I have been thinking about this one a lot lately and wanted to run it by the masses first to see if there are already solutions out there.

I am looking at ways to design a series of interfaces that will allow the key components of access control (authentication and authorization) to be generalized enough that all could be provided by pluggable components.

In order for me to realize this goal the following have to be generalized:

1. users
2. authentication process
3. RBAC entities/groups

This poses technical problems because everything must be accessible to the application, yet cannot be in such a way that is implementation-specific.

For example, I cannot depend on a fully qualified LDAP path for a user in the application's list of users because it would not allow me to replace the storage of the users with SQL Server, or XML.

Thoughts are appreciated.
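A sketch of the three interfaces the question asks about (users, authentication, roles), as an added example in Python rather than code from the original post. The names `Principal`, `UserStore`, `Authenticator`, `RoleProvider` and `AccessControl`, the `mem:` subject-id scheme and the sample users and XML role document are all assumptions made for illustration. The point it demonstrates is the one from the LDAP remark: application code only ever holds an opaque `subject_id`, so the role backend can be swapped between an in-memory dictionary and an XML document without the application knowing which one is in use.

```python
"""Pluggable access control: the application depends only on opaque
subject identifiers, never on how a backend stores users or roles."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """What the application sees: a backend-neutral identity (assumed shape)."""
    subject_id: str      # stable opaque key, not an LDAP DN or a SQL row id
    display_name: str


class UserStore(ABC):
    @abstractmethod
    def find_by_login(self, login: str) -> Optional[Principal]: ...


class Authenticator(ABC):
    @abstractmethod
    def authenticate(self, login: str, secret: str) -> Optional[Principal]: ...


class RoleProvider(ABC):
    @abstractmethod
    def roles_for(self, subject_id: str) -> frozenset:
        """Return the role names held by an opaque subject id."""


class AccessControl:
    """Application-facing facade; built from whichever plugins are configured."""
    def __init__(self, authn: Authenticator, roles: RoleProvider):
        self._authn = authn
        self._roles = roles

    def login(self, login: str, secret: str) -> Optional[Principal]:
        return self._authn.authenticate(login, secret)

    def is_permitted(self, principal: Principal, required_role: str) -> bool:
        # Authorization is keyed on subject_id only; no backend detail leaks here.
        return required_role in self._roles.roles_for(principal.subject_id)


# --- Plugin 1: in-memory user store that also authenticates (salted PBKDF2) ---
def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class MemoryUserStore(UserStore, Authenticator):
    def __init__(self):
        self._users = {}  # login -> (Principal, salt, pbkdf2 hash)

    def add(self, login: str, secret: str, display: str) -> Principal:
        salt = os.urandom(16)
        p = Principal(subject_id=f"mem:{login}", display_name=display)
        self._users[login] = (p, salt, _hash(secret, salt))
        return p

    def find_by_login(self, login):
        entry = self._users.get(login)
        return entry[0] if entry else None

    def authenticate(self, login, secret):
        entry = self._users.get(login)
        if entry is None:
            return None
        principal, salt, expected = entry
        # Constant-time comparison so a wrong guess does not leak timing.
        return principal if hmac.compare_digest(_hash(secret, salt), expected) else None


class MemoryRoleProvider(RoleProvider):
    def __init__(self, mapping):
        self._mapping = mapping  # subject_id -> set of role names

    def roles_for(self, subject_id):
        return frozenset(self._mapping.get(subject_id, ()))


# --- Plugin 2: roles read from an XML document (constructed sample data) ---
SAMPLE_ROLES_XML = """<roles>
  <user id="mem:alice"><role>admin</role><role>reader</role></user>
  <user id="mem:bob"><role>reader</role></user>
</roles>"""


class XmlRoleProvider(RoleProvider):
    def __init__(self, xml_text: str):
        self._root = ET.fromstring(xml_text)

    def roles_for(self, subject_id):
        # Iterate rather than build an XPath from the id, so the id is never
        # interpolated into a query string.
        for user in self._root.findall("user"):
            if user.get("id") == subject_id:
                return frozenset(r.text for r in user.findall("role") if r.text)
        return frozenset()


def demo(role_backend: str = "xml") -> dict:
    """Run the same application flow against either role backend."""
    store = MemoryUserStore()
    store.add("alice", "correct horse battery", "Alice")   # constructed sample
    store.add("bob", "hunter2", "Bob")                      # constructed sample
    if role_backend == "xml":
        roles = XmlRoleProvider(SAMPLE_ROLES_XML)
    else:
        roles = MemoryRoleProvider({"mem:alice": {"admin", "reader"}, "mem:bob": {"reader"}})
    ac = AccessControl(authn=store, roles=roles)
    alice = ac.login("alice", "correct horse battery")
    bob = ac.login("bob", "hunter2")
    return {
        "alice_ok": alice is not None,
        "bad_password": ac.login("alice", "wrong") is None,
        "unknown_user": ac.login("carol", "x") is None,
        "alice_admin": ac.is_permitted(alice, "admin"),
        "bob_admin": ac.is_permitted(bob, "admin"),
        "bob_reader": ac.is_permitted(bob, "reader"),
    }


if __name__ == "__main__":
    print(demo("xml"))
    print(demo("memory"))
```

Both `demo("xml")` and `demo("memory")` produce the same answers because `AccessControl` never touches anything but the `Principal` it got back from `login`; an LDAP- or SQL Server-backed `RoleProvider` would slot in the same way as long as it maps its native keys (a DN, a row id) to the same opaque `subject_id` the user store issues.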