The module is the relying party.
The module checks the rights and the authorization code with the OIDC provider.
The module has to know some information, such as the OIDC address. This configuration should be available inside the securityfilter.config property file:
$ cat security.config
discoveryURL=http://localhost:8180/auth/realms/master/.well-known/openid-configuration
client_secret=0f724088-70c7-4e8b-b339-cc1286cdae81
client_id=test_id
discoveryURL is used to set the address of the OIDC configuration URL. The servlet reads the content of this URL and uses it to learn the various information about the OIDC provider.
client_id and client_secret are the credentials of the relying party on the OIDC provider.
By default, the module refuses every request; the access rules have to be set first.
Two ways are available to do it.
Each service may use a configuration file that is inside the sensinact distribution's cfgs directory:
$ cat temperatures-generator.config
# Specify the number of devices that must be generated (max is 8601)
org.eclipse.sensinact.simulated.generator.amount=10
securityfilter[0]=anonymous:GET:*
securityfilter[1]=admin:POST:*
All the security configuration may be gathered in the global org.eclipse.sensinact.security.oAuth2.config configuration file:
$ cat org.eclipse.sensinact.security.oAuth2.config
discoveryURL=http://localhost:8180/auth/realms/master/.well-known/openid-configuration
client_secret=0f724088-70c7-4e8b-b339-cc1286cdae81
client_id=test_id
light=anonymous:GET:/sensinact/light/*
light[0]=anonymous:GET:/sensinact/light/*
light[1]=admin:POST:/sensinact/light/*
slider[0]=anonymous:GET:/sensinact/slider/*/*
slider[1]=admin:GET:/sensinact/slider/254/*
After the OIDC settings, each line describes an access rule for a service.
Ex: slider[0]=anonymous:GET:/sensinact/slider/*/*
service: slider
rule number: [0]
role: anonymous
action: GET
regular expression: /sensinact/slider/*/*
If the service is available, its numbered rules are loaded. Users with the anonymous role are allowed to perform a GET on every URL that matches the regular expression.
The OIDC provider must contain all users and their roles for the client_id.
There are two special users:
anonymous: it is not a real user; every request matching the regular expression is accepted without OIDC authorization.
admin: users with the admin role are allowed to access any URL.
The regular expression may be more complicated and may contain special fields (user, group, role).
Ex: light[0]=users:GET:/sensinact/light/*
light[1]=users:POST:/sensinact/light/${user}/*
For the light service, all users with the role users may GET every URL in /sensinact/light/*, but only JDoe with the role users may POST on /sensinact/light/JDoe/*.
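As an added illustration (not code from the sensiNact module), the following Python evaluates rules written in the syntax above against a caller's validated token claims, denying by default. Assumptions, since the page does not specify them: `*` is a wildcard, `${user}` and `${group}` are taken from the token claims, `${role}` is the role named in the matching rule, and the admin role bypasses matching as the text describes.

```python
import re

# Constructed sample in the rule syntax described above; the OIDC keys are ignored by the parser.
CONFIG = """\
discoveryURL=http://localhost:8180/auth/realms/master/.well-known/openid-configuration
light[0]=users:GET:/sensinact/light/*
light[1]=users:POST:/sensinact/light/${user}/*
slider[0]=anonymous:GET:/sensinact/slider/*/*
"""

def parse_rules(text):
    """Return (service, role, action, pattern) for every '<service>[<n>]=<role>:<action>:<pattern>' line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(\w+)\[\d+\]", key.strip())
        if not m:
            continue  # discoveryURL, client_id, client_secret, ... are not rules
        role, action, pattern = value.strip().split(":", 2)
        rules.append((m.group(1), role, action, pattern))
    return rules

def pattern_to_regex(pattern, fields):
    """Assumed semantics: '*' is a wildcard; ${user}/${group}/${role} are replaced by caller data.
    Each piece is escaped AFTER substitution, so a username containing '*' or '.' cannot widen a rule."""
    pieces = []
    for piece in pattern.split("*"):
        piece = re.sub(r"\$\{(user|group|role)\}", lambda m: fields.get(m.group(1), ""), piece)
        pieces.append(re.escape(piece))
    return ".*".join(pieces)

def is_allowed(rules, service, claims, action, path):
    """Deny by default. claims is {'user': ..., 'group': ..., 'roles': [...]} from the
    validated OIDC token, or None for an unauthenticated caller."""
    roles = set(claims.get("roles", [])) if claims else set()
    if "admin" in roles:
        return True  # the admin role may access any URL (assumed bypass, per the text)
    for svc, role, act, pattern in rules:
        if svc != service or act != action:
            continue
        if role != "anonymous" and role not in roles:
            continue  # anonymous rules apply to everyone; other roles must be in the token
        fields = {"user": claims.get("user", "") if claims else "",
                  "group": claims.get("group", "") if claims else "", "role": role}
        if re.fullmatch(pattern_to_regex(pattern, fields), path):
            return True
    return False
```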