Security framework for java with object granularity

Question

I am looking for a security framework for Java web application with Object granularity.

What it means is that I don't just want to filter by urls or by roles, but by specific user ownership of domain objects inside the system.

For example, if there is a Message object that has a Sender user and a Receiver user I would like to be able to configure it so that every Message can be RW by its sender and RO by its receiver.

Or for example, all user profiles are viewable by all users but editable only by the owner.

This rules, of course, I would like to define them with meta data (annotations, xml files, whatever) and not embedded in my business logic.

Is there such a beast out there? Preferably open source.

Answer 1

Spring Security can provide things like method security and "secure objects" using AOP.

Answer 2

Check out this link Acegi Security Fundementals - it's slightly outdated but still gives you the main concepts of Spring Security's object level authorization mechanisms.

Answer 3

You're looking for access control lists (ACLs). Like the other respondents I think Spring Security is worth checking out here--Acegi is just what Spring Security used to be called before they renamed it. Spring Security does have explicit support for ACLs (in addition to URL-based, role-based and group-based access controls). It supports both XML and annotation-based configuration. And you can apply ACL filtering to the view (using taglibs to decide what to render or suppress in the JSP), to methods that return a single domain object (decide whether to allow the method call to succeed), and to methods that return a collection (decide which objects to filter out of the collection before returning it).

You might be able to get away with rolling your own ACL code for simple requirements, but in my opinion ACLs can get tricky pretty quickly. Especially if you have lots of domain objects and you have to start taking performance management seriously.