AuthZForce is an Attribute-Based Access Control (ABAC) framework, compliant with XACML standard v3.0, and able to retrieve extra attributes from various sources, e.g. LDAP/SQL databases, REST services or X.509 Attribute Certificates.

AuthZForce is an Attribute-Based Access Control (ABAC) framework, compliant with the OASIS XACML standard v3.0, that mostly consists of an authorization policy engine and a RESTful authorization server. It was primarily developed to provide advanced access control for Web Services or APIs, but is generic enough to address all kinds of access control use cases.
You can use AuthZForce in two ways depending on your needs:
    - Java API: AuthZForce provides a XACML PDP (Policy Decision Point) engine as a Java library so that applications can instantiate and use an embedded XACML PDP easily with Java.
    - Web API: AuthZForce provides a multi-tenant HTTP/REST API to PDPs and PAPs (Policy Administration Points) that web clients can call to manage policies, request authorization decisions, etc.

AuthZForce is able to retrieve attributes from a XACML Request of course, but also from other attribute sources, e.g. LDAP or SQL database servers, REST services, X.509 attribute certificates. Besides, its plugin architecture enables developers to support custom attribute sources by adding new plugins.

Web site
Releases / Downloads
Project leader(s)

Romain Ferrari, Thales Group

License(s)GNU General Public License v3.0 only
StandardsJava EE LDAP REST SOA X.509 XACML
VCS repository(ies)

- type: git

Issue tracker URL
Discussion channels (anti-spam protection)


- AuthzForce Core (Java Library) - Quick Start Guide:
- AuthzForce Server (Web API):
  - REST API specification:
  - Installation & Administration Guide:
  - User & Developer Guide: