I am looking for a security framework for a Java web application with object granularity.
What it means is that I don't just want to filter by URLs or by roles, but by specific user ownership of domain objects inside the system.
For example, if there is a `Message` object that has a `Sender` user and a `Receiver` user I would like to be able to configure it so that every Message can be RW by its sender and RO by its receiver.
Or for example, all user profiles are viewable by all users but editable only by the owner.
These rules, of course, I would like to define with metadata (annotations, XML files, whatever) and not embedded in my business logic.
Is there such a beast out there? Preferably open source.

I've upvoted Matt B, but I'd suggest there's nothing wrong with building your own bespoke solution here. There is often a general tendency to try to crowbar in a generic framework, when in fact it's often lower risk / less development time to simply write your own, especially in this case where your entitlements model sounds fairly simple.
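The `Message` rule from the question (read-write for the sender, read-only for the receiver), declared as metadata on the domain class and enforced by one small reflective check. This is an added example, not code from either post or from any framework; the `Grants` annotation, the `Access` enum, `accessFor`, `allowed`, and the use of plain strings as user identities are all hypothetical names and assumptions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;

public class OwnershipAclDemo {
    enum Access { NONE, READ, WRITE }   // ordered: WRITE implies READ

    // Hypothetical annotation: the user stored in this field gets this access level.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
    @interface Grants { Access value(); }

    static class Message {
        @Grants(Access.WRITE) final String sender;    // RW for the sender
        @Grants(Access.READ)  final String receiver;  // RO for the receiver
        final String body;
        Message(String sender, String receiver, String body) {
            this.sender = sender; this.receiver = receiver; this.body = body;
        }
    }

    // Highest access any annotated field grants to this user; deny (NONE) by default.
    static Access accessFor(String user, Object domainObject) {
        Access best = Access.NONE;
        for (Field f : domainObject.getClass().getDeclaredFields()) {
            Grants g = f.getAnnotation(Grants.class);
            if (g == null) continue;                  // unannotated fields grant nothing
            try {
                f.setAccessible(true);
                boolean owns = user != null && user.equals(f.get(domainObject));
                if (owns && g.value().compareTo(best) > 0) best = g.value();
            } catch (IllegalAccessException e) {
                // Fail closed: an unreadable ownership field must not grant access.
                throw new IllegalStateException("cannot read " + f.getName(), e);
            }
        }
        return best;
    }

    static boolean allowed(String user, Object o, Access needed) {
        return accessFor(user, o).compareTo(needed) >= 0;
    }

    public static void main(String[] args) {
        Message m = new Message("alice", "bob", "hi");   // constructed sample data
        for (String u : new String[] {"alice", "bob", "mallory"}) {
            System.out.println(u + " read=" + allowed(u, m, Access.READ)
                    + " write=" + allowed(u, m, Access.WRITE));
        }
    }
}
```

The check only keeps the rules out of the business logic if every load and update path calls `allowed` in one place, such as a repository or service-layer interceptor, rather than in individual controllers.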