SEC-696: Updated out of date information in site files and pom. Added aggregation of javadoc and other reports
This commit is contained in:
parent
44f1e751a9
commit
a5ed80248d
38
pom.xml
38
pom.xml
|
@ -48,8 +48,12 @@
|
||||||
|
|
||||||
<issueManagement>
|
<issueManagement>
|
||||||
<system>jira</system>
|
<system>jira</system>
|
||||||
<url>http://opensource.atlassian.com/projects/spring/browse/SEC</url>
|
<url>http://jira.springframework.org/browse/SEC</url>
|
||||||
</issueManagement>
|
</issueManagement>
|
||||||
|
<ciManagement>
|
||||||
|
<system>bamboo</system>
|
||||||
|
<url>http://build.springframework.org:8085/bamboo/</url>
|
||||||
|
</ciManagement>
|
||||||
|
|
||||||
<distributionManagement>
|
<distributionManagement>
|
||||||
<repository>
|
<repository>
|
||||||
|
@ -88,6 +92,13 @@
|
||||||
</repository>
|
</repository>
|
||||||
</repositories>
|
</repositories>
|
||||||
|
|
||||||
|
<pluginRepositories>
|
||||||
|
<pluginRepository>
|
||||||
|
<id>Codehaus Snapshots</id>
|
||||||
|
<url>http://snapshots.repository.codehaus.org/</url>
|
||||||
|
</pluginRepository>
|
||||||
|
</pluginRepositories>
|
||||||
|
|
||||||
<mailingLists>
|
<mailingLists>
|
||||||
<mailingList>
|
<mailingList>
|
||||||
<name>Acegi Developer List</name>
|
<name>Acegi Developer List</name>
|
||||||
|
@ -118,7 +129,7 @@
|
||||||
<id>benalex</id>
|
<id>benalex</id>
|
||||||
<email>benalex at users.sourceforge.net</email>
|
<email>benalex at users.sourceforge.net</email>
|
||||||
<organization>
|
<organization>
|
||||||
Acegi Technology Pty Limited (http://www.acegi.com.au)
|
SpringSource
|
||||||
</organization>
|
</organization>
|
||||||
<timezone>+10</timezone>
|
<timezone>+10</timezone>
|
||||||
</developer>
|
</developer>
|
||||||
|
@ -138,7 +149,7 @@
|
||||||
<id>luke_t</id>
|
<id>luke_t</id>
|
||||||
<email>luke_t at users.sourceforge.net</email>
|
<email>luke_t at users.sourceforge.net</email>
|
||||||
<organization>
|
<organization>
|
||||||
Monkey Machine Ltd. (http://monkeymachine.ltd.uk)
|
SpringSource
|
||||||
</organization>
|
</organization>
|
||||||
<timezone>0</timezone>
|
<timezone>0</timezone>
|
||||||
</developer>
|
</developer>
|
||||||
|
@ -468,10 +479,16 @@
|
||||||
<groupId>org.apache.maven.plugins</groupId>
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
<artifactId>maven-surefire-report-plugin</artifactId>
|
<artifactId>maven-surefire-report-plugin</artifactId>
|
||||||
<version>2.3.1</version>
|
<version>2.3.1</version>
|
||||||
|
<configuration>
|
||||||
|
<aggregate>true</aggregate>
|
||||||
|
</configuration>
|
||||||
</plugin>
|
</plugin>
|
||||||
<plugin>
|
<plugin>
|
||||||
<groupId>org.apache.maven.plugins</groupId>
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
<artifactId>maven-jxr-plugin</artifactId>
|
<artifactId>maven-jxr-plugin</artifactId>
|
||||||
|
<configuration>
|
||||||
|
<aggregate>true</aggregate>
|
||||||
|
</configuration>
|
||||||
</plugin>
|
</plugin>
|
||||||
<!--
|
<!--
|
||||||
<plugin>
|
<plugin>
|
||||||
|
@ -493,7 +510,12 @@
|
||||||
<plugin>
|
<plugin>
|
||||||
<groupId>org.apache.maven.plugins</groupId>
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
<artifactId>maven-javadoc-plugin</artifactId>
|
<artifactId>maven-javadoc-plugin</artifactId>
|
||||||
|
<version>2.3</version>
|
||||||
<configuration>
|
<configuration>
|
||||||
|
<aggregate>true</aggregate>
|
||||||
|
<header>Spring Security Framework</header>
|
||||||
|
<quiet>true</quiet>
|
||||||
|
<excludePackageNames>sample,bigbank</excludePackageNames>
|
||||||
<links>
|
<links>
|
||||||
<link>
|
<link>
|
||||||
http://java.sun.com/j2se/1.5.0/docs/api
|
http://java.sun.com/j2se/1.5.0/docs/api
|
||||||
|
@ -530,6 +552,14 @@
|
||||||
</link>
|
</link>
|
||||||
</links>
|
</links>
|
||||||
</configuration>
|
</configuration>
|
||||||
|
<reportSets>
|
||||||
|
<reportSet>
|
||||||
|
<reports>
|
||||||
|
<report>javadoc</report>
|
||||||
|
<!-- <report>test-javadoc</report> -->
|
||||||
|
</reports>
|
||||||
|
</reportSet>
|
||||||
|
</reportSets>
|
||||||
</plugin>
|
</plugin>
|
||||||
<plugin>
|
<plugin>
|
||||||
<groupId>org.codehaus.mojo</groupId>
|
<groupId>org.codehaus.mojo</groupId>
|
||||||
|
@ -539,6 +569,7 @@
|
||||||
<groupId>org.apache.maven.plugins</groupId>
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
<artifactId>maven-project-info-reports-plugin</artifactId>
|
<artifactId>maven-project-info-reports-plugin</artifactId>
|
||||||
<version>2.0.1</version>
|
<version>2.0.1</version>
|
||||||
|
<!--
|
||||||
<reportSets>
|
<reportSets>
|
||||||
<reportSet>
|
<reportSet>
|
||||||
<reports>
|
<reports>
|
||||||
|
@ -550,6 +581,7 @@
|
||||||
</reports>
|
</reports>
|
||||||
</reportSet>
|
</reportSet>
|
||||||
</reportSets>
|
</reportSets>
|
||||||
|
-->
|
||||||
</plugin>
|
</plugin>
|
||||||
</plugins>
|
</plugins>
|
||||||
</reporting>
|
</reporting>
|
||||||
|
|
|
@ -0,0 +1,36 @@
|
||||||
|
------------------------
|
||||||
|
Building the Project
|
||||||
|
------------------------
|
||||||
|
|
||||||
|
Building the Project
|
||||||
|
|
||||||
|
* Install Maven
|
||||||
|
|
||||||
|
This project uses {{{"http://maven.apache.org/"}Maven}} as a build tool.
|
||||||
|
We recommend you to install Maven 2.0.7 or greater before trying
|
||||||
|
the following.
|
||||||
|
|
||||||
|
* Check out the source code
|
||||||
|
|
||||||
|
To checkout Spring Security from SVN, see our {{{"svn-usage.html"}SVN Usage}} page.
|
||||||
|
|
||||||
|
* Building with Maven
|
||||||
|
|
||||||
|
Often people reading this document just want to see if Spring Security will work
|
||||||
|
for their projects. They want to deploy a sample application, and perhaps play around with the
|
||||||
|
configuration a bit to see how it works. Assuming you've already checked out the code from subversion,
|
||||||
|
start up a command prompt and execute the following commands from the directory containing the project source:
|
||||||
|
|
||||||
|
+----------------------------------------------------------------------------------------------------------------------+
|
||||||
|
|
||||||
|
mvn install
|
||||||
|
|
||||||
|
cd samples/contacts
|
||||||
|
|
||||||
|
mvn jetty:run
|
||||||
|
|
||||||
|
+----------------------------------------------------------------------------------------------------------------------+
|
||||||
|
|
||||||
|
This should build the framework library jars, install them to your local Maven repository and run the "contacts"
|
||||||
|
sample application (JDK 1.5 or later is required). You should then be able to point your browser at
|
||||||
|
{{{http://localhost:8080/contacts/}}} to use the application.
|
|
@ -4,207 +4,14 @@
|
||||||
|
|
||||||
What is Spring Security?
|
What is Spring Security?
|
||||||
|
|
||||||
Spring Security is a powerful, flexible security solution for enterprise software,
|
Spring Security is the renamed Acegi Security System for Spring, which became an official Spring
|
||||||
with a particular emphasis on applications that use
|
Portfolio project towards the end of 2007. It is the portolio's security offering, focused on providing a powerful and
|
||||||
{{{http://www.springframework.org/}Spring}}. Using Spring Security provides your
|
flexible security solution for enterprise applications developed using the Spring Framework.
|
||||||
applications with comprehensive authentication, authorization, instance-based access control,
|
It is a stable and mature product - Acegi Security 1.0.0 was released in May 2006 after more than two and a half
|
||||||
channel security and human user detection capabilities.
|
years of use in large production software projects.
|
||||||
|
|
||||||
Key Features
|
Spring Security 2.0 builds on Acegi Security's solid foundations, adding new features such as a simplified
|
||||||
|
namespace configuration syntax.
|
||||||
|
|
||||||
* <<Stable and mature:>> Acegi Security 1.0.0 was released in May 2006 after
|
|
||||||
more than two and a half years of use in large production software projects, 70,000+ downloads
|
|
||||||
and hundreds of community contributions.
|
|
||||||
In terms of release numbering, we also use the
|
|
||||||
{{{http://apr.apache.org/versioning.html}Apache APR Project Versioning Guidelines}} so that you can easily identify release compatibility.
|
|
||||||
|
|
||||||
* <<Well documented:>> All APIs are fully documented using
|
~~ TODO: Expand based on original Acegi page.
|
||||||
{{{http://acegisecurity.org/multiproject/acegi-security/apidocs/index.html}JavaDoc}},
|
|
||||||
with almost 100 pages of
|
|
||||||
{{{./reference.html}Reference Guide}} documentation providing an easy-to-follow
|
|
||||||
introduction. Even more documentation is provided on this web site, as
|
|
||||||
shown in the left hand navigation sidebar.
|
|
||||||
|
|
||||||
* <<Fast results:>> View our {{{./suggested.html}suggested steps}}
|
|
||||||
for the fastest way to develop complex, security-compliant applications.
|
|
||||||
|
|
||||||
* <<Enterprise-wide single sign on:>> Using JA-SIG's open
|
|
||||||
source {{{http://www.ja-sig.org/products/cas/}Central Authentication Service}} (CAS),
|
|
||||||
the Spring Security can participate
|
|
||||||
in an enterprise-wide single sign on environment. You no longer need
|
|
||||||
every web application to have its own authentication database. Nor are
|
|
||||||
you restricted to single sign on across a single web container. Advanced
|
|
||||||
single sign on features like proxy support and forced refresh of logins
|
|
||||||
are supported by both CAS and Spring Security. Several other SSO solutions
|
|
||||||
are also provided by third party projects, including JOSSO and CAS.
|
|
||||||
|
|
||||||
* <<Reuses your Spring expertise:>> We use Spring application
|
|
||||||
contexts for all configuration, which should help Spring developers get
|
|
||||||
up-to-speed nice and quickly.
|
|
||||||
|
|
||||||
* <<Domain object instance security:>> In many applications it's
|
|
||||||
desirable to define Access Control Lists (ACLs) for individual domain
|
|
||||||
object instances. We provide a comprehensive ACL package with features
|
|
||||||
including integer bit masking, permission inheritence (including
|
|
||||||
blocking), a JDBC-backed ACL repository, caching and a pluggable,
|
|
||||||
interface-driven design.
|
|
||||||
|
|
||||||
* <<Non-intrusive setup:>> The entire security system can operate
|
|
||||||
within a single web application using the provided filters. There is no
|
|
||||||
need to make special changes or deploy libraries to your Servlet or EJB
|
|
||||||
container.
|
|
||||||
|
|
||||||
* <<Full (but optional) container integration:>> The credential
|
|
||||||
collection and authorization capabilities of your Servlet or EJB
|
|
||||||
container can be fully utilised via included "container adapters". We
|
|
||||||
currently support Catalina (Tomcat), Jetty, JBoss and Resin, with
|
|
||||||
additional containers easily added.
|
|
||||||
|
|
||||||
* <<Keeps your objects free of security code:>> Many applications
|
|
||||||
need to secure data at the bean level based on any combination of
|
|
||||||
parameters (user, time of day, authorities held, method being invoked,
|
|
||||||
parameter on method being invoked....). This package gives you this
|
|
||||||
flexibility without adding security code to your Spring business
|
|
||||||
objects.
|
|
||||||
|
|
||||||
* <<After invocation security:>> Spring Security can not only protect
|
|
||||||
methods from being invoked in the first place, but it can also
|
|
||||||
deal with the objects returned from the methods. Included implementations
|
|
||||||
of after invocation security can throw an exception or mutate the returned
|
|
||||||
object based on ACLs.
|
|
||||||
|
|
||||||
* <<Secures your HTTP requests as well:>> In addition to securing
|
|
||||||
your beans, the project also secures your HTTP requests. No longer is it
|
|
||||||
necessary to rely on web.xml security constraints. Best of all, your
|
|
||||||
HTTP requests can now be secured by your choice of regular expressions
|
|
||||||
or Apache Ant paths, along with pluggable authentication, authorization
|
|
||||||
and run-as replacement managers.
|
|
||||||
|
|
||||||
* <<Channel security:>> Spring Security can
|
|
||||||
automatically redirect requests across an appropriate transport channel.
|
|
||||||
Whilst flexible enough to support any of your "channel" requirements (eg
|
|
||||||
the remote user is a human, not a robot), a common channel security
|
|
||||||
feature is to ensure your secure pages will only be available over
|
|
||||||
HTTPS, and your public pages only over HTTP. Spring Security also
|
|
||||||
supports unusual port combinations (including if accessed via an
|
|
||||||
intermediate server like Apache) and pluggable transport decision
|
|
||||||
managers.
|
|
||||||
|
|
||||||
* <<Supports HTTP BASIC authentication:>> Perfect for remoting
|
|
||||||
protocols or those web applications that prefer a simple browser pop-up
|
|
||||||
(rather than a form login), Spring Security can directly process HTTP
|
|
||||||
BASIC authentication requests as per RFC 1945.
|
|
||||||
|
|
||||||
* <<Supports HTTP Digest authentication:>> For greater security than
|
|
||||||
offered by BASIC authentcation, Spring Security also supports Digest Authentication
|
|
||||||
(which never sends the user's password across the wire). Digest Authentication
|
|
||||||
is widely supported by modern browsers. Spring Security's implementation complies
|
|
||||||
with both RFC 2617 and RFC 2069.
|
|
||||||
|
|
||||||
* <<Computer Associates Siteminder support:>> Authentication can be
|
|
||||||
delegated through to CA's Siteminder solution, which is common in large
|
|
||||||
corporate environments.
|
|
||||||
|
|
||||||
* <<X509 (Certificate) support:>> Spring Security can easily read
|
|
||||||
client-side X509 certificates for authenticating users.
|
|
||||||
|
|
||||||
* <<LDAP Support:>> Do you have an LDAP directory? Spring Security can
|
|
||||||
happily authenticate against it.
|
|
||||||
|
|
||||||
* <<Tag library support:>> Your JSP files can use our taglib
|
|
||||||
to ensure that protected content like links and messages are only
|
|
||||||
displayed to users holding the appropriate granted authorities. The taglib
|
|
||||||
also fully integrates with Spring Security's ACL services, and
|
|
||||||
obtaining extra information about the logged-in principal.
|
|
||||||
|
|
||||||
* <<Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:>> You
|
|
||||||
select the method used to configure your security environment. The
|
|
||||||
project supports configuration via Spring application contexts, as well
|
|
||||||
as Jakarta Commons Attributes and Java 5's annotations feature. Some users
|
|
||||||
(such as those building content management systems) pull configuration data
|
|
||||||
from a database, which exemplifies Spring Security's flexible configuration
|
|
||||||
metadata system.
|
|
||||||
|
|
||||||
* <<Various authentication backends:>> We include the ability to
|
|
||||||
retrieve your user and granted authority definitions from an XML
|
|
||||||
file, JDBC datasource or Properties file. Alternatively, you can implement the
|
|
||||||
single-method UserDetailsService interface and obtain authentication details from
|
|
||||||
anywhere you like.
|
|
||||||
|
|
||||||
* <<Event support:>> Building upon Spring's
|
|
||||||
<<<ApplicationEvent>>> services, you can write your own listeners
|
|
||||||
for authentication-related events, along with authorisation-related events.
|
|
||||||
This enables you to implement account lockout and audit log systems, with
|
|
||||||
complete decoupling from Spring Security code.
|
|
||||||
|
|
||||||
* <<Easy integration with existing databases:>> Our implementations
|
|
||||||
have been designed to make it very easy to use your existing
|
|
||||||
authentication schema and data (without modification). Of course,
|
|
||||||
you can also provide your own Data Access Object if you wish.
|
|
||||||
|
|
||||||
* <<Caching:>> Spring Security integrates with Spring's {{{http://ehcache.sourceforge.net}EHCACHE}} factory.
|
|
||||||
This flexibility means your database (or other authentication
|
|
||||||
repository) is not repeatedly queried for authentication
|
|
||||||
information.
|
|
||||||
|
|
||||||
* <<Pluggable architecture:>> Every critical aspect of the package
|
|
||||||
has been modelled using high cohesion, loose coupling, interface-driven
|
|
||||||
design principles. You can easily replace, customise or extend parts of
|
|
||||||
the package.
|
|
||||||
|
|
||||||
* <<Startup-time validation:>> Every critical object dependency and
|
|
||||||
configuration parameter is validated at application context startup
|
|
||||||
time. Security configuration errors are therefore detected early and
|
|
||||||
corrected quickly.
|
|
||||||
|
|
||||||
* <<Remoting support:>> Does your project use a rich client? Not a
|
|
||||||
problem. Spring Security integrates with standard Spring remoting
|
|
||||||
protocols, because it automatically processes the HTTP BASIC
|
|
||||||
authentication headers they present. Add our BASIC authentication filter
|
|
||||||
to your web.xml and you're done. You can also easily use RMI or Digest
|
|
||||||
authentication for your rich clients with a simple configuration statement.
|
|
||||||
|
|
||||||
* <<Advanced password encoding:>> Of course, passwords in your
|
|
||||||
authentication repository need not be in plain text. We support both SHA
|
|
||||||
and MD5 encoding, and also pluggable "salt" providers to maximise
|
|
||||||
password security. Spring Security doesn't even need to see the password
|
|
||||||
if your backend can use a bind-based strategy for authentication (such as
|
|
||||||
an LDAP directory, or a database login).
|
|
||||||
|
|
||||||
* <<Run-as replacement:>> The system fully supports
|
|
||||||
temporarily replacing the authenticated principal for the duration of the web
|
|
||||||
request or bean invocation. This enables you to build public-facing
|
|
||||||
object tiers with different security configurations than your backend
|
|
||||||
objects.
|
|
||||||
|
|
||||||
* <<Transparent security propagation:>> Spring Security can automatically
|
|
||||||
transfer its core authentication information from one machine to another,
|
|
||||||
using a variety of protocols including RMI and Spring's HttpInvoker.
|
|
||||||
|
|
||||||
* <<Compatible with HttpServletRequest's security methods:>> Even though
|
|
||||||
Spring Security can deliver authentication using a range of pluggable mechanisms
|
|
||||||
(most of which require no web container configuration), we allow you to access
|
|
||||||
the resulting Authentication object via the getRemoteUser() and other
|
|
||||||
security methods on HttpServletRequest.
|
|
||||||
|
|
||||||
* <<Unit tests:>> A must-have of any quality security project, unit
|
|
||||||
tests are included. Our unit test coverage is very high, as shown in the
|
|
||||||
{{{acegi-security/cobertura/index.html}coverage report}}.
|
|
||||||
|
|
||||||
* <<Built by Maven:>> This assists you in effectively reusing the Acegi
|
|
||||||
Security artifacts in your own Maven-based projects.
|
|
||||||
|
|
||||||
* <<Supports your own unit tests:>> We provide a number of classes
|
|
||||||
that assist with your own unit testing of secured business objects. For
|
|
||||||
example, you can change the authentication identity and its associated
|
|
||||||
granted authorities directly within your test methods.
|
|
||||||
|
|
||||||
* <<Peer reviewed:>> Whilst nothing is ever completely secure,
|
|
||||||
using an open source security package leverages the continuous design
|
|
||||||
and code quality improvements that emerge from peer review.
|
|
||||||
|
|
||||||
* <<Community:>> Well-known for its supportive community, Spring Security
|
|
||||||
has an active group of developers and users. Visit our project resources (below)
|
|
||||||
to access these services.
|
|
||||||
|
|
||||||
* <<Apache license.>> You can confidently use Spring Security in your project.
|
|
|
@ -0,0 +1,92 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<faqs title="Frequently Asked Questions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xsi:noNamespaceSchemaLocation="http://maven.apache.org/maven-1.x/plugins/faq/faq.xsd">
|
||||||
|
|
||||||
|
<part id="general">
|
||||||
|
<title>General</title>
|
||||||
|
<faq id="web-xml">
|
||||||
|
<question>Why not just use web.xml security?</question>
|
||||||
|
<answer>
|
||||||
|
|
||||||
|
<p>Let's assume you're developing an enterprise application based on Spring.
|
||||||
|
There are four security concerns you typically need to address: authentication,
|
||||||
|
web request security, service layer security (i.e. your methods that implement
|
||||||
|
business logic), and domain object instance security (i.e. different domain objects
|
||||||
|
have different permissions). With these typical requirements in mind:
|
||||||
|
<ol>
|
||||||
|
<li><b>Authentication</b>: The servlet specification provides an approach
|
||||||
|
to authentication. However, you will need to configure the container
|
||||||
|
to perform authentication which typically requires editing of
|
||||||
|
container-specific "realm" settings. This makes a non-portable
|
||||||
|
configuration, and if you need to write an actual Java class to implement
|
||||||
|
the container's authentication interface, it becomes even more non-portable.
|
||||||
|
With Spring Security you achieve complete portability - right down to the
|
||||||
|
WAR level. Also, Spring Security offers a choice of production-proven
|
||||||
|
authentication providers and mechanisms, meaning you can switch your
|
||||||
|
authentication approaches at deployment time. This is particularly
|
||||||
|
valuable for software vendors writing products that need to work in
|
||||||
|
an unknown target environment.<br></br><br></br></li>
|
||||||
|
<li><b>Web request security:</b> The servlet specification provides an
|
||||||
|
approach to secure your request URIs. However, these URIs can only be
|
||||||
|
expressed in the servlet specification's own limited URI path format.
|
||||||
|
Spring Security provides a far more comprehensive approach. For instance,
|
||||||
|
you can use Ant paths or regular expressions, you can consider parts of the
|
||||||
|
URI other than simply the requested page (eg you can consider HTTP GET
|
||||||
|
parameters), and you can implement your own runtime source of configuration
|
||||||
|
data. This means your web request security can be dynamically changed during
|
||||||
|
the actual execution of your webapp.<br></br><br></br></li>
|
||||||
|
<li><b>Service layer and domain object security:</b> The absence of support
|
||||||
|
in the servlet specification for services layer security or domain object
|
||||||
|
instance security represent serious limitations for multi-tiered
|
||||||
|
applications. Typically developers either ignore these requirements, or
|
||||||
|
implement security logic within their MVC controller code (or even worse,
|
||||||
|
inside the views). There are serious disadvantages with this approach:<br/><br/>
|
||||||
|
<ol>
|
||||||
|
<li><i>Separation of concerns:</i> Authorization is a
|
||||||
|
crosscutting concern and should be implemented as such.
|
||||||
|
MVC controllers or views implementing authorization code
|
||||||
|
makes it more difficult to test both the controller and
|
||||||
|
authorization logic, more difficult to debug, and will
|
||||||
|
often lead to code duplication.</li>
|
||||||
|
<li><i>Support for rich clients and web services:</i> If an
|
||||||
|
additional client type must ultimately be supported, any
|
||||||
|
authorization code embedded within the web layer is
|
||||||
|
non-reusable. It should be considered that Spring remoting
|
||||||
|
exporters only export service layer beans (not MVC
|
||||||
|
controllers). As such authorization logic needs to be
|
||||||
|
located in the services layer to support a multitude of
|
||||||
|
client types.</li>
|
||||||
|
<li><i>Layering issues:</i> An MVC controller or view is simply
|
||||||
|
the incorrect architectural layer to implement authorization
|
||||||
|
decisions concerning services layer methods or domain object
|
||||||
|
instances. Whilst the Principal may be passed to the services
|
||||||
|
layer to enable it to make the authorization decision, doing
|
||||||
|
so would introduce an additional argument on every services
|
||||||
|
layer method. A more elegant approach is to use a ThreadLocal
|
||||||
|
to hold the Principal, although this would likely increase
|
||||||
|
development time to a point where it would become more
|
||||||
|
economical (on a cost-benefit basis) to simply use a dedicated
|
||||||
|
security framework.</li>
|
||||||
|
<li><i>Authorisation code quality:</i> It is often said of web
|
||||||
|
frameworks that they "make it easier to do the right things,
|
||||||
|
and harder to do the wrong things". Security frameworks are
|
||||||
|
the same, because they are designed in an abstract manner for
|
||||||
|
a wide range of purposes. Writing your own authorization code
|
||||||
|
from scratch does not provide the "design check" a framework
|
||||||
|
would offer, and in-house authorization code will typically
|
||||||
|
lack the improvements that emerge from widespread deployment,
|
||||||
|
peer review and new versions.
|
||||||
|
</li></ol>
|
||||||
|
</li>
|
||||||
|
</ol>
|
||||||
|
For simple applications, servlet specification security may just be enough.
|
||||||
|
Although when considered within the context of web container portability,
|
||||||
|
configuration requirements, limited web request security flexibility, and
|
||||||
|
non-existent services layer and domain object instance security, it becomes
|
||||||
|
clear why developers often look to alternative solutions.
|
||||||
|
</p>
|
||||||
|
</answer>
|
||||||
|
|
||||||
|
</faq>
|
||||||
|
</part>
|
||||||
|
</faqs>
|
|
@ -1,76 +1,42 @@
|
||||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||||
|
|
||||||
<!--
|
|
||||||
* ========================================================================
|
|
||||||
*
|
|
||||||
* Copyright 2004, 2005 Acegi Technology Pty Limited
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*
|
|
||||||
* ========================================================================
|
|
||||||
-->
|
|
||||||
|
|
||||||
<project name="Spring Security">
|
<project name="Spring Security">
|
||||||
<bannerLeft>
|
<skin>
|
||||||
<name>Spring Security on Sourceforge</name>
|
<groupId>org.springframework.maven.skins</groupId>
|
||||||
<src>http://sourceforge.net/sflogo.php?group_id=104215&type=5</src>
|
<artifactId>maven-spring-skin</artifactId>
|
||||||
<href>http://sourceforge.net/projects/acegisecurity</href>
|
<version>1.0.4</version>
|
||||||
</bannerLeft>
|
</skin>
|
||||||
<bannerRight>
|
<publishDate position="left" format="d MMM yyyy"/>
|
||||||
<name>Spring Security</name>
|
<bannerLeft>
|
||||||
<src>images/logo.gif</src>
|
<name>Spring Security</name>
|
||||||
<href>http://acegisecurity.org/</href>
|
<src>http://www.springframework.org/files/logo.jpg
|
||||||
</bannerRight>
|
</src>
|
||||||
|
<href>http://static.springframework.org/spring-security/
|
||||||
|
</href>
|
||||||
|
</bannerLeft>
|
||||||
<body>
|
<body>
|
||||||
|
<!--
|
||||||
<links>
|
<links>
|
||||||
<item name="Spring Security on Sourceforge" href="http://sourceforge.net/projects/acegisecurity" />
|
<item name="Spring Security on Sourceforge" href="http://sourceforge.net/projects/acegisecurity" />
|
||||||
</links>
|
</links>
|
||||||
|
-->
|
||||||
<menu name="Overview">
|
<menu name="Overview">
|
||||||
<item name="Home" href="index.html"/>
|
<item name="Home" href="index.html"/>
|
||||||
<item name="Building with Maven" href="building.html"/>
|
<item name="Building from Source" href="building.html"/>
|
||||||
<item name="Downloads" href="downloads.html"/>
|
<item name="Downloads" href="http://www.springframework.org/download/"/>
|
||||||
</menu>
|
</menu>
|
||||||
|
|
||||||
<menu name="Documentation">
|
<menu name="Documentation">
|
||||||
<item name="Suggested Steps" href="suggested.html"/>
|
<item name="Suggested Steps" href="suggested.html"/>
|
||||||
<item name="Reference Guide" href="reference.html"/>
|
<item name="Reference Guide" href="reference.html"/>
|
||||||
<item name="Sample SQL Schema" href="dbinit.txt"/>
|
|
||||||
<item name="FAQ" href="faq.html"/>
|
<item name="FAQ" href="faq.html"/>
|
||||||
<item name="Petclinic Tutorial" href="petclinic-tutorial.html"/>
|
<item name="JIRA Issue tracker" href="http://jira.springframework.org/browse/SEC"/>
|
||||||
<item name="External Web Articles" href="articles.html"/>
|
<item name="Road Map" href="http://jira.springframework.org/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel"/>
|
||||||
<item name="Products using Spring Security" href="powering.html"/>
|
|
||||||
<item name="Use without Spring" href="standalone.html"/>
|
|
||||||
<item name="Upgrading to 1.0.0" href="upgrade/upgrade-090-100.html"/>
|
|
||||||
<item name="Upgrading to 0.9.0" href="upgrade/upgrade-080-090.html"/>
|
|
||||||
<item name="Upgrading to 0.8.0" href="upgrade/upgrade-070-080.html"/>
|
|
||||||
<item name="Core JavaDocs" href="spring-security-core/apidocs/index.html" target="_blank"/>
|
|
||||||
<item name="Contacts HTTPS" href="spring-security-samples/spring-security-samples-contacts/sslhowto.txt"/>
|
|
||||||
<item name="Project Policies" href="policies.html"/>
|
|
||||||
<item name="Spring Security JIRA" href="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040"/>
|
|
||||||
<item name="Community Forum" href="http://forum.springframework.org/forumdisplay.php?f=33"/>
|
<item name="Community Forum" href="http://forum.springframework.org/forumdisplay.php?f=33"/>
|
||||||
<item name="Core Reports" href="spring-security-core/project-reports.html"/>
|
|
||||||
</menu>
|
</menu>
|
||||||
|
|
||||||
<menu name="Links" type="footer">
|
<menu ref="reports" name="Reports"/>
|
||||||
<item name="Spring Framework" href="http://www.springframework.org/" img="http://www.springframework.org/buttons/spring_white.png"/>
|
|
||||||
<item name="Interface21" href="http://www.interface21.com/" />
|
|
||||||
</menu>
|
|
||||||
<!--
|
|
||||||
<poweredBy>
|
|
||||||
<logo name="Spring" href="http://docs.codehaus.org/display/JETTY/Jetty+Powered" img="./images/small_powered_by.gif"/>
|
|
||||||
</poweredBy>
|
|
||||||
-->
|
|
||||||
</body>
|
</body>
|
||||||
</project>
|
</project>
|
||||||
|
|
|
@ -1,40 +0,0 @@
|
||||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
||||||
<document>
|
|
||||||
<properties><title>Building</title></properties>
|
|
||||||
<body>
|
|
||||||
<section name="Building Spring Security">
|
|
||||||
|
|
||||||
<subsection name="Checking Out from Subversion (SVN)">
|
|
||||||
|
|
||||||
<p>This project uses <a href="http://maven.apache.org/">Maven</a> as project manager
|
|
||||||
and build tool. We recommend you to install Maven 2.0.5 or greater before trying
|
|
||||||
the following.</p><p>To checkout Spring Security from SVN, see our
|
|
||||||
<a href="svn-usage.html">SVN Usage</a> page.</p>
|
|
||||||
|
|
||||||
</subsection>
|
|
||||||
|
|
||||||
<subsection name="Quick Build"><p>Often people reading this document just want to see if Spring Security will work
|
|
||||||
for their projects. They want to deploy a sample application, and that's about it
|
|
||||||
(after all, all the reference documentation can be read online at
|
|
||||||
<a href="http://acegisecurity.org/">http://acegisecurity.org</a>).
|
|
||||||
Assuming you've already checked out the code from subversion, start up a command prompt and
|
|
||||||
execute the following commands from the directory containing the project source:</p>
|
|
||||||
<ol>
|
|
||||||
<pre>mvn install</pre>
|
|
||||||
<pre>cd samples/contacts</pre>
|
|
||||||
<pre>mvn jetty:run</pre>
|
|
||||||
</ol>
|
|
||||||
|
|
||||||
<p>This should build the framework lirary jars, install them to your local maven repository and run the "contacts"
|
|
||||||
sample application using the maven jetty plugin (JDK 1.5 or later is required to run the Jetty plugin).
|
|
||||||
You should then be able to point your browser at
|
|
||||||
<a href="http://localhost:8080/contacts/">http://localhost:8080/contacts/</a> to use the application.
|
|
||||||
</p>
|
|
||||||
|
|
||||||
</subsection>
|
|
||||||
|
|
||||||
</section>
|
|
||||||
|
|
||||||
</body>
|
|
||||||
|
|
||||||
</document>
|
|
Loading…
Reference in New Issue