Java role-based access control

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use or share it you must comply with the same CC BY-SA licence, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow. Original address: http://stackoverflow.com/questions/3895467/

Date: 2020-08-14 06:29:14  Source: igfitidea

Role Based Access Control

Tags: java, authorization, rbac

Asked by Alex

Are there any java open source role-based access control system?

Answered by duffymo

Spring Security might be good for you.

Answered by Stephen C

There are lots of possible solutions, but which one is best (i.e. meets your needs without being too heavyweight or too complicated to implement) depends on your requirements:

  • Are you talking about access control for a web service, or something else?

  • What kind of access control are you looking to implement? Based purely on resource URLs, or depending on the state / metadata of the requested entities? Are the roles simple or hierarchical? Do different actions require different roles?

  • Do you need to deal with authorization as well?

Answered by Amrinder Arora

I presume that the question that you are trying to answer is:

Does user u have access to do operation op on object o?

One thing to consider is how are your domain objects and user groups defined from a business perspective (outside of the AC mechanism). For any RBAC implementation, you would need to configure it to tell what your users and user groups are. That will affect your choice of RBAC implementation.

Another (more specific) question: do you need to support override permissions, includes and excludes? Specifically, do you want to be able to support the scenario that object o1 is available to usergroup g1, but not user u1 (who is part of group g1)?

Depending upon the specific answers, jguard (which is built over JAAS) might be a very good option - http://jguard.net/

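
A concrete way to make the requirement questions above testable (Stephen C's hierarchical roles and per-action roles, and Amrinder Arora's include/exclude override where group g1 may reach o1 but its member u1 may not) is a small in-memory policy engine. The following is an added example written for this page, not code from jguard, JAAS or any other framework mentioned here; the class and method names (RbacDemo, grant, deny, isAllowed) and the sample policy are assumptions, and it needs Java 16 or later for the record type.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration (hypothetical names, not any framework's API): a minimal
 * in-memory RBAC engine answering "may user u perform operation op on object o?"
 * with hierarchical roles, per-operation grants, and a per-user deny override
 * that excludes one member of an otherwise permitted group.
 */
public class RbacDemo {

    /** A permission is an (operation, object) pair, e.g. ("read", "o1"). */
    record Permission(String operation, String object) {}

    // Senior role -> junior roles it inherits from (everything the junior has, the senior has).
    private final Map<String, Set<String>> parentRoles = new HashMap<>();
    // Role -> permissions granted directly to that role.
    private final Map<String, Set<Permission>> rolePermissions = new HashMap<>();
    // User -> roles (groups) directly assigned.
    private final Map<String, Set<String>> userRoles = new HashMap<>();
    // User -> explicit denials; a deny always beats any role-derived grant.
    private final Map<String, Set<Permission>> userDenies = new HashMap<>();

    void addRoleInheritance(String senior, String junior) {
        parentRoles.computeIfAbsent(senior, k -> new HashSet<>()).add(junior);
    }

    void grant(String role, String operation, String object) {
        rolePermissions.computeIfAbsent(role, k -> new HashSet<>())
                       .add(new Permission(operation, object));
    }

    void assign(String user, String role) {
        userRoles.computeIfAbsent(user, k -> new HashSet<>()).add(role);
    }

    void deny(String user, String operation, String object) {
        userDenies.computeIfAbsent(user, k -> new HashSet<>())
                  .add(new Permission(operation, object));
    }

    /** Expands a user's direct roles through the hierarchy (iterative, so cycles cannot loop). */
    private Set<String> effectiveRoles(String user) {
        Set<String> result = new HashSet<>();
        Deque<String> work = new ArrayDeque<>(userRoles.getOrDefault(user, Set.of()));
        while (!work.isEmpty()) {
            String role = work.pop();
            if (result.add(role)) {
                work.addAll(parentRoles.getOrDefault(role, Set.of()));
            }
        }
        return result;
    }

    /** Default deny: allowed only if no user-level deny exists and some effective role grants (op, o). */
    boolean isAllowed(String user, String operation, String object) {
        Permission wanted = new Permission(operation, object);
        if (userDenies.getOrDefault(user, Set.of()).contains(wanted)) {
            return false;
        }
        for (String role : effectiveRoles(user)) {
            if (rolePermissions.getOrDefault(role, Set.of()).contains(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        RbacDemo rbac = new RbacDemo();
        // Constructed sample policy: "editor" inherits "viewer"; each operation needs its own grant.
        rbac.addRoleInheritance("editor", "viewer");
        rbac.grant("viewer", "read", "o1");
        rbac.grant("editor", "write", "o1");
        // Group g1 is modelled as the "viewer" role; u1 and bob are its members, alice is an editor.
        rbac.assign("alice", "editor");
        rbac.assign("u1", "viewer");
        rbac.assign("bob", "viewer");
        // Override: u1 belongs to g1 but is explicitly excluded from o1.
        rbac.deny("u1", "read", "o1");

        System.out.println("alice write o1: " + rbac.isAllowed("alice", "write", "o1"));
        System.out.println("alice read  o1: " + rbac.isAllowed("alice", "read", "o1"));
        System.out.println("bob   write o1: " + rbac.isAllowed("bob", "write", "o1"));
        System.out.println("bob   read  o1: " + rbac.isAllowed("bob", "read", "o1"));
        System.out.println("u1    read  o1: " + rbac.isAllowed("u1", "read", "o1"));
    }
}
```

Two design points matter for a real deployment: the decision is default-deny (an unknown user, role or object yields false rather than throwing), and the deny check runs before the role walk, so the exclusion for u1 holds no matter how many groups later grant the same permission. If your requirements include entity-state or metadata conditions, that is the point where a policy-based engine (ABAC) or a library such as jCasbin's model files becomes more appropriate than plain role lookup.
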
Answered by kommradHomer

APACHE SHIRO Java Security Framework

It is using Role Based Access Control on Authorization

Answered by Shawn McKinney

Apache Fortress is ANSI RBAC compliant engine (INCITS 359) and is released under Apache Software license. You can pull it down from here: https://directory.apache.org/fortress/.

Answered by M-Razavi

There are several frameworks which provide authorization system for you:

  1. Spring Security
    A highly customizable framework, Spring Security is widely used to handle the authentication and access control (authorization) issues arising in any Enterprise based application developed in Java.

  2. Apache Shiro
    Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. With Shiro's easy-to-understand API, you can quickly and easily secure any application – from the smallest mobile applications to the largest web and enterprise applications.

  3. JAAS (Java Authentication and Authorization Services)
    JAAS is one of the security APIs that consists of Java packages designed exclusively for user authentication & authorization. Introduced as an optional package in Java SE 1.3, JAAS was later integrated into JDK, starting from JDK 1.4.

  4. OACC
    This Java application security framework is designed to fine grain (object level) the access control. Its focus is to provide a full-featured API to enforce as well as manage the authentication and authorization needs of an application. It offers complete implementation of a flexible and robust security model.

  5. jCasbin
    jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models.

  6. Keycloak
    Keycloak is an open-source Identity and Access Management solution targeted towards modern applications and services. It offers features such as Single-Sign-On (SSO), Identity Brokering and Social Login, User Federation, Client Adapters, an Admin Console, and an Account Management Console.
