Role Based Access Control [closed]
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 3 years ago.
Are there any Java open source role-based access control systems?
Spring Security might be good for you.
There are several frameworks which provide authorization system for you:
Spring Security
A highly customizable framework, Spring Security is widely used to handle the authentication and access control (authorization) issues arising in any Enterprise based application developed in Java.
Apache Shiro
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
JAAS (Java Authentication and Authorization Services)
JAAS is one of the security APIs that consists of Java packages designed exclusively for user authentication & authorization. Introduced as an optional package in Java SE 1.3, JAAS was later integrated into JDK, starting from JDK 1.4.
OACC
This Java application security framework is designed to fine grain (object level) the access control. Its focus is to provide a full-featured API to enforce as well as manage the authentication and authorization needs of an application. It offers complete implementation of a flexible and robust security model.
jCasbin
jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models.
Keycloak
Keycloak is an open-source Identity and Access Management solution targeted towards modern applications and services. It offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.
I presume that the question that you are trying to answer is:
Does user u have access to do operation op on object o?
One thing to consider is how your domain objects and user groups are defined from a business perspective (outside of the AC mechanism). For any RBAC implementation, you would need to configure it to tell what your users and user groups are. That will affect your choice of RBAC implementation.
Another (more specific) question: do you need to support override permissions, includes and excludes? Specifically, do you want to be able to support the scenario that object o1 is available to usergroup g1, but not user u1 (who is part of group g1)?
Depending upon the specific answers, jguard (which is built over JAAS) might be a very good option - http://jguard.net/
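The override scenario from the answer above (object o1 available to group g1 but not to its member u1), as an added example that is not part of the original answer or of any library named on this page: a deny-overrides check with default deny. Class and method names are hypothetical, user and group names are assumed to be disjoint, and Java 16 or later is assumed for `record`.

```java
import java.util.*;

// Added illustration (hypothetical names): deny-overrides RBAC check, default deny.
public class RbacOverrideDemo {
    enum Effect { ALLOW, DENY }

    // A rule binds a subject (user or group name) to an operation on an object.
    record Rule(String subject, String op, String object, Effect effect) {}

    private final Map<String, Set<String>> groupsOfUser = new HashMap<>();
    private final List<Rule> rules = new ArrayList<>();

    void addToGroup(String user, String group) {
        groupsOfUser.computeIfAbsent(user, k -> new HashSet<>()).add(group);
    }

    void addRule(String subject, String op, String object, Effect effect) {
        rules.add(new Rule(subject, op, object, effect));
    }

    // "Does user u have access to do operation op on object o?"
    boolean isAllowed(String u, String op, String o) {
        // Rules may target the user directly or any group the user belongs to.
        // Assumption: user and group names never collide.
        Set<String> subjects = new HashSet<>(groupsOfUser.getOrDefault(u, Set.of()));
        subjects.add(u);
        boolean allowed = false;
        for (Rule r : rules) {
            if (!subjects.contains(r.subject()) || !r.op().equals(op) || !r.object().equals(o)) {
                continue;
            }
            if (r.effect() == Effect.DENY) {
                return false; // an explicit exclude wins over any group grant
            }
            allowed = true;
        }
        return allowed; // no matching rule means no access
    }

    public static void main(String[] args) {
        RbacOverrideDemo ac = new RbacOverrideDemo();
        // Constructed sample data matching the scenario in the answer.
        ac.addToGroup("u1", "g1");
        ac.addToGroup("u2", "g1");
        ac.addRule("g1", "read", "o1", Effect.ALLOW); // o1 is available to group g1
        ac.addRule("u1", "read", "o1", Effect.DENY);  // but not to user u1
        for (String user : List.of("u1", "u2", "u3")) {
            System.out.println(user + " read o1: " + ac.isAllowed(user, "read", "o1"));
        }
    }
}
```

Whether a candidate framework can express the user-level DENY rule directly, or only group-level grants, is the capability this answer suggests checking before choosing one.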
APACHE SHIRO Java Security Framework
It is using Role Based Access Control on Authorization
There are lots of possible solutions, but which one is best (i.e. meets your needs without being too heavyweight or too complicated to implement) depends on your requirements:
Are you talking about access control for a web service, or something else?
What kind of access control are you looking to implement? Based purely on resource URLs, or depending on the state / metadata of the requested entities? Are the roles simple or hierarchical? Do different actions require different roles?
Do you need to deal with authorization as well?
Apache Fortress is an ANSI RBAC compliant engine (INCITS 359) and is released under the Apache Software license. You can pull it down from here: https://directory.apache.org/fortress/.