From 01165ea0e198531d10b9cfa927bb74b923c326d7 Mon Sep 17 00:00:00 2001 From: Ben Alex Date: Fri, 3 Dec 2004 10:15:55 +0000 Subject: [PATCH] Documentation update to present state of CVS classes and interfaces. --- doc/docbook/images/ACLSecurity.gif | Bin 0 -> 4041 bytes doc/docbook/images/AccessDecisionVoting.gif | Bin 0 -> 6481 bytes doc/docbook/images/AfterInvocation.gif | Bin 0 -> 4672 bytes doc/docbook/images/Authentication.gif | Bin 0 -> 12955 bytes doc/docbook/images/BasicAclProvider.gif | Bin 0 -> 9921 bytes doc/docbook/images/Context.gif | Bin 0 -> 4269 bytes doc/docbook/images/SecurityInterception.gif | Bin 0 -> 5827 bytes doc/docbook/index.xml | 553 +++++++++++++++----- 8 files changed, 434 insertions(+), 119 deletions(-) create mode 100644 doc/docbook/images/ACLSecurity.gif create mode 100644 doc/docbook/images/AccessDecisionVoting.gif create mode 100644 doc/docbook/images/AfterInvocation.gif create mode 100644 doc/docbook/images/Authentication.gif create mode 100644 doc/docbook/images/BasicAclProvider.gif create mode 100644 doc/docbook/images/Context.gif create mode 100644 doc/docbook/images/SecurityInterception.gif diff --git a/doc/docbook/images/ACLSecurity.gif b/doc/docbook/images/ACLSecurity.gif new file mode 100644 index 0000000000000000000000000000000000000000..7a0d0aa82345ef28853939032b357a0934c5940e GIT binary patch literal 4041 zcmV;)4>s^eNk%w1Ve$d;0P_F<@9*yb007(D+veux|NsBU$jG#`w9(PgwY9agv$FsI z00000000000000000000A^8LW00000EC2ui0P+Fy000F35XecZy*TU5yZ>M)j$~<` zXsWJk>%MR-&vb3yc&_h!@BhG{a7Zi~kI1BQ$!t1zfv9v!ty-_xtah6f3~b!6cuX#v z&*-#z&2GEjaH`i5AlUEtynfH``~QG^0R;kJfrp5Rii?bmj*pO$l9QB`mUn}N6?K=L zkpTt=hMuIQrl+W>s;j1;qMNL-mloU*vNy1Tr+rvbEdzQ4gWx5LQE%FE2ewG+q9 zlEBY0(bCx2+S|+2!rYJE#^B`T=I58<6xZl~>ND)^^7HiO?-KEd@%fmm_c8qH2_&!& zP{4r*1N}Q_CmN@Mei-g?c<3Jti3zb$Bq+#TqmBL<+buMBEJ{CuCQ&}TMWta%lz3jk z#B|W&3ydL^$$Yu8r%RerT(T@lG$ziR$VNuYv+-fWryQd;h3YgWQ+LH|AuR`zs#mFB zPgbpZvh3DvN+TBiIyNX+p-_PiHEJ*`ytCwXvScfCEYP@pY0|~ZEv-kZZ~Y=xtk`VS zy43&@&U-a+SiY7Y1J*n_n_)(beI|B06K*)W);iA%ZMrQ_qDNKhL=7PJIh!tQ%ihiV zHf`NpXKC?3PvcQ9t;|^ zlu9xomQHz5P&Z*I{E)TThZ_Ah4QGp4*vUcG-X{~#{+6;c) z5NaN-8X?$fr1oUxtB1fQdls?5{#7$8vdTugovvH42&A;w)<-Q;HXUn19N>m4?zrTZ zYwo$|k`c-`%a(@^gxSWs+PbjdW#G5+=8KLi>{jcpi~0r(4zqa`^X#)79K4Re4A;1A za~ll4@)=bCLq@)GBoe51G2Cir@SVagi&)b$s=1V1vD5_tn$sh z5InHKAyaI!!X`t5^U%4lnC{V3(5u1BGvniJzZbIV7+^g<8Fe~5O6rkBA@&84Afo2` zj{pT2fWX;kr>*wdY`3j8FmA^!x7-F0GKz|7TJ0FhQfnwApnLY+Pd<54cp={s{xg68 z2Q=>ZrNx&E1b)#{DxoF|p?tU#nzK3uso@f?n zYV#^JU*zkk)*h$f#^ZVB)H;@LJfMCxrmyt?W1sy8V7{L}>&o}P|McQJ4EX-^y#B$@ zEAkWDzc`19`*~nhwyO;8f&v@bZ7+a#x?TB{6h0K4FKeB94b@~fKB+{{Qm=d8{1&Jc zrZ|uT37iDtxB{tNd{1EXbI(LxxB(9StvE-SVMW@t)3*t_X|Q6T}v|=*2S15RB9b!x)8T#x|}@2)$b)KHNyhL!r?c za>M`?>$ou^QYVj7;H@QWmFkj7qzOR^(k^`7{7DE6_dN(2X`x14YE%taK$%XIEfxLa zMIngJQVlMhq7$kKH@Kw?Vkj&~8qo(M>CCxAX{G>druQspRwc==RC6UCYwTKA3+}U| z9HkUlVbaff?i30atqm--WSmWk&4%gAYIhRrL-91$i+j9U^d##Z$|CKvpbf2PM@w4K zD(we7T_f4dW`Ne3ZEmntn`>iBTercjwz$ph*=DQT-um{pzzwc&+s51B;+D6qO+W%% z{%f}&q;`yp%bawlOWo>9PE(q)u6DP}-R^q#yWkD4c*jd#%54q^&rR$LACzA8y7#@= zYcG78z}}I~_rCabf_(Ffg!=B6zW@%fF$5gnlKq#!2u|>U6ii;-B z-W&6n1U~+;kbM{AA>+@;NFHX9lRRT4J9&&te)1HhOy%`f*`im@a)Y&eWc$L5%V0J_ zlp_qZE^FAsVNSCxko+>IxtV4@6Pc%KQ?pK~`ObzMa+w|M<(QR>&wK7Oo(H}DU?aCV zW=*4WoGt9MiPf3Vkp2&offi?&E&9*C3Us75ErKzRxWY2C*t|qAB*qplJ}CYN_B2dZ*^#2g1G-y%Cy2{``d9JR7A7dd4Q zwbX^yyybQjdVei`70{*7b0O6$U6%>h3KsL5S5!JaZF5dzrVe#iSLf;osdX_ky)4oL zVf==wD5<)=crm%TrePSeEb4M^L&d2>C5e@?7a`{er_e@KSXPsgwe519X{ri0@J&40 z&x(GtdO% zJA+FnexB|@tF)Z!{%2YDl;p#}e#KRcepPfnBDz;%hZ0@t<^J@p{W**OfZ1>G?`Is5 z#G!tO#eWy)e;J1{)**l=cXr^RfKQMy&*6YL$8Y6Ufm5Jw_eD|xsDEolfahTap>i>x z0%xVhDI_R@B{*k|mVzUQf6&2!@W6oIVQ)6}e!L-pyC;JS0)zc!GZDyxdDd|KhhGwt zfIw(U9vB`tm;?ypf;M!7BqoFf2w&dv9>1i4S2IgZ0)_XKgbm1rJavAba7%w>OP;WV z`zM7T2!;!|G-G&qlj1pp6IMV+Dr_iWYN&*F2zpIIdYfl@OqFz^r-RplhWZ63Ck0D@ zh3i90BXIv0tX zn1^4eih=iou(*D%*om{)d$QPyCgy}2M_{~IG@jUMwU~;&$cm>pjD;AC&Si{NhKk8} zi`$or$GD3_cyG)oZ;&XB?skp)=8W8!U%!Y8h8Tn1sEy=ifun_iM3#-tF^){ITE-QR zv2|O*RX3W@j17m57O0N*68V zLy)`XUkavu+?H(^`C=RSkpn1x?go-1nS+q$izS(octi&XrjaV?Yv+fOFFBJd_G%+Z zlQ>xd&*hTYmy3TwWNLm?} zD3+Eh2xokTX!PfnTg8_b*)vEnEIH!-}Vv(e&l;L=W@s^rTxtc4&kFNQXu(=`7IGY)^nYAe-%7~j($b_ol zj=tHFz{!2RIh-R`oRcA($a#|#Hik48ozBpl9cP+IgPK5gcZ;Qky0Lojcbn7+EkM+o zvqutxF;+(cc5QW@oX0iC8J>aE95nuTA4pewNi{&M^quh8U+su-4AFIl*BFUNeeGEh z@427E)L8zhoq_070Y!EQDrWt8i&erF#I;$)P$qq2g&T8yca6 zgM}~0K7u7nEZTP^+Abj~qOz7tK1YU6XNHjSq09L%p9z}1M2c|1LGYwM;^aQ;Btq3k zAw1eL9P*<;Iv>fDH&2yzV&xRK=Y28iFJuCxqZy=9Cx>4$c%m360a{Z{YNF0UqdaA! zml0P{cb|nPry-K2GD6%I3I!wzFFjhBiON7g zWT@PNT`DMF}r>3$|d6kK*Hk6uGw6g`H-Lv>)rUZ>zL1JGZB1w4|W1cKftaySJ%^w`T~l ve*0o|JGhXhwdumOhRbDPJGPD+TxGksk*2n6Te;okwvwBNk%w1Vb1~;0rLO=@9*yb007(D+veux|NsBU$jG#`w9(PgwY9YX00000 z00000000000000000000A^8LW00000EC2ui0M7yy0RRO45XecZy*TU5yZ>M)j$~<` zXsWJk>%MR-&vb3yc&_h!@BhG{a7Zi~kI1BQ$!t2G(5Q4uty-_xtai(l1-{_0cuX#v z&*-!oEf{ns>$rSQuiNkVynfH``~QG}f@E!P8vz7~ii?bmj*pO$l9QB>0R;kv0Em^H zo}ZwhqNAjxrl+W>s;jK6u8WtMni!m~wygmM2b#6FzQ4f1!o$SH#>Tn3vlqR`&Wr&F z%5Tlj*4NnC+S}Z((bLNm)!o70yyWQV>g(+7tLEVqh6DnM|uVB1`3@bU*0x_b+ix@Ndnz*bYsCoVsJ=)@kMWn`)1RsS&$?_V>bE2AY z0x8KPw3{)d!EDL%lgvakBiV$7v!_u?FAWU^+Utv=nNA6SVfr)-(^^rfR)w`xs!pXx z!&+*J^{QE^SgoQ>%eC!Rv2bC11sL#SQJ{FG=AF40CttmQpWc-?w@cT!41W>@{I_vl z!HoMZhKyKj(t97tLUz2C^V-K(*}nBz*kI+jSPkyJpQB zw(rAU!I`EFH+OI2k&`Q?O#J9&!}VB0)jd_~Syj)c0B??w`q{?SXJ6-jI{TLG7R^UN zPrkkT_t0#IW1m=l7W(k>>#wZ-e)IlM;QqJYfCRP#;1vQUbYK$+7UXF7spOI_?Fb!lMHT@hlT=n2ACmKV5*|{%-L+eCmJsBmhgQB*Pim7? zBhqqZq7x;9os`98O@V#MoFm)4ImDDgBGRCpxQN!Kn`0&^5uRyHS7%m!hUV0x*YQ;y znrRlg-k_*7DqCudJ__k$oXR1w|f%PVe{{`z;QU&>Aw)vUsT$EqdG8o6vttqs;1RKa$;*tEqq zny6&2Sqtd4NM(y)tkL31?Y!t}=`Nh?+7+*?g1LqqvGf`%aJ9UR?(tnk5fj;mR!qfU!vsbx(%TEOB;t7^I!+nX?0<$$J*o;9Ou0g z4s&gjE9Y$UgFF9hF*wdY`5(;7-JK?$$xS4$o1VLCL{OUP}Y4l-hgMQx7<>%u_nDyd07E+83hVAUR3$K##E+5}z#=0*Luku6H3~jFlE01XKy9-66^Ve(1 zJ#1e}@BEg&2PJ;;KKX^awrTc@EWg_O{(YV34{i7SVane={>bN_l0fI{pY=*{n4t9T zc`->}{otoPQ4LUk(}Q6A5V*bI?Co4y5t+0+#Te{G3|!#Lo=iAcu}Q5@N+)9&s7wVu zav9508%x*2LiNE#rI23^>{tvZHAAx0kW{Sd6tGk{DlbK9Qxy}BczAd$k!5dH9&2Lo zHW;xE=Fnr55l#LPU-LpKo-Bk}T$QRs7qfj4?2NM_mQXwxtrLE3U-VKF9L+dK{gJGW z|H2g>4+xq&3aeptWFR2X7_L43(T|7>*6|SOMkY|lg<>$I$<(;NL|Tw#>T=m5kA*Tc zI+0pjv81d@cAQW4CX{p}WM?!vzmUXB^}przuTpdNX{A{AM_D*hb>*ii=FV z2?_T?!wf#Gm?`Wfm`rF+CtwhrLloko^r;$$c?XDCBvrj~6VMg@b7VZU;VJpKPlR?! zE$EErR{jLF#D%&Ll_Rq#Ctui4cKXnrNi=1(yeP~k?r@CBOu{vv5x@j8CZ#_B66rek ztXo7cQwyx%Om&6}nEpsME|Do#eAXg7n^eo-x8d0Csz!k- z5Cl*F10cWvVD%~j#!A+*n)R$`O)CPTq1Lg6Rjh4|Yg^y?RZM6Ot9b1WQHwAD0UY43 zfDNo*2TRz(5;gz_K&)XG%h<*;wh%1Kt7J2x)xE*t3zkLPWH(E*y=GP(n+WY^N5|RH zM#!_H4M=DMklGv^)wHk`Q$1TN0@jMwwzQ?eYh%k>SLJpFwhiuYb=%wGx}&m$gM)I1 z{u=`pjpMnjoS#X^M<-s6D}oQqsdi^++|Z#mv$(ZDc$v!r=W>^i(yeLp8u&f|jxS>r z>~1%ZOPBGAgS;PW_3>}SV7sdF*B}TEKc%fo|OO;?OGG~M_tf+NlxZBdw z_aTSCZwojHO-UK7!>1G;h{ZY2_(4;f@&(3)=aXR#uKWODV=M{k;a{gacpur zOpvWK#WwwJazRUE7oz}R-XyS&(@SC;FY|jR)+3OEJX<4cz`j;aK@BN(PYFjdQ8Je2 zmJ-@Yj4D}}@8syGO6Xt)!%~F=rtpua?1~i+Im_kUU-fF5qU}b9&M2`n(XfpEXA`WX z!12vTQ~wO;lL)%Lh0b%MCryk;1BB3#9zlgE-CIj%I@6oxbZkBS=|YEE)TSkMsk3}) zRC89>P|_P)3#!K`*=qeJ#>f4yAcYTMq+ z&3CZ%>rwuK`GY4l%NdeYlytuGH*l7)64UAKK=-<7p|#cglgf}7jf=C(MR4Qeog zc!<5D@tSu4$xiO01G5R`ZFaNjIJP>`^}2GWd;QAzoYhr`{|op)>Oo$r?G`lkUOc#Kc= z@sN+a}OB= z+S~s2vp0ZUH_r^-ix&)jb*%7*PyFH=|MxCy_NQP|KhT^q6a0VV-6f%f1Mm^*wYv=+#=!SeKe_}^Xc5+NSC~SRLh!aRq7Zopo zI7fq6TZZ_E3}}V~mq`AyM~xT)dkBe|=zVNPQ6iOy{$rET#gEDm{$P|U6MS`|?i@2DJy10wL=LX~@geuXBPq%e z@kn#@m}}s+g22U%!8LJBH*fFfc-wZ6J$R4!h>k(fSJW4gf@OkB z2#@#&bGJo+*hh@^$dFT(j}C}*1DSNH#dHKYgB}TFAo+^5Ra^$dbEvkGELn!NhFyqe za`1(Bn6~;oZ|9kJ{K-q31jktOSk?soVNp;hKOn8sC^PQkQ>*ZrI?&r2PkxybHOBL zCAFQ=rJbfJg81ohO= zJrhVj?Y|BQYD{7-`h@FOJm_GWGELwp=YG~b7 zq_uXWhiFeDsg6=QrBqs_RvHKF$eX!iluWuf*I0~K8m4Q5qbE5AWSXB$SE6Vdj`Z23 z`|+iuRcrw1NL=cs$?11(njdhgQo&`XQVFC!`KNShZhmSz7nY~+!GrdNsD=7&csiDU zxuYrCsA&19g6cRkN~x`LsQ!=&s3pL0&t^Q}#ALu@6B~t1$N`hv)ozE$sR#r>-gA?< zQJV!eU2fqIP8zDhSw9f5UTL^U?Io)tr>Z&Gm#)esKX;b9bE*WCo7)3IFyg5&z;9OM zZ>Qp4s03hZ#ztfomA7heH>63_!x8h-A zL`af2u^d*GVHS6CA+7n9LEogD3M-d4)?=RtN74p#(Son*251mF79w>>&ACtSYw#14Lb;?wk z8@Za5G69<_m{Yo(^S6~Mxst}ZmE*dl392h zR&3>u$~$_=yS&cJylyq8_(Hsab72rESbidr+G|+ZyS?7ay;AX46gj=rtD6q#C-;z~ zMI{wAQohyxi;h@fRq7k3?0av<|i-fR15zr7>KvBS3BzAFlc0dWQW#FwkH;SML4Q`iD7?rvWEUlty#rBgC|xz#6}{s4CQ5I_pPxpaB8A< zFvNBUx12o(mrzW+g4U}AYzZrD#_R)=mFp&Bd^$Z$3pMe_f=tDLTs)LZJuh>}h#WO* za3cPfTqBumPn4`Qur|Lq0LqdB#GU*zpL}Z==E$YYxl<|1E9h&gyvi7J%1QytXDrLJ z+{&m-gp7>K`9jM!n98^8%j^QohGEOSOw7w-%m#tXtV3>qs#8h%N{~@)7e75QpX5Itwi}l6K$~MYPXCFogBl_<}8#w z=N38Zac@UNAG1RT#<-%o(NZ*^+B&$a(XAvribu4zT_$q*Iw}es%nZG{2AZ+(6aKZl z^ORR7)T8Q00ScAf*|1J4VpD6>g=EB_)Wy27)5rYIWb)IKRKmW}vP1orQg*FDSHwT& z)hk6Z@7YSFl!zYOumb!^&aR&5YGPElcugmQo$oQ5`Tz{nua|O?^wS zD0kK;SJZV)*r`gESx42Zf!F8Z%&Xf%9(soxJx^p!Qv2%J*Mx`?`@wPuP%@TLoE@F` zG*R1pPp-`to`|3bHpf`W*j(N)@%O%axj#rjgr0gVd^q*M31 zuG;L)!+jsc4avAcp&Q{0qw5pS-M=3Z-6b*I0Rp_@J>KM9-ex1bMYYQv{&5Az>w2p9 zyzm|0rq{f=S9;6)-tzrb_-%V{Mc?_I-}{Yvx+e=#qTVcb1=st%3clbGiCBuo;1C|+ z&FA0}Ug60%zRG0a8qS-NN`EKGnH$d2H+pfdjAtaifhAs%J$;%du753#q#=IQBmRya zPUBCy(CdAp2ASe6hLIqS;|D(D^v2`Am~TX`fFd5`T1pFk2!B7G<6kh4&^|;mt4N(&=`qVPTVXmUTCgS{8=duQZ zc)nqF4w!qcVSgThWiH)1K65Uv=Y#&;g^r?4&Vhm6gMF@v^H}5l66)xQjv!fRp3Yc` z=!uP;&g7gPq51ddS{CU!h^E`NrrY^E=HooH! zs_B)UTEOn(?(qsiQtl;sojJuYRIYD(f^Z?K*m*qrU7DlIbo= zj~F@Y4r*oMH;?1KbmhK($v&idO@<;_qN|>C9gcz6j*#<4>+Rm--rj+W9_;hC?e#@F!yM0@s~{RJ2<>*YQ4X9~PV z&xyB~^jjMAXTbF2n;z0js8Ubh6Pg%PKYqiOjDgG(Tp!C$CA{1H6zI)2iBb012RUdT z^#-!`T0>beGWIA8c24D_RyALC|Afww_f)TPbe|qOGWO#+$lUOla&Nk%?Dtn+_dO%{ zeBbrkVEAF7mxn+1dJp)GkNI0($&g1xyZ5M{XUUq+-fY5Q z@)F6av0PZHd2&f~5Bq_V-Tm_UiN9mi&#|;ZOPUsoQP_V5m*eEFG7R68%|x zv{+mGYuB+LN3ZR4{c!l&5D*9na#l+#y?1AD(=5@G0^|Tzwsl`PmS?)QZ#;jqiR-*x zC^!U;ike<9rDHaoC!*0P9P&z}q)CgZMnznt$)IwU%`xZ?n_RcmZ(rI}>R92YrA+RQ z-?RL*HVhsPyS~D_895?1!$!6`w!uFiKSZ*#OwCPB9KsP0%e6zmpTES;)SHt@NJltQ zwbs%?Q`*KcRb84rSg>1BS=*p5lHWSi9Z=v{tytqPuj08k6imHJ#ye=h?qTQR=*wO5 za&xq-!{*jn(c^UMb9sPXa6aO9ZOZk^{(8aa0J-Lo^B0WYK|7(;wbK?4n?hz0BW3Fc zi($27FbX!CsBdCIeIOx?8(7k0nNJWcxe95@rIKqWJ8cwskJ-plp;Rs;DU%blkne8N z;qnU%C@D#cW^6&HokXNa6xzE|v}y=EF*Q0ng5{`Cr60m!WrY@#Du1(LttM+45yJX`5o^+}X3_ z!=X6c9MOwmVR|`V3sqF#`9K5WNQ%i?F~7=erQOK|1vCLl8q0aYPbH z6bOwHQ&e$97Ck&sj}~K;amIiWobX1CXw)&q7jbl9M<9c2u}2>P5TF195KwYSCYyBf zNhqU~a!M+dG@t+hW;im*D!cUZOE9g(vW6|gH1kX|ugtPYHeV&P+KK rbx}`04RushQ=PQbPg@st^;KA7m33BHYqj-OTyxcRS6+J^E&>2Mwz&HK literal 0 HcmV?d00001 diff --git a/doc/docbook/images/AfterInvocation.gif b/doc/docbook/images/AfterInvocation.gif new file mode 100644 index 0000000000000000000000000000000000000000..4a27abd650d9b3456912288217155cb646dceb30 GIT binary patch literal 4672 zcmV-G62I+7Nk%w1VL$>e0rLO=@9*yb007(D+veux|NsBU$jG#`w9(PgwY9YX00000 z00000000000000000000A^8LW00000EC2ui06+pS0RRO45XecZy*TU5yZ>M)j$~<` zXsWJk>%MR-&vb3yc&_h!@BhG{a7Zi~kI1BQ$!t2G(5Q6k3Rth$tai)odcWYXcuX#v z&*-#z&2GEj@VIs;jK6tpNrHp{}&Gwzs&sy1Tr#0SK}cd%eWP#>dFX%FBws!4$*H z($mz{*4NmA&a>Iw-rwNi;*;CLg&tp(CqN=(Vd3#@%Q+E?i2R;{>t`-_2V

~4yr_W6xFH(#d6C+KK76Td;`thezQagJ-ok~e&&8sYl9-RsDCe^Q) zqJkY;3M*5gW;bS>D3z>RNMhg0ol93?+`4%4>IHXquiw9bkM#{qxUgZJ4b2^1%(!u; z!Hy$Ko?Hkr<;$2OTh7e6GvLjhLyMLRdbH`&PD`U+&HAD0*2z}(Y|E%7LYuI0zRq22 z&rq(~9xnIzIyHb9scDWck}UAR8siW7oJH8B2(Uc=Mfd)gb@xH zp?~nb)L?J+iMJs!vNdO*f4~Jr9DnXLhv9)~E#)GDAA;B+gE7KpTa5}jgd=Lj?Pv^g zJ_addSTpi8WHd{ zlp5Tlo&FaeZMfbh39*~P>MN&@{vgYhp|uYCYoos&1g#~`Qd?rBiSR0|rQCY8thRT( z*c5>xvL&HJOL>Q)rzWz?E_T}e2d_&QwR_@o&yFfDyy$ikaCc|rD{glEe$=ja?j|*F zc9+uoZofl4mv4%*`sT2y)frr`#sF`3s)!Fqr?0;^@~dII)?KP{!q|;i>8J=3?67Z8 zUPz&U`snQQitqg#>4QM;Osdc`BMo%V-x{4&(HAm}o72xKO*Pb5r`NRAN^?!(!C4o` zY}gp)yq?TDdknGABWf)&*{8OhHjHksjrG=N!&vO3?4cd>)Lu)C_k{X+y`SC|8~*dK zau?k=%^3RaE!%ppJa*symD6PQsykawwpEJXebd#UlMZ*(VAsug>ETxWx!A9Nz181T zuTFc{s0WC*;JQaGD&VrGW%kD>a=b6a=$8EUelVkDvcwQtwJ~&bJ0~%U&BJ&6%EenR z@b(m6-@LoNXI?M)B&vr3XWL{q!!V>NXFJ#QCnHm;^ve`Jb$?gWGHiiXXku$FPZ|kuqX|TEEZioYcScA04?>ruVFocKNfmh#b%+{V;9f~ZGmcW0sl;T?PT9tDaYT>$Vc+50 z2fzNgk$!qyp8*dC0mN4jY^Vvui{=%ttGYkg|v%V<7Gv8y1`YBGG#<_n-rJkI!Xp^aZIgI zBDdF3^f4!;iSvRn8TT*!;R>42lcpxKs?~vRih?QBAY0S;%_}mLBy&AvRJ_F3zWVjA zfDNo*2TNEiv55i#D1ZSFz}Ut*)&P)gEMyn!*veY=v5~#3W;e^(&RP~0nf0t_M@!n$ zn)bA)O|5EI%i7ku_O-B$t!!sY+uAbL0H3hH00eM=-um{pzzwc&hfCbz8uz%!^=$wS z{;=HSI`_HIjjnX3OWo>P_qy24u6DP}-R^q#yWYhE6=ZOQ@tXI%=uNMB*Gq)}@Z`Ph zjjw#?OW*q1Hw5m@?|t{n-~Rgdze#W}d<6{P0vq_i2u`pF1k7LsJNUs6j_`d6OkoLI z_`(>@FcJu?2Mv4p!ypcE6*9nK5u5nLC{A&SJDlPcyZFTtUa>G>Oye5cc)u&o@r`%P z;~uM5#y$?RkcX@UAQSn>NKSGNjI87)JNd~dU^0}aOyw$HK+0CmvX*_^;4ORk%ONf? zmS_9{F@yQcXr8YXpg~~sxYv#w84^8Px-(b&OCUm0(4PQcg+R~s7^$^;Q-t*oBVk4?O`2WanAgKKzoi zH;`){Lwkoinf9Nld~F?OTibr-c0a!j?rQJ2+czY)w#|KGblXtf{4KV;r*!Ne9|xm$ zeG0sByusYA*WDm`nnW#%Mr^vXNB{h-lLJ!V5rLoLjqbYCJ+#%}gCLptVtzw)^GuJTk(ap0_?XyO}1FiybT z2ss{n&;5H-EqIiUo_n}R=V#XC1P~?z>qz$^9><#5jPQuQPd*>7W?IpbmBBMy#w4UT z3&HehszZH|87z4PqfC>cG|wX+hgF|p4n3e>o>04I&d}*pWJB7N~CfVyFD1Ob4M$9w!lfb3;}x@9x$1|t%BQuzRyfK2o1`xsbOGq<( zz=wUp$A2zJ5?@$_8YqQQ5QDpdOSr^+SI8)9n1wzFgH(uKbXXfG_&&N*arMVZA*F{a zRZ`0Lf(RCfMD&J50EurRhUPVIm{ zQ5JMx=5g|Pk04-=UZ#)u*pKbVV)b}s{y32Th;{+_Y3fLj<)(HCX>AOtkPvBf64{V8 zW{(sZk-cV-Tc(j1*^fF#k5KlJYS)nid67qEk|dduD!Gy@*^(|9glh+8nf8*p#*Z5C zYBqUcIhl3&2$D2ek5uPo;3ssbR)H>uVMZzbX)-5%L^)?ksgyq{lk~W0e>RhkR&+ZF zgHy?ARcVl>wv|x{lvp=le@B&M`FCT9lvGE4ObKXb8FNn=mQvZ36UmjCR)Sd>VP{vD zFBfij>63DaXQalKarS-V*lukZey3KHH5iz~h>}AFnT|P`lv$aUd6}4*nVPwooY|3* ziHn_ii=WA5p}CNTHkzf0j;EQL(}tQ3iEO|ao3cq*-dF{*d7Hyln?;sa-QsUCkc+Ls zY_7(ey&{ZN@Ink1gv7ZhyGUZl*_<^1oJO>YS@)ctIEKslB-d#I(zzPcNdw&}MBmwg zelniqm7Ur-1L1iZ=J}f}n1ZFmM?L-sfAD!h68J$Cm7l~nHjr|6*(55^DR`d}c2gBg zax|YolXsV(pU}s2of4qx={j{tRBcFiIB1{?T0-6uMvH<}$3k%Y*$EKZCb7anp29Rz zVWEeYZ;Q8sZ5X1pF{19NenD*Ar9%!lOo5 zdgalCUGan*VVo_XK*M>j=3 zH%B4Raedm?eNQDnQT0<>*dAPyoNL-EpM-^O8aex^r&Yx|b1Hi}%7vX%4{G`X_aaR* zB}#|aAM%+ua0*NEx2TkJH2z)KB59~}*~f;yA*C!prFj&olEW>O`b(aAsj`!)CKsxL zx>W7ir+50KzN3cLSE#kLs&zU^CPzzls8h0ZsI^KX#*!g;$g8UYHE|kyvif?Mx`)-* zD~)=bI#*UOBRymVe2-drUYDyt>MDphMrbuV1!Sc=#XPWzuI6JijJP((%6^sMKT5c* zEYYNo^R0teOj=`z5?8J}m4ET-ql~(p6c`&?#DnB;t?SvMdNHq4%5`A~f%E#Xb+~Z| zi)-i!DGqC$!`ZRg@Ubo=v85`qBfGI9fU%-svMa!{=|-|EV6!uH zu^{^dJS#&!Te8l4>60%>5bskkcHxB=$4k}HvuTe!3MjrOS`sPWVf5Uy1TpUn3n(5j5nX2)xnRu{c;mc6hUzArbv z(p$c`OP53b$C2jiY}?Cc@at+!S(fpOkAsQ7|CYZPDU#SLx*YJm{=1qZNx;!bZ3XO+ z3an-gyukO^cJ?K~5Ujri>A(nC!3_Mn^aYQUtHJDOmJ`O6AZ)>IIl?Dg!t$tJ2uy2`IHjrJ z#K-=Te41q3b)95}Na&w?XULhHWKb+nqCCnc8OEr5XQjLgR=mn0*2=o@%CHP#vV6w1 zjApkya&nx@v8>9zypO;f%v!d~w?NCptdql>%vEO0zR=6eoM9SgReBeN(VS%pccS?U zgFXTp~?6rsva9qlYcf{LL|@3Ad`J+H5=82SVwr&JYH0%yB!m*RJgkSPG(HPxi6io{k z-O)Y=ME)$&3AfB9jf+8iB~6^tH8!_*8`Gn;w=NxIe>=E1?Oa1#(>&eNK1~D>0027{ Co>9O6 literal 0 HcmV?d00001 diff --git a/doc/docbook/images/Authentication.gif b/doc/docbook/images/Authentication.gif new file mode 100644 index 0000000000000000000000000000000000000000..2111d2e380459ec67831de101affc01a59297b50 GIT binary patch literal 12955 zcmV;MGGxt1Nk%w1VQvGX0rLO=@9*yb007(D+veux|NsBU$jG#`w9(PgwY9aZtgOAg zy{oIMv$L}R0000000000A^8LW00000EC2ui0B!@L0RRO45XecZy*TU5yZ>M)j$~<` zXsWJk>%MR-&vb3yc&_h!@BhG{a7Zi~kI1BQ$!t2G(5Q4uty-_xtai)odcWYXcuX!g z1L(AR&2GEj@VIr3;k3W&7uCK7Mva__cwy~(HtGg(zx4*!_!o#uw1_!)6zQoMU&d<=% zlE%o%)*{Q&+S}aP0SMLCH`(3g=I7|Q-{Ioz8szEm^7EMM?l$oB`uqIb_V)lSQDm=O~ydP4x6RYbU3nM4TS9T)@!Y$G@|;X2GuMYoxZ5PC6H!XTs3y@!reP*ZdSBhL#Q=-$uHfwc@rP*i}$cz z#(eD(F1EGDV3&Y(TqcNBXIQ$QsfI2q8no%YWt~+g=ce|b^ob^i6AB>|>2Ab!qiH=B0ODK=n%^Hosafe0p- zTxbkhXBdUAK&Zlm9(m{+ha?IkVuS#ISmKKNoOptY{^?d2H!ivWBa186DBX=X_Gpfd zBn)=nj8^fM+E4NY!K04{0vXtnOh&0xk~myd9Ae95X}`e+Eia zpD9Hu>7__MI*xdx$@$))`Pm5|o|a)MDWxJ=YU-*-k!s*s?I9QImTXg6wzWa%}=m=~L z!!IGsufm=TMQg4OPXKW`8Nc(_X`fGOLR9_t*)Xo}x zlT(OR?H$&&VlDJ9M6a^;L1iDRsM(8JJ(|`)W2YsC7gpD@jban=wk=rN-89{XCtOn7 zj|@Ic;b^NZdDfsMj-aUi(ETkSiHzTylX@2Fw|90R11(qSRIjDE%Z>*F`svEe4ZF%* zYTdKdvY+kX-07{pLhIg;8o&;~pX-nBxBMwbhn`0nT#}{i(L}?HkLNLYz=2rLmJbtMklhtis6ys6sH5nI`##N z#N(3|n|Qz{+Oc;e++h{}__+__%3XVeVIRjt$gj<@1A}ZNOU4&CCl*nXstY6oBZ6gU(DHGvy`0^)2itu27FJpEON~STCB*l%^KHxy(16FP!V6 zCOX&IO!akYoa`JXg^KA%g+cS3*Tjef^CdBMDwASFvL-XliHm7$lPl`9m^TBu&xPib zQ|Tk8K>p$R(DOyqpArRUJq{|EzzIh&777^vO;$6Iez9jL3!TjhcOl3Hkai(O-AYvo z(z<==Iw&pK^z6jaIw^>wmGWQ6Na`h%V(@1^%T4ZHdb^n7jHohQ899zRGpNE;R!`O0 zNlCUv%u%&+R&6R)RhH7D=FOm{WC1YQCOipY!>t>DCY>y&ME=+fF*~j65r^b83hEV! z|NLKFftsp!(sgNmz2{#KYgkWNld*qI?B)2m*9z{HuvGM@E;V*Q_jz`MZtSBa2bLh& z#jQfQV_Mp>!@{0AhJ{s2E!Tv~#fcrZOI+h;;xNlA+9FQ2dh;z_u9P_7icYwWts88Q z{$t#EHCJ!>I&Ey18{C=>Hm$$YtOORx-R-96W!?p^c#Y|qAuYDC=WQC61e;#TMz*@{ z_1avEv|H>Zud;w`ugvtDUb;Tkvi+?fW%&!)`nr;s*b{AM!wXtAZdbt`!>xn(CK)j@ zH>$PsB2`oNsW2vLxn|`~|0KM%lHN|Jsm0Ay4JB0GCS-*u7M*NE%*CIey-00uySs#neG zR=fJuu#UB?U2T9`&-&K5&b6+0{f%Aw`q#0pb*h0)>|z7k0I7(e;R0+nxt4K^N>enQ zN9{>zi(>!+IDodd&FyY```h3Sx46em?sA*^+~^K>01mM3bi4cA@Q$~<=e=#4WHE*K zE--$a4bQ_`8JbB=oQ#qSh9&`SUc(%$tKf=i( zre<0ghv($gxm1uIbT3o6=|YF}EhWuCcu_Xc>O3cy%r{VsF&*mSSTNAR9)we;TG+!j zw%QF~j8&su?XrG5vUMRi`kph;6(v&n@a}b-lRbIm`nwRYP4B{UI}L`1x4l2gTJ{cA zt3~a2R+G9?PEWy@0pqHS89Dd^xlgr?5(9S z(vMiW%%yIcQMgo23%af(o_QQ!KYKF3y!OQpJMyh{WN6bZ^{97Yn<497*ZV#BsS=3x zvCoSuFS@Gt+}}yh+QlK?K5rwxeB?9FzuDrb^V~1P@#Fvb(f-fhZHq%Q6yZ;QG2FlZ z#U76ve$*%=YnoX9}xCnc*t2l_i}0^XPcFWUr14kRdZ+9P==^ae|AxP zM~Iw3e03-kcj$+b_+Wd8aeWwCfB1-R=z^69S9^$u{-0=tc}8-Z_f?R$GMILX=4W}% zREn;+TBUb4mqsg)hgbR+4{fN4@8E@VT2-cuafXT8I09D|iuU((KR1G-M}YfbTF=#A zJT`Iym1EPDd%DM1*vN+3SdKj8iNV;57|4nKxDk5jjZ}t4a(0DAcsbBjjjDB1hv;9E z1(71Pd;BPa1<48rxsaWxka4z=Gstl|<#8qVVO?WZs>q52vQxOXKPY38<3~FfvTzv1 zG5si#I=Pc&CVWJ9gnxFE4U>~RS(HXOZCgkF4{L}SwX#;Zc$AO;l_MF2*{G3H$pj2} zm1zNmR4Fc2sg+9zmN&tbUD+Z;DV8>Zmcl`nWvP^Bsg_v?myp7iZ7B~=DVITlmmK+G zb!nDgsh5C>4^k&Yi^q6jVW7YoUeiYeNT!&ckiJaWIo+ZSbp4oK_6^5%hQTg+n zq^ME^q+!T)lCK4RbvWT}>Iq(Uab~&Q2 zxjYprf{@81Pw`Rk;ELi$T<9}Wr#PXtSfj7CC3sb$N!cR9;hwm-qE{fKEt*Z2sXgL{ zUdslJ(szwMdZgz-n^s_?Qu?0znOQEmpx~Kr(HVLYJs> z3U-JJsbjXNeAcLRF{qTvEdF%*FqdjQJpmiPmrvxQf9vN#omwtw`k0$4K15ojsx+M% zRgYFTqM_HGUzrl2WB8u%lC5>S;Wx zgTyzf71OKfw3N2RFWlOcqLOtFWT;dCX65&!V3AvrBc5Q|Sk8wx4{BGW16$Ubs@tNW zJ(Q$=#+m)(n(%cb9*UyALatNbl+x9v92R6Vd5@kJpTqT#u~T|EYGE7puqQ|aW(Ri~ zyRmRLcaKVGF^Q5L7oO<{u)9N6n>Vh&TCP%oK3esrPP1MO`+V!_STj32r^lLpNd$zK zcs~2H=*FQ+B47?H{(TR6pZL{51S}I4e7Q zyBV$OS7A#vwe&c)QgxvJ2|s%a1%2zQnHsk}xQ`|xump-pkGpY_+dN>~xWw?Sn5wyf z%e0+4LZ5rOp z2Epq{rdhm7`@5W*yno@mf5*HkOSz6fy@Yzak_x@9BfZGWy`_}8;LBy!>yG0Kx8l1` ze=Dx`L_P`rsOssP%Wdbd#dYb5+CzySQK%JXeexEEIcEM zxWbvaQTIEQz=y#{1V9AL!K}9|A*=*en`x-nwF!$o;HH+l8RYa`BB>69vcB8); zvS1QGL$<*>`ld*XVl+mqI~D*!tCwNBd-#d47x_(FO0uEC!xHSnO!}pgwPMUR#?a|g zUrL`ut95QVw}+Ad3gE?mFqwM%drq3Tv01bx$|^m)gj$Qn(Pv#2>&R%kY>RBUYoIpq zI92}a8nK_5$+bnZkh~v!yl!--n1lOq`Q@k2s=+!8t{wcWpo_?BtjIeY$D20Gd7Pg% zDao{qdIJWXw=5gr&~B7zxr8&qDO^X1j0E6`V?m~4t5{kpnZz;%VqM&1Hf*+y*QZ>% z#Tkam(nyapI?YQaR@NLB!K`h={K~~#F+uuA$^5Y`;?4pm0Q5Y}v3t+>9BDIbe4K&I zfO`M~5YUvFv2Vw*ac66{R?x*JYzEy#4gJs%t+5_E!S##2rrEPVo6#CQZ-}?i9{the z_Qe*5y>|M}{P{cwchYKA(Jf)pDxH>3_|hN3(!I3LGVQ~3c+;mz(;*VeI;~b-`2N!` z!qfjO)Rhv{My;AeO>s7z)Jh_NPCe91&D2rtbQzeHRV}Iv<-iM^z%4wg#vG#AnVv9eY?d*GYY|bgWmLEUz$&w|8|{(iw|+d&>I;+*@O`>S{#MXxvm0 z%GwqH3J}|)JlhP|jG|=QLXF#ev#|K6-F9W#3#Z8zYo6RapWrPsic`tB{&U{+$=*6j z$Rg(5+b!QEh6a6H0QcS0)J>58XoJGo*xD_hy3E`a8L`w?v(GoP0Y%@u9gQ|Ca)}r@ zx*Y%u0Nt_u+~~aDP*IGZl|~79iILchv#qSusM!iWV=~pv3re*$CeF_M94h|FW^3Xu zUba|EWGED_tQg}zT+ZIX0I`hGxJ-A3x<;sZPst^j_3ZHWEWSH6}=-j3?{=In^w{F%>mUgvfW2gAGO zI8BKNnT{Zt(t4h;5k2U;#?XX*=!j0}3ax9srs$5T=WPq=9e~mPAYJK}e(9K=>E)&~ zAT838?th;i>SHSBqCOF&e(I_^4X8dvq`vA-9T%>?NwMzgQ!(rI((1N;(^Hk}D1z&} ze$p|@3U@y2jG*QyP3*{?&z}D4r(_=cYJxBNDpNfTkIw7_mp;#~bh|5R(>@J(ZtWm6 z7MBEr)gtDA;?m$gY0kb&Kv?eG?x^X`>U6;FIq2^1j_&cU42Ie6v2=gtt}8yB?|V74 zRH-8&Nm|{G?*dOK`wrh2RoCp>z>G-NcYPGi0l)B$KZlWY&*1R4n!|@&z!1DJ7q7p- zpzsSn4tOf7Ab+-XouW=$@p_%tXN?mEuM?g#G%Szt%_sizgQvWJwUy0O&?<{2{@JY!V^c3;rf0*f-S3N1nc{=RT-*j+oZ1drJ5vAHXH)ezMz&b| z*{(YDL|?Fscdoq+*@)#DE%|_*w%%ZH%Z+KijSEVt%Z(hIW z_x*psz#K0@3pYB%L`4_7sxZ8^MafCZN|DC45W+&vPR~!!P|=A^&qGVp)FRBO7RZWI zRoPiu6V{%Q($QVsUfeK9+12Y;u&~00)igHC%%f>}4prOM?OV7) zS;RFe;8aYrdG+osgqN?i9e)4*Dm$1@VL>T#i8I{T@nbNM_XU=WjdEoym;2hf0}k_N z&}IdP-mH%_FU_Z+q)x1IP&n1GW%n9A`!HwQoygRlz1vhSN1k&JC(ea;@honRBd4-v z`Dy2-5GRMt-1_x9*#F$su19(PcM0D=E!)Ew{CU;S(GN)fNoU!Qu#Ha6;NBlp-Aq+2iWL4ZAZhLlCzMF`f~- zK*u@^|C6vp7B6fu3Isun5xN&Ou&+iO;mfg!87=HFv>(s=a7Pw{WYEY2k*rL~`-UVk z$tQJ)(gP+TtMbSjrv&fHCbi^%%f`UW&`B?I6BE5Ng)}hDBC{+L$TxM2Q>+5n+>y*V z|FToQJlj~a&yH3E)T=$QD>T4A2kpyEMfo`tMMWPatI<&Kq_o08B}GotuQdm>TyyOvDe83f_1ATH9Sc}ui#7IGaD>$h zS!SD6M_JUkvB#MJHcD>VTB_w}SZuqcM_a?@@%9*S0g`rHS^{|IT69rS7ap+0ZFgQe z-VK-DY3(&v6nXKDgO%p|odn=l1vXd_f<-%++GO^vbm4&;Rs&*05_YLyiZhPEVzM;O zR^n*+^|)e?9T^!8jt@L}lY8U8`wP5|y?L-3-n}#_+;6u5XS`>z=N`Ph#mDyg?n%JWEfHxQXuE_%~AcjKY@_P73?bi9)vKl|&~U%!9s{Vjg}+gtVE=Rdev&wdNc9s=LjKmsZcf&eUE z`wXZ)WZ+L>gKHk$oHxDbC2xTM?BE9v=spS7kAl0QUjP}1w(@AMe=VdT_Y7w~5#msX zEp%Jo{vsDRv9Yg)Fk}Ym`nE$GB2kGvOkxcy=))d1F@fMySqO8;#3eS7f>9J;6on|o z@;OnAVEiE&!3e|zX0eAIt)F6y17)U|d@qci1&L9ie!6 zR3iu}iAX$Zl74%9n)V7PNkg(yjJiByAYW!-k|;n_=5d+0d?q`!InG3uGm*qB7%av9 ziA!>}^PS{$BPt&mM0zGhbHw9e^AKpiAl8w3zI0#-?YYSpPBSwHE!zXfsmN~f(v%a# zXc()>K^kuIo3v@@0GFsylU7oBD^=zM-KWs*DHEb8bm1*MnnRF^a-NOs7)a5#(Q;Z; ze=$X8NN@T{ni>?7>D!@50~!de=?rDPtHeluV6~P#buw6GnpFW~hB9K+tC^wM82;rs zlxbBSTup*nvw>E&wri}wfGY~tX0^FmA*yk0D^J0|*VVbzGJvgFUcpINn+f(XWksy+ z{OW|dBF(VlY3#}-i<-)o;j%6gS!Nx}F3*}xv0n{s#x~2?(q{Fs#k7^PTlOR@gunaEZ-3P?;I$OkzzeR)fAbPx1`{|a2+j$GBRpTF81FNq@e8bkyA3MkiNjJl zUKdDAD?XYy#C!tHH%{D{Zp6mLD+Yl#$~0qn$iv3N*l~`()MFIOHpVoDF?k|HBM|$z zH!4>0n?_9JQ6>3HK~AxhLEs@Izxc|wd2*9)%;YJT*vi?VvT?w?W&T59c|;zj5SwdN z=4!b4C322)iRhfDc)=M}ZB}!L?rf?_>AB7m`m=_8B8r9<|HKI<9>Ox0m)vPA8rN^}DSVMN! zw63(LZw+fz@47FohSaM^oogNmJIcK_^`n6uXk`nu)^YxAwUd=$7+G7}>~OG&w*BpN zKnvXC-gdVkOKxn)zQPdWfW^edBaVjA{*vP3AYW~j172EiGx8Bb@q(4k&+gxUP6VDFFEIeYR)){&I4P)^(kch|O=lLuYjV(vs2 zytLbus%sx!-gCk7x~op_ey^S62+#N1!PDiDsNC!rnE1it{cC$CWZ&5?_VdC0qL9D4 z?IwTt%5(nkr$sZ?-$>9K`kj4>kNe<3FZjjNTXuQ}Uf&rZJhWb3>#&gL?Q1Xk+e1G0 zbpU!er`r3|6+U!s58d$FgL%2T9&o>3zTul6HsbI8J~^aaeGpj+y6&eDgD=#i3d0}3 zQFgzB-kUgk#P`8BdjF^9Hz5Q^m{gO7bAQdue+k>K1LK<^uu-7*VV;!2KUWeehw38q zYpMQ=pM?v+@>8W!YQUDFr~&k*@8hWYtDpN*zwxu4QnI4Q^FQs|x_^oviy|R|BESu# zKLWD90t7*d@+9;VrxJv~6I6q*x+XGOqzeoycS0y;QYSMSxbX3tBO1aXEW#gDs#$s` zB>XGcS*Lw!!YllwEOI9#%)G8Kopjw;iISisTT&w=~vmiYj#9wlyd_p}udO||n!5;v_nM%Zv z`a|SHsXubUT_T?@%)5@-s4zq(kGe!mG@w%q#8iwUPK3k+DntMTqEKWfOB5x1VyIg@ zLRah|STs4T^TAf)LtxCsu-d{+Tq8+5zcNzBMLfeY+`LC@C5dvRAUq>1Y(#84rYMv~ zWMn)?M5kzK!a}-6IK)P16vkfaMw788@q5EKbVhS*MQ+ptvx5=9Xs7)_MJT!`S;9aE z3Pc$MzXhbnWW>Pl!$+bjMJ+liA_S_MIwygIrw0V6f@Hz<`=^Eqs!C)?n>ry@1V``- zK~F3`l|mm@;z&rMo)bdI?U5;?^8Uzct|%Omx#s_~1;?TsY7iO=j`T8Y4~A90$|X zf;$s0^LowVLW$*q0@s91sVFboWC--4O@c5k+{{hjoUVPVmZk_!<2+93+Rbe1P2_CO z<5W&OtOf|XFzT$%0KhgV{+Q0{j0+3f&YxH}5717x=uYn}PoEGsnlMlGTu=7A3Gn=} z4G_=voKN~ZfcIP#I72qFay8k|&pPqXBGEGdeX~vBGG#NeXiGFI8_=8MPZ`@a1Wix{ zmCyrewg<(u2&GUh(@+lW(0F0cC;?Fq9Z?dskrI`)6HQSS4F(Z)GDK_96^+phjZrUK zP{)ALqA}1|nNb?8Q5y{x3r℘n5yFvogccF(VEnWz9w*(jqm|BLz|i71CB&QcAJX zEX$7|%~CDF(o^wL2;EZB08^?V(@!zeCr#5eL(?-=Q#b9=A$wDHn>03+(#6|+UX&{NINR3(I0fP`fjGElV)G7`!r=uR(L(uWHnb}^+je)($c%vx1tj$%~v_ASA5M%eSI1u zNy~K=xYe9CT@4R!HP#v9)U4@MhMibau+>z1Sc#=rRLNLd<<)q_*h~mn78O|&Em?;B z*c}tsiY5M7B{A58-OI{kwmmD>cijMDo!4c>S$+L8fX!K(r4yWuSDH0f`WRZD-C21> zR(j>v4SU&j#Y$hhN0Q~%TD4ekt=Ot1S*cxFdF@uK-BzsK){NyBjy+ki62(3{oRoK4z$?OFevTa&F@zNJ;B9awGvTDle5p#57mgV?Nj+sTC5PsLiZ zO(R*azupB+J$v)Yq+%*bTE7aa(T@K?}k`0puT;EI*Mv-qVfSPTO4^LC~IsGA}Cy z;Qs9vG?XGZ^e1ML!(zNj=51c*wKH8%*^<>(&FxsNz17)OyJ$4Ucv3$Lwgnc#SETZ4!v#R{zY1&9XrpZf$nw7?_JRcw#Ow) zFGRKAl)c!LHPz|`JI#Yz6Nb|i4%Ct5of&4`8+JBFNn*(`8Z#Z@CKjtF24BDp-xhOJ zE572WVc;O;*$q`V*COdEevh^52jXKA6w8fg% zzex&1eC(a6Hom&aMMm!Df-Y)K4lbmY4`*Uurskq$lEv-a>D4_wpC(?m!D^${>NVkN zU2ddz#$^Ev%81PA9F#w({>PerppIf8z}~-}exjm$Xt=Huxkl#1zL#bg=h`i5h&GhP zw&upZ<7a^E;H&JTJX6m0xyf#$&u+NTMv>75%b`}}(@wb37H80wKG;U=)NZlWX6?&v z64DmyeP(FU(`V@aPphG-=yQzD_YCg}s;@M-AqEm86NPH#K1X`Qx1XoBt4tLF`ea4vK4tb_5t#v)@3 zVZ3HLg`zwj|2zC{vm=LDAMd?l6vVPN>;yk?wO(?(^lU3f@0m8pmRxA&5lEvf>7MqW zp3HK)VsQ^K^TyI~2Zl&ls9`lHIR=k&!eVotvA=X_aQ^kSa~Y#^jzjaF@^i@objlWV z?@jV4HuOP9^etC(ydrebc66BG^HlDtc=kLApPT=-@j8ceLXq^Gp>*i5bn2sU>tjCW z%Q#Q3Cs1b@Q6E!M*TDI!sR?9mljOjhCT!v*@f2UWRS)h~clBQ{?ghr~Y&2IJSv5yomw~_6zc9o&M z{@8R(X9Uf=UEG;+au#>mCU@ipDi99J67qLol*lDaUL)5Sd{0a__j0pB^~fvu$i8=W zHxqDQ;E4Z+0Ro4Q7G7EpZ!(8L@zKJc*1yB%{_KNS;fZhdX}?kS?ZjbpM!^Q8!VYUv zTY7jVq_?c4->QaGY9K$}g)$_CylX}@ak=C8m6q$Px00A{d$+H)KmP7|fd+?n@wI;p zb%`73#l;U~DhME9 z5=ld~+2V<{w0YInT~vm0=fSA7bF# z6MffhVJogLa44K^ zNu*boXR`7#r&EvWsZdkV3XuK?)2?$I&z|%(_0Dtkl(r*dH}*3(`E^V-b+7sElDj%e zIEw)mfQNub!6X6v0x&CR@E}4h+K6%cMW-PLMk|7qf+(wTvwX zQRKsr6h#?RnD8Y`PajvB{51@vJeoLx-PGC0XU$nVh4C60^wxv|0{{&0ci=z(1pp~c z+86UG)~rY40TtP6YpkJSe+KOd_F_>bUBj+5*%DdSxN_B?JPFjIO>j7yn8eFdug{Hs zT@BU(87xEJQAr!V(eqDMPUSGT5d|DOtrZx}Y2c(L z+bHKa;oEDbaMc-cp^4&Pg26>W6mPLjG=zl^y71Tl94P=*002GZ4?+F8xLJMo-4~;b zHQIQido<#><3?7M)FKxpsUf67LEx17Hi_JiPpZHpmWAk;C6`^= zx22Z>koa8z;ZgF`0hBaV-ivKw1*VsA$~h;Ub@G_ses1bX2Ap=%=O>_n{v>D$`Y`of znwC&f$x==2{`u%~gi1OorImJ>9~OB+x@n)5dip7-fMU8SshV{fDypffn&qfLmP+cW ztI9ent%0=kDy}faS}U);`f3H6K<3)!uD=?4?4+#@yR1RQBKs_~fht=hvo1OtEw zIBm7vHlr=L;Zn*iwcaXst+?r`Yb%@Px_bt?>&iQ?9=CoW?7MNrOE16TlAABUlJq+; z!8zI+@VNymys!udBm6KwcMeJtSC1stNUT+C86%wg4*V~~b9u}#$+LnSa=s%Qvhp3m zXt`do(5Y8n$0fsevR21@qVsu*fVrD+6$>@=LpQkG+m#@x^)ki0LGzx6B;$;-xfC{7 z&W0!c*~K6|6BYLvhDG3$_0koiRu9ndM6sbb>!@t()Vc}_SBrHcL*?A~X6EzE*0KDz zVbmSnVaq)+OtZ&i<137`UG&cD1flsbraf$ck znS><^j}YFayBZmg*`xm4N{Gz#bmo$;3^en5T^w85*^R&O^~2-38|B|r=VASS*>RCk z(vPK`;s_Q$?D4E_Y9O8H68ODb7ziV}*+%k+R+{n^FKzm31?;@0Inj({5bsmi0OkG% zE3dgtZB+1xgQ!;_)o6%%B8uM7NJtuQ!~+ypy5Z8?Rz1(Pt3OVXl9b%^KGwaie}So? z`Gf*FzikIWd?TFgQ1QWng;0c$;@AdZW;3B}kxo^#;FP5@D0w{n15FpE0($WC7oTV*e zNy}aGvX-~(B`||2%wZC zye28DxvVvzshs9KCpy!q&ULc0o$h=mJmV?PdD63<_Pi%P=UEAHCghd6geE`(y31q= zw4eYbs6i8|(1i|Dn$+YcL?bHEi5ile`MfAbGpf;zaM)j$~<` zXsWJk>%MR-&vb3yc&_h!@BhG{a7Zi~kI1BQ$!t2G(5Q4uty-_xtai)odcWYXcubZA z&gisy&2GEj@VIl4B!}y$GpX8OPAaE+tWo z^hXip%P}#9StB)bQqEhBegd<(OQ=amt8Q{JiZrOhNDGbbv_(|u7pCo!odK$CYgeAI z)Hw9o^`zFb^QyMOdh}K@>0C z#fKxWQ!9$_QObgq$TeJ-@ng@OKRf11Iu+*3S1db2>lw0M(O(hgB}=xfywjglbHt6h z2;thaTi8O@7Y(`e=-Yw2IiJXz`JY;bqgS6UzOnUK-Mv5A zKCCrZ@pk7H-<_Qrdxq)N`?w$3^?UcUo&Lq&N%iRmQ(Fi&lOIS4npU8JObpmyDGNe~ zgoG2)x7;yI_2g4F6bz~B_rIkQn zndL22qS=I+Yl>rIH9oN>=6lg0xl?>i64|DkJixi;oPa76=b<(J=?Y2EfeGWCVRDw} znT75kXqJRlnh2tt2Bqj)GP!r8e*v1+;isC`aOsqprix>yuxf*9D63X9tE(~8s$;9T z!k}xc;N6-Vux9qUAF<5vYHSO?{vwN>u!uCPjIzseAnk z8<(@PQmU=5HS+nPxJ`Xkn`BVU`|c*tuDj_h;EZ>#iQtAg+E3-?>&La^7_2V|`xqH& z!va4-bVu4A0t)jk@7*sGR!Vmret}LCWbVm0)i~Ea7#aXF{myNO*As?x~ue~)ggT}m^p{$ z^`uvS$FIbS(cI|P@($KBF4|R9h8OS^^$9cLPslanbtTxwL7t8k# zMx#Au;bb~3UC*H14E5mt{O(O>)l)A%g5QBtp6A$W6W6t)feYQa=j`(PTHH3z(7pBbVDCjt6SwU>y@i?Y`S|rr=6?7Zz)${@-jw9L zdh(NCGyof1#5qa^@EfKClprI?%2v7(l4y9PEN8jM0O&zG+WVuX&LF;2`qEOUOh^85 z$wb!ivX{S1W+GxH%x?&gl*qCmnvRJ~Wm=Ps%xtDJjp0I>=u$+~tlu@q>8loM(+op` zqdMmxNBV_RoaBrr3!X_&22#V4Sp?-6JE>1krjZryT%kM%`ig7@a|+Lt#wuyq$N(I` zp$whnB>wsKP7frMpcu6x1ulBgD0Fm=nGxVeGg`lqB7>wT1p!AldQS0~6e0P?U;Rb?)Sq&>jz{*vqdbNXO6{}h;iq3TAW2I2_Wm?zzQ=$qqgF8*?HJ^Icvayh^ zfDI=#k11HfqLYq=-DqFYx`D+m?5}_gtX9T(9ETgPjyEISoN*BTL%P zaWtl8fb3r@OHT}@RXo;>?QKj6yV}F5!I{ZTW_FQ#TFbr`yVK2WbjM3xY^vwC!^P}mgA3jAx;LcT z1>Q7ysoJGN)<^5iuYOx{%lD!+zUT9AW0g29H40dT0A30p+v|jGCWsgZj%tKabl(FJ zIAO({@P0Hb-3w!w!wp6VgAZKc&3QOj83wTq5}X?rtF^>Mw~r4RSaGmOtCR#Ol64~xX9i8ZefLs*eri{tV{;p zv~uVr$5E)v!}#U}tITGHw3As%E`f7}Thz;n6u3r?>~=cVy#G*8Zm|nmpFV8<)i$%) zTw%Vcms>m7%%T>&;nnS16J6w?c!_kWlOpC&Y|R}TdKufJG_#0`XWIr>(m0ND8ARPO zs^E-=9NXjDcxER~7y8pOHb|ZuyWS*Bm(g5yEsXEM>L!w-bkh-=qpWkE9v8~fxF$4l ziAz=Lig(&6Ep|k{Cn`OqO?OKIk(!?!?Gw9W&WEk@dU1f}ForLTg9 z>lO;hY)2@oPZj_BGPNlSY*fF~-P}|4w&88DPKS$N{bpOda-xoY^^tuv@mtBx?4aeK z*QY(zY>qdZ8s#ed-3-TsvjOFyz5seu0s@NDYR2cC{d<4%0-Vcjo-+Q+MUQqRQ`yNR zK6HCIWL7M!@5$eE4uo?vc zx{0Ljrj|?ZPKU!&*0Js_QoSvT$Ju)1A}DLPjlJq+Pt($I#G%2bMD691_u^zGIZca+ z?sU&trn|oPWfR?SOxv^{6<;*N-_)%~MZ6C=?^k-)CGHXAW9{&gylx9U*0_tF^I~2* znZrKzwBGo98pd{bN|;ujPrK;xcWdnpf92Fe`$3>>6688%=kb3{MN4j(@G zoR5s^=g<4Z*8cRgD}Lzreud!YX8OY)uZrm#%@c<|6az+oZ~ji7d*vtQde+ZY`7W#C z^fw;+)^C#XF9Cyd%8`BfM=ab26HCE=BGweI_B2ZpXtq%^6U0X(^L}gtA8=D~=NBc{ zw}3Jdf(n)e%I6&x$92jEd2Lp<1jB*$wa$3PN; zLytm2w}*r;*k?S~fw0#tHK>3&*eMNY0x8HaJNSd5wP*y#ZUT3OBVuNn=6Fk}Ltk<_ zGT4EY<0&?XF*rDdo9BZCa!Ivo`tVW` zqAMigiQoi^oC1psLyDrPXm|E&aWPVmI1sc5A#@mw!Z?g_@MZ{Qi){!_9t4NKXdw91 zPtX{R(m0LOSdC~Ti9Uji@551y*o^wIP!Sc5;y8}vSdQk1NJMsw+UJeSM^D{&i!_#e z+L(MsSAOgmk5@x+iPL`k$UpmNfT}S{bL3im<*MUZ`oA6C?|Z0T!p!q&?I{I$e566Q->K2j~SVkNm7$3ZY6n{oEcr2 zi4B$6nWEW|>zJ6Md79(&nYOZ-sM(rWrJ4$2nyxvUlmwf}BAc|Cn+S%Iy4jl{RTRAG zo5IOcS{MYj32L}GoXUA6#c4Ljmz>KPotn{@h{r3ch-5=3o!V(B%_$|N*@m@sYS{IK zUbda)sVd#+8^QUAdZ=EfSX}2BpSk{$o& z13HliijfR?kqmmE^~iA6Nowg8a_}i<{uw^@ITQr|h9dNwtVvt+)o5|Xp%{3J*K#QnXo-MLLk|nWfdDq$KHkC7PfOs-j{FQx)-K zZpw+!>6$b;r*vAUcDfQ%suTgqZz5Ti{TPsOdYbeli-g)1Nx>YyF@Z1lXMkgYe8wd9 zw@f@Lgh3dOgH@=QS`#*^r~d80hc1Y0hKObnjLByiaM2H zNtgOoYmsVR6-uGvS)r-Qi>&&q(x-yp0jiS+dCaz?^C@2X310kZsjLXB&?-M4dU%^i z9e!qacln^mimRr!Qs~yJni#F(x|+i3m?4;SA}Xijx~{i5tpTy6@NlPfnx~ZptS$GZ z?7Elk3Y_M;uPbVg*mwwJ3YvU+aWf*SBGtG}qaKcU7q?l&@Yp zV;WnuDN7Xv%R4H!l9?lA`RRq@d1?z8p4cW@Upu!b+Z$1PtHMXNM@V&NyOe2*g?DIb zrra4#Zll&iNP8y+l3b{!X{gDaup30J&YQhk%U!aI6XTNpw2 zACBrkYp65G<5y60`5O0ufpKDx-PZYyl822^)Dyt^{A|0)xa>ywY?HAeV# zoy)PIQoX1C6zxE}1aAe;^av@$Tf9uDiJJWQlLOrSuFrVg5>GhDwloQ>O8rqG+Q(IUf+d6JS_ ze||QuN34!Fo5KxuwOAY|9o&rx+$AAty@XoDQB|_kYLDXkh(_tf`rDFCqP!Ihh+~|_ zNPNXci^f}w10VIhI#Iq9I6BK_yJ9T1b}O#{x~cDav{*)4vWS;D_c%`(mV-FRcFY_; z8l?Vb#7~%9MsB&pX1oPg#mC2%Y-$+C(i=5Go5y?Lq*3}vvDC_uM6djc$2bwL%s9f- zdx3YPx#NNyN2$vHiKPL|#Ku;{sY}Ke(Nn_Qu!_vO#*Dhi3{&n2NLtLe&wR{uY<9q9 zETW9T(Q?h$49vi2xVX~Icw5ZiJh#!jd|ErE)$Gja{I%=+R@nJ}hCHW;ylU}`xbut; ztf(!Qyvbgq$pZaJogBgYoUi??Tnf$Hy=}`{3E8ajRB=!p)#5tU<;=SuM`ujU z(!bO&|L4_ItkR1DrrL{#+`G(eS0iby*3r7qYZ`_=!OeDk*KD24hAAU_-PiW|*U~Ih zbkHm2OxUqm)8qVNkHy$bYuE`P*NPq4P9(+s=zb*>#d|x*xQnmH%enYgc`xF>G6KbY z3c3GCB&r>Sowin%%_UBRfag)#GkCBC2xa&d#_>BsyX~d`crRFC+rJ&fdilUANYunw z(MRpkK+~u*dBFdcxs@};j*7f;Y`MrIK~CYa-xhQ`H+#DCa@`G;oRNqa{^*i$EP2vh zLdl&j#ao>LdqJ2zl3z$0^WQJ#CU1BgxQ zcg9hBefNja9f(#gDp;Q7GAoz2m*LdSJgldC6-3z)g5+Th-SLgK(OVFd$%$XgV<@hJ z_`9C=t>jKzZyH1AAY$i!is!Sj=8oMQZcf#hE!mlBlRmEB6I_)~*Uawz?(L2m zE4V|dCpuJ)>wqSRv6I_&_vC3lMe*)b1K-4)e(@Ne@hkD*V+C)#x9&N+=!g)|1zqwc z|3w6S@+!ab(Rk1VUv3XN@uO&FDz10(XX)YHw>l5opz!|C6aDi*e@GG?^h96u=IGoV z&*!tuK2#YMaxU#VpV`VCVIPy%1ElneGVjv;b9q$aKx5rb%aUiVBo&D5{uR?!pFtvj z#s>~}YSZ7ROsoQazwU+hX-~hOY|U~Xs^&pACxpU|4EK^Z>s0;JcaQgk{O>jn?Bz~| zKMB8eNBAx-F^AtmYoEwpzo>l}?6&8$iMZsMPvw8F!ZJT~lwbL$+v03*Xe1%|=&-~-H z{)b=njZXib`TcM5(@L)Y5CG())n1(S=G}iV6i3nvN;Fkhwsl`Pmgg)W?vvJcp0saZ zP&gzOjYnisxl9HShh9`VrS5W7Y*xGFc6C4C)jK9zz)W;ny=EJo&~jWp4~gk_d|sbF z=7w~lU_LusE@A-TDeEog?{(k>|fcXr-saJ5sI)e!n9$Z*PKmh{?Bu=DQ z(c(pn88vR?*wLd#0|5jyBw3^6Nt7m1ZW$opz)P4hWzM8o)8Xik}efT)vCg&SG8(zDxs^>u1~>w6&ug1n6P2D#>u+YEvvR~ z*GipW_9{FGOB?A^VM&*nXhm_=pFnfYku?ALQs zx{&*#{ad=T7R;wrcS*ha=wh&T_0lWr+M8|Mi(2RA-5bkp-@#n~7miY`$>LR$FIUd| z^zjSCop+Ev-8%B?oS}Qp-lKZ{cktiA4;4QivU&6?%BOF)eSP=$?1jgdkM1~q>-g*E z*1w;d+WwXc&_C4%B+$MCQ!p^W%ob!28wY!f@WH?)q|legF2qDb3N7SN7sfuMPQ(N~ zBoUYGPTWhyh5~Z&MHpk0@g4yNU~NVmbJTH18Ed?QM<9a~a!4YJH1bF!lT>oaA$=@k zoN}TRB!B`&5=Tlbvvj7)X0-J3OEAL}b4)VJ#DU8v%~X?^fmmDfO-%x5(=a&ewDV3p z^VBm9ISCpA$~~t!=eIx$C1OxT05x<`MjLhX(L)hQ6Vh@J&4$uFEd@kTOgr`TQ&7p# zGz(5cRb$jBN;Ne~RQ3K)byZknm33B6B=v^YIBi7@*D+h=gI8dK71mQ<85y>XV!t?6 z%Vg=dT;@NF=B~?sS#sSyMYLS_CT~EGkf?ar*NH-8R zzq8j>?c`Q(zjwO5{vI|lh?n^{(Q(}`nkx#X8ghPh>pVFo&9 zmyzx{)QV|1*XV|$-dAL)r>?qatFwN3XDK9Rf?OzaNY1` zy79Q9hP>?0J0_ZQ>Nn3UD1id-cFUXPuJ1Tjx_;#SRxOHp+63j#au}?_F-eCzqYt z(|;`;RJ3Cs-1pYuKE6}E1-n*txrr9N`J|}^+;i8b)Kzi5&Jzvs73(7RY?&V)9pttP ziQdiUXMMcp>es(Mep%m#p?!JJ_ulZ@g-xS61Jcb zF2tJ+{!vFmAObL-WMdmQp+=yb@E(+r3;|VGmOIYTF>Zuos@(WTKq7057E9nD zb%@3<_R(5_WMm_k$VCtq5|UQPVjC5i3P)yAlVLFA-i(OFyzsG;Uhv{3O({vXe3B7n zcm=ma7qYuO40}qbS}ZO}##73|XasWuFEtjnugP+kxqRa&-=RwHw6GH&8<@w07tC4m zE0(P^=9P#ki)m_0U&FIo|9tt(YYyU;bwK79lHo#TX0KsZvtIU&cCwjOj(+fr87vL{ zF;1t26PlnCn#q)w&ZCj-Zrh6|`~E4kf!a@>w5+B&%DJ~un4@#SQ(i@x7dvz|G?EM5 z7T~hwOyFH~dm*(bNvBy$j=DjkI(+EA;xy9bO;mdbjj88oiqU1R)TJpM7(Zneyn3z^ zsF6!wML)OBf(n$UTTJEi@W~a4UbLn_Eot(6m(fYGZK=Iv-M;E(QrR(6s9?3KK)<@x zfaz2{E&XAf=mtxVLhXJ5^(Xx#S3T{4lMqjp9$JY3HF(nWoo@{qJ-wPf!2vd@yNqio z*~nMwuyti`a;!J|l~q^yRkM=a=nK_)khg)!i;&&lW=-o^%x0sCs~wUVWBC5q&#v*b zvyB&NH}H^%d_=dqtFx9eqZZ=KLy_(~+WRR23=ClmOG&~LcEn<+a^Vbz_;MUB zi3V2!ViBhp78@qXJY2q%pjgH`7AK8sOcd@k*f=~Ua-CTG;~xdt zL- zcnr#|b(au{=}S?r8@)ZLxI?XuC)^?z;w-dXsY;ToK9cQ&aoh*3Nc=u`Oy1{!-ewQk|;9#Q_rS1 zU0u1FZE~5aoSjE)c{VXtQjC9k<76hF9m6-rJDPcxja_;77EV=|o;>DW?dj3SjkTDj zoauU9?VU426h4-Di;hvsuX(B2mioy~6~ z0`pA#&nLcywtrsXb}`!A+@>t|E<8YuHUC59YSZP~&2Iw0Vtb}wn?EokzujY`KIyRe zD;ISGH>Ja-XtF=5Gnj1xse8dc%K|3^dcTE2z~b=0U;#nBd%S~78h%3>p+c;G!x_VZ zJi^Pn`(rzlQ$dQeD}CEHfm5h}bGZL&JfpKX5ez2~48A}jL6XC%-#NP^Y(lcqnx=cZ zs&c|9v?pSC!nV7zA`Ffp8^u$@3PiiE z8^89ukS<)9JG`Ngiog{lyBn-SEYv@#azOr)J47m6!kU}IL433=^o=~El`n)r!}B-E zi6?!-#JMWL%HhQM`Kj*FK)QORP29vzG{sLuLC3p78?-AsJUu_FzxF9ALqs>qIVo>) zo&e0hJzT3+`o%8+G264k>U%^9aRXcQpb8YlV@pPU(Z&8-Moxl7_yI<@3dRY-Mrn*a zW8@8dL8^metP~8Z6GXU#8ypiPofibGyYr{G5+iD~ru9p-Zsd<%D!VBZ!zv8KeC)@o zQmJ^fu6Y!+dc=(jTrBj7LsnEm3`|HubVG#%9(?IVKpV(cbiIRgLYZ1Sf%!v0%tt_^ z!L$m<&a%ieD@far#arw{#iE>49R4g)#6eTE8Bau?ylT5iG)Xi=N!N(PXrv|43Kx=m zEuB0`iY$>#(H3n4NCqs*ojl3|@yYywO6haTryR;ClS-eVN*}OFqr^%i(@I#$Nv~8i zuG|l?jIgs5fwU~kFyhJ8XiKJ9OL7uGy{bQ6nn7rUK+;ph4P-^VG{E2K%aU6+z@)&z zv%>u=K)ZAxxGWF_q|3xZ-hI`G}{Frxy9fF&PQ6UW;qr5w#Joe~XGN@5yQ%cxRJAxpO;GB`yHIi(aj zt=UDRDIQyj8z#cR9YP}TU9Y!&DAQ~ z)fDShUu}`fL>A2iO<;P*##~6v+(>CkH)SPE5j9QB4AW&bz-SfC3Od%jY}Rg7#%nzU zR~=UNAkBNq!O+}4f)h<<4Od(Q$_tD-r9@U|<2`e&)}QnsbUjRdl~%+wOr|8)F&oZt z6vrS{r*L$qBVAV*JSZ8&QRVbO>*3Agq|N3uPT_P?#4<<51I6h4Ke{4L1g%YsHK@MR z8iHNP<;?y~h2_B~4Z?&nmsu59D)mr*)J+RSIqp2G^GrmEjKc2p*`D1_4HeqbY{(B? zI-Ffv>^a9}8(N$sPobpQEUVCYGEk<=*uZ1BB)v?m9Xf{`&^3HRehgc%1w*lAPOF{I zqvc4ltton9TAZCHgo8k~6+`H}#}s8Mstrq{?Zd1ETz3pfq@~aiZA1>0LYqBYiz+L^ z6~$yMT&kMf|CC#|>rMJw+^6eHIy_Lm?b{m5#QIDuCQVSoB0SMu$%chkm#Im-D$?gf zJQ*#)nQYw{eO*-~-P8ryG%ULxjZ%bVNgjpBy6s2}Mb4HC#jvs*y$e{-ZLwKoSJc$f zG?b;5F3rF;onAeuRvi=8=Vb@}xwz4zUUUIdWtFwc5JW9t13q8`PGAM*2SOWQ3W3y0jbI6$U<$5a3%+0s z&R`ARVEKwa2mX*w6;%-)VG=H36Fy-SPGJ>ZVHO@R8~I=uj$s*|VH$?v2mk;({rH$0 literal 0 HcmV?d00001 diff --git a/doc/docbook/images/Context.gif b/doc/docbook/images/Context.gif new file mode 100644 index 0000000000000000000000000000000000000000..9d63b197ffdb0c80e3f1d275bae0f7757bd1b748 GIT binary patch literal 4269 zcmV;e5K`|)Nk%w1VaEaT0P_F<@9*yb007(D+veux|NsBU$jG#`w9(PgwY9agv$MUu zy`rL`tgNg60000000000A^8LW00000EC2ui0LKCH000F35XecZy*TU5yZ>M)j$~<` zXsWJk>%MR-&vb3yc&_h!@BhG{a7Zi~kI1BQX$&}@(5Q4uty-_xtai)oVg-YscT6UO zndn=9z;3(W@VI?f`fd1fN6*_YlMuAj*pOp0R{(wk(Yv#m5H1# ziQ6jr7@N{#|F9ReOg= zpSxE0-snTdF9$q@Y##O*6b~1;a}yR4GZaE2DQEspT7@LAj^x3J>jI z8@V!K%bO-emMoc5q#K$&6~@HqQJAKV1MiWvxwPrYHBX^1eLA%&%vU`s{)Fh%D%GuB z!?GOPYG{Q3zly3et1T(lukLuNoa=S!&Vg)o%v41aZp*JGPwIT>^BdNTXw!}pdbsU8 zmVU+B1RNPKQ)mrwNQ7LsDd(`3JzqAAF7Yz8w=!QqoeXGSyEh4jR2kHz?a>VLI@|*{ zZtuQ)ffgKUni=a_s?jZ8zBqY}7|iWL51c3iIdDxR;1ik+~s{tCP7vm|CBT*kHT@dmumo1|Z<@ z!w^R-am1!fZ1Keq8}J8G(w6Jlx$Cln->%iY>*-kq%j@mE_;#%CmFj-%-oNrfo3gUB zKAW@6_IWUX00#su^w2~XO*B+SC#^Km0gansZ5&2zZc1Z?SS{3GaYdfgI(6-0a6fU# z-JjFddnn7%?h12f2=(hOiU{{?uxST7EBD+953CnSVrsc|RCld?<*6@+7TJ-wxjnO9 z%2DK+l~E4~6>I6?Z1>InDPMlK=4!NZ%y~!}X_erBE3VX*ARf-P*Cx|!r>uq6xtfC# z+S~Jl5eo6n=YIFwrn&oKX;9&b2amYmkEEJ{t+BgaAIF|&Rak~m#n!gu(^FfmR$33f zQ|f=k74~55{+dduQ7ZrZe+o%|?6FfYi0gy3=Pm_;&9AQlNYaPv|Nj7-Lh@wC0-lUX zefnDxK6nto20HM8V+d0{Y6ZatN-%*W5C^xs^FH`pPz|t~lejP_0(opO2FB{(Fh)qA z#>t6=By<`s>Y+kcA+RH$N+B(7_`EIbt%jT8VFwPS!xK3#hN1Ei5D!SejyUFpO+;eN zKDR^>MsWp2T!sD+Nq9m6RWW~Jg5nXSn1L=1>x*JkV*0KqMKh+zV^@QtsZcXKe4sBO z~dRemU^$gC}-jw(vh7!}dTk+sWo}_vqxB1>^U|BWlv5uCT37l44>Y1n zWJ0pp&5w!Ad+(GAFV`77Np4e`)ELs}nAx^t)^l~u3>oB%=TF*5shCcQW(EuTPvpIF zBJ8~92>v*U!mH^rjv*4?nyyz$UpnQJZ2DS9tGCg~>}Mvcbf-PT=t{wSua&a_BucaQ zOKnP&b2Q{e7Lk(-g-$dz6b4sE$MpRewd56dGT+)Cnfle^tGy zHq>N4|p*%i{Mx+{iuel(s+ zDN;G-3EOj)u9xXG&U)FK3itZXnSSeMK!Z9^hX$0gg*Yw06#ClkF!n~@AvtV28GU2-?-k%s&Oye5=Bde#0aeILf zRs$s9$3PCUkcUj+Cv?OBM5fwtCqLS<)A&G%U}+( zn3dKv>R7qIXI{#|J7g_@KM(oWDEi);=+Oqb|I04vwJ+ot)LpjPCH%|D+e|++PfBfJ#Kb^y$e)YF`@$J`b{4a%mc>d2n5%;IIxbv^7`a|FS z;kJJO7=Yi#e*=hg2bh5OWPl1tXqm@=4X6nI7lFt(fdwdP5SSGf_-wz|fvtvY#8+kP zhi%Q5F!NI|xKo08<98#-fjpBlEMjOiBYc{ZffUGcyOwAmQUydD@kXX~ic3_Arg(6k z2VSW7iXHS-qsVZI_bsq^i+Oi>y7G9dh>O0MMrTBe!T5{BxJI>Ti==pYl~;_+h%LuB zM5(BZ%{YxE!f&EfNw5Vn*3c=>_(arLU(|Iv-UDzc`7iBFYWnH1vihb0K81`PQBwZHOQ9+TA#aNHxMRh_KcK;-clO>RU z^pIYsN+ENL3>jajQ%-*!46Q_lg@ybxy}m1O<^Lwv5&I z7BeZ6PWO%V*me`RA8ljDf~MV2@xY_TFiN#%2bg6H9*g)K%)K$o=ypM;PY}c7gHPdn_+ogffJiE37=}&nFQJ& z@u@%-8Dj6)o~&}9*jb=*wVo^qVQY6yQ81z58JZ9Zp{bdTqk{?Q37G@Bp_a*zpg5Qs zN}`=tbIx=<=wpd?w6g*l=-nwUM>TWJZGLHd{-N}DNq zq>h=S@Ux^$ikMECiw+v4B|4i=TBTNsq*zL&K)R)IDWUS%2L_Q&%9#%0365y0oS)$_ z87B$pIHo0cn#6^Za_U>PMU@G4pu5N}#brV-qc&0krCOs;b}BN6>RWxHL2TNnbXp#a z`l#~=px6kfBEqL~mq=TulK%AdP!?66XaXyycu{vj7b!82FXc|NRZ>vnQW)kJraBv_ zdP>`Qs*5)d(~obLcC1RFyW~hQH%pj0lKdhgo!UJQiKfyxO#8&10d}4Rb|2KL zsnD8}FnK!5+EC>w7Hb+&qiRfD@lyJO0DVwPSIMS zF%n4b`gHetO9*wEaknMfDX!#oQsre~)kI8DsipqZraHN;#Z+L&RITjUtq`lN*?O%I zNnjf*p)R#baz|f#0j#*XoubM?_xY6ih+h6GKHaHH-Py3N`mxj`H8Y!Gs=AW;shb8% zBsPmnIQz0c>rn@dLudd zQ&}sR{APNqhcRfCR;>4AW$Q4l*O+0Om;82nyEnIVTQs6Lk#DP)2-kgitGBvHX%E`B zR>Y@(E4XsGx7ud7Vfwexrnqd0xQ8~U9J{n_8eAI}wH$e;Cil3E%eTH_sDX;PTKlJY zM7m>|sE6CRiMusJsjEK8O1HYIR8w6&J9O4+t0|SLwJNKz8>-U?xr4?}5Sy>kda(F4 zya1(>0;#%@%dhNeo$#tm`--f_8$Qt6uhXlr3(35}o4f$Vts1K($ttWHYq1*3liV9< zC3}tJv=TRJi%vP)lsOTz1Lmpb39~>8ze4M>_?eWztG*u^M2_mX@M)j$~<` zXsWJk>%MR-&vb3yc&_h!@BhG{a7Zi~kI1BQ$!t2GP-tLEty-_xtai)odcR=7zz8mz z&*-#zT^8%u@VI<_c2@#~ynfH``~QG}f`f#GgaHKtWQL55j*pO$l7)zhIe3$qnwy-4 zl@^$tqNAb#1_z6zs;jJ|rl^;#va_qNptQKT1OW)JM4`ID!nM6`!^g;dyuK5_$%~;=>Y5P)bBv?^7o_kGxqrX;>CCTY18L} zpTL8T2*xmoP~JO+o7NeG7)&7#ipV4m!g$Z(3y%J^{!B#pFdrXG8m~ce267|7U)EUW zNeQUsu9Goe-mn=-=1o8RZ2HVqlG7A%p->*(wR9;{Dl?rrWs0<_QJq3~mI5X6xhQ)&#k^JBxG16vj>OYh#cp#jeoz53)_ymb*X%Q_GBWWTKi=a!ok zb+WWAG*hzexk_QWEMHHZS~{_C(2j45F7A2s^RSqIT+bw#I%w&~DT_y&UB>o}hryFh z&7SZ2S*E!`{yJZ3+4D8a_rPy5G=2Z}A^yc*Df+=MpgZ%u6`6APRTE!B!vKfFfe@Y} z;R+O1$c=LvUN)Oz9fs&hfggz|(1Rv6_hCILwg?o7YPr}EhcdzkV>UIqc%cdz<~Rw8 zK6bKW4Lt^_%aAA(X=Fk)E}74b6FMm(k|!uBB_&N>Dcdw!HbkWfR(5$!mSRfsX4l&47z80#*GKj ze>J^V-A2q^h3G{Yy|x)poK4ASk_c96sY<6RGoGoV<@q63->np0sH}dPs+ptilToXc zmJ?u$fsTL?9`Q_fNU5Im290U3{?eseTTmrs7hIGQdz7+oS=tqDvB5S|uIBAp+;Y!a zJ1ug{*@vySM}k|zu)4VwZMt%ewJx>Sp39)VO{Lr0x|!zpDs=66$C|+iv*)aO4F9v~ z4vz8`U3J77R&jUhHGHdz#@MRy$Cnmd@Wts#nlPWYSjO;f$9)B|$i~7vYoy;k+;N1I zt-RV_BrBM6Q>p=dOt2zQB$muiy)0nDJm2(h%R;-n>Y*u%r}4xJWBjsuNOSElmla{n zHLN6W9dg7q-;5s9CU?#DV?CSw8Lt9Y?bXvi18i+_TUQ(#YxLIp?9$lTj3YXg<>t4< z?J0h@;K+HXHmcF}JGbNhROxLwzy@PZGlMZx9T2i`5*?hPbLV6@3uqq{dYpD2`>4AH zqRy^^v_1v+qn21vvk;`hJ`TJVAxRA2-xL4g4X-~b>Dp$JDv!V;SBgeXj*3RlR& z6zI45T3CI7lg!agKxhqc;l4$VM*Gky->~85xO4G9nU^n2aMEFPX_V zJaUqqv}7koSw}c>l9WXHBpoxkNmRPhjHZ0$B{pzMLAFwsxcnk0a+yjE)UuDUtPq%oJ7gk&=Fna6~tG^a^PYFhJ}X~bruQ0Yug4*d3?CH~@8nq2b9G&*WA;Buev!-Nt-ct9{RHaUJ7w&T^ zJE8gu-CgxZS@p(O)3#EslEbTGT?uA{ry=TX)s})vYfsjiR=2LxtQM84T35u@3b_@p za2;k}yF`z{stJ3@6e>DZ`A)|AQLoXUtFxjpwf9`-bwKfyCwAeyJ17>4n-rxQn+T84 zdc&E6rAe&-MOSJ4NF=Hv-R}sBey6?KCbe&^*mC^Kt(yyZR|;W&6v9C z{cxcN_ZtK}Q?ax7(* zbK2YdMqhbN2D=Dz?Sfiku91cHqkt8bZhafZ?@H3Vv~Z8yv^FzZsiLqJGfuO{#w`Hl zi!@@9)@|e)FPvz%zJB>HIfE(3Te@+8}t+cSZ9U; zVjHJ!FpDcrXI)34>b1*9)47zDqS2Yt`kk9_sug$?YXv+CA zx9qx0WipnJw-hCbN156LMJ~NEo^eGa>xz)fW5~Hpq=AntULz-&&5(s%?2I!0Aj6XR z0s&UcfI-RIW|)}Bfp!O-uX<=ia}&jWPP8ZQ6zLHqcdQCo^KC)d-Nkac(}$S!RP|A0 z(e}B#jy`Rv1)M!pyX4bfEv#;PyGjC+TGI&)sbQ}KVNhqM)x1`6Y5nYIV0RRa!nSp) zaZPFc1k=}z{O4D+q#vHbk!d-3K^61?0 zRyXm)YHWLFbjh{bti`}x=i|0*XzbRWyJwvwG;Kz|1n*C>&gCjZ*A>qUk7kJ;ez*8$ zZp#(!*1Q(CTrR`dUy%FNx~aWtjGH>+2j2MFpbQ=y(_CI07Ta*Ww(tICT-@IphdERy zb!9l`H)L-HS4K4#;)! zT+Z&2-MDZLW}d4u$iF^lg}eM+WY4$tFpILf@BQv0*8AQUL+_T0ou+yulD?H^Rm1zT z?3jc+tuwQDktF=@a#Ex^aEn)YJE`#P#tL~aqF5&X((_9Kz1?9k`hp16qgCK%V7ul{I*m4eRnN8_|d`pz+tw{`TK*gY*n7_#rue<^E@Tw7vfI^P6$~?fd`# z0BAx$CaClU1IERlldnZvpOm=t@)t83>g@X7;e&=_HX~;x> z2t0yFP@;xr7kFm9w}^$)hz3Q7d=_2~Xns&ciDYGo{!zGS`S*x%<%tUiirz$SCU`og z2zaQdQ$ay6QU+U)Ls_SCT|y#guSkdXKys@UaUDim#3hTbC25DZi>20!a6=y>XIUYsELe75CbMC90W@0IG|NaB_%$+ELwnx%jUrKW z5LYfi<||24kKVyy(wJdZBVlM4FTLoB?-)}wVJ;WeV>^~OQKpZVf{x^v8a#G6w{nUD z$x`-+cFT2;`vMzsSB`O)WmxuR9NA@HA(HM`k!JXN#aM9MA&@9pR=`qdTk?`usFFTH zku-@>Hkl(hnUhNBiBRX0LKufc=~ICylo>bv1r+3d7SupY=|E2TKk$c?5Ev~%6o5iR zELgciS}8*VNR^*OGrM4QF-R<6nUVqHg-J0~VR4p8C}(47b~C}2bLo~tc@1*emM|d> zc6pZ~k(YW&8z<41KV569R zf|r@edzKWJ%>-_90-B-8aHgb#V6Y!wkeaHge8j|suvwK4MVqymlmHh=xfz?gNrt_d zjAvwpVi=t9Hk`O=oUaFM$*G(;Rh-Vpo6h;1_avRuIaAO{NY;6s1X)VW$(XLg|p&n|YLsf^AIHB4Bm!IM*VmXUb_Bc=WCE1x%AbJM_FaWQ^ci%yyK^7}dH(9wD zTeB#m`_X+#3XH_aq{4NJk}_@~NS~#ZL$@<4rh-|Mf-L88q){4_>dB>SH;?)9IhK`; zBPnv&XdBts9ny6QK$KK`n57UJUJ1}&9@$(Jw;R|(jSE9vT;^J?AvPr`au{}D`q*W5 z8UXp}Mcub8TKA}GcXOIrE&jz}ryzu<@200e>J5E*kXF>%k*Q8r1$J5h1pul+SWSBh4+TJ|^7uAJ$Epvhsk)l13|Wpd@vFfq zo=|Em=eR1D+N(R)Hqzm#hSQ@#_oDoidmyHBP_~fU+A^makq~J$e$fj$bVovpa&Wq< zd9#oD5~%vRWniH-UjeQ^xO~NmLw%YzZuc{UqglKfj{90JX$m+?BN^M`H0mO-vkIjw zsUxQ#03MsCQ&_AXi>5K!u^&sX__34RaSA~ytg=~w#oDqeDT@DG zpg23Qp`@ie8>1>p{thI{PedlPirBLUdY?{91qBLRAv>yT^t4vX22p!P!uOQ+6O~+> zK~p)bLA$dOu(e-%whH96>le0t)PGwkLOS%e+Bd0EJGCdu0d6a|dP_rb8-R3+h5q?U z2#Qid=bcoiw7ev)L)b=&n;D3kOO2bj)p@vNE4l0mw0T##mwQc->$sY`xfFGrp9{JN zg>R!vx(3p1qD!@=>zi5Bxtn*oNvoT$Te`B#gr(PqNce<10ZoIef-yI0bqiARH-1Pa zew^65zWcbWRJ?_Fys;L&4Mj&sriqalyub##;B>o%)M(Xfh~tO7619n$xNHfCyxY6H z+}pk6dq{o$cD~YkfRWfrqzEz8^t+auZ1nql+G|l=Sc1*QgM_=jjdV$>7{E6uws&hy z_?y2kYg3{%yivu#%&W818N)O|092_qUua zOs?A0z(e@LADoCPj7>5uST-D5oZu(cy|@<#zuJ zbU4J&&e$M_YOmF$)>^HmX$Ot=x{=pX)=e$fUN$(Cju$Bis?dF;lZY{yfq$F)Ys=M>28qQ=54$aBo1!L7tc<;4=H z-1f=b9_ZXf3Ej+OwrEQ~YJ1)J!?u{cl-hki+5O#8Da9vX-Dex#;*CJu{vA$vySE_J zx9*)n>)ZkD9p51Y-}XI2^Zfz!{kHg>-$%rODQrlWh`JA~PXn$?2F|gR3-l51s>um9*QhJh#=nKGCt!- z3*jReypXHA!)oHGYvV7=;~BMQ?kisCyTeV3ynIIF@oVIiB;=#DM1**VK3Tun=E0(7 z!TNW?*PG?Qo8?u`pm>&cSY;Q3Bs3N!gOAUr29tG zOT%;y?Bwa||0e7WZtUR6h6KpuKFsWj?(Fvq?J+FvZYbSVu-|L=wAiji*6sz{4pYUw z3*;RIHu=O@6z3G9&q?>*qF7OaD#t6?T`@Zmwc<`^Q@Jps61s{J9f9?|hP!#X*EtRRi=*a=e@jLPHx2RdB zED;s27R?e{wVbk*Wv29gk+CRoJvZSb&ng^&@*=+z_k#YUk-V{%xAXr*F2ihcVI7k9 zYN*Hz?<>lrmRhlISIvwp^hBaJ_VUg9Rn%Co^y*^LF%Q>LozzN)2&P?`v@FqJ->jc# zQES@I4P$d3695Y!sbvrD6ZX(Dv(hnbEsc%wXOA>Uy3%W}M{WOH%*xMC#&rI{0665? zuXp!RU2|@)jsc(mR39$g3iu!GrGx)Ph2PR)R#|Fkng4x#;?z+*A{E}eor`m zgLE9}X1ZMZRCGCc9cQT@%{uC+_Cflk7TNv~01eRhd8OJZ-vYuvC6?{@J9Wvf;{aa& zMH!Dp&@b;1MBB-D@y8$V6W{Pj$^Cj%{jYB#_J$te;!pj^Z~K@}@a%8;-OlvnV72o9 z3*FuY_5V@ko!$Vn-bu9o5P;;Q)n1&dDFS>j6i2c&PqY*YLvvp^mL<+hZ#>s`zW4vp zKyV-yjYnisxnwqpf&oxE1qq#3Y}N>+cBNKrSUgs8y=QbReference Documentation - 0.7-SNAPSHOT + 0.7.0-SNAPSHOT @@ -73,7 +73,7 @@ Introduction The Acegi Security System for Spring provides authentication and - authorization capabilities for Spring-powered projects, with full + authorization capabilities for Spring-powered projects, with optional integration with popular web containers. The security architecture was designed from the ground up using "The Spring Way" of development, which includes using bean contexts, interceptors and interface-driven @@ -91,8 +91,9 @@ Throughout the Acegi Security System for Spring, the user, system or agent that needs to be authenticated is referred to as a "principal". The security architecture does not have a notion of roles or groups, - which you may be familiar with from other security - implementations. + which you may be familiar with from other security implementations, + although equivalent functionality is fully accommodated by Acegi + Security. Current Status @@ -156,7 +157,16 @@ Key Components - The Acegi Security System for Spring essentially comprises seven + Most enterprise applications have four basic security + requirements. First, they need to be able to authenticate a principal. + Second, they need to be able to secure web requests. Third, enterprise + applications need to be able to secure services layer methods. + Finally, quite often an enterprise application will need to secure + domain object instances. Acegi Security provides a comprehensive + framework for achieving all of these four common enterprise + application security requirements. + + The Acegi Security System for Spring essentially comprises eight key functional parts: @@ -193,23 +203,51 @@ A "secure object" interceptor, which coordinates the - authentication, authorization, run-as replacement and execution of - a given operation. + authentication, authorization, run-as replacement, after + invocation handling and execution of a given operation. + + + + An AfterInvocationManager which can + modify an Object returned from a "secure + object" invocation, such as removing Collection + elements a principal does not have authority to access. An acess control list (ACL) management package, which can be - used to obtain ACLs for domain object instances. + used to obtain the ACLs applicable for domain object + instances. - Secure objects refer to any type of object that can have - security applied to it. A secure object must provide some form of - callback, so that the security interceptor can transparently do its - work as required, and callback the object when it is time for it to - proceed with the requested operation. If secure objects cannot provide - a native callback approach, a wrapper needs to be written so this - becomes possible. + A "secure object" interceptor executes most of the Acegi + Security key classes and in doing so delivers the framework's major + features. Given its importance, Figure 1 shows the key relationships + and concrete implementations of + AbstractSecurityInterceptor. + + + + + + + + Figure 1: The key "secure object" model + + + + Each "secure object" interceptor (hereinafter called a "security + interceptor") works with a particular type of "secure object". So, + what is a secure object? Secure objects refer to any type of object + that can have security applied to it. A secure object must provide + some form of callback, so that the security interceptor can + transparently do its work as required, and callback the object when it + is time for it to proceed with the requested operation. If secure + objects cannot provide a native callback approach, a wrapper needs to + be written so this becomes possible. Each secure object has its own package under net.sf.acegisecurity.intercept. Every other package @@ -221,20 +259,21 @@ directly. For example, it would be possible to build a new secure object to secure calls to a messaging system that does not use MethodInvocations. Most Spring applications will - simply use the three currently supported secure object types - (MethodInvocation, JoinPoint and + simply use the three currently supported secure object types (AOP + Alliance MethodInvocation, AspectJ + JoinPoint and web request FilterInterceptor) with complete transparency. - Each of the seven key parts is discussed in detail throughout - this document. + Each of the eight key parts of Acegi Security are discussed in + detail throughout this document. Supported Secure Objects - The Acegi Security System for Spring currently supports three - secure objects. + As shown in the base of Figure 1, the Acegi Security System for + Spring currently supports three secure objects. The first handles an AOP Alliance MethodInvocation. This is the secure object type @@ -340,6 +379,17 @@ for Spring uses the request context to pass around the authentication request and response. + + + + + + + Figure 2: The ContextHolder + + + A request context is a concrete implementation of the Context interface, which exposes a single method: @@ -454,19 +504,28 @@ - Return any result received from the secure object - execution. + If an AfterInvocationManager is defined, + pass it the result of the secure object execution so that it may + throw an AccessDeniedException or mutate the + returned object if required. + + + + Return any result received from the + AfterInvocationManager, or if no + AfterInvocationManager is defined, simply + return the result provided by the secure object execution. Whilst this may seem quite involved, don't worry. Developers interact with the security process by simply implementing basic interfaces (such as AccessDecisionManager), which - are fully documented below. + are fully discussed below. The AbstractSecurityInterceptor handles the - majority of the flow listed above. Each secure object has its own - security interceptor which subclasses + majority of the flow listed above. As shown in Figure 1, each secure + object has its own security interceptor which subclasses AbstractSecurityInterceptor. Each of these secure object-specific security interceptors are discussed below. @@ -495,6 +554,7 @@ <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> <property name="runAsManager"><ref bean="runAsManager"/></property> + <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> net.sf.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER @@ -508,8 +568,10 @@ AuthenticationManager, AccessDecisionManager and RunAsManager, which are each discussed in separate - sections below. The MethodSecurityInterceptor is - also configured with configuration attributes that apply to different + sections below. In this case we've also defined an + AfterInvocationManager, although this is entirely + optional. The MethodSecurityInterceptor is also + configured with configuration attributes that apply to different method signatures. A full discussion of configuration attributes is provided in the High Level Design section of this document. @@ -635,6 +697,7 @@ <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> <property name="runAsManager"><ref bean="runAsManager"/></property> + <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> net.sf.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER @@ -784,7 +847,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { Spring: AuthenticationProcessingFilterEntryPoint for commencing a form-based authentication, BasicProcessingFilterEntryPoint for commencing a - Http Basic authentication process, and + HTTP Basic authentication process, and CasProcessingFilterEntryPoint for commencing a Yale Central Authentication Service (CAS) login. The AuthenticationProcessingFilterEntryPoint and @@ -919,8 +982,21 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authorities that have been granted to the principal. The principal and its credentials are populated by the client code, whilst the granted authorities are populated by the - AuthenticationManager. The Acegi Security System - for Spring includes several concrete Authentication + AuthenticationManager. + + + + + + + + Figure 3: Key Authentication Architecture + + + + As shown in Figure 3, the Acegi Security System for Spring + includes several concrete Authentication implementations: @@ -1177,7 +1253,10 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { User will be used directly or subclassed, although special circumstances (such as object relational mappers) may require users to write their own UserDetails implementation - from scratch. + from scratch. UserDetails is often used to store + additional principal-related properties (such as their telephone + number and email address), so they can be easily used by web + views. Given AuthenticationDao is so simple to implement, it should be easy for users to retrieve authentication @@ -1626,7 +1705,21 @@ public boolean supports(Class clazz); AccessDecisionManager to control all aspects of authorization, the Acegi Security System for Spring includes several AccessDecisionManager implementations that are - based on voting. Using this approach, a series of + based on voting. Figure 4 illustrates the relevant classes. + + + + + + + + Figure 4: Voting Decision Manager + + + + Using this approach, a series of AccessDecisionVoter implementations are polled on an authorization decision. The AccessDecisionManager then decides whether or not @@ -1676,12 +1769,12 @@ public boolean supports(Class clazz); weighting, whilst a deny vote from a particular voter may have a veto effect. - There is one concrete AccessDecisionVoter - implementation provided with the Acegi Security System for Spring. The - RoleVoter class will vote if any ConfigAttribute - begins with ROLE_. It will vote to grant access if - there is a GrantedAuthority which returns a - String representation (via the + There are two concrete AccessDecisionVoter + implementations provided with the Acegi Security System for Spring. + The RoleVoter class will vote if any + ConfigAttribute begins with ROLE_. It will vote to + grant access if there is a GrantedAuthority which + returns a String representation (via the getAuthority() method) exactly equal to one or more ConfigAttributes starting with ROLE_. If there is no exact match of any @@ -1692,7 +1785,61 @@ public boolean supports(Class clazz); RoleVoter is case sensitive on comparisons as well as the ROLE_ prefix. - It is possible to implement a custom + BasicAclEntryVoter is the other concrete voter included with + Acegi Security. It integrates with Acegi Security's + AclManager (discussed later). This voter is + designed to have multiple instances in the same application context, + such as: + + <bean id="aclContactReadVoter" class="net.sf.acegisecurity.vote.BasicAclEntryVoter"> + <property name="processConfigAttribute"><value>ACL_CONTACT_READ</value></property> + <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + </list> + </property> +</bean> + +<bean id="aclContactDeleteVoter" class="net.sf.acegisecurity.vote.BasicAclEntryVoter"> + <property name="processConfigAttribute"><value>ACL_CONTACT_DELETE</value></property> + <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.DELETE"/> + </list> + </property> +</bean> + + In the above example, you'd define + ACL_CONTACT_READ or + ACL_CONTACT_DELETE against some methods on a + MethodSecurityInterceptor or + AspectJSecurityInterceptor. When those methods are + invoked, the above applicable voter defined above would vote to grant + or deny access. The voter would look at the method invocation to + locate the first argument of type + sample.contact.Contact, and then pass that + Contact to the AclManager. The + AclManager will then return an access control list + (ACL) that applies to the current Authentication. + Assuming that ACL contains one of the listed + requirePermissions, the voter will vote to grant + access. If the ACL does not contain one of the permissions defined + against the voter, the voter will vote to deny access. + BasicAclEntryVoter is an important class as it + allows you to build truly complex applications with domain object + security entirely defined in the application context. If you're + interested in learning more about Acegi Security's ACL capabilities + and how best to apply them, please see the ACL and "After Invocation" + sections of this reference guide, and the Contacts sample + application. + + It is also possible to implement a custom AccessDecisionVoter. Several examples are provided in the Acegi Security System for Spring unit tests, including ContactSecurityVoter and @@ -1713,23 +1860,39 @@ public boolean supports(Class clazz); - Authorization Tag Library + Authorization-Related Tag Libraries - The Acegi Security System for Spring comes bundled with a JSP - tag library that eases JSP writing. The tag library is known as - authz. + The Acegi Security System for Spring comes bundled with several + JSP tag libraries that eases JSP writing. The tag libraries are known + as authz and provide a range of different + services. - This library allows you to easy develop JSP pages which - reference the security environment. For example, - authz allows you to determine if a principal holds - a particular granted authority, holds a group of granted authorities, - or does not hold a given granted authority. + All taglib classes are included in the core + acegi-security-xx.jar file, with the + authz.tld located in the JAR's + META-INF directory. This means for JSP 1.2+ web + containers you can simply include the JAR in the WAR's + WEB-INF/lib directory and it will be available. If + you're using a JSP 1.1 container, you'll need to declare the JSP + taglib in your web.xml file, and include + authz.tld in the WEB-INF/lib + directory. The following fragment is added to + web.xml: + + <taglib> + <taglib-uri>http://acegisecurity.sf.net/authz</taglib-uri> + <taglib-location>/WEB-INF/authz.tld</taglib-location> +</taglib> - Usage + AuthorizeTag + + AuthorizeTag is used to include content if + the current principal holds certain + GrantedAuthoritys. The following JSP fragment illustrates how to use the - authz taglib: + AuthorizeTag: <authz:authorize ifAllGranted="ROLE_SUPERVISOR"> <td> @@ -1737,40 +1900,8 @@ public boolean supports(Class clazz); </td> </authz:authorize> - This code was copied from the Contacts sample - application. - - What this code says is: if the principal has been granted - ROLE_SUPERVISOR, allow the tag's body to be output. - - - - Installation - - Installation is a simple matter. Simply copy the - acegi-security-taglib.jar file into your - application's WEB-INF/lib folder. The tag library - includes it's TLD, which makes it easier to work with JSP 1.2+ - containers. - - If you are using a JSP 1.1 container, you will need to declare - the JSP tag library in your application's web.xml - file, with code such as this: - - <taglib> - <taglib-uri>http://acegisecurity.sf.net/authz</taglib-uri> - <taglib-location>/WEB-INF/authz.tld</taglib-location> -</taglib> - - For JSP 1.1 containers you will also need to extract the - authz.tld file from the - acegi-security-taglib.jar file and put it into - your application's WEB-INF/lib folder. Use a - regular Zip tool, or Java's JAR utility. - - - - Reference + This tag would cause the tag's body to be output if the + principal has been granted ROLE_SUPERVISOR. The authz:authorize tag declares the following attributes: @@ -1819,6 +1950,50 @@ public boolean supports(Class clazz); ifAllGranted, and finally, ifAnyGranted. + + + AuthenticationTag + + AuthenticationTag is used to simply output + the current principal to the web page. + + The following JSP fragment illustrates how to use the + AuthenticationTag: + + <authz:authentication operation="principal"/> + + This tag would cause the principal's name to be output. The + taglib properly supports the various types of principals that can + exist in the Authentication object, such as a + String or UserDetails + instance. + + The "operation" attribute must always be "principal". This may + be expanded in the future, such as obtaining other + Authentication-related properties such as email + address or telephone numbers. + + + + AclTag + + AclTag is used to include content if the + current principal has a ACL to the indicated domain object. + + The following JSP fragment illustrates how to use the + AclTag: + + <authz:acl domainObject="${contact}" hasPermission="16,1"> + <td><A HREF="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</A></td> +</authz:acl> + + This tag would cause the tag's body to be output if the + principal holds either permission 16 or permission 1 for the + "contact" domain object. The numbers are actually integers that are + used with AbstractBasicAclEntry bit masking. + Please refer tro the ACL section of this reference guide to + understand more about the ACL capabilities of Acegi Security. + @@ -1852,6 +2027,115 @@ public boolean supports(Class clazz); + + After Invocation Handling + + + Overview + + Whilst the AccessDecisionManager is called by + the AbstractSecurityInterceptor before proceeding + with the secure object invocation, some applications need a way of + modifying the object actually returned by the secure object + invocation. Whilst you could easily implement your own AOP concern to + achieve this, Acegi Security provides a convenient hook that has + several concrete implementations that integrate with its ACL + capabilities. + + Figure 4 illustrates Acegi Security's + AfterInvocationManager and its concrete + implementations. + + + + + + + + Figure 4: After Invocation Implementation + + + + Like many other parts of Acegi Security, + AfterInvocationManager has a single concrete + implementation, AfterInvocationProvider, which + polls a list of AfterInvocationProviders. Each + AfterInvocationProvider is allowed to modify the + return object or throw an AccessDeniedException. + Indeed multiple providers can modify the object, as the result of the + previous provider is passed to the next in the list. Let's now + consider our ACL-aware implementations of + AfterInvocationProvider. + + + + ACL-Aware AfterInvocationProviders + + A common services layer method we've all written at one stage or + another looks like this: + + public Contact getById(Integer id); + + Quite often, only principals with permission to read the + Contact should be allowed to obtain it. In this + situation the AccessDecisionManager approach + provided by the AbstractSecurityInterceptor will + not suffice. This is because the identity of the + Contact is all that is available before the secure + object is invoked. The + BasicAclAfterInvocationProvider delivers a + solution, and is configured as follows: + + <bean id="afterAclRead" class="net.sf.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationProvider"> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + </list> + </property> +</bean> + + In the above example, the Contact will be + retrieved and passed to the + BasicAclEntryAfterInvocationProvider. The provider + will thrown an AccessDeniedException if one of the + listed requirePermissions is not held by the + Authentication. The + BasicAclEntryAfterInvocationProvider queries the + AclManager to determine the ACL that applies for + this domain object to this Authentication. + + Similar to the + BasicAclEntryAfterInvocationProvider is + BasicAclEntryAfterInvocationCollectionFilteringProvider. + It is designed to remove Collection elements for + which a principal does not have access. It never thrown an + AccessDeniedException - simply silently removes the + offending elements. The provider is configured as follows: + + <bean id="afterAclCollectionRead" class="net.sf.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="net.sf.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + </list> + </property> +</bean> + + As you can imagine, the returned Object must + be a Collection for this provider to operate. It + will remove any element if the AclManager indicates + the Authentication does not hold one of the listed + requirePermissions. + + The Contacts sample application demonstrates these two + AfterInvocationProviders. + + + Run-As Authentication Replacement @@ -1875,7 +2159,11 @@ public boolean supports(Class clazz); secured invocation will be able to call other objects which require different authentication and authorization credentials. It will also be able to perform any internal security checks for specific - GrantedAuthority objects. + GrantedAuthority objects. Because Acegi Security + provides a number of helper classes that automatically configure + remoting protocols based on the contents of the + ContextHolder, these run-as replacements are + particularly useful when calling remote web services. @@ -1962,12 +2250,12 @@ public boolean supports(Class clazz); Authentication object. Developers are free to do this in whichever way they like, such as directly calling the relevant objects at runtime. However, several classes have been provided to - make this process transparent in many situations. + make this process transparent in many situations. We call these + classes "authentication mechanisms". - The net.sf.acegisecurity.ui package is - designed to make interfacing web application user interfaces with the - ContextHolder as simple as possible. There are two - major steps in doing this: + The net.sf.acegisecurity.ui package provides + authentication mechanisms for web applications. There are two major + steps in doing this: @@ -1985,18 +2273,19 @@ public boolean supports(Class clazz); There are several alternatives are available for the first step, - which will be briefly discussed in this chapter. The most popular - approach is HTTP Session Authentication, which uses the - HttpSession object and filters to authenticate the - user. Another approach is HTTP Basic Authentication, which allows - clients to use HTTP headers to present authentication information to - the Acegi Security System for Spring. Alternatively, you can also use - Yale Central Authentication Service (CAS) for enterprise-wide single - sign on. The final approach is via Container Adapters, which allow - supported web containers to perform the authentication themselves. - HTTP Session and Basic Authentication is discussed below, whilst CAS - and Container Adapters are discussed in separate sections of this - document. + which will be briefly discussed in this chapter. The most popular (and + almost always recommended) approach is HTTP Session Authentication, + which uses the HttpSession object and filters to + authenticate the user. Another approach (commonly use with web + services) is HTTP Basic Authentication, which allows clients to use + HTTP headers to present authentication information to the Acegi + Security System for Spring. Alternatively, you can also use Yale + Central Authentication Service (CAS) for enterprise-wide single sign + on. The final (generally unrecommended) approach is via Container + Adapters, which allow supported web containers to perform the + authentication themselves. HTTP Session and Basic Authentication is + discussed below, whilst CAS and Container Adapters are discussed in + separate sections of this document. @@ -2485,7 +2774,7 @@ $CATALINA_HOME/bin/startup.sh installation. There are two different ways of making spring context available - to the Jboss integration classes. + to the Jboss integration classes. The first approach is by editing your $JBOSS_HOME/server/your_config/conf/login-config.xml @@ -3412,9 +3701,6 @@ $CATALINA_HOME/bin/startup.sh Overview - THIS FEATURE WAS ADDED IN VERSION 0.6. WE WELCOME YOUR COMMENTS - AND IMPROVEMENTS. - Complex applications often will find the need to define access permissions not simply at a web request or method invocation level. Instead, security decisions need to comprise both who @@ -3497,9 +3783,22 @@ $CATALINA_HOME/bin/startup.sh The net.sf.acegisecurity.acl Package The net.sf.acegisecurity.acl package is very - simple, comprising only a handful of interfaces and a single class. It - provides the basic foundation for access control list (ACL) lookups. - The central interface is AclManager, which is + simple, comprising only a handful of interfaces and a single class, as + shown in Figure 5. It provides the basic foundation for access control + list (ACL) lookups. + + + + + + + + Figure 5: Access Control List Manager + + + + The central interface is AclManager, which is defined by two methods: public AclEntry[] getAcls(java.lang.Object domainInstance); @@ -3548,12 +3847,25 @@ public AclEntry[] getAcls(java.lang.Object domainInstance, Authentication authen Integer Masked ACLs Acegi Security System for Spring includes a production-quality - ACL provider implementation. The implementation is based on integer - masking, which is commonly used for ACL permissions given its - flexibility and speed. Anyone who has used Unix's - chmod command will know all about this type of - permission masking (eg chmod 777). You'll find the - classes and interfaces for the integer masking ACL package under + ACL provider implementation, which is shown in Figure 6. + + + + + + + + Figure 6: Basic ACL Manager + + + + The implementation is based on integer masking, which is + commonly used for ACL permissions given its flexibility and speed. + Anyone who has used Unix's chmod command will know + all about this type of permission masking (eg chmod + 777). You'll find the classes and interfaces for the integer + masking ACL package under net.sf.acegisecurity.acl.basic. Extending the AclEntry interface is a @@ -3620,9 +3932,12 @@ public java.lang.Object getRecipient(); Acegi Security includes a single BasicAclDao implementation called JdbcDaoImpl. As implied by - the name, it accesses ACL information from a JDBC database. The - default database schema and some sample data will aid in understanding - its function: + the name, JdbcDaoImpl accesses ACL information from + a JDBC database. There is also an extended version of this DAO, + JdbcExtendedDaoImpl, which provides CRUD operations + on the JDBC database, although we won't discuss these features here. + The default database schema and some sample data will aid in + understanding its function: CREATE TABLE acl_object_identity ( id IDENTITY NOT NULL,