Java Application Security Framework
Peace of Mind:
Knowing your multi-tenant application enforces fine-grained security
OACC - pronounced [oak] - is a fully featured API to both enforce and manage your application's authentication and authorization needs.
All the functionality to manage your application's security model, out of the box.
Always operate at the resource level. Manage permissions exclusively between resources.
Secure any operation between your domain objects and the actors on them.
Authorize subjects to delegate their permissions to others with GRANT OPTIONS.
Authorize an authenticated subject to securely "impersonate" another subject.
Find resources by permission with efficient symmetric query methods.
Learn more about all of OACC's authorization and authentication features on the Features page.
OACC is compatible with Java™ SE 7 (Java™ version 1.7.0), or higher.
OACC persists all security relationships in database tables and currently supports the following databases:
OACC is open-source software released under the commercial-friendly Apache License 2.0 (tl;dr).
Oct 11, 2018
New API method to support token-based authentication. All pre-release deprecated methods removed.
Jun 7, 2017
Configurable password encryptors, including BCrypt.
Apr 25, 2017
The SecureTodo example and writeup are out now.
May 17, 2016
New OACC website is now usable on any device.
Feb 15, 2016
Permission factories now cache all permissions.
Feb 7, 2016
OACC is now available from the Maven Central Repository.
Jan 11, 2016
Improved serialization support.
Nov 17, 2015
Supports a client-specified alternate resource identifier, so clients can avoid storing the generated resourceId.
Sep 29, 2015
Expanded database support: now includes profiles for HSQLDB, MySQL and SQLite.
Jul 14, 2015
New API methods to grant/revoke permissions and delete resources and domains; now enforces query authorization; culled overloaded methods.
Mar 23, 2015
New API methods to check permissions; vararg support; only uses unchecked exceptions.
Jan 9, 2015
New API methods to get direct permissions.
Nov 18, 2014
Comprehensive pluggable authentication module support.
Oct 7, 2014
OACC open-sourced under the Apache License, Version 2.0. Project website launched.