Difference between revisions of "BaSyx / Documentation / Components / Registry / Features / Authorization"
(Created page with "= Authorization = == User Story & Use Case == ''As AAS Components user'' ''I want to authorize access on AAS & Submodels descriptor data contained in the AAS Registry ''so t...") |
Line 20: | Line 20: | ||
aas.authorization=Disabled | aas.authorization=Disabled | ||
+ | <span style="color:red;font-size:150%;">[deprecated]</span> | ||
The JWT connectivity can be configured in the [[BaSyx_/_Documentation_/_Components_/_Context | context.properties]], e.g. by | The JWT connectivity can be configured in the [[BaSyx_/_Documentation_/_Components_/_Context | context.properties]], e.g. by | ||
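Review bot: The added [deprecated] marker stands on its own line above the JWT connectivity sentence and does not say what is deprecated, what replaces it, or whether the context.properties settings still take effect. Suggest folding it into the sentence itself, naming the jwtBearerTokenAuthentication* properties in context.properties as the deprecated path, and using wiki markup or a template instead of an inline-styled span so the label does not depend on colour alone.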
Line 25: | Line 26: | ||
jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs | jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs | ||
jwtBearerTokenAuthenticationRequiredAud=basyx-demo | jwtBearerTokenAuthenticationRequiredAud=basyx-demo | ||
+ | |||
+ | <span style="color:green;font-size:150%;">[new way]</span> | ||
+ | The new way to configure JWT validation is via the "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider" property in [[https://github.com/eclipse-basyx/basyx-java-components/blob/main/basyx.components/basyx.components.docker/basyx.components.AASServer/src/main/resources/security.properties security.properties]] where a class can be provided that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. | ||
+ | For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, it will still use the old properties in the context.properties. |
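Review bot: The link in the added "new way" paragraph wraps an external URL in double square brackets ([[https://github.com/... security.properties]]); MediaWiki external links take single brackets, which is why the rendered revision shows stray brackets around "security.properties". The paragraph also never shows the property line itself or names the class to supply, and "default behavior" is left undefined. Since a commented-out line silently keeps the deprecated context.properties values in force, suggest showing the exact line to uncomment and stating the fallback next to it.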
Revision as of 08:40, 5 April 2023
Authorization
User Story & Use Case
As AAS Components user
I want to authorize access on AAS & Submodels descriptor data contained in the AAS Registry
so that I can store sensitive data and prevent its unauthorized access.
This feature enables AAS Components users to secure the AAS & Submodel descriptors stored in the AAS Registry component.
Feature Overview
An example of authorization can be found in the scenario with Keycloak.
Feature Configuration
Authorization is disabled by default. Basic authorization can be configured in the aas.properties:
    aas.authorization=Enabled
    aas.authorization=Disabled
[deprecated] The JWT connectivity can be configured in the context.properties, e.g. by
    jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo
    jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs
    jwtBearerTokenAuthenticationRequiredAud=basyx-demo
[new way] The new way to configure JWT validation is the "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider" property in security.properties, where a class can be provided that returns an appropriate KeycloakJwtBearerTokenAuthenticationConfigurationProvider object. For the default behavior, uncomment the property line in the security.properties file. While the line is commented out, the old properties in context.properties are still used.
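The fallback described above is easy to miss in a deployment review, so the following added example (not BaSyx code and not part of this wiki page) reports which file the JWT settings effectively come from and flags weak values. The property names are taken from the page; the individual checks, the loopback exemption, the exact-match on "Enabled" and the sample values are assumptions of this example.

```python
from urllib.parse import urlparse

PROVIDER_KEY = "authorization.strategy.jwtBearerTokenAuthenticationConfigurationProvider"
LEGACY_KEYS = ("jwtBearerTokenAuthenticationIssuerUri", "jwtBearerTokenAuthenticationJwkSetUri",
               "jwtBearerTokenAuthenticationRequiredAud")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}  # assumption: plain http is tolerated only here

def load_properties(text):
    """Parse key=value lines; '#' and '!' start a comment, as in Java .properties files."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(aas, context, security):
    """Return (file the JWT settings come from, list of findings)."""
    findings = []
    if aas.get("aas.authorization", "Disabled") != "Enabled":  # disabled by default
        findings.append("aas.authorization is not Enabled: descriptors are served unprotected")
    if PROVIDER_KEY in security:
        return "security.properties", findings
    # Provider line absent or commented out: the deprecated context.properties keys apply.
    findings.append("provider property not set: using deprecated context.properties keys")
    for key in LEGACY_KEYS:
        if not context.get(key):
            findings.append(f"{key} is missing or empty")
    for key in LEGACY_KEYS[:2]:
        url = urlparse(context.get(key, ""))
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(f"{key} uses plain http to {url.hostname}")
    issuer, jwks = context.get(LEGACY_KEYS[0], ""), context.get(LEGACY_KEYS[1], "")
    if issuer and jwks and not jwks.startswith(issuer.rstrip("/") + "/"):
        findings.append("JWK set URI is not located under the issuer URI")  # heuristic
    return "context.properties", findings

# Constructed sample files: authorization enabled, provider line still commented out.
SAMPLE_AAS = "aas.authorization=Enabled"
SAMPLE_SECURITY = "#" + PROVIDER_KEY + "=<provider class>"  # placeholder value
SAMPLE_CONTEXT = """\
jwtBearerTokenAuthenticationIssuerUri=http://127.0.0.1:9006/auth/realms/basyx-demo
jwtBearerTokenAuthenticationJwkSetUri=http://127.0.0.1:9006/auth/realms/basyx-demo/protocol/openid-connect/certs
jwtBearerTokenAuthenticationRequiredAud=basyx-demo
"""
if __name__ == "__main__":
    samples = (SAMPLE_AAS, SAMPLE_CONTEXT, SAMPLE_SECURITY)
    print(*audit(*(load_properties(t) for t in samples)), sep="\n")
```

Plain http is flagged for the JWK set URI because the keys fetched from it decide which token signatures are trusted.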