I would like to start the early feedback loop on JBoss Authz, a "rule based" authorization framework for Java applications.
Technical Features:
- Built on top of a standards-compliant XACML rule engine (implementation: JBossXACML). For more spec info: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
- Ability to create complex security rules taking into account useful contextual data like Identity, Roles/Groups, arbitrary HTTP headers, Java method parameters, Java fields, date/time information, IP address information. There is no restriction on what information can be used for making access decisions. This is a breakaway from frameworks that are designed primarily around the concept of "user roles and permissions".
- Dynamic provisioning of security policies (no application/system restarts)
- A developer-friendly, component-oriented API. Developers do not need any familiarity with the low-level, complex XACML XML hell.
- A common/central Security Manager for all your applications, without having to write/maintain a separate security subsystem for each.
- Ability to integrate application security with central monitoring tools like JOPR, JON (JBoss Operation Network)
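As an added illustration of the kind of contextual rule described in the features above (this is plain XACML 2.0 written for this post, not JBoss Authz code or anything from the project), the policy below permits the "read" action on a financial report only for subjects holding the manager role and only between 09:00 and 17:00; the policy id and resource id are made-up placeholders, while the function, attribute and role identifiers are the standard XACML ones.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:financial-report"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!-- Target: this policy only applies to "read" on the (placeholder) financial-report resource -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:example:resource:financial-report</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="permit-managers-in-business-hours" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <!-- Role check: is "manager" in the bag of role attributes the PEP supplied for the subject? -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">manager</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <!-- Time check, part 1: current-time >= 09:00:00 (environment attribute, reduced from a bag to one value) -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
        </Apply>
        <!-- Time check, part 2: current-time <= 17:00:00 -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
            <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" DataType="http://www.w3.org/2001/XMLSchema#time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- first-applicable: reached only when the Permit rule above did not match, so everything else is denied -->
  <Rule RuleId="deny-everything-else" Effect="Deny"/>
</Policy>
```

The combining algorithm matters: with deny-overrides the unconditional Deny rule would win every time, so the catch-all default-deny rule only works as a fallback under first-applicable (or permit-overrides).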
Advantages:
- Authorization is treated as a "true" cross-cutting concern of an application
- Provides a clean decoupling of security-related logic and data/metadata from the underlying application codebase.
- Security requirements for the exact same application codebase can be fully customized, including all the logic. Big plus for ISVs that bundle stuff as part of their own offering.
- Ability to easily drop in infrastructure-level security profiles like an HTTP profile, portal profile, Seam profile, EJB3 profile
Links:
- Website: http://jboss.org/jbossidentity/
- Download: http://jboss.org/jbossidentity/downloads
- Blog: http://authz.blogspot.com/
- Anonymous SVN: http://anonsvn.jboss.org/repos/jbossidentity/authz/
- Committer SVN: https://svn.jboss.org/repos/jbossidentity/authz/