Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-696: Updated out of date information in site files and pom. Added aggregation of javadoc and other reports

This commit is contained in:
Luke Taylor 2008-03-06 17:15:30 +00:00
parent 44f1e751a9
commit a5ed80248d
6 changed files with 197 additions and 304 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
pom.xml
View File

@ -48,8 +48,12 @@
<issueManagement>
<system>jira</system>
<url>http://opensource.atlassian.com/projects/spring/browse/SEC</url>
<url>http://jira.springframework.org/browse/SEC</url>
</issueManagement>
<ciManagement>
<system>bamboo</system>
<url>http://build.springframework.org:8085/bamboo/</url>
</ciManagement>
<distributionManagement>
<repository>
@ -88,6 +92,13 @@
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>Codehaus Snapshots</id>
<url>http://snapshots.repository.codehaus.org/</url>
</pluginRepository>
</pluginRepositories>
<mailingLists>
<mailingList>
<name>Acegi Developer List</name>
@ -118,7 +129,7 @@
<id>benalex</id>
<email>benalex at users.sourceforge.net</email>
<organization>
Acegi Technology Pty Limited (http://www.acegi.com.au)
SpringSource
</organization>
<timezone>+10</timezone>
</developer>
@ -138,7 +149,7 @@
<id>luke_t</id>
<email>luke_t at users.sourceforge.net</email>
<organization>
Monkey Machine Ltd. (http://monkeymachine.ltd.uk)
SpringSource
</organization>
<timezone>0</timezone>
</developer>
@ -468,10 +479,16 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>2.3.1</version>
<configuration>
<aggregate>true</aggregate>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<configuration>
<aggregate>true</aggregate>
</configuration>
</plugin>
<!--
<plugin>
@ -493,7 +510,12 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>2.3</version>
<configuration>
<aggregate>true</aggregate>
<header>Spring Security Framework</header>
<quiet>true</quiet>
<excludePackageNames>sample,bigbank</excludePackageNames>
<links>
<link>
http://java.sun.com/j2se/1.5.0/docs/api
@ -530,6 +552,14 @@
</link>
</links>
</configuration>
<reportSets>
<reportSet>
<reports>
<report>javadoc</report>
<!-- <report>test-javadoc</report> -->
</reports>
</reportSet>
</reportSets>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
@ -539,6 +569,7 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.0.1</version>
<!--
<reportSets>
<reportSet>
<reports>
@ -550,6 +581,7 @@
</reports>
</reportSet>
</reportSets>
-->
</plugin>
</plugins>
</reporting>

36
src/site/apt/building.apt Normal file
View File

@ -0,0 +1,36 @@
------------------------
Building the Project
------------------------
Building the Project
* Install Maven
This project uses {{{"http://maven.apache.org/"}Maven}} as a build tool.
We recommend you to install Maven 2.0.7 or greater before trying
the following.
* Check out the source code
To checkout Spring Security from SVN, see our {{{"svn-usage.html"}SVN Usage}} page.
* Building with Maven
Often people reading this document just want to see if Spring Security will work
for their projects. They want to deploy a sample application, and perhaps play around with the
configuration a bit to see how it works. Assuming you've already checked out the code from subversion,
start up a command prompt and execute the following commands from the directory containing the project source:
+----------------------------------------------------------------------------------------------------------------------+
mvn install
cd samples/contacts
mvn jetty:run
+----------------------------------------------------------------------------------------------------------------------+
This should build the framework library jars, install them to your local Maven repository and run the "contacts"
sample application (JDK 1.5 or later is required). You should then be able to point your browser at
{{{http://localhost:8080/contacts/}}} to use the application.

209
src/site/apt/index.apt
View File

@ -4,207 +4,14 @@
What is Spring Security?
Spring Security is a powerful, flexible security solution for enterprise software,
with a particular emphasis on applications that use
{{{http://www.springframework.org/}Spring}}. Using Spring Security provides your
applications with comprehensive authentication, authorization, instance-based access control,
channel security and human user detection capabilities.
Spring Security is the renamed Acegi Security System for Spring, which became an official Spring
Portfolio project towards the end of 2007. It is the portolio's security offering, focused on providing a powerful and
flexible security solution for enterprise applications developed using the Spring Framework.
It is a stable and mature product - Acegi Security 1.0.0 was released in May 2006 after more than two and a half
years of use in large production software projects.
Key Features
Spring Security 2.0 builds on Acegi Security's solid foundations, adding new features such as a simplified
namespace configuration syntax.
* <<Stable and mature:>> Acegi Security 1.0.0 was released in May 2006 after
more than two and a half years of use in large production software projects, 70,000+ downloads
and hundreds of community contributions.
In terms of release numbering, we also use the
{{{http://apr.apache.org/versioning.html}Apache APR Project Versioning Guidelines}} so that you can easily identify release compatibility.
* <<Well documented:>> All APIs are fully documented using
{{{http://acegisecurity.org/multiproject/acegi-security/apidocs/index.html}JavaDoc}},
with almost 100 pages of
{{{./reference.html}Reference Guide}} documentation providing an easy-to-follow
introduction. Even more documentation is provided on this web site, as
shown in the left hand navigation sidebar.
* <<Fast results:>> View our {{{./suggested.html}suggested steps}}
for the fastest way to develop complex, security-compliant applications.
* <<Enterprise-wide single sign on:>> Using JA-SIG's open
source {{{http://www.ja-sig.org/products/cas/}Central Authentication Service}} (CAS),
the Spring Security can participate
in an enterprise-wide single sign on environment. You no longer need
every web application to have its own authentication database. Nor are
you restricted to single sign on across a single web container. Advanced
single sign on features like proxy support and forced refresh of logins
are supported by both CAS and Spring Security. Several other SSO solutions
are also provided by third party projects, including JOSSO and CAS.
* <<Reuses your Spring expertise:>> We use Spring application
contexts for all configuration, which should help Spring developers get
up-to-speed nice and quickly.
* <<Domain object instance security:>> In many applications it's
desirable to define Access Control Lists (ACLs) for individual domain
object instances. We provide a comprehensive ACL package with features
including integer bit masking, permission inheritence (including
blocking), a JDBC-backed ACL repository, caching and a pluggable,
interface-driven design.
* <<Non-intrusive setup:>> The entire security system can operate
within a single web application using the provided filters. There is no
need to make special changes or deploy libraries to your Servlet or EJB
container.
* <<Full (but optional) container integration:>> The credential
collection and authorization capabilities of your Servlet or EJB
container can be fully utilised via included "container adapters". We
currently support Catalina (Tomcat), Jetty, JBoss and Resin, with
additional containers easily added.
* <<Keeps your objects free of security code:>> Many applications
need to secure data at the bean level based on any combination of
parameters (user, time of day, authorities held, method being invoked,
parameter on method being invoked....). This package gives you this
flexibility without adding security code to your Spring business
objects.
* <<After invocation security:>> Spring Security can not only protect
methods from being invoked in the first place, but it can also
deal with the objects returned from the methods. Included implementations
of after invocation security can throw an exception or mutate the returned
object based on ACLs.
* <<Secures your HTTP requests as well:>> In addition to securing
your beans, the project also secures your HTTP requests. No longer is it
necessary to rely on web.xml security constraints. Best of all, your
HTTP requests can now be secured by your choice of regular expressions
or Apache Ant paths, along with pluggable authentication, authorization
and run-as replacement managers.
* <<Channel security:>> Spring Security can
automatically redirect requests across an appropriate transport channel.
Whilst flexible enough to support any of your "channel" requirements (eg
the remote user is a human, not a robot), a common channel security
feature is to ensure your secure pages will only be available over
HTTPS, and your public pages only over HTTP. Spring Security also
supports unusual port combinations (including if accessed via an
intermediate server like Apache) and pluggable transport decision
managers.
* <<Supports HTTP BASIC authentication:>> Perfect for remoting
protocols or those web applications that prefer a simple browser pop-up
(rather than a form login), Spring Security can directly process HTTP
BASIC authentication requests as per RFC 1945.
* <<Supports HTTP Digest authentication:>> For greater security than
offered by BASIC authentcation, Spring Security also supports Digest Authentication
(which never sends the user's password across the wire). Digest Authentication
is widely supported by modern browsers. Spring Security's implementation complies
with both RFC 2617 and RFC 2069.
* <<Computer Associates Siteminder support:>> Authentication can be
delegated through to CA's Siteminder solution, which is common in large
corporate environments.
* <<X509 (Certificate) support:>> Spring Security can easily read
client-side X509 certificates for authenticating users.
* <<LDAP Support:>> Do you have an LDAP directory? Spring Security can
happily authenticate against it.
* <<Tag library support:>> Your JSP files can use our taglib
to ensure that protected content like links and messages are only
displayed to users holding the appropriate granted authorities. The taglib
also fully integrates with Spring Security's ACL services, and
obtaining extra information about the logged-in principal.
* <<Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:>> You
select the method used to configure your security environment. The
project supports configuration via Spring application contexts, as well
as Jakarta Commons Attributes and Java 5's annotations feature. Some users
(such as those building content management systems) pull configuration data
from a database, which exemplifies Spring Security's flexible configuration
metadata system.
* <<Various authentication backends:>> We include the ability to
retrieve your user and granted authority definitions from an XML
file, JDBC datasource or Properties file. Alternatively, you can implement the
single-method UserDetailsService interface and obtain authentication details from
anywhere you like.
* <<Event support:>> Building upon Spring's
<<<ApplicationEvent>>> services, you can write your own listeners
for authentication-related events, along with authorisation-related events.
This enables you to implement account lockout and audit log systems, with
complete decoupling from Spring Security code.
* <<Easy integration with existing databases:>> Our implementations
have been designed to make it very easy to use your existing
authentication schema and data (without modification). Of course,
you can also provide your own Data Access Object if you wish.
* <<Caching:>> Spring Security integrates with Spring's {{{http://ehcache.sourceforge.net}EHCACHE}} factory.
This flexibility means your database (or other authentication
repository) is not repeatedly queried for authentication
information.
* <<Pluggable architecture:>> Every critical aspect of the package
has been modelled using high cohesion, loose coupling, interface-driven
design principles. You can easily replace, customise or extend parts of
the package.
* <<Startup-time validation:>> Every critical object dependency and
configuration parameter is validated at application context startup
time. Security configuration errors are therefore detected early and
corrected quickly.
* <<Remoting support:>> Does your project use a rich client? Not a
problem. Spring Security integrates with standard Spring remoting
protocols, because it automatically processes the HTTP BASIC
authentication headers they present. Add our BASIC authentication filter
to your web.xml and you're done. You can also easily use RMI or Digest
authentication for your rich clients with a simple configuration statement.
* <<Advanced password encoding:>> Of course, passwords in your
authentication repository need not be in plain text. We support both SHA
and MD5 encoding, and also pluggable "salt" providers to maximise
password security. Spring Security doesn't even need to see the password
if your backend can use a bind-based strategy for authentication (such as
an LDAP directory, or a database login).
* <<Run-as replacement:>> The system fully supports
temporarily replacing the authenticated principal for the duration of the web
request or bean invocation. This enables you to build public-facing
object tiers with different security configurations than your backend
objects.
* <<Transparent security propagation:>> Spring Security can automatically
transfer its core authentication information from one machine to another,
using a variety of protocols including RMI and Spring's HttpInvoker.
* <<Compatible with HttpServletRequest's security methods:>> Even though
Spring Security can deliver authentication using a range of pluggable mechanisms
(most of which require no web container configuration), we allow you to access
the resulting Authentication object via the getRemoteUser() and other
security methods on HttpServletRequest.
* <<Unit tests:>> A must-have of any quality security project, unit
tests are included. Our unit test coverage is very high, as shown in the
{{{acegi-security/cobertura/index.html}coverage report}}.
* <<Built by Maven:>> This assists you in effectively reusing the Acegi
Security artifacts in your own Maven-based projects.
* <<Supports your own unit tests:>> We provide a number of classes
that assist with your own unit testing of secured business objects. For
example, you can change the authentication identity and its associated
granted authorities directly within your test methods.
* <<Peer reviewed:>> Whilst nothing is ever completely secure,
using an open source security package leverages the continuous design
and code quality improvements that emerge from peer review.
* <<Community:>> Well-known for its supportive community, Spring Security
has an active group of developers and users. Visit our project resources (below)
to access these services.
* <<Apache license.>> You can confidently use Spring Security in your project.
~~ TODO: Expand based on original Acegi page.

92
src/site/fml/faq.fml Normal file
View File

@ -0,0 +1,92 @@
<?xml version="1.0" encoding="UTF-8"?>
<faqs title="Frequently Asked Questions" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://maven.apache.org/maven-1.x/plugins/faq/faq.xsd">
<part id="general">
<title>General</title>
<faq id="web-xml">
<question>Why not just use web.xml security?</question>
<answer>
<p>Let's assume you're developing an enterprise application based on Spring.
There are four security concerns you typically need to address: authentication,
web request security, service layer security (i.e. your methods that implement
business logic), and domain object instance security (i.e. different domain objects
have different permissions). With these typical requirements in mind:
<ol>
<li><b>Authentication</b>: The servlet specification provides an approach
to authentication. However, you will need to configure the container
to perform authentication which typically requires editing of
container-specific "realm" settings. This makes a non-portable
configuration, and if you need to write an actual Java class to implement
the container's authentication interface, it becomes even more non-portable.
With Spring Security you achieve complete portability - right down to the
WAR level. Also, Spring Security offers a choice of production-proven
authentication providers and mechanisms, meaning you can switch your
authentication approaches at deployment time. This is particularly
valuable for software vendors writing products that need to work in
an unknown target environment.<br></br><br></br></li>
<li><b>Web request security:</b> The servlet specification provides an
approach to secure your request URIs. However, these URIs can only be
expressed in the servlet specification's own limited URI path format.
Spring Security provides a far more comprehensive approach. For instance,
you can use Ant paths or regular expressions, you can consider parts of the
URI other than simply the requested page (eg you can consider HTTP GET
parameters), and you can implement your own runtime source of configuration
data. This means your web request security can be dynamically changed during
the actual execution of your webapp.<br></br><br></br></li>
<li><b>Service layer and domain object security:</b> The absence of support
in the servlet specification for services layer security or domain object
instance security represent serious limitations for multi-tiered
applications. Typically developers either ignore these requirements, or
implement security logic within their MVC controller code (or even worse,
inside the views). There are serious disadvantages with this approach:<br/><br/>
<ol>
<li><i>Separation of concerns:</i> Authorization is a
crosscutting concern and should be implemented as such.
MVC controllers or views implementing authorization code
makes it more difficult to test both the controller and
authorization logic, more difficult to debug, and will
often lead to code duplication.</li>
<li><i>Support for rich clients and web services:</i> If an
additional client type must ultimately be supported, any
authorization code embedded within the web layer is
non-reusable. It should be considered that Spring remoting
exporters only export service layer beans (not MVC
controllers). As such authorization logic needs to be
located in the services layer to support a multitude of
client types.</li>
<li><i>Layering issues:</i> An MVC controller or view is simply
the incorrect architectural layer to implement authorization
decisions concerning services layer methods or domain object
instances. Whilst the Principal may be passed to the services
layer to enable it to make the authorization decision, doing
so would introduce an additional argument on every services
layer method. A more elegant approach is to use a ThreadLocal
to hold the Principal, although this would likely increase
development time to a point where it would become more
economical (on a cost-benefit basis) to simply use a dedicated
security framework.</li>
<li><i>Authorisation code quality:</i> It is often said of web
frameworks that they "make it easier to do the right things,
and harder to do the wrong things". Security frameworks are
the same, because they are designed in an abstract manner for
a wide range of purposes. Writing your own authorization code
from scratch does not provide the "design check" a framework
would offer, and in-house authorization code will typically
lack the improvements that emerge from widespread deployment,
peer review and new versions.
</li></ol>
</li>
</ol>
For simple applications, servlet specification security may just be enough.
Although when considered within the context of web container portability,
configuration requirements, limited web request security flexibility, and
non-existent services layer and domain object instance security, it becomes
clear why developers often look to alternative solutions.
</p>
</answer>
</faq>
</part>
</faqs>

72
src/site/site.xml
View File

@ -1,76 +1,42 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
* ========================================================================
*
* Copyright 2004, 2005 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<project name="Spring Security">
<skin>
<groupId>org.springframework.maven.skins</groupId>
<artifactId>maven-spring-skin</artifactId>
<version>1.0.4</version>
</skin>
<publishDate position="left" format="d MMM yyyy"/>
<bannerLeft>
<name>Spring Security on Sourceforge</name>
<src>http://sourceforge.net/sflogo.php?group_id=104215&amp;type=5</src>
<href>http://sourceforge.net/projects/acegisecurity</href>
</bannerLeft>
<bannerRight>
<name>Spring Security</name>
<src>images/logo.gif</src>
<href>http://acegisecurity.org/</href>
</bannerRight>
<src>http://www.springframework.org/files/logo.jpg
</src>
<href>http://static.springframework.org/spring-security/
</href>
</bannerLeft>
<body>
<!--
<links>
<item name="Spring Security on Sourceforge" href="http://sourceforge.net/projects/acegisecurity" />
</links>
-->
<menu name="Overview">
<item name="Home" href="index.html"/>
<item name="Building with Maven" href="building.html"/>
<item name="Downloads" href="downloads.html"/>
<item name="Building from Source" href="building.html"/>
<item name="Downloads" href="http://www.springframework.org/download/"/>
</menu>
<menu name="Documentation">
<item name="Suggested Steps" href="suggested.html"/>
<item name="Reference Guide" href="reference.html"/>
<item name="Sample SQL Schema" href="dbinit.txt"/>
<item name="FAQ" href="faq.html"/>
<item name="Petclinic Tutorial" href="petclinic-tutorial.html"/>
<item name="External Web Articles" href="articles.html"/>
<item name="Products using Spring Security" href="powering.html"/>
<item name="Use without Spring" href="standalone.html"/>
<item name="Upgrading to 1.0.0" href="upgrade/upgrade-090-100.html"/>
<item name="Upgrading to 0.9.0" href="upgrade/upgrade-080-090.html"/>
<item name="Upgrading to 0.8.0" href="upgrade/upgrade-070-080.html"/>
<item name="Core JavaDocs" href="spring-security-core/apidocs/index.html" target="_blank"/>
<item name="Contacts HTTPS" href="spring-security-samples/spring-security-samples-contacts/sslhowto.txt"/>
<item name="Project Policies" href="policies.html"/>
<item name="Spring Security JIRA" href="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040"/>
<item name="JIRA Issue tracker" href="http://jira.springframework.org/browse/SEC"/>
<item name="Road Map" href="http://jira.springframework.org/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel"/>
<item name="Community Forum" href="http://forum.springframework.org/forumdisplay.php?f=33"/>
<item name="Core Reports" href="spring-security-core/project-reports.html"/>
</menu>
<menu name="Links" type="footer">
<item name="Spring Framework" href="http://www.springframework.org/" img="http://www.springframework.org/buttons/spring_white.png"/>
<item name="Interface21" href="http://www.interface21.com/" />
</menu>
<!--
<poweredBy>
<logo name="Spring" href="http://docs.codehaus.org/display/JETTY/Jetty+Powered" img="./images/small_powered_by.gif"/>
</poweredBy>
-->
<menu ref="reports" name="Reports"/>
</body>
</project>

40
src/site/xdoc/building.xml
View File

@ -1,40 +0,0 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<document>
<properties><title>Building</title></properties>
<body>
<section name="Building Spring Security">
<subsection name="Checking Out from Subversion (SVN)">
<p>This project uses <a href="http://maven.apache.org/">Maven</a> as project manager
and build tool. We recommend you to install Maven 2.0.5 or greater before trying
the following.</p><p>To checkout Spring Security from SVN, see our
<a href="svn-usage.html">SVN Usage</a> page.</p>
</subsection>
<subsection name="Quick Build"><p>Often people reading this document just want to see if Spring Security will work
for their projects. They want to deploy a sample application, and that's about it
(after all, all the reference documentation can be read online at
<a href="http://acegisecurity.org/">http://acegisecurity.org</a>).
Assuming you've already checked out the code from subversion, start up a command prompt and
execute the following commands from the directory containing the project source:</p>
<ol>
<pre>mvn install</pre>
<pre>cd samples/contacts</pre>
<pre>mvn jetty:run</pre>
</ol>
<p>This should build the framework lirary jars, install them to your local maven repository and run the "contacts"
sample application using the maven jetty plugin (JDK 1.5 or later is required to run the Jetty plugin).
You should then be able to point your browser at
<a href="http://localhost:8080/contacts/">http://localhost:8080/contacts/</a> to use the application.
</p>
</subsection>
</section>
</body>
</document>