Authorization

This feature enables users of the AAS components to secure the AAS and Submodels stored on the AAS Server component. It is one of the security options available in the Java SDK V1 of BaSyx.

Feature Overview

The authorization is a basic implementation that admits only authorized requests for WRITE and READ operations on both the AAS and the submodels. It uses OAuth2 tokens and scopes, with the scopes being defined [for submodels] and [for the AAS]. When authorization is enabled, an operation can be performed only if the token includes the respective scope.

An example for the authorization can be found in the scenario with Keycloak.
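The checks described above, as an added illustration that is not part of BaSyx or this page: a server accepting a bearer token validates the signature, the issuer, the audience and the expiry before it even looks at the scopes, and then maps the requested operation (READ or WRITE) to the scope the token must carry. BaSyx does this with RS256 tokens validated against the Keycloak JWK set; to stay self-contained this example uses an HS256 token signed with a constructed key instead, and the scope names `aas:read` / `aas:write` are assumed placeholders rather than BaSyx's actual scope identifiers. The issuer and audience values are taken from the context.properties example on this page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Values the AAS Server takes from its JWT configuration (see context.properties above).
ISSUER = "http://127.0.0.1:9006/auth/realms/basyx-demo"
REQUIRED_AUD = "basyx-demo"

# Constructed for this example: a shared HMAC key stands in for the Keycloak JWK set.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Assumed placeholder scope names; BaSyx defines its own scope identifiers.
SCOPE_FOR_OPERATION = {"READ": "aas:read", "WRITE": "aas:write"}


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 JWT for testing, i.e. what the identity provider would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Validate algorithm, signature, issuer, audience and expiry; return the claims.

    Raises ValueError on any failure so the caller cannot accidentally use a
    partially validated token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: rejects 'none' and confusion attacks
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:  # jwtBearerTokenAuthenticationIssuerUri
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if REQUIRED_AUD not in aud:  # jwtBearerTokenAuthenticationRequiredAud
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def authorize(token: str, operation: str, now: Optional[float] = None) -> bool:
    """True only if the token validates and carries the scope for READ or WRITE."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    granted = set(claims.get("scope", "").split())
    return SCOPE_FOR_OPERATION[operation] in granted


if __name__ == "__main__":
    token = mint_token({"iss": ISSUER, "aud": REQUIRED_AUD, "exp": time.time() + 60,
                        "scope": "aas:read"})
    print("READ :", authorize(token, "READ"))    # True
    print("WRITE:", authorize(token, "WRITE"))   # False: scope not granted
```

The order matters: scope checks are only meaningful after the signature, issuer and audience have been verified, which is why `authorize` never inspects `scope` on a token that failed `verify_token`. A token with the right scopes but minted for another realm or another audience is rejected before the scopes are read.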

Feature Configuration

Authorization is disabled by default. Basic authorization can be configured in the aas.properties:

aas.authorization=Enabled
aas.authorization=Disabled

[deprecated] The JWT connectivity can be configured in the context.properties, e.g. by

jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo
jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs
jwtBearerTokenAuthenticationRequiredAud=basyx-demo

[new way] The new way to configure JWT validation is via the “authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider” property in [security.properties], which names a class that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, the old properties in the context.properties are still used.

Further configurations for the authorization are done in the [security.properties].

aas.authorization
  Possible values: Disabled, Enabled
  Description: Main switch for the authorization features; when disabled, none of the other fields take effect.
  Default value: Disabled

aas.authorization.strategy
  Possible values: GrantedAuthority, SimpleRbac
  Description: The basic authorization strategy, see section “Provided Authorization Strategies”.
  Default value: GrantedAuthority

aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider
  Possible values: <class>
  Description: The class responsible for providing a JWT bearer token authentication configuration; has to implement the IJwtBearerTokenAuthenticationConfigurationProvider interface.
  Default value: org.eclipse.basyx.components.aas.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider

aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl
  Possible values: <url>
  Description: Base URL of the Keycloak server.
  Default value: null

aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm
  Possible values: e.g. basyx-demo
  Description: Realm in Keycloak.
  Default value: null

aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience
  Possible values: e.g. demo-client
  Description: Optional audience the token is for.
  Default value: null

aas.authorization.strategy.simpleRbac.rulesFilePath
  Possible values: <file path> (json, see schema)
  Description: Relative path to the RBAC rules for the SimpleRbac strategy.
  Default value: /rbac_rules.json

aas.authorization.strategy.simpleRbac.subjectInformationProvider
  Possible values: <class>
  Description: Class that provides the Authentication object for the SimpleRbac strategy; has to implement ISubjectInformationProvider.
  Default value: org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider

aas.authorization.strategy.simpleRbac.roleAuthenticator
  Possible values: <class>
  Description: Class that extracts the roles from the Authentication object for the SimpleRbac strategy; has to implement IRoleAuthenticator.
  Default value: org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator

aas.authorization.strategy.grantedAuthority.subjectInformationProvider
  Possible values: <class>
  Description: Class that fetches the Authentication object for the GrantedAuthority strategy; has to implement ISubjectInformationProvider.
  Default value: org.eclipse.basyx.extensions.shared.authorization.AuthenticationContextProvider

aas.authorization.strategy.grantedAuthority.grantedAuthorityAuthenticator
  Possible values: <class>
  Description: Class that extracts the granted authorities from the Authentication object for the GrantedAuthority strategy; has to implement IGrantedAuthorityAuthenticator.
  Default value: org.eclipse.basyx.extensions.shared.authorization.AuthenticationGrantedAuthorityAuthenticator

aas.authorization.strategy.custom.authorizersProvider
  Possible values: <class>
  Description: Class that provides the authorizers for the AAS-Server or Registry respectively for the custom strategy; must implement IAuthorizersProvider, so that third-party authorization logic can be loaded dynamically.

aas.authorization.strategy.custom.subjectInformationProvider
  Possible values: <class>
  Description: Class that provides the subject information retrieval logic to go with the custom authorizers; must implement ISubjectInformationProvider.
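A complete configuration assembled from the properties above, added here as an example and not taken from the BaSyx distribution. It shows the one mistake that silently disables everything: the strategy and Keycloak settings in security.properties have no effect unless the main switch in aas.properties is set to Enabled. The property names and defaults are those listed above; the Keycloak base URL is assumed from the deprecated issuer URI example on this page, and the realm and audience values are the page's own example values.

```properties
# aas.properties
# Weak setting: everything below in security.properties is ignored while this is Disabled.
# aas.authorization=Disabled
# Corrected setting: the main switch must be on for any strategy to be enforced.
aas.authorization=Enabled

# security.properties
aas.authorization.strategy=GrantedAuthority

# Uncomment to validate JWTs via the Keycloak provider instead of the deprecated
# jwtBearerTokenAuthentication* keys in context.properties.
aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider=org.eclipse.basyx.components.aas.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider
# Assumed base URL, derived from the issuer URI http://127.0.0.1:9006/auth/realms/basyx-demo
aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl=http://127.0.0.1:9006/auth
aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm=basyx-demo
# Optional: when set, tokens issued for any other audience are rejected.
aas.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience=demo-client

# Only needed when aas.authorization.strategy=SimpleRbac (defaults shown).
# aas.authorization.strategy.simpleRbac.rulesFilePath=/rbac_rules.json
# aas.authorization.strategy.simpleRbac.subjectInformationProvider=org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider
# aas.authorization.strategy.simpleRbac.roleAuthenticator=org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator
```

When switching from the context.properties keys to this provider, keep the audience set: without it any token from the realm is accepted regardless of which client it was issued to.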

Also see Authorization.