CoSec

RBAC-based And Policy-based Multi-Tenant Reactive Security Framework.

Authentication

Social Authentication

Authorization

Modeling

Gateway

Authorization Policy

Build In Policy

ActionMatcher

How to customize `ActionMatcher` (SPI)

Refer to PathActionMatcher

class CustomActionMatcherFactory : ActionMatcherFactory {
    companion object {
        const val TYPE = "[CustomActionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomActionMatcher(configuration)
    }
}
class CustomActionMatcher(override val configuration: Configuration) : ActionMatcher {

    override val type: String
        get() = CustomActionMatcherFactory.TYPE

    override fun match(request: Request, securityContext: SecurityContext): Boolean {
        //Custom matching logic
    }
}

META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory

# CustomActionMatcherFactory fully qualified name

ConditionMatcher

How to customize `ConditionMatcher` (SPI)

Refer to ContainsConditionMatcher

class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}
class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        //Custom matching logic
    }
}

META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory

# CustomConditionMatcherFactory fully qualified name

Policy Schema

Configure Policy Schema to support IDE (IntelliJ IDEA) input autocompletion.

Policy Demo

{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "rateLimiter": {
            "permitsPerSecond": 10
          }
        }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": {
            "caseSensitive": false,
            "separator": "/",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "Anonymous",
      "action": [
        "/auth/register",
        "/auth/login"
      ]
    },
    {
      "name": "UserScope",
      "action": "/user/#{principal.id}/*",
      "condition": {
        "authenticated": {}
      }
    },
    {
      "name": "Developer",
      "action": "*",
      "condition": {
        "in": {
          "part": "context.principal.id",
          "value": [
            "developerId"
          ]
        }
      }
    },
    {
      "name": "RequestOriginDeny",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.origin",
          "pattern": "^(http|https)://github.com"
        }
      }
    },
    {
      "name": "IpBlacklist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "path": {
          "part": "request.remoteIp",
          "pattern": "192.168.0.*",
          "options": {
            "caseSensitive": false,
            "separator": ".",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "RegionWhitelist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.attributes.ipRegion",
          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
        }
      }
    },
    {
      "name": "AllowDeveloperOrIpRange",
      "action": "*",
      "condition": {
        "bool": {
          "and": [
            {
              "authenticated": {}
            }
          ],
          "or": [
            {
              "in": {
                "part": "context.principal.id",
                "value": [
                  "developerId"
                ]
              }
            },
            {
              "path": {
                "part": "request.remoteIp",
                "pattern": "192.168.0.*",
                "options": {
                  "caseSensitive": false,
                  "separator": ".",
                  "decodeAndParseSegments": false
                }
              }
            }
          ]
        }
      }
    },
    {
      "name": "TestContains",
      "effect": "allow",
      "action": "*",
      "condition": {
        "contains": {
          "part": "request.attributes.ipRegion",
          "value": "上海"
        }
      }
    },
    {
      "name": "TestStartsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "startsWith": {
          "part": "request.attributes.ipRegion",
          "value": "中国"
        }
      }
    },
    {
      "name": "TestEndsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "endsWith": {
          "part": "request.attributes.remoteIp",
          "value": ".168.0.1"
        }
      }
    }
  ]
}

App Permission Metadata Schema

Configure App Permission Schema to support IDE (IntelliJ IDEA) input autocompletion.

App Permission Demo

{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        {
          "authenticated": {}
        },
        {
          "groupedRateLimiter": {
            "part": "request.remoteIp",
            "permitsPerSecond": 10,
            "expireAfterAccessSecond": 1000
          }
        },
        {
          "inTenant": {
            "value": "default"
          }
        }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        {
          "id": "manage.order.ship",
          "name": "Ship",
          "description": "Ship",
          "action": "/order/ship"
        },
        {
          "id": "manage.order.issueInvoice",
          "name": "Issue an invoice",
          "description": "Issue an invoice",
          "action": "/order/issueInvoice"
        }
      ]
    }
  ]
}

Obtain the current security context

WebFlux

     Mono.deferContextual {
        val securityContext = it.getSecurityContext()
        //TODO
    }

WebMvc

SecurityContextHolder.context

OpenTelemetry

CoSec-OpenTelemetry

CoSec follows the OpenTelemetry General identity attributes specification。

Thanks

CoSec permission policy design refers to AWS IAM .

Name	Name	Last commit message	Last commit date
Latest commit renovate[bot] and Ahoo-Wang fix(deps): update dependency me.ahoo.cocache:cocache-bom to v3.6.1 Mar 22, 2025 d955e5c · Mar 22, 2025 History 637 Commits
.github	.github	ci(github-actions): update workflow for CoSec-CoCache testing	Mar 4, 2025
code-coverage-report	code-coverage-report	build(code-coverage-report): update test suite name for code coverage…	Feb 26, 2025
config	config	feat(webflux): support return null for `getSecurityContext` (#355 )	Jun 5, 2024
cosec-api	cosec-api	Refactoring: rename `asPrincipal` to `toPrincipal` (#426 )	Dec 16, 2024
cosec-bom	cosec-bom	CoSec : RBAC-based And Policy-based Multi-Tenant Security Framework (#1 )	Nov 19, 2022
cosec-cocache	cosec-cocache	build(deps): add kotlin-logging dependency	Mar 22, 2025
cosec-core	cosec-core	build(deps): update dependencies and move logging to api scope	Mar 22, 2025
cosec-dependencies	cosec-dependencies	build(deps): add kotlin-logging dependency	Mar 22, 2025
cosec-gateway-server	cosec-gateway-server	feat(cosec-gateway-server): add cache configuration for policy and role	Mar 6, 2025
cosec-gateway	cosec-gateway	refactor: `SecurityContextParser` (#220 )	Aug 1, 2023
cosec-generator	cosec-generator	fix: missing `Statement.name` (#335 )	Apr 8, 2024
cosec-ip2region	cosec-ip2region	build(deps): add kotlin-logging dependency	Mar 22, 2025
cosec-jwt	cosec-jwt	feat: Support custom generation of token validity period (#428 )	Dec 16, 2024
cosec-opentelemetry	cosec-opentelemetry	feat: remove opentelemetrySemconv deps (#435 )	Dec 25, 2024
cosec-social	cosec-social	feat: support `SocialAuthentication` (#307 )	Feb 19, 2024
cosec-spring-boot-starter	cosec-spring-boot-starter	feat(cache): add client-side cache for policy and role	Mar 6, 2025
cosec-webflux	cosec-webflux	build(deps): add kotlin-logging dependency	Mar 22, 2025
cosec-webmvc	cosec-webmvc	feat(webflux): Support setRequest for `ReactiveInjectSecurityContextW…	Jun 6, 2024
document/design	document/design	feat: support `SocialAuthentication` (#307 )	Feb 19, 2024
gradle	gradle	fix(deps): update dependency me.ahoo.cocache:cocache-bom to v3.6.1	Mar 22, 2025
k8s	k8s	feat(deply): Update cosec-gateway-config.yaml	Dec 11, 2024
schema	schema	feat: support Path Matching for `LocalPolicyLoader` (#241 )	Aug 24, 2023
.editorconfig	.editorconfig	refactor: code style	May 24, 2023
.gitignore	.gitignore	Initial commit	Nov 19, 2022
LICENSE	LICENSE	CoSec : RBAC-based And Policy-based Multi-Tenant Security Framework (#1 )	Nov 19, 2022
README.md	README.md	feat(doc): Update README	Nov 1, 2024
README.zh-CN.md	README.zh-CN.md	feat(doc): Update README	Nov 1, 2024
build.gradle.kts	build.gradle.kts	build(deps): update dependencies and move logging to api scope	Mar 22, 2025
codecov.yml	codecov.yml	add `Policy Schema` to README.md	Jan 2, 2023
gradle.properties	gradle.properties	Update Version	Mar 22, 2025
gradlew	gradlew	chore(deps): update dependency gradle to v8.13	Feb 26, 2025
gradlew.bat	gradlew.bat	chore(deps): update dependency gradle to v8.9 (#367 )	Jul 12, 2024
renovate.json	renovate.json	CoSec : RBAC-based And Policy-based Multi-Tenant Security Framework (#1 )	Nov 19, 2022
settings.gradle.kts	settings.gradle.kts	refactor(cache): rename redis module to cocache and update related pa…	Mar 4, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

CoSec

Authentication

Social Authentication

Authorization

Modeling

Gateway

Authorization Policy

Build In Policy

ActionMatcher

How to customize `ActionMatcher` (SPI)

ConditionMatcher

How to customize `ConditionMatcher` (SPI)

Policy Schema

App Permission Metadata Schema

Obtain the current security context

WebFlux

WebMvc

OpenTelemetry

Thanks

About

Releases 143

Packages 17

Contributors 2

Languages

License

Ahoo-Wang/CoSec

Folders and files

Latest commit

History

Repository files navigation

CoSec

Authentication

Social Authentication

Authorization

Modeling

Gateway

Authorization Policy

Build In Policy

ActionMatcher

How to customize ActionMatcher (SPI)

ConditionMatcher

How to customize ConditionMatcher (SPI)

Policy Schema

App Permission Metadata Schema

Obtain the current security context

WebFlux

WebMvc

OpenTelemetry

Thanks

About

Topics

Resources

License

Stars

Watchers

Forks

Releases 143

Packages 17

Contributors 2

Languages

How to customize `ActionMatcher` (SPI)

How to customize `ConditionMatcher` (SPI)