Java Application Security Framework

Peace of Mind:
Knowing your multi-tenant application enforces fine-grained security

What is OACC?

OACC - pronounced [oak] - is a fully featured API to both enforce and manage your application's authentication and authorization needs.

Fully implemented API

All the functionality to manage your application's security model, out of the box.

Single access-control paradigm

Always operate at the resource level. Manage permissions exclusively between resources.

Flexible security model

Secure any operation between your domain objects and the actors on them.

Permission delegation

Authorize subjects to delegate their permissions to others with GRANT OPTIONS.

Identity delegation

Authorize an authenticated subject to securely "impersonate" another subject.

Efficient query methods

Find resources by permission with efficient symmetric query methods.

Learn more about all of OACC's authorization and authentication features on the Features page.

Supported Environments

OACC is compatible with Java™ SE 7 (Java™ version 1.7.0), or higher.

OACC persists all security relationships in database tables and currently supports the following databases:

  • IBM DB2 10.5
  • Microsoft SQL Server 12.0 (2014)
  • Oracle 11g R2
  • PostgreSQL 9.3
  • HSQLDB 2.3
  • MySQL 5.6 / MariaDB 10.0
  • SQLite 3.8


OACC is open-source software released under the commercial friendly Apache License 2.0 (tl;dr).


  • Oct 11, 2018

    OACC 2.0.0 released

    New API method to support token-based authentication. All pre-release deprecated methods removed.

  • Jun 7, 2017

    OACC 2.0.0 rc.8 released

    Configurable password encryptors, including BCrypt.

  • Apr 25, 2017

    SecureTodo OACC example published

    The SecureTodo example and writeup is out now.

  • May 17, 2016

    New OACC website released

    New OACC website is now usable on any device.

  • Feb 15, 2016

    OACC 2.0.0 rc.7 released

    Permission factories now cache all permissions.

  • Feb 7, 2016

    OACC published on Maven Central

    OACC is now available from the Maven Central Repository.

  • Jan 11, 2016

    OACC 2.0.0 rc.6 released

    Improved serialization support.

  • Nov 17, 2015

    OACC 2.0.0 rc.5 released

    Supports client-specified alternate resource identifier so clients can avoid storing the generated resourceId.

  • Sep 29, 2015

    OACC 2.0.0 rc.4 released

    Expanded database support: now includes profiles for HSQLDB, MySQL and SQLite.

  • Jul 14, 2015

    OACC 2.0.0 rc.3 released

    New API methods to grant/revoke permissions and delete resources and domains; now enforces query authorization; culled overloaded methods.

  • Mar 23, 2015

    OACC 2.0.0 rc.2 released

    New API methods to check permissions; vararg support; only uses unchecked exceptions.

  • Jan 9, 2015

    OACC 2.0.0 rc.1 released

    New API methods to get direct permissions.

  • Nov 18, 2014

    OACC 2.0.0 alpha.4 released

    Comprehensive pluggable authentication module support.

  • Oct 7, 2014

    OACC is open-source!

    OACC open-sourced under the Apache License, Version 2.0. Project website launched.