More documentation updates.

2025-06-29 15:22:15 +00:00 · 2004-12-23 00:15:00 +00:00 · 2004-12-23 00:15:00 +00:00 · c8055b57d7
commit c8055b57d7
parent b2e035424a
5 changed files with 159 additions and 50 deletions
--- a/doc/xdocs/articles.html
+++ b/doc/xdocs/articles.html
@ -22,42 +22,42 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
-<title>Articles, Blog Posts and Comments covering Acegi Security</title>
+<title>External Web Articles covering Acegi Security</title>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 </head>
 <body>
-  <h1>Articles, Blog Posts and Comments covering Acegi Security</h1>
+  <h1>External Web Articles covering Acegi Security<</h1>
  <p>Here are some of the external pages mentioning Acegi Security. If you've
 	found another, please let us know.
  <ul>
    <li><b><a href="http://www.springframework.org">Spring Forums</a></b>:
-		The first place to look for Acegi Security support (use the 'search' function).
+		The first place to look for Acegi Security support (use the 'search' function).<br><br>
 	</li>
    <li><b><a href="mail-lists.html">Acegi Security Mailing Lists</a></b>:
-		If you'd like to discuss development of the project.
+		If you'd like to discuss development of the project.<br><br>
 	</li>
    <li><b><a href="http://www.javalobby.org/articles/acegisecurity/part1.jsp">Securing Your Java Applications - Acegi Security Style</a></b>:
-		Matthew Porter wrote this good introductory article for Javalobby.
+		Matthew Porter wrote this good introductory article for Javalobby.<br><br>
 	</li>
    <li><b><a href="http://confluence.sourcebeat.com/display/SPL/Update+Chapters">Spring Live Update Chapters</a></b>:
-		Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.
+		Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.<br><br>
 	</li>
    <li><b><a href="http://tp.its.yale.edu/tiki/tiki-view_faq.php?faqId=2#q16">Central Authentication Service FAQ</a></b>:
-		A general overview of how Acegi Security is used with Yale's CAS.
+		A general overview of how Acegi Security is used with Yale's CAS.<br><br>
 	</li>
    <li><b><a href="http://jroller.com/page/habuma/20041124#simplifying_acegi_configuration">Simplifying Acegi Configuration</a></b>:
-		Craig Walls provides a good approach to reusing your Acegi Security configuration between projects.
+		Craig Walls provides a good approach to reusing your Acegi Security configuration between projects.<br><br>
 	</li>
    <li><b><a href="http://www.almaer.com/blog/archives/000500.html">Let's leak IoC/DI into standards. You miss them when they aren't there!</a></b>:
-		Ain't that the truth! A good example of where Acegi Security's <code>FilterToProxyBean</code> comes in handy.
+		Ain't that the truth! A good example of where Acegi Security's <code>FilterToProxyBean</code> comes in handy.<br><br>
 	</li>
    <li><b><a href="http://www.manageability.org/blog/stuff/single-sign-on-in-java/view">Open Source Identity Management Solutions Written in Java</a></b>:
-		From <code>manageability.org</code>.
+		From <code>manageability.org</code>.<br><br>
 	</li>
    <li><b><a href="http://www.orablogs.com/fnimphius/archives/000730.html">J2EE Security: Struts "Shale" proposal does improve web application security</a></b>:
-		Frank Nimphius' blog contained some comments on Acegi Security. See
+		Frank Nimphius' blog contains some comments on Acegi Security. See
-		our <a href="faq.html">FAQ</a> for additional JAAS comments.
+		our <a href="faq.html">FAQ</a> for additional JAAS comments.<br><br>
 	</li>
  </ul>
 </body>
--- a/doc/xdocs/faq.html
+++ b/doc/xdocs/faq.html
@ -29,8 +29,105 @@
 <body>
  <h1>Frequently Asked Questions</h1>
  <h2>What is Acegi Security?</h2>
  <p>Acegi Security is an open source project that provide comprehensive authentication
 	and authorisation services for enterprise applications based on
 	<a href="http://www.springframework.org">The Spring Framework</a>.
 	Acegi Security can authenticate using a variety of pluggable providers, and
 	can authorise both web requests and method invocations.
 	Acegi Security provides an integrated security approach across
 	these various targets, and also offers access control list (ACL) capabilities to
 	enable individual domain object instances to be secured. At an implementation
 	level, Acegi Security is managed through Spring's inversion of control and 
 	lifecycle services,	and actually enforces security using interception through
 	servlet Filters and Java AOP frameworks. In terms of AOP framework support, Acegi
 	Security currently supports AOP Alliance (which is what the
 	Spring IoC container uses internally) and AspectJ, although additional frameworks
 	can be easily supported.</p>
  <h2>Why not just use web.xml security?</h2>
  <p>Let's assuming you're developing an enterprise application based on Spring.
 	There are four security concerns you typically need to address: authentication,
 	web request security, service layer security (ie your methods that implement
 	business logic), and domain object instance security (ie different domain objects
 	have different permissions). With these typical requirements in mind:
 	<ol>
 		<li><b>Authentication</b>: The servlet specification provides an approach
 			to authentication. However, you will need to configure the container 
 			to perform authentication which typically requires editing of
 			container-specific "realm" settings. This makes a non-portable
 			configuration, and if you need to write an actual Java class to implement 
 			the container's authentication interface, it becomes even more non-portable.
 			With Acegi Security you achieve complete portability - right down to the 
 			WAR level. Also, Acegi Security offers a choice of production-proven
 			authentication providers and mechanisms, meaning you can switch your 
 			authentication approaches at deployment time. This is particularly
 			valuable for software vendors writing products that need to work in
 			an unknown target environment.<br><br></li>
 		<li><b>Web request security:</b> The servlet specification provides an
 			approach to secure your request URIs. However, these URIs can only be
 			expressed in the servlet specification's own limited URI path format.
 			Acegi Security provides a far more comprehensive approach. For instance,
 			you can use Ant paths or regular expressions, you can consider parts of the
 			URI other than simply the requested page (eg you can consider request
 			parameters), and you can implement your own runtime source of configuration
 			data. This means your web request security can be dynamically changed during
 			the actual execution of your webapp.<br><br></li>
 		<li><b>Service layer and domain object security:</b> The absence of support 
 			in the servlet specification for services layer security or domain object 
 			instance security represent serious limitations for multi-tiered 
 			applications. Typically developers either ignore these requirements, or
 			implement security logic within their MVC controller code (or even worse,
 			inside the views). There are serious disadvantages with this approach:<br><br>
 				<ol>
 					<li><i>Separation of concerns:</i> Authorization is a 
 						crosscutting concern and should be implemented as such. 
 						MVC controllers or views implementing authorization code 
 						makes it more difficult to test both the controller and 
 						authorization logic, more difficult to debug, and will 
 						often lead to code duplication.</li>
 					<li><i>Support for rich clients and web services:</i> If an 
 						additional client type must ultimately be supported, any 
 						authorization code embedded within the web layer is 
 						non-reusable. It should be considered that Spring remoting 
 						exporters only export service layer beans (not MVC 
 						controllers). As such authorization logic needs to be 
 						located in the services layer to support a multitude of 
 						client types.</li>
 					<li><i>Layering issues:</i> An MVC controller or view is simply 
 						the incorrect architectural layer to implement authorization 
 						decisions concerning services layer methods or domain object 
 						instances. Whilst the Principal may be passed to the services 
 						layer to enable it to make the authorization decision, doing 
 						so would introduce an additional argument on every services 
 						layer method. A more elegant approach is to use a ThreadLocal 
 						to hold the Principal, although this would likely increase 
 						development time to a point where it would become more e
 						conomical (on a cost-benefit basis) to simply use a dedicated 
 						security framework.</li>
 					<li><i>Authorisation code quality:</i> It is often said of web 
 						frameworks that they "make it easier to do the right things, 
 						and harder to do the wrong things". Security frameworks are 
 						the same, because they are designed in an abstract manner for 
 						a wide range of purposes. Writing your own authorization code 
 						from scratch does not provide the "design check" a framework 
 						would offer, and in-house authorization code will typically 
 						lack the improvements that emerge from widespread deployment, 
 						peer review and new versions.
 				</ol>
 				</li>
 	</ol>
 	For simple applications, servlet specification may just be enough.
 	Although when considered within the context of web container portability, 
 	configuration requirements, limited web request security flexibility, and 
 	non-existent services layer and domain object instance security, it becomes 
 	clear why developers often look to alternative solutions.
 	</p>
  <h2>How do you pronounce "Acegi"?</h2>
-  <p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.</p>
+  <p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.
 	Acegi isn't an acronym, name of a Greek God or anything similarly
 	impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.</p>
  <h2>Is it called "Acegi" or "Acegi Security"?</h2>
  <p>It's official name is <i>Acegi Security System for Spring</i>,
@ -39,7 +136,7 @@
 	as that gets confused with the name of the company that maintains Acegi
 	Security.</p>
-  <h2>Why catches 80% of users reporting problems?</h2>
+  <h2>What catches 80% of users reporting problems?</h2>
  <p>80% of support questions are because people have not defined
 	the necessary filters in <code>web.xml</code>, or the filters are being
 	mapped in the incorrect order. Check the 
@ -55,11 +152,6 @@
 	<code>UserDetails</code> object generated by your <code>AuthenticationDao</code>
 	to the log and check it looks correct.</p>
  <h2>How do I store custom properties, like a user's email address?</h2>
  <p>In most cases write an <code>AuthenticationDao</code> which returns
 	a subclass of <code>User</code>. Alternatively, write your own
 	<code>UserDetails</code> implementation from scratch and return that.</p>
  <h2>I need some help. What files should I post?</h2>
  <p>The most important things to post with any support requests on the
 	<a href="http://forum.springframework.org">Spring Forums</a> are your
@ -82,6 +174,11 @@
 		log4j.category.net.sf.acegisecurity=DEBUG</pre>
  <h2>How do I store custom properties, like a user's email address?</h2>
  <p>In most cases write an <code>AuthenticationDao</code> which returns
 	a subclass of <code>User</code>. Alternatively, write your own
 	<code>UserDetails</code> implementation from scratch and return that.</p>
  <h2>Why doesn't Acegi Security use JAAS?</h2>
  <p>Acegi Security targets <i>enterprise applications</i>, which are typically
 	multi-user, data-oriented applications that are important to
--- a/doc/xdocs/index.html
+++ b/doc/xdocs/index.html
@ -25,10 +25,8 @@
        href="http://apr.apache.org/versioning.html">Apache APR Project 
        Versioning Guidelines</A> so you can identify backward 
        compatibility.<BR><BR>
-        <LI><B>Easy to use:</B> View our samples/quick-start directory for XML 
+        <LI><B>Fast results:</B> View our <a href="suggested.html">Suggested Steps</a>
-        you can simply copy and paste into applicationContext.xml and web.xml. 
+        for the fastest way to develop complex, security-compliant applications.<BR><BR>
        From there it's easy to customise Acegi Security to your unique security 
        needs.<BR><BR>
        <LI><B>Enterprise-wide single sign on:</B> Using Yale University's open 
        source <A href="http://www.yale.edu/tp/auth/">Central Authentication 
        Service</A> (CAS), the Acegi Security System for Spring can participate 
@ -61,6 +59,11 @@
        parameter on method being invoked....). This package gives you this 
        flexibility without adding security code to your Spring business 
        objects.<BR><BR>
        <LI><B>After invocation security:</B> Acegi Security can not only protect
 		methods from being invoked in the first place, but it can also
 		deal with the Objects returned from the methods. Included implementations 
 		of after invocation security can throw an exception or mutate the returned
 		object based on ACLs.<BR><BR>
        <LI><B>Secures your HTTP requests as well:</B> In addition to securing 
        your beans, the project also secures your HTTP requests. No longer is it 
        necessary to rely on web.xml security constraints. Best of all, your 
@ -81,7 +84,8 @@
        BASIC authentication requests as per RFC 1945.<BR><BR>
        <LI><B>Convenient security taglib:</B> Your JSP files can use our taglib 
        to ensure that protected content like links and messages are only 
-        displayed to users holding the appropriate granted authorities.<BR><BR>
+        displayed to users holding the appropriate granted authorities. The taglib
 		also fully integrates with Acegi Security's ACL services.<BR><BR>
        <LI><B>Application context or attribute-based configuration:</B> You 
        select the method used to configure your security environment. The 
        project supports configuration via Spring application contexts as well 
@ -93,15 +97,15 @@
        anywhere you like.<BR><BR>
        <LI><B>Event support:</B> Building upon Spring's 
        <CODE>ApplicationEvent</CODE> services, you can write your own listeners 
-        for login, invalid password and account disabled events. This enables 
+        for authentication-related events, along with authorisation-related events.
-        you to implement account lockout and audit log systems, with complete 
+		This enables you to implement account lockout and audit log systems, with
-        decoupling from Acegi Security code.<BR><BR>
+		complete decoupling from Acegi Security code.<BR><BR>
        <LI><B>Easy integration with existing databases:</B> Our implementations 
        have been designed to make it very easy to use your existing 
-        authentication schema and data (without modification).<BR><BR>
+        authentication schema and data (without modification). Of course,
-        <LI><B>Caching:</B> Use our <A 
+		you can also provide your own Data Access Object if you wish.<BR><BR>
-        href="http://ehcache.sourceforge.net/">EHCACHE</A> wrapper to cache your 
+        <LI><B>Caching:</B> Acegi Security integrates with Spring's <A 
-        authentication information, or plug in your own cache implementation. 
+        href="http://ehcache.sourceforge.net/">EHCACHE</A> factory. 
        This flexibility means your database (or other authentication 
        repository) is not repeatedly queried for authentication 
        information.<BR><BR>
@ -127,13 +131,18 @@
        request or bean invocation. This enables you to build public-facing 
        object tiers with different security configurations than your backend 
        objects.<BR><BR>
        <LI><B>Transparent security propagation:</B> Acegi Security can automatically
 		transfer its core authentication information from one machine to another,
 		using a variety of protocols including RMI and Spring's HttpInvoker.<BR><BR>
        <LI><B>Compatible with HttpServletRequest.getRemoteUser():</B> Even though
 		Acegi Security can deliver authentication using a range of pluggable mechanisms
 		(most of which require no web container configuration), we allow you to access
 		the resulting Authentication object via the getRemoteUser() method.<BR><BR>
        <LI><B>Unit tests:</B> A must-have of any quality security project, unit 
-        tests are included. Clover coverage is currently 98.3%.<BR><BR>
+        tests are included. Our unit test coverage is very high, as shown in the
-        <LI><B>Container integration tests:</B> To ensure the security project 
+		<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<BR><BR>
-        properly operates with major container versions, we provide an 
+        <LI><B>Built by Maven:</B> This assists you in effectively reusing the Acegi
-        integration test system that deploys those containers from scratch and 
+		Security artifacts in your own Maven-based projects.<BR><BR>
        fully tests our sample web application from the perspective of a HTTP 
        client.<BR><BR>
        <LI><B>Supports your own unit tests:</B> We provide a number of classes 
        that assist with your own unit testing of secured business objects. For 
        example, you can change the authentication identity and its associated 
@ -143,7 +152,8 @@
        and code quality improvements that emerge from peer review.<BR><BR>
        <LI><B>Thorough documentation:</B> All APIs are fully documented using 
        JavaDoc, with a 40+ page reference guide providing an easy-to-follow 
-        introduction.<BR><BR>
+        introduction. More documentation is provided on this web site, as
 		shown in the left hand navigation sidebar.<BR><BR>
        <LI><B>Apache license.</B><BR><BR></LI></UL><BR><B>
      <HR>
--- a/doc/xdocs/navigation.xml
+++ b/doc/xdocs/navigation.xml
@ -30,14 +30,14 @@
    <menu name="Overview">
      <item name="Home" href="index.html"/>
      <item name="Building with Maven" href="building.html"/>
-      <item name="Downloads" href="downloads.html"/>
+      <item name="Downloads" href="http://sourceforge.net/project/showfiles.php?group_id=104215"/>
    </menu>
    <menu name="Documentation">
      <item name="Suggested Steps" href="suggested.html"/>
      <item name="Reference Guide" href="reference.html"/>
      <item name="Sample SQL Schema" href="dbinit.txt"/>
-      <item name="Frequently Asked Questions" href="faq.html"/>
+      <item name="FAQ" href="faq.html"/>
      <item name="External Web Articles" href="articles.html"/>
      <item name="Upgrading to 0.7.0" href="upgrade/upgrade-06-070.html"/>
      <item name="Upgrading to 0.6" href="upgrade/upgrade-05-06.html"/>
@ -46,13 +46,12 @@
    </menu>
    <menu name="Projects">
-      <item name="Core" href="multiproject/acegi-security/index.html"/>
+      <item name="Core Framework" href="multiproject/acegi-security/index.html"/>
-      <item name="CAS" href="multiproject/acegi-security-cas/index.html"/>
+      <item name="CAS Adapter" href="multiproject/acegi-security-cas/index.html"/>
-      <item name="Catalina" href="multiproject/acegi-security-catalina/index.html"/>
+      <item name="Catalina Adapter" href="multiproject/acegi-security-catalina/index.html"/>
-      <item name="JBoss" href="multiproject/acegi-security-jboss/index.html"/>
+      <item name="JBoss Adapter" href="multiproject/acegi-security-jboss/index.html"/>
-      <item name="Jetty" href="multiproject/acegi-security-jetty/index.html"/>
+      <item name="Jetty Adapter" href="multiproject/acegi-security-jetty/index.html"/>
-      <item name="Resin" href="multiproject/acegi-security-resin/index.html"/>
+      <item name="Resin Adapter" href="multiproject/acegi-security-resin/index.html"/>
      <item name="Subproject Index" href="projects-overview.html"/>
    </menu>
    <menu name="Samples">
--- a/doc/xdocs/suggested.html
+++ b/doc/xdocs/suggested.html
@ -56,7 +56,7 @@
 	declarations or the stock-standard <code>web.xml</code>). The main
 	XML files to review are
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml?view=auto">applicationContext-acegi-security.xml</a> (from the filter webapp),
-	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorization.xml?view=auto">applicationContext-common-authorization.xml</a>,
+	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorisation.xml?view=auto">applicationContext-common-authorisation.xml</a>,
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-business.xml?view=auto">applicationContext-common-business.xml</a> (just note we add <code>contactManagerSecurity</code> to the services layer target bean), and
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml?view=auto">web.xml</a> (from the filter webapp).
 	The XML definitions are comprehensively discussed in the
@ -64,7 +64,7 @@
 	<br><br>
 	To gain the most from reviewing these XML files, we suggest you start by understanding how
-	authentication takes place. There's not much point knowing all about authorization until authentication is
+	authentication takes place. There's not much point knowing all about authorisation until authentication is
 	really clear, especially the interaction between the <code>ContextHolder</code>, the
 	authentication mechanism (such as <code>AuthenticationProcessingFilter</code>), the
 	authentication commencement process (specifically <code>SecurityEnforcementFilter</code> and
@ -111,7 +111,10 @@
 	where you would need to cross the highest and most difficult bridges first, to check they
 	are actually possible).<br><br>
-	If you've followed the steps above, and refer back to the reference guide, forums, and FAQ
+	If you've followed the steps above, and refer back to the 
 	<a href="reference.html">Reference Guide</a>, 
 	<a href="http://www.springframework.org">forums</a>, and 
 	<a href="faq.html">FAQ</a>
 	for help, you'll find it pretty easy to implement Acegi Security in your application.
 	Most importantly, you'll be using a security framework that offers you complete container
 	portability, flexibility, and community support - without needing to write and maintain your