Friday, October 16, 2009

Announcing JBoss Authz 1.0.Alpha1
I would like to start the early feedback loop on JBoss Authz, a "rule based" authorization framework for Java applications.

Technical Features:
  • Built on top of a standards-compliant XACML rule engine (implementation: JBossXACML). For more information on the specification, see http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

  • Ability to create complex security rules that take into account useful contextual data such as identity, roles/groups, arbitrary HTTP headers, Java method parameters, Java fields, date/time information and IP address information. There is no restriction on what information can be used to make an access decision. This is a break away from frameworks that are designed primarily around the concept of "user roles and permissions".

  • Dynamic provisioning of security policies (no application/system restarts)

  • A developer-friendly, component-oriented API. Developers do not need any familiarity with the low-level, complex XACML XML hell.

  • A common/central Security Manager for all your applications, without having to write and maintain a separate security subsystem for each.

  • Ability to integrate application security with central monitoring tools like JOPR and JON (JBoss Operations Network)
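
To make the first two bullets concrete, here is a constructed XACML 2.0 policy of the kind such a rule engine evaluates: the admin role may reach /admin only during office hours and only from the 10.0.0.0/8 range, and everything else on /admin is denied. This is an added example, not code from the JBoss Authz project; the client-IP attribute id `urn:example:environment:client-ip` is hypothetical and assumes the enforcement point populates it from the connection.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="example:admin-console"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <!-- The policy applies only to requests for the /admin resource -->
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/admin</AttributeValue>
        <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
      </ResourceMatch>
    </Resource></Resources>
  </Target>
  <!-- Permit only when ALL hold: role is admin, 09:00-17:00, client address is 10.x.x.x -->
  <Rule RuleId="permit-admin-office-hours-internal" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^10\.</AttributeValue>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <!-- Hypothetical attribute id; the enforcement point must supply the client address under it -->
            <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:example:environment:client-ip"/>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Any /admin request not permitted above falls through to this rule and is denied -->
  <Rule RuleId="deny-otherwise" Effect="Deny"/>
</Policy>
```

The address check is only as trustworthy as the attribute's source: take it from the socket peer, not from a client-supplied header, or the condition carries no real weight.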

Advantages:

  • Authorization is treated as a "true" cross-cutting concern of an application

  • Provides a clean decoupling of security related logic and data/metadata from the underlying application codebase.

  • Security requirements for the same exact application codebase can be fully customized, including all the logic. Big plus for ISVs that bundle stuff as part of their own offering.

  • Ability to easily drop in infrastructure-level security profiles like an HTTP profile, portal profile, Seam profile or EJB3 profile

Project Information