Skip to content

Executive Guide

Audience: CTO, VP Engineering, Security Leads, and technical decision-makers evaluating or adopting CoSec.


System Overview

CoSec is an open-source, RBAC and policy-based security framework purpose-built for modern JVM applications. It delivers authentication, authorization, and multi-tenant security as embedded library components — not as a separate gateway appliance — enabling teams to bake security directly into their microservice architecture.

AttributeDetail
LicenseApache 2.0 (permissive, production-friendly)
LanguageKotlin on JVM (Java 17+)
Concurrency ModelReactive (Project Reactor) — non-blocking I/O throughout
Framework IntegrationSpring Boot 4, Spring Cloud Gateway 2025.x
Codebase Scale~18,000 lines of Kotlin across 328 source files, 102 test files
Module Count15 modules (12 publishable libraries, 2 BOMs, 1 standalone server)
Release CadenceActive — 424 commits since January 2025, latest release v4.3.5
Repositorygithub.com/Ahoo-Wang/CoSec

Why it matters: CoSec eliminates the need for a separate security gateway infrastructure layer by embedding policy-driven authorization directly into application code. This reduces latency, simplifies deployment topology, and gives developers fine-grained control over access decisions at the service boundary.


Capability Map

The following table maps CoSec capabilities to business outcomes, enabling leadership to connect technical features to organizational impact.

CapabilityTechnical MechanismBusiness Impact
Policy-Based AuthorizationAWS IAM-like model with Effect (ALLOW/DENY), ActionMatcher, and ConditionMatcherReduces time-to-implement new access rules from days to hours; auditable policy-as-code
Multi-Tenant IsolationFirst-class TenantPrincipal and tenant-scoped policies via TenantCapableEnables SaaS multi-tenancy without separate deployments per customer
JWT AuthenticationToken issuance and verification via com.auth0:java-jwtStateless auth scales horizontally with no session-store dependency
Social OAuth LoginGitHub, Google, WeChat, and 30+ providers via JustAuth integrationAccelerates user onboarding by leveraging existing identity providers
Rate LimitingRateLimiterConditionMatcher and GroupedRateLimiterConditionMatcher as policy conditionsProtects APIs from abuse without external rate-limiting infrastructure
IP Geolocationip2region integration enriches request context with geographic dataEnables geo-based access policies and compliance with data residency rules
Distributed CachingRedis-backed policy and permission caching via CoCacheSub-millisecond authorization lookups; eliminates repeated policy deserialization
ObservabilityOpenTelemetry instrumentation via cosec-opentelemetryFull request-level tracing of auth decisions for audit and debugging
OpenAPI IntegrationBearer token annotations via cosec-openapi + springdocAuto-documentation of security requirements in API specs
Blacklist EnforcementBlacklistChecker in the authorization pipelineImmediate incident response capability — block compromised accounts or IPs

Architecture at a Glance

CoSec follows a layered architecture where public API contracts (cosec-api) are kept strictly separate from implementations (cosec-core), and integration modules provide thin adapters for each deployment topology.

mermaid
graph TB
    subgraph Deployment["Deployment Topologies"]
        direction TB
        GW["Standalone Gateway<br>cosec-gateway-server"]
        EMBED["Embedded in App<br>cosec-spring-boot-starter"]
    end

    subgraph Integration["Integration Layer"]
        direction TB
        WF["WebFlux Filter<br>cosec-webflux"]
        WM["WebMvc Filter<br>cosec-webmvc"]
        GF["Gateway Filter<br>cosec-gateway"]
    end

    subgraph Infrastructure["Infrastructure Services"]
        direction TB
        JWT["JWT Tokens<br>cosec-jwt"]
        SOCIAL["Social OAuth<br>cosec-social"]
        CACHE["Redis Cache<br>cosec-cocache"]
        IP["IP Geolocation<br>cosec-ip2region"]
        OTEL["Observability<br>cosec-opentelemetry"]
        OAPI["OpenAPI Docs<br>cosec-openapi"]
    end

    subgraph Core["Core Security Engine"]
        direction TB
        API["Public Interfaces<br>cosec-api"]
        CORE["Policy Engine<br>cosec-core"]
    end

    GW --> GF
    EMBED --> WF
    EMBED --> WM
    GF --> CORE
    WF --> CORE
    WM --> CORE
    CORE --> API
    CORE --> JWT
    CORE --> SOCIAL
    CORE --> CACHE
    CORE --> IP
    CORE --> OTEL
    CORE --> OAPI

    style Deployment fill:#161b22,stroke:#30363d,color:#e6edf3
    style Integration fill:#161b22,stroke:#30363d,color:#e6edf3
    style Infrastructure fill:#161b22,stroke:#30363d,color:#e6edf3
    style Core fill:#161b22,stroke:#30363d,color:#e6edf3
    style GW fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style EMBED fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WF fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WM fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GF fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style JWT fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style SOCIAL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style CACHE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style IP fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OTEL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OAPI fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style API fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style CORE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3

Key architectural decisions and their implications:

  • Reactive throughout: Every authorization check returns Mono<AuthorizeResult>, enabling non-blocking I/O. This means CoSec adds negligible latency overhead under high concurrency — critical for gateway deployments handling thousands of requests per second.
  • API/Implementation split: cosec-api has zero framework dependencies, making it safe to depend on in domain modules without pulling in Spring. This enforces clean architectural boundaries.
  • SPI-based extensibility: Custom policy matchers are registered via Java SPI (META-INF/services), requiring no changes to core code. New condition types (e.g., time-of-day restrictions, custom header checks) can be added without forking.
  • Single maintainer with bot assistance: 252 commits from the primary author and 342 from Renovate bot (automated dependency updates) since 2024. The bot handles dependency freshness; the maintainer focuses on features.

Team Topology

Understanding who maintains CoSec and how to engage is critical for adoption risk assessment.

DimensionFindingEvidence
Primary MaintainerAhoo Wang (ahoowang@qq.com)Git author analysis: 252 commits since 2024
AutomationRenovate bot handles dependency updates342 bot commits for dependency version bumps
CI/CD MaturityGitHub Actions with parallel test jobs, code coverage, signed releases6 workflow files in .github/workflows/
Test InfrastructureJUnit 5 + MockK + FluentAssert; Redis via service containers for integration testsCI runs 7 parallel module test jobs; Redis-dependent modules use service containers
Release ProcessAutomated publishing to Sonatype Central + GitHub Packages on Git tag creationpackage-deploy.yml triggers on release: created
CommunityOpen-source Apache 2.0; issues and PRs via GitHubPOM metadata references GitHub issue tracker

Implication for adopters: CoSec is a solo-maintained project with strong automation. This is common for mature, focused infrastructure libraries (similar to how many Spring ecosystem projects began), but it does mean that bus factor equals one. Organizations adopting CoSec should plan for internal capability to contribute patches if needed.


Technology Investment Thesis

Why reactive, policy-based security matters now

The industry is converging on two patterns that CoSec is already built around:

  1. Policy-as-code for authorization (AWS IAM, Open Policy Agent, Cedar): Declarative policies are versionable, testable, and auditable — replacing hard-coded role checks scattered across services.
  2. Reactive/non-blocking I/O (Project Reactor, virtual threads): As services scale horizontally, blocking security checks become throughput bottlenecks. CoSec's reactive core avoids this entirely.

Strategic positioning

FactorAssessment
Alignment with Spring ecosystemTight — built on Spring Boot 4 and Spring Cloud 2025.x, the latest major versions
Kotlin adoption trajectoryKotlin is the preferred language for new Spring Boot projects; CoSec's API is Kotlin-native with full Java interop
Competitive alternative toSpring Security ACL (complex), Keycloak (heavyweight), OPA (requires sidecar/daemon)
Unique value propositionOnly framework combining IAM-style policies, multi-tenancy, and reactive authorization as an embeddable library

Risk Assessment

Every adoption decision carries risk. The table below identifies the key risks, their severity, and recommended mitigations.

mermaid
graph LR
    subgraph RiskProfile["Risk Profile Assessment"]
        direction TB
        HF["Bus Factor<br><b>HIGH</b>"]
        DM["Dependency Maturity<br><b>MEDIUM</b>"]
        SR["Security Response<br><b>MEDIUM</b>"]
        TC["Team Ramp-Up<br><b>LOW</b>"]
        VL["Vendor Lock-In<br><b>LOW</b>"]
    end

    HF -->|"Mitigation: fork-ready<br>+ internal expertise"| R1["Acceptable"]
    DM -->|"Mitigation: Renovate<br>+ version catalog"| R2["Acceptable"]
    SR -->|"Mitigation: Apache 2.0<br>+ audit trail"| R3["Acceptable"]
    TC -->|"Mitigation: Spring<br>+ Kotlin familiarity"| R4["Acceptable"]
    VL -->|"Mitigation: standard<br>SPI interfaces"| R5["Acceptable"]

    style RiskProfile fill:#161b22,stroke:#30363d,color:#e6edf3
    style HF fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style DM fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style SR fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style TC fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style VL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style R1 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style R2 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style R3 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style R4 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style R5 fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
RiskSeverityLikelihoodImpactMitigation
Single maintainerHighMediumDelayed fixes, stalled developmentFork readiness; allocate internal contributor time; monitor commit cadence (currently 1-2 commits/day)
Spring Boot version lagMediumLowBreaking changes on major Spring upgradesDependency catalog (cosec-dependencies) centralizes versions; Renovate bot automates updates; Spring Boot 4 already supported
Security vulnerability responseMediumMediumWindow of exposure before patchApache 2.0 license allows self-patching; SPI boundaries limit blast radius; no critical CVE history observed
Kotlin ecosystem familiarityLowLowSlower onboarding for Java-only teamsKotlin compiles to JVM bytecode; existing Spring knowledge transfers directly; API design follows standard patterns
Vendor lock-inLowVery LowMigration cost if replacing CoSecInterfaces defined in cosec-api (no framework deps); SPI-based matchers; standard JWT/OAuth protocols

Cost and Scaling Model

Understanding the operational cost profile helps in capacity planning and budgeting.

DimensionDetailCost Implication
LicensingApache 2.0 — no license fees, no usage restrictionsZero licensing cost; no legal review burden for commercial use
Runtime OverheadReactive non-blocking; policy evaluation in-memory with sequence-based streamingMinimal CPU footprint per request; no thread-per-request blocking
Infrastructure DependenciesRedis (optional, for caching), JWT library (in-process)Redis adds ~$50-200/month depending on cloud provider tier; not required for low-traffic deployments
Deployment TopologiesEmbedded (sidecar-free) or standalone gatewayEmbedded mode adds zero additional infrastructure; standalone gateway is one JVM process
Scaling BehaviorHorizontal — stateless authorization, no shared state beyond Redis cacheLinear scaling with application instances; Redis scales independently
Maintenance BurdenRenovate bot handles dependency updates; Detekt enforces code qualityMinimal manual dependency management; static analysis catches regressions before merge

Cost comparison against alternatives:

ApproachInfrastructure CostOps ComplexityLatency
CoSec EmbeddedZero additional infraLowSub-millisecond (in-process)
Separate Auth GatewayAdditional gateway instancesMedium+1-5ms (network hop)
KeycloakDedicated server + DBHigh+2-10ms (token introspection)
OPA SidecarSidecar per serviceMedium+1-3ms (local gRPC)

Dependency Map

CoSec's module dependency graph determines integration complexity and the blast radius of changes.

mermaid
graph TD
    subgraph Build["Build and Version Management"]
        BOM["cosec-bom<br>Bill of Materials"]
        DEPS["cosec-dependencies<br>Version Catalog"]
    end

    subgraph Foundation["Foundation Layer"]
        API["cosec-api<br>Public Interfaces"]
    end

    subgraph CoreEngine["Core Engine"]
        CORE["cosec-core<br>Policy + Auth Logic"]
    end

    subgraph Plugins["Optional Plugin Modules"]
        JWT["cosec-jwt<br>JWT Tokens"]
        SOCIAL["cosec-social<br>OAuth Social"]
        CACHE["cosec-cocache<br>Redis Caching"]
        IP["cosec-ip2region<br>IP Geolocation"]
        OTEL["cosec-opentelemetry<br>Tracing"]
        OAPI["cosec-openapi<br>API Docs"]
    end

    subgraph Adapters["Integration Adapters"]
        WF["cosec-webflux<br>Reactive Filter"]
        WM["cosec-webmvc<br>Servlet Filter"]
        GW["cosec-gateway<br>Gateway Filter"]
    end

    subgraph Packaging["Packaging"]
        STARTER["cosec-spring-boot-starter<br>Auto-Configuration"]
        GWSERVER["cosec-gateway-server<br>Standalone App"]
    end

    DEPS --> CORE
    DEPS --> API
    BOM --> DEPS
    CORE --> API
    JWT --> CORE
    SOCIAL --> CORE
    CACHE --> CORE
    IP --> CORE
    OTEL --> CORE
    OAPI --> CORE
    WF --> CORE
    WM --> CORE
    GW --> CORE
    STARTER --> WF
    STARTER --> WM
    STARTER --> GW
    STARTER --> JWT
    STARTER --> SOCIAL
    STARTER --> CACHE
    STARTER --> IP
    STARTER --> OTEL
    STARTER --> OAPI
    GWSERVER --> STARTER

    style Build fill:#161b22,stroke:#30363d,color:#e6edf3
    style Foundation fill:#161b22,stroke:#30363d,color:#e6edf3
    style CoreEngine fill:#161b22,stroke:#30363d,color:#e6edf3
    style Plugins fill:#161b22,stroke:#30363d,color:#e6edf3
    style Adapters fill:#161b22,stroke:#30363d,color:#e6edf3
    style Packaging fill:#161b22,stroke:#30363d,color:#e6edf3
    style BOM fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style DEPS fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style API fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style CORE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style JWT fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style SOCIAL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style CACHE fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style IP fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OTEL fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style OAPI fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WF fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style WM fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GW fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style STARTER fill:#2d333b,stroke:#6d5dfc,color:#e6edf3
    style GWSERVER fill:#2d333b,stroke:#6d5dfc,color:#e6edf3

Key dependency insights:

RelationshipTypeImplication
cosec-core depends on cosec-apiCompileCore cannot be used without API; API is always present
Plugin modules depend on cosec-coreCompileAny plugin pulls in the full policy engine
cosec-spring-boot-starter aggregates all pluginsCompileChoosing the starter means accepting all plugin transitive dependencies
cosec-gateway-server depends on cosec-spring-boot-starterCompileGateway server is the heaviest deployment artifact
cosec-dependencies is a BOM-only modulePlatformControls all version pins; single source of truth for dependency versions
cosec-gateway-server is not publishedBuildInternal-only; not distributed to Maven Central

Selective adoption is supported: Teams can depend on only cosec-api + cosec-core + specific plugins (e.g., just JWT and WebFlux) without pulling in social login, OpenTelemetry, or gateway components.


Key Metrics and Observability

CoSec provides built-in observability hooks that enable engineering teams to monitor security posture in production.

Metric / SignalSourceBusiness Value
Authorization decision tracesOpenTelemetry spans via cosec-opentelemetryFull audit trail: who accessed what, when, and what policy allowed/denied
Policy match rateDebug-level logging in SimpleAuthorizationIdentify unused policies for cleanup; detect over-permissive configurations
Implicit deny rateAuthorization result monitoringHigh implicit-deny rates signal missing policy coverage or overly restrictive configs
Rate limiter triggersRateLimiterConditionMatcher exceptionsDetect abuse patterns; tune rate limits based on actual traffic
Blacklist hitsBlacklistChecker log entriesMeasure effectiveness of incident response blacklisting
Authentication failuresJWT verification and social auth error pathsDetect credential stuffing or misconfigured OAuth providers
Cache hit rateCoCache Redis operationsOptimize cache TTLs; ensure policy lookups remain performant

CI/CD quality gates (evidence from .github/workflows/):

GateToolCoverage
Unit and integration testsJUnit 5 + Testcontainers7 parallel CI jobs covering core, JWT, social, cocache, webflux, webmvc, starter
Static analysisDetekt 1.23.8 with auto-correctEnforced on all source files; config at config/detekt/detekt.yml
Code coverageJaCoCoReport generation via code-coverage-report module
Dependency freshnessRenovate botAutomated PRs for version bumps
Signed releasesPGP signing in CIAll Maven Central artifacts are GPG-signed

Roadmap Alignment

How CoSec aligns with common engineering organization priorities.

Organizational PriorityCoSec AlignmentNotes
Zero-trust architecturePolicy-based defaults with implicit denyEvery request evaluated; no blanket access grants
Multi-tenant SaaSFirst-class tenant modelTenantPrincipal, tenant-scoped policies, InTenantConditionMatcher
Platform engineeringEmbeddable library modelNo separate platform team needed to operate auth infrastructure
API-first developmentOpenAPI integration with bearer token annotationsSecurity requirements visible in API contracts
Observability-driven opsOpenTelemetry spans for auth decisionsIntegrates with existing Grafana/Datadog/Honeycomb pipelines
Regulatory complianceAudit trail via policy evaluation loggingPolicy-as-code satisfies audit requirements for SOC 2, ISO 27001
Cost optimizationNo additional infrastructure for embedded modeEliminates gateway licensing and operational overhead

Technical Debt Summary

Transparent assessment of areas requiring attention.

AreaStatusEvidenceRecommended Action
Test coverage breadthGood102 test files covering 328 source files (1:3.2 ratio); all modules have test suitesMaintain current standard; add integration tests for multi-tenant scenarios
Dependency currencyExcellentRenovate bot produces 342 automated update commits; Spring Boot 4.0.5, Kotlin 2.3.20No action needed — automated process handles it
Code quality toolingStrongDetekt static analysis with auto-correct enforced at build timeNo action needed
DocumentationGrowingVitePress wiki with i18n support recently added; CLAUDE.md for AI-assisted developmentContinue investing in operational runbooks for adopters
Single maintainer concentrationAcknowledged1 maintainer + automated bot; 424 commits in 2025 aloneBudget for internal contributor onboarding; consider sponsoring the project
JMH benchmark coveragePresent but shallowEvery module has JMH plugin configured; benchmark results not publishedPublish benchmark results to track performance regressions over releases

Recommendations

The following recommendations are prioritized by impact and urgency.

1. Start with embedded mode for immediate value (Priority: HIGH)

Use cosec-spring-boot-starter to embed CoSec in your existing Spring Boot services. This requires zero additional infrastructure and gives you policy-based authorization in days rather than months of building custom role checks. The WebFlux integration is the best-documented path.

2. Establish an internal contributor capability (Priority: HIGH)

Given the single-maintainer model, assign one or two engineers to develop deep familiarity with the CoSec codebase. Contribute upstream patches when bugs are found. This protects against bus-factor risk and accelerates internal support. The modular architecture (especially the clean cosec-api / cosec-core separation) makes onboarding straightforward for Kotlin-proficient engineers.

3. Adopt policy-as-code practices from day one (Priority: HIGH)

Store CoSec policies in version control. Use the LocalPolicyInitializer to load policies from the classpath during startup. Treat policy changes with the same rigor as code changes — pull request reviews, automated testing, staged rollouts. This establishes the audit trail that compliance frameworks require.

4. Invest in observability from the start (Priority: MEDIUM)

Enable cosec-opentelemetry immediately. Authorization decision traces are the single most valuable signal for debugging access issues in production. Connect traces to your existing observability platform. Without this, troubleshooting "why was this request denied" becomes a manual log-scouring exercise.

5. Evaluate selective module adoption to minimize footprint (Priority: LOW)

If your service only needs JWT authentication and WebFlux authorization, depend on cosec-api, cosec-core, cosec-jwt, and cosec-webflux directly — skip the spring-boot-starter aggregator. This reduces transitive dependency count and classpath complexity. The dependency map in this document shows exactly which modules are needed for each capability.

Licensed under the Apache License, Version 2.0.