Are there any java open source role-based access control system?
3 Primary Rules for RBAC:
Role assignment: A user can exercise a permission only if the subject has been assigned a role.
Role-based authorization: A user's active role must be authorized. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized.
Role-based access control (RBAC), also known as role-based security, is a mechanism that restricts system access. It involves setting permissions and privileges to enable access to authorized users.
There are several limitations to the RBAC model. You can't set up a rule using parameters that are unknown to the system before a user starts working. Permissions can be assigned only to user roles, not to objects and operations.
Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC).
Spring Security might be good for you.
There are several frameworks which provide authorization system for you:
Spring Security
A highly customizable framework, Spring Security is widely used to handle the authentication and access control (authorization) issues arising in any Enterprise based application developed in Java.
Apache Shiro
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.
JAAS (Java Authentication and Authorization Services)
JAAS is one of the security APIs that consists of Java packages designed exclusively for user authentication & authorization. Introduced as an optional package in Java SE 1.3, JAAS was later integrated into JDK, starting from JDK 1.4.
OACC
This Java application security framework is designed for fine-grained (object-level) access control. Its focus is to provide a full-featured API to enforce as well as manage the authentication and authorization needs of an application. It offers a complete implementation of a flexible and robust security model.
jCasbin
jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models.
Keycloak
Keycloak is an open-source Identity and Access Management solution targeted towards modern applications and services. It offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.
I presume that the question that you are trying to answer is:
Does user u have access to do operation op on object o?
One thing to consider is how are your domain objects and user groups defined from a business perspective (outside of the AC mechanism). For any RBAC implementation, you would need to configure it to tell what your users and user groups are. That will affect your choice of RBAC implementation.
Another (more specific) question: do you need to support override permissions, includes and excludes? Specifically, do you want to be able to support the scenario that object o1 is available to usergroup g1, but not user u1 (who is part of group g1)?
Depending upon the specific answers, jguard (which is built over JAAS) might be a very good option - http://jguard.net/
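To make the "does user u have op on object o?" question and the group-grant-with-user-exclusion scenario above concrete, here is a small, framework-free Java sketch (an added example, not code from this answer or from jGuard/JAAS). It assumes a deny-overrides rule, i.e. an explicit per-user exclusion beats any grant inherited through a group, and defaults to deny when nothing matches; it needs Java 9+ for Set.of().

```java
import java.util.*;

/** Minimal RBAC evaluator: does user u have operation op on object o? */
public class RbacDemo {
    // role/group -> set of "op:object" permissions (constructed sample data)
    private final Map<String, Set<String>> rolePerms = new HashMap<>();
    // user -> roles/groups the user is a member of
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    // explicit per-user exclusions; a deny here overrides any role grant
    private final Map<String, Set<String>> userDenies = new HashMap<>();

    void grant(String role, String op, String obj) {
        rolePerms.computeIfAbsent(role, k -> new HashSet<>()).add(op + ":" + obj);
    }

    void assign(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    void deny(String user, String op, String obj) {
        userDenies.computeIfAbsent(user, k -> new HashSet<>()).add(op + ":" + obj);
    }

    /** Deny-overrides evaluation: exclusions are checked before role grants. */
    boolean isAllowed(String user, String op, String obj) {
        String perm = op + ":" + obj;
        if (userDenies.getOrDefault(user, Set.of()).contains(perm)) {
            return false; // explicit exclusion wins over group membership
        }
        for (String role : userRoles.getOrDefault(user, Set.of())) {
            if (rolePerms.getOrDefault(role, Set.of()).contains(perm)) {
                return true; // granted through one of the user's roles
            }
        }
        return false; // default deny: no matching grant anywhere
    }

    public static void main(String[] args) {
        RbacDemo rbac = new RbacDemo();
        rbac.grant("g1", "read", "o1");   // group g1 may read object o1
        rbac.assign("u1", "g1");          // u1 and u2 are both members of g1
        rbac.assign("u2", "g1");
        rbac.deny("u1", "read", "o1");    // but u1 is explicitly excluded
        System.out.println("u2 read o1: " + rbac.isAllowed("u2", "read", "o1"));  // inherits the g1 grant
        System.out.println("u1 read o1: " + rbac.isAllowed("u1", "read", "o1"));  // exclusion overrides the grant
        System.out.println("u1 write o1: " + rbac.isAllowed("u1", "write", "o1")); // never granted, default deny
    }
}
```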