XACML for Spring Cloud

最后都变了 - Submitted on 2019-12-04 16:53:40

I don't know all the frameworks that well, so I cannot give an objective answer as to which framework is most suitable. But I can give an answer for AuthzForce.

For the PDP part, you can use AuthzForce Core as a Java library. The wiki gives information about Policy Providers and how to add your own to the framework if necessary. There is one mentioned there that gets policies from a MongoDB database. Note that if you want PDPs to use the same policies, a central storage is one solution, but another is to use replication/synchronization. For example, if you use the Policy Provider that supports getting policies on the local filesystem, a decentralized cluster synchronization tool like csync2 can do the job without a single point of failure.

Besides, you may be interested in AuthzForce Server, which provides a multi-tenant REST API for both PDP and PAP (policy administration) in compliance with the XACML REST profile (for the PDP part). It is probably overkill if you only need PDPs, but it may be worth looking at if your requirements go in that direction.

For the PEP part, you can reuse authzforce-ce-xacml-model (and dependencies) available on Maven Central (groupId=org.ow2.authzforce, artifactId=authzforce-ce-xacml-model) to manipulate the XACML Requests/Responses exchanged with your PDPs' REST API. This mostly contains all JAXB-annotated classes derived from the XACML schema, and Enums for standard XACML identifiers: categories, attributes, data types, etc.
