

This tool provides a flexible access control mechanism for APIs: it enforces authorization constraints on resources at the moment their API functions are invoked, so that a call succeeds only if the caller's attributes satisfy the applicable policy. The tool is an extension of the Spring Security framework, the standard for securing services and applications built on the popular open-source Spring framework, for the specification and enforcement of Attribute-Based Access Control (ABAC) policies.
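The following is an added illustration of the pattern described above, not code from the tool or from Spring Security: a small policy decision point (PDP) that evaluates attribute-based rules over subject, action, resource and environment, and a policy enforcement point (PEP) decorator that intercepts an API function and runs it only on a permit decision. The smart-meter scenario, attribute names, rules and combining algorithm (deny-overrides with default deny) are all assumptions made for the example.

```python
"""Hypothetical ABAC enforcement around API functions (illustration only).

Not the Spring Security extension described on this page: the attribute
names, rules and smart-meter data below are constructed for the example.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Any, Callable, Dict


class AccessDenied(Exception):
    """Raised by the enforcement point when the policy does not permit a call."""


@dataclass
class Request:
    subject: Dict[str, Any]          # who is calling (id, role, regions, ...)
    action: str                      # what they want to do (read / write)
    resource: Dict[str, Any]         # attributes of the object being accessed
    environment: Dict[str, Any] = field(default_factory=dict)  # context (network, time window)


@dataclass
class Rule:
    name: str
    effect: str                                  # "permit" or "deny"
    target: Callable[[Request], bool]            # does this rule apply to the request?
    condition: Callable[[Request], bool] = lambda r: True  # extra predicate over attributes


class PolicyDecisionPoint:
    """Evaluates rules with deny-overrides combining and a default of deny."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, req: Request) -> str:
        decision = "deny"  # no applicable permit rule -> deny by default
        for rule in self.rules:
            if rule.target(req) and rule.condition(req):
                if rule.effect == "deny":
                    return "deny"  # any applicable deny wins, whatever the order
                decision = "permit"
        return decision


def abac_protected(pdp, action, resource_of):
    """Enforcement point: build the request from call attributes, ask the PDP,
    and invoke the wrapped API function only if the decision is permit.
    `resource_of` maps the call arguments to the resource's attributes."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(subject, *args, environment=None, **kwargs):
            req = Request(subject, action, resource_of(*args, **kwargs), environment or {})
            if pdp.decide(req) != "permit":
                raise AccessDenied(f"{subject.get('id')} may not {action} {req.resource['id']}")
            return fn(subject, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample data: two smart meters and their readings.
METERS = {
    "m-1": {"id": "m-1", "owner": "alice", "region": "north"},
    "m-2": {"id": "m-2", "owner": "bob", "region": "south"},
}
READINGS = {"m-1": [12.5, 13.1], "m-2": [7.2, 7.9]}

# Constructed policy: owners read their own meter, operators read meters in
# their regions, operators write only inside a maintenance window, and any
# access from a public network is denied regardless of the other rules.
RULES = [
    Rule("owner-reads-own-meter", "permit",
         target=lambda r: r.action == "read",
         condition=lambda r: r.resource["owner"] == r.subject["id"]),
    Rule("operator-reads-region", "permit",
         target=lambda r: r.action == "read" and r.subject.get("role") == "operator",
         condition=lambda r: r.resource["region"] in r.subject.get("regions", ())),
    Rule("operator-writes-in-maintenance-window", "permit",
         target=lambda r: r.action == "write" and r.subject.get("role") == "operator",
         condition=lambda r: r.environment.get("maintenance_window") is True),
    Rule("deny-public-network", "deny",
         target=lambda r: r.environment.get("network") == "public"),
]
PDP = PolicyDecisionPoint(RULES)


@abac_protected(PDP, "read", resource_of=lambda meter_id: METERS[meter_id])
def get_readings(subject, meter_id):
    """API function: return the readings of one meter."""
    return list(READINGS[meter_id])


@abac_protected(PDP, "write", resource_of=lambda meter_id, value: METERS[meter_id])
def add_reading(subject, meter_id, value):
    """API function: append a reading and return the new count."""
    READINGS[meter_id].append(value)
    return len(READINGS[meter_id])


if __name__ == "__main__":
    alice = {"id": "alice", "role": "customer"}
    print(get_readings(alice, "m-1"))
    try:
        get_readings(alice, "m-2")
    except AccessDenied as e:
        print("denied:", e)
```

The policy lives outside the API functions: adding or tightening a rule changes behaviour without touching the functions themselves, and the deny rule shows why a deny-overrides combining algorithm matters when several rules apply to the same call.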


The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done, since it permits the implementation of a multitude of apps customized to user needs. While APIs support a more flexible exploitation of the available data, the services and applications developed on top of them are exposed to a variety of attacks, ranging from SQL injection to unauthorized access to sensitive data. Existing security solutions must therefore be re-used and/or adapted to work with APIs.

We applied our tool in scenarios arising in a smart energy eco-system.

The tool is available on request. Please send an email to Roberto Carbone.

Funding: Activity SecSES - Secure Energy Systems, in the context of the EIT ICT Labs activities 2013 (Innovation Area: Smart Energy Systems).

Relevant paper

Alessandro Armando, Roberto Carbone, Eyasu Getahun Chekole, Silvio Ranise, "Attribute Based Access Control for APIs in Spring Security", In the Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (SACMAT2014), ACM press, 2014.