Андрей Т

Reputation: 51

Spring ABAC data filtering vs Spring @PostFilter

I am using an ABAC model to secure access to some entities in a project. According to https://dzone.com/articles/simple-attribute-based-access-control-with-spring, I can easily define some policy rules for updating/deleting entities in the project. After many hours of searching, I came across the only normally documented way to filter the data available to the user: using Spring Security's @PostFilter. The problem is the performance of this approach. What are the available ways to shift the responsibility for filtering data to the database, while not mixing business logic and the logic of the role model?

So far I have tried only coding up a JPA Specification: the module responsible for the role model takes into account the user's parameters (id, group_id / organization_id) to compose logical expressions, and all the parameters by which the business needs to filter are added to the expressions composed of such Specifications. But this solution forces me to use only Specifications for data retrieval. Moreover, it is not very clear how to store these expressions in the policy store.

Upvotes: 5

Views: 1187

Answers (1)

David Brossard

Reputation: 13834

You're hitting an aspect that has to do with types of authorization. I like to break it down into 3 types:

  • functional authorization (can I print?)
  • transactional authorization (can I print doc #123?)
  • data-centric authorization (list the docs I can print)

The first 2 types are binary yes/no questions and they scale well, i.e. you ask about one item / record and you get one answer.

The third type is trickier because it's about filtering more so than authorization. Imagine you have a million records. You're not going to iteratively ask whether you can view / edit / print the given record. It wouldn't scale. What you need to do is reverse the process and use what's known as a partial evaluation or a reverse query.

Some database vendors (Informatica...) and authorization vendors (Axiomatics...) provide the ability to dynamically filter data to achieve scalable authorization. I would look down that path.

Upvotes: 3
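The partial evaluation (reverse query) idea from the answer above, as an added example that is not code from the question, the answer or any vendor product: subject attributes are resolved up front and the remaining policy becomes a parameterized WHERE clause that the database applies in a single query. Python with `sqlite3` is used instead of Spring/JPA to keep it self-contained; the policy, the tuple-based policy format, the `docs` table and all function names are assumptions made for illustration.

```python
import sqlite3

# Constructed policy: a doc is printable if it is in the subject's organization
# AND (the subject owns it OR it is not confidential OR the subject is an auditor).
POLICY = ("and",
          ("eq", ("resource", "org_id"), ("subject", "org_id")),
          ("or",
           ("eq", ("resource", "owner_id"), ("subject", "id")),
           ("eq", ("resource", "confidential"), ("const", 0)),
           ("eq", ("subject", "role"), ("const", "auditor"))))
COLUMNS = {"org_id", "owner_id", "confidential"}  # allow-list of filterable columns

def partial_eval(node, subject):
    """Resolve subject attributes now; return (sql, params) over resource columns.
    sql is "1" (always permit), "0" (always deny) or a residual predicate."""
    op, args = node[0], node[1:]
    if op == "eq":  # assumes left is a resource or subject attribute, right is known
        left, right = args
        known = subject[right[1]] if right[0] == "subject" else right[1]
        if left[0] == "resource":
            if left[1] not in COLUMNS:
                raise ValueError("column not allowed: " + left[1])
            return left[1] + " = ?", [known]  # value is bound, never concatenated
        return ("1" if subject[left[1]] == known else "0"), []
    absorbing, neutral = ("0", "1") if op == "and" else ("1", "0")
    parts = [partial_eval(child, subject) for child in args]
    if any(sql == absorbing for sql, _ in parts):
        return absorbing, []
    parts = [p for p in parts if p[0] != neutral]  # drop branches decided already
    if not parts:
        return neutral, []
    joiner = " AND " if op == "and" else " OR "
    return ("(" + joiner.join(sql for sql, _ in parts) + ")",
            [value for _, params in parts for value in params])

def sample_db():
    """Constructed sample data: (id, org_id, owner_id, confidential)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER, org_id INTEGER, "
                 "owner_id INTEGER, confidential INTEGER)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?, ?)",
                     [(1, 10, 1, 1), (2, 10, 2, 1), (3, 10, 2, 0),
                      (4, 20, 1, 0), (5, 20, 3, 1)])
    return conn

def printable_ids(conn, subject):
    """One query: the database applies the residual policy as its WHERE clause."""
    sql, params = partial_eval(POLICY, subject)
    rows = conn.execute("SELECT id FROM docs WHERE " + sql + " ORDER BY id", params)
    return [row[0] for row in rows]

if __name__ == "__main__":
    print(printable_ids(sample_db(), {"id": 1, "org_id": 10, "role": "clerk"}))
```

The policy stays in one place as data, and business filters can be ANDed onto the residual predicate without knowing anything about roles.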
