
ABAC support for Spring Security or Apache Shiro


I'm trying to find any open-source or commercial implementation of the Attribute-Based Access Control (ABAC) paradigm that will work together with the Spring Security or Apache Shiro frameworks. Right now I can't find any of them. I don't think I'm the first one who needs this kind of functionality, so could you please recommend frameworks that support this?

Also, can Permissions in Apache Shiro be considered a particular case of an ABAC paradigm implementation?


Solution

  • jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models. ABAC is one of the models that is supported by jCasbin.
    ABAC: syntax sugar like resource.Owner can be used to get the attribute for a resource.
    In jCasbin, an access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matches). So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.
    It supports Spring Boot via a plugin: jcasbin-springboot-plugin

    Also, there is another open-source project called EasyAback. (The original project documents are written in Russian; I translated them and also added some other documents and a diagram link.)
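
The combined RBAC and ABAC model the answer describes, as an added example that is not part of the original answer or the jCasbin project's own code. The `Document` class, the user and role names and the policy row are constructed for illustration; it assumes jCasbin is on the classpath and that the matcher resolves `r.obj.Name` and `r.obj.Owner` through the public getters.

```java
import org.casbin.jcasbin.main.Enforcer;
import org.casbin.jcasbin.model.Model;

public class AbacRbacDemo {
    // Hypothetical resource type; the matcher reads r.obj.Name / r.obj.Owner
    // through these public getters (assumed attribute resolution).
    public static class Document {
        private final String name, owner;
        public Document(String name, String owner) { this.name = name; this.owner = owner; }
        public String getName() { return name; }
        public String getOwner() { return owner; }
    }

    // PERM model: allow if a role-based policy row matches (RBAC)
    // or if the requester owns the resource (ABAC). No match means deny.
    static final String MODEL = String.join("\n",
        "[request_definition]", "r = sub, obj, act",
        "[policy_definition]", "p = sub, obj, act",
        "[role_definition]", "g = _, _",
        "[policy_effect]", "e = some(where (p.eft == allow))",
        "[matchers]",
        "m = (g(r.sub, p.sub) && r.obj.Name == p.obj && r.act == p.act) || r.sub == r.obj.Owner");

    public static void main(String[] args) {
        Model model = new Model();
        model.loadModelFromText(MODEL);
        Enforcer e = new Enforcer(model);          // no adapter: policy lives in memory

        // Constructed sample policy: one rule shared by everyone holding the role.
        e.addPolicy("editor", "report", "write");
        e.addRoleForUser("bob", "editor");

        Document report = new Document("report", "alice"); // constructed sample resource
        String[][] requests = {
            {"alice", "read"},   // owner, no policy row: ABAC clause decides
            {"bob", "write"},    // editor role: RBAC clause decides
            {"bob", "read"},     // editor, but no row for read and not the owner
            {"carol", "write"},  // no role, not the owner
        };
        for (String[] r : requests) {
            System.out.printf("%s %s -> %b%n", r[0], r[1], e.enforce(r[0], report, r[1]));
        }
    }
}
```

The owner clause grants every action on the resource to its owner, so the `Owner` attribute must come from a trusted store rather than from request input.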