Authorization for objects in Java EE
My web application requires access control to the content that is displayed to users. All users may be accessing the same page but the content shown will depend on their access rights.
For example, if I have the following data:
Book | Roles
-----|-------------
foo  | RoleA
bar  | RoleB
baz  | RoleA, RoleB
Users belonging to RoleA will see foo & baz.
I'm looking for a framework that can do this already. The requirements in Data Access control in Java EE technologies are similar to mine and Spring Security was suggested there.
However, I'd like to be able to change access rights through a UI without having to change code and redeploy it. Can Spring Security or some other framework do this?
Yes, this is actually one of the main functions of Spring Security.
When a user logs in via Spring Security, a UserDetailsService is used to load additional metadata and user permissions. A UserDetailsService is like a DAO and is typically used to connect to your DB and load user data into the security context.
You can define your UserDetailsService in your security namespace config.
This will help you write one.
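The approach described in this answer, as an added example that is not part of the original post: a UserDetailsService that reads roles from data at login, and a deny-by-default filter over the question's book table. The class names, the in-memory maps (constructed stand-ins for database tables an admin UI would edit) and the user alice are assumptions; it needs spring-security-core on the classpath and Java 9 or later.

```java
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
// Added illustration, not code from the answer. The two maps are constructed
// stand-ins for database tables that an admin UI would edit at runtime.
public class BookAccessDemo {
    static final Map<String, Set<String>> USER_ROLES = new HashMap<>();       // user -> roles held
    static final Map<String, Set<String>> BOOK_ROLES = new LinkedHashMap<>(); // book -> roles allowed

    // The DAO-like service from the answer: roles are read from data each time
    // the user is loaded, so changing a role needs no code change or redeploy.
    static class TableUserDetailsService implements UserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) {
            Set<String> roles = USER_ROLES.get(username);
            if (roles == null) throw new UsernameNotFoundException("unknown user");
            List<SimpleGrantedAuthority> authorities = roles.stream()
                    .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
            // Placeholder credential; a real service returns the stored password hash.
            return new User(username, "<stored-password-hash>", authorities);
        }
    }

    // Deny by default: a book is shown only if the user holds one of its roles.
    static List<String> visibleBooks(UserDetails user) {
        Set<String> held = user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toSet());
        return BOOK_ROLES.entrySet().stream()
                .filter(e -> !Collections.disjoint(e.getValue(), held))
                .map(Map.Entry::getKey).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        BOOK_ROLES.put("foo", Set.of("RoleA"));
        BOOK_ROLES.put("bar", Set.of("RoleB"));
        BOOK_ROLES.put("baz", Set.of("RoleA", "RoleB"));
        USER_ROLES.put("alice", Set.of("RoleA"));
        UserDetailsService service = new TableUserDetailsService();
        UserDetails session = service.loadUserByUsername("alice");
        System.out.println(visibleBooks(session));
        USER_ROLES.put("alice", Set.of("RoleB")); // simulated edit through the admin UI
        // The already-loaded UserDetails still carries the old authorities;
        // the change applies once the user is loaded again (next login).
        System.out.println(visibleBooks(session));
        System.out.println(visibleBooks(service.loadUserByUsername("alice")));
    }
}
```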
I think domain object security describes what I'm trying to do, and Spring Security has an access control list component that does this.
Introduction from the reference docs here.