Java Library
    • 24 Nov 2024
    • 5 Minutes to read
    • Dark
      Light
    • PDF

    Java Library

    • Dark
      Light
    • PDF

    Article summary

    Introduction

    This library enables the use of the PlainID SQL-PDP service with Java SpringBoot and applies SQL filtering
    rules to SQL queries generated by SpringBoot Hibernate.
    A minimum Java version of 1.8 and Spring Boot version 2.0.0 or higher is required.

    Usage

    To include this library using Maven, add the following dependency to your pom.xml:

    
    <dependency>
        <groupId>com.plainid.libs</groupId>
        <artifactId>plainid-sql-pdp-auth-lib</artifactId>
        <version>1.2.17</version>
    </dependency>
    

    Initializing the Library Configuration

    Configure the library by adding the following settings to your application.yamlor application.properties. Alternatively, you can choose not to define properties in your application.properties file and instead, set everything through Environment variables:

    plainid.sqlpdp.pdpUrl=http://localhost:8080/sql
    plainid.sqlpdp.clientID=XXXXXX
    plainid.sqlpdp.clientSecret=XXXXXXXXXX
    plainid.sqlpdp.entityTypeId=Main
    plainid.sqlpdp.emptyCLSTreatAsPermitted=true
    plainid.sqlpdp.emptyRLSTreatAsDenied=false
    plainid.sqlpdp.ignoreRuntimeCLSResponse=true
    plainid.sqlpdp.ignoreSqlPdpServiceErrors=true 
    plainid.sqlpdp.oppositeColumnFilteringBehavior=true
    plainid.sqlpdp.expandStarColumn=true
    plainid.sqlpdp.policiesJoinOperation=OR
    plainid.sqlpdp.runtimeCLSAsMasked=true
    plainid.sqlpdp.requestMapping='[JSON_ARRAY_OF_REQUEST_MAPPING_CONFIGS]'
    plainid.sqlpdp.jwtPassthrough=true
    plainid.sqlpdp.entityIdJwtMapping=user_id
    plainid.sqlpdp.columnsResourceType=CustomColumns
    

    To configure the way a request is sent to the PDP service, create a bean of type
    QueryModificationFlags and set the desired flags according to the following parameters or set everything via the Environment variables:

    @Bean
    public QueryModificationFlags queryModificationFlags() {
        return new QueryModificationFlags(true, true, false, true, true, "OR", true);
    }
    
    FlagDescriptionEnv. Variable.
    clientIdThe Client ID for the PDP service.PLAINID_CLIENT_ID
    clientSecretThe Client Secret for the PDP service.PLAINID_CLIENT_SECRET
    entityTypeIdThe entity type Id.PLAINID_ENTITY_TYPE_ID
    pdpUrlThe URL for the SQL-PDP service.PLAINID_SQLPDP_SERVICE_URL
    emptyCLSTreatAsPermittedIf true, all columns are allowed when there are no column restrictions.PLAINID_EMPTY_CLS_TREAT_AS_PERMITTED
    emptyRLSTreatAsDeniedIf true and there are no filtering rules, an empty statement is returned.PLAINID_EMPTY_RLS_TREAT_AS_DENIED
    ignoreRuntimeCLSResponseIf true, the library ignores any column restrictions.PLAINID_IGNORE_RUNTIME_CLS_RESPONSE
    ignoreSqlPdpServiceErrorsIf true, the library ignores any errors occurred during Policy resolution; otherwise, errors propagate.PLAINID_IGNORE_SQL_PDP_SERVICE_ERRORS
    oppositeColumnFilteringBehaviorIf true, the library filters the columns that are not listed. If false, the library filters the columns that are listed.PLAINID_OPPOSITE_COLUMN_FILTERING_BEHAVIOR
    expandStarColumnEnables the DB schema structure resolutionPLAINID_EXPAND_STAR_COLUMN
    policiesJoinOperationThe join operation between Policies. (default OR)PLAINID_POLICIES_JOIN_OPERATION
    runtimeCLSAsMaskedConsiders the allowed Runtime field masked.PLAINID_RUNTIME_CLS_AS_MASKED
    requestMappingMaps context request parameters (headers, uri, etc.) to Runtime sections (see below for more details in Request Mapping).PLAINID_RUNTIME_REQUEST_MAPPING
    jwtPassthroughPasses the JWT supplied in the Authorization header to the Runtime request
    If the java application that is using this library receives a request with JWT inside an HTTP authorization header,
    it will pass this header to the pdp-service to be used by it to extract claims and credentials.
    PLAINID_RUNTIME_JWT_PASSTHROUGH
    entityIdJwtMappingExtracts the claim from the JWT and pass it as entityId to the Runtime request.
    If JWT is being sent to the Java service using this library, the userid from within this JWT is identified by some field. Use this parameter to define this field inside the JWT in order to extract it and pass it as an identity/entityid to the pdp-service request.
    PLAINID_ENTITY_ID_JWT_MAPPING
    columnsResourceTypeAllows users to specify a custom resource type for column-level access control at the library level when parsing resolutions and modifying queries, improving flexibility in query handling. If the Column Resource Type is not specified in the library or as an Environment Variable, the default value will be columns.PLAINID_COLUMNS_RESOURCE_TYPE

    Request Mapping

    The parameter accepts configuration properties that define mappings between various sources and their mapping targets in the PDP/Runtime calls. A source refers where data is retrieved from and a target specifies where the data should be mapped.

    Sources

    The following sources are supported:

    • headers: Data is retrieved from the request headers.
    • url: Data is extracted from the request URL based on a regex pattern.
    • qs (query-string parameter): Data is retrieved from the query string parameters of the request.
    • env (environment variable): Data is retrieved from the environment variables of the application.

    Targets

    The following targets are supported:

    • entityAttributes: The data is mapped to the entityAttributes section in the Policy resolution call.
    • environment: The data is mapped to the Environment section in the Policy resolution call.
    • contextData: The data is mapped to the contextData section in the Policy resolution call.

    Configuration Structure

    The configuration parameter is passed as a key / value mapping entries. Each object should have the following structure:

    { "source.sourceKey": "target.targetKey" }
    

    Fields:

    • source: Specifies the source type. It can be headers, url, env or qs.
    • sourceKey: For headers it is the header to look for, following an optional possible JSON path extraction rule, for qs, this is the exact key to look for. For url, this is a regex pattern to match and extract data.
    • target: Specifies the target type. It can be entityAttributes, environment, or contextData.
    • targetKey: This is the key under which the data from the source is stored in the target.

    Example of a configuration:

    {
    {
      "env.MY_ENV_VAR": "entityAttributes.myEnvVar",
      "headers.x-user-info.$.user.department": "contextData.userInfo",
      "headers.Accept-Encoding": "entityAttributes.Accept-Encoding-Target",
      "qs.difficulty": "environment.difficulty",
      "url./api/([^/]+)(/|$)": "environment.urlPartExample"
    }
    
    • Data from the MY_ENV_VAR environment variable is mapped to entityAttributes section under the key myEnvVar.
    • Data from the x-user-info header is extracted and mapped through json path $.user.department to contextData section under the key userInfo.
    • Data from the Accept-Encoding header is mapped to contextData section under the key Accept-Encoding-Target.
    • Data from the difficulty querystring parameter is mapped to the environment section.
    • Data matching the regex pattern /api/([^/]+)(/|$) from the URL is mapped to entityAttributes under the key urlPartExample, for example this extracts users from the URL http://localhost:8080/api/users.

    The configuration should be passed as a JSON string to the plainid.sqlpdp.requestMapping property or environment variable: PLAINID_RUNTIME_REQUEST_MAPPING.

    Using Context and Authorization

    To fetch the current user and security context sent to the SQL Database Authorizer Service, the library retrieves the information through a call to Spring Security Core Context by default:

     Authentication authentication=SecurityContextHolder.getContext().getAuthentication();
    String u=authentication==null null:authentication.getName();
    

    To override this behavior and inject your user ID and context, use the following code before performing database actions:

     com.plainid.sqlpdplib.Context.setUsername("YOUR_USERNAME");
    

    To inject entity attributes within the Runtime for further Policy resolution based on Dynamic Groups, insert the following code before performing any database actions:

    EntityAttributes entityAttributes = new EntityAttributes();
    entityAttributes.addAttribute("ATTRIBUTE_NAME", "ATTRIBUTE_VALUE");
    com.plainid.sqlpdplib.Context.setEntityAttributes(entityAttributes);
    

    API Documentation

    The ReSQL API is a powerful tool that enables you to modify SQL queries over HTTP.
    It provides several customization options, which are encapsulated within a request, allowing users to fine-tune their SQL query behavior based on PlainID policies as needed.
    The API also returns a structured JSON response, containing potential error messages and indicating whether the query was modified.

    For more information API Documentation, check out the Authorizer Service article.


    Was this article helpful?

    What's Next