Spring Security integration with XACML(Or any other policy based solution)

Our web application is based on Spring Security. We already handle authentication via an SSO provider (CAS).

We are trying to find a convenient solution for handling authorization for our app (roles and permissions).

I read about XACML; however, I couldn't find any practical experience/example of implementing and integrating it inside the Spring Security framework.

Does anyone have any experience with that?

Thanks, Ray.

rayman asked Oct 02 '22 14:10


2 Answers

What Asela says is true of most XACML-based authorization servers.

You can choose from open-source:

  • WSO2 (Asela's), which gives you so much more than just XACML BTW - it's first and foremost a mediation platform
  • ForgeRock's OpenAM
  • JBoss's PicketBox
  • HerasAF
  • AuthzForce

Some implement XACML 2.0, others XACML 3.0.

In the vendor space you have:

  • IBM (XACML 2.0)
  • Oracle (Proprietary)
  • Dell (XACML 3.0, .NET-based)
  • Axiomatics (XACML 3.0, .NET and Java)

Disclaimer: I work for the latter, Axiomatics. We have tested a sample PEP that implements the Spring Security Access Decision in the past, and it works fine. Our PDP is exposed both as a SOAP web service and via REST, according to the REST profile of XACML.

Do you want to have your Spring Access Decision Manager implement a XACML PEP? Do you want to use a Voter instead? Do you need to support obligations and advice?

You can also use an AOP PEP, which Axiomatics also provides. We have a webinar on just this topic this coming Thursday. Details here.

David Brossard answered Oct 13 '22 10:10
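The answer above asks whether you want your Spring Access Decision Manager to implement a XACML PEP or use a Voter instead, and whether you need obligations. The following is an added example, not code from the original answer, from Axiomatics or from any of the products listed; it shows the voter approach as a PEP that talks to a XACML 3.0 PDP over the JSON/REST profile. It assumes Spring Security 5.x (AccessDecisionVoter and FilterInvocation), Java 11+ (java.net.http), and a PDP at the placeholder PDP_URL; the JSON is built and parsed with plain strings and regexes to keep the example dependency-free, which is a simplification a production PEP would replace with a JSON library.

```java
// Added example (not from the original Q&A): a Spring Security AccessDecisionVoter acting as a XACML PEP.
// Assumptions: XACML 3.0 PDP reachable over the REST/JSON profile at PDP_URL (placeholder),
// Spring Security 5.x voter API, Java 11+ HttpClient.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Collection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

public class XacmlPepVoter implements AccessDecisionVoter<FilterInvocation> {

    // Placeholder endpoint; replace with the real PDP's authorization URL.
    private static final String PDP_URL = "https://pdp.example.internal/authorize";
    // Simplified response parsing: a real PEP would use a JSON library and read Response[0].Decision.
    private static final Pattern DECISION = Pattern.compile("\"Decision\"\\s*:\\s*\"(\\w+)\"");
    private static final Pattern OBLIGATIONS = Pattern.compile("\"Obligations\"\\s*:\\s*\\[\\s*\\{");

    private final HttpClient http = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(2)).build();

    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }

    @Override
    public int vote(Authentication authentication, FilterInvocation fi, Collection<ConfigAttribute> attributes) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return ACCESS_DENIED;
        }
        // Subject from the CAS-authenticated principal, action = HTTP method, resource = request path.
        String request = buildXacmlJsonRequest(authentication.getName(),
                fi.getHttpRequest().getMethod(), fi.getRequestUrl());
        try {
            HttpResponse<String> resp = http.send(HttpRequest.newBuilder(URI.create(PDP_URL))
                    .timeout(Duration.ofSeconds(3))
                    .header("Content-Type", "application/xacml+json")
                    .header("Accept", "application/xacml+json")
                    .POST(HttpRequest.BodyPublishers.ofString(request)).build(),
                    HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() != 200) {
                return ACCESS_DENIED;  // PDP error: fail closed
            }
            return voteFromResponse(resp.body());
        } catch (Exception e) {
            return ACCESS_DENIED;  // unreachable PDP or timeout: fail closed rather than abstain
        }
    }

    /** Builds a XACML 3.0 JSON-profile request with the three standard categories. */
    static String buildXacmlJsonRequest(String subjectId, String action, String resourceId) {
        return "{\"Request\":{"
            + "\"AccessSubject\":{\"Attribute\":["
            + attr("urn:oasis:names:tc:xacml:1.0:subject:subject-id", subjectId) + "]},"
            + "\"Action\":{\"Attribute\":["
            + attr("urn:oasis:names:tc:xacml:1.0:action:action-id", action) + "]},"
            + "\"Resource\":{\"Attribute\":["
            + attr("urn:oasis:names:tc:xacml:1.0:resource:resource-id", resourceId) + "]}"
            + "}}";
    }

    private static String attr(String id, String value) {
        return "{\"AttributeId\":\"" + id + "\",\"Value\":\"" + jsonEscape(value) + "\"}";
    }

    // Minimal escaping for the characters that can appear in a URL path; a JSON library covers the rest.
    private static String jsonEscape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Maps a JSON-profile response to a vote. Only an explicit Permit grants; Deny, NotApplicable
     *  and Indeterminate all deny. A Permit carrying obligations is denied here because this PEP
     *  registers no obligation handlers; XACML requires a PEP to deny when it cannot discharge them. */
    static int voteFromResponse(String responseJson) {
        Matcher m = DECISION.matcher(responseJson);
        if (!m.find() || !"Permit".equals(m.group(1))) {
            return ACCESS_DENIED;
        }
        if (OBLIGATIONS.matcher(responseJson).find()) {
            return ACCESS_DENIED;
        }
        return ACCESS_GRANTED;
    }
}
```

Register the voter in an AffirmativeBased or UnanimousBased AccessDecisionManager alongside Spring's own voters. Two design choices matter from a security standpoint: the voter never abstains on PDP failure, so an outage cannot fall through to a permissive default, and a Permit that carries obligations the PEP cannot enforce is treated as Deny, which is what the XACML specification requires.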


I am not sure about the Spring Security framework. But if your application can call an external SOAP web service, you can use WSO2 Identity Server, because WSO2 Identity Server's PDP has been exposed via a SOAP-based web service. Using your application, I guess, you can call them easily. More details you can find in this blog.

Asela answered Oct 13 '22 12:10