Suggested Steps
Presented below are the steps we encourage you to take in order to gain the most
out of Acegi Security in a realistic timeframe.
- First of all, deploy the "Tutorial Sample", which is included in the main distribution
ZIP file. The sample doesn't do a great deal, but it does give you a template that you
can quickly and easily integrate into your own project.
Estimated time: 30 minutes.
- Next, follow the Petclinic tutorial, which
covers how to add Acegi Security to the commonly-used Petclinic sample application
that ships with Spring. This will give you a hands-on approach to integrating
Acegi Security into your own application.
Estimated time: 1 hour.
- Next, review the Reference Guide, and in particular
Part I. It has been designed to give you a solid overview. Go through the beans
defined in the "Tutorial Sample" and understand their main purpose within the overall
framework. Once you understand this, you'll have no difficulty moving on to more
complex examples. You can also experiment in the Petclinic tutorial that you
implemented in the last step.
Estimated time: 1 day.
- If you have relatively simple security needs, you can probably start to integrate
Acegi Security into your application at this point. Just use the "Tutorial Sample"
as your basis (now that you understand how it works). Those with more complicated
requirements should review the "Contacts Sample" application.
This will probably involve deploying acegi-security-sample-contacts-filter.war,
which is also included in the release ZIP file.
The purpose of understanding the "Contacts Sample" is to get a better feel for how method
security is implemented, particularly with domain object access control lists. This will
round out the rest of the framework for you.
The actual Java code is a completely standard Spring application, except
ContactManagerBackend, which shows how we create and delete ACL permissions. The rest of
the Java code has no security awareness, with all security services being declared in the
XML files (don't worry, there aren't any new XML formats to learn: they're all standard
Spring IoC container declarations or the stock-standard web.xml). The main XML files to
review are applicationContext-acegi-security.xml (from the filter webapp),
applicationContext-common-authorization.xml, applicationContext-common-business.xml
(just note we add contactManagerSecurity to the services layer target bean), and
web.xml (from the filter webapp).
The XML definitions are comprehensively discussed in the Reference Guide.
Please note the release ZIP files do not include the sample application Java source code. You
will need to download from SVN if you would like to access the Java sources.
Estimated time: 1-2 days.
- By now you will have a good grasp of how Acegi Security works, and all that is left to
do is design your own application's implementation.
We strongly recommend that you start your actual integration with the "Tutorial Sample".
Don't start by integrating with the "Contacts Sample", even if you have complex needs.
Most people reporting problems on the forums do so because of a configuration problem,
as they're trying to make far too many changes at once without really knowing what
they're doing. Instead, make changes one at a time, starting from the bare bones configuration
provided by the "Tutorial Sample".
If you've followed the steps above, and refer back to the Reference Guide, forums, and FAQ
for help, you'll find it pretty easy to implement Acegi Security in your application.
Most importantly, you'll be using a security framework that offers you complete container
portability, flexibility, and community support - without needing to write and maintain your
own code.
Estimated time: 1-5 days.
Please note the time estimates are just that: estimates. They will vary considerably depending
on how much experience you have, particularly with Java and Spring. They will also vary depending
on how complex your intended security-enabled application will be. Some people need to push the domain
object instance access control list capabilities to the maximum, whilst others don't even need anything
beyond web request security. The good thing is Acegi Security will either directly support your future
needs, or provide a clearly-defined extension point for addressing them.
We welcome your feedback about how long it has actually taken you to complete each step, so we
can update this page and help new users better assess their project timetables in the future.
Any other tips on what you found helpful in learning Acegi Security are also very welcome.