views:

78

answers:

3

Here's my situation.

I use the RBAC model to control function-level ACL, and use hard-coded checks (if/else in the business code of my DAO/Service layer) for fine-grained ACL. But my customer can't figure out the requirements for fine-grained ACL right now.

So, I think maybe it's time for me to extract the fine-grained ACL logic from the business code: decouple it and centralize it.

Are there any good suggestions? A framework or library?

A: 

Have a look at Spring Security. It's a framework/library that supports RBAC, integrates with a lot of authentication/authorization technologies, and allows you to decouple security from business code.

If there are specifics as to what you want to do, or how you want to use the library/framework, you will probably get more relevant advice.

Knowing the Spring Framework and how it works is probably useful here.

Nader Shirazie
I mean fine-grained access control. Spring Security can do RBAC and can decouple security from business code. But it costs a lot: 1, big learning curve; 2, XML jobs: a lot of XML configuration; 3, Java jobs: coding voters. I can simply use a filter for RBAC. I'd rather extract the fine-grained logic into methods than use Spring Security.
Das
A: 

Yeah. I don't think Spring Security is a good choice. Because: 1, you will have to rearrange your application if you adopt this framework; 2, Spring Security is a framework for a lot of things, but by itself it does nothing. You DO care about RBAC and fine-grained ACL.

I suggest a middleware called ralasafe (http://www.ralasafe.org). It is open sourced under the MIT license. Ralasafe contains a UrlAclFilter for RBAC. Ralasafe uses security policies for fine-grained ACL, dividing a security policy into user category and resource. It's something like RBAC, and easy to understand.

The coolest thing is the ralasafe designer. Less programming/configuration, do more!

Dianel Brown
I ran the demo app. It's cool. I like that designer. In my view, I like middleware more than a framework.
Das
A: 

Check Apache Shiro (ex-JSecurity), although it's in incubator status. From its website:

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management and cryptography.

Our mission: To provide the most robust and comprehensive application security framework available while also being very easy to understand and extremely simple to use.

Features

Apache Shiro aims to be the most comprehensive, but also the easiest to use Java security framework available. Here are some of the framework's finer points:

  • The easiest to understand Java Security API anywhere. Class and Interface names are intuitive and make sense. Anything is pluggable but good defaults exist for everything.
  • Simple authentication (login) supported by one or more pluggable data sources (LDAP, JDBC, Kerberos, ActiveDirectory, etc).
  • Simple authorization ('access control') with roles and fine-grained permissions support also using the above pluggable data sources.
  • First-class caching support for enhanced application performance.
  • Built-in POJO-based Enterprise Session Management. Use in both web and non-web environments or in any environment where Single Sign On (SSO) or clustered or distributed sessions are desired.
  • Heterogeneous client session access. You are no longer forced to use only the HttpSession or Stateful Session Beans, which often unnecessarily tied applications to specific environments. Flash applets, C# applications, Java Web Start, and Web Applications, etc. can now all share session state regardless of deployment environment.
  • Simple Single Sign-On (SSO) support piggybacking the above Enterprise Session Management. If sessions are federated across multiple applications, the user's authentication state can be shared too. Log in once to any application and the others all recognize that log-in.
  • Simplest possible Cryptography APIs. Our Ciphers and Hashes (aka Digests) wrap the more complicated Java Cryptography Extensions (JCE) infrastructure, and are much easier to understand and use. For example, new Md5Hash("blah").toHex(); gives you the hex-encoded MD5 hash of "blah".
  • An incredibly robust yet low-configuration web framework that can secure any url or resource, automatically handle logins and logouts, perform Remember Me services, and more.
  • Extremely low number of required dependencies. Standalone configuration requires only slf4j-api.jar and one of slf4j's binding .jars. Web configuration additionally requires commons-beanutils-core.jar. Feature-based dependencies (Ehcache caching, Quartz-based Session validation, Spring dependency injection, etc.) can be added when needed.
Pascal Thivent
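To show what the asker's "extract the fine-grained ACL from the DAO/Service code" looks like with the permission model from the Shiro answer above, here is an added example (not code from the question, the answers, or the Shiro project): the same order-access check first hard-coded in the service, then delegated to Shiro's wildcard permissions so the policy lives in a realm rather than in if/else branches. It assumes Shiro 1.x on the classpath with an slf4j binding, and the users, roles and order ids are constructed for the demo (a real deployment would load them from LDAP/JDBC rather than an INI string).

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class OrderAclDemo {

    // BEFORE: fine-grained ACL entangled with business logic. Every new rule
    // (auditors, delegated access, tenants) means editing this method.
    static String loadOrderHardcoded(String user, String orderOwner, String orderId) {
        if (user.equals("root") || user.equals(orderOwner)) {
            return "order " + orderId;
        }
        throw new SecurityException("denied");
    }

    // AFTER: the service only asks whether the current subject holds the
    // "order:read:<id>" permission. Who holds it is declared once in the realm.
    static String loadOrder(String orderId) {
        Subject subject = SecurityUtils.getSubject();
        subject.checkPermission("order:read:" + orderId); // throws AuthorizationException
        return "order " + orderId;
    }

    public static void main(String[] args) {
        // Constructed policy: alice may read/update order 42 only; admins get everything.
        Ini ini = new Ini();
        ini.load(String.join("\n",
            "[users]",
            "alice = alicepw, order42Owner",
            "root = rootpw, admin",
            "[roles]",
            "admin = order:*",
            "order42Owner = order:read:42, order:update:42"));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        Subject alice = SecurityUtils.getSubject();
        alice.login(new UsernamePasswordToken("alice", "alicepw"));
        System.out.println(loadOrder("42"));                    // allowed by order:read:42
        System.out.println(alice.isPermitted("order:read:7"));  // false: no matching permission
        try {
            loadOrder("7");
        } catch (AuthorizationException e) {
            System.out.println("alice denied on order 7");     // the check now lives outside the DAO
        }
        alice.logout();
    }
}
```

Because the decision is a permission string rather than a code branch, adding an auditor who may read every order is a one-line realm change (`auditor = order:read:*`) with no edit to loadOrder.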