Java security in non-web app

Question

Does anyone know of a good, open source security framework for java?

I've played with jSecurity a bit, and it seems really cool, but the documentation is so sparce I can't seem to make any progress.

Spring security seems web-app oriented -- but I may be wrong.

I am not opposed to writing this myself, but it seems like this should have been done before, why reinvent the wheel?

All this needs to do is be able to provide fine grained security permissions on each level of the app(s).

Example: App1 has actions 1, 2, 3 (like 'canOpenRemoteFiles', or 'canReprocessTransactions') App2 has actions 4, 5, 6, 7

I will ultimately need to do something like:

// -- the call may not be this declarative
boolean foo = user.getApp1().canReprocessTransactions();
// do something with foo...

// -- or something like this
boolean bar = user.getApp2().canDoAction1();
// do something with bar...

// -- or...
ArrayList < String > dirsCanAccess = user.getApp1().getAccessableDirs();

Thanks in advance.

Answer 1

After much more digging, jSecurity was the way to go. It is not well documented, but quite simple to use.

Answer 2

Why not use JAAS? It's been a standard part of the JRE since 1.4.

Answer 3

You can use Acegi Security framework (based on Spring). The framework provides AOP based security interception that can be used to control method level access even outside the web app. The link to the framework is http://www.acegisecurity.org/

Answer 4

The last time I looked at Spring-Security it seemed very much web based.

But... the Spring guys are pretty good and I suspect that they have lot of building blocks you could use from the core Spring-Security library.