Updated contacts sample info and added information on ACL database schema and using it with Postgres.

2025-09-08 20:51:41 +00:00 · 2009-05-06 14:34:27 +00:00 · 2009-05-06 14:34:27 +00:00 · 0d1ebfa85a
commit 0d1ebfa85a
parent c6dfee69d4
3 changed files with 295 additions and 345 deletions
--- a/src/docbkx/appendix-db-schema.xml
+++ b/src/docbkx/appendix-db-schema.xml
@ -1,27 +1,20 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <appendix version="5.0" xml:id="appendix-schema" xmlns="http://docbook.org/ns/docbook"
-  xmlns:xlink="http://www.w3.org/1999/xlink" 
+  xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
  xmlns:xi="http://www.w3.org/2001/XInclude">
  <info>
    <title>Security Database Schema</title>
  </info>
-  <para>
+  <para> There are various database schema used by the framework and this appendix provides a single
-    There are various database schema used by the framework and this appendix 
+    reference point to them all. You only need to provide the tables for the areas of functonality
-    provides a single reference point to them all. You only need to 
+    you require. </para>
-    provide the tables for the areas of functonality you require. 
+  <para> DDL statements are given for the HSQLDB database. You can use these as a guideline for
-  </para>
+    defining the schema for the database you are using. </para>
  <para>
    DDL statements are given for the HSQLDB database. You can use these as a guideline for defining the
    schema for the database you are using.
  </para>
  <section>
    <title>User Schema</title>
-    <para>
+    <para> The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename>
-      The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename> requires tables
+      requires tables to load the password, account status (enabled or disabled) and a list of
-      to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user.
+      authorities (roles) for the user.
-<programlisting xml:id="db_schema_users_authorities">
+      <programlisting xml:id="db_schema_users_authorities">
  create table users(
      username varchar_ignorecase(50) not null primary key,
      password varchar_ignorecase(50) not null,
@ -32,13 +25,10 @@
      authority varchar_ignorecase(50) not null,
      constraint fk_authorities_users foreign key(username) references users(username));
      create unique index ix_auth_username on authorities (username,authority);;
-</programlisting>      
+</programlisting></para>
    </para>
    <section>
      <title>Group Authorities</title>
-      <para>
+      <para> Spring Security 2.0 introduced support for group authorities
        Spring Security 2.0 introduced support for group authorities
        <programlisting xml:id="db-schema-groups">
 create table groups (
  id bigint generated by default as identity(start with 0) primary key, 
@ -54,33 +44,56 @@ create table group_members (
  username varchar(50) not null, 
  group_id bigint not null, 
  constraint fk_group_members_group foreign key(group_id) references groups(id));
-        </programlisting>
+        </programlisting></para>
      </para>
    </section>
  </section>
  <section>
    <title>Persistent Login (Remember-Me) Schema</title>
-    <para>
+    <para> This table is used to store data used by the more secure <link
-      This table is used to store data used by the more secure
+        xlink:href="#remember-me-persistent-token">persistent token</link> remember-me
-      <link xlink:href="#remember-me-persistent-token">persistent token</link> remember-me implementation.
+      implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
-      If you are using <classname>JdbcTokenRepositoryImpl</classname> either directly or through the namespace,
+      directly or through the namespace, then you will need this table.
-      then you will need this table.
+      <programlisting xml:id="db-schema-remeber-me">
 <programlisting xml:id="db-schema-remeber-me">
 create table persistent_logins (
  username varchar(64) not null, 
  series varchar(64) primary key,
  token varchar(64) not null, 
  last_used timestamp not null);
-</programlisting>      
+</programlisting></para>
    </para>
  </section>
-
+  <section xml:id="dbschema-acl">
  <section>
    <title>ACL Schema</title>
-    <para>
+    <para>There are four tables used by the Spring Security <link xlink:href="#domain-acls"
-      The tables used by the Spring Security <link xlink:href="#domain-acls">ACL</link> implementation.
+        >ACL</link> implementation. <orderedlist>
-<programlisting xml:id="dbschema-acl"> 
+        <listitem>
          <para><literal>acl_sid</literal> stores the security identities recognised by the ACL
            system. These can be unique principals or authorities which may apply to multiple
            principals.</para>
        </listitem>
        <listitem>
          <para><literal>acl_class</literal> defines the domain object types to which ACLs apply.
            The <literal>class</literal> column stores the Java class name of the object. </para>
        </listitem>
        <listitem>
          <para><literal>acl_object_identity</literal> stores the object identity definitions of
            specific domai objects.</para>
        </listitem>
        <listitem>
          <para><literal>acl_entry</literal> stores the ACL permissions which apply to a specific
            object identity and security identity.</para>
        </listitem>
      </orderedlist></para>
    <para>It is assumed that the database will auto-generate the primary keys for each of the
      identities. The <literal>JdbcMutableAclService</literal> has to be able to retrieve these when
      it has created a new row in the <literal>acl_sid</literal> or <literal>acl_class</literal>
      tables. It has two properties which define the SQL needed to retrieve these values
        <literal>classIdentityQuery</literal> and <literal>sidIdentityQuery</literal>. Both of these
      default to <literal>call identity()</literal></para>
    <section>
      <title>Hypersonic SQL</title>
      <para>The default schema works with the embedded HSQLDB database that is used in unit tests
        within the
        framework.<programlisting xml:id="dbschema-acl-hsql"> 
 create table acl_sid (
  id bigint generated by default as identity(start with 100) not null primary key,
  principal boolean not null,
@ -112,12 +125,60 @@ create table acl_entry (
  constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id), 
  constraint foreign_fk_5 foreign key(sid) references acl_sid(id) );
 </programlisting></para>
      <section>
        <title>PostgreSQL</title>
        <para>
          <programlisting>create table acl_sid(
  id bigserial not null primary key,
  principal boolean not null,
  sid varchar(100) not null,
  constraint unique_uk_1 unique(sid,principal));
 create table acl_class(
  id bigserial not null primary key,
  class varchar(100) not null,
  constraint unique_uk_2 unique(class));
 create table acl_object_identity(
  id bigserial primary key,
  object_id_class bigint not null,
  object_id_identity bigint not null,
  parent_object bigint,
  owner_sid bigint,
  entries_inheriting boolean not null,
  constraint unique_uk_3 unique(object_id_class,object_id_identity),
  constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
  constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
  constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id));
 create table acl_entry(
  id bigserial primary key,
  acl_object_identity bigint not null,
  ace_order int not null,
  sid bigint not null,
  mask integer not null,
  granting boolean not null,
  audit_success boolean not null,
  audit_failure boolean not null,
  constraint unique_uk_4 unique(acl_object_identity,ace_order),
  constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
  constraint foreign_fk_5 foreign key(sid) references acl_sid(id));
 </programlisting>
        </para>
        <para>You will have to set the <literal>classIdentityQuery</literal> and
            <literal>sidIdentityQuery</literal> properties of
            <classname>JdbcMutableAclService</classname> to the following values, respectively: <itemizedlist>
            <listitem>
              <para><literal>select currval(pg_get_serial_sequence('acl_class',
                'id'))</literal></para>
            </listitem>
            <listitem>
              <para><literal>select currval(pg_get_serial_sequence('acl_sid',
                'id'))</literal></para>
            </listitem>
          </itemizedlist></para>
      </section>
    </section>
  </section>
 </appendix>
--- a/src/docbkx/samples.xml
+++ b/src/docbkx/samples.xml
@ -1,69 +1,49 @@
-<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="sample-apps">
+<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink"
-    
+    version="5.0" xml:id="sample-apps">
-<info>
+    <info>
        <title xml:id="samples">Sample Applications</title>
-</info>
+    </info>
-    <para>
+    <para> There are several sample web applications that are available with the project. To avoid
-        There are several sample web applications that are available with the
+        an overly large download, only the "tutorial" and "contacts" samples are included in the
-        project. To avoid an overly large download, only the "tutorial"
+        distribution zip file. You can either build the others yourself, or you can obtain the war
-        and "contacts" samples are included in the distribution zip file. You can 
+        files individually from the central Maven repository. We'd recommend the former. You can get
-        either build the others yourself, or you can obtain the war files 
+        the source as described in <link xlink:href="#get-source">the introduction</link> and it's
-        individually from the central Maven repository. We'd recommend the former.
+        easy to build the project using Maven. There is more information on the project web site at
        You can get the source as described in <link xlink:href="#get-source">the introduction</link>
        and it's easy to build the project using Maven. There is more information
        on the project web site at 
            <link xlink:href="http://www.springframework.org/spring-security/">
-            http://www.springframework.org/spring-security/
+            http://www.springframework.org/spring-security/ </link> if you need it. All paths
-        </link> if you need it.
+        referred to in this chapter are relative to the source directory, once you have checked it
-        All paths referred to in this chapter are relative to the source directory, once
+        out from subversion. </para>
        you have checked it out from subversion.
    </para>
    <section xml:id="tutorial-sample">
        <title>Tutorial Sample</title>
-    
+        <para> The tutorial sample is a nice basic example to get you started. It uses simple
-    <para> The tutorial sample is a nice basic example to get you started. It uses
+            namespace configuration throughout. The compiled application is included in the
        simple namespace configuration throughout. The compiled application is included in the 
            distribution zip file, ready to be deployed into your web container
-        (<filename>spring-security-samples-tutorial-2.0.x.war</filename>). 
+                (<filename>spring-security-samples-tutorial-3.0.x.war</filename>). The <link
-        The <link xlink:href="#form">form-based</link> 
+                xlink:href="#form">form-based</link> authentication mechanism is used in combination
-        authentication mechanism is used in combination with the commonly-used 
+            with the commonly-used <link xlink:href="#remember-me">remember-me</link> authentication
-        <link xlink:href="#remember-me">remember-me</link>
+            provider to automatically remember the login using cookies.</para>
-        authentication provider to automatically remember the login using
+        <para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
-        cookies.</para>
+            follow. Most importantly, you can easily add this one XML file (and its corresponding
-    
+                <literal>web.xml</literal> entries) to your existing application. Only when this
-    <para>We recommend you start with the tutorial sample, as the XML is
+            basic integration is achieved do we suggest you attempt adding in method authorization
-        minimal and easy to follow. Most importantly, you can easily add 
+            or domain object security.</para>
        this one XML file (and its corresponding <literal>web.xml</literal> entries) to your existing
        application. Only when this basic integration is achieved do we
        suggest you attempt adding in method authorization or domain object
        security.</para>
    </section>
    <section xml:id="contacts-sample">
        <title>Contacts</title>
-    
+        <para> The Contacts Sample is an advanced example in that it illustrates the more powerful
-    <para>
+            features of domain object access control lists (ACLs) in addition to basic application
-        The Contacts Sample is quite an advanced example in that it 
+            security. The application provides an interface with which the users are able to
-        illustrates the more powerful features of domain object access control lists
+            administer a simple database of contacts (the domain objects).</para>
-        in addition to basic application security.
+        <para>To deploy, simply copy the WAR file from Spring Security distribution into your
-    </para>
+            container’s <literal>webapps</literal> directory. The war should be called
-    
+                <filename>spring-security-samples-contacts-3.0.x.war</filename> (the appended
-    <para>To deploy, simply copy the WAR file from Spring
+            version number will vary depending on what release you are using). </para>
-        Security distribution into your container’s <literal>webapps</literal>
+        <para>After starting your container, check the application can load. Visit
-        directory. The war should be called <filename>spring-security-samples-contacts-2.0.0.war</filename>
+                <literal>http://localhost:8080/contacts</literal> (or whichever URL is appropriate
-        (the appended version number will vary depending on what release you are using).
+            for your web container and the WAR you deployed). </para>
-    </para>
+        <para>Next, click "Debug". You will be prompted to authenticate, and a series of usernames
-    
+            and passwords are suggested on that page. Simply authenticate with any of these and view
-    <para>After starting your container, check the application can load.
+            the resulting page. It should contain a success message similar to the following:
        Visit
        <literal>http://localhost:8080/contacts</literal>
        (or whichever URL is appropriate for your web container and the WAR
        you deployed). </para>
    <para>Next, click "Debug". You will be prompted to authenticate, and a
        series of usernames and passwords are suggested on that page. Simply
        authenticate with any of these and view the resulting page. It should
        contain a success message similar to the following:
            <literallayout>
        Authentication object is of type: org.springframework.security.providers.UsernamePasswordAuthenticationToken
@ -83,21 +63,17 @@
        ROLE_USER (getAuthority(): ROLE_USER)
        SUCCESS! Your web filters appear to be properly configured!        
-    </literallayout>
+    </literallayout></para>
-    </para>
+        <para>Once you successfully receive the above message, return to the sample application's
-    
+            home page and click "Manage". You can then try out the application. Notice that only the
-    <para>Once you successfully receive the above message, return to the
+            contacts available to the currently logged on user are displayed, and only users with
-        sample application's home page and click "Manage". You can then try
+                <literal>ROLE_SUPERVISOR</literal> are granted access to delete their contacts.
-        out the application. Notice that only the contacts available to the
+            Behind the scenes, the <classname>MethodSecurityInterceptor</classname> is securing the
-        currently logged on user are displayed, and only users with
+            business objects. </para>
-        <literal>ROLE_SUPERVISOR</literal> are granted access to delete their
+        <para>The application allows you to modify the access control lists associated with
-        contacts. Behind the scenes, the
+            different contacts. Be sure to give this a try and understand how it works by reviewing
-        <classname>MethodSecurityInterceptor</classname> is securing the business
+            the application context XML files.</para>
-        objects. </para>
+        <!--
         <para>The application allows you to modify the access control lists associated
        with different contacts. Be sure to give this a try and understand how
        it works by reviewing the application context XML files.</para>
 <!--
    TODO: Reintroduce standalone client example.
    <para>The Contacts sample application also includes a
        <literal>client</literal> directory. Inside you will find a small
@ -111,39 +87,31 @@
        <literal>client.properties</literal> to use a different target
        URL.</para>
 -->
    </section>
    <section xml:id="ldap-sample">
        <title>LDAP Sample</title>
-        <para>
+        <para> The LDAP sample application provides a basic configuration and sets up both a
-            The LDAP sample application provides a basic configuration and sets up both a namespace configuration
+            namespace configuration and an equivalent configuration using traditional beans, both in
-            and an equivalent configuration using traditional beans, both in the same application context file.
+            the same application context file. This means there are actually two identical
-            This means there are actually two identical authentication providers configured in this application.
+            authentication providers configured in this application. </para>
        </para>
    </section>
    <section xml:id="cas-sample">
        <title>CAS Sample</title>
-        <para>
+        <para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
-            The CAS sample requires that you run both a CAS server and CAS client. It isn't included in the distribution so you should check out
+            included in the distribution so you should check out the project code as described in
-            the project code as described in <link xlink:href="get-source">the introduction</link>. You'll find the relevant files under the 
+                <link xlink:href="get-source">the introduction</link>. You'll find the relevant
-            <filename>sample/cas</filename> directory. There's also a <filename>Readme.txt</filename> file in there which explains how to run
+            files under the <filename>sample/cas</filename> directory. There's also a
-            both the server and the client directly from the source tree, complete with SSL support. You have to download the CAS Server web application 
+                <filename>Readme.txt</filename> file in there which explains how to run both the
-            (a war file) from the CAS site and drop it into the <filename>samples/cas/server</filename> directory.
+            server and the client directly from the source tree, complete with SSL support. You have
-        </para>
+            to download the CAS Server web application (a war file) from the CAS site and drop it
            into the <filename>samples/cas/server</filename> directory. </para>
    </section>
    <section xml:id="preauth-sample">
        <title>Pre-Authentication Sample</title>
-        <para>
+        <para> This sample application demonstrates how to wire up beans from the <link
-            This sample application demonstrates how to wire up beans from the <link xlink:href="#preauth">pre-authentication</link> 
+                xlink:href="#preauth">pre-authentication</link> framework to make use of login
-            framework to make use of login information from a J2EE container. The user name and roles are those setup by the container.
+            information from a J2EE container. The user name and roles are those setup by the
-        </para>
+            container. </para>
-        <para>
+        <para> The code is in <filename>samples/preauth</filename> . </para>
            The code is in <filename>samples/preauth</filename> .
        </para>
    </section>
 </chapter>
--- a/src/docbkx/springsecurity.xml
+++ b/src/docbkx/springsecurity.xml
@ -1,229 +1,150 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <book version="5.0" xml:id="spring-security-reference-guide" xmlns="http://docbook.org/ns/docbook"
-    xmlns:xlink="http://www.w3.org/1999/xlink" 
+  xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
-    xmlns:xi="http://www.w3.org/2001/XInclude">
+  <info><title>Spring Security</title><subtitle>Reference Documentation</subtitle><author>
    <info>
        <title>Spring Security</title>
        <subtitle>Reference Documentation</subtitle>
        <author>
      <personname>Ben Alex, Luke Taylor</personname>
    </author>
    <releaseinfo>2.0.x</releaseinfo>
  </info>
  <toc/>
  <preface xml:id="preface">
    <title>Preface</title>
-
+    <para>Spring Security provides a comprehensive security solution for J2EE-based enterprise
-    <para>Spring Security provides a comprehensive security solution for
+      software applications. As you will discover as you venture through this reference guide, we
-    J2EE-based enterprise software applications. As you will discover as you
+      have tried to provide you a useful and highly configurable security system.</para>
-    venture through this reference guide, we have tried to provide you a
+    <para>Security is an ever-moving target, and it's important to pursue a comprehensive,
-    useful and highly configurable security system.</para>
+      system-wide approach. In security circles we encourage you to adopt "layers of security", so
-
+      that each layer tries to be as secure as possible in its own right, with successive layers
-    <para>Security is an ever-moving target, and it's important to pursue a
+      providing additional security. The "tighter" the security of each layer, the more robust and
-    comprehensive, system-wide approach. In security circles we encourage you
+      safe your application will be. At the bottom level you'll need to deal with issues such as
-    to adopt "layers of security", so that each layer tries to be as secure as
+      transport security and system identification, in order to mitigate man-in-the-middle attacks.
-    possible in its own right, with successive layers providing additional
+      Next you'll generally utilise firewalls, perhaps with VPNs or IP security to ensure only
-    security. The "tighter" the security of each layer, the more robust and
+      authorised systems can attempt to connect. In corporate environments you may deploy a DMZ to
-    safe your application will be. At the bottom level you'll need to deal
+      separate public-facing servers from backend database and application servers. Your operating
-    with issues such as transport security and system identification, in order
+      system will also play a critical part, addressing issues such as running processes as
-    to mitigate man-in-the-middle attacks. Next you'll generally utilise
+      non-privileged users and maximising file system security. An operating system will usually
-    firewalls, perhaps with VPNs or IP security to ensure only authorised
+      also be configured with its own firewall. Hopefully somewhere along the way you'll be trying
-    systems can attempt to connect. In corporate environments you may deploy a
+      to prevent denial of service and brute force attacks against the system. An intrusion
-    DMZ to separate public-facing servers from backend database and
+      detection system will also be especially useful for monitoring and responding to attacks, with
-    application servers. Your operating system will also play a critical part,
+      such systems able to take protective action such as blocking offending TCP/IP addresses in
-    addressing issues such as running processes as non-privileged users and
+      real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured
-    maximising file system security. An operating system will usually also be
+      to minimize the permissions granted to different Java types, and then your application will
-    configured with its own firewall. Hopefully somewhere along the way you'll
+      add its own problem domain-specific security configuration. Spring Security makes this latter
-    be trying to prevent denial of service and brute force attacks against the
+      area - application security - much easier. </para>
-    system. An intrusion detection system will also be especially useful for
+    <para>Of course, you will need to properly address all security layers mentioned above, together
-    monitoring and responding to attacks, with such systems able to take
+      with managerial factors that encompass every layer. A non-exhaustive list of such managerial
-    protective action such as blocking offending TCP/IP addresses in
+      factors would include security bulletin monitoring, patching, personnel vetting, audits,
-    real-time. Moving to the higher layers, your Java Virtual Machine will
+      change control, engineering management systems, data backup, disaster recovery, performance
-    hopefully be configured to minimize the permissions granted to different
+      benchmarking, load monitoring, centralised logging, incident response procedures etc.</para>
-    Java types, and then your application will add its own problem
+    <para>With Spring Security being focused on helping you with the enterprise application security
-    domain-specific security configuration. Spring Security makes this latter
+      layer, you will find that there are as many different requirements as there are business
-    area - application security - much easier. 
+      problem domains. A banking application has different needs from an ecommerce application. An
-    </para>
+      ecommerce application has different needs from a corporate sales force automation tool. These
-
+      custom requirements make application security interesting, challenging and rewarding. </para>
-    <para>Of course, you will need to properly address all security layers
+    <para>Please read <xref linkend="getting-started"/>, in its entirety to begin with. This will
-    mentioned above, together with managerial factors that encompass every
+      introduce you to the framework and the namespace-based configuration system with which you can
-    layer. A non-exhaustive list of such managerial factors would include
+      get up and running quite quickly. To get more of an understanding of an in-depth understaning
-    security bulletin monitoring, patching, personnel vetting, audits, change
+      of how Spring Security works, and some of the classes you might need to use, you should then
-    control, engineering management systems, data backup, disaster recovery,
+      read <xref linkend="overall-architecture"/>. The remaining parts of this guide are structured
-    performance benchmarking, load monitoring, centralised logging, incident
+      in a more traditional reference style, designed to be read on an as-required basis. We'd also
-    response procedures etc.</para>
+      recommend that you read up as much as possible on application security issues in general.
-
+      Spring Security is not a panacea which will solve all security issues. It is important that
-    <para>With Spring Security being focused on helping you with the
+      the application is designed with security in mind from the start. Attempting to retrofit it is
-    enterprise application security layer, you will find that there are as
+      not a good idea. In particular, if you are building a web application, you should be aware of
-    many different requirements as there are business problem domains. A
+      the many potential vulnerabilities such as cross-site scripting, request-forgery and
-    banking application has different needs from an ecommerce application. An
+      session-hijacking which you should be taking into account from the start. The OWASP web site
-    ecommerce application has different needs from a corporate sales force
+      (http://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as
-    automation tool. These custom requirements make application security
+      a lot of useful reference information. </para>
-    interesting, challenging and rewarding.
+    <para>We hope that you find this reference guide useful, and we welcome your feedback and <link
-    </para>
+        xlink:href="#jira">suggestions</link>. </para>
-
+    <para>Finally, welcome to the Spring Security <link xlink:href="#community">community</link>.
    <para>Please read <xref linkend="getting-started"/>, in
    its entirety to begin with. This will introduce you to the framework and the namespace-based
    configuration system with which you can get up and running quite quickly. To get more of an understanding
    of an in-depth understaning of how Spring Security works, and some of the classes you might
    need to use, you should then read <xref linkend="overall-architecture"/>.
    The remaining parts of this guide are structured in a more traditional reference style, 
    designed to be read on an as-required basis. We'd also recommend that you read up as much as 
    possible on application security issues in general. Spring Security is not a panacea which will
    solve all security issues. It is important that the application is designed with security in 
    mind from the start. Attempting to retrofit it is not a good idea. 
    In particular, if you are building a web application, you should be aware of the many potential
    vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should
    be taking into account from the start. The OWASP web site (http://www.owasp.org/) maintains a
    top ten list of web application vulnerabilities as well as a lot of useful reference information.
    </para>
    <para>We hope that you find this reference guide useful, and we welcome
      your feedback and <link xlink:href="#jira">suggestions</link>.
    </para>
    <para>Finally, welcome to the Spring Security <link xlink:href="#community" >community</link>.
    </para>
  </preface>
  <part xml:id="getting-started">
    <title>Getting Started</title>
    <partintro>
-    <para>The later parts of this guide provide an in-depth discussion of the
+      <para>The later parts of this guide provide an in-depth discussion of the framework
-      framework architecture and implementation classes, an understanding of which is important
+        architecture and implementation classes, an understanding of which is important if you need
-      if you need to do any serious customization. In this part, we'll introduce Spring Security 2.0,
+        to do any serious customization. In this part, we'll introduce Spring Security 2.0, give a
-      give a brief overview of the project's history and take a slightly
+        brief overview of the project's history and take a slightly gentler look at how to get
-      gentler look at how to get started using the framework.
+        started using the framework. In particular, we'll look at namespace configuration which
-      In particular, we'll look at namespace configuration which provides a much simpler way of securing
+        provides a much simpler way of securing your application compared to the traditional Spring
-      your application compared to the traditional Spring bean approach where you had to wire up all the 
+        bean approach where you had to wire up all the implementation classes individually. </para>
-      implementation classes individually.
+      <para> We'll also take a look at the sample applications that are available. It's worth trying
-    </para>
+        to run these and experimenting with them a bit even before you read the later sections - you
-    <para>
+        can dip back into them as your understanding of the framework increases. </para>
      We'll also take a look at the sample applications that are available. It's worth trying to run
      these and experimenting with them a bit even before you read the later sections - you can dip back into them
      as your understanding of the framework increases.
    </para>
    </partintro>
-    
+    <xi:include href="introduction.xml"/>
-    <xi:include href="introduction.xml" />    
+    <xi:include href="namespace-config.xml"/>
    <xi:include href="namespace-config.xml" />
    <xi:include href="samples.xml"/>
    <xi:include href="community.xml"/>
  </part>
  <part xml:id="overall-architecture">
    <title>Overall Architecture</title>
    <partintro>
-      <para>Like most software, Spring Security has certain central
+      <para>Like most software, Spring Security has certain central interfaces, classes and
-      interfaces, classes and conceptual abstractions that are commonly used
+        conceptual abstractions that are commonly used throughout the framework. In this part of the
-      throughout the framework. In this part of the reference guide we will
+        reference guide we will introduce Spring Security, before examining these central elements
-      introduce Spring Security, before examining these central elements that
+        that are necessary to successfully planning and executing a Spring Security
      are necessary to successfully planning and executing a Spring Security
        integration.</para>
    </partintro>
-    
+    <xi:include href="technical-overview.xml"/>
-    <xi:include href="technical-overview.xml" />
+    <xi:include href="supporting-infrastructure.xml"/>
-
+    <xi:include href="channel-security.xml"/>
    <xi:include href="supporting-infrastructure.xml" />
    <xi:include href="channel-security.xml" />
  </part>
  <part xml:id="authentication">
    <title>Authentication</title>
    <partintro>
-      <para>We've already introduced Spring Security's authentication architecture
+      <para>We've already introduced Spring Security's authentication architecture in the <link
-        in the <link xlink:href="#technical-overview">Technical Overview</link> chapter.
+          xlink:href="#technical-overview">Technical Overview</link> chapter. In this part of the
-        In this part of the reference guide we will examine individual
+        reference guide we will examine individual authentication mechanisms and their corresponding
-      authentication mechanisms and their corresponding
+          <classname>AuthenticationProvider</classname>s. We'll also look at how to configure
-      <classname>AuthenticationProvider</classname>s. We'll also look at how to
+        authentication more generally, including if you have several authentication approaches that
-      configure authentication more generally, including if you have several
+        need to be chained together.</para>
-      authentication approaches that need to be chained together.</para>
+      <para> With some exceptions, we will be discussing the full details of Spring Security bean
-      <para>
+        configuration rather than the shorthand <link xlink:href="#ns-config">namespace
-        With some exceptions, we will be discussing the full details of Spring Security
+          syntax</link>. You should review the introduction to using namespace configuration and the
-        bean configuration rather than the shorthand
+        options it provides to see if they will meet your needs. As you come to use the framework
-        <link xlink:href="#ns-config">namespace syntax</link>. You should review
+        more, and need to customize the internal behaviour, you will probably want to understand
-        the introduction to using namespace configuration and the options it provides
+        more about how the individual services are implemented, which classes to look at extending
-        to see if they will meet your needs. As you come to use the framework more,
+        and so on. This part is more targeted at providing this kind of information. We'd recommend
-        and need to customize the internal behaviour, you will probably want to understand
+        that you supplement the content by browsing the Javadoc and the source itself <footnote>
-        more about how the individual services are implemented, which classes to look at
+          <para>Links to both Javadoc APIs and browsable source cross-reference are available from
-        extending and so on. This part is more targeted at providing this kind of information.
+            the project web site.</para>
-        We'd recommend that you supplement the content by browsing the Javadoc and the source
+        </footnote>. </para>
        itself <footnote><para>Links to both Javadoc APIs and browsable source cross-reference
        are available from the project web site.</para></footnote>.
      </para>
    </partintro>
-
+    <xi:include href="common-auth-services.xml"/>
-    <xi:include href="common-auth-services.xml" />
+    <xi:include href="dao-auth-provider.xml"/>
    <xi:include href="dao-auth-provider.xml" />    
    <xi:include href="ldap-auth-provider.xml"/>
-    
+    <xi:include href="form-authentication.xml"/>
-    <xi:include href="form-authentication.xml" />
+    <xi:include href="basic-authentication.xml"/>
-    
+    <xi:include href="digest-authentication.xml"/>
-    <xi:include href="basic-authentication.xml" />
+    <xi:include href="remember-me-authentication.xml"/>
-    
+    <xi:include href="jaas-auth-provider.xml"/>
-    <xi:include href="digest-authentication.xml" />
+    <xi:include href="preauth.xml"/>
-    
+    <xi:include href="anon-auth-provider.xml"/>
    <xi:include href="remember-me-authentication.xml" />
    <xi:include href="jaas-auth-provider.xml" />
    <xi:include href="preauth.xml" />    
    <xi:include href="anon-auth-provider.xml" />    
    <xi:include href="x509-auth-provider.xml"/>
    <xi:include href="cas-auth-provider.xml"/>
-
+    <xi:include href="runas-auth-provider.xml"/>
    <xi:include href="runas-auth-provider.xml" />
  </part>
  <part xml:id="authorization">
    <title>Authorization</title>
    <partintro>
-      <para>The advanced authorization capabilities within Spring Security
+      <para>The advanced authorization capabilities within Spring Security represent one of the most
-      represent one of the most compelling reasons for its popularity.
+        compelling reasons for its popularity. Irrespective of how you choose to authenticate -
-      Irrespective of how you choose to authenticate - whether using a Spring
+        whether using a Spring Security-provided mechanism and provider, or integrating with a
-      Security-provided mechanism and provider, or integrating with a
+        container or other non-Spring Security authentication authority - you will find the
-      container or other non-Spring Security authentication authority - you
+        authorization services can be used within your application in a consistent and simple
-      will find the authorization services can be used within your application
+        way.</para>
      in a consistent and simple way.</para>
      <para>In this part we'll explore the different
-      <classname>AbstractSecurityInterceptor</classname> implementations, which
+          <classname>AbstractSecurityInterceptor</classname> implementations, which were introduced
-      were introduced in Part I. We then move on to explore how to fine-tune
+        in Part I. We then move on to explore how to fine-tune authorization through use of domain
-      authorization through use of domain access control lists.</para>
+        access control lists.</para>
    </partintro>
    <xi:include href="authorization-common.xml"/>
    <xi:include href="secured-objects.xml"/>
    <xi:include href="domain-acls.xml"/>
  </part>
  <xi:include href="appendix-db-schema.xml"/>
  <xi:include href="appendix-namespace.xml"/>
 </book>