yahoo / elide

Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort.
https://elide.io

Support jCasbin as the authorization backend #661

Closed veotax closed 1 year ago

veotax commented 6 years ago

jCasbin is an authorization library that supports models like ACL, RBAC, ABAC.

Related to RBAC, casbin has several advantages:

  1. roles can be cascaded, aka roles can have roles.
  2. support resource roles, so users have their roles and resources have their roles too. role = group here.
  3. the permission assignments (or policy in casbin's language) can be persisted in files or database.
  4. multiple models like ACL, BLP, RBAC, ABAC, RESTful are supported.

And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible.

I saw there's an RBAC need here: https://github.com/yahoo/elide/issues/426, and I think jCasbin is a good choice. What do you think? Thanks.

clayreimann commented 6 years ago

Thanks for the idea @veotax. It looks like jCasbin is a very configurable security ACL framework, if underwhelmingly documented (at least in Java). I believe, however, that its concerns are orthogonal to those of Elide.

We provide a number of hooks for users to implement security in a manner of their choosing, and it looks like you could certainly build a generic security check using jCasbin that handles all of your security needs. Based on the readme over there you'd probably want to use a request-time check as opposed to a commit-time check since jCasbin does not appear to support conditional access based on the final state of a modified resource.
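As an added illustration of the request-time check described above (example code, not from Elide, jCasbin, or anyone in this thread), here is an Elide `OperationCheck` that delegates the decision to a jCasbin `Enforcer`. It assumes the Elide 4.x security API (`OperationCheck`, `RequestScope.getUser().getOpaqueUser()` returning a principal name) and builds the Casbin model and policy inline, with cascaded user roles and a resource role for the entity types being checked.

```java
// Added example: request-time Elide check backed by jCasbin (not code from either project).
// Assumes the Elide 4.x security API; model and policy are constructed inline for illustration.
import com.yahoo.elide.security.ChangeSpec;
import com.yahoo.elide.security.RequestScope;
import com.yahoo.elide.security.checks.OperationCheck;
import org.casbin.jcasbin.main.Enforcer;
import org.casbin.jcasbin.model.Model;

import java.util.Optional;

public class CasbinReadCheck extends OperationCheck<Object> {

    // RBAC model with user roles (g) and resource roles (g2), the two features listed in the issue.
    private static final String MODEL_TEXT = String.join("\n",
        "[request_definition]", "r = sub, obj, act",
        "[policy_definition]", "p = sub, obj, act",
        "[role_definition]", "g = _, _", "g2 = _, _",
        "[policy_effect]", "e = some(where (p.eft == allow))",
        "[matchers]", "m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act");

    private static final Enforcer ENFORCER = buildEnforcer();

    private static Enforcer buildEnforcer() {
        Model model = new Model();
        model.loadModelFromText(MODEL_TEXT);
        Enforcer e = new Enforcer(model);
        // Cascaded roles: alice -> editor -> viewer (roles can have roles).
        e.addGroupingPolicy("alice", "editor");
        e.addGroupingPolicy("editor", "viewer");
        // Resource roles: these entity types belong to the "catalog" resource group.
        e.addNamedGroupingPolicy("g2", "Book", "catalog");
        e.addNamedGroupingPolicy("g2", "Author", "catalog");
        // Policy rules (in production these would come from a file or database adapter).
        e.addPolicy("viewer", "catalog", "read");
        e.addPolicy("editor", "catalog", "write");
        return e;
    }

    @Override
    public boolean ok(Object object, RequestScope requestScope, Optional<ChangeSpec> changeSpec) {
        // Assumption: the opaque user is the principal name; adapt this to your User type.
        String subject = String.valueOf(requestScope.getUser().getOpaqueUser());
        // Assumption: the entity's simple class name is the Casbin object; use a stable type id
        // instead if your persistence layer hands Elide proxy classes.
        String resource = object.getClass().getSimpleName();
        // Request-time decision on the entity type and action only; changeSpec (final state) is ignored.
        return ENFORCER.enforce(subject, resource, "read");
    }
}
```

With this policy, alice inherits read on Book and Author through editor -> viewer, while a user with no grouping entry is denied; a write check would be a sibling class passing "write" as the action.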

DennisMcWherter commented 6 years ago

To be clear, my understanding of jCasbin is minimal. However, I don’t see a reason why one couldn’t implement a jCasbin PermissionExecutor. Most likely this executor would simply ignore bean permission annotations and read from the appropriate place. If someone wanted to do this, that seems like the most natural place to me.

Any issues with that @clayreimann?