SEC-540,SEC-541: Changes for maven 2 site generation and use of docbkx.

Luke Taylor 2007-09-02 10:00:44 +00:00
parent 4e452046ec
commit f9e16d6ee3
31 changed files with 565 additions and 7377 deletions


@ -0,0 +1,11 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<project name="Acegi Security CAS Adapter">
<body>
<menu ref="parent"/>
<menu ref="reports"/>
</body>
</project>

64
pom.xml

@ -3,15 +3,17 @@
<groupId>org.acegisecurity</groupId>
<artifactId>acegi-security-parent</artifactId>
<version>1.0.5-SNAPSHOT</version>
<name>Acegi Security System for Spring - Parent</name>
<name>Acegi Security</name>
<packaging>pom</packaging>
<modules>
<module>core</module>
<module>core-tiger</module>
<module>adapters</module>
<module>core-tiger</module>
<module>adapters</module>
<module>samples</module>
<module>doc</module>
<!--
<module>doc</module>
-->
</modules>
<description>Acegi Security System for Spring</description>
@ -61,10 +63,11 @@
<site>
<id>sourceforge.net</id>
<name>Acegi Website at Sourceforge</name>
<url>
<!--<url>file:///Users/luke/acegisite/</url>-->
<url>
scp://shell.sourceforge.net/home/groups/a/ac/acegisecurity/htdocs/maven2
</url>
</site>
</site>
</distributionManagement>
<repositories>
@ -86,9 +89,19 @@
<enabled>false</enabled>
</releases>
</repository>
</repositories>
</repositories>
<mailingLists>
<pluginRepositories>
<pluginRepository>
<id>agilejava.com</id>
<url>http://agilejava.com/maven/</url>
<releases>
<enabled>true</enabled>
</releases>
</pluginRepository>
</pluginRepositories>
<mailingLists>
<mailingList>
<name>Acegi Developer List</name>
<subscribe>
@ -366,9 +379,25 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>2.0-beta-5</version>
<version>2.0-BETA-5</version>
</plugin>
</plugins>
<plugin>
<groupId>com.agilejava.docbkx</groupId>
<artifactId>docbkx-maven-plugin</artifactId>
<version>2.0.6</version>
<dependencies>
<dependency>
<groupId>org.docbook</groupId>
<artifactId>docbook-xml</artifactId>
<version>4.4</version>
<scope>runtime</scope>
</dependency>
</dependencies>
<configuration>
<targetDirectory>${basedir}/target/site/guide</targetDirectory>
</configuration>
</plugin>
</plugins>
</build>
<reporting>
@ -382,7 +411,8 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
</plugin>
<plugin>
<!--
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<configuration>
@ -391,18 +421,22 @@
</configLocation>
</configuration>
</plugin>
<plugin>
-->
<!--
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
</plugin>
-->
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
</plugin>
<plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<configuration>
<configuration>
<links>
<link>
http://java.sun.com/j2se/1.5.0/docs/api
@ -457,7 +491,7 @@
<groupId>org.codehaus.mojo</groupId>
<artifactId>taglist-maven-plugin</artifactId>
</plugin>
</plugins>
</plugins>
</reporting>
<dependencyManagement>
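Review bot: The `<pluginRepository>` added in the `@ -86,9 +89,19 @` hunk points at `http://agilejava.com/maven/`, a third-party host reached over cleartext HTTP, and the `docbkx-maven-plugin` added in the `@ -366,9 +379,25 @` hunk is presumably resolved from it. Build plugins execute inside the build with the privileges of the developer or CI account, so an artifact altered in transit or on that host would run as code during site generation. I would switch to an HTTPS URL if the host offers one, or proxy the repository through a mirror the project controls. Only `<releases>` is configured, so adding `<snapshots><enabled>false</enabled></snapshots>` would make explicit that nothing but the pinned `2.0.6` release should come from this repository.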


@ -1,61 +0,0 @@
-----------------------
Building Acegi Security
-----------------------
Building Acegi Security System
* Checking Out from Subversion (SVN)
This project uses <a href="http://maven.apache.org">Maven</a> as project manager
and build tool. We recommend you to install Maven 2.0.4 or greater before trying
the following.
To checkout Acegi Security from SVN, see our {{{svn-usage.html}SVN Usage}} page.
* Quick Build
Often people reading this document just want to see if Acegi Security will work
for their projects. They want to deploy a sample application, and that's about it
(after all, all the reference documentation can be read online at
{{{http://acegisecurity.org}http://acegisecurity.org}}).
In this case, execute:
TODO: Update to use tutorial app and maven 2
+----------------------------------------------------------------------------------------------------------------------+
cd $ACEGI_SECURITY/core (or cd %ACEGI_SECURITY%/core on Windows)
mvn install
cd $ACEGI_SECURITY/samples/contacts
maven multiwar:multiwar
copy $ACEGI_SECURITY/samples/contacts/target/acegi-security-sample-contacts-filter.war $YOUR_CONTAINER/webapps
+----------------------------------------------------------------------------------------------------------------------+
Then load up your web container and visit
{{{http://localhost:8080/acegi-security-sample-contacts-filter/}http://localhost:8080/acegi-security-sample-contacts-filter/}}
(or whatever location is appropriate for your web container).
* Building All JARs
Sometimes people are already using Acegi Security, and they just want to build the
latest code from CVS. To build all artifacts (JARs) and install them into
your local Maven repository, simply perform a SVN checkout, and then execute:
+----------------------------------------------------------------------------------------------------------------------+
cd $ACEGI_SECURITY
mvn install
+----------------------------------------------------------------------------------------------------------------------+
You can then check your <<<$HOME/.m2/repository/org/acegisecurity>>>
directory and it should contain all of the latest Acegi Security JARs.
* Building The Site
By "site" we mean the web site you can browse at
{{{http://acegisecurity.org}http://acegisecurity.org}},
which includes the reference documentation and all of the Maven reports.
If you'd like a local copy, simply execute:
+----------------------------------------------------------------------------------------------------------------------+
cd $ACEGI_SECURITY
mvn clean site
+----------------------------------------------------------------------------------------------------------------------+


@ -1,50 +0,0 @@
---------
Downloads
---------
Acegi Security Downloads
If you wish to try out this project, you are probably looking for the
<<acegi-security-xx.zip>> file, which contains all of the officially
released JARs, a copy of all documentation, and two WAR artifacts. The two WAR artifacts
are from the Contacts Sample and the Tutorial Sample application. The Tutorial Sample
consists of a "bare bones" configuration that will get you up and running quickly, whereas
the Contacts Sample illustrates more advanced features.
Please note that in order to reduce download size, we only include in the
release ZIP one of the WAR artifacts produced by the Contacts Sample application.
The WAR artifact we include is suitable for standalone deployment (specifically, it
does not require a CAS server, container adapter, X509 or LDAP setup). The official release ZIP
therefore probably contains what you need, especially if you're initially
evaluating the project. If you wish to deploy the other WAR artifacts produced by
the Contacts Sample application (ie those that target CAS, container adapters, X509 or LDAP usage),
you will need to build Acegi Security from source.
The acegi-security-xx-src.zip is intended for use with IDEs. It does not contain the
files needed to compile Acegi Security. It also does not contain the sources to the
sample applications. If you need any of these files, please download from SVN.
* Official Releases
The official release ZIP files are available from the
{{{http://sourceforge.net/project/showfiles.php?group_id=104215}Sourceforge File Release System}}.
* Maven Dependencies
The Acegi Security JARs are also available via the
{{{http://www.ibiblio.org/maven2/org/acegisecurity}iBiblio Maven Repository}}.
* Building From Source
Detailed instructions on downloading from CVS and building from source
are provided on the {{{building.html}Building with Maven}}
page.
* SVN Snapshots and Daily Builds
If you don't wish to access SVN directly, we provide
{{{http://acegisecurity.sourceforge.net/nightly/}nightly SVN exports}}
There is also an automated build which uploads bundle of Acegi Security jar files to the same location.
Both binary and source archives have the date of the build and the SVN revision number appended to the filename,
so you can match them up easily.


@ -1,74 +0,0 @@
----------------------------------
Acegi Security Use Without Spring
----------------------------------
Acegi Security Use Without Spring
* Introduction
Sometimes we get asked can Acegi Security be used without Spring.
This page provides a detailed answer.
* History
Acegi Security started out as a method interceptor for Spring IoC container
managed beans. Typically such beans provide services layer functions.
Over time Acegi Security grew to offer authentication services, <<<ThreadLocal>>> management,
web request filtering, extra AOP support,
ACL features, additional authentication mechanisms and so on (for those interested,
see our {{{changes-report.html}change log}}).
* Why Use Spring
There's plenty written about why the
{{{http://www.springframework.org}Spring Framework}}
is a good fit for modern applications. If you're not familiar with the benefits
Spring offers, please take a few minutes to learn more about it. In numerous
situations Spring will save you many months (or even years) of development time.
Not to mention your solutions will be better architected
(designed), better coded (implemented), and better supported (maintained) in the future.
* Acegi Security Dependencies on Spring
Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle
methods such as <<<afterPropertiesSet()>>>. Some Acegi Security classes also
publish events to the <<<ApplicationContext>>>, although you could provide a mock
implementation of <<<ApplicationContext>>> easily enough which no-ops the method.
In other words, if you particularly didn't want Spring in your application, you <could>
avoid its use by writing equivalent getter, setter and lifecycle invocation processes
in standard Java code. This is a natural consequence of the Spring way of development,
which emphasises framework independence (it is <not> because we think there are good
reasons people would <not> use Spring).
If it sounds too hard (it's not) or counter-productive (it is) to replace Spring's IoC
services, don't forget you can always deploy Acegi Security and the Spring
IoC container solely for configuring Acegi Security. Spring does not mandate its
use in every part of your application. It will work quite successfully doing nothing more than
acting as a configuration mechanism for Acegi Security. Whilst some may regard this as excessive,
it's really no different than the traditional approach of every framework having its very
own XML or other proprietary configuration system. The main difference is that Spring is an
actual de facto standard, and you can gradually introduce it to other parts of your application
over time (if desired).
Acegi Security does <not> use any other Spring capabilities. Most notably, the
entire architecture is based around <<<Filter>>>s, not Spring's MVC framework.
This allows it to be used with any MVC framework, or even with just straight JSPs.
Acegi Security uses the AOP Alliance and AspectJ interfaces for method interception -
it does not use any Spring-specific interfaces. As a consequence, Acegi Security is very
portable to applications that do not leverage <any> of Spring's capabilities. We should note
there are several very simple data access objects (DAOs) that use Spring's JDBC abstraction
layer, although each of these are defined by a simple interface and it is very common in
even native Spring-powered applications for these to be re-implemented using the application's
persistence framework of choice (eg Hibernate).
* Conclusion
In summary, we recommend you take a look at Spring and consider using it in your
applications. Irrespective of whether you do so or not, we strongly recommend you use it
for configuration and lifecycle management of Acegi Security. If that is also not desired,
Acegi Security can easily be executed without Spring at all, providing you implement
similar IoC services. Acegi Security has very minimal dependencies directly on Spring,
with it being useful in many non-Spring applications and with non-Spring frameworks.


@ -15,7 +15,7 @@ Suggested Steps
Estimated time: 30 minutes.
[[2]] Next, follow the <a href="petclinic-tutorial.html">Petclinic tutorial</a>, which
[[2]] Next, follow the {{{petclinic-tutorial.html}Petclinic Tutorial}}, which
covers how to add Acegi Security to the commonly-used Petclinic sample application
that ships with Spring. This will give you a hands-on approach to integrating
Acegi Security into your own application.
@ -42,15 +42,14 @@ Suggested Steps
security is implemented, particularly with domain object access control lists. This will
really round-out the rest of the framework for you.
The actual java (TODO: link) code
The actual java code
is a completely standard Spring application, except <<<ContactManagerBackend>>>
which shows how we create and delete ACL permissions. The rest of the Java code has no
security awareness, with all security services being declared in the XML files
(don't worry, there aren't any new XML formats to learn: they're all standard Spring IoC container
declarations or the stock-standard <<<web.xml>>>). The main
XML files to review are
declarations or the stock-standard <<<web.xml>>>).
TODO: SVN Links:
~~ The main X ML files to review are TODO: SVN Links:
~~ <a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml?view=auto">applicationContext-acegi-security.xml</a> (from the filter webapp),
~~ <a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorization.xml?view=auto">applicationContext-common-authorization.xml</a>,


@ -0,0 +1,41 @@
#poweredBy {
visibility: hidden;
}
#leftColumn {
border: none;
background-color: white;
}
h2 {
padding: 4px 4px 4px 6px;
border: none;
color: black;
background-color: white;
font-weight:normal;
font-size: large;
text-align: center;
}
h3 {
padding: 4px 4px 4px 6px;
border: none;
color: black;
background-color: white;
font-weight: normal;
font-size: large;
}
h4 {
padding: 4px 4px 4px 6px;
border: none;
background-color: white;
color: black;
font-weight: normal;
font-size: large;
}
h5 {
padding: 4px 4px 4px 6px;
background-color: white;
color: black;
}
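Review bot: The `h3` and `h4` rules carry the same six declarations in a different order, so they can drift apart unnoticed; a grouped selector `h3, h4 { … }` would keep them in step, with `h2` differing only by `text-align: center;`. `font-weight:normal;` in the `h2` rule is also missing the space after the colon that every other declaration uses. A one-line comment above `#poweredBy` saying why that element is hidden would help the next person who edits the stylesheet.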


@ -1,4 +1,4 @@
--- $Id$
--- $Id: dbinit.txt 1729 2006-11-12 23:03:16Z benalex $
--- Sample Hypersonic SQL compatible schema and data
---
@ -61,7 +61,7 @@ CREATE TABLE acl_permission (
--- Mask integer 14 = read and write and create permissions
---------------------------------------------------------------------
--- *** INHERITED RIGHTS FOR DIFFERENT INSTANCES AND RECIPIENTS ***
--- *** INHERITED RIGHTS FOR DIFFERENT INSTANCES AND RECIPIENTS ***
--- INSTANCE RECIPIENT PERMISSION(S) (COMMENT #INSTANCE)
---------------------------------------------------------------------
--- 1 ROLE_SUPERVISOR Administer


@ -1,70 +0,0 @@
<!--
* ========================================================================
*
* Copyright 2005 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Products Using Acegi Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Products Using Acegi Security</h1>
<p>Many open source and commercial products either use Acegi Security or at least
support it. Following is a partial list of such products. If you've integrated Acegi
Security with some other product, please let us know (preferably with a URL
to some page explaining the integration/use)...
<h2>Out-Of-the-Box Supported by Acegi Security</h2>
<ul>
<li><b><a href="http://springframework.org/">Spring Framework</a></b>: J2EE abstraction framework.<br><br></li>
<li><b><a href="http://eclipse.org/aspectj/">AspectJ</a></b>: AOP framework.<br><br></li>
<li><b><a href="http://jcaptcha.sourceforge.net/">JCaptcha</a></b>: Detects human users.<br><br></li>
<li><b><a href="http://www.ja-sig.org/products/cas/">JA-SIG CAS</a></b>: Single Sign On system.<br><br></li>
<li><b><a href="http://www3.ca.com/Solutions/Product.asp?ID=5262">SiteMinder</a></b>: Single Sign On system.<br><br></li>
</ul>
<h2>Open Source Projects</h2>
<ul>
<li><b><a href="http://appfuse.org/">AppFuse</a></b>: Helps jump-start application development. <a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseSecurity">Integration details</a>.<br><br></li>
<li><b><a href="http://www.andromda.org">AndroMDA</a></b>: Code generation framework that uses model driven architecture (MDA). <a href="http://team.andromda.org/docs/andromda-spring-cartridge/howto8.html">Integration details</a>.<br><br></li>
<li><b><a href="http://mule.codehaus.org/">Mule</a></b>: Enterprise service bus (ESB) messaging framework. <a href="http://mule.codehaus.org/Acegi+Security">Integration details</a>.<br><br></li>
<li><b><a href="http://rollerweblogger.org">Roller</a></b>: Blog server. <a href="http://rollerweblogger.org/wiki/Wiki.jsp?page=Proposal_AcegiSecurity">Integration details</a>.<br><br></li>
<li><b><a href="http://getahead.ltd.uk/dwr/">DWR</a></b>: AJAX tool. <a href="http://getahead.ltd.uk/dwr/security">Integration details</a>.<br><br></li>
<li><b><a href="http://sourceforge.net/projects/oaj">OAJ (OpenAccountingJ)</a></b>: Replaces OpenAccounting PHP.<br><br></li>
<li><b><a href="http://oness.sourceforge.net/">ONESS</a></b>: Sample web application.<br><br></li>
<li><b><a href="http://sourceforge.net/projects/hispacta">HISPACTA</a></b>: Sample web application.<br><br></li>
<li><b><a href="https://atleap.dev.java.net/">Blandware AtLeap</a></b>: Multilingal free Java CMS.<br><br></li>
<li><b><a href="http://photostructure.com/">PhotoStructure</a></b>: A photo management solution.<br><br></li>
<li><b><a href="http://app.ess.ch/tudu/welcome.action">Tudu Lists</a></b>: AJAX and RSS powered to-do list manager.<br><br></li>
</ul>
<h2>Commercial Deployments</h2>
<ul>
<li>A global financial institution uses Acegi Security's SiteMinder integration in a physical security management application.<br><br></li>
<li>A central bank that uses Acegi Security for many of its internal applications with the CAS integration.<br><br></li>
<li>Several Australian Government departments use Acegi Security for securing SOAP-based web services and web applications.<br><br></li>
<li>Enterprise Systems and Services at Rutgers University uses Acegi Security in conjunction with JA-SIG Central Authentication Service to provide authentication and authorization capabilities to its applications including those used by staff and students as well as those utilized by web services.<br><br></li>
<li>Plus many more... ;-)<br><br></li>
</ul>
</body>
</html>


@ -22,11 +22,12 @@
<project name="Acegi Security">
<bannerLeft>
<name>Acegi Security</name>
<name>Acegi Security on Sourceforge</name>
<src>http://sourceforge.net/sflogo.php?group_id=104215&amp;type=5</src>
<href>http://acegisecurity.sourceforge.net</href>
<href>http://sourceforge.net/projects/acegisecurity</href>
</bannerLeft>
<bannerRight>
<src>Acegi Security</src>
<src>http://acegisecurity.org/logo.gif</src>
<href>http://acegisecurity.org/</href>
</bannerRight>
@ -37,14 +38,13 @@
</links>
<menu name="Overview">
<item name="Home" href="/"/>
<item name="Building with Maven" href="building.html"/>
<item name="Downloads" href="downloads.html"/>
</menu>
<menu name="Documentation">
<item name="Suggested Steps" href="suggested.html"/>
<item name="Reference Guide" href="docbook/acegi.html"/>
<item name="Reference Guide" href="reference.html"/>
<item name="Sample SQL Schema" href="dbinit.txt"/>
<item name="FAQ" href="faq.html"/>
<item name="Petclinic Tutorial" href="petclinic-tutorial.html"/>
@ -55,28 +55,13 @@
<item name="Upgrading to 0.9.0" href="upgrade/upgrade-080-090.html"/>
<item name="Upgrading to 0.8.0" href="upgrade/upgrade-070-080.html"/>
<item name="Core JavaDocs" href="acegi-security/apidocs/index.html" target="_blank"/>
<item name="Contacts HTTPS" href="acegi-security-sample-contacts/ssl/howto.txt"/>
<item name="Contacts HTTPS" href="acegi-security-samples/acegi-security-sample-contacts/ssl/howto.txt"/>
<item name="Project Policies" href="policies.html"/>
<item name="Acegi Security JIRA" href="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040"/>
<item name="Blog" href="http://blog.springframework.com/ben.alex/"/>
<item name="Core Reports" href="acegi-security/index.html"/>
</menu>
<menu name="Projects">
<item name="Core Framework" href="acegi-security/index.html"/>
<item name="CAS Adapter" href="acegi-security-cas/index.html"/>
<item name="Catalina Adapter" href="acegi-security-adapters/acegi-security-catalina/index.html"/>
<item name="JBoss Adapter" href="acegi-security-adapters/acegi-security-jboss/index.html"/>
<item name="Jetty Adapter" href="acegi-security-adapters/acegi-security-jetty/index.html"/>
<item name="Resin Adapter" href="acegi-security-adapters/acegi-security-resin/index.html"/>
</menu>
<!--
<menu name="Samples">
<item name="Contacts" href="acegi-security-sample-contacts/index.html"/>
<item name="Attributes" href="acegi-security-sample-attributes/index.html"/>
</menu>
-->
<menu name="" type="footer">
<menu name="Links" type="footer">
<item name="Spring Framework" href="http://www.springframework.org/" img="http://www.springframework.org/buttons/spring_white.png"/>
</menu>
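Review bot: The `<bannerRight>` image is now referenced as `http://acegisecurity.org/logo.gif`, an absolute cleartext URL, as are the SourceForge banner and the Spring button in the footer menu. Every generated page then depends on those hosts being reachable, and the pages cannot be served over HTTPS without mixed-content warnings. I would copy the logo into the site resources and reference it relatively, e.g. `<src>images/logo.gif</src>` (path constructed for illustration), and do the same for the other images where their licences allow it.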


@ -1,163 +1,153 @@
<!--
* ========================================================================
*
* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>External Web Articles covering Acegi Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>External Web Articles covering Acegi Security</h1>
<p>Here are some of the external pages mentioning Acegi Security. If you've
<?xml version="1.0" encoding="ISO-8859-1"?>
<document><properties><title>External Web Articles covering Acegi Security</title></properties><body><section name="External Web Articles covering Acegi Security"><p>Here are some of the external pages mentioning Acegi Security. If you've
found another, please let us know.
<ul>
<li><b><a href="http://forum.springframework.org">Spring Forums</a></b>:
The first place to look for Acegi Security support (use the 'search' function).<br><br>
The first place to look for Acegi Security support (use the 'search' function).<br></br><br></br>
</li>
<li><b><a href="mail-lists.html">Acegi Security Mailing Lists</a></b>:
If you'd like to discuss development of the project.<br><br>
If you'd like to discuss development of the project.<br></br><br></br>
</li>
<li><b><a href="powering.html">Numerous frameworks using Acegi Security</a></b>:
Look here first for how to integrate with major third-party frameworks...<br></br><br></br>
</li>
<li><b><a href="http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html">Propagating Acegi Security's Context in a WSS UsernameToken SOAP Header via XFire using WSS4J</a></b>:
Thanks to Michael Vorburger.<br></br><br></br>
</li>
<li><b><a href="http://www.ibm.com/developerworks/java/library/j-acegi1/index.html">DeveloperWorks Series on Using Acegi Security</a></b>:
A 3-part series by Bilal Siddiqui.<br></br><br></br>
</li>
<li><b><a href="http://alexfletcher.typepad.com/all_bets_off/2006/02/what_acegi_mean.html">What Acegi Means to the Enterprise</a></b>:
A blog entry by Alex Fletcher.<br></br><br></br>
</li>
<li><b><a href="http://jroller.com/page/sjivan?entry=ajax_based_login_using_aceci">AJAX-based login via Acegi Security</a></b>:
Sanjiv Jivan offers a way of approaching AJAX login.<br></br><br></br>
</li>
<li><b><a href="http://weblog.morosystems.cz/spring/Spring-Acegi-JCaptcha-integration">Acegi Security and Captcha Layer</a></b>:
How to use Acegi Security with JCaptcha.<br><br>
How to use Acegi Security with JCaptcha.<br></br><br></br>
</li>
<li><b><a href="http://java.sys-con.com/read/171482_1.htm">Introduction to Acegi: Mastering the security framework</a></b>:
Java Developer's Journal (JDJ) article by David Hardwick.<br><br>
Java Developer's Journal (JDJ) article by David Hardwick.<br></br><br></br>
</li>
<li><b><a href="http://www.javalobby.org/articles/acegisecurity/part1.jsp">Securing Your Java Applications - Acegi Security Style</a></b>:
Matthew Porter wrote this good introductory article for Javalobby.<br><br>
Matthew Porter wrote this good introductory article for Javalobby.<br></br><br></br>
</li>
<li><b><a href="http://home.hccnet.nl/bart.van.riel/">Acegi Spring Tutorial</a></b>:
Available in PDF and HTML formats, thanks to Bart van Riel.<br><br>
Available in PDF and HTML formats, thanks to Bart van Riel.<br></br><br></br>
</li>
<li><b><a href="http://peter.jteam.nl/wp-trackback.php?p=6">Testing Acegi Security</a></b>:
Peter Veentjer discussed how to test Acegi Security-protected objects in isolation.<br><br>
Peter Veentjer discussed how to test Acegi Security-protected objects in isolation.<br></br><br></br>
</li>
<li><b><a href="http://iremia.univ-reunion.fr/intranet/wiki/Wiki.jsp?page=DWRandAcegi">Integrating DWR and Acegi Security</a></b>:
Explanation on using Acegi Security's MethodSecurityInterceptor with DWR.<br><br>
Explanation on using Acegi Security's MethodSecurityInterceptor with DWR.<br></br><br></br>
</li>
<li><b><a href="http://dev.eclipse.org/mhonarc/lists/aspectj-users/msg05355.html">AspectJ with Acegi Security</a></b>:
AspectJ with Acegi Security thread on the AspectJ list.<br><br>
AspectJ with Acegi Security thread on the AspectJ list.<br></br><br></br>
</li>
<li><b><a href="http://www.acooke.org/cute/SessionLim0.html">Session Limitation with Acegi Security</a></b>:
Andrew Cooke discusses using concurrent sessions.<br><br>
Andrew Cooke discusses using concurrent sessions.<br></br><br></br>
</li>
<li><b><a href="http://jroller.com/page/paskos?entry=acegi_portable_independent_and_rich">Acegi: Portable, Independent and Rich Webapp Security</a></b>:
Pascal Gehl relates his experience in migrating from CMA to Acegi Security.<br><br>
Pascal Gehl relates his experience in migrating from CMA to Acegi Security.<br></br><br></br>
</li>
<li><b><a href="http://affy.blogspot.com/2005/10/how-do-i-create-private-bean-using.html">Creating a private bean with Acegi</a></b>:
By David Medinets.<br><br>
By David Medinets.<br></br><br></br>
</li>
<li><b><a href="http://affy.blogspot.com/2005/10/acegi-tutorial-example-of-method-based.html">Method based access control and JUnit for testing</a></b>:
By David Medinets.<br><br>
By David Medinets.<br></br><br></br>
</li>
<li><b><a href="http://affy.blogspot.com/2005/10/acegi-example-of-when-to-use.html">Acegi: When to use AffirmativeBased voting</a></b>:
By David Medinets.<br><br>
By David Medinets.<br></br><br></br>
</li>
<li><b><a href="http://raibledesigns.com/page/rd/20050617#presentations_acegi_security_and_spring">Acegi Security High-Level Overview Presentation</a></b>:
Matt Raible has provided a nice <a href="http://www2.java.no/web/files/moter/mai05/AcegiSecurity.pdf">PDF presentation</a> comparing Acegi Security and J2EE CMA.<br><br>
Matt Raible has provided a nice <a href="http://www2.java.no/web/files/moter/mai05/AcegiSecurity.pdf">PDF presentation</a> comparing Acegi Security and J2EE CMA.<br></br><br></br>
</li>
<li><b><a href="http://jroller.com/page/raible?entry=how_to_upgrade_to_upgrade">How to upgrade to upgrade from Acegi Security 0.9.0 to 1.0 RC1</a></b>:
Matt Raible's upgrade instructions.<br><br>
Matt Raible's upgrade instructions.<br></br><br></br>
</li>
<li><b><a href="http://jaredtech.blogspot.com/2005/08/webworkvelocityacegi-config.html">Webwork + Velocity + Acegi Config</a></b>:
Jared Odulio offers some configuration tips.<br><br>
Jared Odulio offers some configuration tips.<br></br><br></br>
</li>
<li><b><a href="http://www.almaer.com/blog/archives/000640.html">Container Managed Security: If your standard covers a lowest common denominator</a></b>:
"For this reason I end up using something like Acegi Security", Dion Almaer comments after listing a series of missing hooks from the Servlet Spec security approach.<br><br>
"For this reason I end up using something like Acegi Security", Dion Almaer comments after listing a series of missing hooks from the Servlet Spec security approach.<br></br><br></br>
</li>
<li><b><a href="http://opensource.atlassian.com/seraph/status.html">Seraph Development Status</a></b>:
The fine folks at Atlassian have noted, "for more complex needs than Seraph meets, we suggest considering alternative frameworks like ACEGI, which provides more functionality (at the cost of greater complexity)."<br><br>
The fine folks at Atlassian have noted, "for more complex needs than Seraph meets, we suggest considering alternative frameworks like ACEGI, which provides more functionality (at the cost of greater complexity)."<br></br><br></br>
</li>
<li><b><a href="http://www.javalobby.org/java/forums/t91426.html">Implementing application-specific UserDetails in Acegi</a></b>:
Andrei Tudose has provided a JavaLobby article on this common customization point.<br></br><br></br>
</li>
<li><b><a href="http://raibledesigns.com/page/rd/20050104#re_j2ee_app_server_security">J2EE App Server Security</a></b>:
"After using Acegi for the last month, I think I'm going to ditch the 'standard' J2EE security stuff", blogged Matt Raible. I should note
our CVS tree has become stable and there are <a href="building.html">build instructions</a>.<br><br>
our CVS tree has become stable and there are <a href="building.html">build instructions</a>.<br></br><br></br>
</li>
<li><b><a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseAuthentication">AppFuse Authentication</a></b>:
Discusses AppFuse 1.8+'s replacement of Container-Managed Authentication (CMA) with Acegi Security.<br><br>
Discusses AppFuse 1.8+'s replacement of Container-Managed Authentication (CMA) with Acegi Security.<br></br><br></br>
</li>
<li><b><a href="http://www.jroller.com/page/fairTrade?entry=integrating_acegi_and_jsf_revisited"> Integrating Acegi and JSF: Revisited</a></b>:
Thanks to tony_k.<br><br>
Thanks to tony_k.<br></br><br></br>
</li>
<li><b><a href="http://www.jroller.com/page/vtatai/20050505#integrating_acegi_with_jsf">Java Server Faces (JSF) with Acegi Security</a></b>:
Covers using these two frameworks - thanks to Victor Tatai.<br><br>
Covers using these two frameworks - thanks to Victor Tatai.<br></br><br></br>
</li>
<li><b><a href="http://www.jroller.com/page/cagataycivici?entry=acegi_jsf_components_hit_the">Acegi Security Java Server Faces (JSF) components</a></b>:
Cagatay Civici has provided a JSF version of our taglibs.<br><br>
Cagatay Civici has provided a JSF version of our taglibs.<br></br><br></br>
</li>
<li><b><a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseSecurity">Acegi Security use with AppFuse</a></b>:
The popular AppFuse project now uses Acegi Security instead of container managed authentication!<br><br>
The popular AppFuse project now uses Acegi Security instead of container managed authentication!<br></br><br></br>
</li>
<li><b><a href="http://jroller.com/page/habuma/20041124#simplifying_acegi_configuration">Simplifying Acegi Configuration</a></b>:
Craig Walls provides a good approach to reusing your Acegi Security configuration between projects. This has been
<a href="http://www.picklematrix.net/archives/000974.html">updated</a> by Seth Ladd for release 0.7.0.<br><br>
<a href="http://www.picklematrix.net/archives/000974.html">updated</a> by Seth Ladd for release 0.7.0.<br></br><br></br>
</li>
<li><b><a href="http://confluence.sourcebeat.com/display/SPL/Update+Chapters">Spring Live Update Chapters</a></b>:
Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.<br><br>
Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.<br></br><br></br>
</li>
<li><b><a href="http://www.china-pub.com/computers/common/info.asp?id=24483">Mastering Spring (Chinese) Book</a></b>:
Acegi Security is included in Chapter 17 of this book.<br><br>
Acegi Security is included in Chapter 17 of this book.<br></br><br></br>
</li>
<li><b><a href="http://www.manning.com/walls2">Spring In Action</a></b>:
Craig Walls has also written another popular Spring book, which includes Acegi Security in Chapter 11.<br><br>
Craig Walls has also written another popular Spring book, which includes Acegi Security in Chapter 11.<br></br><br></br>
</li>
<li><b><a href="http://www.ja-sig.org/products/cas/client/faq.html#8">Central Authentication Service FAQ</a></b>:
A general overview of how Acegi Security is used with JA-SIG's CAS.<br><br>
A general overview of how Acegi Security is used with JA-SIG's CAS.<br></br><br></br>
</li>
<li><b><a href="http://oness.sourceforge.net/JavaHispano%20Acegi%20presentacion.pdf">JavaHispano 2004 Acegi Security Presentation</a></b>:
Carlos Sanchez's presentation (in Spanish), delivered 17 December 2004. An
<a href="http://oness.sourceforge.net/JavaHispano%20Acegi.pdf">article</a> was also published.
<br><br>
<br></br><br></br>
</li>
<li><b><a href="http://up-u.com/?p=183">Annotations in Acegi Security</a></b>:
An implementation of JDK 1.5 annotations with Acegi Security's SecurityConfig.<br><br>
An implementation of JDK 1.5 annotations with Acegi Security's SecurityConfig.<br></br><br></br>
</li>
<li><b><a href="http://www.fstxblog.com/completely-geeked/2005/05/java-acegi-security-simple-example-v2.html">Acegi Security - The Simplest Possible Example</a></b>:
Reid Carlberg has provided a downloadable WAR containing the simplest possible Acegi Security 0.8.2 configuration.<br><br>
Reid Carlberg has provided a downloadable WAR containing the simplest possible Acegi Security 0.8.2 configuration.<br></br><br></br>
</li>
<li><b><a href="http://fishdujour.typepad.com/blog/2005/02/junit_testing_w.html">JUnit Testing with Acegi Security</a></b>:
A tip from Gavin Terrill on unit testing with Acegi Security.<br><br>
A tip from Gavin Terrill on unit testing with Acegi Security.<br></br><br></br>
</li>
<li><b><a href="http://jroller.com/page/carlossg/20050226#acegi_security_reducing_configuration_in">Acegi Security: reducing configuration in web.xml</a></b>:
Carlos Sanchez provides an overview of our new <code>FilterChainProxy</code> class.<br><br>
Carlos Sanchez provides an overview of our new <code>FilterChainProxy</code> class.<br></br><br></br>
</li>
<li><b><a href="http://www.manageability.org/blog/stuff/single-sign-on-in-java/view">Open Source Identity Management Solutions Written in Java</a></b>:
From <code>manageability.org</code>.<br><br>
From <code>manageability.org</code>.<br></br><br></br>
</li>
<li><b><a href="http://www.porterhome.com/blog/matthew/2005/03/13/1110732830996.html">WW Live: Integrating Acegi and WebWork</a></b>:
Discussion about enhancing Acegi Security and WebWork integration.<br><br>
Discussion about enhancing Acegi Security and WebWork integration.<br></br><br></br>
</li>
<li><b><a href="http://www.orablogs.com/fnimphius/archives/000730.html">J2EE Security: Struts "Shale" proposal does improve web application security</a></b>:
Frank Nimphius' blog contains some comments on Acegi Security. See
our <a href="faq.html">FAQ</a> for additional JAAS comments.<br><br>
our <a href="faq.html">FAQ</a> for additional JAAS comments.<br></br><br></br>
</li>
<li><b><a href="http://jakarta.apache.org/commons/attributes/faq.html">Anyone else using C-A (Commons Attributes)?</a></b>: Acegi Security made the list
of projects using Jakarta Commons Attributes. Our
<a href="/multiproject/acegi-security-sample-attributes/index.html">Attributes Sample</a>
demonstrates C-A integration.<br><br>
demonstrates C-A integration.<br></br><br></br>
</li>
<li><b><a href="http://www.arroco.com/cgi-bin/blosxom.cgi/2005/08/22#acegi-javadoc">Documenting the Future At the Expense of the Present</a></b>:
Blog entry on the JavaDocs missing from Acegi release ZIPs. They're actually there. Just check /docs/multiproject/acegi-security/apidocs/.<br><br>
<li><b><a href="http://www.arroco.com/cgi-bin/blosxom.cgi/2005/08/22#acegi-javadoc">Documenting the Future At the Expense of the Present</a></b>:
Blog entry on the JavaDocs missing from Acegi release ZIPs. They're actually there. Just check /docs/multiproject/acegi-security/apidocs/.<br></br><br></br>
</li>
</ul>
</body>
</html>
</p></section></body></document>


@ -0,0 +1,40 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<document>
<properties><title>Building</title></properties>
<body>
<section name="Building Acegi Security System">
<subsection name="Checking Out from Subversion (SVN)">
<p>This project uses <a href="http://maven.apache.org">Maven</a> as project manager
and build tool. We recommend you to install Maven 2.0.5 or greater before trying
the following. <b>Note there are workarounds at the bottom of this page.</b></p><p>To checkout Acegi Security from SVN, see our
<a href="cvs-usage.html">CVS Usage</a> page.</p>
</subsection>
<subsection name="Quick Build"><p>Often people reading this document just want to see if Acegi Security will work
for their projects. They want to deploy a sample application, and that's about it
(after all, all the reference documentation can be read online at
<a href="http://acegisecurity.org">http://acegisecurity.org</a>).
In this case, execute:</p>
<ol>
<pre>cd $ACEGI_SECURITY/core (or cd %ACEGI_SECURITY%/core on Windows)</pre>
<pre>mvn install</pre>
<pre>cd $ACEGI_SECURITY/samples/contacts</pre>
<pre>mvn package</pre>
<pre>mvn jetty:run</pre>
</ol>
<p>This should build main framework library, build the sample application and run the "contacts" sample application
using the maven jetty plugin. You should then be able to point your browser at
<a href="http://localhost:8080/contacts/">http://localhost:8080/contacts/</a> to use the application.
</p>
</subsection>
</section>
</body>
</document>
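Review bot: The `<ol>` under "Quick Build" holds five `<pre>` elements directly, with no `<li>` around them, so the steps are not list items and may not render as a numbered sequence. Wrap each command, e.g. `<li><pre>mvn install</pre></li>`, or put the whole sequence in a single `<source>` element, as the FAQ page in this commit does for its log4j example. The first subsection also promises "workarounds at the bottom of this page", but this new file contains no such section, so either drop that sentence or add the section. The link text "CVS Usage" sits under a heading about Subversion and could be renamed to match.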


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<document>
<properties>
<title>Subversion Usage</title>
</properties>
<body>
<section name="Accessing the Source">
<subsection name="Web Access">
<p>
You can browse the source tree directly via
<a href="http://acegisecurity.svn.sourceforge.net/viewvc/acegisecurity/">
http://acegisecurity.svn.sourceforge.net/viewvc/acegisecurity/
</a>
</p>
</subsection>
<subsection name="Subversion Command-Line Access">
<p>
The code can be checked out anonymously with the following command:
</p>
<p>
svn co http://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk/
</p>
</subsection>
<subsection name="Nightly Snapshots">
<p>If you'd prefer not to use subversion directly, please see our
<a href="downloads.html">downloads page</a>
for nightly snapshots.
</p>
</subsection>
</section>
</body>
</document>
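Review bot: The anonymous checkout command in "Subversion Command-Line Access" uses a plain `http://` URL, so readers fetch the code they are about to build with no transport integrity or server authentication. If the host serves the same repository over HTTPS (not visible from this page), use that URL in the example. The command is also set as ordinary paragraph text inside `<p>`; placing it in a `<source>` element would stop it being re-wrapped and make it easier to copy exactly.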


@ -0,0 +1,28 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<document><properties><title>Acegi Security Downloads</title></properties><body><section name="Acegi Security Downloads"><p>If you wish to try out this project, you are probably looking for the
<strong>acegi-security-xx.zip</strong> file, which contains all of the officially
released JARs, a copy of all documentation, and two WAR artifacts. The two WAR artifacts
are from the Contacts Sample and the Tutorial Sample application. The Tutorial Sample
consists of a "bare bones" configuration that will get you up and running quickly, whereas
the Contacts Sample illustrates more advanced features.</p><p>Please note that in order to reduce download size, we only include in the
release ZIP one of the WAR artifacts produced by the Contacts Sample application.
The WAR artifact we include is suitable for standalone deployment (specifically, it
does not require a CAS server, container adapter, X509 or LDAP setup). The official release ZIP
therefore probably contains what you need, especially if you're initially
evaluating the project. If you wish to deploy the other WAR artifacts produced by
the Contacts Sample application (ie those that target CAS, container adapters, X509 or LDAP usage),
you will need to build Acegi Security from source.
</p><p>The acegi-security-xx-src.zip is intended for use with IDEs. It does not contain the
files needed to compile Acegi Security. It also does not contain the sources to the
sample applications. If you need any of these files, please download from SVN.</p><subsection name="Official Releases"><p>The official release ZIP files are available from the
<a href="http://sourceforge.net/project/showfiles.php?group_id=104215">Sourceforge File Release System</a>.</p></subsection><subsection name="Maven Dependencies"><p>The Acegi Security JARs are also available via the
<a href="http://www.ibiblio.org/maven2/org/acegisecurity">iBiblio Maven Repository</a>.</p></subsection><subsection name="Building From Source"><p>Detailed instructions on downloading from CVS and building from source
are provided on the <a href="building.html">Building with Maven</a>
page.</p></subsection><subsection name="SVN Snapshots and Daily Builds"><p>
If you don't wish to access SVN directly, we provide
<a href="http://acegisecurity.sourceforge.net/nightly/">nightly SVN exports</a> for your convenience.
There is also an automated build which uploads bundle of Acegi Security jar files to the same location.
Both binary and source archives have the date of the build and the SVN revision number appended to the filename,
so you can match them up easily.
</p></subsection></section></body></document>
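Review bot: This page points readers at release ZIPs, a Maven repository and nightly archives, all through `http://` links, and says nothing about how to verify what was downloaded. If the project publishes checksums or signatures for these artifacts (not shown here), add a sentence saying where they are and that downloads should be checked against them; this matters most for the automatically uploaded nightly bundles. Separately, the "Building From Source" paragraph still says "downloading from CVS" while the rest of the page refers to SVN.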


@ -1,36 +1,16 @@
<!--
* ========================================================================
*
* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<?xml version="1.0" encoding="ISO-8859-1"?>
<document>
<properties>
<title>Frequently Asked Questions (FAQ) on Acegi Security</title>
</properties>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<head>
<title>Frequently Asked Questions (FAQ) on Acegi Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<section name="Frequently Asked Questions">
<body>
<h1>Frequently Asked Questions</h1>
<h2>What is Acegi Security?</h2>
<p>Acegi Security is an open source project that provides comprehensive authentication
<subsection name="What is Acegi Security?">
<p>Acegi Security is an open source project that provides comprehensive authentication
and authorisation services for enterprise applications based on
<a href="http://www.springframework.org">The Spring Framework</a>.
Acegi Security can authenticate using a variety of pluggable providers, and
@ -38,32 +18,35 @@
Acegi Security provides an integrated security approach across
these various targets, and also offers access control list (ACL) capabilities to
enable individual domain object instances to be secured. At an implementation
level, Acegi Security is managed through Spring's inversion of control and
level, Acegi Security is managed through Spring's inversion of control and
lifecycle services, and actually enforces security using interception through
servlet Filters and Java AOP frameworks. In terms of AOP framework support, Acegi
Security currently supports AOP Alliance (which is what the
Spring IoC container uses internally) and AspectJ, although additional frameworks
can be easily supported.</p>
<h2>Why not just use web.xml security?</h2>
<p>Let's assume you're developing an enterprise application based on Spring.
</subsection>
<subsection name="Why not just use web.xml security?">
<p>Let's assume you're developing an enterprise application based on Spring.
There are four security concerns you typically need to address: authentication,
web request security, service layer security (ie your methods that implement
business logic), and domain object instance security (ie different domain objects
have different permissions). With these typical requirements in mind:
<ol>
<li><b>Authentication</b>: The servlet specification provides an approach
to authentication. However, you will need to configure the container
to authentication. However, you will need to configure the container
to perform authentication which typically requires editing of
container-specific "realm" settings. This makes a non-portable
configuration, and if you need to write an actual Java class to implement
configuration, and if you need to write an actual Java class to implement
the container's authentication interface, it becomes even more non-portable.
With Acegi Security you achieve complete portability - right down to the
With Acegi Security you achieve complete portability - right down to the
WAR level. Also, Acegi Security offers a choice of production-proven
authentication providers and mechanisms, meaning you can switch your
authentication providers and mechanisms, meaning you can switch your
authentication approaches at deployment time. This is particularly
valuable for software vendors writing products that need to work in
an unknown target environment.<br><br></li>
an unknown target environment.<br></br><br></br></li>
<li><b>Web request security:</b> The servlet specification provides an
approach to secure your request URIs. However, these URIs can only be
expressed in the servlet specification's own limited URI path format.
@ -72,132 +55,145 @@
URI other than simply the requested page (eg you can consider HTTP GET
parameters), and you can implement your own runtime source of configuration
data. This means your web request security can be dynamically changed during
the actual execution of your webapp.<br><br></li>
<li><b>Service layer and domain object security:</b> The absence of support
in the servlet specification for services layer security or domain object
instance security represent serious limitations for multi-tiered
the actual execution of your webapp.<br></br><br></br></li>
<li><b>Service layer and domain object security:</b> The absence of support
in the servlet specification for services layer security or domain object
instance security represent serious limitations for multi-tiered
applications. Typically developers either ignore these requirements, or
implement security logic within their MVC controller code (or even worse,
inside the views). There are serious disadvantages with this approach:<br><br>
inside the views). There are serious disadvantages with this approach:<br></br><br></br>
<ol>
<li><i>Separation of concerns:</i> Authorization is a
crosscutting concern and should be implemented as such.
MVC controllers or views implementing authorization code
makes it more difficult to test both the controller and
authorization logic, more difficult to debug, and will
<li><i>Separation of concerns:</i> Authorization is a
crosscutting concern and should be implemented as such.
MVC controllers or views implementing authorization code
makes it more difficult to test both the controller and
authorization logic, more difficult to debug, and will
often lead to code duplication.</li>
<li><i>Support for rich clients and web services:</i> If an
additional client type must ultimately be supported, any
authorization code embedded within the web layer is
non-reusable. It should be considered that Spring remoting
exporters only export service layer beans (not MVC
controllers). As such authorization logic needs to be
located in the services layer to support a multitude of
<li><i>Support for rich clients and web services:</i> If an
additional client type must ultimately be supported, any
authorization code embedded within the web layer is
non-reusable. It should be considered that Spring remoting
exporters only export service layer beans (not MVC
controllers). As such authorization logic needs to be
located in the services layer to support a multitude of
client types.</li>
<li><i>Layering issues:</i> An MVC controller or view is simply
the incorrect architectural layer to implement authorization
decisions concerning services layer methods or domain object
instances. Whilst the Principal may be passed to the services
layer to enable it to make the authorization decision, doing
so would introduce an additional argument on every services
layer method. A more elegant approach is to use a ThreadLocal
to hold the Principal, although this would likely increase
<li><i>Layering issues:</i> An MVC controller or view is simply
the incorrect architectural layer to implement authorization
decisions concerning services layer methods or domain object
instances. Whilst the Principal may be passed to the services
layer to enable it to make the authorization decision, doing
so would introduce an additional argument on every services
layer method. A more elegant approach is to use a ThreadLocal
to hold the Principal, although this would likely increase
development time to a point where it would become more
economical (on a cost-benefit basis) to simply use a dedicated
economical (on a cost-benefit basis) to simply use a dedicated
security framework.</li>
<li><i>Authorisation code quality:</i> It is often said of web
frameworks that they "make it easier to do the right things,
and harder to do the wrong things". Security frameworks are
the same, because they are designed in an abstract manner for
a wide range of purposes. Writing your own authorization code
from scratch does not provide the "design check" a framework
would offer, and in-house authorization code will typically
lack the improvements that emerge from widespread deployment,
<li><i>Authorisation code quality:</i> It is often said of web
frameworks that they "make it easier to do the right things,
and harder to do the wrong things". Security frameworks are
the same, because they are designed in an abstract manner for
a wide range of purposes. Writing your own authorization code
from scratch does not provide the "design check" a framework
would offer, and in-house authorization code will typically
lack the improvements that emerge from widespread deployment,
peer review and new versions.
</ol>
</li></ol>
</li>
</ol>
For simple applications, servlet specification security may just be enough.
Although when considered within the context of web container portability,
configuration requirements, limited web request security flexibility, and
non-existent services layer and domain object instance security, it becomes
Although when considered within the context of web container portability,
configuration requirements, limited web request security flexibility, and
non-existent services layer and domain object instance security, it becomes
clear why developers often look to alternative solutions.
</p>
</p></subsection>
<h2>How do you pronounce "Acegi"?</h2>
<p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.
<subsection name="How do you pronounce &quot;Acegi&quot;?">
<p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.
Acegi isn't an acronym, name of a Greek God or anything similarly
impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.</p>
<h2>Is it called "Acegi" or "Acegi Security"?</h2>
<p>It's official name is <i>Acegi Security System for Spring</i>,
</subsection>
<subsection name="Is it called &quot;Acegi&quot; or &quot;Acegi Security&quot;?">
<p>It's official name is <i>Acegi Security System for Spring</i>,
although we're happy for it to be abbreviated to
<i>Acegi Security</i>. Please don't just call it <i>Acegi</i>, though,
as that gets confused with the name of the company that maintains Acegi
Security.</p>
Security.</p></subsection>
<h2>What catches 80% of users reporting problems?</h2>
<p>80% of support questions are because people have not defined
<subsection name="What catches 80% of users reporting problems?">
<p>80% of support questions are because people have not defined
the necessary filters in <code>web.xml</code>, or the filters are being
mapped in the incorrect order. Check the
mapped in the incorrect order. Check the
<a href="reference.html">Reference Guide</a>, which
has a specific section on filter ordering.</p>
<h2>I'm sure my filters are ordered correctly. What else could be wrong?</h2>
<p>The next most common source of problems stem from custom
has a specific section on filter ordering.</p></subsection>
<subsection name="I&apos;m sure my filters are ordered correctly. What else could be wrong?">
<p>The next most common source of problems stem from custom
<code>AuthenticationDao</code> implementations that simply don't properly
implement the interface contract. For example, they return <code>null</code> instead
of the user not found exception, or fail to add in the
<code>GrantedAuthority[]</code>s. Whilst <code>DaoAuthenticationProvider</code>
does its best to check the <code>AuthenticationDao</code> returns a valid
does its best to check the <code>AuthenticationDao</code> returns a valid
<code>UserDetails</code>, we suggest you write the
<code>UserDetails</code> object to the log and check it looks correct.</p>
<code>UserDetails</code> object to the log and check it looks correct.</p></subsection>
<h2>Common Problem #1: My application goes into an "endless loop" when I try to login, what's going on?</h2>
<p>A common user problem with infinite loop and redirecting to the login page
<subsection name="Common Problem #1: My application goes into an &quot;endless loop&quot; when I try to login, what&apos;s going on?">
<p>A common user problem with infinite loop and redirecting to the login page
is caused by accidently configuring the login page as a "secured" resource.
Generally make sure you mark your login page as requiring ROLE_ANONYMOUS.
</p>
</p></subsection>
<h2>Common Problem #2: My application pages don't seem to be protected.</h2>
<p>If you are securing web resources and they dont seem to be matched in the URL patterns,
<subsection name="Common Problem #2: My application pages don&apos;t seem to be protected.">
<p>If you are securing web resources and they dont seem to be matched in the URL patterns,
check the objectDefinitionSource in the FilterSecurityInterceptor.
If you are using the <tt>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</tt> setting,
then the URL patterns configured MUST be in lowercase.
<p>
For example, making a request ending in <tt>/someAction.do</tt> will need
</p><p>
For example, making a request ending in <tt>/someAction.do</tt> will need
to be configured as: <tt>/someaction.do</tt> (Note the case).
<pre>
&lt;property name="objectDefinitionSource">
&lt;value>
&lt;property name="objectDefinitionSource"&gt;
&lt;value&gt;
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/someaction.do=ROLE_USER
&lt;value>
&lt;/property>
/someaction.do=ROLE_USER
&lt;value&gt;
&lt;/property&gt;
</pre>
<h2>Common Problem #3: How do I disable a user after a number of failed logins?</h2>
<p>A common user requirement is to disable / lock an account after a number of failed login attempts.
Acegi itself does not provide anything "out of the box", however in your application you can implement
</p></subsection>
<subsection name="Common Problem #3: How do I disable a user after a number of failed logins?">
<p>A common user requirement is to disable / lock an account after a number of failed login attempts.
Acegi itself does not provide anything "out of the box", however in your application you can implement
and register an <tt>org.springframework.context.ApplicationListener</tt>. Inside your application
event listener you can then check for an instanceof the particular <tt>AuthenticationFailureEvent</tt>
and then call your application user management interface to update the user details.
<p>
</p><p>
For example:
<pre>
public void onApplicationEvent(ApplicationEvent event) {
// check failed event
if(event instanceof AuthenticationFailurePasswordEvent){
// call user management interface to increment failed login attempts, etc.
. . .
}
}
}
</pre>
<h2>Common Problem #4: I am changing my password using a web controller and DAO, why is my password still not being refreshed?</h2>
</p></subsection>
<subsection name="Common Problem #4: I am changing my password using a web controller and DAO, why is my password still not being refreshed?">
<p>There are three things you must do to make a user password change take affect:
<ul>
<li> Change the password using your authentication DAO</li>
@ -205,48 +201,54 @@
<li> Update the <tt>SecurityContextHolder</tt> to include the new <tt>Authentication</tt> object and password</li>
</ul>
<h2>I need some help. What files should I post?</h2>
</p>
</subsection>
<subsection name="I need some help. What files should I post?">
<p>The most important things to post with any support requests on the
<a href="http://forum.springframework.org">Spring Forums</a> are your
<code>web.xml</code>, <code>applicationContext.xml</code> (or whichever
XML loads the security-related beans) as well as any custom
<code>AuthenticationDao</code> you might be using. For really odd problems,
also switch on debug-level logging and include the resulting log.</p>
also switch on debug-level logging and include the resulting log.</p></subsection>
<subsection name="How do I switch on debug-level logging?">
<h2>How do I switch on debug-level logging?</h2>
<p>Acegi Security uses Commons Logging, just as Spring does. So you use the
same approach as you'd use for Spring. Most people output to Log4J, so
the following <code>log4j.properties</code> would work:</p>
<pre>
the following <code>log4j.properties</code> would work:</p><source>
log4j.rootCategory=WARN, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
log4j.category.net.sf.acegisecurity=DEBUG</pre>
<h2>How do I store custom properties, like a user's email address?</h2>
log4j.category.net.sf.acegisecurity=DEBUG
</source></subsection>
<subsection name="How do I store custom properties, like a user&apos;s email address?">
<p>In most cases write an <code>AuthenticationDao</code> which returns
a subclass of <code>User</code>. Alternatively, write your own
<code>UserDetails</code> implementation from scratch and return that.</p>
<code>UserDetails</code> implementation from scratch and return that.</p></subsection>
<h2>Why doesn't Acegi Security use JAAS?</h2>
<p>Acegi Security targets <i>enterprise applications</i>, which are typically
<subsection name="Why doesn&apos;t Acegi Security use JAAS?">
<p>Acegi Security targets <i>enterprise applications</i>, which are typically
multi-user, data-oriented applications that are important to
the core business. Acegi Security was designed to provide a portable and effective
security framework for this target application type. It was not designed for securing
limited privilege runtime environments, such as web browser applets.</p>
<p>We did consider JAAS when designing Acegi Security, but it simply
<p>We did consider JAAS when designing Acegi Security, but it simply
wasn't suitable for our purpose. We needed to avoid complex JRE configurations,
we needed container portability, and we wanted maximum leveraging of the Spring IoC
container. Particularly as limited privilege runtime environments were not
an actual requirement, this lead to the natural design of Acegi Security as
it exists today.</p>
<p>Acegi Security already provides some JAAS integration. It can today authenticate
it exists today.</p><p>Acegi Security already provides some JAAS integration. It can today authenticate
via delegation to a JAAS login module. This means it offers the same level of JAAS
integration as many web containers. Indeed the container adapter model supported by
Acegi Security allows Acegi Security and container-managed security to happily
@ -254,34 +256,33 @@
should therefore centre on the authorisation issue. An evaluation of major
containers and security frameworks would reveal that Acegi Security is by no
means unusual in not using JAAS for authorisation.</p>
<p>There are many examples of open source applications being preferred to
<p>There are many examples of open source applications being preferred to
official standards. A few that come to mind in the Java community include
using Spring managed POJOs (rather than EJBs), Hibernate (instead of entity beans),
Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker
(instead of JSP). It's important to recognise that many open source projects do
develop into de facto standards, and in doing so play a legitimate and beneficial
role in professional software development.</p>
role in professional software development.</p></subsection>
<h2>Do you welcome contributions?</h2>
<p>Yes. If you've written something and it works well, please feel free to share it.
Simply email the contribution to the
<subsection name="Do you welcome contributions?">
<p>Yes. If you've written something and it works well, please feel free to share it.
Simply email the contribution to the
<a href="mail-lists.html">acegisecurity-developers</a> list. If you haven't yet
written the contribution, we encourage you to send your thoughts to the same
written the contribution, we encourage you to send your thoughts to the same
list so that you can receive some initial design feedback.</p>
<p>For a contribution to be used, it must have appropriate unit test coverage and
<p>For a contribution to be used, it must have appropriate unit test coverage and
detailed JavaDocs. It will ideally have some comments for the Reference Guide
as well (this can be sent in word processor or HTML format if desired). This
helps ensure the contribution maintains the same quality as the remainder of
the project.</p>
<p>We also welcome documentation improvements, unit tests, illustrations,
the project.</p><p>We also welcome documentation improvements, unit tests, illustrations,
people supporting the user community (especially on the forums), design ideas,
articles, blog entries, presentations and alike. If you're looking for something
to do, you can always email the
<a href="mail-lists.html">acegisecurity-developers</a> list and we'll be
pleased to suggest something. :-)</p>
pleased to suggest something. :-)</p></subsection>
</body>
</html>
</section>
</body>
</document>


@ -1,131 +1,103 @@
<!--
* ========================================================================
*
* Copyright 2005 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Project Policies and Procedures</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Project Policies and Procedures Version 1.0</h1>
<p>The following policies and procedures are intended to ensure that Acegi Security will
<?xml version="1.0" encoding="ISO-8859-1"?>
<document><properties><title>Project Policies and Procedures</title></properties><body><section name="Project Policies and Procedures Version 1.0"><p>The following policies and procedures are intended to ensure that Acegi Security will
continue to achieve its project objectives and support the community in the context of an
expanding development team.
<p>
</p><p>
The following was unanimously supported by the community supporting following
<a href="http://www.mail-archive.com/acegisecurity-developer%40lists.sourceforge.net/msg01174.html">discussion</a>
on acegisecurity-developer. The policies and procedures below represent version 1.0
and are effective 1 August 2005.
<ul type="1">
<li>
This project uses <a href="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040">JIRA</a>. Please log a task in JIRA for any changes you make to SVN, with the exception of very minor changes that users are unlikely to ever be interested in searching for and/or the change affects code that has never been in an officially released version of the project (eg ongoing changes to a new feature in SVN HEAD that hasn't been released previously).<br><br>
</li>
<li>
Any users running from SVN HEAD are warmly encouraged to <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-cvs">join acegisecurity-cvs</a> so that they can keep an eye on commit comments. Developers are encouraged to join acegisecurity-cvs and read the commit comments. If anyone has a concern with any commit, please raise it on <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-developer">acegisecurity-developer</a> so that the broader community can participate (not acegisecurity-cvs). Alternatively, contact the author of the change directly if you think that would be more appropriate or diplomatic.<br><br>
</li>
<li>
Please make your commit comments informative, yet not too detailed. Detailed comments are ideally placed in the JIRA task. In the case of a contribution by a non-developer, please use the SVN commits to reflect who provided the contribution and add that person's name to /pom.xml in the contributors section. If the contributors section does not list the name of someone who has contributed accepted code, please add them or let me know so that I can do so.<br><br>
</li>
<li>
If you add a major new feature, please announce it on acegisecurity-developer. That way people using the project have an idea of what is coming up in the next release, and any implementation-specific comments can be received prior to the first release when users will start expecting some degree of consistency and stability. It also encourages people to try out your new feature.<br><br>
</li>
<li>
Please make sure /docs/xdocs/changes.xml has a reference to JIRA for the upcoming release version. You don't need to add the name of contributors to /doc/xdocs/changes.xml, as acknowledgement is already provided via /pom.xml, source code @author tags, the SVN commit message, and typically a JIRA task.<br><br>
</li>
<li>
Please edit /docs/xdocs/upgrade/upgrade-xx-yy.html if you make a change that is significant and you think users who are upgrading should be aware of it. Equally, users are encouraged to consult the upgrade-xx-yy.html file before they deploy subsequent official release JARs.<br><br>
</li>
<li>
Please use Jalopy with the /jalopy.xml file to format your Java code before checkin. This keeps our code consistent and ensures the license message is correct. There are plugins for all major IDEs.<br><br>
</li>
<li>
The /sandbox can be used to obtain feedback from fellow developers and the community about your code, general approach or new ideas. If you have SVN rights, please use /sandbox instead of emailing ZIP files to other developers for feedback. The community should understand that code in the sandbox is unsupported, subject to refactoring, may not have any unit tests, and may be removed at any time. The /sandbox will never be included in official release ZIPs. It's a "scratching pad" only.<br><br>
</li>
<li>
Unit tests are important to any security project, and we have a good history of high coverage. You can view the <a href="http://acegisecurity.sourceforge.net/multiproject/acegi-security/clover/index.html">latest coverage report</a> online (rebuilt every 24 hours). Please keep an eye on coverage and don't hesitate to add more unit tests. Please do not check code into /core unless it has at least an exercising unit test - use the /sandbox instead.<br><br>
</li>
<li>
Never check in code if the unit tests fail. This means, at minimum, successfully running "maven test:test" from /core. Always name your unit test classes so they end in "*Tests" - this ensures that Maven picks them up. If there is code in SVN which you didn't write and it is breaking the unit tests, please correct it yourself - don't leave SVN "broken" whilst waiting for the responsible developer to address it (the delay causes confusing and long-running threads on the list and forum). You can always rollback to the previous working version if in doubt of how the class works (just remember to comment the commit appropriately and let the author know).<br><br>
</li>
<li>
Please update the reference guide and JavaDocs for any new major features. The JavaDocs should always be correct. The reference guide may be kept updated with less rigor, although please briefly discuss any major new features. <a href="http://www.xmlmind.com/xmleditor/">XMLmind</a> can be used if you don't have a DocBook editor.<br><br>
</li>
<li>
Developers please keep an eye on the <a href="http://forum.springframework.org">Acegi Security forum</a>. It's a very active forum, and it takes a lot of work if not shared around. Please don't hesitate to reply to users - I try to read every thread and correct/confirm the situation if someone mentions they're unsure. I also will generally send developers an email if there's a question I can't answer as I didn't write the code.<br><br>
</li>
<li>
In the future, I will put to vote any proposed new developers. New developers will be firstly encouraged to attach patches to JIRA tasks to illustrate their understanding of the project, or, if they're long-time users, they might be given access without this JIRA stage if they're undertaking a major new feature.<br><br>
</li>
<li>
Developers should be subscribed to acegisecurity-developer. Obviously it would take significant time to read every thread, but reading the high priority messages (as indicated by the subject line) is needed to ensure we all have a way of communicating.<br><br>
</li>
<li>
Please do not hesitate to assign yourself any JIRA task that is unassigned, or assigned to me and not in the "In Progress" status. Also feel free to approach fellow developers to volunteer to work on tasks they might be assigned but haven't started.<br><br>
</li>
<li>
No code in SVN is "sacred". If you have a good idea or refactoring for an area of code that someone else wrote, raise it on acegisecurity-developer or contact the author directly. Please don't commit changes to such code unless it is a unit test failure correction, or you've firstly raised it on the acegisecurity-developer list or directly with the author.<br><br>
</li>
<li>
People's priorities are ever-changing, and we're all short on time. For this reason it's perfectly understandable that over time developers will move on to other things. This is not a negative reflection in any way - just part of any long-term project. If a developer no longer has the time or inclination to participate in the project , please send an email to acegisecurity-developer or myself. I will remove the SVN rights and reassign any JIRA tasks. Importantly, this helps find a new maintainer of the former developer's code (or, in very extreme cases, their code might be relocated to the sandbox or removed).<br><br>
</li>
<li>
Use CDATA inside XML files for multi-line properties. There is no tab/space policy for XML files, although try to maintain whatever the file is already using. The tab/space policy for Java files is managed by Jalopy.<br><br>
This project uses <a href="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040">JIRA</a>. Please log a task in JIRA for any changes you make to SVN, with the exception of very minor changes that users are unlikely to ever be interested in searching for and/or the change affects code that has never been in an officially released version of the project (eg ongoing changes to a new feature in SVN HEAD that hasn't been released previously).<br></br><br></br>
</li>
<li>
Keep the warm community spirit. The Spring community is a nice place to be - especially compared with some of the other open source communities out there where people are abused, ignored, insulted or excluded. No policy or procedure (including those above) should ever compromise operating in a considerate and diplomatic manner that respects the dignity of each individual member of the community. If in doubt, please contact me directly first. If I am ever guilty of this, please let me know and I will correct myself.<br><br>
Any users running from SVN HEAD are warmly encouraged to <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-cvs">join acegisecurity-cvs</a> so that they can keep an eye on commit comments. Developers are encouraged to join acegisecurity-cvs and read the commit comments. If anyone has a concern with any commit, please raise it on <a href="http://lists.sourceforge.net/mailman/listinfo/acegisecurity-developer">acegisecurity-developer</a> so that the broader community can participate (not acegisecurity-cvs). Alternatively, contact the author of the change directly if you think that would be more appropriate or diplomatic.<br></br><br></br>
</li>
<li>
Please make your commit comments informative, yet not too detailed. Detailed comments are ideally placed in the JIRA task. In the case of a contribution by a non-developer, please use the SVN commits to reflect who provided the contribution and add that person's name to /pom.xml in the contributors section. If the contributors section does not list the name of someone who has contributed accepted code, please add them or let me know so that I can do so.<br></br><br></br>
</li>
<li>
If you add a major new feature, please announce it on acegisecurity-developer. That way people using the project have an idea of what is coming up in the next release, and any implementation-specific comments can be received prior to the first release when users will start expecting some degree of consistency and stability. It also encourages people to try out your new feature.<br></br><br></br>
</li>
<li>
Please make sure /docs/xdocs/changes.xml has a reference to JIRA for the upcoming release version. You don't need to add the name of contributors to /doc/xdocs/changes.xml, as acknowledgement is already provided via /pom.xml, source code @author tags, the SVN commit message, and typically a JIRA task.<br></br><br></br>
</li>
<li>
Please edit /docs/xdocs/upgrade/upgrade-xx-yy.html if you make a change that is significant and you think users who are upgrading should be aware of it. Equally, users are encouraged to consult the upgrade-xx-yy.html file before they deploy subsequent official release JARs.<br></br><br></br>
</li>
<li>
Please use Jalopy with the /jalopy.xml file to format your Java code before checkin. This keeps our code consistent and ensures the license message is correct. There are plugins for all major IDEs.<br></br><br></br>
</li>
<li>
The /sandbox can be used to obtain feedback from fellow developers and the community about your code, general approach or new ideas. If you have SVN rights, please use /sandbox instead of emailing ZIP files to other developers for feedback. The community should understand that code in the sandbox is unsupported, subject to refactoring, may not have any unit tests, and may be removed at any time. The /sandbox will never be included in official release ZIPs. It's a "scratching pad" only.<br></br><br></br>
</li>
<li>
Unit tests are important to any security project, and we have a good history of high coverage. You can view the <a href="http://acegisecurity.sourceforge.net/multiproject/acegi-security/clover/index.html">latest coverage report</a> online (rebuilt every 24 hours). Please keep an eye on coverage and don't hesitate to add more unit tests. Please do not check code into /core unless it has at least an exercising unit test - use the /sandbox instead.<br></br><br></br>
</li>
<li>
Never check in code if the unit tests fail. This means, at minimum, successfully running "mvn test" from /core. Always name your unit test classes so they end in "*Tests" - this ensures that Maven picks them up. If there is code in SVN which you didn't write and it is breaking the unit tests, please correct it yourself - don't leave SVN "broken" whilst waiting for the responsible developer to address it (the delay causes confusing and long-running threads on the list and forum). You can always rollback to the previous working version if in doubt of how the class works (just remember to comment the commit appropriately and let the author know).<br></br><br></br>
</li>
<li>
Please update the reference guide and JavaDocs for any new major features. The JavaDocs should always be correct. The reference guide may be kept updated with less rigor, although please briefly discuss any major new features. <a href="http://www.xmlmind.com/xmleditor/">XMLmind</a> can be used if you don't have a DocBook editor.<br></br><br></br>
</li>
<li>
Developers please keep an eye on the <a href="http://forum.springframework.org">Acegi Security forum</a>. It's a very active forum, and it takes a lot of work if not shared around. Please don't hesitate to reply to users - I try to read every thread and correct/confirm the situation if someone mentions they're unsure. I also will generally send developers an email if there's a question I can't answer as I didn't write the code.<br></br><br></br>
</li>
<li>
In the future, I will put to vote any proposed new developers. New developers will be firstly encouraged to attach patches to JIRA tasks to illustrate their understanding of the project, or, if they're long-time users, they might be given access without this JIRA stage if they're undertaking a major new feature.<br></br><br></br>
</li>
<li>
Developers should be subscribed to acegisecurity-developer. Obviously it would take significant time to read every thread, but reading the high priority messages (as indicated by the subject line) is needed to ensure we all have a way of communicating.<br></br><br></br>
</li>
<li>
Please do not hesitate to assign yourself any JIRA task that is unassigned, or assigned to me and not in the "In Progress" status. Also feel free to approach fellow developers to volunteer to work on tasks they might be assigned but haven't started.<br></br><br></br>
</li>
<li>
No code in SVN is "sacred". If you have a good idea or refactoring for an area of code that someone else wrote, raise it on acegisecurity-developer or contact the author directly. Please don't commit changes to such code unless it is a unit test failure correction, or you've firstly raised it on the acegisecurity-developer list or directly with the author.<br></br><br></br>
</li>
<li>
People's priorities are ever-changing, and we're all short on time. For this reason it's perfectly understandable that over time developers will move on to other things. This is not a negative reflection in any way - just part of any long-term project. If a developer no longer has the time or inclination to participate in the project , please send an email to acegisecurity-developer or myself. I will remove the SVN rights and reassign any JIRA tasks. Importantly, this helps find a new maintainer of the former developer's code (or, in very extreme cases, their code might be relocated to the sandbox or removed).<br></br><br></br>
</li>
<li>
Use CDATA inside XML files for multi-line properties. There is no tab/space policy for XML files, although try to maintain whatever the file is already using. The tab/space policy for Java files is managed by Jalopy.<br></br><br></br>
</li>
<li>
Keep the warm community spirit. The Spring community is a nice place to be - especially compared with some of the other open source communities out there where people are abused, ignored, insulted or excluded. No policy or procedure (including those above) should ever compromise operating in a considerate and diplomatic manner that respects the dignity of each individual member of the community. If in doubt, please contact me directly first. If I am ever guilty of this, please let me know and I will correct myself.<br></br><br></br>
</li>
</ul>
<p>Thanks for your help in connection with the above. If you have any suggestions for improving these
</p><p>Thanks for your help in connection with the above. If you have any suggestions for improving these
policies and procedures, please use the acegisecurity-developer list to raise them.
<p>
Ben Alex<br>
</p><p>
Ben Alex<br></br>
Project Admin
<p>
$Id: policies.html 1377 2006-04-25 00:22:00Z benalex $
</body>
</html>
</p><p>
$Id: policies.xml 1984 2007-08-29 11:00:28Z luke_t $
</p></section></body></document>


@ -0,0 +1,39 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<document><properties><title>Products Using Acegi Security</title></properties><body><section name="Products Using Acegi Security"><p>Many open source and commercial products either use Acegi Security or at least
support it. Following is a partial list of such products. If you've integrated Acegi
Security with some other product, please let us know (preferably with a URL
to some page explaining the integration/use)...
</p><subsection name="Out-Of-the-Box Supported by Acegi Security"><ul>
<li><b><a href="http://springframework.org/">Spring Framework</a></b>: J2EE abstraction framework.<br></br><br></br></li>
<li><b><a href="http://eclipse.org/aspectj/">AspectJ</a></b>: AOP framework.<br></br><br></br></li>
<li><b><a href="http://jcaptcha.sourceforge.net/">JCaptcha</a></b>: Detects human users.<br></br><br></br></li>
<li><b><a href="http://www.ja-sig.org/products/cas/">JA-SIG CAS</a></b>: Single Sign On system.<br></br><br></br></li>
<li><b><a href="http://www3.ca.com/Solutions/Product.asp?ID=5262">SiteMinder</a></b>: Single Sign On system.<br></br><br></br></li>
</ul></subsection><subsection name="Open Source Projects"><ul>
<li><b><a href="http://www.opennms.org/">OpenNMS</a></b>: An open source network management platform <a href="http://www.opennms.org/index.php/Acegi_Security_and_LDAP">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://appfuse.org/">AppFuse</a></b>: Helps jump-start application development. <a href="http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseSecurity">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://www.andromda.org">AndroMDA</a></b>: Code generation framework that uses model driven architecture (MDA). <a href="http://team.andromda.org/docs/andromda-spring-cartridge/howto8.html">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://mule.codehaus.org/">Mule</a></b>: Enterprise service bus (ESB) messaging framework. <a href="http://mule.codehaus.org/Acegi+Security">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://rollerweblogger.org">Roller</a></b>: Blog server. <a href="http://rollerweblogger.org/wiki/Wiki.jsp?page=Proposal_AcegiSecurity">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://getahead.ltd.uk/dwr/">DWR</a></b>: AJAX tool. <a href="http://getahead.ltd.uk/dwr/security">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://sourceforge.net/projects/oaj">OAJ (OpenAccountingJ)</a></b>: Replaces OpenAccounting PHP.<br></br><br></br></li>
<li><b><a href="http://oness.sourceforge.net/">ONESS</a></b>: Sample web application.<br></br><br></br></li>
<li><b><a href="http://sourceforge.net/projects/hispacta">HISPACTA</a></b>: Sample web application.<br></br><br></br></li>
<li><b><a href="https://atleap.dev.java.net/">Blandware AtLeap</a></b>: Multilingal free Java CMS.<br></br><br></br></li>
<li><b><a href="http://photostructure.com/">PhotoStructure</a></b>: A photo management solution.<br></br><br></br></li>
<li><b><a href="http://app.ess.ch/tudu/welcome.action">Tudu Lists</a></b>: AJAX and RSS powered to-do list manager.<br></br><br></br></li>
<li><b><a href="http://trails.dev.java.net/">Trails</a></b>: Native Java Ruby-On-Rails-like framework. <a href="http://os.inspiring.nl/confluence/display/trails/Using+Security">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://grails.codehaus.org/">Grails</a></b>: Native Java and Groovy Ruby-On-Rails-like framework. <a href="http://bbweblog.kevinhooke.com/BBWeblog/viewPost.do?entryID=803&amp;instanceID=1&amp;categoryID=111&amp;action=detail">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://tapestry.apache.org/">Tapestry</a></b>: The original Java event-driven web framework. <a href="http://www.carmanconsulting.com/tapestry-acegi">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://jtrac.info/">JTrac</a></b>: A Java-based issue management system. <a href="http://jtrac.info/doc/html/faq.html">Integration details</a>.<br></br><br></br></li>
<li><b><a href="http://plazma.sourceforge.net/">Plazma</a></b>: Swing-based ERP and CRM system for SMEs.<br></br><br></br></li>
<li><b><a href="http://www.jasypt.org/">Jasypt</a></b>: Java encryption project. <a href="http://www.jasypt.org/faq.html#i-am-already-using-spring-security-for-encrypting-passwords">Integration details</a>.<br></br><br></br></li>
</ul></subsection><subsection name="Commercial Deployments"><ul>
<li>A global financial institution uses Acegi Security's SiteMinder integration in a physical security management application.<br></br><br></br></li>
<li>A central bank that uses Acegi Security for many of its internal applications with the CAS integration.<br></br><br></br></li>
<li>Several Australian Government departments use Acegi Security for securing SOAP-based web services and web applications.<br></br><br></br></li>
<li>Enterprise Systems and Services at Rutgers University uses Acegi Security in conjunction with JA-SIG Central Authentication Service to provide authentication and authorization capabilities to its applications including those used by staff and students as well as those utilized by web services.<br></br><br></br></li>
<li><a href="http://www.elasticpath.com/ecommerce/architecture/soa.jsp">Elastic Path</a> uses Acegi Security for security.<br></br><br></br></li>
<li>Plus many more... ;-)<br></br><br></br></li>
</ul></subsection></section></body></document>


@ -1,68 +1,26 @@
<!--
* ========================================================================
*
* Copyright 2005 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Acegi Security Use Without Spring</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Acegi Security Use Without Spring</h1>
<h2>Introduction</h2>
<p>Sometimes we get asked can Acegi Security be used without Spring.
This page provides a detailed answer.</p>
<h2>History</h2>
<p>Acegi Security started out as a method interceptor for Spring IoC container
<?xml version="1.0" encoding="ISO-8859-1"?>
<document><properties><title>Acegi Security Use Without Spring</title></properties><body><section name="Acegi Security Use Without Spring"><subsection name="Introduction"><p>Sometimes we get asked can Acegi Security be used without Spring.
This page provides a detailed answer.</p></subsection><subsection name="History"><p>Acegi Security started out as a method interceptor for Spring IoC container
managed beans. Typically such beans provide services layer functions.
Over time Acegi Security grew to offer authentication services, <code>ThreadLocal</code> management,
web request filtering, extra AOP support,
ACL features, additional authentication mechanisms and so on (for those interested,
see our <a href="changes-report.html">change log</a>).</p>
<h2>Why Use Spring</h2>
<p>There's plenty written about why the
<a href="http://www.springframework.org">Spring Framework</a>
see our <a href="changes-report.html">change log</a>).</p></subsection><subsection name="Why Use Spring"><p>There's plenty written about why the
<a href="http://www.springframework.org">Spring Framework</a>
is a good fit for modern applications. If you're not familiar with the benefits
Spring offers, please take a few minutes to learn more about it. In numerous
situations Spring will save you many months (or even years) of development time.
Not to mention your solutions will be better architected
(designed), better coded (implemented), and better supported (maintained) in the future.
</p>
<h2>Acegi Security Dependencies on Spring</h2>
<p>Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle
methods such as <code>afterPropertiesSet()</code>. Some Acegi Security classes also
</p></subsection><subsection name="Acegi Security Dependencies on Spring"><p>Acegi Security relies on the Spring IoC container to wire its classes, and execute lifecycle
methods such as <code>afterPropertiesSet()</code>. Some Acegi Security classes also
publish events to the <code>ApplicationContext</code>, although you could provide a mock
implementation of <code>ApplicationContext</code> easily enough which no-ops the method.
In other words, if you particularly didn't want Spring in your application, you <i>could</i>
avoid its use by writing equivalent getter, setter and lifecycle invocation processes
in standard Java code. This is a natural consequence of the Spring way of development,
which emphasises framework independence (it is <i>not</i> because we think there are good
reasons people would <i>not</i> use Spring).</p>
<p>If it sounds too hard (it's not) or counter-productive (it is) to replace Spring's IoC
reasons people would <i>not</i> use Spring).</p><p>If it sounds too hard (it's not) or counter-productive (it is) to replace Spring's IoC
services, don't forget you can always deploy Acegi Security and the Spring
IoC container solely for configuring Acegi Security. Spring does not mandate its
use in every part of your application. It will work quite successfully doing nothing more than
@ -70,26 +28,23 @@
it's really no different than the traditional approach of every framework having its very
own XML or other proprietary configuration system. The main difference is that Spring is an
actual de facto standard, and you can gradually introduce it to other parts of your application
over time (if desired).</p>
<p>Acegi Security does <i>not</i> use any other Spring capabilities. Most notably, the
over time (if desired).</p><p>Acegi Security does <i>not</i> use any other Spring capabilities. Most notably, the
entire architecture is based around <code>Filter</code>s, not Spring's MVC framework.
This allows it to be used with any MVC framework, or even with just straight JSPs.
Acegi Security uses the AOP Alliance and AspectJ interfaces for method interception -
it does not use any Spring-specific interfaces. As a consequence, Acegi Security is very
portable to applications that do not leverage <i>any</i> of Spring's capabilities. We should note
there are several very simple data access objects (DAOs) that use Spring's JDBC abstraction
layer, although each of these are defined by a simple interface and it is very common in
layer, although each of these are defined by a simple interface and it is very common in
even native Spring-powered applications for these to be re-implemented using the application's
persistence framework of choice (eg Hibernate).
<h1>Conclusion</h1>
<p>In summary, we recommend you take a look at Spring and consider using it in your
</p></subsection></section><section name="Conclusion"><p>In summary, we recommend you take a look at Spring and consider using it in your
applications. Irrespective of whether you do so or not, we strongly recommend you use it
for configuration and lifecycle management of Acegi Security. If that is also not desired,
Acegi Security can easily be executed without Spring at all, providing you implement
similar IoC services. Acegi Security has very minimal dependencies directly on Spring,
with it being useful in many non-Spring applications and with non-Spring frameworks.
</body>
</html>
</p></section></body></document>


@ -1,293 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
* ========================================================================
*
* Copyright 2004, 2005 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
**** THIS FILE SHOULD ONLY BE USED TO POINT TO JIRA FOR EACH RELEASE!!!! (BPA, 4 November 2005) ****
-->
<document>
<properties>
<title>Acegi Security changes</title>
</properties>
<body>
<release version="1.0.0 Final" date="In CVS">
<action dev="benalex" type="update">All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040</action>
</release>
<release version="1.0.0 RC2" date="2006-02-09">
<action dev="benalex" type="update">All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040</action>
</release>
<release version="1.0.0 RC1" date="2005-12-05">
<action dev="benalex" type="update">All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040</action>
</release>
<release version="0.9.0" date="2005-11-11">
<action dev="benalex" type="update">All changes are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040</action>
</release>
<release version="0.8.3" date="2005-05-12">
<action dev="benalex" type="fix">HttpSessionContextIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)</action>
</release>
<release version="0.8.1.1" date="2005-07-12">
<action dev="benalex" type="fix">HttpSessionContextIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)</action>
</release>
<release version="0.7.1" date="2005-07-12">
<action dev="benalex" type="fix">AbstractIntegrationFilter elegantly handles IOExceptions and ServletExceptions within filter chain (see http://opensource.atlassian.com/projects/spring/browse/SEC-20)</action>
</release>
<release version="0.8.2" date="2005-04-20">
<action dev="benalex" type="fix">Correct location of AuthenticationSimpleHttpInvokerRequestExecutor in clientContext.xml</action>
<action dev="benalex" type="fix">TokenBasedRememberMeServices changed to use long instead of int for tokenValiditySeconds (SPR-807)</action>
<action dev="benalex" type="fix">Handle null Authentication.getAuthorities() in AuthorizeTag</action>
<action dev="benalex" type="fix">PasswordDaoAuthenticationProvider no longer stores String against Authentication.setDetails()</action>
<action dev="benalex" type="update">Update commons-codec dependency to 1.3</action>
<action dev="raykrueger" type="update">AbstractProcessingFilter no longer has setters for failures, it uses the exceptionMappings property</action>
<action dev="benalex" type="update">Update to match Spring 1.2-RC2 official JAR dependencies</action>
<action dev="raykrueger" type="update">AuthenticationProcessingFilter now provides an obtainUsername method</action>
<action dev="luke_t" type="update">Correct PathBasedFilterInvocationDefinitionMap compatibility with Spring 1.2-RC2</action>
<action dev="luke_t" type="update">Refactoring to leverage Spring's Assert class and mocks where possible</action>
</release>
<release version="0.8.1" date="2005-03-22">
<action dev="luke_t" type="add">X509 (certificate-based) authentication support</action>
<action dev="benalex" type="update">UserDetails now advises locked accounts, with corresponding DaoAuthenticationProvider events and enforcement</action>
<action dev="benalex" type="update">ContextHolderAwareRequestWrapper methods return null if user is anonymous</action>
<action dev="benalex" type="update">AbstractBasicAclEntry improved compatibility with Hibernate</action>
<action dev="benalex" type="update">User now provides a more useful toString() method</action>
<action dev="benalex" type="update">Update to match Spring 1.1.5 official JAR dependencies (NB: now using Servlet 2.4 and related JSP/taglib JARs)</action>
<action dev="benalex" type="fix">SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint</action>
<action dev="benalex" type="fix">FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans</action>
<action dev="fbos" type="fix">Corrected Authz parsing of whitespace in GrantedAuthoritys</action>
<action dev="benalex" type="fix">TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users</action>
<action dev="benalex" type="fix">HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection</action>
<action dev="benalex" type="fix">StringSplitUtils.split() ignored delimiter argument</action>
<action dev="benalex" type="fix">DigestProcessingFilter now provides userCache getter and setter</action>
<action dev="benalex" type="fix">Contacts Sample made to work with UserDetails-based Principal</action>
<action dev="benalex" type="update">Documentation improvements</action>
<action dev="benalex" type="update">Test coverage improvements</action>
</release>
<release version="0.8.0" date="2005-03-03">
<action dev="benalex" type="add">Added Digest Authentication support (RFC 2617 and RFC 2069)</action>
<action dev="benalex" type="add">Added pluggable remember-me services</action>
<action dev="benalex" type="add">Added pluggable mechnism to prevent concurrent login sessions</action>
<action dev="benalex" type="add">FilterChainProxy added to significantly simplify web.xml configuration of Acegi Security</action>
<action dev="benalex" type="add">AuthenticationProcessingFilter now provides hook for extra credentials (eg postcodes)</action>
<action dev="benalex" type="add">New WebAuthenticationDetails class now used by processing filters for Authentication.setDetails()</action>
<action dev="benalex" type="add">Additional debug-level logging</action>
<action dev="benalex" type="add">Improved Tapestry support in AbstractProcessingFilter</action>
<action dev="benalex" type="update">Made ConfigAttributeDefinition and ConfigAttribute Serializable</action>
<action dev="benalex" type="update">User now accepts blank passwords (null passwords still rejected)</action>
<action dev="benalex" type="update">FilterToBeanProxy now searches hierarchical bean factories</action>
<action dev="benalex" type="update">User now accepted blank passwords (null passwords still rejected)</action>
<action dev="benalex" type="update">ContextHolderAwareRequestWrapper now provides a getUserPrincipal() method</action>
<action dev="benalex" type="update">HttpSessionIntegrationFilter no longer creates a HttpSession unnecessarily</action>
<action dev="benalex" type="update">FilterSecurityInterceptor now only executes once per request (improves performance with SiteMesh)</action>
<action dev="raykrueger" type="update">JaasAuthenticatinProvider now uses System.property "java.security.auth.login.config"</action>
<action dev="raykrueger" type="update">JaasAuthenticationCallbackHandler Authentication is passed to handle method setAuthentication removed</action>
<action dev="raykrueger" type="update">Added AuthenticationException to the AutenticationEntryPoint.commence method signature</action>
<action dev="raykrueger" type="update">Added AccessDeniedException to the SecurityEncorcementFilter.sendAccessDeniedError method signature</action>
<action dev="benalex" type="update">FilterToBeanProxy now addresses lifecycle mismatch (IoC container vs servlet container) issue</action>
<action dev="benalex" type="update">Significantly refactor "well-known location model" to authentication processing mechanism and HttpSessionContextIntegrationFilter model</action>
<action dev="benalex" type="fix">Correct issue with JdbcDaoImpl default SQL query not using consistent case sensitivity</action>
<action dev="benalex" type="fix">Improve Linux and non-Sun JDK (specifically IBM JDK) compatibility</action>
<action dev="benalex" type="fix">Log4j now included in generated WAR artifacts (fixes issue with Log4j listener)</action>
<action dev="benalex" type="fix">Correct NullPointerException in FilterInvocationDefinitionSource implementations</action>
</release>
<release version="0.7.0" date="2005-01-16">
<action dev="carlossg" type="add">Major CVS repository restructure to support Maven and eliminate libraries</action>
<action dev="benalex" type="update">Major improvements to Contacts sample application (now demos ACL security)</action>
<action dev="benalex" type="add">Added AfterInvocationManager to mutate objects return from invocations</action>
<action dev="benalex" type="add">Added BasicAclEntryAfterInvocationProvider to ACL evaluate returned Object</action>
<action dev="benalex" type="add">Added BasicAclEntryAfterInvocationCollectionFilteringProvider</action>
<action dev="benalex" type="add">Added security propagation during RMI invocations (from sandbox)</action>
<action dev="benalex" type="add">Added security propagation for Spring's HTTP invoker</action>
<action dev="benalex" type="add">Added BasicAclEntryVoter, which votes based on AclManager permissions</action>
<action dev="benalex" type="add">Added AspectJ support (especially useful for instance-level security)</action>
<action dev="benalex" type="add">Added MethodDefinitionSourceAdvisor for performance and autoproxying</action>
<action dev="benalex" type="add">Added MethodDefinitionMap querying of interfaces defined by secure objects</action>
<action dev="benalex" type="add">Added AuthenticationProcessingFilter.setDetails for use by subclasses</action>
<action dev="benalex" type="add">Added 403-causing exception to HttpSession via SecurityEnforcementFilter</action>
<action dev="benalex" type="add">Added net.sf.acegisecurity.intercept.event package</action>
<action dev="benalex" type="add">Added BasicAclExtendedDao interface and JdbcExtendedDaoImpl for ACL CRUD</action>
<action dev="benalex" type="add">Added additional remoting protocol demonstrations to Contacts sample</action>
<action dev="benalex" type="add">Added AbstractProcessingFilter property to always use defaultTargetUrl</action>
<action dev="benalex" type="add">Added ContextHolderAwareRequestWrapper to integrate with getRemoteUser()</action>
<action dev="benalex" type="add">Added attempted username to view if processed by AuthenticationProcessingFilter</action>
<action dev="benalex" type="add">Added UserDetails account and credentials expiration methods</action>
<action dev="benalex" type="add">Added exceptions and events to support new UserDetails methods</action>
<action dev="benalex" type="add">Added new exceptions to JBoss container adapter</action>
<action dev="benalex" type="update">Improved BasicAclProvider to only respond to specified ACL object requests</action>
<action dev="benalex" type="update">Refactored MethodDefinitionSource to work with Method, not MethodInvocation</action>
<action dev="benalex" type="update">Refactored AbstractFilterInvocationDefinitionSource to work with URL Strings alone</action>
<action dev="benalex" type="update">Refactored AbstractSecurityInterceptor to better support other AOP libraries</action>
<action dev="benalex" type="update">Improved performance of JBoss container adapter (see reference docs)</action>
<action dev="benalex" type="update">Made DaoAuthenticationProvider detect null in Authentication.principal</action>
<action dev="benalex" type="update">Improved JaasAuthenticationProvider startup error detection</action>
<action dev="benalex" type="update">Refactored EH-CACHE implementations to use Spring IoC defined caches instead</action>
<action dev="benalex" type="update">AbstractProcessingFilter now has various hook methods to assist subclasses</action>
<action dev="benalex" type="update">DaoAuthenticationProvider better detects AuthenticationDao interface violations</action>
<action dev="benalex" type="update">The User class has a new constructor (the old constructor is deprecated)</action>
<action dev="benalex" type="fix">Fixed ambiguous column references in JdbcDaoImpl default query</action>
<action dev="benalex" type="fix">Fixed AbstractProcessingFilter to use removeAttribute (JRun compatibility)</action>
<action dev="benalex" type="fix">Fixed GrantedAuthorityEffectiveAclResolver support of UserDetails principals</action>
<action dev="benalex" type="fix">Fixed HttpSessionIntegrationFilter "cannot commit to container" during logoff</action>
<action dev="benalex" type="update">Moved MethodSecurityInterceptor to ...intercept.method.aopalliance package</action>
<action dev="benalex" type="update">Documentation improvements</action>
<action dev="benalex" type="update">Test coverage improvements</action>
</release>
<release version="0.6.1" date="2004-09-24">
<action dev="benalex" type="update">Resolved to use http://apr.apache.org/versioning.html for future versioning</action>
<action dev="benalex" type="add">Added additional DaoAuthenticationProvider event when user not found</action>
<action dev="benalex" type="add">Added Authentication.getDetails() to DaoAuthenticationProvider response</action>
<action dev="benalex" type="add">Added DaoAuthenticationProvider.hideUserNotFoundExceptions (default=true)</action>
<action dev="benalex" type="add">Added PasswordAuthenticationProvider for password-validating DAOs (eg LDAP)</action>
<action dev="benalex" type="add">Added FilterToBeanProxy compatibility with ContextLoaderServlet (lazy inits)</action>
<action dev="benalex" type="add">Added convenience methods to ConfigAttributeDefinition</action>
<action dev="benalex" type="update">Improved sample applications' bean reference notation</action>
<action dev="benalex" type="update">Clarified contract for ObjectDefinitionSource.getAttributes(Object)</action>
<action dev="benalex" type="update">Extracted removeUserFromCache(String) to UserCache interface</action>
<action dev="benalex" type="update">Improved ConfigAttributeEditor so it trims preceding and trailing spaces</action>
<action dev="benalex" type="update">Refactored UsernamePasswordAuthenticationToken.getDetails() to Object</action>
<action dev="benalex" type="fix">Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource change</action>
<action dev="benalex" type="fix">Fixed EH-CACHE-based caching implementation behaviour when cache exists</action>
<action dev="benalex" type="fix">Fixed Ant "release" target not including project.properties</action>
<action dev="benalex" type="fix">Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided to method</action>
<action dev="benalex" type="update">Documentation improvements</action>
</release>
<release version="0.6" date="2004-08-08">
<action dev="benalex" type="add">Added domain object instance access control list (ACL) packages</action>
<action dev="benalex" type="add">Added feature so DaoAuthenticationProvider returns User in Authentication</action>
<action dev="benalex" type="add">Added AbstractIntegrationFilter.secureContext property for custom contexts</action>
<action dev="benalex" type="add">Added stack trace logging to SecurityEnforcementFilter</action>
<action dev="benalex" type="add">Added exception-specific target URLs to AbstractProcessingFilter</action>
<action dev="benalex" type="add">Added JdbcDaoImpl hook so subclasses can insert custom granted authorities</action>
<action dev="raykrueger" type="add">Added AuthenticationProvider that wraps JAAS login modules</action>
<action dev="fbos" type="add">Added support for EL expressions in the authz tag library</action>
<action dev="benalex" type="add">Added failed Authentication object to AuthenticationExceptions</action>
<action dev="benalex" type="add">Added signed JARs to all official release builds (see readme.txt)</action>
<action dev="benalex" type="add">Added remote client authentication validation package</action>
<action dev="benalex" type="add">Added protected sendAccessDeniedError method to SecurityEnforcementFilter</action>
<action dev="benalex" type="update">Updated Authentication to be serializable (Weblogic support)</action>
<action dev="benalex" type="update">Updated JAR to Spring 1.1 RC 1</action>
<action dev="benalex" type="update">Updated to Clover 1.3</action>
<action dev="benalex" type="update">Updated to HSQLDB version 1.7.2 Release Candidate 6D</action>
<action dev="benalex" type="update">Refactored User to net.sf.acegisecurity.UserDetails interface</action>
<action dev="benalex" type="update">Refactored CAS package to store UserDetails in CasAuthenticationToken</action>
<action dev="benalex" type="update">Improved organisation of DaoAuthenticationProvider to facilitate subclassing</action>
<action dev="benalex" type="update">Improved test coverage (now 98.3%)</action>
<action dev="benalex" type="update">Improved JDBC-based tests to use in-memory database rather than filesystem</action>
<action dev="benalex" type="update">Fixed Linux compatibility issues (directory case sensitivity etc)</action>
<action dev="benalex" type="update">Fixed AbstractProcessingFilter to handle servlet spec container differences</action>
<action dev="benalex" type="update">Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue</action>
<action dev="benalex" type="fix">Fixed CasAuthenticationToken if proxy granting ticket callback not requested</action>
<action dev="benalex" type="fix">Fixed EH-CACHE handling on web context refresh</action>
<action dev="benalex" type="update">Documentation improvements</action>
</release>
<release version="0.5.1" date="2004-06-05">
<action dev="benalex" type="add">Added samples/quick-start</action>
<action dev="benalex" type="add">Added NullRunAsManager and made default for AbstractSecurityInterceptor</action>
<action dev="benalex" type="add">Added event notification (see net.sf.acegisecurity.providers.dao.event)</action>
<action dev="benalex" type="update">Updated JAR to Spring 1.0.2</action>
<action dev="benalex" type="update">Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release</action>
<action dev="benalex" type="update">Updated GrantedAuthorityImpl to be serializable (JBoss support)</action>
<action dev="benalex" type="update">Updated Authentication interface to present extra details for a request</action>
<action dev="benalex" type="update">Updated Authentication interface to subclass java.security.Principal</action>
<action dev="benalex" type="update">Refactored DaoAuthenticationProvider caching (refer to reference docs)</action>
<action dev="benalex" type="update">Improved HttpSessionIntegrationFilter to manage additional attributes</action>
<action dev="benalex" type="update">Improved URL encoding during redirects</action>
<action dev="benalex" type="fix">Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)</action>
<action dev="fbos" type="fix">Fixed issue with NullPointerExceptions in taglib</action>
<action dev="benalex" type="update">Removed DaoAuthenticationToken and session-based caching</action>
<action dev="benalex" type="update">Documentation improvements</action>
<action dev="benalex" type="update">Upgrade Note: DaoAuthenticationProvider no longer has a "key" property</action>
</release>
<release version="0.5" date="2004-04-28">
<action dev="benalex" type="add">Added single sign on support via Yale Central Authentication Service (CAS)</action>
<action dev="benalex" type="add">Added full support for HTTP Basic Authentication</action>
<action dev="benalex" type="add">Added caching for DaoAuthenticationProvider successful authentications</action>
<action dev="benalex" type="add">Added Burlap and Hessian remoting to Contacts sample application</action>
<action dev="colins" type="add">Added pluggable password encoders including plaintext, SHA and MD5</action>
<action dev="benalex" type="add">Added pluggable salt sources to enhance security of hashed passwords</action>
<action dev="benalex" type="add">Added FilterToBeanProxy to obtain filters from Spring application context</action>
<action dev="colins" type="add">Added support for prepending strings to roles created by JdbcDaoImpl</action>
<action dev="colins" type="add">Added support for user definition of SQL statements used by JdbcDaoImpl</action>
<action dev="colins" type="add">Added definable prefixes to avoid expectation of "ROLE_" GrantedAuthoritys</action>
<action dev="benalex" type="add">Added pluggable AuthenticationEntryPoints to SecurityEnforcementFilter</action>
<action dev="benalex" type="add">Added Apache Ant path syntax support to SecurityEnforcementFilter</action>
<action dev="benalex" type="add">Added filter to automate web channel requirements (eg HTTPS redirection)</action>
<action dev="benalex" type="update">Updated JAR to Spring 1.0.1</action>
<action dev="benalex" type="update">Updated several classes to use absolute (not relative) redirection URLs</action>
<action dev="benalex" type="update">Refactored filters to use Spring application context lifecycle support</action>
<action dev="benalex" type="update">Improved constructor detection of nulls in User and other key objects</action>
<action dev="benalex" type="fix">Fixed FilterInvocation.getRequestUrl() to also include getPathInfo()</action>
<action dev="benalex" type="fix">Fixed Contacts sample application <A></A> tags</action>
<action dev="benalex" type="update">Established acegisecurity-developer mailing list</action>
<action dev="benalex" type="update">Documentation improvements</action>
</release>
<release version="0.4" date="2004-04-03">
<action dev="benalex" type="add">Added HTTP session authentication as an alternative to container adapters</action>
<action dev="benalex" type="add">Added HTTP request security interceptor (offers considerable flexibility)</action>
<action dev="fbos" type="add">Added security taglib</action>
<action dev="benalex" type="add">Added Clover test coverage instrumentation (currently 97.2%)</action>
<action dev="benalex" type="add">Added support for Catalina (Tomcat) 4.1.30 to in-container integration tests</action>
<action dev="benalex" type="add">Added HTML test and summary reporting to in-container integration tests</action>
<action dev="benalex" type="update">Updated JARs to Spring Framework release 1.0, with associated AOP changes</action>
<action dev="benalex" type="update">Updated to Apache License version 2.0</action>
<action dev="benalex" type="update">Updated copyright with permission of past contributors</action>
<action dev="benalex" type="update">Refactored unit tests to use mock objects and focus on a single class each</action>
<action dev="benalex" type="update">Refactored many classes to enable insertion of mock objects during testing</action>
<action dev="benalex" type="update">Refactored core classes to ease support of new secure object types</action>
<action dev="benalex" type="update">Changed package layout to better describe the role of contained items</action>
<action dev="benalex" type="update">Changed the extractor to extract additional classes from JBoss and Catalina</action>
<action dev="benalex" type="update">Changed Jetty container adapter configuration (see reference documentation)</action>
<action dev="benalex" type="update">Improved AutoIntegrationFilter handling of deployments without JBoss JARs</action>
<action dev="benalex" type="fix">Fixed case handling support in data access object authentication provider</action>
<action dev="benalex" type="update">Documentation improvements</action>
</release>
<release version="0.3" date="2004-03-18">
<action dev="benalex" type="add">Added "in container" unit test system for container adapters and sample app</action>
<action dev="benalex" type="add">Added library extractor tool to reduce the "with deps" ZIP release sizes</action>
<action dev="benalex" type="add">Added unit test to the attributes sample</action>
<action dev="benalex" type="add">Added Jalopy source formatting</action>
<action dev="benalex" type="update">Modified all files to use net.sf.acegisecurity namespace</action>
<action dev="benalex" type="update">Renamed springsecurity.xml to acegisecurity.xml for consistency</action>
<action dev="benalex" type="update">Reduced length of ZIP and JAR filenames</action>
<action dev="benalex" type="update">Clarified licenses and sources for all included libraries</action>
<action dev="benalex" type="update">Updated documentation to reflect new file and package names</action>
<action dev="benalex" type="update">Setup Sourceforge.net project and added to CVS etc</action>
</release>
<release version="0.2" date="2004-03-10">
<action dev="benalex" type="add">Added Commons Attributes support and sample (thanks to Cameron Braid)</action>
<action dev="benalex" type="add">Added JBoss container adapter</action>
<action dev="benalex" type="add">Added Resin container adapter</action>
<action dev="benalex" type="add">Added JDBC DAO authentication provider</action>
<action dev="benalex" type="add">Added several filter implementations for container adapter integration</action>
<action dev="benalex" type="add">Added SecurityInterceptor startup time validation of ConfigAttributes</action>
<action dev="benalex" type="add">Added more unit tests</action>
<action dev="benalex" type="update">Refactored ConfigAttribute to interface and added concrete implementation</action>
<action dev="benalex" type="update">Enhanced diagnostics information provided by sample application debug.jsp</action>
<action dev="benalex" type="update">Modified sample application for wider container portability (Resin, JBoss)</action>
<action dev="benalex" type="fix">Fixed switch block in voting decision manager implementations</action>
<action dev="benalex" type="update">Removed Spring MVC interceptor for container adapter integration</action>
<action dev="benalex" type="update">Documentation improvements</action>
</release>
<release version="0.1" date="2004-03-03">
<action dev="benalex" type="add">Initial public release</action>
</release>
</body>
</document>


@ -1,69 +0,0 @@
<?xml version="1.0"?>
<!--
* ========================================================================
*
* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<document>
<properties>
<title>Reference Documentation</title>
</properties>
<body>
<section name="Reference Documentation">
<subsection name="Overview of the Reference Documentation">
<table>
<tr><th>Document</th><th>Description</th></tr>
<!-- disabled by Ben Alex on 9 April 2005 as it is still not auto-updating on Monkey Machine nightly build
<tr>
<td>
<a href="docbook/index.html">Reference Guide HTML One Page per Chapter</a>
</td>
<td>
The reference guide using one page per chapter.
</td>
</tr>
-->
<tr>
<td>
<a href="docbook/acegi.html">Reference Guide HTML Single Page</a>
</td>
<td>
The reference guide in a single html page.
</td>
</tr>
<tr>
<td>
<a href="docbook/acegi.pdf">Reference Guide PDF</a>
</td>
<td>
The PDF version of the reference guide.
</td>
</tr>
</table>
</subsection>
</section>
</body>
</document>