What Asela says is true of most XACML-based authorization servers.
You can choose from open-source:
- WSO2 (Asela's) which gives you so much more than just XACML BTW - it's first and foremost a mediation platform
- ForgeRock's OpenAM
- JBoss's PicketBox
- HerasAF
- AuthzForce
Some implement XACML 2.0, others XACML 3.0.
In the vendor space you have:
- IBM (XACML 2.0)
- Oracle (Proprietary)
- Dell (XACML 3.0, .NET-based)
- Axiomatics (XACML 3.0, .NET and Java)
Disclaimer: I work for the latter, Axiomatics. We have tested a sample PEP that implements the Spring Security Access Decision in the past and it works fine. Our PDP is exposed both as a SOAP web service and via REST according to the REST profile of XACML.
Do you want to have your Spring Access Decision Manager implement a XACML PEP? Do you want to use a Voter instead? Do you need to support obligations and advice?
You can also use an AOP PEP which Axiomatics also provides. We have a webinar on just the topic this coming Thursday. Details here.
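
Added example, not part of the original answer and not Axiomatics' or any other vendor's code: a sketch of the Voter option with obligation support, written as a deny-biased PEP against Spring Security's `AccessDecisionVoter` interface. `PdpClient` and `PdpResult` are hypothetical names standing in for whichever SOAP or REST client your PDP provides, and the code assumes Java 16 or later.

```java
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

/** Deny-biased XACML PEP implemented as a Spring Security voter. */
public class XacmlPepVoter implements AccessDecisionVoter<Object> {

    /** Hypothetical PDP answer: the XACML decision plus the ids of returned obligations. */
    public record PdpResult(String decision, List<String> obligationIds) {}

    /** Hypothetical transport to the PDP (SOAP or REST); not a real vendor API. */
    public interface PdpClient {
        PdpResult evaluate(String subject, List<String> actions, Object resource);
    }

    private final PdpClient pdp;
    private final Set<String> supportedObligations; // obligations this PEP can discharge

    public XacmlPepVoter(PdpClient pdp, Set<String> supportedObligations) {
        this.pdp = pdp;
        this.supportedObligations = supportedObligations;
    }

    @Override public boolean supports(ConfigAttribute attribute) { return attribute.getAttribute() != null; }
    @Override public boolean supports(Class<?> clazz) { return true; }

    @Override
    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        List<String> actions = attributes.stream()
                .map(ConfigAttribute::getAttribute).filter(Objects::nonNull).toList();
        PdpResult result;
        try {
            result = pdp.evaluate(authentication.getName(), actions, object);
        } catch (RuntimeException e) {
            return ACCESS_DENIED; // PDP unreachable or errored: fail closed
        }
        // Deny-biased: Deny, NotApplicable and Indeterminate are all treated as deny.
        if (result == null || !"Permit".equals(result.decision())) return ACCESS_DENIED;
        // A Permit carrying an obligation the PEP cannot fulfil must not grant access.
        List<String> obligations = result.obligationIds() == null ? List.of() : result.obligationIds();
        if (!supportedObligations.containsAll(obligations)) return ACCESS_DENIED;
        return ACCESS_GRANTED; // advice, unlike obligations, may be ignored by the PEP
    }
}
```

The voter only checks that each obligation is one it knows how to discharge; actually carrying it out (for example writing an audit record) still has to happen around the protected call.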