secure_authz — Authorization enforcement (OWASP C7).
Feature Overview
The crate ships a framework-neutral core plus optional HTTP framework adapters. Pick one or both:
| Feature flag | Default | Enables |
|---|---|---|
| axum | ✅ | [middleware::AuthzLayer] as a tower Layer |
| actix-web | | [actix::AuthzTransform] as an actix middleware |
The standard subject/action/resource authorization path remains identity-agnostic: it depends on [security_core::identity::AuthenticatedIdentity]. Identity may come from secure_identity, Keycloak, Auth0, or any custom provider.

Native device-trust predicates are intentionally typed and live in [device_trust]. That module accepts secure_device_trust, secure_identity, and secure_network context so route policies can prove that a user session stays pinned to a verified mTLS session.
What this crate gives you
- Typed subjects, actions, and resources (no role strings in business code)
- Pluggable policy engine (default: casbin RBAC)
- Tenant isolation
- Bounded LRU decision cache with TTL
- Decision logging to security_events
- Framework adapters (axum and actix-web 4) that share the same enforcement pipeline ([crate::enforce::run_check])
- Device-trust route predicates for native clients
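As an added illustration, not secure_authz's own code or API, the following standalone Rust sketch shows the enforcement model the list above describes: typed subject/action/resource values, a pluggable policy-engine trait with a minimal role-based engine standing in for the casbin default, a tenant-isolation check that runs before the engine and is never cached, and a bounded LRU decision cache with TTL. All type and function names here are hypothetical.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Hypothetical typed model; secure_authz's real types are not shown on this page.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Subject { pub user: String, pub tenant: String, pub roles: Vec<String> }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Action { Read, Write }
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Resource { pub tenant: String, pub name: String }

// Pluggable policy engine: any backend that answers allow/deny for a typed triple.
pub trait PolicyEngine { fn allowed(&self, s: &Subject, a: Action, r: &Resource) -> bool; }

// Minimal role -> actions RBAC, standing in for the default casbin engine named above.
pub struct RoleRbac(pub HashMap<String, Vec<Action>>);
impl PolicyEngine for RoleRbac {
    fn allowed(&self, s: &Subject, a: Action, _r: &Resource) -> bool {
        s.roles.iter().any(|role| self.0.get(role).map_or(false, |acts| acts.contains(&a)))
    }
}

type Key = (Subject, Action, Resource);
pub struct Enforcer<E: PolicyEngine> {
    engine: E, ttl: Duration, cap: usize,
    cache: Vec<(Key, bool, Instant)>, // bounded LRU; least recently used entry sits at index 0
}

impl<E: PolicyEngine> Enforcer<E> {
    pub fn new(engine: E, ttl: Duration, cap: usize) -> Self { Enforcer { engine, ttl, cap, cache: Vec::new() } }
    // `now` is passed in instead of read from the clock so TTL expiry is deterministic in tests.
    pub fn check(&mut self, s: &Subject, a: Action, r: &Resource, now: Instant) -> bool {
        // Tenant isolation runs before the engine and is never cached: cross-tenant is always denied.
        if s.tenant != r.tenant { return false; }
        let key: Key = (s.clone(), a, r.clone());
        if let Some(pos) = self.cache.iter().position(|(k, _, _)| *k == key) {
            let (_, decision, at) = self.cache.remove(pos);
            if now.duration_since(at) < self.ttl {
                self.cache.push((key, decision, at)); // hit: refresh LRU position, keep original timestamp
                return decision;
            } // expired: fall through and re-evaluate against the engine
        }
        let decision = self.engine.allowed(s, a, r);
        if self.cache.len() >= self.cap { self.cache.remove(0); } // evict the LRU entry when full
        self.cache.push((key, decision, now));
        decision
    }
    pub fn cached(&self) -> usize { self.cache.len() }
}
```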