Question

Our web application is based on Spring Security. We already handle authentication via an SSO provider (CAS).

We are trying to find a convenient solution for handling authorization in our app (roles and permissions).

I read about XACML; however, I couldn't find any practical experience/example of implementing and integrating it inside the Spring Security framework.

Does anyone have any experience with that?

Thanks, Ray.


Solution

What Asela says is true of most XACML-based authorization servers.

You can choose from open-source:

  • WSO2 (Asela's) which gives you so much more than just XACML BTW - it's first and foremost a mediation platform
  • ForgeRock's OpenAM
  • JBoss's PicketBox
  • HerasAF
  • AuthzForce

Some implement XACML 2.0, others XACML 3.0.

In the vendor space you have:

  • IBM (XACML 2.0)
  • Oracle (Proprietary)
  • Dell (XACML 3.0, .NET-based)
  • Axiomatics (XACML 3.0, .NET and Java)

Disclaimer: I work for the latter, Axiomatics. We have tested a sample PEP that implements the Spring Security Access Decision in the past and it works fine. Our PDP is exposed both as a SOAP web service and via REST according to the REST profile of XACML.

Do you want to have your Spring Access Decision Manager implement a XACML PEP? Do you want to use a Voter instead? Do you need to support obligations and advice?

You can also use an AOP PEP which Axiomatics also provides. We have a webinar on just the topic this coming Thursday. Details here.

Other suggestions

I am not sure about the Spring Security framework. But if your application can call an external SOAP web service, you can use WSO2 Identity Server, because WSO2 Identity Server's PDP is exposed via a SOAP-based web service. Using your application, I guess, you can call it easily. You can find more detail in this blog.

I know this is an old question but I thought a recent webinar titled "Enhancing Spring Security" (disclaimer: I work for Axiomatics and am a panelist in the webinar) would be useful to answer the question asked.

It explains how the Spring Expression Language (SpEL) (introduced in v3) can be extended to implement custom expressions that call out to the XACML PDP for an authorization decision at the URL and UI (Web Expression) level as well as at the method (Method Expression) level.
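As an added illustration of the "Voter as a XACML PEP" route from the accepted answer and the "call out to the PDP" idea in the last one (example code written here, not code from the question, the answers or any vendor's PEP): a Spring Security `AccessDecisionVoter` that builds a XACML 3.0 JSON-profile request for the current web request, POSTs it to a PDP, and fails closed on anything other than an explicit Permit. The PDP URL, the `application/xacml+json` exchange and the subject/resource/action attribute set are assumptions; obligations and advice are not handled, and wiring the voter into an `AffirmativeBased` or `UnanimousBased` decision manager is left to the application.

```java
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import java.util.regex.*;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/** Spring Security voter acting as a XACML PEP: each web request is decided by an external PDP. */
public class XacmlVoter implements AccessDecisionVoter<FilterInvocation> {
    private static final Pattern DECISION = Pattern.compile("\"Decision\"\\s*:\\s*\"(\\w+)\"");
    private final URL pdpUrl; // hypothetical PDP endpoint, e.g. https://pdp.example.internal/authorize

    public XacmlVoter(String pdpUrl) throws IOException { this.pdpUrl = new URL(pdpUrl); }
    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }

    @Override public int vote(Authentication auth, FilterInvocation fi, Collection<ConfigAttribute> attrs) {
        if (auth == null || !auth.isAuthenticated()) return ACCESS_DENIED;
        String body = buildRequest(auth.getName(), fi.getRequestUrl(), fi.getHttpRequest().getMethod());
        try {
            // Only an explicit Permit grants; Deny, NotApplicable and Indeterminate all fail closed.
            return "Permit".equals(askPdp(body)) ? ACCESS_GRANTED : ACCESS_DENIED;
        } catch (IOException e) {
            return ACCESS_DENIED; // PDP unreachable or malformed reply: deny rather than abstain
        }
    }

    /** Minimal XACML 3.0 JSON-profile request carrying subject-id, resource-id and action-id. */
    static String buildRequest(String subject, String resource, String action) {
        return "{\"Request\":{"
            + "\"AccessSubject\":{\"Attribute\":[{\"AttributeId\":\"urn:oasis:names:tc:xacml:1.0:subject:subject-id\",\"Value\":\"" + esc(subject) + "\"}]},"
            + "\"Resource\":{\"Attribute\":[{\"AttributeId\":\"urn:oasis:names:tc:xacml:1.0:resource:resource-id\",\"Value\":\"" + esc(resource) + "\"}]},"
            + "\"Action\":{\"Attribute\":[{\"AttributeId\":\"urn:oasis:names:tc:xacml:1.0:action:action-id\",\"Value\":\"" + esc(action) + "\"}]}}}";
    }

    /** POSTs the request to the PDP and extracts the Decision string from its JSON response. */
    private String askPdp(String body) throws IOException {
        HttpURLConnection c = (HttpURLConnection) pdpUrl.openConnection();
        c.setRequestMethod("POST"); c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/xacml+json"); c.setRequestProperty("Accept", "application/xacml+json");
        try (OutputStream out = c.getOutputStream()) { out.write(body.getBytes(StandardCharsets.UTF_8)); }
        if (c.getResponseCode() != 200) throw new IOException("PDP returned HTTP " + c.getResponseCode());
        try (InputStream in = c.getInputStream()) {
            Matcher m = DECISION.matcher(new String(in.readAllBytes(), StandardCharsets.UTF_8));
            return m.find() ? m.group(1) : "Indeterminate"; // no Decision found: treated as Indeterminate
        }
    }

    private static String esc(String s) { return s.replace("\\", "\\\\").replace("\"", "\\\""); }
}
```

The regex-based response parsing is a deliberate simplification to keep the example dependency-free; a real PEP would use a JSON library and also read any Obligations and AssociatedAdvice the PDP returns.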

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow