Best Java framework to manage/create dynamic security policy rules?

Typically in any web application, the major security concern is securing the resources from the malicious users who are trying to access un-authorized resources. They can change a value in the request parameter and try to access something that doesn't belong to that particular user.

For Example: http://blah.com/id=foo a user can change this to http://blah.com/id=bar and try to access the bar resource to access it.

With restful services this may lead to greater security concerns as the restful URL's are rather self explanatory.

eg:

http://hotels.com/hotels/1 a user can easily guess and change the id to 2 to see the details of it..

One design is to check at every requ开发者_高级运维est manually to see the access rights for the resources and deny it if needed.

but this is a cumbersome and not maintainable.

So the question is "Is there any tool/framework that can help achieve this in a easy manner? I know spring security supports static rules not dynamic.

Over the last couple of years, the de-factory standard for this has become Spring Security. This sits in frotn of any old java webapp (not just Spring webapps) and provides an interception authentication and authorization layer of your choice.

It's very powerful, although also rather complicated (over-complicated, IMO).

I would highly recommend looking into Seam Security. It can even be tied into a rules system.

edit: I believe you would need the Seam Core package for this to work. However, I have never tried using it without Seam, so I can't be positive about its dependencies.