Fine-grained authorization for your Java apps
Access controls in Java
Java is a popular programming language used for coding web applications. It was designed to have as few implementation dependencies as possible. It is a multi-platform, object-oriented language that can be used as a platform in itself. It is fast, secure, and reliable.
Aserto is an application authorization platform that brings secure, distributed, auditable access management to Java apps. Built on trusted open-source projects like Open Policy Agent (OPA) Open Container Initiative (OCIv2), and Topaz, Aserto brings role-based access control (RBAC), attribute-based access control (ABAC), and relationship-based access controls (ReBAC) to Java applications.
Why use Aserto over libraries, like Spring Security or Apache Shiro?
There are a few key differences that set Aserto apart from the Java libraries you might be familiar with:
Authorize locally, manage centrally
Libraries in Java are embedded directly into the application. When implementing authorization into the application, this means each microservice has to define its own authorization policy and manage that data independently. It also needs to capture, and handle decision logs, which means that you'll need to build a centralized management plane for a unified audit trail of authorization decisions required for compliance.
If your application consists of multiple services, and runs multiple instances of these services, central management of all the authorization artifacts and decision logs creates a streamlined path to operating a distributed and/or modern microservices architecture. Aserto provides this centralized control plane for identities, policies, data, and decision logs.
Separation of concerns
Aserto authorization service also extracts authorization logic out of the application code and into a policy. It also stores and versions the policy as its own code artifact. This is called separation of concerns, and it allows security engineers to evolve the authorization policy independently of the application code. This brings a policy-as-code approach to developing, changing policies rather than the old approach of hardwiring permission logic in application code.
Users as first-class citizens
Additionally, Aserto treats users and roles as first-class citizens. The user/relationship directory is continuously synchronized with the Aserto authorizer instances so that Aserto can reason about users and roles as a part of the policy without requiring role resolution as an additional external step.
Having user and role information come from the Aserto directory mitigates the risks of coding errors feeding incorrect data into the decision engine.
Setting things up
To get started you’ll want to leverage the Java SDK to add authorization middleware. This package allows Java applications to use Aserto as the Authorization provider.
Deployment options
Creating a tenant in Aserto will automatically create a corresponding Authorizer instance with which you can develop and test. The Java SDK uses the gRPC API bindings to make it easy to integrate the Aserto authorizer into Java apps.
For production workloads, the Aserto Authorizer can be deployed as a sidecar, or local service right next to your application instance to provide minimal latency and 100% availability tied to your application’s uptime.
Decision logging
Out-of-box decision logging creates an easy audit trail for security and compliance. All decisions made by the Aserto authorizer can be easily viewed and tracked via the Aserto control plane. Easily stream these logs to your SIEM tool or favoriate log analysis tool.
Topaz: the authorizer
We have open-sourced the Aserto authorizer, Topaz, so you can launch it in your cloud today to begin to enjoy the benefits of modern application authorization.
Topaz makes authorization decisions based on three important inputs:
1. Policies from your policy registry
2. Users, attributes, and roles from your identity provider (e.g. Okta, Auth0, etc.) supplemented with application-specific information stored in the Aserto directory
3. Resource context passed by in your application
Any changes made to your directory (i.e. in your IDP or enterprise directory) are automatically synchronized into the Aserto directory. Aserto pushes updates to the edge authorizers in near real-time, ensuring your decisions are based on up-to-date information.
Aserto comes with the following benefits:
- Out-of-the-box support for audit trails, custom roles, RBAC, ABAC, and ReBAC
- Open-source authorizer you can deploy in your cloud today
- Use a policy-as-code workflow to build, tag, push, version, and pull policy images just like docker images
- Quick onboarding via first-class citizen integrations with your identity provider, artifact registry, logging system, backend programming language, and frontend framework.
- Built on top of a trusted open source projects, including the Open Policy Agent (OPA) and Topaz