Role concept in the authorization


I'm writing the following

public interface SecurityService{

    public Error tryLogin(String usr, String psw);

    public String getRoleCurrentUser(); //Attention here
}

and of course, there will be a couple of implementations. For instance, now I have:

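import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;

public class SpringSecurityService implements SecurityService {

     @Autowired
     AuthenticationManager authenticationManager;

     public Error tryLogin(String usr, String psw){
         //Implementation here
         return null; //placeholder so the stub compiles
     }

     public String getRoleCurrentUser(){
          String role = null;
          //Getting the role of the current user
          //and, if the user is authorized,
          //assigning it to the role local variable
          return role;
     }
}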

In the SecurityService interface I used the role concept. My question is whether using the role concept couples the code to Spring Security.

Or is the role concept a strictly cryptographic concept, so that any security framework which takes care of authorization should understand the role concept?

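An added example, not the asker's code, of how the interface from the question can stay free of Spring types while one adapter class delegates to Spring Security. The `boolean` and `Set<String>` return types and the method name `getRolesOfCurrentUser` are assumptions made for this sketch. It relies on the `AuthenticationManager` being configured elsewhere.

```java
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical variant of the question's interface: no Spring type leaks out.
interface SecurityService {
    boolean tryLogin(String usr, String psw);
    Set<String> getRolesOfCurrentUser();
}

// The only class that depends on Spring Security.
class SpringSecurityService implements SecurityService {
    private final AuthenticationManager authenticationManager;

    SpringSecurityService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public boolean tryLogin(String usr, String psw) {
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(usr, psw));
            // Publish the authenticated principal for the current thread.
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException e) {
            // Same result for unknown user and wrong password.
            SecurityContextHolder.clearContext();
            return false;
        }
    }

    @Override
    public Set<String> getRolesOfCurrentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no authentication or an anonymous token means no roles.
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return Set.of();
        }
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toUnmodifiableSet());
    }
}
```

Callers depend only on `SecurityService`, so an implementation backed by another framework can return the same role strings without any caller changing.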

There are 1 best solutions below


I would strongly suggest against implementing your own logic. Just search around in SO for many failed attempts.

There are plenty of frameworks that let you do just the right level of access control you are looking for. Some are even mentioned in the comments.

Have a look at:

  • Spring Security
  • Apache Shiro
  • WSO2 IS

which are all open source solutions for authentication and / or authorization.

At a broader level, read up on the two prevalent authorization models out there: