Spring Security ships with role-based access control, but it has no built-in policy-based (attribute-based, XACML-style) authorization. These slides demonstrate an SDK that adds policy-based authorization to a Spring application, together with SAML2 single sign-on and single logout against WSO2 Identity Server.
3. SAML2 Single Sign-On (SSO)
Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials.
4. Single Log-Out (SLO)
With single logout, a user logs out from one application and is automatically logged out from all connected applications.
Front-channel SLO propagates the logout through the user's browser (redirect or POST bindings), so it only reaches sessions the browser is still able to carry; back-channel SLO is a direct request from the identity provider to the service provider (SOAP binding) and does not depend on the browser.
[Diagram: the Spring App and Service Provider-A are logged out over the front channel; Service Provider-B is logged out over the back channel]
5. Prerequisites
1. Configure the Spring SAML service provider (https://docs.spring.io/autorepo/docs/spring-security-saml/1.0.x-SNAPSHOT/reference/htmlsingle/) and register it in WSO2 Identity Server
a. SSO (https://docs.wso2.com/display/IS570/Configuring+Single+Sign-On)
i. Issuer ID: com:rnavagamuwa:springsecurity
ii. Assertion consumer URL: http://localhost:8080/saml/SSO
b. SLO (https://docs.wso2.com/display/IS570/Configuring+Single+Sign-On)
i. SLO response URL: http://localhost:8080/saml/SingleLogout
ii. SLO request URL: http://localhost:8080/saml/SingleLogout
2. Publish the sample XACML policy from the policy administration point (PAP) to the policy decision point (PDP) (https://docs.wso2.com/display/IS570/Publishing+a+XACML+Policy)
a. Sample policy file: https://github.com/rnavagamuwa/spring-security-abac/blob/master/sample/src/main/resources/xacmlPolicy.xml
3. Enable mutual TLS so the Spring application can authenticate to the Identity Server REST APIs it calls for policy decisions (https://docs.wso2.com/display/IS570/Authenticating+and+Authorizing+REST+APIs)
8. XACML Request Templating
Each attribute in the template is resolved from the incoming HTTP request by naming its source:
• Headers
– Pass the value as “header.{name}”
• Query params
– Pass the value as “queryParam.{name}”
• Path params
– Pass the value as “pathParam.{name}”
• Form data
– Pass the value as “formData.{name}”
• Cookies
– Pass the value as “cookie.{name}”

```java
// actionid is taken from the "action-id" request header, resourceid from the "resource-id" header
@PreAuthorize("hasPermission('admin_xacml','{actionid:header.action-id,resourceid:header.resource-id}')")
public String adminOperation() { /* protected method body */ }
```
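The following is an added example, not code from the spring-security-abac SDK or from these slides: a hypothetical Spring `PermissionEvaluator` that shows how such a template can be resolved against the current `HttpServletRequest` (the five sources listed above) and how the resulting attributes are handed to a PDP. The `PdpClient` interface, the class name and the attribute-map shape are assumptions made for the example; the SDK's own evaluator and transport to WSO2 Identity Server are not shown on the page.

```java
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.servlet.HandlerMapping;

/**
 * Hypothetical evaluator (not the SDK's own): hasPermission('<policy>', '{attr:source.name,...}')
 * resolves each template entry against the current request and asks a PDP for a decision.
 */
public class TemplatedXacmlPermissionEvaluator implements PermissionEvaluator {

    /** Assumed PDP client: returns the XACML decision string ("Permit", "Deny", ...). */
    public interface PdpClient {
        String decide(String subject, String policyId, Map<String, String> attributes);
    }

    private final PdpClient pdp;

    public TemplatedXacmlPermissionEvaluator(PdpClient pdp) {
        this.pdp = pdp;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object policyId, Object template) {
        HttpServletRequest req = ((ServletRequestAttributes)
                RequestContextHolder.currentRequestAttributes()).getRequest();
        Map<String, String> attrs = resolveTemplate(String.valueOf(template), req);
        String decision = pdp.decide(auth.getName(), String.valueOf(policyId), attrs);
        // Fail closed: only an explicit Permit grants access; Deny, NotApplicable and Indeterminate all refuse.
        return "Permit".equals(decision);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false; // only the templated form above is supported
    }

    /** Parses "{actionid:header.action-id,resourceid:header.resource-id}" into attribute -> request value. */
    static Map<String, String> resolveTemplate(String template, HttpServletRequest req) {
        Map<String, String> out = new LinkedHashMap<>();
        String body = template.trim();
        if (!body.startsWith("{") || !body.endsWith("}")) {
            throw new IllegalArgumentException("template must be {attr:source.name,...}: " + template);
        }
        for (String pair : body.substring(1, body.length() - 1).split(",")) {
            String[] kv = pair.split(":", 2);
            if (kv.length != 2) throw new IllegalArgumentException("bad template entry: " + pair);
            String[] ref = kv[1].trim().split("\\.", 2);   // "header.action-id" -> ["header", "action-id"]
            if (ref.length != 2) throw new IllegalArgumentException("bad reference: " + kv[1]);
            String value = lookup(ref[0], ref[1], req);
            // A missing attribute must not silently produce a partial request; reject the call instead.
            if (value == null) throw new IllegalArgumentException("request has no value for " + kv[1]);
            out.put(kv[0].trim(), value);
        }
        return out;
    }

    @SuppressWarnings("unchecked")
    static String lookup(String source, String name, HttpServletRequest req) {
        switch (source) {
            case "header":
                return req.getHeader(name);
            case "queryParam":
            case "formData":
                return req.getParameter(name);   // the Servlet API exposes both through getParameter
            case "pathParam": {
                Map<String, String> vars = (Map<String, String>)
                        req.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
                return vars == null ? null : vars.get(name);
            }
            case "cookie": {
                if (req.getCookies() == null) return null;
                for (Cookie c : req.getCookies()) {
                    if (c.getName().equals(name)) return c.getValue();
                }
                return null;
            }
            default:
                throw new IllegalArgumentException("unknown template source: " + source);
        }
    }
}
```

To wire it in, enable `@EnableGlobalMethodSecurity(prePostEnabled = true)` and set this evaluator on a `DefaultMethodSecurityExpressionHandler` via `setPermissionEvaluator`. Note the security caveat that the example makes visible: every value resolved through `header.*`, `queryParam.*`, `formData.*` or `cookie.*` is chosen by the client, so the policy should use those attributes only to identify which action and resource are being requested, while the entitlement decision itself rests on the subject attributes that arrived in the SAML assertion.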
9. Future Improvements
1. Embedding the Balana XACML engine in Spring Security.
2. Administering multiple Spring Security PDPs from a single PAP in WSO2 IS.
3. Improved caching implementations.