Our web application is based on spring security. We already handle authentication via SSO provider (CAS)
We are trying to find a convenient solution for handling authorization for our app (roles and permissions).
I read about XACML; however, couldn't find any practical experience/example of implementing and integrating it inside the Spring-security framework.
Does anyone have any experience with that?
Thanks, Ray.
What Asela says is true of most XACML-based authorization servers.
You can choose from open-source:
Some implement XACML 2.0, others XACML 3.0.
In the vendor space you have:
Disclaimer: I work for the latter, Axiomatics. We have tested a sample PEP that implements the Spring Security Access Decision in the past, and it works fine. Our PDP is exposed both as a SOAP web service and via REST, according to the REST profile of XACML.
Do you want to have your Spring Access Decision Manager implement a XACML PEP? Do you want to use a Voter instead? Do you need to support obligations and advice?
You can also use an AOP PEP which Axiomatics also provides. We have a webinar on just the topic this coming Thursday. Details here.
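To make the Voter route concrete, here is an added example of a Spring Security `AccessDecisionVoter` acting as a XACML PEP. It is not code from the original answer or from Axiomatics' SDK; the PDP endpoint URL, the use of the XACML 3.0 JSON profile over REST, the role attribute ID and the obligation handling are assumptions to be checked against whichever PDP is actually deployed. The design point it shows is that the PEP is fail-closed: transport errors, an `Indeterminate` decision, malformed responses and obligations the PEP does not understand all become a deny.

```java
package com.example.pep; // hypothetical package for this example

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;

/**
 * Voter that turns each web request into a XACML 3.0 JSON-profile request,
 * sends it to a remote PDP over REST and maps the Decision onto a vote.
 * Attribute IDs below are the standard XACML ones; the endpoint is assumed.
 */
public class XacmlPdpVoter implements AccessDecisionVoter<FilterInvocation> {

    private static final String SUBJECT_ID  = "urn:oasis:names:tc:xacml:1.0:subject:subject-id";
    private static final String ROLE_ID     = "urn:oasis:names:tc:xacml:2.0:subject:role"; // RBAC profile, assumed to match PDP policies
    private static final String RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id";
    private static final String ACTION_ID   = "urn:oasis:names:tc:xacml:1.0:action:action-id";

    private final URI pdpEndpoint;                 // e.g. https://pdp.example.internal/authorize (assumed)
    private final Set<String> obligationsHandled;  // obligation IDs this PEP knows how to discharge
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(2)).build();
    private final ObjectMapper json = new ObjectMapper();

    public XacmlPdpVoter(URI pdpEndpoint, Set<String> obligationsHandled) {
        this.pdpEndpoint = pdpEndpoint;
        this.obligationsHandled = obligationsHandled;
    }

    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }

    @Override
    public int vote(Authentication auth, FilterInvocation fi, Collection<ConfigAttribute> attributes) {
        if (auth == null || !auth.isAuthenticated()) return ACCESS_DENIED;
        try {
            String body = json.writeValueAsString(buildRequest(auth, fi));
            HttpRequest req = HttpRequest.newBuilder(pdpEndpoint)
                    .timeout(Duration.ofSeconds(3))
                    .header("Content-Type", "application/xacml+json")
                    .header("Accept", "application/xacml+json")
                    .POST(HttpRequest.BodyPublishers.ofString(body))
                    .build();
            HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
            if (resp.statusCode() != 200) return ACCESS_DENIED;   // transport/PDP error: fail closed
            return toVote(json.readTree(resp.body()));
        } catch (IOException | InterruptedException e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return ACCESS_DENIED;                                  // PDP unreachable: never fall open
        }
    }

    /** Build the JSON-profile request: who (subject + roles), what (URL), how (HTTP method). */
    Map<String, Object> buildRequest(Authentication auth, FilterInvocation fi) {
        List<Map<String, Object>> subject = new ArrayList<>();
        subject.add(attr(SUBJECT_ID, auth.getName()));
        for (GrantedAuthority ga : auth.getAuthorities()) subject.add(attr(ROLE_ID, ga.getAuthority()));
        return Map.of("Request", Map.of(
                "AccessSubject", Map.of("Attribute", subject),
                "Resource", Map.of("Attribute", List.of(attr(RESOURCE_ID, fi.getRequestUrl()))),
                "Action", Map.of("Attribute", List.of(attr(ACTION_ID, fi.getRequest().getMethod())))));
    }

    private static Map<String, Object> attr(String id, Object value) {
        return Map.of("AttributeId", id, "Value", value);
    }

    /** Map the first Result's Decision onto a vote; anything unclear is a deny. */
    int toVote(JsonNode response) {
        JsonNode result = response.path("Response").path(0);
        // The spec requires a PEP to deny when it cannot discharge every attached obligation.
        for (JsonNode ob : result.path("Obligations")) {
            if (!obligationsHandled.contains(ob.path("Id").asText())) return ACCESS_DENIED;
        }
        switch (result.path("Decision").asText("Indeterminate")) {
            case "Permit":        return ACCESS_GRANTED;
            case "NotApplicable": return ACCESS_ABSTAIN;   // no policy matched; let other voters decide
            default:              return ACCESS_DENIED;    // Deny, Indeterminate or an unparseable response
        }
    }
}
```

Wire it into an `AffirmativeBased` decision manager and keep `allowIfAllAbstainDecisions` at its default of `false`, so a `NotApplicable` answer that no other voter overrides still ends in a denial. Advice elements in the response carry no such requirement and can be logged or ignored. Note that the `AccessDecisionVoter`/`AccessDecisionManager` API is the classic one this thread refers to; newer Spring Security releases deprecate it in favour of `AuthorizationManager`, where the same request-building and decision-mapping logic fits unchanged.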