Unlock Micronaut Security: A Simple Guide to Role-Based Access Control

java

Unlock Micronaut Security: A Simple Guide to Role-Based Access Control

Securing Micronaut Microservices with Role-Based Access and Custom JWT Parsing

Apr 9, 2023

Unlock Micronaut Security: A Simple Guide to Role-Based Access Control

Implementing role-based access control (RBAC) in a Micronaut application is a fantastic way to keep your microservices locked down and secure. With RBAC, you can manage who gets to access what within your app based on their assigned roles. This ensures a streamlined and scalable security setup. Let’s break it down step-by-step and get you rolling with Micronaut Security.

First things first, you need to set up Micronaut Security in your project. For this, you’d throw in the necessary dependencies into your build.gradle or pom.xml file.

If you’re using Gradle, your build.gradle file will look something like this:

dependencies {
    implementation 'io.micronaut.security:micronaut-security-jwt'
    implementation 'io.micronaut.security:micronaut-security-token-jwt'
}

For Maven folks, the pom.xml file needs this bit of code:

<dependency>
    <groupId>io.micronaut.security</groupId>
    <artifactId>micronaut-security-jwt</artifactId>
</dependency>
<dependency>
    <groupId>io.micronaut.security</groupId>
    <artifactId>micronaut-security-token-jwt</artifactId>
</dependency>

Now that we’ve got the initial setup done, it’s time to dive into configuring the security settings. This is where you tweak your application.yml file. Here’s an example that showcases how to enable security and set up OAuth 2.0 with OpenID Connect:

micronaut:
  security:
    enabled: true
    token:
      jwt:
        enabled: true
        signatures:
          secret:
            generator:
              secret: your-secret-key
    oauth2:
      clients:
        your-client-id:
          client-id: your-client-id
          client-secret: your-client-secret
          openid:
            issuer: https://your-issuer-url.com

Pretty straightforward, right? This makes sure your application is ready to handle JWTs and OAuth 2.0 authentication.

Next, let’s talk about securing methods using the @Secured annotation. This annotation ensures that only users with the appropriate roles can access specific methods. Here’s how you can use it in a controller:

import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Produces;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.rules.SecurityRule;

@Controller
public class HomeController {

    @Get("/")
    @Produces(MediaType.TEXT_PLAIN)
    @Secured(SecurityRule.IS_AUTHENTICATED)
    public String hello(Principal principal) {
        return "Hello, " + principal.getName() + "!";
    }

    @Get("/roles")
    @Produces(MediaType.TEXT_PLAIN)
    @Secured(SecurityRule.IS_AUTHENTICATED)
    public String roles(Authentication auth) {
        return auth.getRoles().toString();
    }
}

In this piece of code, both the hello and roles methods are set to be accessed only by authenticated users.

Moving on, if you’re using Auth0 for authentication, there’s an extra step: mapping Auth0 roles to Micronaut roles. This ensures that the roles defined in Auth0 are correctly recognized by your Micronaut app. Here’s a simplified example of how that can be done:

import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.token.jwt.validator.RefreshTokenValidator;
import io.micronaut.security.token.jwt.validator.TokenValidator;

public class Auth0RoleMapper implements TokenValidator {

    @Override
    public Authentication validate(TokenRefreshRequest tokenRefreshRequest, HttpRequest<?> httpRequest) {
        List<String> roles = tokenRefreshRequest.getClaims().get("roles", List.class);
        List<String> micronautRoles = new ArrayList<>();
        for (String role : roles) {
            if (role.equals("auth0-role")) {
                micronautRoles.add("micronaut-role");
            }
        }
        return Authentication.build(tokenRefreshRequest.getUsername())
                .withRoles(micronautRoles)
                .build();
    }
}

This piece of code fetches roles from the Auth0 token and maps them to the roles recognized by Micronaut.

Once the roles are mapped, you can secure methods to require specific roles, using the @RolesAllowed annotation. Here’s an example:

import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Produces;
import io.micronaut.security.annotation.RolesAllowed;

@Controller
public class RoleController {

    @Get("/admin-only")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"Administrator"})
    public String adminOnly() {
        return "This is an admin-only page.";
    }

    @Get("/user-only")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed({"User"})
    public String userOnly() {
        return "This is a user-only page.";
    }
}

In this snippet, the adminOnly method is accessible only to users with the Administrator role, while the userOnly method is limited to users with the User role.

Sometimes, the default role parsing mechanism might not cut it, especially if you’re dealing with complex JWT structures. In such cases, creating a custom role parser can save the day. Here’s how to build one:

import io.micronaut.security.token.jwt.validator.RolesParser;
import io.micronaut.security.token.jwt.validator.RefreshTokenValidator;
import io.micronaut.security.token.jwt.validator.TokenValidator;

public class CustomRolesParser implements RolesParser {

    @Override
    public List<String> parse(RefreshToken token) {
        List<String> roles = new ArrayList<>();
        if (token.getClaims().containsKey("realm_access")) {
            Map<String, Object> realmAccess = token.getClaims().get("realm_access", Map.class);
            if (realmAccess.containsKey("roles")) {
                roles.addAll((List<String>) realmAccess.get("roles"));
            }
        }
        return roles;
    }
}

And you’ll need to register this custom parser in your application.yml file:

micronaut:
  security:
    token:
      jwt:
        roles-parser:
          class: com.example.CustomRolesParser

Having custom parsing ensures that the roles from your JWT are correctly interpreted, no matter how they’re structured.

You can also configure security settings using an intercept URL map. This method is handy for securing specific URLs based on roles and HTTP methods. Here’s an example:

micronaut:
  security:
    intercept-url-map:
      - pattern: /images/*
        http-method: GET
        access:
          - isAnonymous()
      - pattern: /books
        access:
          - isAuthenticated()
      - pattern: /books/grails
        http-method: POST
        access:
          - ROLE_GRAILS
          - ROLE_GROOVY
      - pattern: /books/grails
        http-method: PUT
        access:
          - ROLE_ADMIN

In this config, the /images/* URL can be accessed by anyone, /books requires authentication, and /books/grails has different role requirements based on the HTTP method.

Implementing RBAC in a Micronaut application isn’t just a necessity; it’s a powerful way to ensure your microservices are secure and manageable. From setting up initial configurations to custom role parsing and specific endpoint security, Micronaut offers a robust suite of tools to get the job done. By using annotations like @Secured and @RolesAllowed, you can have a tight grip on who gets to see or do what in your app.

And there you have it! With these steps, you are well on your way to creating a secure Micronaut application that respects role-based access controls.