This article presents an approach to using XACML with Spring Cloud; it may be of some reference value to readers facing the same problem.

Problem description

I'm going to secure my Spring Cloud Application with OAuth2 and XACML (using AuthZForce, Balana, AT&T XACML or something similar).

I want to use the microservices from Spring-Cloud(-Netflix). To make XACML available I think that I need this:

  1. PEP for each existing API-service
  2. PDPs as new services that are used by the PEPs. Because Spring-Cloud(-Netflix) has load-balancing functions (Eureka), I need to register these services on Eureka and implement a REST-API.
  3. Because all PDPs should use the same policies, they need to be stored centrally (Policy Provider)

Which framework is most suitable for this approach?

Update 1: It should be possible with AuthZForce (according to the feature description), but I'm not really sure how (there is no detailed documentation or tutorial).

Recommended answer

I don't know all the frameworks equally well, so I cannot give an objective answer to which framework is most suitable. But I can give an answer for AuthzForce.

For the PDP part, you can use AuthzForce Core as a Java library. The wiki gives information about Policy Providers and how to add your own to the framework if necessary. There is one mentioned there that gets policies from a MongoDB database. Note that if you want the PDPs to use the same policies, central storage is one solution, but another is to use replication/synchronization. For example, if you use the Policy Provider that supports getting policies from the local filesystem, a decentralized cluster synchronization tool like csync2 can do the job without a single point of failure.

Besides, you may be interested in AuthzForce Server, which provides a multi-tenant REST API for both PDP and PAP (policy administration), in compliance with the XACML REST profile (for the PDP part). It is probably overkill if you only need PDPs, but it may be worth looking at if your requirements go in that direction.

For the PEP part, you can reuse authzforce-ce-xacml-model (and its dependencies), available on Maven Central (groupId=org.ow2.authzforce, artifactId=authzforce-ce-xacml-model), to manipulate the XACML Requests/Responses exchanged with your PDPs' REST API. It mostly contains all the JAXB-annotated classes derived from the XACML schema, plus Enums for the standard XACML identifiers: categories, attributes, data types, etc.
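To make the PEP/PDP exchange described in the answer concrete, here is an added example (not code from the answer, from AuthzForce, or from Spring Cloud) of the PEP side in plain Python: it builds a XACML 3.0 `Request` for "may this subject perform this action on this resource?", POSTs it to a PDP endpoint with the `application/xacml+xml` media type from the XACML REST profile, and interprets the `Response` fail-closed. The PDP URL is whatever the caller supplies (hypothetical), and the two sample responses at the bottom are constructed for offline use, not captured from a real PDP. The security point the answer leaves implicit is handled explicitly: only a well-formed response carrying exactly one `Permit` grants access; `Deny`, `NotApplicable`, `Indeterminate`, multiple results, malformed XML and transport errors all deny.

```python
"""Added example: a minimal XACML 3.0 PEP talking to a PDP REST endpoint.
Not AuthzForce or Spring Cloud code; namespace and identifier URNs are the
standard XACML 3.0 ones, the PDP URL is supplied by the caller (hypothetical)."""
import xml.etree.ElementTree as ET
import urllib.request

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
ET.register_namespace("", XACML_NS)  # serialise with XACML as the default namespace

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ATTR_SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ATTR_RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ATTR_ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
DECISIONS = ("Permit", "Deny", "NotApplicable", "Indeterminate")


def _q(tag):
    """Clark-notation qualified name for a XACML element."""
    return "{%s}%s" % (XACML_NS, tag)


def _attributes(category, attribute_id, value):
    """One <Attributes> block holding a single string-typed attribute.
    ElementTree escapes the value, so '<', '>' and '&' cannot inject markup."""
    attrs = ET.Element(_q("Attributes"), Category=category)
    attr = ET.SubElement(attrs, _q("Attribute"), AttributeId=attribute_id,
                         IncludeInResult="false")
    ET.SubElement(attr, _q("AttributeValue"), DataType=XS_STRING).text = value
    return attrs


def build_request(subject_id, resource_id, action_id):
    """XACML 3.0 <Request> asking whether subject may perform action on resource."""
    req = ET.Element(_q("Request"), ReturnPolicyIdList="false",
                     CombinedDecision="false")
    req.append(_attributes(CAT_SUBJECT, ATTR_SUBJECT_ID, subject_id))
    req.append(_attributes(CAT_RESOURCE, ATTR_RESOURCE_ID, resource_id))
    req.append(_attributes(CAT_ACTION, ATTR_ACTION_ID, action_id))
    return ET.tostring(req, encoding="unicode")


def parse_decision(response_xml):
    """Return the single <Decision> of a PDP <Response>; ValueError on anything else."""
    root = ET.fromstring(response_xml)  # stdlib expat does not fetch external entities
    if root.tag != _q("Response"):
        raise ValueError("not a XACML Response: %s" % root.tag)
    results = root.findall(_q("Result"))
    if len(results) != 1:  # one request without MultiRequests => exactly one Result
        raise ValueError("expected exactly one Result, got %d" % len(results))
    decision = results[0].findtext(_q("Decision"))
    if decision not in DECISIONS:
        raise ValueError("unknown Decision: %r" % decision)
    return decision


def is_permitted(response_xml):
    """Fail closed: only a well-formed response with a single Permit grants access."""
    try:
        return parse_decision(response_xml) == "Permit"
    except (ET.ParseError, ValueError):
        return False


def ask_pdp(pdp_url, request_xml, timeout=5.0):
    """POST the request to the PDP endpoint (URL is an assumption of the caller)."""
    http_req = urllib.request.Request(
        pdp_url, data=request_xml.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/xacml+xml",
                 "Accept": "application/xacml+xml"})
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def authorize(pdp_url, subject_id, resource_id, action_id):
    """PEP entry point: any transport, HTTP or parsing failure is a deny."""
    try:
        request_xml = build_request(subject_id, resource_id, action_id)
        return is_permitted(ask_pdp(pdp_url, request_xml))
    except (OSError, ValueError):  # URLError/HTTPError are OSError subclasses
        return False


# Constructed sample PDP responses (not captured from a real AuthzForce instance).
PERMIT_RESPONSE = (
    '<Response xmlns="%s"><Result><Decision>Permit</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/></Status>'
    '</Result></Response>' % XACML_NS)
INDETERMINATE_RESPONSE = (
    '<Response xmlns="%s"><Result><Decision>Indeterminate</Decision>'
    '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>'
    '</Status></Result></Response>' % XACML_NS)

if __name__ == "__main__":
    print(build_request("alice", "/api/orders/42", "GET"))
    print(is_permitted(PERMIT_RESPONSE), is_permitted(INDETERMINATE_RESPONSE))
```

In a Spring Cloud deployment the `pdp_url` would be resolved through Eureka to one of the registered PDP instances; since every decision that is not a clean `Permit` is treated as a deny, a PDP instance that is down or serving an inconsistent policy set degrades to refusing access rather than granting it.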

That concludes this article on XACML for Spring Cloud. We hope the recommended answer helps, and thank you for your continued support!

09-15 03:06