Integrating XACML into Spring Security

Spring strips away much of the complexity of JEE and is a more lightweight and agile framework. It enables enterprise-level applications to be built from plain POJOs. Spring also introduces dependency injection and inversion of control as the main vehicles for meeting requirements that are shared across multiple layers of an application. This matters for security in particular, since security is typically a cross-cutting concern.

Spring Security, a Spring project, provides an authentication and authorization framework around the Spring core. It started life as Acegi Security in 2003 before being absorbed into the Spring framework. Recently we saw the release of version 4 of Spring Security.

Spring Security treats security as a cross-cutting concern and provides a clean separation between security logic on one side and application and business logic on the other. Both architecturally and from an implementation standpoint, Spring Security offers the right capabilities to support an XACML-based, externalized, policy-driven access control architecture.

The ABAC Angle

Version 3 of Spring introduced the Spring Expression Language (SpEL), a language that “supports querying and manipulating an object graph at runtime”. SpEL can also be used to express authorization rules in Spring Security. While Spring Security ships with built-in expressions such as hasRole and hasPermission (usable in both web and method security expressions), this built-in capability is still not enough to support policy-based, fine-grained, externalized access control systems such as XACML.
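As an added illustration (not code from this post or from the Axiomatics SDK), the following Spring Security PermissionEvaluator shows how a hasPermission(...) expression can be backed by an external XACML Policy Decision Point instead of a role check: it collects subject, resource and action attributes and grants access only on an explicit PERMIT. The XacmlPdp interface, the Decision enum and the Document record are assumptions standing in for a real PEP/PDP client and a sample domain type.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
// XacmlPdp, Decision and Document are assumptions (a stand-in PDP client and a sample domain type), not the Axiomatics SDK's API.
public class XacmlPermissionEvaluator implements PermissionEvaluator {
    public enum Decision { PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE }
    /** Hypothetical PDP client: evaluates subject/resource/action attributes against policy. */
    public interface XacmlPdp {
        Decision evaluate(Map<String, Object> subject, Map<String, Object> resource,
                          Map<String, Object> action);
    }
    public record Document(String id, String owner, String classification) {} // constructed sample type
    private final XacmlPdp pdp;
    public XacmlPermissionEvaluator(XacmlPdp pdp) { this.pdp = pdp; }

    // Backs expressions such as @PreAuthorize("hasPermission(#doc, 'read')").
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        Map<String, Object> resource = new HashMap<>();
        resource.put("resource-type", target.getClass().getSimpleName());
        if (target instanceof Document d) {               // pattern matching, Java 16+
            resource.put("resource-id", d.id());
            resource.put("owner", d.owner());
            resource.put("classification", d.classification());
        }
        return decide(auth, resource, permission);
    }

    // Backs id-based expressions such as hasPermission(#id, 'Document', 'delete').
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        Map<String, Object> resource = new HashMap<>();
        resource.put("resource-id", String.valueOf(targetId));
        resource.put("resource-type", targetType);
        return decide(auth, resource, permission);
    }

    private boolean decide(Authentication auth, Map<String, Object> resource, Object permission) {
        if (auth == null || !auth.isAuthenticated()) return false;   // fail closed
        Map<String, Object> subject = new HashMap<>();
        subject.put("subject-id", auth.getName());
        subject.put("roles", auth.getAuthorities());   // roles are one attribute among many
        Map<String, Object> action = Map.of("action-id", String.valueOf(permission));
        // Only an explicit PERMIT grants access; DENY, NOT_APPLICABLE and INDETERMINATE all deny.
        return pdp.evaluate(subject, resource, action) == Decision.PERMIT;
    }
}
```

To activate it for method security, register the evaluator on a DefaultMethodSecurityExpressionHandler via setPermissionEvaluator so that every @PreAuthorize hasPermission check is routed to the PDP.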

Axiomatics provides an SDK for customers interested in integrating XACML into their Spring and Spring Security based enterprise Java applications. In our webinar “Enhancing Spring Security” we explore the approach and provide some details about the SDK. You can find the recording below:
