Summary

ABAC (Attribute-Based Access Control) is a standard published by NIST (US National Institute of Standards and Technology) in cooperation with industry and universities. ABAC grants access based on user attributes and policies.

Wikipedia: https://en.wikipedia.org/wiki/Attribute-Based_Access_Control
NIST: http://csrc.nist.gov/projects/abac/

Actual Behavior

Currently we only have RBAC (Role-Based Access Control) and ACL (Access Control List).

Expected Behavior

Implement a spring-abac module to support ABAC policies.

Sample

```json
[
  {
    "name": "Liquor shop for adults only",
    "type": "",
    "description": "grant access to liquor store if user is older than 21",
    "applicable": "resource.type=='LIQUOR_STORE'",
    "condition": "subject.principal.age>21"
  }
]
```

```java
@RequestMapping(path = "shops")
@PreAuthorize("hasRole('USER') and checkPolicy()")
public List<Shop> listShops() {
    ....
}
```
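To make the semantics of the proposed policy format concrete, here is an added example (not code from this issue or from Spring Security) of a minimal policy decision point written in Python. It loads the sample policy list above and answers the question behind `checkPolicy()` for a given subject and resource: a request is permitted only if some policy is applicable to the resource and that policy's condition holds for the subject. The `subject`/`resource` attribute dictionaries, the names `check_policy` and `evaluate`, and the deliberately tiny comparison grammar used in place of a real expression language such as SpEL are all assumptions of this example.

```python
import json
import operator
import re

# Constructed policy set in the shape proposed in the issue (not a Spring artifact).
POLICIES_JSON = """
[
  {
    "name": "Liquor shop for adults only",
    "type": "",
    "description": "grant access to liquor store if user is older than 21",
    "applicable": "resource.type=='LIQUOR_STORE'",
    "condition": "subject.principal.age>21"
  }
]
"""

# Deliberately tiny expression grammar: a conjunction ("and") of comparisons,
# where each operand is a quoted string, an unsigned integer or a dotted
# attribute path. Policy text is matched against this regex and is never
# handed to eval(), so a policy file cannot smuggle in arbitrary code.
# (String literals must not contain the word "and" in this toy grammar.)
_COMPARISON = re.compile(
    r"^(?P<lhs>'[^']*'|\d+|[A-Za-z_][\w.]*)\s*"
    r"(?P<op>==|!=|>=|<=|>|<)\s*"
    r"(?P<rhs>'[^']*'|\d+|[A-Za-z_][\w.]*)$"
)
_OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
        ">=": operator.ge, "<": operator.lt, "<=": operator.le}


class AttributeMissing(LookupError):
    """Raised when a policy refers to an attribute the request context lacks."""


def _operand(token, ctx):
    """Turn one operand token into a value: string literal, int, or attribute lookup."""
    if token.startswith("'"):
        return token[1:-1]
    if token.isdigit():
        return int(token)
    value = ctx
    for part in token.split("."):
        if not isinstance(value, dict) or part not in value:
            raise AttributeMissing(token)
        value = value[part]
    return value


def evaluate(expr, ctx):
    """Evaluate a policy expression against ctx = {"subject": ..., "resource": ...}.

    Raises AttributeMissing for unknown attributes and TypeError when the two
    sides differ in type ('21' vs 21), so a sloppy policy fails loudly instead
    of silently granting or denying.
    """
    for clause in re.split(r"\s+and\s+", expr.strip()):
        m = _COMPARISON.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported policy expression: {clause!r}")
        lhs, rhs = _operand(m["lhs"], ctx), _operand(m["rhs"], ctx)
        if type(lhs) is not type(rhs):
            raise TypeError(f"type mismatch in {clause!r}: {lhs!r} vs {rhs!r}")
        if not _OPS[m["op"]](lhs, rhs):
            return False
    return True


def load_policies(text=POLICIES_JSON):
    """Parse the JSON policy list (the sample above by default)."""
    return json.loads(text)


def check_policy(policies, subject, resource):
    """Policy decision point, default deny.

    Permit only if some policy is applicable to the resource AND its condition
    holds for the subject. A policy that cannot be evaluated because an
    attribute is missing is skipped, i.e. it never grants access (fail closed).
    """
    ctx = {"subject": subject, "resource": resource}
    for policy in policies:
        try:
            if evaluate(policy["applicable"], ctx) and evaluate(policy["condition"], ctx):
                return True
        except AttributeMissing:
            continue
    return False


if __name__ == "__main__":
    policies = load_policies()
    store = {"type": "LIQUOR_STORE"}
    print(check_policy(policies, {"principal": {"name": "alice", "age": 30}}, store))  # True
    print(check_policy(policies, {"principal": {"name": "bob", "age": 21}}, store))    # False: 21 is not > 21
    print(check_policy(policies, {"principal": {"name": "carol"}}, store))             # False: no age attribute
```

Three design choices carry the security weight: the decision is default deny (a resource no policy applies to is not granted by `checkPolicy()`), a policy whose attributes are absent from the request is skipped rather than treated as satisfied, and policy strings are parsed with a fixed grammar instead of being evaluated as code, which matters because policy files are often editable by people who should not be able to run code inside the application.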