views:

215

answers:

2

Typically in any web application, the major security concern is securing the resources from malicious users who are trying to access unauthorized resources. They can change a value in the request parameter and try to access something that doesn't belong to that particular user.

For example: a user can change http://blah.com/id=foo to http://blah.com/id=bar and try to access the bar resource.

With RESTful services this may lead to greater security concerns, as RESTful URLs are rather self-explanatory.

e.g.:

http://hotels.com/hotels/1 - a user can easily guess and change the id to 2 to see its details.

One design is to check manually at every request to see the access rights for the resource and deny it if needed, but this is cumbersome and not maintainable.

So the question is: "Is there any tool/framework that can help achieve this in an easy manner?" I know Spring Security supports static rules, not dynamic ones.

A: 

I would highly recommend looking into Seam Security. It can even be tied into a rules system.

edit: I believe you would need the Seam Core package for this to work. However, I have never tried using it without Seam, so I can't be positive about its dependencies.

Zack
Looks good, but is that modular enough to plug it into any application, even if it is not built using Seam?
Teja Kantamneni
+1 A: 

Over the last couple of years, the de facto standard for this has become Spring Security. This sits in front of any old Java webapp (not just Spring webapps) and provides an interception authentication and authorization layer of your choice.

It's very powerful, although also rather complicated (over-complicated, IMO).

skaffman
Spring Security is great, but its documentation sucks. I still couldn't find any really awesome manual.
Roman
Over-complicated is true indeed, but do you know of any easier alternative that plays well with Spring, besides rolling your own?
Daff
I am currently using Spring Security, but when it comes to the security rules/URL protection it doesn't have many capabilities; the decision-making and voting API sucks.
Teja Kantamneni
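The following is an added example (not code from the question or from any of the answers) showing how the `/hotels/{id}` scenario in the question can be protected with Spring Security without a per-request manual check in each controller. Instead of a static URL rule, a `PermissionEvaluator` is consulted with the id actually requested, so the decision depends on the object the caller is asking for. It assumes Spring Security 5.x with method security enabled, and the names `Hotel`, `HotelRepository`, `HotelPermissionEvaluator`, `MethodSecurityConfig` and `HotelController` are hypothetical names chosen for this example.

```java
// Added example (not from the question or any answer): object-level authorization
// for GET /hotels/{id}. The static URL rule "any authenticated user may call
// /hotels/**" is what lets a user change 1 to 2; the PermissionEvaluator below
// runs on every call with the real id and denies access to hotels the caller
// does not own. All class names here are assumptions made for this example.
import java.io.Serializable;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Assumed domain object: each hotel record belongs to exactly one user.
class Hotel {
    final long id;
    final String ownerUsername;
    Hotel(long id, String ownerUsername) { this.id = id; this.ownerUsername = ownerUsername; }
}

// Hypothetical lookup; in a real application this is a JPA/JDBC repository bean.
interface HotelRepository {
    Hotel findById(long id);
}

// The dynamic rule: "may this principal read this particular hotel?"
@Component
class HotelPermissionEvaluator implements PermissionEvaluator {
    private final HotelRepository hotels;
    HotelPermissionEvaluator(HotelRepository hotels) { this.hotels = hotels; }

    // Invoked for hasPermission(#id, 'Hotel', 'read'); the id is the one in the URL.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !"Hotel".equals(targetType) || !(targetId instanceof Long)) {
            return false;
        }
        Hotel hotel = hotels.findById((Long) targetId);
        if (hotel == null) {
            return false; // deny unknown ids the same way as foreign ones: no existence leak
        }
        boolean isAdmin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return isAdmin || hotel.ownerUsername.equals(auth.getName());
    }

    // Variant used when the domain object itself is passed to hasPermission().
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return target instanceof Hotel
                && hasPermission(auth, ((Hotel) target).id, "Hotel", permission);
    }
}

// Wire the evaluator into the SpEL expression handler used by @PreAuthorize.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    private final HotelPermissionEvaluator evaluator;
    MethodSecurityConfig(HotelPermissionEvaluator evaluator) { this.evaluator = evaluator; }

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

@RestController
class HotelController {
    private final HotelRepository hotels;
    HotelController(HotelRepository hotels) { this.hotels = hotels; }

    // Before: any authenticated user could fetch /hotels/2.
    // After: the evaluator is consulted with the path id on every call, and a
    // request for someone else's hotel is rejected with 403 before the body runs.
    @GetMapping("/hotels/{id}")
    @PreAuthorize("hasPermission(#id, 'Hotel', 'read')")
    public Hotel get(@PathVariable long id) {
        return hotels.findById(id);
    }
}
```

Two practical notes: `#id` in the expression requires parameter names to be available at runtime (compile with `-parameters` or debug info), and on Spring Security 5.6 and later `@EnableMethodSecurity` replaces the deprecated `@EnableGlobalMethodSecurity`; the `PermissionEvaluator` contract is unchanged. Returning `false` for an unknown id rather than throwing keeps the response identical for "does not exist" and "not yours", which is the behaviour a defender wants when the ids are guessable.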