From 44f1e751a9273a27e7218493ac1c8166185514ee Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 6 Mar 2008 13:41:59 +0000
Subject: [PATCH] SEC-696: Update Maven Site for deployment to
springframework.org. Removed many of the existing acegi site files.
---
src/site/apt/svn-usage.apt | 2 +-
.../announcements/announcement-0.1.txt | 16 -
.../announcements/announcement-0.2.txt | 34 --
.../announcements/announcement-0.3.txt | 28 --
.../announcements/announcement-0.4.txt | 40 ---
.../announcements/announcement-0.5.1.txt | 37 ---
.../announcements/announcement-0.5.txt | 42 ---
.../announcements/announcement-0.6.1.txt | 39 ---
.../announcements/announcement-0.6.txt | 50 ---
.../announcements/announcement-0.7.0.txt | 68 ----
.../announcements/announcement-0.7.1.txt | 18 --
.../announcements/announcement-0.8.0.txt | 59 ----
.../announcements/announcement-0.8.1.1.txt | 18 --
.../announcements/announcement-0.8.1.txt | 43 ---
.../announcements/announcement-0.8.2.txt | 33 --
.../announcements/announcement-0.8.3.txt | 18 --
.../announcements/announcement-0.9.0.txt | 17 -
.../announcement-1.0.0 Final.txt | 17 -
.../announcements/announcement-1.0.0 RC1.txt | 17 -
.../announcements/announcement-1.0.0 RC2.txt | 17 -
src/site/resources/css/site.css | 55 ----
src/site/resources/dbinit.txt | 92 ------
src/site/resources/images/logo.gif | Bin 8827 -> 0 bytes
src/site/xdoc/articles.xml | 153 ---------
src/site/xdoc/changes.xml | 293 ------------------
src/site/xdoc/downloads.xml | 71 -----
src/site/xdoc/faq.xml | 288 -----------------
src/site/xdoc/policies.xml | 103 ------
src/site/xdoc/powering.xml | 41 ---
src/site/xdoc/standalone.xml | 50 ---
src/site/xdoc/upgrade/upgrade-03-04.xml | 48 ---
src/site/xdoc/upgrade/upgrade-04-05.xml | 54 ----
src/site/xdoc/upgrade/upgrade-05-06.xml | 76 -----
src/site/xdoc/upgrade/upgrade-06-070.xml | 55 ----
src/site/xdoc/upgrade/upgrade-070-080.xml | 41 ---
src/site/xdoc/upgrade/upgrade-080-090.xml | 95 ------
src/site/xdoc/upgrade/upgrade-090-100.xml | 95 ------
37 files changed, 1 insertion(+), 2222 deletions(-)
delete mode 100644 src/site/resources/announcements/announcement-0.1.txt
delete mode 100644 src/site/resources/announcements/announcement-0.2.txt
delete mode 100644 src/site/resources/announcements/announcement-0.3.txt
delete mode 100644 src/site/resources/announcements/announcement-0.4.txt
delete mode 100644 src/site/resources/announcements/announcement-0.5.1.txt
delete mode 100644 src/site/resources/announcements/announcement-0.5.txt
delete mode 100644 src/site/resources/announcements/announcement-0.6.1.txt
delete mode 100644 src/site/resources/announcements/announcement-0.6.txt
delete mode 100644 src/site/resources/announcements/announcement-0.7.0.txt
delete mode 100644 src/site/resources/announcements/announcement-0.7.1.txt
delete mode 100644 src/site/resources/announcements/announcement-0.8.0.txt
delete mode 100644 src/site/resources/announcements/announcement-0.8.1.1.txt
delete mode 100644 src/site/resources/announcements/announcement-0.8.1.txt
delete mode 100644 src/site/resources/announcements/announcement-0.8.2.txt
delete mode 100644 src/site/resources/announcements/announcement-0.8.3.txt
delete mode 100644 src/site/resources/announcements/announcement-0.9.0.txt
delete mode 100644 src/site/resources/announcements/announcement-1.0.0 Final.txt
delete mode 100644 src/site/resources/announcements/announcement-1.0.0 RC1.txt
delete mode 100644 src/site/resources/announcements/announcement-1.0.0 RC2.txt
delete mode 100644 src/site/resources/css/site.css
delete mode 100644 src/site/resources/dbinit.txt
delete mode 100644 src/site/resources/images/logo.gif
delete mode 100644 src/site/xdoc/articles.xml
delete mode 100644 src/site/xdoc/changes.xml
delete mode 100644 src/site/xdoc/downloads.xml
delete mode 100644 src/site/xdoc/faq.xml
delete mode 100644 src/site/xdoc/policies.xml
delete mode 100644 src/site/xdoc/powering.xml
delete mode 100644 src/site/xdoc/standalone.xml
delete mode 100644 src/site/xdoc/upgrade/upgrade-03-04.xml
delete mode 100644 src/site/xdoc/upgrade/upgrade-04-05.xml
delete mode 100644 src/site/xdoc/upgrade/upgrade-05-06.xml
delete mode 100644 src/site/xdoc/upgrade/upgrade-06-070.xml
delete mode 100644 src/site/xdoc/upgrade/upgrade-070-080.xml
delete mode 100644 src/site/xdoc/upgrade/upgrade-080-090.xml
delete mode 100644 src/site/xdoc/upgrade/upgrade-090-100.xml
diff --git a/src/site/apt/svn-usage.apt b/src/site/apt/svn-usage.apt
index f071e545ea..292874f8b6 100644
--- a/src/site/apt/svn-usage.apt
+++ b/src/site/apt/svn-usage.apt
@@ -31,7 +31,7 @@ Subversion Usage
+----------------------------------------------------------------------------------------------------------------------+
Specific tagged releases can be checked out from the URL
- {{{"http://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/tags/}}}.
+ {{{"http://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/tags/"}}}.
diff --git a/src/site/resources/announcements/announcement-0.1.txt b/src/site/resources/announcements/announcement-0.1.txt
deleted file mode 100644
index 3847e81c63..0000000000
--- a/src/site/resources/announcements/announcement-0.1.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.1 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Initial public release
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.2.txt b/src/site/resources/announcements/announcement-0.2.txt
deleted file mode 100644
index 07e4456486..0000000000
--- a/src/site/resources/announcements/announcement-0.2.txt
+++ /dev/null
@@ -1,34 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.2 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added Commons Attributes support and sample (thanks to Cameron Braid)
-o Added JBoss container adapter
-o Added Resin container adapter
-o Added JDBC DAO authentication provider
-o Added several filter implementations for container adapter integration
-o Added SecurityInterceptor startup time validation of ConfigAttributes
-o Added more unit tests
-
- Fixed bugs:
-
-o Fixed switch block in voting decision manager implementations
-
- Changes:
-
-o Refactored ConfigAttribute to interface and added concrete implementation
-o Enhanced diagnostics information provided by sample application debug.jsp
-o Modified sample application for wider container portability (Resin, JBoss)
-o Removed Spring MVC interceptor for container adapter integration
-o Documentation improvements
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.3.txt b/src/site/resources/announcements/announcement-0.3.txt
deleted file mode 100644
index 2d45aa0501..0000000000
--- a/src/site/resources/announcements/announcement-0.3.txt
+++ /dev/null
@@ -1,28 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.3 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added "in container" unit test system for container adapters and sample app
-o Added library extractor tool to reduce the "with deps" ZIP release sizes
-o Added unit test to the attributes sample
-o Added Jalopy source formatting
-
- Changes:
-
-o Modified all files to use net.sf.acegisecurity namespace
-o Renamed springsecurity.xml to acegisecurity.xml for consistency
-o Reduced length of ZIP and JAR filenames
-o Clarified licenses and sources for all included libraries
-o Updated documentation to reflect new file and package names
-o Setup Sourceforge.net project and added to CVS etc
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.4.txt b/src/site/resources/announcements/announcement-0.4.txt
deleted file mode 100644
index 4005eeebe6..0000000000
--- a/src/site/resources/announcements/announcement-0.4.txt
+++ /dev/null
@@ -1,40 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.4 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added HTTP session authentication as an alternative to container adapters
-o Added HTTP request security interceptor (offers considerable flexibility)
-o Added security taglib
-o Added Clover test coverage instrumentation (currently 97.2%)
-o Added support for Catalina (Tomcat) 4.1.30 to in-container integration
- tests
-o Added HTML test and summary reporting to in-container integration tests
-
- Fixed bugs:
-
-o Fixed case handling support in data access object authentication provider
-
- Changes:
-
-o Updated JARs to Spring Framework release 1.0, with associated AOP changes
-o Updated to Apache License version 2.0
-o Updated copyright with permission of past contributors
-o Refactored unit tests to use mock objects and focus on a single class each
-o Refactored many classes to enable insertion of mock objects during testing
-o Refactored core classes to ease support of new secure object types
-o Changed package layout to better describe the role of contained items
-o Changed the extractor to extract additional classes from JBoss and Catalina
-o Changed Jetty container adapter configuration (see reference documentation)
-o Improved AutoIntegrationFilter handling of deployments without JBoss JARs
-o Documentation improvements
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.5.1.txt b/src/site/resources/announcements/announcement-0.5.1.txt
deleted file mode 100644
index fb33c6ce33..0000000000
--- a/src/site/resources/announcements/announcement-0.5.1.txt
+++ /dev/null
@@ -1,37 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.5.1 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added samples/quick-start
-o Added NullRunAsManager and made default for AbstractSecurityInterceptor
-o Added event notification (see net.sf.acegisecurity.providers.dao.event)
-
- Fixed bugs:
-
-o Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
-o Fixed issue with NullPointerExceptions in taglib
-
- Changes:
-
-o Updated JAR to Spring 1.0.2
-o Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
-o Updated GrantedAuthorityImpl to be serializable (JBoss support)
-o Updated Authentication interface to present extra details for a request
-o Updated Authentication interface to subclass java.security.Principal
-o Refactored DaoAuthenticationProvider caching (refer to reference docs)
-o Improved HttpSessionIntegrationFilter to manage additional attributes
-o Improved URL encoding during redirects
-o Removed DaoAuthenticationToken and session-based caching
-o Documentation improvements
-o Upgrade Note: DaoAuthenticationProvider no longer has a "key" property
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.5.txt b/src/site/resources/announcements/announcement-0.5.txt
deleted file mode 100644
index ea221fec8d..0000000000
--- a/src/site/resources/announcements/announcement-0.5.txt
+++ /dev/null
@@ -1,42 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.5 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added single sign on support via Yale Central Authentication Service (CAS)
-o Added full support for HTTP Basic Authentication
-o Added caching for DaoAuthenticationProvider successful authentications
-o Added Burlap and Hessian remoting to Contacts sample application
-o Added pluggable password encoders including plaintext, SHA and MD5
-o Added pluggable salt sources to enhance security of hashed passwords
-o Added FilterToBeanProxy to obtain filters from Spring application context
-o Added support for prepending strings to roles created by JdbcDaoImpl
-o Added support for user definition of SQL statements used by JdbcDaoImpl
-o Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys
-o Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter
-o Added Apache Ant path syntax support to SecurityEnforcementFilter
-o Added filter to automate web channel requirements (eg HTTPS redirection)
-
- Fixed bugs:
-
-o Fixed FilterInvocation.getRequestUrl() to also include getPathInfo()
-o Fixed Contacts sample application tags
-
- Changes:
-
-o Updated JAR to Spring 1.0.1
-o Updated several classes to use absolute (not relative) redirection URLs
-o Refactored filters to use Spring application context lifecycle support
-o Improved constructor detection of nulls in User and other key objects
-o Established acegisecurity-developer mailing list
-o Documentation improvements
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.6.1.txt b/src/site/resources/announcements/announcement-0.6.1.txt
deleted file mode 100644
index 780c9fc191..0000000000
--- a/src/site/resources/announcements/announcement-0.6.1.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.6.1 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added additional DaoAuthenticationProvider event when user not found
-o Added Authentication.getDetails() to DaoAuthenticationProvider response
-o Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true)
-o Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP)
-o Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy
- inits)
-o Added convenience methods to ConfigAttributeDefinition
-
- Fixed bugs:
-
-o Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change
-o Fixed EH-CACHE-based caching implementation behaviour when cache exists
-o Fixed Ant "release" target not including project.properties
-o Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method
-
- Changes:
-
-o Resolved to use http://apr.apache.org/versioning.html for future versioning
-o Improved sample applications' bean reference notation
-o Clarified contract for ObjectDefinitionSource.getAttributes(Object)
-o Extracted removeUserFromCache(String) to UserCache interface
-o Improved ConfigAttributeEditor so it trims preceding and trailing spaces
-o Refactored UsernamePasswordAuthenticationToken.getDetails() to Object
-o Documentation improvements
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.6.txt b/src/site/resources/announcements/announcement-0.6.txt
deleted file mode 100644
index 363447ace6..0000000000
--- a/src/site/resources/announcements/announcement-0.6.txt
+++ /dev/null
@@ -1,50 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.6 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added domain object instance access control list (ACL) packages
-o Added feature so DaoAuthenticationProvider returns User in Authentication
-o Added AbstractIntegrationFilter.secureContext property for custom contexts
-o Added stack trace logging to SecurityEnforcementFilter
-o Added exception-specific target URLs to AbstractProcessingFilter
-o Added JdbcDaoImpl hook so subclasses can insert custom granted authorities
-o Added AuthenticationProvider that wraps JAAS login modules
-o Added support for EL expressions in the authz tag library
-o Added failed Authentication object to AuthenticationExceptions
-o Added signed JARs to all official release builds (see readme.txt)
-o Added remote client authentication validation package
-o Added protected sendAccessDeniedError method to SecurityEnforcementFilter
-
- Fixed bugs:
-
-o Fixed CasAuthenticationToken if proxy granting ticket callback not
- requested
-o Fixed EH-CACHE handling on web context refresh
-
- Changes:
-
-o Updated Authentication to be serializable (Weblogic support)
-o Updated JAR to Spring 1.1 RC 1
-o Updated to Clover 1.3
-o Updated to HSQLDB version 1.7.2 Release Candidate 6D
-o Refactored User to net.sf.acegisecurity.UserDetails interface
-o Refactored CAS package to store UserDetails in CasAuthenticationToken
-o Improved organisation of DaoAuthenticationProvider to facilitate
- subclassing
-o Improved test coverage (now 98.3%)
-o Improved JDBC-based tests to use in-memory database rather than filesystem
-o Fixed Linux compatibility issues (directory case sensitivity etc)
-o Fixed AbstractProcessingFilter to handle servlet spec container differences
-o Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue
-o Documentation improvements
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.7.0.txt b/src/site/resources/announcements/announcement-0.7.0.txt
deleted file mode 100644
index e74befdfef..0000000000
--- a/src/site/resources/announcements/announcement-0.7.0.txt
+++ /dev/null
@@ -1,68 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.7.0 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Major CVS repository restructure to support Maven and eliminate libraries
-o Added AfterInvocationManager to mutate objects return from invocations
-o Added BasicAclEntryAfterInvocationProvider to ACL evaluate returned Object
-o Added BasicAclEntryAfterInvocationCollectionFilteringProvider
-o Added security propagation during RMI invocations (from sandbox)
-o Added security propagation for Spring's HTTP invoker
-o Added BasicAclEntryVoter, which votes based on AclManager permissions
-o Added AspectJ support (especially useful for instance-level security)
-o Added MethodDefinitionSourceAdvisor for performance and autoproxying
-o Added MethodDefinitionMap querying of interfaces defined by secure objects
-o Added AuthenticationProcessingFilter.setDetails for use by subclasses
-o Added 403-causing exception to HttpSession via SecurityEnforcementFilter
-o Added net.sf.acegisecurity.intercept.event package
-o Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD
-o Added additional remoting protocol demonstrations to Contacts sample
-o Added AbstractProcessingFilter property to always use defaultTargetUrl
-o Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser()
-o Added attempted username to view if processed by
- AuthenticationProcessingFilter
-o Added UserDetails account and credentials expiration methods
-o Added exceptions and events to support new UserDetails methods
-o Added new exceptions to JBoss container adapter
-
- Fixed bugs:
-
-o Fixed ambiguous column references in JdbcDaoImpl default query
-o Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility)
-o Fixed GrantedAuthorityEffectiveAclResolver support of UserDetails
- principals
-o Fixed HttpSessionIntegrationFilter "cannot commit to container" during
- logoff
-
- Changes:
-
-o Major improvements to Contacts sample application (now demos ACL security)
-o Improved BasicAclProvider to only respond to specified ACL object requests
-o Refactored MethodDefinitionSource to work with Method, not MethodInvocation
-o Refactored AbstractFilterInvocationDefinitionSource to work with URL
- Strings alone
-o Refactored AbstractSecurityInterceptor to better support other AOP
- libraries
-o Improved performance of JBoss container adapter (see reference docs)
-o Made DaoAuthenticationProvider detect null in Authentication.principal
-o Improved JaasAuthenticationProvider startup error detection
-o Refactored EH-CACHE implementations to use Spring IoC defined caches
- instead
-o AbstractProcessingFilter now has various hook methods to assist subclasses
-o DaoAuthenticationProvider better detects AuthenticationDao interface
- violations
-o The User class has a new constructor (the old constructor is deprecated)
-o Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package
-o Documentation improvements
-o Test coverage improvements
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.7.1.txt b/src/site/resources/announcements/announcement-0.7.1.txt
deleted file mode 100644
index 37c028483c..0000000000
--- a/src/site/resources/announcements/announcement-0.7.1.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.7.1 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Fixed bugs:
-
-o AbstractIntegrationFilter elegantly handles IOExceptions and
- ServletExceptions within filter chain (see
- http://opensource.atlassian.com/projects/spring/browse/SEC-20)
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.8.0.txt b/src/site/resources/announcements/announcement-0.8.0.txt
deleted file mode 100644
index d66aadb974..0000000000
--- a/src/site/resources/announcements/announcement-0.8.0.txt
+++ /dev/null
@@ -1,59 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.8.0 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o Added Digest Authentication support (RFC 2617 and RFC 2069)
-o Added pluggable remember-me services
-o Added pluggable mechnism to prevent concurrent login sessions
-o FilterChainProxy added to significantly simplify web.xml configuration of
- Acegi Security
-o AuthenticationProcessingFilter now provides hook for extra credentials (eg
- postcodes)
-o New WebAuthenticationDetails class now used by processing filters for
- Authentication.setDetails()
-o Additional debug-level logging
-o Improved Tapestry support in AbstractProcessingFilter
-
- Fixed bugs:
-
-o Correct issue with JdbcDaoImpl default SQL query not using consistent case
- sensitivity
-o Improve Linux and non-Sun JDK (specifically IBM JDK) compatibility
-o Log4j now included in generated WAR artifacts (fixes issue with Log4j
- listener)
-o Correct NullPointerException in FilterInvocationDefinitionSource
- implementations
-
- Changes:
-
-o Made ConfigAttributeDefinition and ConfigAttribute Serializable
-o User now accepts blank passwords (null passwords still rejected)
-o FilterToBeanProxy now searches hierarchical bean factories
-o User now accepted blank passwords (null passwords still rejected)
-o ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method
-o HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily
-o FilterSecurityInterceptor now only executes once per request (improves
- performance with SiteMesh)
-o JaasAuthenticatinProvider now uses System.property
- "java.security.auth.login.config"
-o JaasAuthenticationCallbackHandler Authentication is passed to handle method
- setAuthentication removed
-o Added AuthenticationException to the AutenticationEntryPoint.commence
- method signature
-o Added AccessDeniedException to the
- SecurityEncorcementFilter.sendAccessDeniedError method signature
-o FilterToBeanProxy now addresses lifecycle mismatch (IoC container vs
- servlet container) issue
-o Significantly refactor "well-known location model" to authentication
- processing mechanism and HttpSessionContextIntegrationFilter model
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.8.1.1.txt b/src/site/resources/announcements/announcement-0.8.1.1.txt
deleted file mode 100644
index 44a55895d9..0000000000
--- a/src/site/resources/announcements/announcement-0.8.1.1.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.8.1.1 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Fixed bugs:
-
-o HttpSessionContextIntegrationFilter elegantly handles IOExceptions and
- ServletExceptions within filter chain (see
- http://opensource.atlassian.com/projects/spring/browse/SEC-20)
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.8.1.txt b/src/site/resources/announcements/announcement-0.8.1.txt
deleted file mode 100644
index 1c6c1dd883..0000000000
--- a/src/site/resources/announcements/announcement-0.8.1.txt
+++ /dev/null
@@ -1,43 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.8.1 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- New Features:
-
-o X509 (certificate-based) authentication support
-
- Fixed bugs:
-
-o SecurityEnforcementFilter caused NullPointerException when anonymous
- authentication used with BasicProcessingFilterEntryPoint
-o FilterChainProxy now supports replacement of ServletRequest and
- ServetResponse by Filter beans
-o Corrected Authz parsing of whitespace in GrantedAuthoritys
-o TokenBasedRememberMeServices now respects expired users, expired
- credentials and disabled users
-o HttpSessionContextIntegrationFilter now handles HttpSession invalidation
- without redirection
-o StringSplitUtils.split() ignored delimiter argument
-o DigestProcessingFilter now provides userCache getter and setter
-o Contacts Sample made to work with UserDetails-based Principal
-
- Changes:
-
-o UserDetails now advises locked accounts, with corresponding
- DaoAuthenticationProvider events and enforcement
-o ContextHolderAwareRequestWrapper methods return null if user is anonymous
-o AbstractBasicAclEntry improved compatibility with Hibernate
-o User now provides a more useful toString() method
-o Update to match Spring 1.1.5 official JAR dependencies (NB: now using
- Servlet 2.4 and related JSP/taglib JARs)
-o Documentation improvements
-o Test coverage improvements
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.8.2.txt b/src/site/resources/announcements/announcement-0.8.2.txt
deleted file mode 100644
index 97d61975bd..0000000000
--- a/src/site/resources/announcements/announcement-0.8.2.txt
+++ /dev/null
@@ -1,33 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.8.2 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Fixed bugs:
-
-o Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in
- clientContext.xml
-o TokenBasedRememberMeServices changed to use long instead of int for
- tokenValiditySeconds (SPR-807)
-o Handle null Authentication.getAuthorities() in AuthorizeTag
-o PasswordDaoAuthenticationProvider no longer stores String against
- Authentication.setDetails()
-
- Changes:
-
-o Update commons-codec dependency to 1.3
-o AbstractProcessingFilter no longer has setters for failures, it uses the
- exceptionMappings property
-o Update to match Spring 1.2-RC2 official JAR dependencies
-o AuthenticationProcessingFilter now provides an obtainUsername method
-o Correct PathBasedFilterInvocationDefinitionMap compatibility with Spring
- 1.2-RC2
-o Refactoring to leverage Spring's Assert class and mocks where possible
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.8.3.txt b/src/site/resources/announcements/announcement-0.8.3.txt
deleted file mode 100644
index 34dd613712..0000000000
--- a/src/site/resources/announcements/announcement-0.8.3.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.8.3 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Fixed bugs:
-
-o HttpSessionContextIntegrationFilter elegantly handles IOExceptions and
- ServletExceptions within filter chain (see
- http://opensource.atlassian.com/projects/spring/browse/SEC-20)
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-0.9.0.txt b/src/site/resources/announcements/announcement-0.9.0.txt
deleted file mode 100644
index 41a958d220..0000000000
--- a/src/site/resources/announcements/announcement-0.9.0.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 0.9.0 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Changes:
-
-o All changes are in JIRA at
- http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-1.0.0 Final.txt b/src/site/resources/announcements/announcement-1.0.0 Final.txt
deleted file mode 100644
index a987b207f0..0000000000
--- a/src/site/resources/announcements/announcement-1.0.0 Final.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 1.0.0 Final release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Changes:
-
-o All changes are in JIRA at
- http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-1.0.0 RC1.txt b/src/site/resources/announcements/announcement-1.0.0 RC1.txt
deleted file mode 100644
index 38558daab4..0000000000
--- a/src/site/resources/announcements/announcement-1.0.0 RC1.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 1.0.0 RC1 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Changes:
-
-o All changes are in JIRA at
- http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/announcements/announcement-1.0.0 RC2.txt b/src/site/resources/announcements/announcement-1.0.0 RC2.txt
deleted file mode 100644
index b2da0a6d17..0000000000
--- a/src/site/resources/announcements/announcement-1.0.0 RC2.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-The acegi-security-doc team is pleased to announce the Acegi Security System
-for Spring 1.0.0 RC2 release!
-
-http://acegisecurity.org/
-
-Acegi Security System for Spring
-
-Changes in this version include:
-
- Changes:
-
-o All changes are in JIRA at
- http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-Have fun!
--The acegi-security-doc team
-
\ No newline at end of file
diff --git a/src/site/resources/css/site.css b/src/site/resources/css/site.css
deleted file mode 100644
index 3b6994bd0b..0000000000
--- a/src/site/resources/css/site.css
+++ /dev/null
@@ -1,55 +0,0 @@
-
-#poweredBy {
- visibility: hidden;
-}
-
-#bannerLeft img {
- padding: 35px 0 0 25px
-}
-
-#leftColumn {
- margin: 30px 0 0 5px;
- border: none;
- background-color: white;
-}
-
-#navcolumn li {
- line-height: 1.5em;
- font-size: 0.95em;
-}
-
-#navcolumn h5 {
- font-size: 0.95em;
-}
-
-h2 {
- padding: 0;
- border: none;
- color: black;
- background-color: white;
- font-weight:bold;
- font-size: large;
- text-align: center;
-}
-h3 {
- padding: 0;
- border: none;
- color: black;
- background-color: white;
- font-weight: normal;
- font-size: large;
-}
-h4 {
- padding: 0;
- border: none;
- background-color: white;
- color: black;
- font-weight: normal;
- font-size: large;
-}
-
-h5 {
- padding: 0;
- background-color: white;
- color: black;
-}
diff --git a/src/site/resources/dbinit.txt b/src/site/resources/dbinit.txt
deleted file mode 100644
index 26cdd99acb..0000000000
--- a/src/site/resources/dbinit.txt
+++ /dev/null
@@ -1,92 +0,0 @@
---- $Id$
-
---- Sample Hypersonic SQL compatible schema and data
----
---- All Spring Security JDBC DAOs can be customised to use a different schema.
---- In addition, the Spring Security JDBC DAOs do not even need to be used
---- with Spring Security, and an entirely customised persistence strategy
---- can be employed via standard interfaces (eg in-memory, Hibernate etc).
-
-SET IGNORECASE TRUE;
-
-CREATE TABLE users (
- username VARCHAR(50) NOT NULL PRIMARY KEY,
- password VARCHAR(50) NOT NULL,
- enabled BIT NOT NULL
-);
-
-CREATE TABLE authorities (
- username VARCHAR(50) NOT NULL,
- authority VARCHAR(50) NOT NULL
-);
-CREATE UNIQUE INDEX ix_auth_username ON authorities ( username, authority );
-
-ALTER TABLE authorities ADD CONSTRAINT fk_authorities_users foreign key (username) REFERENCES users(username);
-
-INSERT INTO users VALUES ('rod', 'koala', true);
-INSERT INTO users VALUES ('dianne', 'emu', true);
-INSERT INTO users VALUES ('scott', 'wombat', true);
-INSERT INTO users VALUES ('peter', 'opal', false);
-
-INSERT INTO authorities VALUES ('rod', 'ROLE_TELLER');
-INSERT INTO authorities VALUES ('rod', 'ROLE_SUPERVISOR');
-INSERT INTO authorities VALUES ('dianne', 'ROLE_TELLER');
-INSERT INTO authorities VALUES ('scott', 'ROLE_TELLER');
-INSERT INTO authorities VALUES ('peter', 'ROLE_TELLER');
-
---- Indexes auto created in HSQLDB for primary keys and unique columns
-
-CREATE TABLE acl_object_identity (
- id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 0) NOT NULL PRIMARY KEY,
- object_identity VARCHAR_IGNORECASE(250) NOT NULL,
- parent_object BIGINT,
- acl_class VARCHAR_IGNORECASE(250) NOT NULL,
- CONSTRAINT unique_object_identity UNIQUE(object_identity),
- FOREIGN KEY (parent_object) REFERENCES acl_object_identity(id)
-);
-
-CREATE TABLE acl_permission (
- id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 0) NOT NULL PRIMARY KEY,
- acl_object_identity BIGINT NOT NULL,
- recipient VARCHAR_IGNORECASE(100) NOT NULL,
- mask INTEGER NOT NULL,
- CONSTRAINT unique_recipient UNIQUE(acl_object_identity, recipient),
- FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id)
-);
-
---- Mask integer 0 = no permissions
---- Mask integer 1 = administer
---- Mask integer 2 = read
---- Mask integer 6 = read and write permissions
---- Mask integer 14 = read and write and create permissions
-
----------------------------------------------------------------------
---- *** INHERITED RIGHTS FOR DIFFERENT INSTANCES AND RECIPIENTS ***
---- INSTANCE RECIPIENT PERMISSION(S) (COMMENT #INSTANCE)
----------------------------------------------------------------------
---- 1 ROLE_SUPERVISOR Administer
---- 2 ROLE_SUPERVISOR None (overrides parent #1)
---- rod Read
---- 3 ROLE_SUPERVISOR Administer (from parent #1)
---- scott Read, Write, Create
---- 4 ROLE_SUPERVISOR Administer (from parent #1)
---- 5 ROLE_SUPERVISOR Administer (from parent #3)
---- scott Read, Write, Create (from parent #3)
---- 6 ROLE_SUPERVISOR Administer (from parent #3)
---- scott Administer (overrides parent #3)
----------------------------------------------------------------------
-
-INSERT INTO acl_object_identity VALUES (1, 'org.springframework.security.acl.DomainObject:1', null, 'org.springframework.security.acl.basic.SimpleAclEntry');
-INSERT INTO acl_object_identity VALUES (2, 'org.springframework.security.acl.DomainObject:2', 1, 'org.springframework.security.acl.basic.SimpleAclEntry');
-INSERT INTO acl_object_identity VALUES (3, 'org.springframework.security.acl.DomainObject:3', 1, 'org.springframework.security.acl.basic.SimpleAclEntry');
-INSERT INTO acl_object_identity VALUES (4, 'org.springframework.security.acl.DomainObject:4', 1, 'org.springframework.security.acl.basic.SimpleAclEntry');
-INSERT INTO acl_object_identity VALUES (5, 'org.springframework.security.acl.DomainObject:5', 3, 'org.springframework.security.acl.basic.SimpleAclEntry');
-INSERT INTO acl_object_identity VALUES (6, 'org.springframework.security.acl.DomainObject:6', 3, 'org.springframework.security.acl.basic.SimpleAclEntry');
-
-INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1);
-INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0);
-INSERT INTO acl_permission VALUES (null, 2, 'rod', 2);
-INSERT INTO acl_permission VALUES (null, 3, 'scott', 14);
-INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);
-
-
diff --git a/src/site/resources/images/logo.gif b/src/site/resources/images/logo.gif
deleted file mode 100644
index 130cc4589a37c471d3992c6687d25f402d8d0e28..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001
literal 8827
zcmWldcRbXO|G?kt_If*e)hV*;$co0>CgLbtI-|(yDhkQxjBGlRgzC&hbV5nvb7qJ-
zQ6H^u7aAYQ=h{p8^?UvQdOTixJe^>Tu#B14+PF09amLUcdfyN5`Xr@@Be$v9)#e
z(CsUyg(V;ag02y6zV1#=bwjuNju-8VJ{WcA(DhfZKX%_9ot|E3X?gJS)flL_-Yd7b
zzNP-f_V=?b{>2*aPL2#|CblX%?MVjY@v_pa=5tSB!~%_v*&rKyyLaDQg##
z^77H?C)0J!XNY^EKYsiUnY-S(^D^ONJ)~#f)qVPZFUHHNsy@8!4-EIKs;x`TItK1d
zn|pkDU_=7?@G_I!@p8EQ`~juJ4Ap=rox~*A!Vd~cn2`=-HZ-=jpHbFOz1YzWdPa=h
z9oE^Ka-p?4D5zC+f8yxm!}iV^ExpwrKgyhTMt}dl)XMIP>-E&-x1|JI)^h!+Eu}5>qohi@$Qa8jnfFuQ0=Q2^&gT
zyJN3(*Gr}URn~Q?$7Q=Z%B|h3cmH-17@Sm^vok5DJg2#xn^i{O{q^M8aDDS-h$46G
zRv&d=Iusbr+q*^f-~FYfU(}ETN+Ac{Exv9P_nyAqzwqv}T0lVOwPqz|R)WwkwcLj!7+UyGV#gQSb~uTq~UZXZ(EoSW}rt9;wdz{reX!Za=tU)0QpgJU!3<{=FO=;&4wg@Z
zfnb>A9ZuU3{p%R=c#<4i>1akA6DbUU&OA%RXPj^>Y2l3BB#j!6TO&?wn$Wk5;>O
zG>%tU9h`qU(sBOYxreFGzGDev7fe<@{GRfquQ3#Jj%75lg!A1kxf2
z?0NHPYuetp*b;++tTEHsRn%6@-eaOiH-ly}*gn^ooNDlN?jOB>+S%%NhPJGyMO4_h
zq%$*^r~WtWGc%@oe!J+z@f+)#T`nr)RRHFMLwo72W8_~<=G$$1b%~YK~;r|Yo2?Ex+JQb6t
zSv*(nqhF?Onl$PfGGW_*x4oPKFRXu+eNuxoAAM$0b%aqHp0)SagPLKZlU5zQsQQ8)
z%*`|jzn5D_4Ha+U32)Dol1-GI6_=YtQXbVTtREGn
z>hzMfl+{eIRu@Vcv6lzE`nR|=nP$TS!QV4V$*r^Q@K`tQlquP)WT<=_?Xn#JRtvot
z6a|(z=9LI_)+kWv1@LsU&{?C=rfJFgyNKVw?$O-zOeVv6IT5M{3o(xB7Izk)4V9F(
z0L|3;eBioWUyRM~Z}JNfD`P9OA(u}=z|z86uVh_f{YNF70ZW`twccoM2dF6s#xFNV
zVKElyCt;f=Xv98`JVvPCf$bIjoBcLMRR_7QXwP
zS;JNfoQu>EkSCh0HDiAJ2xxmE0uYcFP{c4;nCb!;c23$`99pXKYcvv}V;c;fik;+1
zx2?T&zTEhnE=Oc}A2U^4F1w5e=7gqygG+3*!T7jv?e%YWzr$muld
Seraph Development Status:
- The fine folks at Atlassian have noted, "for more complex needs than Seraph meets, we suggest considering alternative frameworks like ACEGI, which provides more functionality (at the cost of greater complexity)."
J2EE App Server Security:
- "After using Acegi for the last month, I think I'm going to ditch the 'standard' J2EE security stuff", blogged Matt Raible. I should note
- our CVS tree has become stable and there are build instructions.
-
-
AppFuse Authentication:
- Discusses AppFuse 1.8+'s replacement of Container-Managed Authentication (CMA) with Acegi Security.
Acegi Security use with AppFuse:
- The popular AppFuse project now uses Acegi Security instead of container managed authentication!
-
-
Simplifying Acegi Configuration:
- Craig Walls provides a good approach to reusing your Acegi Security configuration between projects. This has been
- updated by Seth Ladd for release 0.7.0.
\ No newline at end of file
diff --git a/src/site/xdoc/changes.xml b/src/site/xdoc/changes.xml
deleted file mode 100644
index b6222441c3..0000000000
--- a/src/site/xdoc/changes.xml
+++ /dev/null
@@ -1,293 +0,0 @@
-
-
-
-
-
-
- Spring Security changes
-
-
-
- All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-
- All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-
- All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-
- All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040
-
-
- HttpSessionContextIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
-
-
- HttpSessionContextIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
-
-
- AbstractIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)
-
-
- Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml
- TokenBasedRememberMeServices changed to use long instead of int for tokenValiditySeconds (SPR-807)
- Handle null Authentication.getAuthorities() in AuthorizeTag
- PasswordDaoAuthenticationProvider no longer stores String against Authentication.setDetails()
- Update commons-codec dependency to 1.3
- AbstractProcessingFilter no longer has setters for failures, it uses the exceptionMappings property
- Update to match Spring 1.2-RC2 official JAR dependencies
- AuthenticationProcessingFilter now provides an obtainUsername method
- Correct PathBasedFilterInvocationDefinitionMap compatibility with Spring 1.2-RC2
- Refactoring to leverage Spring's Assert class and mocks where possible
-
-
- X509 (certificate-based) authentication support
- UserDetails now advises locked accounts, with corresponding DaoAuthenticationProvider events and enforcement
- ContextHolderAwareRequestWrapper methods return null if user is anonymous
- AbstractBasicAclEntry improved compatibility with Hibernate
- User now provides a more useful toString() method
- Update to match Spring 1.1.5 official JAR dependencies (NB: now using Servlet 2.4 and related JSP/taglib JARs)
- SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint
- FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans
- Corrected Authz parsing of whitespace in GrantedAuthoritys
- TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users
- HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection
- StringSplitUtils.split() ignored delimiter argument
- DigestProcessingFilter now provides userCache getter and setter
- Contacts Sample made to work with UserDetails-based Principal
- Documentation improvements
- Test coverage improvements
-
-
- Added Digest Authentication support (RFC 2617 and RFC 2069)
- Added pluggable remember-me services
- Added pluggable mechnism to prevent concurrent login sessions
- FilterChainProxy added to significantly simplify web.xml configuration of Acegi Security
- AuthenticationProcessingFilter now provides hook for extra credentials (eg postcodes)
- New WebAuthenticationDetails class now used by processing filters for Authentication.setDetails()
- Additional debug-level logging
- Improved Tapestry support in AbstractProcessingFilter
- Made ConfigAttributeDefinition and ConfigAttribute Serializable
- User now accepts blank passwords (null passwords still rejected)
- FilterToBeanProxy now searches hierarchical bean factories
- User now accepted blank passwords (null passwords still rejected)
- ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method
- HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily
- FilterSecurityInterceptor now only executes once per request (improves performance with SiteMesh)
- JaasAuthenticatinProvider now uses System.property "java.security.auth.login.config"
- JaasAuthenticationCallbackHandler Authentication is passed to handle method setAuthentication removed
- Added AuthenticationException to the AutenticationEntryPoint.commence method signature
- Added AccessDeniedException to the SecurityEncorcementFilter.sendAccessDeniedError method signature
- FilterToBeanProxy now addresses lifecycle mismatch (IoC container vs servlet container) issue
- Significantly refactor "well-known location model" to authentication processing mechanism and HttpSessionContextIntegrationFilter model
- Correct issue with JdbcDaoImpl default SQL query not using consistent case sensitivity
- Improve Linux and non-Sun JDK (specifically IBM JDK) compatibility
- Log4j now included in generated WAR artifacts (fixes issue with Log4j listener)
- Correct NullPointerException in FilterInvocationDefinitionSource implementations
-
-
- Major CVS repository restructure to support Maven and eliminate libraries
- Major improvements to Contacts sample application (now demos ACL security)
- Added AfterInvocationManager to mutate objects return from invocations
- Added BasicAclEntryAfterInvocationProvider to ACL evaluate returned Object
- Added BasicAclEntryAfterInvocationCollectionFilteringProvider
- Added security propagation during RMI invocations (from sandbox)
- Added security propagation for Spring's HTTP invoker
- Added BasicAclEntryVoter, which votes based on AclManager permissions
- Added AspectJ support (especially useful for instance-level security)
- Added MethodDefinitionSourceAdvisor for performance and autoproxying
- Added MethodDefinitionMap querying of interfaces defined by secure objects
- Added AuthenticationProcessingFilter.setDetails for use by subclasses
- Added 403-causing exception to HttpSession via SecurityEnforcementFilter
- Added net.sf.acegisecurity.intercept.event package
- Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD
- Added additional remoting protocol demonstrations to Contacts sample
- Added AbstractProcessingFilter property to always use defaultTargetUrl
- Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser()
- Added attempted username to view if processed by AuthenticationProcessingFilter
- Added UserDetails account and credentials expiration methods
- Added exceptions and events to support new UserDetails methods
- Added new exceptions to JBoss container adapter
- Improved BasicAclProvider to only respond to specified ACL object requests
- Refactored MethodDefinitionSource to work with Method, not MethodInvocation
- Refactored AbstractFilterInvocationDefinitionSource to work with URL Strings alone
- Refactored AbstractSecurityInterceptor to better support other AOP libraries
- Improved performance of JBoss container adapter (see reference docs)
- Made DaoAuthenticationProvider detect null in Authentication.principal
- Improved JaasAuthenticationProvider startup error detection
- Refactored EH-CACHE implementations to use Spring IoC defined caches instead
- AbstractProcessingFilter now has various hook methods to assist subclasses
- DaoAuthenticationProvider better detects AuthenticationDao interface violations
- The User class has a new constructor (the old constructor is deprecated)
- Fixed ambiguous column references in JdbcDaoImpl default query
- Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility)
- Fixed GrantedAuthorityEffectiveAclResolver support of UserDetails principals
- Fixed HttpSessionIntegrationFilter "cannot commit to container" during logoff
- Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package
- Documentation improvements
- Test coverage improvements
-
-
- Resolved to use http://apr.apache.org/versioning.html for future versioning
- Added additional DaoAuthenticationProvider event when user not found
- Added Authentication.getDetails() to DaoAuthenticationProvider response
- Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true)
- Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP)
- Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy inits)
- Added convenience methods to ConfigAttributeDefinition
- Improved sample applications' bean reference notation
- Clarified contract for ObjectDefinitionSource.getAttributes(Object)
- Extracted removeUserFromCache(String) to UserCache interface
- Improved ConfigAttributeEditor so it trims preceding and trailing spaces
- Refactored UsernamePasswordAuthenticationToken.getDetails() to Object
- Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change
- Fixed EH-CACHE-based caching implementation behaviour when cache exists
- Fixed Ant "release" target not including project.properties
- Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method
- Documentation improvements
-
-
- Added domain object instance access control list (ACL) packages
- Added feature so DaoAuthenticationProvider returns User in Authentication
- Added AbstractIntegrationFilter.secureContext property for custom contexts
- Added stack trace logging to SecurityEnforcementFilter
- Added exception-specific target URLs to AbstractProcessingFilter
- Added JdbcDaoImpl hook so subclasses can insert custom granted authorities
- Added AuthenticationProvider that wraps JAAS login modules
- Added support for EL expressions in the authz tag library
- Added failed Authentication object to AuthenticationExceptions
- Added signed JARs to all official release builds (see readme.txt)
- Added remote client authentication validation package
- Added protected sendAccessDeniedError method to SecurityEnforcementFilter
- Updated Authentication to be serializable (Weblogic support)
- Updated JAR to Spring 1.1 RC 1
- Updated to Clover 1.3
- Updated to HSQLDB version 1.7.2 Release Candidate 6D
- Refactored User to net.sf.acegisecurity.UserDetails interface
- Refactored CAS package to store UserDetails in CasAuthenticationToken
- Improved organisation of DaoAuthenticationProvider to facilitate subclassing
- Improved test coverage (now 98.3%)
- Improved JDBC-based tests to use in-memory database rather than filesystem
- Fixed Linux compatibility issues (directory case sensitivity etc)
- Fixed AbstractProcessingFilter to handle servlet spec container differences
- Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue
- Fixed CasAuthenticationToken if proxy granting ticket callback not requested
- Fixed EH-CACHE handling on web context refresh
- Documentation improvements
-
-
- Added samples/quick-start
- Added NullRunAsManager and made default for AbstractSecurityInterceptor
- Added event notification (see net.sf.acegisecurity.providers.dao.event)
- Updated JAR to Spring 1.0.2
- Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
- Updated GrantedAuthorityImpl to be serializable (JBoss support)
- Updated Authentication interface to present extra details for a request
- Updated Authentication interface to subclass java.security.Principal
- Refactored DaoAuthenticationProvider caching (refer to reference docs)
- Improved HttpSessionIntegrationFilter to manage additional attributes
- Improved URL encoding during redirects
- Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
- Fixed issue with NullPointerExceptions in taglib
- Removed DaoAuthenticationToken and session-based caching
- Documentation improvements
- Upgrade Note: DaoAuthenticationProvider no longer has a "key" property
-
-
- Added single sign on support via Yale Central Authentication Service (CAS)
- Added full support for HTTP Basic Authentication
- Added caching for DaoAuthenticationProvider successful authentications
- Added Burlap and Hessian remoting to Contacts sample application
- Added pluggable password encoders including plaintext, SHA and MD5
- Added pluggable salt sources to enhance security of hashed passwords
- Added FilterToBeanProxy to obtain filters from Spring application context
- Added support for prepending strings to roles created by JdbcDaoImpl
- Added support for user definition of SQL statements used by JdbcDaoImpl
- Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys
- Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter
- Added Apache Ant path syntax support to SecurityEnforcementFilter
- Added filter to automate web channel requirements (eg HTTPS redirection)
- Updated JAR to Spring 1.0.1
- Updated several classes to use absolute (not relative) redirection URLs
- Refactored filters to use Spring application context lifecycle support
- Improved constructor detection of nulls in User and other key objects
- Fixed FilterInvocation.getRequestUrl() to also include getPathInfo()
- Fixed Contacts sample application tags
- Established acegisecurity-developer mailing list
- Documentation improvements
-
-
- Added HTTP session authentication as an alternative to container adapters
- Added HTTP request security interceptor (offers considerable flexibility)
- Added security taglib
- Added Clover test coverage instrumentation (currently 97.2%)
- Added support for Catalina (Tomcat) 4.1.30 to in-container integration tests
- Added HTML test and summary reporting to in-container integration tests
- Updated JARs to Spring Framework release 1.0, with associated AOP changes
- Updated to Apache License version 2.0
- Updated copyright with permission of past contributors
- Refactored unit tests to use mock objects and focus on a single class each
- Refactored many classes to enable insertion of mock objects during testing
- Refactored core classes to ease support of new secure object types
- Changed package layout to better describe the role of contained items
- Changed the extractor to extract additional classes from JBoss and Catalina
- Changed Jetty container adapter configuration (see reference documentation)
- Improved AutoIntegrationFilter handling of deployments without JBoss JARs
- Fixed case handling support in data access object authentication provider
- Documentation improvements
-
-
- Added "in container" unit test system for container adapters and sample app
- Added library extractor tool to reduce the "with deps" ZIP release sizes
- Added unit test to the attributes sample
- Added Jalopy source formatting
- Modified all files to use net.sf.acegisecurity namespace
- Renamed springsecurity.xml to acegisecurity.xml for consistency
- Reduced length of ZIP and JAR filenames
- Clarified licenses and sources for all included libraries
- Updated documentation to reflect new file and package names
- Setup Sourceforge.net project and added to CVS etc
-
-
- Added Commons Attributes support and sample (thanks to Cameron Braid)
- Added JBoss container adapter
- Added Resin container adapter
- Added JDBC DAO authentication provider
- Added several filter implementations for container adapter integration
- Added SecurityInterceptor startup time validation of ConfigAttributes
- Added more unit tests
- Refactored ConfigAttribute to interface and added concrete implementation
- Enhanced diagnostics information provided by sample application debug.jsp
- Modified sample application for wider container portability (Resin, JBoss)
- Fixed switch block in voting decision manager implementations
- Removed Spring MVC interceptor for container adapter integration
- Documentation improvements
-
-
- Initial public release
-
-
-
diff --git a/src/site/xdoc/downloads.xml b/src/site/xdoc/downloads.xml
deleted file mode 100644
index 7e55fa9b0c..0000000000
--- a/src/site/xdoc/downloads.xml
+++ /dev/null
@@ -1,71 +0,0 @@
-
-
-
- Spring Security Downloads
-
-
-
-
- If you wish to try out this project, you are probably
- looking for the
- spring-security-xx.zip
- file, which contains all of the officially released
- JARs, a copy of all documentation, and two WAR
- artifacts. The two WAR artifacts are from the Contacts
- Sample and the Tutorial Sample application. The Tutorial
- Sample consists of a "bare bones" configuration that
- will get you up and running quickly, whereas the
- Contacts Sample illustrates more advanced features.
-
-
-
- The spring-security-xx-src.zip is intended for use with
- IDEs. It does not contain the files needed to compile
- Spring Security. It also does not contain the sources to
- the sample applications. If you need any of these files,
- please download from SVN.
-
- Detailed instructions on downloading from CVS and
- building from source are provided on the
- Building with Maven
- page.
-
-
-
-
- If you don't wish to access SVN directly, we provide
-
- nightly snaphot builds
-
- for your convenience. These should contain both source and binary
- jars. The archive files are labelled with both the build date and the
- subversion revision number used for the build.
-
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/faq.xml b/src/site/xdoc/faq.xml
deleted file mode 100644
index a97257aeff..0000000000
--- a/src/site/xdoc/faq.xml
+++ /dev/null
@@ -1,288 +0,0 @@
-
-
-
- Frequently Asked Questions (FAQ) on Acegi Security
-
-
-
-
-
-
-
-
-
Acegi Security is an open source project that provides comprehensive authentication
- and authorisation services for enterprise applications based on
- The Spring Framework.
- Acegi Security can authenticate using a variety of pluggable providers, and
- can authorise both web requests and method invocations.
- Acegi Security provides an integrated security approach across
- these various targets, and also offers access control list (ACL) capabilities to
- enable individual domain object instances to be secured. At an implementation
- level, Acegi Security is managed through Spring's inversion of control and
- lifecycle services, and actually enforces security using interception through
- servlet Filters and Java AOP frameworks. In terms of AOP framework support, Acegi
- Security currently supports AOP Alliance (which is what the
- Spring IoC container uses internally) and AspectJ, although additional frameworks
- can be easily supported.
-
-
-
-
-
-
Let's assume you're developing an enterprise application based on Spring.
- There are four security concerns you typically need to address: authentication,
- web request security, service layer security (ie your methods that implement
- business logic), and domain object instance security (ie different domain objects
- have different permissions). With these typical requirements in mind:
-
-
Authentication: The servlet specification provides an approach
- to authentication. However, you will need to configure the container
- to perform authentication which typically requires editing of
- container-specific "realm" settings. This makes a non-portable
- configuration, and if you need to write an actual Java class to implement
- the container's authentication interface, it becomes even more non-portable.
- With Acegi Security you achieve complete portability - right down to the
- WAR level. Also, Acegi Security offers a choice of production-proven
- authentication providers and mechanisms, meaning you can switch your
- authentication approaches at deployment time. This is particularly
- valuable for software vendors writing products that need to work in
- an unknown target environment.
-
Web request security: The servlet specification provides an
- approach to secure your request URIs. However, these URIs can only be
- expressed in the servlet specification's own limited URI path format.
- Acegi Security provides a far more comprehensive approach. For instance,
- you can use Ant paths or regular expressions, you can consider parts of the
- URI other than simply the requested page (eg you can consider HTTP GET
- parameters), and you can implement your own runtime source of configuration
- data. This means your web request security can be dynamically changed during
- the actual execution of your webapp.
-
Service layer and domain object security: The absence of support
- in the servlet specification for services layer security or domain object
- instance security represent serious limitations for multi-tiered
- applications. Typically developers either ignore these requirements, or
- implement security logic within their MVC controller code (or even worse,
- inside the views). There are serious disadvantages with this approach:
-
-
Separation of concerns: Authorization is a
- crosscutting concern and should be implemented as such.
- MVC controllers or views implementing authorization code
- makes it more difficult to test both the controller and
- authorization logic, more difficult to debug, and will
- often lead to code duplication.
-
Support for rich clients and web services: If an
- additional client type must ultimately be supported, any
- authorization code embedded within the web layer is
- non-reusable. It should be considered that Spring remoting
- exporters only export service layer beans (not MVC
- controllers). As such authorization logic needs to be
- located in the services layer to support a multitude of
- client types.
-
Layering issues: An MVC controller or view is simply
- the incorrect architectural layer to implement authorization
- decisions concerning services layer methods or domain object
- instances. Whilst the Principal may be passed to the services
- layer to enable it to make the authorization decision, doing
- so would introduce an additional argument on every services
- layer method. A more elegant approach is to use a ThreadLocal
- to hold the Principal, although this would likely increase
- development time to a point where it would become more
- economical (on a cost-benefit basis) to simply use a dedicated
- security framework.
-
Authorisation code quality: It is often said of web
- frameworks that they "make it easier to do the right things,
- and harder to do the wrong things". Security frameworks are
- the same, because they are designed in an abstract manner for
- a wide range of purposes. Writing your own authorization code
- from scratch does not provide the "design check" a framework
- would offer, and in-house authorization code will typically
- lack the improvements that emerge from widespread deployment,
- peer review and new versions.
-
-
-
- For simple applications, servlet specification security may just be enough.
- Although when considered within the context of web container portability,
- configuration requirements, limited web request security flexibility, and
- non-existent services layer and domain object instance security, it becomes
- clear why developers often look to alternative solutions.
-
-
-
-
-
Ah-see-gee. Said quickly, without emphasis on any part.
- Acegi isn't an acronym, name of a Greek God or anything similarly
- impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.
-
-
-
-
-
-
It's official name is Spring Security,
- although we're happy for it to be abbreviated to
- Acegi Security. Please don't just call it Acegi, though,
- as that gets confused with the name of the company that maintains Acegi
- Security.
-
-
-
-
80% of support questions are because people have not defined
- the necessary filters in web.xml, or the filters are being
- mapped in the incorrect order. Check the
- Reference Guide, which
- has a specific section on filter ordering.
-
-
-
-
The next most common source of problems stem from custom
- AuthenticationDao implementations that simply don't properly
- implement the interface contract. For example, they return null instead
- of the user not found exception, or fail to add in the
- GrantedAuthority[]s. Whilst DaoAuthenticationProvider
- does its best to check the AuthenticationDao returns a valid
- UserDetails, we suggest you write the
- UserDetails object to the log and check it looks correct.
-
-
-
-
A common user problem with infinite loop and redirecting to the login page
- is caused by accidently configuring the login page as a "secured" resource.
- Generally make sure you mark your login page as requiring ROLE_ANONYMOUS.
-
-
-
-
-
If you are securing web resources and they dont seem to be matched in the URL patterns,
- check the objectDefinitionSource in the FilterSecurityInterceptor.
- If you are using the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON setting,
- then the URL patterns configured MUST be in lowercase.
-
- For example, making a request ending in /someAction.do will need
- to be configured as: /someaction.do (Note the case).
-
A common user requirement is to disable / lock an account after a number of failed login attempts.
- Acegi itself does not provide anything "out of the box", however in your application you can implement
- and register an org.springframework.context.ApplicationListener. Inside your application
- event listener you can then check for an instanceof the particular AuthenticationFailureEvent
- and then call your application user management interface to update the user details.
-
- For example:
-
- public void onApplicationEvent(ApplicationEvent event) {
-
- // check failed event
- if(event instanceof AuthenticationFailurePasswordEvent){
- // call user management interface to increment failed login attempts, etc.
- . . .
- }
- }
-
-
-
-
-
-
There are three things you must do to make a user password change take affect:
-
-
Change the password using your authentication DAO
-
Remove the user from the User Cache (i.e. if you have a cache configured)
-
Update the SecurityContextHolder to include the new Authentication object and password
-
-
-
-
-
-
-
-
-
The most important things to post with any support requests on the
- Spring Forums are your
- web.xml, applicationContext.xml (or whichever
- XML loads the security-related beans) as well as any custom
- AuthenticationDao you might be using. For really odd problems,
- also switch on debug-level logging and include the resulting log.
-
-
-
-
Acegi Security uses Commons Logging, just as Spring does. So you use the
- same approach as you'd use for Spring. Most people output to Log4J, so
- the following log4j.properties would work:
-
-
-
-
In most cases write an AuthenticationDao which returns
- a subclass of User. Alternatively, write your own
- UserDetails implementation from scratch and return that.
-
-
-
-
Acegi Security targets enterprise applications, which are typically
- multi-user, data-oriented applications that are important to
- the core business. Acegi Security was designed to provide a portable and effective
- security framework for this target application type. It was not designed for securing
- limited privilege runtime environments, such as web browser applets.
-
-
We did consider JAAS when designing Acegi Security, but it simply
- wasn't suitable for our purpose. We needed to avoid complex JRE configurations,
- we needed container portability, and we wanted maximum leveraging of the Spring IoC
- container. Particularly as limited privilege runtime environments were not
- an actual requirement, this lead to the natural design of Acegi Security as
- it exists today.
Acegi Security already provides some JAAS integration. It can today authenticate
- via delegation to a JAAS login module. This means it offers the same level of JAAS
- integration as many web containers. Indeed the container adapter model supported by
- Acegi Security allows Acegi Security and container-managed security to happily
- co-exist and benefit from each other. Any debate about Acegi Security and JAAS
- should therefore centre on the authorisation issue. An evaluation of major
- containers and security frameworks would reveal that Acegi Security is by no
- means unusual in not using JAAS for authorisation.
-
There are many examples of open source applications being preferred to
- official standards. A few that come to mind in the Java community include
- using Spring managed POJOs (rather than EJBs), Hibernate (instead of entity beans),
- Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker
- (instead of JSP). It's important to recognise that many open source projects do
- develop into de facto standards, and in doing so play a legitimate and beneficial
- role in professional software development.
-
-
-
Yes. If you've written something and it works well, please feel free to share it.
- Simply email the contribution to the
- acegisecurity-developers list. If you haven't yet
- written the contribution, we encourage you to send your thoughts to the same
- list so that you can receive some initial design feedback.
-
For a contribution to be used, it must have appropriate unit test coverage and
- detailed JavaDocs. It will ideally have some comments for the Reference Guide
- as well (this can be sent in word processor or HTML format if desired). This
- helps ensure the contribution maintains the same quality as the remainder of
- the project.
We also welcome documentation improvements, unit tests, illustrations,
- people supporting the user community (especially on the forums), design ideas,
- articles, blog entries, presentations and alike. If you're looking for something
- to do, you can always email the
- acegisecurity-developers list and we'll be
- pleased to suggest something. :-)
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/policies.xml b/src/site/xdoc/policies.xml
deleted file mode 100644
index fbe8cee43a..0000000000
--- a/src/site/xdoc/policies.xml
+++ /dev/null
@@ -1,103 +0,0 @@
-
-Project Policies and Procedures
The following policies and procedures are intended to ensure that Spring Security will
- continue to achieve its project objectives and support the community in the context of an
- expanding development team.
-
-
- The following was unanimously supported by the community supporting following
- discussion
- on acegisecurity-developer. The policies and procedures below represent version 1.0
- and are effective 1 August 2005.
-
-
-
- This project uses JIRA. Please log a task in JIRA for any changes you make to SVN, with the exception of very minor changes that users are unlikely to ever be interested in searching for and/or the change affects code that has never been in an officially released version of the project (eg ongoing changes to a new feature in SVN HEAD that hasn't been released previously).
-
-
-
- Any users running from SVN HEAD are warmly encouraged to join acegisecurity-cvs so that they can keep an eye on commit comments. Developers are encouraged to join acegisecurity-cvs and read the commit comments. If anyone has a concern with any commit, please raise it on acegisecurity-developer so that the broader community can participate (not acegisecurity-cvs). Alternatively, contact the author of the change directly if you think that would be more appropriate or diplomatic.
-
-
-
- Please make your commit comments informative, yet not too detailed. Detailed comments are ideally placed in the JIRA task. In the case of a contribution by a non-developer, please use the SVN commits to reflect who provided the contribution and add that person's name to /pom.xml in the contributors section. If the contributors section does not list the name of someone who has contributed accepted code, please add them or let me know so that I can do so.
-
-
-
- If you add a major new feature, please announce it on acegisecurity-developer. That way people using the project have an idea of what is coming up in the next release, and any implementation-specific comments can be received prior to the first release when users will start expecting some degree of consistency and stability. It also encourages people to try out your new feature.
-
-
-
- Please make sure /docs/xdocs/changes.xml has a reference to JIRA for the upcoming release version. You don't need to add the name of contributors to /doc/xdocs/changes.xml, as acknowledgement is already provided via /pom.xml, source code @author tags, the SVN commit message, and typically a JIRA task.
-
-
-
- Please edit /docs/xdocs/upgrade/upgrade-xx-yy.html if you make a change that is significant and you think users who are upgrading should be aware of it. Equally, users are encouraged to consult the upgrade-xx-yy.html file before they deploy subsequent official release JARs.
-
-
-
- Please use Jalopy with the /jalopy.xml file to format your Java code before checkin. This keeps our code consistent and ensures the license message is correct. There are plugins for all major IDEs.
-
-
-
- The /sandbox can be used to obtain feedback from fellow developers and the community about your code, general approach or new ideas. If you have SVN rights, please use /sandbox instead of emailing ZIP files to other developers for feedback. The community should understand that code in the sandbox is unsupported, subject to refactoring, may not have any unit tests, and may be removed at any time. The /sandbox will never be included in official release ZIPs. It's a "scratching pad" only.
-
-
-
- Unit tests are important to any security project, and we have a good history of high coverage. You can view the latest coverage report online (rebuilt every 24 hours). Please keep an eye on coverage and don't hesitate to add more unit tests. Please do not check code into /core unless it has at least an exercising unit test - use the /sandbox instead.
-
-
-
- Never check in code if the unit tests fail. This means, at minimum, successfully running "mvn test" from /core. Always name your unit test classes so they end in "*Tests" - this ensures that Maven picks them up. If there is code in SVN which you didn't write and it is breaking the unit tests, please correct it yourself - don't leave SVN "broken" whilst waiting for the responsible developer to address it (the delay causes confusing and long-running threads on the list and forum). You can always rollback to the previous working version if in doubt of how the class works (just remember to comment the commit appropriately and let the author know).
-
-
-
- Please update the reference guide and JavaDocs for any new major features. The JavaDocs should always be correct. The reference guide may be kept updated with less rigor, although please briefly discuss any major new features. XMLmind can be used if you don't have a DocBook editor.
-
-
-
- Developers please keep an eye on the Spring Security forum. It's a very active forum, and it takes a lot of work if not shared around. Please don't hesitate to reply to users - I try to read every thread and correct/confirm the situation if someone mentions they're unsure. I also will generally send developers an email if there's a question I can't answer as I didn't write the code.
-
-
-
- In the future, I will put to vote any proposed new developers. New developers will be firstly encouraged to attach patches to JIRA tasks to illustrate their understanding of the project, or, if they're long-time users, they might be given access without this JIRA stage if they're undertaking a major new feature.
-
-
-
- Developers should be subscribed to acegisecurity-developer. Obviously it would take significant time to read every thread, but reading the high priority messages (as indicated by the subject line) is needed to ensure we all have a way of communicating.
-
-
-
- Please do not hesitate to assign yourself any JIRA task that is unassigned, or assigned to me and not in the "In Progress" status. Also feel free to approach fellow developers to volunteer to work on tasks they might be assigned but haven't started.
-
-
-
- No code in SVN is "sacred". If you have a good idea or refactoring for an area of code that someone else wrote, raise it on acegisecurity-developer or contact the author directly. Please don't commit changes to such code unless it is a unit test failure correction, or you've firstly raised it on the acegisecurity-developer list or directly with the author.
-
-
-
- People's priorities are ever-changing, and we're all short on time. For this reason it's perfectly understandable that over time developers will move on to other things. This is not a negative reflection in any way - just part of any long-term project. If a developer no longer has the time or inclination to participate in the project , please send an email to acegisecurity-developer or myself. I will remove the SVN rights and reassign any JIRA tasks. Importantly, this helps find a new maintainer of the former developer's code (or, in very extreme cases, their code might be relocated to the sandbox or removed).
-
-
-
- Use CDATA inside XML files for multi-line properties. There is no tab/space policy for XML files, although try to maintain whatever the file is already using. The tab/space policy for Java files is managed by Jalopy.
-
-
-
- Keep the warm community spirit. The Spring community is a nice place to be - especially compared with some of the other open source communities out there where people are abused, ignored, insulted or excluded. No policy or procedure (including those above) should ever compromise operating in a considerate and diplomatic manner that respects the dignity of each individual member of the community. If in doubt, please contact me directly first. If I am ever guilty of this, please let me know and I will correct myself.
-
-
-
-
-
Thanks for your help in connection with the above. If you have any suggestions for improving these
- policies and procedures, please use the acegisecurity-developer list to raise them.
-
-
- Ben Alex
- Project Admin
-
-
- $Id$
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/powering.xml b/src/site/xdoc/powering.xml
deleted file mode 100644
index c796200d12..0000000000
--- a/src/site/xdoc/powering.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-
-Products Using Spring Security
Many open source and commercial products either use Acegi Security or at least
- support it. Following is a partial list of such products. If you've integrated Spring
- Security with some other product, please let us know (preferably with a URL
- to some page explaining the integration/use)...
-
-
A central bank that uses Spring Security for many of its internal applications with the CAS integration.
-
Several Australian Government departments use Spring Security for securing SOAP-based web services and web applications.
-
Enterprise Systems and Services at Rutgers University uses Spring Security in conjunction with JA-SIG Central Authentication Service to provide authentication and authorization capabilities to its applications including those used by staff and students as well as those utilized by web services.
-
Plus many more... ;-)
-
diff --git a/src/site/xdoc/standalone.xml b/src/site/xdoc/standalone.xml
deleted file mode 100644
index 0a9ba42647..0000000000
--- a/src/site/xdoc/standalone.xml
+++ /dev/null
@@ -1,50 +0,0 @@
-
-Acegi Security Use Without Spring
Sometimes we get asked can Acegi Security be used without Spring.
- This page provides a detailed answer.
Acegi Security started out as a method interceptor for Spring IoC container
- managed beans. Typically such beans provide services layer functions.
- Over time Acegi Security grew to offer authentication services, ThreadLocal management,
- web request filtering, extra AOP support,
- ACL features, additional authentication mechanisms and so on (for those interested,
- see our change log).
There's plenty written about why the
- Spring Framework
- is a good fit for modern applications. If you're not familiar with the benefits
- Spring offers, please take a few minutes to learn more about it. In numerous
- situations Spring will save you many months (or even years) of development time.
- Not to mention your solutions will be better architected
- (designed), better coded (implemented), and better supported (maintained) in the future.
-
Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle
- methods such as afterPropertiesSet(). Some Acegi Security classes also
- publish events to the ApplicationContext, although you could provide a mock
- implementation of ApplicationContext easily enough which no-ops the method.
- In other words, if you particularly didn't want Spring in your application, you could
- avoid its use by writing equivalent getter, setter and lifecycle invocation processes
- in standard Java code. This is a natural consequence of the Spring way of development,
- which emphasises framework independence (it is not because we think there are good
- reasons people would not use Spring).
If it sounds too hard (it's not) or counter-productive (it is) to replace Spring's IoC
- services, don't forget you can always deploy Acegi Security and the Spring
- IoC container solely for configuring Acegi Security. Spring does not mandate its
- use in every part of your application. It will work quite successfully doing nothing more than
- acting as a configuration mechanism for Acegi Security. Whilst some may regard this as excessive,
- it's really no different than the traditional approach of every framework having its very
- own XML or other proprietary configuration system. The main difference is that Spring is an
- actual de facto standard, and you can gradually introduce it to other parts of your application
- over time (if desired).
Acegi Security does not use any other Spring capabilities. Most notably, the
- entire architecture is based around Filters, not Spring's MVC framework.
- This allows it to be used with any MVC framework, or even with just straight JSPs.
- Acegi Security uses the AOP Alliance and AspectJ interfaces for method interception -
- it does not use any Spring-specific interfaces. As a consequence, Acegi Security is very
- portable to applications that do not leverage any of Spring's capabilities. We should note
- there are several very simple data access objects (DAOs) that use Spring's JDBC abstraction
- layer, although each of these are defined by a simple interface and it is very common in
- even native Spring-powered applications for these to be re-implemented using the application's
- persistence framework of choice (eg Hibernate).
-
-
In summary, we recommend you take a look at Spring and consider using it in your
- applications. Irrespective of whether you do so or not, we strongly recommend you use it
- for configuration and lifecycle management of Acegi Security. If that is also not desired,
- Acegi Security can easily be executed without Spring at all, providing you implement
- similar IoC services. Acegi Security has very minimal dependencies directly on Spring,
- with it being useful in many non-Spring applications and with non-Spring frameworks.
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/upgrade/upgrade-03-04.xml b/src/site/xdoc/upgrade/upgrade-03-04.xml
deleted file mode 100644
index 71007bc590..0000000000
--- a/src/site/xdoc/upgrade/upgrade-03-04.xml
+++ /dev/null
@@ -1,48 +0,0 @@
-
-Acegi Security - Upgrading from version 0.3 to 0.4
Several changes were made between version 0.3 and 0.4 of the project.
-These changes increased the modularity of the code, enhanced unit testing,
-made package roles clearer, and added compelling alternatives to container
-adapters and using web.xml security constraints to protect HTTP resources.
-
-
Unfortunately, changes to the API and package locations were required. The
-following should help most casual users of the project update their
-applications:
-
-
-
All references to net.sf.acegisecurity.SecurityInterceptor become
- net.sf.acegisecurity.intercept.method.MethodSecurityInterceptor.
-
-
All references to net.sf.acegisecurity.MethodDefinitionAttributes become
- net.sf.acegisecurity.intercept.method.MethodDefinitionAttributes.
-
-
All references to net.sf.acegisecurity.adapters.AutoIntegrationFilter become
- net.sf.acegisecurity.ui.AutoIntegrationFilter (see your web.xml).
-
-
If you're using container adapters (extremely likely), consider replacing
- them with the net.sf.acegisecurity.ui.webapp package. This will avoid
- the need to have JARs in your container classloader, and is a lot cleaner.
- Refer to the reference documentation or Contacts sample application.
-
-
If you're using web.xml s for securing HTTP URLs
- (extremely likely), consider replacing it with the
- net.sf.acegisecurity.intercept.web package. This will give you considerably
- more flexibility, and reuse the same concepts as you'd be familiar with
- via the method security interception system. Refer to the reference
- documentation or Contacts sample application.
-
-
The Contacts sample application now builds two distributions: contacts.war
- can be instantly deployed without configuring any container adapters,
- whilst contacts-container-adapter.war still uses container adapters. The
- contacts.war uses the net.sf.acegisecurity.intercept.web package to
- protect HTTP URLs, rather than web.xml s.
-
-
If you're using the Jetty container adapter, please check the jetty.xml
- requirements in the reference documentation. There has been a minor change.
-
-
-
-We hope you find the new features useful in your projects.
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/upgrade/upgrade-04-05.xml b/src/site/xdoc/upgrade/upgrade-04-05.xml
deleted file mode 100644
index 255a9c5bb6..0000000000
--- a/src/site/xdoc/upgrade/upgrade-04-05.xml
+++ /dev/null
@@ -1,54 +0,0 @@
-
-Acegi Security - Upgrading from version 0.4 to 0.5
The following should help most casual users of the project update their
-applications:
-
-
-
All filters are now loaded via FilterToBeanProxy. The FilterToBeanProxy
- obtains the filter from a Spring application context via the
- WebApplicationContextUtils.getApplicationContext() method. Refer to the
- reference documentation to see the new configuration of filters.
-
-
SecurityEnforcementFilter now requires an AuthenticationEntryPoint
- and PortResolver. Refer to the reference documentation to see the
- alternatives AuthenticationEntryPoint implementations available. Simply
- use the PortResolverImpl for the PortResolver requirement.
-
-
Any of your login or login failure pages that previously referred to
- AuthenticationProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY
- should now use
- net.sf.acegisecurity.ui.AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY.
-
-
DaoAuthenticationProvider no longer provides setters for case sensitivity
- handling. The respective AuthenticationDao implementations should decide
- whether or not to return User instances reflecting the exact case of the
- requested username. The new PlaintextPasswordEncoder offers a setter for
- ignoring the password case (defaults to require exact case matches).
-
-
DaoAuthenticationProvider now provides caching. Successful authentications
- return DaoAuthenticationTokens. You must set the mandatory "key" property
- on DaoAuthenticationProvider so these tokens can be validated. You may
- also wish to change the "refreshTokenInterval" property from the default
- of 60,000 milliseconds.
-
-
If you're using container adapters, please refer to the reference
- documentation as additional JARs are now required in your container
- classloader.
-
-
Whilst not really a change needed to your program, if you're using
- Acegi Security please consider joining the acegisecurity-developer mailing
- list. This is currently the best way to keep informed about the project's
- status and provide feedback in design discussions. You can join at
- https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer.
- Please continue using the Spring Users mailing list for general support.
-
-
-
-There are also lots of new features you might wish to consider for your
-projects. These include CAS integration, pluggable password encoders
-(such as MD5 and SHA), along with pluggable salt sources. We hope you find
-the new features useful in your projects.
-
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/upgrade/upgrade-05-06.xml b/src/site/xdoc/upgrade/upgrade-05-06.xml
deleted file mode 100644
index bb7540c837..0000000000
--- a/src/site/xdoc/upgrade/upgrade-05-06.xml
+++ /dev/null
@@ -1,76 +0,0 @@
-
-Acegi Security - Upgrading from version 0.3 to 0.4
-The following should help most casual users of the project update their
-applications:
-
-
-Locate and remove all property references to
- DaoAuthenticationProvider.key and
- DaoAuthenticationProvider.refreshTokenInterval.
-
-
If you are using DaoAuthenticationProvider and either (i) you are using
- container adapters or (ii) your code relies on the Authentication object
- having its getPrincipal() return a String, you must set the new
- DaoAuthenticationProvider property, forcePrincipalAsString, to true.
- By default DaoAuthenticationProvider returns an Authentication object
- containing the relevant User, which allows access to additional properties.
- Where possible, we recommend you change your code to something like this,
- so that you can leave forcePrincipalAsString to the false default:
-
-
- Existing concrete implementations would be returning User, which implements
- UserDetails, so no further code changes should be required.
-
-
Similar signature changes (User -> UserDetails) are also required to any
- custom implementations of UserCache and SaltSource.
-
-
Any custom event listeners relying on AuthenticationEvent should note a
- UserDetails is now provided in the AuthenticationEvent (not a User).
-
-
CAS users should note the CasAuthoritiesPopulator interface signature has
- changed. Most CAS users will be using DaoCasAuthoritiesPopulator, so this
- change is unlikely to require any action.
-
-
Please check your web.xml for whether you are using AutoIntegrationFilter.
- Previously this class was loaded directly by web.xml as a filter. It is
- now recommended to load it via FilterToBeanProxy and define it as a
- bean in your application context. This usually involves making the entry
- in web.xml match the following:
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/upgrade/upgrade-06-070.xml b/src/site/xdoc/upgrade/upgrade-06-070.xml
deleted file mode 100644
index 73bf74289b..0000000000
--- a/src/site/xdoc/upgrade/upgrade-06-070.xml
+++ /dev/null
@@ -1,55 +0,0 @@
-
-Acegi Security - Upgrading from version 0.6 to 0.7
-The following should help most casual users of the project update their
-applications:
-
-
UserDetails now has two extra methods. Most people who have extended
-Acegi Security's default User implementation of UserDetails will be fine, as
-the constructor sets sensible defaults for the extra methods. People who
-have written their own UserDetails implementation from scratch will need to
-add the additional two methods. Returning true to both methods will normally
-be correct.
-
-
AutoIntegrationFilter has been removed. User should instead use
- HttpSessionIntegrationFilter (in most cases), or HttpRequestIntegrationFilter
- (if using most container adapters) or JbossIntegrationFilter (if using the
- JBoss container adapter).
-
-
MethodDefinitionMap, which is usually used by MethodSecurityInterceptor
- for its objectDefinitionSource property, has been changed. From 0.7.0, when
- MethodDefinitionMap is queried for configuration attributes associated with
- secure MethodInvocations, it will use any method matching in the method
- invocation class (as it always has) plus any method matching any interface
- the MethodInvocation class directly implements. So consider a PersonManager
- interface, a PersonManagerImpl class that implements it, and a definition of
- PersonManager.findAll=ROLE_FOO. In this example, any query for either
- PersonManager.findAll OR PersonManagerImpl.findAll will return ROLE_FOO.
- As we have always encouraged definition against the interface names (as per
- this example), this change should not adversely impact users. This change
- was necessary because of the new MethodDefinitionSourceAdvisor (see below).
- Refer to the MethodDefinitionMap JavaDocs for further clarification.
-
-
MethodDefinitionSourceAdvisor can now be used instead of defining proxies
- for secure business objects. The advisor is fully compatible with both
- MethodDefinitionMap and MethodDefinitionAttributes. Using an advisor allows
- caching of which methods the MethodSecurityInterceptor should handle, thus
- providing a performance benefit as MethodSecurityInterceptor is not called
- for public (non-secure) objects. It also simplifies configuration.
-
-
MethodSecurityInterceptor has moved from
- net.sf.acegisecurity.intercept.method.MethodSecurityInterceptor to
- net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.
- A simple find and replace will suffice to update your application contexts.
-
-
All of the EH-CACHE cache implementations provided with Acegi Security have
- now been refactored to use a net.sf.ehcache.Cache obtained from
- EhCacheManagerFactoryBean, which is included with Spring 1.1.1 and above.
- See http://opensource.atlassian.com/confluence/spring/display/DISC/Caching+the+result+of+methods+using+Spring+and+EHCache
- for more about this bean, or the Contacts sample application for how to
- configure the EH-CACHE implementations provided with Acegi Security.
- Note the "cache" property is now required, and the old internally-managed
- cache properties have been removed.
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/upgrade/upgrade-070-080.xml b/src/site/xdoc/upgrade/upgrade-070-080.xml
deleted file mode 100644
index 2ce1289095..0000000000
--- a/src/site/xdoc/upgrade/upgrade-070-080.xml
+++ /dev/null
@@ -1,41 +0,0 @@
-
-Acegi Security - Upgrading from version 0.7.0 to 0.8.0
-The following should help most casual users of the project update their
-applications:
-
-
-
-
HttpSessionIntegrationFilter has been removed. Use net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter instead.
- Note you will need to set the mandatory "context" property to something like "net.sf.acegisecurity.context.security.SecureContextImpl".
- It's not the default because we want no dependencies between the context package and the rest of Acegi Security.
-
-
Filter ordering has changed. See the reference guide for confirmation of the correct ordering. Basically you should have
- HttpSessionContextIntegrationFilter appear before any of your authentication mechanisms.
-
-
IoC container hosted filter chains can now be used instead of lengthy web.xml declarations. See the reference guide or the
- Contacts Sample for further information.
-
-
Certain classes have been moved to new packages: ContextHolderAwareRequestWrapper (and its filter),
- AuthenticationSimpleHttpInvokerRequestExecutor, ContextPropagatingRemoteInvocation,
- SecureContext (and its implementation). These classes were moved as part of refactorings aimed at
- improving the simplicity of the project's design.
-
-
If you wish to use the new ConcurrentSessionController you must declare the HttpSessionEventPublisher context listener in your
- web.xml
-
-
The JaasAuthenticationCallbackHandler interface has had it's setAuthentication method removed.
- The handle method now takes both the Callback and Authentication objects as arguments.
-
-
Added AuthenticationException to the AutenticationEntryPoint.commence method signature.
-
-
Added AccessDeniedException to the SecurityEncorcementFilter.sendAccessDeniedError method signature.
-
-
The Authentication.getDetails() no longer returns simply the IP address used for authentication.
- It now returns a WebAuthenticationDetails instance, which contains the IP address, session information,
- and can be extended to store further details.
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/upgrade/upgrade-080-090.xml b/src/site/xdoc/upgrade/upgrade-080-090.xml
deleted file mode 100644
index fc3271ecd1..0000000000
--- a/src/site/xdoc/upgrade/upgrade-080-090.xml
+++ /dev/null
@@ -1,95 +0,0 @@
-
-Acegi Security - Upgrading from version 0.8.0 to 0.9.0
-The following should help most casual users of the project update their
-applications:
-
-
-
-
The most significant change in 0.9.0 is that ContextHolder and all of its
- related classes have been removed. This significant change was made for the sake of consistency
- with the core Spring project's approach of a single ThreadLocal per use case,
- instead of a shared ThreadLocal for multiple use cases as the previous
- ContextHolder allowed. This is an important change in 0.9.0. Many applications
- will need to modify their code (and possibly web views) if they directly interact with the old
- ContextHolder. The replacement security ThreadLocal is called
-
- SecurityContextHolder and provides a single getter/setter for a
- SecurityContext.
- SecurityContextHolder guarantees to never return a nullSecurityContext.
- SecurityContext provides single getter/setter for Authentication.
-
- To migrate, simply modify all your code that previously worked with ContextHolder,
- SecureContext and Context to directly call SecurityContextHolder
- and work with the SecurityContext (instead of the now removed Context
- and SecureContext interfaces).
-
- For example, change:
-
- SecureContext ctx = SecureContextUtils.getSecureContext();
-
- to:
-
- SecurityContext ctx = SecurityContextHolder.getContext();
-
-
- and change:
-
- <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
- <property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property>
- </bean>
-
- to:
-
- <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
- <property name="context"><value>net.sf.acegisecurity.context.SecurityContextImpl</value></property>
- </bean>
-
-
-
- We apologise for the inconvenience, but on a more positive note this means you receive strict
- type checking, you no longer need to mess around with casting to and from Context
- implementations, your applications no longer need to perform checking of null and
- unexpected Context implementation types.
-
-
AbstractProcessingFilter has changed its getter/setter approach used for customised
- authentication exception directions. See the
- AbstractProcessingFilter JavaDocs to learn more.
-
-
AnonymousProcessingFilter now has a removeAfterRequest property, which defaults to true. This
- will cause the anonymous authentication token to be set to null at the end of each request, thus
- avoiding the expense of creating a HttpSession in HttpSessionContextIntegrationFilter. You may
- set this property to false if you would like the anoymous authentication token to be preserved,
- which would be an unusual requirement.
-
-
Event publishing has been refactored. New event classes have been added, and the location of
- LoggerListener has changed. See the net.sf.acegisecurity.event package.
-
- For example, change:
-
- <bean id="loggerListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/>
-
- to:
-
- <bean id="loggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/>
-
-
-
-
Users of the <authz:authentication> JSP tag will generally need to set the operation
- property equal to "username", as reflection is now used to retrieve the property displayed.
-
-
- Users of net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter should note that it has been
- renamed to net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.
-
-
-
- The concurrent session support handling has changed. Please refer to the Reference Guide to
- review the new configuration requirements.
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/src/site/xdoc/upgrade/upgrade-090-100.xml b/src/site/xdoc/upgrade/upgrade-090-100.xml
deleted file mode 100644
index 3fd7f5d9a7..0000000000
--- a/src/site/xdoc/upgrade/upgrade-090-100.xml
+++ /dev/null
@@ -1,95 +0,0 @@
-
-Acegi Security - Upgrading from version 0.8.0 to 1.0.0
-The following should help most casual users of the project update their
-applications:
-
-
-
The top level package name has changed. Simply find "net.sf.acegisecurity" and replace with
- "org.springframework.security".
-
-
-
-DaoAuthenticationProvider has a property, authenticationDao. This property should now be renamed to
-userDetailsService.
-
-
-
-In JSPs, each "authz" taglib prefix must be changed from uri="http://acegisecurity.sf.net/authz"
-to uri="http://acegisecurity.org/authz".
-
-
-
net.sf.acegisecurity.providers.dao.AuthenticationDao is now
- org.springframework.security.userdetails.UserDetailsService.
- The interface signature has not changed. Similarly, User and UserDetails have moved into the latter's package as well.
-If you've implemented your own AuthenticationDao, you'll need to change the class it's implementing and quite likely
-the import packages for User and UserDetails. In addition, if using JdbcDaoImpl or InMemoryDaoImpl please
-note they have moved to this new package.
-
-
Acegi Security is now localised. In net.sf.acegisecurity you will find a messages.properties. It is
-suggested to register this in your application context, perhaps using ReloadableResourceBundleMessageSource.
-If you do not do this, the default messages included in the source code will be used so this change is
-not critical. The Spring LocaleContextHolder class is used to determine the locale of messages included in
-exceptions. At present only the default messages.properties is included (which is in English). If
-you localise this file to another language, please consider attaching it to a
-new JIRA task
-so that we can include it in future Acegi Security releases.
-
-
-
-
- org.springframework.security.ui.rememberme.RememberMeProcessingFilter now requires an authenticationManager property. This will generally
-point to an implementation of org.springframework.security.providers.ProviderManager.
-
-
-
- org.springframework.security.intercept.web.AuthenticationEntryPoint has moved to a new location,
- org.springframework.security.ui.AuthenticationEntryPoint.
-
-
-
- org.springframework.security.intercept.web.SecurityEnforcementFilter has moved to a new location and name,
- org.springframework.security.ui.ExceptionTranslationFilter. In addition, the "filterSecurityInterceptor"
-property on the old SecurityEnforcementFilter class has been removed. This is because
-SecurityEnforcementFilter will no longer delegate to FilterSecurityInterceptor as it has in the
-past. Because this delegation feature has been removed (see SEC-144 for a background as to why),
-please add a new filter definition for FilterSecurityInterceptor to the end of your
-FilterChainProxy. Generally you'll also rename the old SecurityEnforcementFilter entry in your
-FilterChainProxy to ExceptionTranslationFilter, more accurately reflecting its purpose.
-If you are not using FilterChainProxy (although we recommend that you do), you will need to add
-an additional filter entry to web.xml and use FilterToBeanProxy to access the FilterSecurityInterceptor.
-
-
-
-If you are directly using SecurityContextHolder.setContext(SecurityContext) - which is not
-very common - please not that best practise is now to call SecurityContextHolder.clearContext()
-if you wish to erase the contents of the SecurityContextHolder. Previously code such as
-SecurityContextHolder.setContext(new SecurityContextImpl()) would have been used. The revised
-method internally stores null, which helps avoids redeployment issue caused by the previous
-approaches (see SEC-159 for further details).
-
-
-
-
-
-AbstractProcessingFilter.onUnsuccessfulAuthentication(HttpServletRequest, HttpServletResponse)
-has changed it signature (SEC-238). If subclassing, please override the new signature.
-
-
-
-ExceptionTranslationFilter no longer provides a sendAccessDenied() method. Use the
-new AccessDeniedHandler instead if custom handling is required.
-
-
-
-There have been some changes to the LDAP provider APIs to allow for future improvements, as detailed in
-SEC-264. These
-should only affect users who have written their own extensions to the provider. The general LDAP
-classes are now in the packages org.springframework.security.ldap and the
- org.springframework.security.userdetails.ldap
- package has been introduced. The search and authentication classes now return an
-LdapUserDetails
-instance. The LdapAuthoritiesPopulator interface and its default implementation now both make use of
-LdapUserDetails. Any customized versions should be updated to use the new method signatures.
-