PicketLink supports fine-grained security when one implements a Service Provider Interface:
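import java.io.Serializable;

public interface PermissionResolver
{
    // Tri-state result; NOT_APPLICABLE means the resolver does not handle this check.
    public enum PermissionStatus {
        ALLOW, DENY, NOT_APPLICABLE
    }

    // Check an operation against a resource instance.
    PermissionStatus hasPermission(Object resource, String operation);

    // Check an operation against a resource named by its class and identifier.
    PermissionStatus hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
}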
Now the only thing we need to figure out is a way to fit this into an API so that it's not PicketLink-specific. Even better would be to have it declarative, but it seems to be too fine-grained to do that.
I've created some issues already to track work on these things.
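
An added example (not PicketLink code and not from the original text) of what implementing this interface can look like, and why the tri-state result matters when several resolvers are consulted. The Document type, OwnerResolver, the decide helper and its deny-overrides, default-deny combining rule are assumptions made for illustration; the page does not say how PicketLink combines resolver results. Requires Java 16 or later.

```java
import java.io.Serializable;
import java.util.List;
import java.util.Map;

public class ResolverChainExample {
    // Interface as shown on the page, repeated so this file compiles on its own.
    interface PermissionResolver {
        enum PermissionStatus { ALLOW, DENY, NOT_APPLICABLE }
        PermissionStatus hasPermission(Object resource, String operation);
        PermissionStatus hasPermission(Class<?> resourceClass, Serializable identifier, String operation);
    }
    // Hypothetical domain type, constructed for this example.
    record Document(long id, String owner) {}
    // Hypothetical resolver: only the owner may update or delete a Document.
    static class OwnerResolver implements PermissionResolver {
        private final String caller;
        private final Map<Long, Document> store;
        OwnerResolver(String caller, Map<Long, Document> store) { this.caller = caller; this.store = store; }
        public PermissionStatus hasPermission(Object resource, String operation) {
            if (!(resource instanceof Document doc)) return PermissionStatus.NOT_APPLICABLE;
            if (!operation.equals("update") && !operation.equals("delete")) return PermissionStatus.NOT_APPLICABLE;
            return doc.owner().equals(caller) ? PermissionStatus.ALLOW : PermissionStatus.DENY;
        }
        public PermissionStatus hasPermission(Class<?> resourceClass, Serializable identifier, String operation) {
            if (resourceClass != Document.class) return PermissionStatus.NOT_APPLICABLE;
            Document doc = store.get(identifier);
            // Unknown identifier: fail closed rather than abstain.
            return doc == null ? PermissionStatus.DENY : hasPermission(doc, operation);
        }
    }
    // Assumed combining rule: any DENY wins, at least one ALLOW is required, all-abstain means denied.
    static boolean decide(List<PermissionResolver> chain, Object resource, String operation) {
        boolean allowed = false;
        for (PermissionResolver r : chain) {
            switch (r.hasPermission(resource, operation)) {
                case DENY: return false;
                case ALLOW: allowed = true; break;
                default: break; // NOT_APPLICABLE: this resolver abstains
            }
        }
        return allowed;
    }
    public static void main(String[] args) {
        Document doc = new Document(1L, "alice");
        List<PermissionResolver> chain = List.of(new OwnerResolver("bob", Map.of(1L, doc)));
        System.out.println(decide(chain, doc, "update") + " " + decide(chain, doc, "read"));
    }
}
```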