Michael C. Good
Software Engineer and Cyber Security Professional
0

No products in the cart.

Michael C. Good
Software Engineer and Cyber Security Professional

Blog Post

Expression-Based Access Control

1. Overview

Today, we’ll be reviewing the differences between Expression-Based Access Control (EBAC), Role Based Access Control (RBAC), and Attribute Based Access Control (ABAC), with a deeper focus on EBAC.

2. What is Expression-Based Access Control?

Simply put, Expression-Based Access Control is the use of expressions to write authorization.

The phrase Expression-Based Access Control (EBAC) is currently most commonly associated with the use of the Spring Expression Language expressions to write authorization.

It was in Spring Security 3.0 that the ability to use Spring EL expressions as an authorization mechanism in addition to the simple use of configuration attributes and access-decision voters was introduced.

However, using expressions for access control is NOT limited to just Spring Security! This blog post is partially a request to the greater community to recognize the use of expressions in authorization as Expression-Based Access Control (EBAC), since it is uniquely different than other forms of access control, due to its ability to let you implement other forms of access control such as RBAC and ABAC.

Other examples of EBAC include the Access Control Expressions (ACE) in MapR and Dynamic Access Control in Windows. There may others as well, such as the PHP Framework Symfony.

Is Expression-Based Access Control (EBAC) Equivalent to Attribute Based Access Control (ABAC)?

No, but ABAC can be implemented with EBAC.

Here is a high level definition of ABAC according to NIST Special Publication 800-162:

An access control method where subject requests to perform
operations on objects are granted or denied based on assigned attributes of the subject, assigned
attributes of the object, environment conditions, and a set of policies that are specified in terms of those
attributes and conditions

With this in mind, we could write our own using an expression language, such as Spring Expression Language based expressions, that can then call with the existing @PreAuthorize, @PostAuthorize, @PreFilter and @PostFiler, sec:authorize tags and even from intercept-url conditions.

Is Expression-Based Access Control (EBAC) Equivalent Role Based Access Control (RBAC)?

No, EBAC is not equivalent to RBAC, but RBAC comes built-in to certain expression languages such as Spring EL. For instance, there are these two common expressions that allow us to implement RBAC with ease:

  • hasRole([role])
  • hasAnyRole([role1,role2])

However, when writing fine-grained authorization rules, we easily begin to write expressions that surpass the granularity level of RBAC.

3. Web Security Expressions

EBAC implementations, such as Spring Security, allow us to secure URLs. The expressions should evaluate to true or false, defining whether or not access is granted. An example of restricting access in a RESTful application base on userID in a Java configuration:

http
.authorizeRequests()
.antMatchers("/user/{userId}/**").access("@webSecurity.checkUserId(authentication,#userId)")
...

4. Method Security Expressions

Method security is more complicated than permit or deny.

For example, in Spring Security, there are four annotations that take expression attributes to perform pre and post-invocation authorization checks and also to support filtering of submitted collection arguments or return values.

@PreAuthorize, which is the most commonly used, decides whether a method can actually be invoked or not.

@PostAuthorize, an uncommonly used annotation, performs an access-control check after the method has been invoked.

With @PostFilter, Spring Security iterates through the returned collection and removes any items for which the provided expression is false.

@PreFilter allows us to filter before the method call, but this is less commonly used.

Below we have an example of combining PreAuthorize with @PostFilter for more fine-grained security:


@PreAuthorize("hasRole('USER')")
@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
public List<contact> getAll();

5. When to Use Expression-Based Access Control (EBAC)?

If the security we need requires more granularity than simple Access Control Lists (ACLs), then we need to use EBAC. How we decide to implement EBAC is a matter what resources we have available to us. For instance, in an organization that uses Spring Security, then why not use their Spring EL? Likewise, if we have MapR, then we’d use their Access Control Expressions.

In other situations, in order to meet the needs of the organization, it may be required to write our own expression language in the favored language in order to implement EBAC. The reason why we’d spend time doing this, of course, is to allow us to implement whatever kind of access control we want, with the conditions we want. Once we have the adequate expression language to accomplish this, another benefit is that we are less likely to rely on others – whether commercial off the shelf products or open source.

6. Conclusion

Various software comes with the ability to write authorization using expressions, such as MapR, Windows, and, of course, Spring Security. If fine-grained access control can be accomplished using the expressions, I refer to it – and suggest you refer to it – as Expression-Based Access Control (EBAC). By giving it a name, we are more likely to use it to secure our systems over traditional RBAC. This is good because fine-grained access control, when done properly, is more likely to prevent breaches.


4 Comments
  • Java Weekly, Issue 262 | Baeldung 3:05 am January 4, 2019 Reply

    […] >> Expression-Based Access Control [michaelcgood.com] […]

  • […] The four annotations typically available in Spring Security are available for use with Spring Expression Language (SpEL) expressions to perform Expression-Based Access Control: […]

  • Zac 11:53 pm January 13, 2019 Reply

    EBAC seems to be an implementation where as ABAC / RBAC are specifications or models.

  • Paul Frischknecht 3:46 am January 21, 2019 Reply

    You need to change the font of this blog. The thin lines of this serif font are way too thin compared to the thick parts, especially on 4k/high dpi. It is hard on the eyes.

Write a comment