Skip to main content

Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: for the plan.

Jump to: navigation, search

BaSyx / Documentation / Components / Registry / Features / Authorization


This feature enables AAS components user to secure the AAS & Submodels descriptors stored on the AAS Registry component. This is one of the security options available in the Java SDK V1 of BaSyx.

Feature Overview

An example for the authorization can be found in the scenario with Keycloak.

Feature Configuration

Authorization is disabled by default. Basic authorization can be configured in the


[deprecated] The JWT connectivity can be configured in the, e.g. by


[new way] The new way to configure JWT validation is via the "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider" property in [] where a class can be provided that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. For the default behavior, uncomment the property line in the file. While the line is commented out, it will still use the old properties in the

Further configurations for the authorization are done in the [].

Property Possible values Description Default value
registry.authorization Disabled, Enabled main switch for authorization features, when disabled, all the other fields won't be effective Disabled
registry.authorization.strategy GrantedAuthority, SimpleRbac The basic authorization strategy, see section "Provided Authorization Strategies" GrantedAuthority
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider <class> The class responsible for providing a jwt bearer token authentication configuration, has to implement the IJwtBearerTokenAuthenticationConfigurationProvider interface org.eclipse.basyx.components.aas.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl <url> base url for the keycloak null
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm basyx-demo realm in the keycloak null
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience demo-client optional audience the token is for null
registry.authorization.strategy.simpleRbac.rulesFilePath <file path> (json, see schema) relative path to rbac rules for SimpleRbac strategy /rbac_rules.json
registry.authorization.strategy.simpleRbac.subjectInformationProvider <class> class that provides the Authentication object for SimpleRbac strategy, has to implemented ISubjectInformationProvider org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider
registry.authorization.strategy.simpleRbac.roleAuthenticator <class> class that extracts the roles from the Authentication object for SimpleRbac strategy, has to implement IRoleAuthenticator org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator
registry.authorization.strategy.grantedAuthority.subjectInformationProvider <class> class that fetches the Authentication object for GrantedAuthority strategy, hsa to implement ISubjectInformationProvider org.eclipse.basyx.extensions.shared.authorization.AuthenticationContextProvider
registry.authorization.strategy.grantedAuthority.grantedAuthorityAuthenticator <class> class that extracts the granted authorities from Authentication object for GrantedAuthority strategy, has to implement IGrantedAuthorityAuthenticator org.eclipse.basyx.extensions.shared.authorization.AuthenticationGrantedAuthorityAuthenticator
registry.authorization.strategy.custom.authorizersProvider <class> class that provides the authorizers for AAS-Server/Registry respectively for custom strategy, must implement IAuthorizersProvider, thus 3rd party authorization logic can be dynamically loaded
registry.authorization.strategy.custom.subjectInformationProvider <class> class that provides the subject information retrieval logic to go with the custom authorizers, must implement ISubjectInformationProvider

Also see BaSyx_/_Documentation_/_Components_/_Security_/_Authorization.

Back to the top