Versions are denoted using a standard triplet of - integers: MAJOR.MINOR.PATCH. The basic intent is that MAJOR versions - are incompatible, large-scale upgrades of the API. MINOR versions - retain source and binary compatibility with older minor versions, and - changes in the PATCH level are perfectly compatible, forwards and - backwards.
mutual authentication; - the server will then request a valid certificate from the client as - part of the SSL handshake. The server will authenticate the client by - checking that it's certificate is signed by an acceptable authority. - If a valid certificate has been provided, it can be obtained through - the servlet API in an application. Acegi Security X509 module extracts - the certificate using a filter and passes it to the configured X509 - authentication provider to allow any additional application-specific - checks to be applied. It also maps the certificate to an application - user and loads that user's set of granted authorities for use with the - standard Acegi Security infrastructure.
entry point- class, which is normally responsible for starting the authentication - process, is only invoked if the certificate is rejected and it always - returns an error to the user. With a suitable bean configuration, the - normal sequence of events is as follows
common - name(CN) in the certificate. It also allows you to set - your own regular expression to match a different part of the - subject's distinguished name. A UserDetailsService is used to - load the user information.
marissain the application.
ouattribute of each - match.
-- -Context on SecurityContextHolder is of type: - org.acegisecurity.context.SecurityContextImpl - -The Context implements SecurityContext. - -Authentication object is of type: - org.acegisecurity.adapters.PrincipalAcegiUserToken - -Authentication object as a String: - org.acegisecurity.adapters.PrincipalAcegiUserToken@e9a7c2: Username: - marissa; Password: [PROTECTED]; Authenticated: true; Granted - Authorities: ROLE_TELLER, ROLE_SUPERVISOR - -Authentication object holds the following granted - authorities: - -ROLE_TELLER (getAuthority(): ROLE_TELLER) - -ROLE_SUPERVISOR (getAuthority(): ROLE_SUPERVISOR) - -SUCCESS! Your [container adapter|web filter] appears to be - properly configured! -
Here are some of the external pages mentioning Acegi Security. If you've - found another, please let us know. -
FilterChainProxy class.manageability.org.This project uses Maven as project manager - and build tool. We recommend you to install Maven 2.0.5 or greater before trying - the following. Note there are workarounds at the bottom of this page.
To checkout Acegi Security from SVN, see our - CVS Usage page.
- -Often people reading this document just want to see if Acegi Security will work - for their projects. They want to deploy a sample application, and that's about it - (after all, all the reference documentation can be read online at - http://acegisecurity.org). - In this case, execute:
-cd $ACEGI_SECURITY/core (or cd %ACEGI_SECURITY%/core on Windows)-
mvn install-
cd $ACEGI_SECURITY/samples/contacts-
mvn package-
mvn jetty:run-
This should build main framework library, build the sample application and run the "contacts" sample application - using the maven jetty plugin. You should then be able to point your browser at - http://localhost:8080/contacts/ to use the application. -
- -- You can browse the source tree directly via - - http://acegisecurity.svn.sourceforge.net/viewvc/acegisecurity/ - -
-- The code can be checked out anonymously with the following command: -
-- svn co http://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk/ -
- -If you'd prefer not to use subversion directly, please see our - downloads page - for nightly snapshots. -
-If you wish to try out this project, you are probably looking for the - acegi-security-xx.zip file, which contains all of the officially - released JARs, a copy of all documentation, and two WAR artifacts. The two WAR artifacts - are from the Contacts Sample and the Tutorial Sample application. The Tutorial Sample - consists of a "bare bones" configuration that will get you up and running quickly, whereas - the Contacts Sample illustrates more advanced features.
Please note that in order to reduce download size, we only include in the - release ZIP one of the WAR artifacts produced by the Contacts Sample application. - The WAR artifact we include is suitable for standalone deployment (specifically, it - does not require a CAS server, container adapter, X509 or LDAP setup). The official release ZIP - therefore probably contains what you need, especially if you're initially - evaluating the project. If you wish to deploy the other WAR artifacts produced by - the Contacts Sample application (ie those that target CAS, container adapters, X509 or LDAP usage), - you will need to build Acegi Security from source. - -
The acegi-security-xx-src.zip is intended for use with IDEs. It does not contain the - files needed to compile Acegi Security. It also does not contain the sources to the - sample applications. If you need any of these files, please download from SVN.
The official release ZIP files are available from the - Sourceforge File Release System.
The Acegi Security JARs are also available via the - iBiblio Maven Repository.
Detailed instructions on downloading from CVS and building from source - are provided on the Building with Maven - page.
- If you don't wish to access SVN directly, we provide - nightly SVN exports for your convenience. - There is also an automated build which uploads bundle of Acegi Security jar files to the same location. - Both binary and source archives have the date of the build and the SVN revision number appended to the filename, - so you can match them up easily. -
Acegi Security is an open source project that provides comprehensive authentication - and authorisation services for enterprise applications based on - The Spring Framework. - Acegi Security can authenticate using a variety of pluggable providers, and - can authorise both web requests and method invocations. - Acegi Security provides an integrated security approach across - these various targets, and also offers access control list (ACL) capabilities to - enable individual domain object instances to be secured. At an implementation - level, Acegi Security is managed through Spring's inversion of control and - lifecycle services, and actually enforces security using interception through - servlet Filters and Java AOP frameworks. In terms of AOP framework support, Acegi - Security currently supports AOP Alliance (which is what the - Spring IoC container uses internally) and AspectJ, although additional frameworks - can be easily supported.
Let's assume you're developing an enterprise application based on Spring. - There are four security concerns you typically need to address: authentication, - web request security, service layer security (ie your methods that implement - business logic), and domain object instance security (ie different domain objects - have different permissions). With these typical requirements in mind: -
Ah-see-gee. Said quickly, without emphasis on any part. - Acegi isn't an acronym, name of a Greek God or anything similarly - impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.
It's official name is Acegi Security System for Spring, - although we're happy for it to be abbreviated to - Acegi Security. Please don't just call it Acegi, though, - as that gets confused with the name of the company that maintains Acegi - Security.
80% of support questions are because people have not defined
- the necessary filters in web.xml, or the filters are being
- mapped in the incorrect order. Check the
- Reference Guide, which
- has a specific section on filter ordering.
The next most common source of problems stem from custom
- AuthenticationDao implementations that simply don't properly
- implement the interface contract. For example, they return null instead
- of the user not found exception, or fail to add in the
- GrantedAuthority[]s. Whilst DaoAuthenticationProvider
- does its best to check the AuthenticationDao returns a valid
- UserDetails, we suggest you write the
- UserDetails object to the log and check it looks correct.
A common user problem with infinite loop and redirecting to the login page - is caused by accidently configuring the login page as a "secured" resource. - Generally make sure you mark your login page as requiring ROLE_ANONYMOUS. -
If you are securing web resources and they dont seem to be matched in the URL patterns, - check the objectDefinitionSource in the FilterSecurityInterceptor. - If you are using the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON setting, - then the URL patterns configured MUST be in lowercase. -
- For example, making a request ending in /someAction.do will need - to be configured as: /someaction.do (Note the case). -
-<property name="objectDefinitionSource"> - <value> - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON - PATTERN_TYPE_APACHE_ANT - /index.jsp=ROLE_ANONYMOUS,ROLE_USER - /someaction.do=ROLE_USER - <value> -</property> -- -
A common user requirement is to disable / lock an account after a number of failed login attempts. - Acegi itself does not provide anything "out of the box", however in your application you can implement - and register an org.springframework.context.ApplicationListener. Inside your application - event listener you can then check for an instanceof the particular AuthenticationFailureEvent - and then call your application user management interface to update the user details. -
- For example: -
- public void onApplicationEvent(ApplicationEvent event) {
-
- // check failed event
- if(event instanceof AuthenticationFailurePasswordEvent){
- // call user management interface to increment failed login attempts, etc.
- . . .
- }
- }
-
-
- There are three things you must do to make a user password change take affect: -
The most important things to post with any support requests on the
- Spring Forums are your
- web.xml, applicationContext.xml (or whichever
- XML loads the security-related beans) as well as any custom
- AuthenticationDao you might be using. For really odd problems,
- also switch on debug-level logging and include the resulting log.
Acegi Security uses Commons Logging, just as Spring does. So you use the
- same approach as you'd use for Spring. Most people output to Log4J, so
- the following log4j.properties would work:
In most cases write an AuthenticationDao which returns
- a subclass of User. Alternatively, write your own
- UserDetails implementation from scratch and return that.
Acegi Security targets enterprise applications, which are typically - multi-user, data-oriented applications that are important to - the core business. Acegi Security was designed to provide a portable and effective - security framework for this target application type. It was not designed for securing - limited privilege runtime environments, such as web browser applets.
We did consider JAAS when designing Acegi Security, but it simply - wasn't suitable for our purpose. We needed to avoid complex JRE configurations, - we needed container portability, and we wanted maximum leveraging of the Spring IoC - container. Particularly as limited privilege runtime environments were not - an actual requirement, this lead to the natural design of Acegi Security as - it exists today.
Acegi Security already provides some JAAS integration. It can today authenticate - via delegation to a JAAS login module. This means it offers the same level of JAAS - integration as many web containers. Indeed the container adapter model supported by - Acegi Security allows Acegi Security and container-managed security to happily - co-exist and benefit from each other. Any debate about Acegi Security and JAAS - should therefore centre on the authorisation issue. An evaluation of major - containers and security frameworks would reveal that Acegi Security is by no - means unusual in not using JAAS for authorisation.
There are many examples of open source applications being preferred to - official standards. A few that come to mind in the Java community include - using Spring managed POJOs (rather than EJBs), Hibernate (instead of entity beans), - Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker - (instead of JSP). It's important to recognise that many open source projects do - develop into de facto standards, and in doing so play a legitimate and beneficial - role in professional software development.
Yes. If you've written something and it works well, please feel free to share it. - Simply email the contribution to the - acegisecurity-developers list. If you haven't yet - written the contribution, we encourage you to send your thoughts to the same - list so that you can receive some initial design feedback.
For a contribution to be used, it must have appropriate unit test coverage and - detailed JavaDocs. It will ideally have some comments for the Reference Guide - as well (this can be sent in word processor or HTML format if desired). This - helps ensure the contribution maintains the same quality as the remainder of - the project.
We also welcome documentation improvements, unit tests, illustrations, - people supporting the user community (especially on the forums), design ideas, - articles, blog entries, presentations and alike. If you're looking for something - to do, you can always email the - acegisecurity-developers list and we'll be - pleased to suggest something. :-)
- Acegi Security is a powerful, flexible security solution for enterprise software, - with a particular emphasis on applications that use - Spring. Using Acegi Security provides your - applications with comprehensive authentication, authorization, instance-based access control, - channel security and human user detection capabilities. -
ApplicationEvent services, you can write your own listeners
- for authentication-related events, along with authorisation-related events.
- This enables you to implement account lockout and audit log systems, with
- complete decoupling from Acegi Security code.To complete this tutorial, you will require a servlet container (such as Tomcat) -and a general understanding of using Spring without Acegi Security. The Petclinic -sample itself is part of Spring and should help you learn Spring. We suggest you -only try to learn one thing at a time, and start with Spring/Petclinic before -Acegi Security. -
-You will also need to download: -
-Unzip both files. After unzipping Acegi Security, you'll need to unzip the -acegi-security-sample-tutorial.war file, because we need some files that are -included within it. In the code below, we'll refer to the respective unzipped -locations as %spring% and %acegi% (with the latter variable referring to the -unzipped WAR, not the original ZIP). There is no need to setup any environment -variables to complete the tutorial. -
-We now need to put some extra files into Petclinic. The following commands should work: -
-mkdir %spring%\samples\petclinic\war\WEB-INF\lib -copy %acegi%\acegilogin.jsp %spring%\samples\petclinic\war -copy %acegi%\accessDenied.jsp %spring%\samples\petclinic\war -copy %acegi%\WEB-INF\users.properties %spring%\samples\petclinic\war\WEB-INF -copy %acegi%\WEB-INF\applicationContext-acegi-security.xml %spring%\samples\petclinic\war\WEB-INF -copy %acegi%\WEB-INF\lib\acegi-security-1.0.0.jar %spring%\samples\petclinic\war\WEB-INF\lib -copy %acegi%\WEB-INF\lib\oro-2.0.8.jar %spring%\samples\petclinic\war\WEB-INF\lib -copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WEB-INF\lib --
Edit %spring%\samples\petclinic\war\WEB-INF\web.xml and insert the following block of code. -
-<filter> - <filter-name>Acegi Filter Chain Proxy</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> - <init-param> - <param-name>targetClass</param-name> - <param-value>org.acegisecurity.util.FilterChainProxy</param-value> - </init-param> -</filter> - -<filter-mapping> - <filter-name>Acegi Filter Chain Proxy</filter-name> - <url-pattern>/*</url-pattern> -</filter-mapping> --Next, locate the "contextConfigLocation" parameter, and add a new line into the existing param-value. -The resulting block will look like this: -
-<context-param> - <param-name>contextConfigLocation</param-name> - <param-value> - /WEB-INF/applicationContext-jdbc.xml - /WEB-INF/applicationContext-acegi-security.xml - </param-value> -</context-param> --
-To make it easier to experiment with the application, now edit -%spring%\samples\petclinic\war\WEB-INF\jsp\footer.jsp. Add a new "logout" link, as shown: -
-<table style="width:100%"><tr> - <td><A href="<c:url value="/welcome.htm"/>">Home</A></td> - <td><A href="<c:url value="/j_acegi_logout"/>">Logout</A></td> - <td style="text-align:right;color:silver">PetClinic :: a Spring Framework demonstration</td> -</tr></table> --
-Our last step is to specify which URLs require authorization and which do not. Let's -edit %spring%\samples\petclinic\war\WEB-INF\applicationContext-acegi-security.xml. -Locate the bean definition for FilterSecurityInterceptor. Edit its objectDefinitionSource -property so that it reflects the following: -
-<property name="objectDefinitionSource"> - <value> - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON - PATTERN_TYPE_APACHE_ANT - /acegilogin.jsp=IS_AUTHENTICATED_ANONYMOUSLY - /**=IS_AUTHENTICATED_REMEMBERED - </value> -</property> --
Start the Hypersonic server (this is just normal Petclinic configuration): -
-cd %spring%\samples\petclinic\db\hsqldb -server --
-Insert some data (again, normal Petclinic configuration): -
-cd %spring%\samples\petclinic -build setupDB --
-Use Petclinic's Ant build script and deploy to your servlet container: -
-cd %spring%\samples\petclinic -build warfile -copy dist\petclinic.war %TOMCAT_HOME%\webapps --
Finally, start your container and try to visit the home page. -Your request should be intercepted and you will be forced to login.
-Whilst you've now secured your web requests, you might want to stop users -from being able to add clinic visits unless authorized. We'll make it so -you need to hold ROLE_SUPERVISOR to add a clinic visit. -
-In %spring%\samples\petclinic\war\WEB-INF\applicationContext-jdbc.xml, locate -the TransactionProxyFactoryBean definition. Add an additional property after -the existing "preInterceptors" property: -
-<property name="postInterceptors" ref="methodSecurityInterceptor"/> --
-Finally, we need to add in the referred-to "methodSecurityInterceptor" bean definition. -So pop an extra bean definition in, as shown below: -
-<bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="accessDecisionManager"> - <bean class="org.acegisecurity.vote.AffirmativeBased"> - <property name="allowIfAllAbstainDecisions" value="false"/> - <property name="decisionVoters"> - <list> - <bean class="org.acegisecurity.vote.RoleVoter"/> - <bean class="org.acegisecurity.vote.AuthenticatedVoter"/> - </list> - </property> - </bean> - </property> - <property name="objectDefinitionSource"> - <value> - org.springframework.samples.petclinic.Clinic.*=IS_AUTHENTICATED_REMEMBERED - org.springframework.samples.petclinic.Clinic.storeVisit=ROLE_SUPERVISOR - </value> - </property> -</bean> --
-Redeploy your web application. Use the earlier process to do that. Be careful to -ensure that the old Petclinic WAR is replaced by the new Petclinic WAR in your -servlet container. Login as "marissa", who has ROLE_SUPERVISOR. You will be able to -then view a customer and add a visit. Logout, then login as anyone other than Marissa. -You will receive an access denied error when you attempt to add a visit. -
-To clean things up a bit, you might want to wrap up by hiding the "add visit" link -unless you are authorized to use it. Acegi Security provides a tag library to help -you do that. Edit %spring%\samples\petclinic\war\WEB-INF\jsp\owner.jsp. Add -the following line to the top of the file: -
-<%@ taglib prefix="authz" uri="http://acegisecurity.org/authz" %> --Next, scroll down and find the link to "add visit". Modify it as follows: -
-<authz:authorize ifAllGranted="ROLE_SUPERVISOR">
- <FORM method=GET action="<c:url value="/addVisit.htm"/>" name="formVisitPet<c:out value="${pet.id}"/>">
- <INPUT type="hidden" name="petId" value="<c:out value="${pet.id}"/>"/>
- <INPUT type="submit" value="Add Visit"/>
- </FORM>
-</authz:authorize>
-
--These steps can be applied to your own application. Although we do suggest -that you visit http://acegisecurity.org -and in particular review the "Suggested Steps" for getting started with Acegi -Security. The suggested steps are optimized for learning Acegi Security quickly -and applying it to your own projects. It also includes realistic time estimates -for each step so you can plan your integration activities.
The following policies and procedures are intended to ensure that Acegi Security will - continue to achieve its project objectives and support the community in the context of an - expanding development team. - -
- The following was unanimously supported by the community supporting following - discussion - on acegisecurity-developer. The policies and procedures below represent version 1.0 - and are effective 1 August 2005. -
Thanks for your help in connection with the above. If you have any suggestions for improving these - policies and procedures, please use the acegisecurity-developer list to raise them. - -
- Ben Alex
- Project Admin
-
-
- $Id$ - - - -
Many open source and commercial products either use Acegi Security or at least - support it. Following is a partial list of such products. If you've integrated Acegi - Security with some other product, please let us know (preferably with a URL - to some page explaining the integration/use)... - -
| Document | Description |
|---|---|
| - Reference Guide HTML Single Page - | -- The reference guide in a single html page. - | -
| - Reference Guide PDF - | -- The PDF version of the reference guide. - | -
Sometimes we get asked can Acegi Security be used without Spring. - This page provides a detailed answer.
Acegi Security started out as a method interceptor for Spring IoC container
- managed beans. Typically such beans provide services layer functions.
- Over time Acegi Security grew to offer authentication services, ThreadLocal management,
- web request filtering, extra AOP support,
- ACL features, additional authentication mechanisms and so on (for those interested,
- see our change log).
There's plenty written about why the - Spring Framework - is a good fit for modern applications. If you're not familiar with the benefits - Spring offers, please take a few minutes to learn more about it. In numerous - situations Spring will save you many months (or even years) of development time. - Not to mention your solutions will be better architected - (designed), better coded (implemented), and better supported (maintained) in the future. -
Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle
- methods such as afterPropertiesSet(). Some Acegi Security classes also
- publish events to the ApplicationContext, although you could provide a mock
- implementation of ApplicationContext easily enough which no-ops the method.
- In other words, if you particularly didn't want Spring in your application, you could
- avoid its use by writing equivalent getter, setter and lifecycle invocation processes
- in standard Java code. This is a natural consequence of the Spring way of development,
- which emphasises framework independence (it is not because we think there are good
- reasons people would not use Spring).
If it sounds too hard (it's not) or counter-productive (it is) to replace Spring's IoC - services, don't forget you can always deploy Acegi Security and the Spring - IoC container solely for configuring Acegi Security. Spring does not mandate its - use in every part of your application. It will work quite successfully doing nothing more than - acting as a configuration mechanism for Acegi Security. Whilst some may regard this as excessive, - it's really no different than the traditional approach of every framework having its very - own XML or other proprietary configuration system. The main difference is that Spring is an - actual de facto standard, and you can gradually introduce it to other parts of your application - over time (if desired).
Acegi Security does not use any other Spring capabilities. Most notably, the
- entire architecture is based around Filters, not Spring's MVC framework.
- This allows it to be used with any MVC framework, or even with just straight JSPs.
- Acegi Security uses the AOP Alliance and AspectJ interfaces for method interception -
- it does not use any Spring-specific interfaces. As a consequence, Acegi Security is very
- portable to applications that do not leverage any of Spring's capabilities. We should note
- there are several very simple data access objects (DAOs) that use Spring's JDBC abstraction
- layer, although each of these are defined by a simple interface and it is very common in
- even native Spring-powered applications for these to be re-implemented using the application's
- persistence framework of choice (eg Hibernate).
-
-
In summary, we recommend you take a look at Spring and consider using it in your - applications. Irrespective of whether you do so or not, we strongly recommend you use it - for configuration and lifecycle management of Acegi Security. If that is also not desired, - Acegi Security can easily be executed without Spring at all, providing you implement - similar IoC services. Acegi Security has very minimal dependencies directly on Spring, - with it being useful in many non-Spring applications and with non-Spring frameworks. - - -
Presented below are the steps we encourage you to take in order to gain the most - out of Acegi Security in a realistic timeframe. -
acegi-security-sample-contacts-filter.war,
- which is also included in the release ZIP file.ContactManagerBackend
- which shows how we create and delete ACL permissions. The rest of the Java code has no
- security awareness, with all security services being declared in the XML files
- (don't worry, there aren't any new XML formats to learn: they're all standard Spring IoC container
- declarations or the stock-standard web.xml). The main
- XML files to review are
- applicationContext-acegi-security.xml (from the filter webapp),
- applicationContext-common-authorization.xml,
- applicationContext-common-business.xml (just note we add contactManagerSecurity to the services layer target bean), and
- web.xml (from the filter webapp).
- The XML definitions are comprehensively discussed in the
- Reference Guide.
- Please note the time estimates are just that: estimates. They will vary considerably depending - on how much experience you have, particularly with Java and Spring. They will also vary depending - on how complex your intended security-enabled application will be. Some people need to push the domain - object instance access control list capabilities to the maximum, whilst others don't even need anything - beyond web request security. The good thing is Acegi Security will either directly support your future - needs, or provide a clearly-defined extension point for addressing them. - -
- We welcome your feedback about how long it has actually taken you to complete each step, so we - can update this page and help new users better assess their project timetables in the future. - Any other tips on what you found helpful in learning Acegi Security are also very welcome. - - -
Several changes were made between version 0.3 and 0.4 of the project. -These changes increased the modularity of the code, enhanced unit testing, -made package roles clearer, and added compelling alternatives to container -adapters and using web.xml security constraints to protect HTTP resources. - -
Unfortunately, changes to the API and package locations were required. The -following should help most casual users of the project update their -applications: - -
-We hope you find the new features useful in your projects. - - - -
The following should help most casual users of the project update their -applications: -
-There are also lots of new features you might wish to consider for your -projects. These include CAS integration, pluggable password encoders -(such as MD5 and SHA), along with pluggable salt sources. We hope you find -the new features useful in your projects. - - - - -
-The following should help most casual users of the project update their -applications: -
- String username = authentication.getPrincipal();
- if (authentication.getPrincipal() instanceof User) {
- username = ((User) authentication.getPrincipal()).getUsername();
- }
-
- public User loadUserByUsername(String username)
- throws UsernameNotFoundException, DataAccessException {
-
- to:
-
- public UserDetails loadUserByUsername(String username)
- throws UsernameNotFoundException, DataAccessException {
-
-
- Existing concrete implementations would be returning User, which implements
- UserDetails, so no further code changes should be required.
-
- <filter>
- <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
- <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
- <init-param>
- <param-name>targetClass</param-name>
- <param-value>net.sf.acegisecurity.ui.AutoIntegrationFilter</param-value>
- </init-param>
- </filter>
-
-
- <bean id="autoIntegrationFilter" class="net.sf.acegisecurity.ui.AutoIntegrationFilter"/>
-
--The following should help most casual users of the project update their -applications: -
-The following should help most casual users of the project update their -applications: - -
-The following should help most casual users of the project update their -applications: - -
ContextHolder and all of its
- related classes have been removed. This significant change was made for the sake of consistency
- with the core Spring project's approach of a single ThreadLocal per use case,
- instead of a shared ThreadLocal for multiple use cases as the previous
- ContextHolder allowed. This is an important change in 0.9.0. Many applications
- will need to modify their code (and possibly web views) if they directly interact with the old
- ContextHolder. The replacement security ThreadLocal is called
-
- SecurityContextHolder and provides a single getter/setter for a
- SecurityContext.
- SecurityContextHolder guarantees to never return a null SecurityContext.
- SecurityContext provides single getter/setter for Authentication.ContextHolder,
- SecureContext and Context to directly call SecurityContextHolder
- and work with the SecurityContext (instead of the now removed Context
- and SecureContext interfaces).
- SecureContext ctx = SecureContextUtils.getSecureContext();
-
- to:
- SecurityContext ctx = SecurityContextHolder.getContext();
-
-
- <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
- <property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property>
- </bean>
-
- to:
- <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
- <property name="context"><value>net.sf.acegisecurity.context.SecurityContextImpl</value></property>
- </bean>
-
- Context
- implementations, your applications no longer need to perform checking of null and
- unexpected Context implementation types.AbstractProcessingFilter has changed its getter/setter approach used for customised
- authentication exception directions. See the
- AbstractProcessingFilter JavaDocs to learn more.AnonymousProcessingFilter now has a removeAfterRequest property, which defaults to true. This
- will cause the anonymous authentication token to be set to null at the end of each request, thus
- avoiding the expense of creating a HttpSession in HttpSessionContextIntegrationFilter. You may
- set this property to false if you would like the anoymous authentication token to be preserved,
- which would be an unusual requirement.LoggerListener has changed. See the net.sf.acegisecurity.event package.
- <bean id="loggerListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/>
-
- to:
- <bean id="loggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/>
- <authz:authentication> JSP tag will generally need to set the operation
- property equal to "username", as reflection is now used to retrieve the property displayed.net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter should note that it has been
- renamed to net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.-The following should help most casual users of the project update their -applications: -