
Role Based Access Control [closed]

Are there any Java open source role-based access control systems?

asked Oct 09 '10 02:10

Alex



3 Answers

Spring Security might be good for you.

answered Sep 28 '22 07:09

duffymo


There are several frameworks which provide an authorization system for you:

  1. Spring Security
    A highly customizable framework, Spring Security is widely used to handle the authentication and access control (authorization) issues arising in any enterprise-based application developed in Java.

  2. Apache Shiro
    Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro’s easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

  3. JAAS (Java Authentication and Authorization Services)
    JAAS is one of the security APIs that consists of Java packages designed exclusively for user authentication & authorization. Introduced as an optional package in Java SE 1.3, JAAS was later integrated into the JDK, starting from JDK 1.4.

  4. OACC
    This Java application security framework is designed for fine-grained (object-level) access control. Its focus is to provide a full-featured API to enforce as well as manage the authentication and authorization needs of an application. It offers a complete implementation of a flexible and robust security model.

  5. jCasbin
    jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models.

  6. Keycloak
    Keycloak is an open-source Identity and Access Management solution targeted towards modern applications and services. It offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.

answered Sep 28 '22 09:09

M-Razavi


I presume that the question that you are trying to answer is:

Does user u have access to do operation op on object o?

One thing to consider is how your domain objects and user groups are defined from a business perspective (outside of the AC mechanism). For any RBAC implementation, you would need to configure it to tell it what your users and user groups are. That will affect your choice of RBAC implementation.

Another (more specific) question: do you need to support override permissions, includes and excludes? Specifically, do you want to be able to support the scenario that object o1 is available to user group g1, but not user u1 (who is part of group g1)?

Depending upon the specific answers, jguard (which is built over JAAS) might be a very good option - http://jguard.net/

answered Sep 28 '22 08:09

Amrinder Arora
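
The include/exclude scenario raised in the last answer (o1 available to group g1 but not to u1, a member of g1), as an added example that is not part of any answer and not the API of jGuard, JAAS or any framework listed above. All class and method names are hypothetical, the data is constructed, and the policy (default deny, an exclude beats any include) is an assumption; it needs Java 16 or later for `record`.

```java
import java.util.*;

// Hypothetical names throughout; not the API of jGuard, JAAS or any listed framework.
public class AccessCheck {
    // One rule: a subject (user or group) paired with an operation and an object.
    record Rule(String subject, String op, String object) {}

    private final Map<String, Set<String>> groupsOfUser = new HashMap<>();
    private final Set<Rule> includes = new HashSet<>(); // grants, keyed by user or group
    private final Set<Rule> excludes = new HashSet<>(); // overrides that revoke a grant

    void addToGroup(String user, String group) {
        groupsOfUser.computeIfAbsent(user, k -> new HashSet<>()).add(group);
    }
    void include(String subject, String op, String object) { includes.add(new Rule(subject, op, object)); }
    void exclude(String subject, String op, String object) { excludes.add(new Rule(subject, op, object)); }

    // "Does user u have access to do operation op on object o?"
    // Assumed policy: default deny, and any matching exclude beats every include.
    boolean isAllowed(String u, String op, String o) {
        Set<String> subjects = new HashSet<>(groupsOfUser.getOrDefault(u, Set.of()));
        subjects.add(u); // the user itself plus every group it belongs to
        boolean granted = false;
        for (String s : subjects) {
            Rule r = new Rule(s, op, o);
            if (excludes.contains(r)) return false; // exclude wins, for the user or any group
            if (includes.contains(r)) granted = true;
        }
        return granted; // stays false when no include matched
    }

    public static void main(String[] args) {
        AccessCheck ac = new AccessCheck();
        // Constructed sample data matching the scenario in the answer.
        ac.addToGroup("u1", "g1");
        ac.addToGroup("u2", "g1");
        ac.include("g1", "read", "o1"); // o1 is available to group g1
        ac.exclude("u1", "read", "o1"); // ... but not to u1, although u1 is in g1

        System.out.println("u1 read o1:  " + ac.isAllowed("u1", "read", "o1"));
        System.out.println("u2 read o1:  " + ac.isAllowed("u2", "read", "o1"));
        System.out.println("u3 read o1:  " + ac.isAllowed("u3", "read", "o1"));
        System.out.println("u2 write o1: " + ac.isAllowed("u2", "write", "o1"));
    }
}
```

Whether a candidate framework can express the `exclude` rule without custom code is the point to check when evaluating it against this requirement.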