More documentation updates.

This commit is contained in:
Ben Alex 2004-12-23 00:15:00 +00:00
parent b2e035424a
commit c8055b57d7
5 changed files with 159 additions and 50 deletions

View File

@ -22,42 +22,42 @@
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Articles, Blog Posts and Comments covering Acegi Security</title>
<title>External Web Articles covering Acegi Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Articles, Blog Posts and Comments covering Acegi Security</h1>
<h1>External Web Articles covering Acegi Security<</h1>
<p>Here are some of the external pages mentioning Acegi Security. If you've
found another, please let us know.
<ul>
<li><b><a href="http://www.springframework.org">Spring Forums</a></b>:
The first place to look for Acegi Security support (use the 'search' function).
The first place to look for Acegi Security support (use the 'search' function).<br><br>
</li>
<li><b><a href="mail-lists.html">Acegi Security Mailing Lists</a></b>:
If you'd like to discuss development of the project.
If you'd like to discuss development of the project.<br><br>
</li>
<li><b><a href="http://www.javalobby.org/articles/acegisecurity/part1.jsp">Securing Your Java Applications - Acegi Security Style</a></b>:
Matthew Porter wrote this good introductory article for Javalobby.
Matthew Porter wrote this good introductory article for Javalobby.<br><br>
</li>
<li><b><a href="http://confluence.sourcebeat.com/display/SPL/Update+Chapters">Spring Live Update Chapters</a></b>:
Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.
Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.<br><br>
</li>
<li><b><a href="http://tp.its.yale.edu/tiki/tiki-view_faq.php?faqId=2#q16">Central Authentication Service FAQ</a></b>:
A general overview of how Acegi Security is used with Yale's CAS.
A general overview of how Acegi Security is used with Yale's CAS.<br><br>
</li>
<li><b><a href="http://jroller.com/page/habuma/20041124#simplifying_acegi_configuration">Simplifying Acegi Configuration</a></b>:
Craig Walls provides a good approach to reusing your Acegi Security configuration between projects.
Craig Walls provides a good approach to reusing your Acegi Security configuration between projects.<br><br>
</li>
<li><b><a href="http://www.almaer.com/blog/archives/000500.html">Let's leak IoC/DI into standards. You miss them when they aren't there!</a></b>:
Ain't that the truth! A good example of where Acegi Security's <code>FilterToProxyBean</code> comes in handy.
Ain't that the truth! A good example of where Acegi Security's <code>FilterToProxyBean</code> comes in handy.<br><br>
</li>
<li><b><a href="http://www.manageability.org/blog/stuff/single-sign-on-in-java/view">Open Source Identity Management Solutions Written in Java</a></b>:
From <code>manageability.org</code>.
From <code>manageability.org</code>.<br><br>
</li>
<li><b><a href="http://www.orablogs.com/fnimphius/archives/000730.html">J2EE Security: Struts "Shale" proposal does improve web application security</a></b>:
Frank Nimphius' blog contained some comments on Acegi Security. See
our <a href="faq.html">FAQ</a> for additional JAAS comments.
Frank Nimphius' blog contains some comments on Acegi Security. See
our <a href="faq.html">FAQ</a> for additional JAAS comments.<br><br>
</li>
</ul>
</body>
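Review bot: the new heading on the `<h1>` line has a stray `<` before `</h1>` (`External Web Articles covering Acegi Security<</h1>`), which will render a literal "<" at the end of the title; drop it. Since the file declares the XHTML namespace and already self-closes `<meta ... />`, the added `<br><br>` breaks should be `<br /><br />` to keep the document well-formed, and the `<p>` opened just before the `<ul>` is never closed.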

View File

@ -29,8 +29,105 @@
<body>
<h1>Frequently Asked Questions</h1>
<h2>What is Acegi Security?</h2>
<p>Acegi Security is an open source project that provide comprehensive authentication
and authorisation services for enterprise applications based on
<a href="http://www.springframework.org">The Spring Framework</a>.
Acegi Security can authenticate using a variety of pluggable providers, and
can authorise both web requests and method invocations.
Acegi Security provides an integrated security approach across
these various targets, and also offers access control list (ACL) capabilities to
enable individual domain object instances to be secured. At an implementation
level, Acegi Security is managed through Spring's inversion of control and
lifecycle services, and actually enforces security using interception through
servlet Filters and Java AOP frameworks. In terms of AOP framework support, Acegi
Security currently supports AOP Alliance (which is what the
Spring IoC container uses internally) and AspectJ, although additional frameworks
can be easily supported.</p>
<h2>Why not just use web.xml security?</h2>
<p>Let's assuming you're developing an enterprise application based on Spring.
There are four security concerns you typically need to address: authentication,
web request security, service layer security (ie your methods that implement
business logic), and domain object instance security (ie different domain objects
have different permissions). With these typical requirements in mind:
<ol>
<li><b>Authentication</b>: The servlet specification provides an approach
to authentication. However, you will need to configure the container
to perform authentication which typically requires editing of
container-specific "realm" settings. This makes a non-portable
configuration, and if you need to write an actual Java class to implement
the container's authentication interface, it becomes even more non-portable.
With Acegi Security you achieve complete portability - right down to the
WAR level. Also, Acegi Security offers a choice of production-proven
authentication providers and mechanisms, meaning you can switch your
authentication approaches at deployment time. This is particularly
valuable for software vendors writing products that need to work in
an unknown target environment.<br><br></li>
<li><b>Web request security:</b> The servlet specification provides an
approach to secure your request URIs. However, these URIs can only be
expressed in the servlet specification's own limited URI path format.
Acegi Security provides a far more comprehensive approach. For instance,
you can use Ant paths or regular expressions, you can consider parts of the
URI other than simply the requested page (eg you can consider request
parameters), and you can implement your own runtime source of configuration
data. This means your web request security can be dynamically changed during
the actual execution of your webapp.<br><br></li>
<li><b>Service layer and domain object security:</b> The absence of support
in the servlet specification for services layer security or domain object
instance security represent serious limitations for multi-tiered
applications. Typically developers either ignore these requirements, or
implement security logic within their MVC controller code (or even worse,
inside the views). There are serious disadvantages with this approach:<br><br>
<ol>
<li><i>Separation of concerns:</i> Authorization is a
crosscutting concern and should be implemented as such.
MVC controllers or views implementing authorization code
makes it more difficult to test both the controller and
authorization logic, more difficult to debug, and will
often lead to code duplication.</li>
<li><i>Support for rich clients and web services:</i> If an
additional client type must ultimately be supported, any
authorization code embedded within the web layer is
non-reusable. It should be considered that Spring remoting
exporters only export service layer beans (not MVC
controllers). As such authorization logic needs to be
located in the services layer to support a multitude of
client types.</li>
<li><i>Layering issues:</i> An MVC controller or view is simply
the incorrect architectural layer to implement authorization
decisions concerning services layer methods or domain object
instances. Whilst the Principal may be passed to the services
layer to enable it to make the authorization decision, doing
so would introduce an additional argument on every services
layer method. A more elegant approach is to use a ThreadLocal
to hold the Principal, although this would likely increase
development time to a point where it would become more e
conomical (on a cost-benefit basis) to simply use a dedicated
security framework.</li>
<li><i>Authorisation code quality:</i> It is often said of web
frameworks that they "make it easier to do the right things,
and harder to do the wrong things". Security frameworks are
the same, because they are designed in an abstract manner for
a wide range of purposes. Writing your own authorization code
from scratch does not provide the "design check" a framework
would offer, and in-house authorization code will typically
lack the improvements that emerge from widespread deployment,
peer review and new versions.
</ol>
</li>
</ol>
For simple applications, servlet specification may just be enough.
Although when considered within the context of web container portability,
configuration requirements, limited web request security flexibility, and
non-existent services layer and domain object instance security, it becomes
clear why developers often look to alternative solutions.
</p>
<h2>How do you pronounce "Acegi"?</h2>
<p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.</p>
<p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.
Acegi isn't an acronym, name of a Greek God or anything similarly
impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.</p>
<h2>Is it called "Acegi" or "Acegi Security"?</h2>
<p>It's official name is <i>Acegi Security System for Spring</i>,
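Review bot: several grammar slips in the added text: "that provide comprehensive" should be "that provides", "Let's assuming" should be "Let's assume", "represent serious limitations" should be "represents", and "It's official name" should be "Its official name". The word "economical" is broken across two source lines as "e" / "conomical" and will render with a space in the middle. Structurally, the last `<li>` of the inner list ("Authorisation code quality") has no closing `</li>` before `</ol>`, and the whole `<ol>` sits inside the `<p>` opened at "Let's assuming", which XHTML does not allow (block content inside a paragraph); close the paragraph before the list and reopen it after. The same list also mixes "Authorization" and "Authorisation"; pick one spelling.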
@ -39,7 +136,7 @@
as that gets confused with the name of the company that maintains Acegi
Security.</p>
<h2>Why catches 80% of users reporting problems?</h2>
<h2>What catches 80% of users reporting problems?</h2>
<p>80% of support questions are because people have not defined
the necessary filters in <code>web.xml</code>, or the filters are being
mapped in the incorrect order. Check the
@ -55,11 +152,6 @@
<code>UserDetails</code> object generated by your <code>AuthenticationDao</code>
to the log and check it looks correct.</p>
<h2>How do I store custom properties, like a user's email address?</h2>
<p>In most cases write an <code>AuthenticationDao</code> which returns
a subclass of <code>User</code>. Alternatively, write your own
<code>UserDetails</code> implementation from scratch and return that.</p>
<h2>I need some help. What files should I post?</h2>
<p>The most important things to post with any support requests on the
<a href="http://forum.springframework.org">Spring Forums</a> are your
@ -82,6 +174,11 @@
log4j.category.net.sf.acegisecurity=DEBUG</pre>
<h2>How do I store custom properties, like a user's email address?</h2>
<p>In most cases write an <code>AuthenticationDao</code> which returns
a subclass of <code>User</code>. Alternatively, write your own
<code>UserDetails</code> implementation from scratch and return that.</p>
<h2>Why doesn't Acegi Security use JAAS?</h2>
<p>Acegi Security targets <i>enterprise applications</i>, which are typically
multi-user, data-oriented applications that are important to

View File

@ -25,10 +25,8 @@
href="http://apr.apache.org/versioning.html">Apache APR Project
Versioning Guidelines</A> so you can identify backward
compatibility.<BR><BR>
<LI><B>Easy to use:</B> View our samples/quick-start directory for XML
you can simply copy and paste into applicationContext.xml and web.xml.
From there it's easy to customise Acegi Security to your unique security
needs.<BR><BR>
<LI><B>Fast results:</B> View our <a href="suggested.html">Suggested Steps</a>
for the fastest way to develop complex, security-compliant applications.<BR><BR>
<LI><B>Enterprise-wide single sign on:</B> Using Yale University's open
source <A href="http://www.yale.edu/tp/auth/">Central Authentication
Service</A> (CAS), the Acegi Security System for Spring can participate
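Review bot: removing the "Fast results" bullet also removes this page's only link to suggested.html, while the navigation menu still advertises "Suggested Steps"; keep a pointer to that page somewhere in the feature list so first-time readers can find the recommended order of work.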
@ -61,6 +59,11 @@
parameter on method being invoked....). This package gives you this
flexibility without adding security code to your Spring business
objects.<BR><BR>
<LI><B>After invocation security:</B> Acegi Security can not only protect
methods from being invoked in the first place, but it can also
deal with the Objects returned from the methods. Included implementations
of after invocation security can throw an exception or mutate the returned
object based on ACLs.<BR><BR>
<LI><B>Secures your HTTP requests as well:</B> In addition to securing
your beans, the project also secures your HTTP requests. No longer is it
necessary to rely on web.xml security constraints. Best of all, your
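Review bot: style: "the Objects returned from the methods" capitalises a common noun; use "objects". It would also help to name the two included after-invocation implementations the sentence alludes to (the one that throws and the one that filters or mutates the result based on ACLs), so readers can find them in the reference guide.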
@ -81,7 +84,8 @@
BASIC authentication requests as per RFC 1945.<BR><BR>
<LI><B>Convenient security taglib:</B> Your JSP files can use our taglib
to ensure that protected content like links and messages are only
displayed to users holding the appropriate granted authorities.<BR><BR>
displayed to users holding the appropriate granted authorities. The taglib
also fully integrates with Acegi Security's ACL services.<BR><BR>
<LI><B>Application context or attribute-based configuration:</B> You
select the method used to configure your security environment. The
project supports configuration via Spring application contexts as well
@ -93,15 +97,15 @@
anywhere you like.<BR><BR>
<LI><B>Event support:</B> Building upon Spring's
<CODE>ApplicationEvent</CODE> services, you can write your own listeners
for login, invalid password and account disabled events. This enables
you to implement account lockout and audit log systems, with complete
decoupling from Acegi Security code.<BR><BR>
for authentication-related events, along with authorisation-related events.
This enables you to implement account lockout and audit log systems, with
complete decoupling from Acegi Security code.<BR><BR>
<LI><B>Easy integration with existing databases:</B> Our implementations
have been designed to make it very easy to use your existing
authentication schema and data (without modification).<BR><BR>
<LI><B>Caching:</B> Use our <A
href="http://ehcache.sourceforge.net/">EHCACHE</A> wrapper to cache your
authentication information, or plug in your own cache implementation.
authentication schema and data (without modification). Of course,
you can also provide your own Data Access Object if you wish.<BR><BR>
<LI><B>Caching:</B> Acegi Security integrates with Spring's <A
href="http://ehcache.sourceforge.net/">EHCACHE</A> factory.
This flexibility means your database (or other authentication
repository) is not repeatedly queried for authentication
information.<BR><BR>
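Review bot: "Acegi Security integrates with Spring's EHCACHE factory" reads as if EHCACHE were part of Spring, but the link goes to ehcache.sourceforge.net, a separate project; reword to something like "integrates with the EHCACHE library through Spring's cache factory bean". The old wording "or plug in your own cache implementation" has been dropped; if that is still supported, keep a mention, since a pluggable cache is a real differentiator. In the event bullet, "authentication-related events, along with authorisation-related events" can simply read "authentication and authorisation events".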
@ -127,13 +131,18 @@
request or bean invocation. This enables you to build public-facing
object tiers with different security configurations than your backend
objects.<BR><BR>
<LI><B>Transparent security propagation:</B> Acegi Security can automatically
transfer its core authentication information from one machine to another,
using a variety of protocols including RMI and Spring's HttpInvoker.<BR><BR>
<LI><B>Compatible with HttpServletRequest.getRemoteUser():</B> Even though
Acegi Security can deliver authentication using a range of pluggable mechanisms
(most of which require no web container configuration), we allow you to access
the resulting Authentication object via the getRemoteUser() method.<BR><BR>
<LI><B>Unit tests:</B> A must-have of any quality security project, unit
tests are included. Clover coverage is currently 98.3%.<BR><BR>
<LI><B>Container integration tests:</B> To ensure the security project
properly operates with major container versions, we provide an
integration test system that deploys those containers from scratch and
fully tests our sample web application from the perspective of a HTTP
client.<BR><BR>
tests are included. Our unit test coverage is very high, as shown in the
<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<BR><BR>
<LI><B>Built by Maven:</B> This assists you in effectively reusing the Acegi
Security artifacts in your own Maven-based projects.<BR><BR>
<LI><B>Supports your own unit tests:</B> We provide a number of classes
that assist with your own unit testing of secured business objects. For
example, you can change the authentication identity and its associated
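Review bot: the `getRemoteUser()` bullet says it gives access to "the resulting Authentication object", but `HttpServletRequest.getRemoteUser()` is defined by the Servlet API to return a `String` (the login name); exposing a principal object goes through `getUserPrincipal()`. State what each method returns so readers who check the Servlet javadoc are not confused. Separately, this hunk silently drops the "Container integration tests" bullet; if those tests still exist in the build, keep the bullet (it is a concrete assurance claim), and if they were removed, say so in the commit message.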
@ -143,7 +152,8 @@
and code quality improvements that emerge from peer review.<BR><BR>
<LI><B>Thorough documentation:</B> All APIs are fully documented using
JavaDoc, with a 40+ page reference guide providing an easy-to-follow
introduction.<BR><BR>
introduction. More documentation is provided on this web site, as
shown in the left hand navigation sidebar.<BR><BR>
<LI><B>Apache license.</B><BR><BR></LI></UL><BR><B>
<HR>
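Review bot: the trailing context line `</LI></UL><BR><B>` opens a `<B>` that is never closed before `<HR>`; it is pre-existing, but worth fixing while this area is being edited. Also "left hand navigation sidebar" should be hyphenated as "left-hand".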

View File

@ -30,14 +30,14 @@
<menu name="Overview">
<item name="Home" href="index.html"/>
<item name="Building with Maven" href="building.html"/>
<item name="Downloads" href="downloads.html"/>
<item name="Downloads" href="http://sourceforge.net/project/showfiles.php?group_id=104215"/>
</menu>
<menu name="Documentation">
<item name="Suggested Steps" href="suggested.html"/>
<item name="Reference Guide" href="reference.html"/>
<item name="Sample SQL Schema" href="dbinit.txt"/>
<item name="Frequently Asked Questions" href="faq.html"/>
<item name="FAQ" href="faq.html"/>
<item name="External Web Articles" href="articles.html"/>
<item name="Upgrading to 0.7.0" href="upgrade/upgrade-06-070.html"/>
<item name="Upgrading to 0.6" href="upgrade/upgrade-05-06.html"/>
@ -46,13 +46,12 @@
</menu>
<menu name="Projects">
<item name="Core" href="multiproject/acegi-security/index.html"/>
<item name="CAS" href="multiproject/acegi-security-cas/index.html"/>
<item name="Catalina" href="multiproject/acegi-security-catalina/index.html"/>
<item name="JBoss" href="multiproject/acegi-security-jboss/index.html"/>
<item name="Jetty" href="multiproject/acegi-security-jetty/index.html"/>
<item name="Resin" href="multiproject/acegi-security-resin/index.html"/>
<item name="Subproject Index" href="projects-overview.html"/>
<item name="Core Framework" href="multiproject/acegi-security/index.html"/>
<item name="CAS Adapter" href="multiproject/acegi-security-cas/index.html"/>
<item name="Catalina Adapter" href="multiproject/acegi-security-catalina/index.html"/>
<item name="JBoss Adapter" href="multiproject/acegi-security-jboss/index.html"/>
<item name="Jetty Adapter" href="multiproject/acegi-security-jetty/index.html"/>
<item name="Resin Adapter" href="multiproject/acegi-security-resin/index.html"/>
</menu>
<menu name="Samples">

View File

@ -56,7 +56,7 @@
declarations or the stock-standard <code>web.xml</code>). The main
XML files to review are
<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml?view=auto">applicationContext-acegi-security.xml</a> (from the filter webapp),
<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorization.xml?view=auto">applicationContext-common-authorization.xml</a>,
<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorisation.xml?view=auto">applicationContext-common-authorisation.xml</a>,
<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-business.xml?view=auto">applicationContext-common-business.xml</a> (just note we add <code>contactManagerSecurity</code> to the services layer target bean), and
<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml?view=auto">web.xml</a> (from the filter webapp).
The XML definitions are comprehensively discussed in the
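Review bot: this changes the filename inside the viewcvs URL from `applicationContext-common-authorization.xml` to `applicationContext-common-authorisation.xml`. That only works if the file under samples/contacts/src/main/webapp/common/WEB-INF was actually renamed; this commit touches five files, all of them documentation, so unless the rename landed separately the link will now fail. Keep the URL matching the real filename even where the prose uses the British spelling.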
@ -64,7 +64,7 @@
<br><br>
To gain the most from reviewing these XML files, we suggest you start by understanding how
authentication takes place. There's not much point knowing all about authorization until authentication is
authentication takes place. There's not much point knowing all about authorisation until authentication is
really clear, especially the interaction between the <code>ContextHolder</code>, the
authentication mechanism (such as <code>AuthenticationProcessingFilter</code>), the
authentication commencement process (specifically <code>SecurityEnforcementFilter</code> and
@ -111,7 +111,10 @@
where you would need to cross the highest and most difficult bridges first, to check they
are actually possible).<br><br>
If you've followed the steps above, and refer back to the reference guide, forums, and FAQ
If you've followed the steps above, and refer back to the
<a href="reference.html">Reference Guide</a>,
<a href="http://www.springframework.org">forums</a>, and
<a href="faq.html">FAQ</a>
for help, you'll find it pretty easy to implement Acegi Security in your application.
Most importantly, you'll be using a security framework that offers you complete container
portability, flexibility, and community support - without needing to write and maintain your
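Review bot: the new "forums" link points at http://www.springframework.org (the site home page), whereas the FAQ hunk in this same commit links the Spring Forums to http://forum.springframework.org; use one URL across the site, and the forum address is the more direct one for support requests.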