(Some of the feature set is still under development.) Please start with the final releases.
Requirements Document: https://docs.google.com/document/pub?id=15kEFSBAaHp8maIoecj5FzYKAVoUD6nEoMDbDFqtQ4rE
Let us answer this question by looking at some of the use cases that application developers usually encounter.
Use case from Bill Burke. You have a web application that is accessed from a browser as well as from mobile clients. From the browser, you may want to do regular FORM authentication, but for mobile clients you may have to do token-based and/or OAuth-style access control. This is not possible with Servlet specification security.
I want to lock out users after failed password attempts.
I want to email password reminders to users when they forget their passwords.
I want to step up authentication, or have secondary authentication, based on some rules.
I need security for JSON objects.
These are just some of the use cases that application developers may have, and they are what create the need for an application security framework.
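The lockout use case above ("lock out users after failed password attempts"), worked through as an added example. This is illustrative code written for this page, not PicketBox's own implementation; the class name, the Result enum and the BiPredicate used as a stand-in for the password store are assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

/**
 * Hypothetical lockout policy: after maxAttempts consecutive failures an
 * account is refused for lockDuration, and the counter restarts afterwards.
 * Added example, not PicketBox code; all names here are assumptions.
 */
public class AccountLockoutPolicy {

    public enum Result { SUCCESS, BAD_CREDENTIALS, LOCKED }

    /** Per-account state, guarded by its own monitor. */
    private static final class State {
        int failedAttempts;
        Instant lockedUntil; // null while the account is unlocked
    }

    private final int maxAttempts;
    private final Duration lockDuration;
    private final BiPredicate<String, char[]> passwordStore; // assumed credential check
    private final Map<String, State> states = new ConcurrentHashMap<>();

    public AccountLockoutPolicy(int maxAttempts, Duration lockDuration,
                                BiPredicate<String, char[]> passwordStore) {
        this.maxAttempts = maxAttempts;
        this.lockDuration = lockDuration;
        this.passwordStore = passwordStore;
    }

    /** Applies the lockout rule around the credential check. */
    public Result authenticate(String user, char[] password, Instant now) {
        State s = states.computeIfAbsent(user, k -> new State());
        synchronized (s) {
            if (s.lockedUntil != null) {
                if (now.isBefore(s.lockedUntil)) {
                    // Refuse before consulting the password store, so a locked
                    // account cannot be probed for its password.
                    return Result.LOCKED;
                }
                // The lock has expired: clear it and restart the counter.
                s.lockedUntil = null;
                s.failedAttempts = 0;
            }
            if (passwordStore.test(user, password)) {
                s.failedAttempts = 0;
                return Result.SUCCESS;
            }
            if (++s.failedAttempts >= maxAttempts) {
                s.lockedUntil = now.plus(lockDuration);
                // An audit event (user, client address, time) belongs here.
                return Result.LOCKED;
            }
            return Result.BAD_CREDENTIALS;
        }
    }

    public boolean isLocked(String user, Instant now) {
        State s = states.get(user);
        if (s == null) return false;
        synchronized (s) {
            return s.lockedUntil != null && now.isBefore(s.lockedUntil);
        }
    }

    /** Administrative unlock, e.g. after a help-desk identity check. */
    public void unlock(String user) { states.remove(user); }

    public static void main(String[] args) {
        // Constructed sample store: a single account with a known password.
        BiPredicate<String, char[]> store =
            (u, p) -> "alice".equals(u) && "correct horse".equals(new String(p));
        AccountLockoutPolicy policy =
            new AccountLockoutPolicy(3, Duration.ofMinutes(15), store);
        Instant t0 = Instant.parse("2012-01-01T00:00:00Z");

        // Two wrong passwords are reported as bad credentials.
        System.out.println(policy.authenticate("alice", "wrong".toCharArray(), t0));
        System.out.println(policy.authenticate("alice", "wrong".toCharArray(), t0));
        // The third consecutive failure triggers the lock.
        System.out.println(policy.authenticate("alice", "wrong".toCharArray(), t0));
        // Even the right password is refused while the lock is in force.
        System.out.println(policy.authenticate("alice", "correct horse".toCharArray(),
                                               t0.plus(Duration.ofMinutes(5))));
        // After the window the counter restarts and the correct password succeeds.
        System.out.println(policy.authenticate("alice", "correct horse".toCharArray(),
                                               t0.plus(Duration.ofMinutes(16))));
    }
}
```

Two design points worth noting. A lock keyed only on the username lets anyone who knows a username deny that user service, which is why the example uses a short time-based lock rather than a permanent one; in practice it is paired with throttling by client address. The state map is also per JVM, so a clustered deployment needs the counters in a shared store, which is what the distributed cache support listed further down is for.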
PicketBox is a project that works wonders for application security.
It provides the following features:
Choice of HTTP authentication schemes (BASIC, DIGEST, FORM, CLIENT-CERT, or write your own authentication scheme).
Choice of authentication managers (file-based, LDAP-based, database-based, etc.).
Choice of authorization managers (Drools-based authorization, XACML-based authorization, DeltaSpike Security-based authorization, or write your own authorization mechanism).
Drools gives you rule-based capabilities that allow powerful yet simple access control rules.
XACML is an OASIS standard that allows standards-based access control.
Audit Capabilities.
Use your favorite dependency injection framework: Seam Solder, Spring, etc.
Password Masking.
Infinispan based distributed cache support.
User model based on DeltaSpike IDM.
Decouple applications from security code: you will use filters or interceptors.
JSON security.
Application Session Management.
In addition, the features provided include:
Account Lockout Facility.
Password Reminders.
Changing Password Functionality.
One-Time Password support (for those marketing emails you send).
Includes OTP Tokens.
In addition, the PicketLink family of projects will provide you with Single Sign-On, OpenID, OAuth and SAML2 support.
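Bill Burke's use case from the top of the page (FORM authentication for browsers, token-based access for mobile clients in the same application) done the way the feature list suggests, with a servlet filter that keeps the scheme choice out of application code. This is an added example, not PicketBox's own code: the TokenValidator interface, the session attribute name and the login page path are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter that applies session (FORM) authentication to browser
 * requests and bearer-token authentication to mobile/API clients. Added
 * example, not PicketBox code; the names below are assumptions.
 */
public class SchemeSelectingAuthFilter implements Filter {

    /** Assumed hook that validates a token and returns the user id, or null. */
    public interface TokenValidator {
        String validate(String token);
    }

    static final String USER_ATTR = "authenticated.user"; // assumed attribute name
    static final String LOGIN_PAGE = "/login.jsp";        // assumed FORM login page

    private final TokenValidator validator;

    public SchemeSelectingAuthFilter(TokenValidator validator) {
        this.validator = validator;
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String authz = request.getHeader("Authorization");
        if (authz != null && authz.regionMatches(true, 0, "Bearer ", 0, 7)) {
            // Token path for mobile/API clients. A bad token is rejected here;
            // it never falls back to whatever session the client may hold.
            String user = validator.validate(authz.substring(7).trim());
            if (user == null) {
                response.setHeader("WWW-Authenticate", "Bearer");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            request.setAttribute(USER_ATTR, user);
            chain.doFilter(req, res);
            return;
        }

        // FORM path for browsers: rely on the server-side session set at login.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            if (wantsJson(request)) {
                // An API client without a token gets 401, not an HTML login page.
                response.setHeader("WWW-Authenticate", "Bearer");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            } else {
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            }
            return;
        }
        chain.doFilter(req, res);
    }

    private static boolean wantsJson(HttpServletRequest request) {
        String accept = request.getHeader("Accept");
        return accept != null && accept.contains("application/json");
    }
}
```

Because the filter takes its validator through the constructor, it is registered programmatically (ServletContext.addFilter with a Filter instance, available since Servlet 3.0) or wired by one of the dependency injection frameworks the feature list mentions, rather than through a no-argument constructor in web.xml. The application servlets behind it only read the user attribute and never see which scheme authenticated the request.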
Enrich exception hierarchy: UserNotFoundException, InvalidCredentialsException, LockedUserException, etc.
Account locking
Password resetting
Users provisioning/deprovisioning
Remember-me authentication
Auditing and Intrusion Detection
Concurrent Session Configuration