My boss asked me to find some open source Java security framework for our project. I searched the internet for some days but nothing seemed to fulfill the requirements :(
Currently I am looking at jGuard and Kasai but I am not sure about them.
Here are requirements:
1) Open source/free
2) Enabling permissions to be given to a single user manually or "loaded" from a profile/role, let's say "manager". After loading, some details can be changed, so managerX and managerY can have different permissions.
3) Any user/role can have invisible/readOnly/update access to any graphical component on any screen (button, link ...)
4) Two different kinds of authentication are needed: a) standalone (user/password screen) b) from another system, with auth data passed somehow from that other system (I think it's called "single sign-on")
5) Ownership-based (let's say userX can see/access only part of the records in CustomersTable in the database), or at least an open source framework that allows a plug-in class which decides whether userX is permitted to see customerY...
6) A GUI for managing all this.
7) And, of course, cross-platform (any relational DB, any application server).
I am new to security, but my boss says it's quite a common situation, so surely someone has encountered similar problems :)
Can you help please?
Thanks in advance,
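Requirements 2, 3 and 5 from the question, sketched in plain Java as an added example (this is not code from the thread or from jGuard, Kasai or any other framework named here). The role templates, component names, the owner column and the customer rows are all constructed for the demo.

```java
import java.util.*;

// Requirement 5: the "plug-in class" that decides per record whether a user may see it.
interface OwnershipCheck { boolean mayRead(String userId, Map<String, String> record); }

class Permissions {
    // Requirement 3: every GUI component gets one of these levels.
    enum Access { INVISIBLE, READ_ONLY, UPDATE }

    // Requirement 2: role templates that a user's permissions are loaded from (constructed data).
    private static final Map<String, Map<String, Access>> ROLE_TEMPLATES = new HashMap<>();
    static {
        ROLE_TEMPLATES.put("manager", Map.of("btnExport", Access.UPDATE, "lnkAudit", Access.READ_ONLY));
        ROLE_TEMPLATES.put("clerk", Map.of("btnExport", Access.INVISIBLE, "lnkAudit", Access.INVISIBLE));
    }

    private final Map<String, Access> effective = new HashMap<>();
    private final OwnershipCheck ownership;

    Permissions(String role, OwnershipCheck ownership) {
        effective.putAll(ROLE_TEMPLATES.getOrDefault(role, Map.of())); // copy the template, not a reference
        this.ownership = ownership;
    }

    // Per-user change after loading: managerX and managerY may diverge without touching the role.
    void override(String component, Access access) { effective.put(component, access); }

    // Unknown components are hidden: deny by default rather than fall open.
    Access accessTo(String component) { return effective.getOrDefault(component, Access.INVISIBLE); }

    // Row-level filtering for CustomersTable, delegated to the ownership plug-in.
    List<Map<String, String>> visibleRows(String userId, List<Map<String, String>> customers) {
        List<Map<String, String>> out = new ArrayList<>();
        for (Map<String, String> row : customers) if (ownership.mayRead(userId, row)) out.add(row);
        return out;
    }
}

public class Demo {
    public static void main(String[] args) {
        // Constructed sample rows; the "owner" column stands in for whatever the real schema uses.
        List<Map<String, String>> customers = List.of(
            Map.of("id", "c1", "owner", "managerX"), Map.of("id", "c2", "owner", "managerY"));
        OwnershipCheck byOwner = (user, row) -> user.equals(row.get("owner"));
        Permissions managerX = new Permissions("manager", byOwner);
        Permissions managerY = new Permissions("manager", byOwner);
        managerY.override("btnExport", Permissions.Access.READ_ONLY); // same role, different rights
        System.out.println(managerX.accessTo("btnExport") + " vs " + managerY.accessTo("btnExport"));
        System.out.println(managerX.visibleRows("managerX", customers));
    }
}
```

The two maps are intentionally separate copies so that an override for one user never leaks into the shared role template; that is the property requirement 2 actually depends on.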
I know this may seem like an easy or common task, but authorization/authentication tasks are extremely custom to every environment.
It's one of the biggest reasons it was left out of the J2EE environment, because of the vast scope of the issue (I believe). Fortunately and unfortunately, security stores are nearly always an extended service.
There are no easy answers, but I may be able to push you in the direction of Sun Java System Access Manager. [http://developers.sun.com/identity/] Besides being an industry standard LDAP server, the Security Assertion Markup Language (SAML) extension will be helpful for you. The real help may actually come from the two Java projects in the java.net umbrella also distributed with the Sun Java System Access Manager: the Open Web SSO project (OpenSSO) - single sign-on, and the Open next generation directory service (OpenDS).
Sorry I do not work for Sun, but I do enjoy using their implementations, as long as they are free. Not truly open source, please check the license. They wish to charge you for support at some point when you figure out you need it.
And that's not a bad idea, when you are at the point where your system is being hacked, or your security system is down and your users/customers cannot access anything...
Sorry for the book answer.
One more note: There is a good book on Identity Management called Core Security Patterns: Best Practices and Strategies for J2EE(TM), Web Services, and Identity Management, by Christopher Steel, Ramesh Nagappan, Ray Lai. Definitely more than bathroom reading, but you may want to visit a bookstore and take a little look at it (a few hours).
Sun Certified Web Business Component Developer
Sun Certified Web Components Developer
Sun Certified Programmer for the Java 2 Platform
It's a framework of course, but it has everything that you require built in for session handling. With a very slight learning curve you're ready to go in a few hours.
-- Richard Corsale
Have you tried Acegi Security?
I've used it and it is really cool and easy to use.
I am in the same boat. Can you share some thoughts on jGuard?
Have you found any conclusions on the best tool? Especially regarding this: 'Any user/role can have invisible/readOnly/update access to any graphical component in any screen'