Mission Statement


To provide comprehensive security services for The Spring Framework.


Key Features


  • It is ready NOW. As explained in the reference guide, the API is now quite stable. We also use the Apache APR Project Versioning Guidelines so you can identify backward compatibility.



  • Fast results: View our suggested steps for the fastest way to develop complex, security-compliant applications.



  • Enterprise-wide single sign on: Using Yale University's open source Central Authentication Service (CAS), the Acegi Security System for Spring can participate in an enterprise-wide single sign on environment. You no longer need every web application to have its own authentication database. Nor are you restricted to single sign on across a single web container. Advanced single sign on features like proxy support and forced refresh of logins are supported by both CAS and Acegi Security.



  • Reuses your Spring expertise: We use Spring application contexts for all configuration, which should help Spring developers get up-to-speed nice and quickly.



  • Domain object instance security: In many applications it's desirable to define Access Control Lists (ACLs) for individual domain object instances. We provide a comprehensive ACL package with features including integer bit masking, permission inheritence (including blocking), a JDBC-backed ACL repository, caching and a pluggable, interface-driven design.



  • Non-intrusive setup: The entire security system can operate within a single web application using the provided filters. There is no need to make special changes or deploy libraries to your Servlet or EJB container.



  • Full (but optional) container integration: The credential collection and authorization capabilities of your Servlet or EJB container can be fully utilised via included "container adapters". We currently support Catalina (Tomcat), Jetty, JBoss and Resin, with additional containers easily added.



  • Keeps your objects free of security code: Many applications need to secure data at the bean level based on any combination of parameters (user, time of day, authorities held, method being invoked, parameter on method being invoked....). This package gives you this flexibility without adding security code to your Spring business objects.



  • After invocation security: Acegi Security can not only protect methods from being invoked in the first place, but it can also deal with the Objects returned from the methods. Included implementations of after invocation security can throw an exception or mutate the returned object based on ACLs.



  • Secures your HTTP requests as well: In addition to securing your beans, the project also secures your HTTP requests. No longer is it necessary to rely on web.xml security constraints. Best of all, your HTTP requests can now be secured by your choice of regular expressions or Apache Ant paths, along with pluggable authentication, authorization and run-as replacement managers.



  • Channel security: The Acegi Security System for Spring can automatically redirect requests across an appropriate transport channel. Whilst flexible enough to support any of your "channel" requirements (eg the remote user is a human, not a robot), a common channel security feature is to ensure your secure pages will only be available over HTTPS, and your public pages only over HTTP. Acegi Security also supports unusual port combinations and pluggable transport decision managers.



  • Supports HTTP BASIC authentication: Perfect for remoting protocols or those web applications that prefer a simple browser pop-up (rather than a form login), Acegi Security can directly process HTTP BASIC authentication requests as per RFC 1945.



  • Supports HTTP Digest authentication: For greater security than offered by BASIC authentcation, Acegi Security also supports Digest Authentication (which never sends the user's password across the wire). Digest Authentication is widely supported by modern browsers. Acegi Security's implementation complies with both RFC 2617 and RFC 2069.



  • Convenient security taglib: Your JSP files can use our taglib to ensure that protected content like links and messages are only displayed to users holding the appropriate granted authorities. The taglib also fully integrates with Acegi Security's ACL services.



  • Application context or attribute-based configuration: You select the method used to configure your security environment. The project supports configuration via Spring application contexts as well as Jakarta Commons Attributes.



  • Various authentication backends: We include the ability to retrieve your user and granted authority definitions from either an XML file or JDBC datasource. Alternatively, you can implement the single-method DAO interface and obtain authentication details from anywhere you like.



  • Event support: Building upon Spring's ApplicationEvent services, you can write your own listeners for authentication-related events, along with authorisation-related events. This enables you to implement account lockout and audit log systems, with complete decoupling from Acegi Security code.



  • Easy integration with existing databases: Our implementations have been designed to make it very easy to use your existing authentication schema and data (without modification). Of course, you can also provide your own Data Access Object if you wish.



  • Caching: Acegi Security integrates with Spring's EHCACHE factory. This flexibility means your database (or other authentication repository) is not repeatedly queried for authentication information.



  • Pluggable architecture: Every critical aspect of the package has been modelled using high cohesion, loose coupling, interface-driven design principles. You can easily replace, customise or extend parts of the package.



  • Startup-time validation: Every critical object dependency and configuration parameter is validated at application context startup time. Security configuration errors are therefore detected early and corrected quickly.



  • Remoting support: Does your project use a rich client? Not a problem. Acegi Security integrates with standard Spring remoting protocols, because it automatically processes the HTTP BASIC authentication headers they present. Add our BASIC authentication filter to your web.xml and you're done.



  • Advanced password encoding: Of course, passwords in your authentication repository need not be in plain text. We support both SHA and MD5 encoding, and also pluggable "salt" providers to maximise password security.



  • Run-as replacement: The security system fully supports temporarily replacing the authenticated user for the duration of the web request or bean invocation. This enables you to build public-facing object tiers with different security configurations than your backend objects.



  • Transparent security propagation: Acegi Security can automatically transfer its core authentication information from one machine to another, using a variety of protocols including RMI and Spring's HttpInvoker.



  • Compatible with HttpServletRequest.getRemoteUser(): Even though Acegi Security can deliver authentication using a range of pluggable mechanisms (most of which require no web container configuration), we allow you to access the resulting Authentication object via the getRemoteUser() method.



  • Unit tests: A must-have of any quality security project, unit tests are included. Our unit test coverage is very high, as shown in the coverage report.



  • Built by Maven: This assists you in effectively reusing the Acegi Security artifacts in your own Maven-based projects.



  • Supports your own unit tests: We provide a number of classes that assist with your own unit testing of secured business objects. For example, you can change the authentication identity and its associated granted authorities directly within your test methods.



  • Peer reviewed: Whilst nothing is ever completely secure, using an open source security package leverages the continuous design and code quality improvements that emerge from peer review.



  • Thorough documentation: All APIs are fully documented using JavaDoc, with a 40+ page Reference Guide providing an easy-to-follow introduction. More documentation is provided on this web site, as shown in the left hand navigation sidebar.



  • Apache license.





Project Resources


Support Forums



Downloads