Axiomatics had the pleasure and honor of taking part in JavaZone 2013 this year. JavaZone takes place every year in Norway's capital, Oslo, and gathers architects, developers, and system integrators who share the same passion for Java and derived technologies. Speakers hail from around the world.
I gave a presentation on externalized authorization management to share Axiomatics' experience in the field.
Over the years, at Axiomatics, we have noticed that developers struggle to implement the answer to a very simple question: "can my user do X?". Very often, this question is overlooked, and the only "access control" being done is the authorization that immediately follows authentication (we know you're Alice, so you can do everything). To add to the complexity, this space is scarcely standardized, so developers resort to whatever tools are closest at hand, e.g. LDAP groups, roles, or frameworks such as Spring Security. As a result, developers who are pressed by security officers and other auditors have to implement custom, home-grown authorization. And that takes time, too much time. In a study, it was estimated that 20% of development time was spent on implementing security, and specifically access control. Axiomatics' premise to developers is to reduce that time to a minimum.