Apache Fortress

A commercially-supported authorization platform that's production-ready and open source.
DownloadView Standards

“Apache Fortress is an open source project of the Apache Software Foundation and a subproject of the Apache Directory. It is an authorization system, written in Java, that provides role-based access control, delegated administration and password policy using an LDAP backend.”



Find javadocs on RBAC for Apache Fortress here, plus info on its capabilities.

  • RBAC Management APIs (Apache Fortress Core)
  • RBAC Management Services (Apache Fortress Rest)
  • RBAC Management Pages (Apache Fortress Web)
  • RBAC Policy Enforcement for Apache Tomcat (Fortress Realm)
  • Centralized audit log (OpenLDAP)
  • Multi-tenant data and object model
  • Directory storage and replication (OpenLDAP)
Multi-tenant Architecture

Apache Fortress uses multi-tenant architecture.
Learn More

Product Source

The source of Apache Fortress is found on Github:

Source and Binary bundles are available from:
The Apache Fortress Project

The Apache Fortress Authorization Platform

Apache Fortress Core | RBAC software development kit.

Apache Fortress Core: RBAC Management APIs

The standards-based access management Software Development Kit (SDK) is the core of the other Apache Fortress components: Rest, Realm and Web.

Apache Fortress is open source and easy to use.  It supports multi-tenancy allowing multiple organizations to harness a single LDAP instance, while ensuring that the data remains private and isolated.

Find out about the standards that Apache Fortress adheres to. See Standards

Learn how Apache Fortress Core approaches security. See Security Services

Apache Fortress Web | Gui for managing RBAC policies and identities

Web Policy Administration

Apache Fortress Web is a graphical user interface (GUI) that manages the User and RBAC data that resides in LDAP.


Apache Fortress Rest | For managing RBAC through a RESTful interface

Integrate Security RESTfully

Apache Fortress Rest functions as both a Policy Decision Point (PDP) and Policy Administration Point (PAP).

It wraps the Apache Fortress APIs using a service-based (REST/JSON) protocol, enabling multi-platform support. A one-to-one correspondence exists between a Fortress API and a Fortress Rest service. For a list of services, visit the Javadoc.

The Apache Fortress Rest security model uses its own APIs for enforcement ensuring tight security and audit trail. Additionally, Fortress Rest uses Java EE security for another layer of protection.


Apache Fortress Realm | Access enforcement modules for existing services

Guard your Apache Tomcat Web Apps

The Apache Fortress Realm allows Java EE policies to map to Apache Fortress policies that reside inside the LDAP server.

It consists of role-based access control (RBAC) policy enforcement plug-in for security authentication, authorization and auditing.

With the Realm, you add an extra layer of security to your Apache Tomcat apps.

Apache Fortress Standards

ANSI Role-Based Access Control (INCITS 359)

There’s more to compliance than assigning users to groups and applying ACL policies within directories or databases. RBAC systems provide selective role activation and deactivation, role hierarchies, and constraints over separation of duty. The RBAC component provides APIs to add, update, delete and search the directory data. Apache Fortress gives you everything you need to exploit the full power of this ANSI specification.

More info here.

Java EE Platform Security

This is used for SSL, X.509 mutual authentication, form-based container authentication, coarse-grained authorization, SSO and more. It works within compliant Java web apps, such as Apache Fortress Rest and Apache Fortress Web.

Java EE security is good because its declarative controls keep the development and integration costs low. At the same time, it provides adequate network system security, and the business apps run fast because caching is maintained within the app server container. This means fewer round-trips between the application and policy servers.

More info here.

Administrative Role-Based Access Control (ARBAC02)

The ARBAC model explains how RBAC can be extended with organizational controls to govern policies pertaining to the security administration process. ARBAC helps by allowing administrative tasks to be delegated to end users who fall outside typical datacenter operations. Delegation lowers overhead, while at same time maintaining a firm grip on compliance – resulting in cost savings.

More info here.

IETF Password Policies

OpenLDAP has supported this draft since 2005.

Apache Fortress adds by integrating with its administrative and access control APIs. These APIs enable outside apps to participate and manipulate OpenLDAP password policies, without understanding the specifics of how they work. Apache Fortress provides services for setting up new policies and ensuring that password policies are tracked and enforced across all avenues.

More info here.


For audits, Apache Fortress uses the OpenLDAP slapd.access log overlay to track the data exchanges performed within its own APIs. This extended capability stores the history of slapd events needed for replication. The events are persisted in the OpenLDAP backend database: the Lightning Memory-Mapped DB.

Change event tracking includes adds, updates and deletes of Apache Fortress entities. It also tracks Read and Search events: user authentication, authorization and policy interrogations. Apache Fortress maintains full historical data change tracking, which may be searched later with APIs for monitoring, reporting and undo. The log may also be retrieved later to sync with an external database for long-term regulatory and compliance concerns.

Temporal Constraints

The Apache Fortress Temporal model allows users and roles to carry time and date constraints that govern when activations may occur. Role constraints are checked on every call into Apache Fortress. The user constraint is applied only at session creation.

ANSI RBAC Policy-Enhanced (INCITS-494-2012)

Limited support via dynamic role constraints.

Apache Fortress is a trademark of the Apache Software Foundation.

Apache Fortress Core Security Services

Over one hundred services are divided across the Manager components.

Some of them (Access, Admin and Review) map back to ANSI RBAC functional specifications.  Others (DelAccess, DelAdmin, DelReview) are for the ARBAC02 model which help manage administrative burden for large enterprises.

Each manager component defined below has a specific purpose and contains a collection of related functions to control the Fortress Entities as they pass through its particular area of the identity lifecycle. Of late, the APIs have been wrapped with REST Services by Fortress Rest. This makes it possible to access Fortress functionality over HTTP protocol using an XML message format.

A description of the managers follow…

  • AccessMgr This object performs runtime access control operations on objects that are provisioned RBAC entities which reside in the LDAP directory to maintain policy enforcement
  • AdminMgr This object performs administrative functions to provision Fortress RBAC entities into the LDAP directory; it can be used to build custom applications and UIs
  • AuditMgr This interface prescribes methods to search the OpenLDAP slapd access log, which contains an audit trail of entity operational states to maintain and verify compliance
  • DelAcessMgr This interface prescribes the API for performing runtime delegated access control operations on objects that are provisioned Fortress ARBAC02 entities which reside in the LDAP directory to maintain policy enforcement
  • DelAdminMgr This class prescribes the ARBAC02 DelegatedAdminMgr interface for performing the policy administration of Apache Fortress ARBAC entities which reside in the LDAP directory; it can be used to build custom security applications and UIs
  • DelReviewMgr This class prescribes the ARBAC02 DelegatedReviewMgr interface for performing policy interrogation of provisioned Apache Fortress ARBAC02 entities that reside in LDAP directory to maintain and verify compliance
  • PswdPolicyMgr This object adheres to IETF PW policy draft and is used to perform administrative and review functions on the PWPOLICIES and USERS data sets within Apache Fortress
  • ReviewMgr This interface prescribes the administrative review functions on already-provisioned Apache Fortress RBAC entities that reside in LDAP directory to maintain and verify compliance