Uploaded image for project: 'Apache Fineract'
  1. Apache Fineract
  2. FINERACT-1908

Modular Security Architecture

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: In Progress
    • Major
    • Resolution: Unresolved
    • None
    • 1.11.0
    • None

    Description

      Background and Motivation

       

      Our current security architecture is based on a example in Spring Security’s documentation and implemented on top of JDBC. For a long time we’ve only supported basic authentication which was later complemented with a homegrown OAuth implementation and another module for one time passwords. On the authorization side we support a straight forward RBAC (role based access control) model again implemented on top of JDBC. This approach worked for quite a while, but end users and integrators wish a more flexible solution. Effectively, we are forcing users to adapt to our current security model. In most cases they have already existing security infrastructure (e.g. ActiveDirectory/LDAP for user info storage and role assignments) and would like to integrate Fineract with it. And last, in some more advanced and more complex setups the role/permission based access concept might not be sufficient for authorization; sometimes additional information (external to Fineract) might be needed for additional evaluation. The current setup makes it at the least very hard (if not impossible) to achieve these goals.

       

      Target Personas

       

      • integrators
      • end users
      • BaaS

       

      Goals

       

      • separate the current security infrastructure as much as possible from Fineract’s core; i. e. make it a custom module
      • create the OAuth Client aka Keycloak module as a drop-in replacement for the current security mechanics
      • delegate everything authentication/authorization related to 3rd party libs/frameworks/products/services
      • re-use 3rd party libs/frameworks/products/services user interfaces and remove corresponding views (e. g. user management) from Fineract web app
      • as minimal refactoring as possible in the short/mid term
      • keep backwards compatibility for a couple of major releases
      • provide good documentation and/or automated tools for migration

       

      Non-Goals

       

      • Fineract as a standalone identity server

       

      Proposed API Changes

       

      AppUser

       
      Unfortunately this class is both JPA entity class and implements Spring Security’s "User" interface. The current dependencies and usage in code is not ideal (at least when it’s business logic), but the main challenge is that the database table behind this JPA entity is related pretty much all over the place via joins.

       

      PlatformUserDetailsService

       
      Ideally this service should not be used directly anymore in Fineract’s core.

       

      OAuth Client Auto Configuration

       
      After years of having multiple competing OAuth packages Spring consolidated their efforts in two libraries:

       
      implementation "org.springframework.boot:spring-boot-starter-oauth2-client"
      implementation "org.springframework.boot:spring-boot-starter-oauth2-resource-server"
       

      Especially the Keycloak configuration is very easy (3 lines in application.properties).

       

      BCrypt Support Module for Keycloak

       
      Unfortunately Keycloak doesn’t support BCrypt hashing for passwords out of the box, but BCrypt is widely used in Spring Boot applications and the default for Fineract. It’s very easy to create an extension module for Keycloak to supprot BCrypt too; that way we can migrate existing user accounts out of Fineract’s database tables without forcing everyone to reset their passwords. Not a strict technical requirement, but helps to smooth the transition.

       

      Open Policy Agent integration

       
      To my knowledge there is no official Spring Security module/support for Open Policy Agent. Doesn’t really matter that much, because the communication with the OPA server is pretty much handled via one endpoint (again, for Java there is no official client, but the implementation is easy). Enforcing the OPA rules happens then with a Spring Security Voter. Some more thought needs to go into what information we send to OPA. At the least we would need:

      • user name
      • authorities/roles
      • service name and function name that is being executed
      • optional: parameters that are passed to the function
        It should be possible to intercept these calls with minimal coding effort via annotations and aspect oriented programming.

       

      Risks

       
      TBD

       

      ETA

       
      TBD

      Diagrams

      Attachments

        1. FIPS-0001.pdf
          380 kB
          Aleksandar Vidakovic
        2. image (9).png
          1.84 MB
          Ed Cable

        Issue Links

          Activity

            People

              aleks Aleksandar Vidakovic
              aleks Aleksandar Vidakovic
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated: