diff --git a/doc/xdocs/index.php b/doc/xdocs/index.php new file mode 100644 index 0000000000..0718d58a2d --- /dev/null +++ b/doc/xdocs/index.php @@ -0,0 +1,174 @@ + +Acegi Security System for Spring - Acegi Security System for Spring
+




+
+
+ +
Mission Statement
+
+

To provide comprehensive security services for The Spring Framework. +


+
+ +
Key Features
+
+

+
    +
  • It is ready NOW. As explained in the reference guide, the API + is now quite stable. We also use the Apache APR Project + Versioning Guidelines so you can identify backward + compatibility.



    +
  • Fast results: View our suggested steps + for the fastest way to develop complex, security-compliant applications.



    +
  • Enterprise-wide single sign on: Using Yale University's open + source Central Authentication + Service (CAS), the Acegi Security System for Spring can participate + in an enterprise-wide single sign on environment. You no longer need + every web application to have its own authentication database. Nor are + you restricted to single sign on across a single web container. Advanced + single sign on features like proxy support and forced refresh of logins + are supported by both CAS and Acegi Security.



    +
  • Reuses your Spring expertise: We use Spring application + contexts for all configuration, which should help Spring developers get + up-to-speed nice and quickly.



    +
  • Domain object instance security: In many applications it's + desirable to define Access Control Lists (ACLs) for individual domain + object instances. We provide a comprehensive ACL package with features + including integer bit masking, permission inheritence (including + blocking), a JDBC-backed ACL repository, caching and a pluggable, + interface-driven design.



    +
  • Non-intrusive setup: The entire security system can operate + within a single web application using the provided filters. There is no + need to make special changes or deploy libraries to your Servlet or EJB + container.



    +
  • Full (but optional) container integration: The credential + collection and authorization capabilities of your Servlet or EJB + container can be fully utilised via included "container adapters". We + currently support Catalina (Tomcat), Jetty, JBoss and Resin, with + additional containers easily added.



    +
  • Keeps your objects free of security code: Many applications + need to secure data at the bean level based on any combination of + parameters (user, time of day, authorities held, method being invoked, + parameter on method being invoked....). This package gives you this + flexibility without adding security code to your Spring business + objects.



    +
  • After invocation security: Acegi Security can not only protect + methods from being invoked in the first place, but it can also + deal with the Objects returned from the methods. Included implementations + of after invocation security can throw an exception or mutate the returned + object based on ACLs.



    +
  • Secures your HTTP requests as well: In addition to securing + your beans, the project also secures your HTTP requests. No longer is it + necessary to rely on web.xml security constraints. Best of all, your + HTTP requests can now be secured by your choice of regular expressions + or Apache Ant paths, along with pluggable authentication, authorization + and run-as replacement managers.



    +
  • Channel security: The Acegi Security System for Spring can + automatically redirect requests across an appropriate transport channel. + Whilst flexible enough to support any of your "channel" requirements (eg + the remote user is a human, not a robot), a common channel security + feature is to ensure your secure pages will only be available over + HTTPS, and your public pages only over HTTP. Acegi Security also + supports unusual port combinations and pluggable transport decision + managers.



    +
  • Supports HTTP BASIC authentication: Perfect for remoting + protocols or those web applications that prefer a simple browser pop-up + (rather than a form login), Acegi Security can directly process HTTP + BASIC authentication requests as per RFC 1945.



    +
  • Supports HTTP Digest authentication: For greater security than + offered by BASIC authentcation, Acegi Security also supports Digest Authentication + (which never sends the user's password across the wire). Digest Authentication + is widely supported by modern browsers. Acegi Security's implementation complies + with both RFC 2617 and RFC 2069.



    +
  • Convenient security taglib: Your JSP files can use our taglib + to ensure that protected content like links and messages are only + displayed to users holding the appropriate granted authorities. The taglib + also fully integrates with Acegi Security's ACL services.



    +
  • Application context or attribute-based configuration: You + select the method used to configure your security environment. The + project supports configuration via Spring application contexts as well + as Jakarta Commons Attributes.



    +
  • Various authentication backends: We include the ability to + retrieve your user and granted authority definitions from either an XML + file or JDBC datasource. Alternatively, you can implement the + single-method DAO interface and obtain authentication details from + anywhere you like.



    +
  • Event support: Building upon Spring's + ApplicationEvent services, you can write your own listeners + for authentication-related events, along with authorisation-related events. + This enables you to implement account lockout and audit log systems, with + complete decoupling from Acegi Security code.



    +
  • Easy integration with existing databases: Our implementations + have been designed to make it very easy to use your existing + authentication schema and data (without modification). Of course, + you can also provide your own Data Access Object if you wish.



    +
  • Caching: Acegi Security integrates with Spring's EHCACHE factory. + This flexibility means your database (or other authentication + repository) is not repeatedly queried for authentication + information.



    +
  • Pluggable architecture: Every critical aspect of the package + has been modelled using high cohesion, loose coupling, interface-driven + design principles. You can easily replace, customise or extend parts of + the package.



    +
  • Startup-time validation: Every critical object dependency and + configuration parameter is validated at application context startup + time. Security configuration errors are therefore detected early and + corrected quickly.



    +
  • Remoting support: Does your project use a rich client? Not a + problem. Acegi Security integrates with standard Spring remoting + protocols, because it automatically processes the HTTP BASIC + authentication headers they present. Add our BASIC authentication filter + to your web.xml and you're done.



    +
  • Advanced password encoding: Of course, passwords in your + authentication repository need not be in plain text. We support both SHA + and MD5 encoding, and also pluggable "salt" providers to maximise + password security.



    +
  • Run-as replacement: The security system fully supports + temporarily replacing the authenticated user for the duration of the web + request or bean invocation. This enables you to build public-facing + object tiers with different security configurations than your backend + objects.



    +
  • Transparent security propagation: Acegi Security can automatically + transfer its core authentication information from one machine to another, + using a variety of protocols including RMI and Spring's HttpInvoker.



    +
  • Compatible with HttpServletRequest.getRemoteUser(): Even though + Acegi Security can deliver authentication using a range of pluggable mechanisms + (most of which require no web container configuration), we allow you to access + the resulting Authentication object via the getRemoteUser() method.



    +
  • Unit tests: A must-have of any quality security project, unit + tests are included. Our unit test coverage is very high, as shown in the + coverage report.



    +
  • Built by Maven: This assists you in effectively reusing the Acegi + Security artifacts in your own Maven-based projects.



    +
  • Supports your own unit tests: We provide a number of classes + that assist with your own unit testing of secured business objects. For + example, you can change the authentication identity and its associated + granted authorities directly within your test methods.



    +
  • Peer reviewed: Whilst nothing is ever completely secure, + using an open source security package leverages the continuous design + and code quality improvements that emerge from peer review.



    +
  • Thorough documentation: All APIs are fully documented using + JavaDoc, with a 40+ page + Reference Guide providing an easy-to-follow + introduction. More documentation is provided on this web site, as + shown in the left hand navigation sidebar.



    +
  • Apache license.





+
+ +
Project Resources
+
+

+
Support + Forums



Downloads +