// the find
apache/casbin-jcasbin
An authorization library that supports access control models like ACL, RBAC, ABAC in Java
jCasbin is a Java port of the Go Casbin library that handles authorization policy enforcement — ACL, RBAC, ABAC, and combinations of them — through a configurable policy model defined in INI-like config files. It's a good fit for Java/Spring applications that need flexible, externalized authorization logic without rolling their own. It does enforcement only: authentication and user storage are your problem.
The PERM metamodel (Policy, Effect, Request, Matchers) is genuinely clever — you swap authorization models by changing a config file, not by rewriting code. Cross-language policy compatibility is a real differentiator if you run multiple stacks; the expression validator added in 1.98.1 actually enforces this at runtime rather than just documenting it. The `SyncedEnforcer` and `CachedEnforcer` variants are thoughtful additions for concurrent environments, and the watcher interface gives you a clean hook for distributed cache invalidation. Test coverage is solid — 20+ test classes covering every model type with benchmarks included.
The Java implementation lags the Go original — features land in Go first and sometimes never make it over. Policy files are flat CSV, which works until you have thousands of rules and need to reason about them; there's no built-in tooling to audit or visualize a large policy set beyond the external web UI. AviatorScript as the expression engine is an obscure choice that the project is now actively restricting (as of 1.98.1) to maintain cross-platform parity — if you've been using AviatorScript-specific syntax, that's a silent `false` waiting for you after an upgrade. Documentation lives on casbin.org rather than in the repo, so the README points you to URLs that can go stale or drift out of sync with the code.