Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Various changes to support 1.0.0 release.

This commit is contained in:
Ben Alex 2006-05-29 10:57:47 +00:00
parent 120124f79e
commit 318bd88968
4 changed files with 61 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
doc/xdocs/building.html
View File

@ -116,48 +116,5 @@
<pre>maven clover:html-report -Dmaven.jar.override=on -Dmaven.jar.clover-ant=1.3.3_01</pre>
</ol>
<h2>CVS-over-SSH Workarounds</h2>
<p>Another possible problem is related to CVS-over-SSH ("ext" in CVSROOT) appearing to freeze.
The following instructions assume you're an Acegi Security developer who has CVS access
to the project, as if you're not then you shouldn't be trying to use CVS-over-SSH.
The instructions above all relate to goals which use the default, anonymous
pserver CVS repository.</p>
<p>If you really need authenticated SSH-based access, first check your
<code>$ACEGI_SECURITY/build.properties</code> contains a
<code>maven.username</code> equal to your SourceForge username. If your Maven CVS
or SSH commands still don't work, test you have automatic CVS-over-SSH access operational
by executing the following command:</p>
<ol>
<pre>cvs -d :ext:YOUR_SOURCEFORGE_USERNAME@cvs.sourceforge.net:/cvsroot/acegisecurity</pre>
</ol>
<p>If this CVS command executes without requiring any interaction such as password
entry, you're ready to proceed. If it fails (or requires a password entry), you
probably need to review your CVS setup. This varies depending on your CVS client.</p>
<p>One Windows-based command line CVS-over-SSH-with-auto-login setup that
works very well is to install
<a href="http://www.cvsnt.com/">CVSNT</a> (which has a CVS client console utility)
and
<a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY</a> (download
<code>putty.zip</code>) together, and use
PuTTY's Pageant to automatically authenticate. A resource that describes in detail
how to configure WinCVS (which internally uses CVSNT's command line client) with PuTTY
(including automatic SSH authentication) is
<a href="http://sourceforge.net/docman/display_doc.php?docid=766&group_id=1">SourceForge's instructions</a>.
One issue with the SourceForge instructions is they forget to mention how to
tell the CVS command-line client to use <code>plink.exe</code>, which is PuTTY's SSH command-line
version. The solution is to execute
<code>set CVS_RSH=C:\Program Files\putty\plink.exe</code>
(or whatever path is appropriate to plink) before running the CVS command line.
In fairness, the SourceForge instructions target the Windows front-end to CVS, whilst
we need the command-line version to work.</p>
<p>It is worth noting that as the Maven project uses the anonymous pserver
repository for most operations, these setup instructions really only apply if
doing something like deploying the site over SSH etc.</p>
</body>
</html>

92
doc/xdocs/index.html
View File

@ -9,10 +9,13 @@
<CENTER><B>
<HR>
<CENTER>Mission Statement</CENTER></B>
<CENTER>What is Acegi Security?</CENTER></B>
<HR>
<BR>To provide comprehensive security services for <A
href="http://www.springframework.org/"><I>The Spring Framework</I></A>.
<BR>Acegi Security is a powerful, flexible security solution for enterprise software,
with a particular emphasis on applications that use
<A href="http://www.springframework.org/">Spring</A>. Using Acegi Security provides your
applications with comprehensive authentication, authorization, instance-based access control,
channel security and human user detection capabilities.
</CENTER><BR><B>
<HR>
@ -20,16 +23,24 @@
<HR>
<BR>
<UL>
<LI><B>It is ready NOW.</B> As explained in the reference guide, the API
is now quite stable. We also use the <A
<LI><B>Stable and mature.</B> Acegi Security 1.0.0 was released in May 2006 after
more than two and a half years of use in large production software projects, 70,000+ downloads
and hundreds of community contributions.
In terms of release numbering, we also use the <A
href="http://apr.apache.org/versioning.html">Apache APR Project
Versioning Guidelines</A> so you can identify backward
Versioning Guidelines</A> so that you can easily identify release
compatibility.<BR><BR>
<LI><B>Well documented:</B> All APIs are fully documented using
<a href="http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/index.html">JavaDoc</a>,
with almost 100 pages of
<a href="reference.html">Reference Guide</a> documentation providing an easy-to-follow
introduction. Even more documentation is provided on this web site, as
shown in the left hand navigation sidebar.<BR><BR>
<LI><B>Fast results:</B> View our <a href="suggested.html">suggested steps</a>
for the fastest way to develop complex, security-compliant applications.<BR><BR>
<LI><B>Enterprise-wide single sign on:</B> Using JA-SIG's open
source <A href="http://www.ja-sig.org/products/cas/">Central Authentication
Service</A> (CAS), the Acegi Security System for Spring can participate
Service</A> (CAS), the Acegi Security can participate
in an enterprise-wide single sign on environment. You no longer need
every web application to have its own authentication database. Nor are
you restricted to single sign on across a single web container. Advanced
@ -61,7 +72,7 @@
objects.<BR><BR>
<LI><B>After invocation security:</B> Acegi Security can not only protect
methods from being invoked in the first place, but it can also
deal with the Objects returned from the methods. Included implementations
deal with the objects returned from the methods. Included implementations
of after invocation security can throw an exception or mutate the returned
object based on ACLs.<BR><BR>
<LI><B>Secures your HTTP requests as well:</B> In addition to securing
@ -70,13 +81,14 @@
HTTP requests can now be secured by your choice of regular expressions
or Apache Ant paths, along with pluggable authentication, authorization
and run-as replacement managers.<BR><BR>
<LI><B>Channel security:</B> The Acegi Security System for Spring can
<LI><B>Channel security:</B> Acegi Security can
automatically redirect requests across an appropriate transport channel.
Whilst flexible enough to support any of your "channel" requirements (eg
the remote user is a human, not a robot), a common channel security
feature is to ensure your secure pages will only be available over
HTTPS, and your public pages only over HTTP. Acegi Security also
supports unusual port combinations and pluggable transport decision
supports unusual port combinations (including if accessed via an
intermediate server like Apache) and pluggable transport decision
managers.<BR><BR>
<LI><B>Supports HTTP BASIC authentication:</B> Perfect for remoting
protocols or those web applications that prefer a simple browser pop-up
@ -87,18 +99,29 @@
(which never sends the user's password across the wire). Digest Authentication
is widely supported by modern browsers. Acegi Security's implementation complies
with both RFC 2617 and RFC 2069.<BR><BR>
<LI><B>Convenient security taglib:</B> Your JSP files can use our taglib
<LI><B>Computer Associates Siteminder support:</B> Authentication can be
delegated through to CA's Siteminder solution, which is common in large
corporate environments.<BR><BR>
<LI><B>X509 (Certificate) support:</B> Acegi Security can easily read
client-side X509 certificates for authenticating users.<BR><BR>
<LI><B>LDAP Support:</B> Do you have an LDAP directory? Acegi Security can
happily authenticate against it.<BR><BR>
<LI><B>Tag library support:</B> Your JSP files can use our taglib
to ensure that protected content like links and messages are only
displayed to users holding the appropriate granted authorities. The taglib
also fully integrates with Acegi Security's ACL services.<BR><BR>
<LI><B>Application context or attribute-based configuration:</B> You
also fully integrates with Acegi Security's ACL services, and
obtaining extra information about the logged-in principal.<BR><BR>
<LI><B>Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:</B> You
select the method used to configure your security environment. The
project supports configuration via Spring application contexts as well
as Jakarta Commons Attributes.<BR><BR>
project supports configuration via Spring application contexts, as well
as Jakarta Commons Attributes and Java 5's annotations feature. Some users
(such as those building content management systems) pull configuration data
from a database, which exemplifies Acegi Security's flexible configuration
metadata system.<BR><BR>
<LI><B>Various authentication backends:</B> We include the ability to
retrieve your user and granted authority definitions from either an XML
file or JDBC datasource. Alternatively, you can implement the
single-method DAO interface and obtain authentication details from
retrieve your user and granted authority definitions from an XML
file, JDBC datasource or Properties file. Alternatively, you can implement the
single-method UserDetailsService interface and obtain authentication details from
anywhere you like.<BR><BR>
<LI><B>Event support:</B> Building upon Spring's
<CODE>ApplicationEvent</CODE> services, you can write your own listeners
@ -126,23 +149,27 @@
problem. Acegi Security integrates with standard Spring remoting
protocols, because it automatically processes the HTTP BASIC
authentication headers they present. Add our BASIC authentication filter
to your web.xml and you're done.<BR><BR>
to your web.xml and you're done. You can also easily use RMI or Digest
authentication for your rich clients with a simple configuration statement.<BR><BR>
<LI><B>Advanced password encoding:</B> Of course, passwords in your
authentication repository need not be in plain text. We support both SHA
and MD5 encoding, and also pluggable "salt" providers to maximise
password security.<BR><BR>
<LI><B>Run-as replacement:</B> The security system fully supports
temporarily replacing the authenticated user for the duration of the web
password security. Acegi Security doesn't even need to see the password
if your backend can use a bind-based strategy for authentication (such as
an LDAP directory, or a database login).<BR><BR>
<LI><B>Run-as replacement:</B> The system fully supports
temporarily replacing the authenticated principal for the duration of the web
request or bean invocation. This enables you to build public-facing
object tiers with different security configurations than your backend
objects.<BR><BR>
<LI><B>Transparent security propagation:</B> Acegi Security can automatically
transfer its core authentication information from one machine to another,
using a variety of protocols including RMI and Spring's HttpInvoker.<BR><BR>
<LI><B>Compatible with HttpServletRequest.getRemoteUser():</B> Even though
<LI><B>Compatible with HttpServletRequest's security methods:</B> Even though
Acegi Security can deliver authentication using a range of pluggable mechanisms
(most of which require no web container configuration), we allow you to access
the resulting Authentication object via the getRemoteUser() method.<BR><BR>
the resulting Authentication object via the getRemoteUser() and other
security methods on HttpServletRequest.<BR><BR>
<LI><B>Unit tests:</B> A must-have of any quality security project, unit
tests are included. Our unit test coverage is very high, as shown in the
<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<BR><BR>
@ -155,19 +182,18 @@
<LI><B>Peer reviewed:</B> Whilst nothing is ever completely secure,
using an open source security package leverages the continuous design
and code quality improvements that emerge from peer review.<BR><BR>
<LI><B>Thorough documentation:</B> All APIs are fully documented using
<a href="http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/index.html">JavaDoc</a>, with a 40+ page
<a href="reference.html">Reference Guide</a> providing an easy-to-follow
introduction. More documentation is provided on this web site, as
shown in the left hand navigation sidebar.<BR><BR>
<LI><B>Apache license.</B><BR><BR></LI></UL><BR><B>
<LI><B>Community:</B> Well-known for its supportive community, Acegi Security
has an active group of developers and users. Visit our project resources (below)
to access these services.<BR><BR>
<LI><B>Apache license.</B> You can confidently use Acegi Security in your project.<BR><BR></LI></UL><BR><B>
<HR>
<CENTER>Project Resources</CENTER></B>
<HR>
<BR>
<CENTER><A href="http://forum.springframework.org/"><B>Support
Forums</B></A><BR><BR><A
href="http://sourceforge.net/project/showfiles.php?group_id=104215"><B>Downloads</B></A>
<CENTER>
<A href="http://forum.springframework.org/"><B>Support Forums</B></A><BR><BR>
<A href="mail-lists.html"><B>Developer Mailing List</B></A><BR><BR>
<A href="downloads.html"><B>Downloads</B></A>
</CENTER></FONT>
</BODY></HTML>

2
project.properties
View File

@ -16,7 +16,7 @@ maven.compile.source=1.3
#signature.storepass=
#signature.keystore=
maven.javadoc.links=http://java.sun.com/j2se/1.4.2/docs/api/,http://www.springframework.org/docs/api/
maven.javadoc.links=http://java.sun.com/j2se/1.5.0/docs/api/,http://www.springframework.org/docs/api/,http://jakarta.apache.org/commons/lang/api/index.html,http://developer.ja-sig.org/projects/cas/multiproject/cas-server/apidocs/index.html,http://jakarta.apache.org/commons/codec/apidocs/index.html,http://jakarta.apache.org/commons/collections/api/,http://jakarta.apache.org/commons/logging/apidocs/index.html,http://tomcat.apache.org/tomcat-5.0-doc/servletapi/index.html
maven.repo.remote=http://www.ibiblio.org/maven,http://acegisecurity.sourceforge.net/maven,http://svn.apache.org/repository/

2
project.xml
View File

@ -479,7 +479,7 @@
</build>
<reports>
<!-- report>maven-changelog-plugin</report -->
<report>maven-checkstyle-plugin</report>
<!-- report>maven-checkstyle-plugin</report -->
<report>maven-clover-plugin</report>
<report>maven-javadoc-plugin</report>
<report>maven-jdepend-plugin</report>