Authorization

This feature lets users of the registry component secure the registry and the descriptors it stores on the Registry Server component. It is one of the security options available in the Java SDK V1 of BaSyx.

Feature Overview

A worked example of the authorization setup can be found in the scenario with Keycloak.

Feature Configuration

Authorization is disabled by default. The main switch is set in registry.properties and takes one of two values:

registry.authorization=Enabled
registry.authorization=Disabled   (default)

Deprecated: the JWT validation settings (token issuer, JWK set used to check the signature, required audience) can be configured in context.properties, e.g. by

jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo
jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs
jwtBearerTokenAuthenticationRequiredAud=basyx-demo

New way: JWT validation is configured via the registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider property in security.properties, which names a class that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. For the default behavior, uncomment that property line in security.properties. While the line is commented out, the old properties from context.properties are still used.

All further authorization settings are made in security.properties. The properties are listed below with their possible values, description and default value.

registry.authorization
  Possible values: Disabled, Enabled
  Description: main switch for the authorization features; when disabled, none of the other properties take effect
  Default: Disabled

registry.authorization.strategy
  Possible values: GrantedAuthority, SimpleRbac
  Description: the basic authorization strategy, see section "Provided Authorization Strategies"
  Default: GrantedAuthority

registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider
  Possible values: <class>
  Description: the class responsible for providing a JWT bearer token authentication configuration; has to implement the IJwtBearerTokenAuthenticationConfigurationProvider interface
  Default: org.eclipse.basyx.components.registry.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider

registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl
  Possible values: <url>
  Description: base URL of the Keycloak server
  Default: null

registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm
  Possible values: e.g. basyx-demo
  Description: realm in Keycloak
  Default: null

registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience
  Possible values: e.g. demo-client
  Description: optional audience the token must be issued for
  Default: null

registry.authorization.strategy.simpleRbac.rulesFilePath
  Possible values: <file path> (JSON, see schema)
  Description: relative path to the RBAC rules for the SimpleRbac strategy
  Default: /rbac_rules.json

registry.authorization.strategy.simpleRbac.subjectInformationProvider
  Possible values: <class>
  Description: class that provides the Authentication object for the SimpleRbac strategy; has to implement ISubjectInformationProvider
  Default: org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider

registry.authorization.strategy.simpleRbac.roleAuthenticator
  Possible values: <class>
  Description: class that extracts the roles from the Authentication object for the SimpleRbac strategy; has to implement IRoleAuthenticator
  Default: org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator

registry.authorization.strategy.grantedAuthority.subjectInformationProvider
  Possible values: <class>
  Description: class that fetches the Authentication object for the GrantedAuthority strategy; has to implement ISubjectInformationProvider
  Default: org.eclipse.basyx.extensions.shared.authorization.AuthenticationContextProvider

registry.authorization.strategy.grantedAuthority.grantedAuthorityAuthenticator
  Possible values: <class>
  Description: class that extracts the granted authorities from the Authentication object for the GrantedAuthority strategy; has to implement IGrantedAuthorityAuthenticator
  Default: org.eclipse.basyx.extensions.shared.authorization.AuthenticationGrantedAuthorityAuthenticator

registry.authorization.strategy.custom.authorizersProvider
  Possible values: <class>
  Description: class that provides the authorizers for the Registry in the custom strategy; must implement IAuthorizersProvider, so that third-party authorization logic can be loaded dynamically
  Default: none

registry.authorization.strategy.custom.subjectInformationProvider
  Possible values: <class>
  Description: class that provides the subject information retrieval logic to go with the custom authorizers; must implement ISubjectInformationProvider
  Default: none
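The following is an added example of how the properties above fit together for a registry that validates Keycloak-issued tokens and decides access with the SimpleRbac strategy. It is not taken from the BaSyx project or its documentation. The Keycloak base URL is derived from the deprecated issuer URI shown earlier (issuer = serverUrl + /realms/ + realm) and, like the realm, audience and rules-file path, is a placeholder for a local deployment; the class names are the defaults from the table.

```properties
# --- registry.properties (added example, not BaSyx project code) ---
# Main switch. The shipped default is Disabled, which leaves every
# registry endpoint reachable without a token; nothing in
# security.properties takes effect until this is Enabled.
registry.authorization=Enabled

# --- security.properties (added example, not BaSyx project code) ---
# Decide access from roles carried in the JWT rather than from
# Spring GrantedAuthority objects.
registry.authorization.strategy=SimpleRbac

# Uncommented so the new provider is used instead of the deprecated
# jwtBearerTokenAuthentication* keys in context.properties.
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider=org.eclipse.basyx.components.registry.authorization.KeycloakJwtBearerTokenAuthenticationConfigurationProvider

# Assumed local Keycloak: base URL + "/realms/" + realm must equal the
# issuer claim ("iss") of the tokens the registry receives. Plain http is
# only acceptable on a developer machine; use https elsewhere, otherwise
# the JWK set the signature check depends on is fetched unauthenticated.
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.serverUrl=http://127.0.0.1:9006/auth
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.realm=basyx-demo

# Optional per the table, but set it: without it the registry does not
# require the token to have been issued for this client, so tokens minted
# for any other client in the same realm are accepted as well.
registry.authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider.keycloak.audience=demo-client

# SimpleRbac wiring: rules file (path relative to the registry's working
# directory, placeholder name), JWT-based subject information and the
# Keycloak role extractor.
registry.authorization.strategy.simpleRbac.rulesFilePath=/rbac_rules.json
registry.authorization.strategy.simpleRbac.subjectInformationProvider=org.eclipse.basyx.extensions.shared.authorization.JWTAuthenticationContextProvider
registry.authorization.strategy.simpleRbac.roleAuthenticator=org.eclipse.basyx.extensions.shared.authorization.KeycloakRoleAuthenticator
```

After changing either file, restart the registry component and check that a request without a bearer token is rejected before relying on the rules file; if the registry still answers anonymously, the most common causes are registry.authorization left at Disabled or the provider line in security.properties still commented out, in which case the deprecated context.properties keys are being used.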

Also see Authorization.