# secure_authz
Deny-by-default authorization (OWASP C7) with typed subjects/actions/resources, RBAC + ABAC, tenant isolation, native device-trust predicates, and HTTP-framework middleware. Part of the SunLit Security Libraries workspace.
## What this gives you

- Identity-agnostic. Feed it `security_core::identity::AuthenticatedIdentity` from `secure_identity`, Keycloak, Auth0, or your own.
- Typed subjects, actions, resources — no role strings in business code.
- Pluggable policy engine. Default is casbin RBAC; swap in your own `Authorizer`.
- Tenant isolation primitives that prevent cross-tenant resource access by construction.
- Bounded LRU decision cache with TTL — fast, but never unbounded.
- Native device-trust predicates that combine `secure_device_trust`, `secure_identity`, and `secure_network` context — express "this route requires a session pinned to verified mTLS, on a hardware-attested iOS device".
- HTTP middleware — `AuthzLayer` (axum) and `AuthzTransform` (actix-web).
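The list above names four properties a practitioner will want to see working together: deny-by-default, a typed subject/action/resource vocabulary, tenant isolation that cannot be skipped, and ABAC predicates over device and connection state. The following is an added, self-contained example in plain Rust (standard library only); it is not code from `secure_authz` or the SunLit workspace, and every type and function name in it (`TenantId`, `Subject`, `ResourceRef`, `Policy`, `RequestContext`, the predicates) is hypothetical.

```rust
// Added example, not secure_authz code: deny-by-default authorization with
// typed subject/action/resource values, RBAC grants, tenant isolation by
// construction, and ABAC predicates over request context (mTLS, device state).
// Every name below is hypothetical.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct TenantId(pub String);
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Role { Viewer, Editor, Admin }
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Action { Read, Write, Delete }

/// Connection and device facts that upstream middleware already established.
#[derive(Clone, Debug, Default)]
pub struct RequestContext {
    pub mtls_verified: bool,
    pub device_attested: bool,
    pub platform: Option<String>,
}

/// An authenticated caller: tenant, granted roles, and the request context.
#[derive(Clone, Debug)]
pub struct Subject { pub tenant: TenantId, pub roles: HashSet<Role>, pub ctx: RequestContext }

/// The tenant is part of the resource reference, so a handler cannot forget to scope it.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct ResourceRef { pub id: String, pub tenant: TenantId }

#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Allow, Deny(&'static str) }

/// A named ABAC predicate over the request context.
pub type Predicate = (&'static str, fn(&RequestContext) -> bool);
pub fn mtls_verified(c: &RequestContext) -> bool { c.mtls_verified }
pub fn hardware_attested(c: &RequestContext) -> bool { c.device_attested }
pub fn on_ios(c: &RequestContext) -> bool { c.platform.as_deref() == Some("ios") }

pub struct Policy {
    grants: HashMap<Role, HashSet<Action>>,
    /// Predicates that must all hold before an action is allowed (ABAC on top of RBAC).
    requirements: HashMap<Action, Vec<Predicate>>,
}

impl Policy {
    pub fn authorize(&self, s: &Subject, action: Action, r: &ResourceRef) -> Decision {
        // Tenant isolation first: no role, however powerful, reaches another tenant's data.
        if s.tenant != r.tenant {
            return Decision::Deny("cross-tenant access");
        }
        // Deny-by-default: only an explicit grant for some held role allows the action.
        let granted = s.roles.iter()
            .any(|role| self.grants.get(role).map_or(false, |a| a.contains(&action)));
        if !granted {
            return Decision::Deny("no matching grant");
        }
        // ABAC: every predicate attached to this action must hold; the first failure is the reason.
        if let Some(preds) = self.requirements.get(&action) {
            if let Some((name, _)) = preds.iter().find(|(_, p)| !p(&s.ctx)) {
                return Decision::Deny(*name);
            }
        }
        Decision::Allow
    }
}

pub fn sample_policy() -> Policy {
    let mut grants = HashMap::new();
    grants.insert(Role::Viewer, HashSet::from([Action::Read]));
    grants.insert(Role::Editor, HashSet::from([Action::Read, Action::Write]));
    grants.insert(Role::Admin, HashSet::from([Action::Read, Action::Write, Action::Delete]));
    // Deletes additionally require a verified-mTLS session on a hardware-attested iOS device.
    let mut delete_reqs: Vec<Predicate> = Vec::new();
    delete_reqs.push(("mtls required", mtls_verified));
    delete_reqs.push(("attested device required", hardware_attested));
    delete_reqs.push(("ios required", on_ios));
    let mut requirements = HashMap::new();
    requirements.insert(Action::Delete, delete_reqs);
    Policy { grants, requirements }
}

/// Constructed sample subjects and resources; returns (case, decision) pairs.
pub fn demo() -> Vec<(&'static str, Decision)> {
    let policy = sample_policy();
    let acme = TenantId("acme".into());
    let viewer = Subject { tenant: acme.clone(), roles: HashSet::from([Role::Viewer]), ctx: RequestContext::default() };
    let admin = Subject { tenant: acme.clone(), roles: HashSet::from([Role::Admin]), ctx: RequestContext::default() };
    let attested = RequestContext { mtls_verified: true, device_attested: true, platform: Some("ios".into()) };
    let admin_attested = Subject { ctx: attested, ..admin.clone() };
    let own = ResourceRef { id: "o-1".into(), tenant: acme.clone() };
    let foreign = ResourceRef { id: "o-9".into(), tenant: TenantId("globex".into()) };
    vec![
        ("viewer reads own order", policy.authorize(&viewer, Action::Read, &own)),
        ("viewer writes own order", policy.authorize(&viewer, Action::Write, &own)),
        ("admin reads foreign order", policy.authorize(&admin, Action::Read, &foreign)),
        ("admin deletes from plain session", policy.authorize(&admin, Action::Delete, &own)),
        ("admin deletes from attested iOS mTLS session", policy.authorize(&admin_attested, Action::Delete, &own)),
    ]
}

fn main() { for (case, d) in demo() { println!("{case}: {d:?}"); } }
```

The ordering inside `authorize` is deliberate: the tenant check runs before any grant lookup, so an admin of one tenant is refused another tenant's resource with the same reason as anyone else, and the RBAC grant is checked before the ABAC predicates so that a missing grant is never masked by a device-trust failure.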
## Install

```toml
[dependencies]
secure_authz = "0.1" # default features: ["axum"]
# For actix-web:
# secure_authz = { version = "0.1", default-features = false, features = ["actix-web"] }
```
## Quick example (axum) — guard a route with `AuthzLayer`

```rust
use std::sync::Arc;
use axum::{routing::get, Router};
use secure_authz::action::Action;
use secure_authz::resource::ResourceRef;
use secure_authz::middleware::AuthzLayer;
use secure_authz::testkit::MockAuthorizer; // for tests; use a real Authorizer in prod

#[tokio::main]
async fn main() {
    // Allow-everything stand-in so the wiring can be exercised without a policy file.
    let authz = Arc::new(MockAuthorizer::allow());
    let app = Router::new()
        .route("/orders", get(|| async { "orders" }))
        // The layer's constructor arguments were elided from this snippet; the call
        // shape below is assumed. Consult the AuthzLayer docs for how an Action and a
        // ResourceRef are bound to the guarded route.
        .layer(AuthzLayer::new(authz));
    // Upstream auth middleware (e.g. secure_identity) must put an
    // AuthenticatedIdentity into request extensions before AuthzLayer runs.
    let _ = app;
}
```
## Quick example (actix-web)

See `examples/actix_authz_minimal.rs` — a complete runnable service wiring `AuthzTransform` plus a stand-in upstream auth middleware. Run it with:
## What's inside

| Module / type | Use it for |
|---|---|
| `subject` / `action::Action` / `resource::ResourceRef` | Typed subject/action/resource vocabulary. |
| `policy` / `Authorizer` trait | Plug your own policy engine. |
| `casbin_engine` | Default casbin RBAC implementation. |
| `tenant` | Tenant-isolation primitives. |
| `cache` | Bounded LRU decision cache with TTL. |
| `device_trust` | Predicates combining `secure_device_trust`, `secure_identity`, and `secure_network` context. |
| `middleware::AuthzLayer` | axum tower `Layer` (feature `axum`). |
| `actix::AuthzTransform` | actix-web middleware (feature `actix-web`). |
| `testkit::MockAuthorizer` | `MockAuthorizer::allow()` / `::deny()` for unit tests. |
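The `cache` row above (and the "bounded LRU decision cache with TTL" bullet in the feature list) describes the two properties a decision cache must have so that it can never become a liability: a hard capacity bound, and a TTL after which a cached decision is discarded rather than served. The following is an added illustration of that shape in plain Rust; it is not the crate's `cache` module, and `DecisionCache`, its `get`/`insert`/`len` methods and the explicit `now: Instant` parameter are hypothetical choices made here so the behaviour is deterministic to test.

```rust
// Added example, not secure_authz code: a bounded LRU cache with TTL for
// authorization decisions. Names are hypothetical; the clock is passed in
// explicitly so eviction and expiry can be exercised deterministically.
use std::collections::{HashMap, VecDeque};
use std::hash::Hash;
use std::time::{Duration, Instant};

pub struct DecisionCache<K, V> {
    capacity: usize,
    ttl: Duration,
    entries: HashMap<K, (V, Instant)>,
    order: VecDeque<K>, // front = least recently used
}

impl<K: Eq + Hash + Clone, V: Clone> DecisionCache<K, V> {
    pub fn new(capacity: usize, ttl: Duration) -> Self {
        assert!(capacity > 0, "a zero-capacity cache would cache nothing");
        Self { capacity, ttl, entries: HashMap::new(), order: VecDeque::new() }
    }

    /// Mark `key` as most recently used (O(n); fine for a demo, a real LRU uses a linked map).
    fn touch(&mut self, key: &K) {
        if let Some(pos) = self.order.iter().position(|k| k == key) {
            self.order.remove(pos);
        }
        self.order.push_back(key.clone());
    }

    /// Return the cached decision only if it is still within its TTL.
    pub fn get(&mut self, key: &K, now: Instant) -> Option<V> {
        let fresh = match self.entries.get(key) {
            None => return None,
            Some((value, stored_at)) if now.duration_since(*stored_at) < self.ttl => Some(value.clone()),
            Some(_) => None,
        };
        match fresh {
            Some(v) => { self.touch(key); Some(v) }
            None => {
                // Expired: evict so a stale decision is never served past its TTL.
                self.entries.remove(key);
                self.order.retain(|k| k != key);
                None
            }
        }
    }

    /// Insert a decision, evicting least-recently-used entries to stay within capacity.
    pub fn insert(&mut self, key: K, value: V, now: Instant) {
        self.entries.insert(key.clone(), (value, now));
        self.touch(&key);
        while self.entries.len() > self.capacity {
            if let Some(oldest) = self.order.pop_front() {
                self.entries.remove(&oldest);
            }
        }
    }

    pub fn len(&self) -> usize { self.entries.len() }
}

/// Cache key: (subject, action, resource) as plain strings for the demo.
pub fn key(subject: &str, action: &str, resource: &str) -> (String, String, String) {
    (subject.to_string(), action.to_string(), resource.to_string())
}

/// Constructed walkthrough: returns (hit, evicted, size after eviction, expired).
pub fn demo() -> (Option<bool>, Option<bool>, usize, Option<bool>) {
    let t0 = Instant::now();
    let mut cache: DecisionCache<(String, String, String), bool> =
        DecisionCache::new(2, Duration::from_secs(30));
    cache.insert(key("alice", "read", "order:1"), true, t0);
    cache.insert(key("alice", "write", "order:1"), false, t0);
    // A hit refreshes recency: alice/read becomes most recently used.
    let hit = cache.get(&key("alice", "read", "order:1"), t0 + Duration::from_secs(1));
    // Third insert exceeds capacity 2, so the LRU entry (alice/write) is evicted.
    cache.insert(key("bob", "read", "order:2"), true, t0 + Duration::from_secs(2));
    let evicted = cache.get(&key("alice", "write", "order:1"), t0 + Duration::from_secs(3));
    let size = cache.len();
    // 31 s after insertion the alice/read decision is past its 30 s TTL.
    let expired = cache.get(&key("alice", "read", "order:1"), t0 + Duration::from_secs(31));
    (hit, evicted, size, expired)
}

fn main() { println!("{:?}", demo()); }
```

Note that expiry is checked on read, not only on write: a deny decision cached just before a role was revoked is served for at most one TTL, which is why the TTL should be chosen against how long a stale allow is tolerable, not against cache hit rate.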
## Feature flags

| Flag | Default | Enables |
|---|---|---|
| `axum` | ✅ | `middleware::AuthzLayer` as a tower `Layer`. |
| `actix-web` | off | `actix::AuthzTransform` as an actix middleware. |
## Compatibility

- MSRV: 1.78
- `#![forbid(unsafe_code)]`, `#![deny(missing_docs)]`
## Status

Alpha.
## Related crates

Part of the SunLit Security Libraries workspace:

| Crate | Purpose |
|---|---|
| `security_core` | Shared types, identity, classification, severity, redaction. |
| `security_events` | Security logging and tamper-evident audit chain. |
| `secure_errors` | Three-layer error model with redaction-safe public errors. |
| `secure_output` | Context-aware output encoders (HTML, JSON, URL, JS, CSS, XML, LDAP, shell). |
| `secure_data` | Secrets, envelope encryption, Argon2id, FIPS, mobile storage. |
| `secure_network` | TLS policy, SPKI pinning, mTLS, cleartext detection. |
| `secure_device_trust` | Native-client device trust and session certificates. |
| `secure_resilience` | RASP and environment-detection policy. |
| `secure_privacy` | PII classification, consent, retention, pseudonymization. |
| `secure_boundary` | Input validation, security headers, boundary protections. |
| `secure_identity` | JWT/OIDC, MFA, sessions, biometric step-up. |
## Getting help

- Questions, ideas, design discussions — open a GitHub Discussion.
- Bug reports — use the bug-report template in GitHub Issues.
- Security issues — please do not open a public issue. See `SECURITY.md` for the responsible-disclosure process.
## Contributing

Contributions are welcome. Please read `CONTRIBUTING.md` and the Code of Conduct before opening a PR.
## License

Dual-licensed under MIT or Apache-2.0 at your option.