath | <file path> (json, see schema) | relative path to rbac rules for SimpleRbac strategy | /rbac_rules.json |
| registry.authorization.strategy.simpleRbac.subjectInformationProvider | <class> | class that provides the Authentication object for SimpleRbac strategy, has to implemented ISubjectInformationProvider | org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider |
| registry.authorization.strategy.simpleRbac.roleAuthenticator | <class> | class that extracts the roles from the Authentication object for SimpleRbac strategy, has to implement IRoleAuthenticator | org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator |
| registry.authorization.strategy.grantedAuthority.subjectInformationProvider | <class> | class that fetches the Authentication object for GrantedAuthority strategy, hsa to implement ISubjectInformationProvider | org.eclipse.basyx.extensions.shared.authorization.AuthenticationContextProvider |
| registry.authorization.strategy.grantedAuthority.grantedAuthorityAuthenticator | <class> | class that extracts the granted authorities from Authentication object for GrantedAuthority strategy, has to implement IGrantedAuthorityAuthenticator | org.eclipse.basyx.extensions.shared.authorization.AuthenticationGrantedAuthorityAuthenticator |
| registry.authorization.strategy.custom.authorizersProvider | <class> | class that provides the authorizers for AAS-Server/Registry respectively for custom strategy, must implement IAuthorizersProvider, thus 3rd party authorization logic can be dynamically loaded | |
| registry.authorization.strategy.custom.subjectInformationProvider | <class> | class that provides the subject information retrieval logic to go with the custom authorizers, must implement ISubjectInformationProvider |
Also see BaSyx_/_Documentation_/_Components_/_Security_/_Authorization.