
Spring Security and Attribute-Based Access Control

Spring Security, a project in the wider Spring framework, aims to provide an authentication and authorization framework around core Spring. It started life as Acegi Security in 2003 before being absorbed into the Spring framework, and version 4 of Spring Security was released recently.

Spring Security treats security as a cross-cutting concern and provides good separation between application, security and business logic. Both architecturally and from an implementation point of view, Spring Security provides the right capabilities to support an XACML-based, externalized, policy-driven access control architecture.

The ABAC Angle

Version 3 of Spring introduced the Spring Expression Language (SpEL), a language that “supports querying and manipulating an object graph at runtime”. SpEL can also be used to provide authorization support in the Spring Security framework. While Spring Security comes with built-in expressions (like hasRole, hasPermission etc.) that can be used in Web and Method security expressions, this existing capability is still not enough to support policy-based, fine-grained, externalized access control systems such as XACML.
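
The gap described above, as an added example (not code from the original page or from the Axiomatics SDK): a custom PermissionEvaluator that lets the built-in hasPermission expression delegate to an external, attribute-based policy decision. The PolicyDecisionPoint interface, the attribute names and the sample policy are assumptions made for illustration; a XACML PDP would sit behind that interface.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.Set;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical PDP contract (an assumption for this example, not a real SDK API).
interface PolicyDecisionPoint {
    boolean permit(Map<String, Object> subject, String action, Map<String, Object> resource);
}

// Bridges hasPermission(...) in SpEL to an externalized, attribute-based decision.
public class AbacPermissionEvaluator implements PermissionEvaluator {
    private final PolicyDecisionPoint pdp;

    public AbacPermissionEvaluator(PolicyDecisionPoint pdp) { this.pdp = pdp; }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Fail closed on anonymous callers or resources that carry no attributes.
        if (auth == null || !auth.isAuthenticated() || !(target instanceof Map)) return false;
        Map<String, Object> subject = Map.of(
            "id", auth.getName(),
            "roles", AuthorityUtils.authorityListToSet(auth.getAuthorities()));
        @SuppressWarnings("unchecked")
        Map<String, Object> resource = (Map<String, Object>) target;
        return pdp.permit(subject, String.valueOf(permission), resource);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false; // id-only lookups need a resource loader, which is not modeled here: deny
    }

    public static void main(String[] args) {
        // Constructed policy: a doctor may read a record only if assigned to it.
        PolicyDecisionPoint pdp = (s, action, r) -> "read".equals(action)
            && ((Set<?>) s.get("roles")).contains("ROLE_DOCTOR")
            && s.get("id").equals(r.get("assignedDoctor"));
        PermissionEvaluator pe = new AbacPermissionEvaluator(pdp);
        Authentication alice = new UsernamePasswordAuthenticationToken(
            "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_DOCTOR"));
        System.out.println(pe.hasPermission(alice, Map.of("assignedDoctor", "alice"), "read"));
        System.out.println(pe.hasPermission(alice, Map.of("assignedDoctor", "bob"), "read"));
    }
}
```

Both calls present the same role, so a hasRole check alone could not tell them apart; the decision turns on a resource attribute. Once the evaluator is set on the method security expression handler, an annotation such as @PreAuthorize("hasPermission(#record, 'read')") routes through it.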

Axiomatics provides an SDK for customers who are interested in integrating XACML into their Spring- and Spring Security-based enterprise Java applications. In our webinar “Axiomatics Boot Camp: Spring Security and ABAC” we explore the approach and provide some details about the SDK. We also go into the details of recent enhancements made to the SDK.
