|
|
@@ -1,239 +0,0 @@
|
|
|
-<?xml version="1.0"?>
|
|
|
-
|
|
|
-<document>
|
|
|
- <properties>
|
|
|
- <title>Acegi Security System for Spring</title>
|
|
|
- </properties>
|
|
|
-
|
|
|
-
|
|
|
- <body>
|
|
|
- <hr />
|
|
|
- <section name="What is Acegi Security?">
|
|
|
- <hr />
|
|
|
- <p>Acegi Security is a powerful, flexible security solution for enterprise software,
|
|
|
- with a particular emphasis on applications that use
|
|
|
- <a href="http://www.springframework.org/">Spring</a>. Using Acegi Security provides your
|
|
|
- applications with comprehensive authentication, authorization, instance-based access control,
|
|
|
- channel security and human user detection capabilities.
|
|
|
- </p>
|
|
|
- </section>
|
|
|
-
|
|
|
-
|
|
|
- <section name="Key Features">
|
|
|
- <ul>
|
|
|
- <li><b>Stable and mature.</b>
|
|
|
- Acegi Security 1.0.0 was released in May 2006 after
|
|
|
- more than two and a half years of use in large production software projects, 70,000+ downloads
|
|
|
- and hundreds of community contributions.
|
|
|
- In terms of release numbering, we also use the <a
|
|
|
- href="http://apr.apache.org/versioning.html">Apache APR Project
|
|
|
- Versioning Guidelines</a> so that you can easily identify release
|
|
|
- compatibility.
|
|
|
- </li>
|
|
|
- <li><b>Well documented:</b> All APIs are fully documented using
|
|
|
- <a href="http://acegisecurity.org/multiproject/acegi-security/apidocs/index.html">JavaDoc</a>,
|
|
|
- with almost 100 pages of
|
|
|
- <a href="reference.html">Reference Guide</a> documentation providing an easy-to-follow
|
|
|
- introduction. Even more documentation is provided on this web site, as
|
|
|
- shown in the left hand navigation sidebar.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Fast results:</B> View our <a href="suggested.html">suggested steps</a>
|
|
|
- for the fastest way to develop complex, security-compliant applications.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Enterprise-wide single sign on:</B> Using JA-SIG's open
|
|
|
- source <A href="http://www.ja-sig.org/products/cas/">Central Authentication
|
|
|
- Service</A> (CAS), the Acegi Security can participate
|
|
|
- in an enterprise-wide single sign on environment. You no longer need
|
|
|
- every web application to have its own authentication database. Nor are
|
|
|
- you restricted to single sign on across a single web container. Advanced
|
|
|
- single sign on features like proxy support and forced refresh of logins
|
|
|
- are supported by both CAS and Acegi Security.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Reuses your Spring expertise:</B> We use Spring application
|
|
|
- contexts for all configuration, which should help Spring developers get
|
|
|
- up-to-speed nice and quickly.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Domain object instance security:</B> In many applications it's
|
|
|
- desirable to define Access Control Lists (ACLs) for individual domain
|
|
|
- object instances. We provide a comprehensive ACL package with features
|
|
|
- including integer bit masking, permission inheritence (including
|
|
|
- blocking), a JDBC-backed ACL repository, caching and a pluggable,
|
|
|
- interface-driven design.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Non-intrusive setup:</B> The entire security system can operate
|
|
|
- within a single web application using the provided filters. There is no
|
|
|
- need to make special changes or deploy libraries to your Servlet or EJB
|
|
|
- container.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Full (but optional) container integration:</B> The credential
|
|
|
- collection and authorization capabilities of your Servlet or EJB
|
|
|
- container can be fully utilised via included "container adapters". We
|
|
|
- currently support Catalina (Tomcat), Jetty, JBoss and Resin, with
|
|
|
- additional containers easily added.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Keeps your objects free of security code:</B> Many applications
|
|
|
- need to secure data at the bean level based on any combination of
|
|
|
- parameters (user, time of day, authorities held, method being invoked,
|
|
|
- parameter on method being invoked....). This package gives you this
|
|
|
- flexibility without adding security code to your Spring business
|
|
|
- objects.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>After invocation security:</B> Acegi Security can not only protect
|
|
|
- methods from being invoked in the first place, but it can also
|
|
|
- deal with the objects returned from the methods. Included implementations
|
|
|
- of after invocation security can throw an exception or mutate the returned
|
|
|
- object based on ACLs.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Secures your HTTP requests as well:</B> In addition to securing
|
|
|
- your beans, the project also secures your HTTP requests. No longer is it
|
|
|
- necessary to rely on web.xml security constraints. Best of all, your
|
|
|
- HTTP requests can now be secured by your choice of regular expressions
|
|
|
- or Apache Ant paths, along with pluggable authentication, authorization
|
|
|
- and run-as replacement managers.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Channel security:</B> Acegi Security can
|
|
|
- automatically redirect requests across an appropriate transport channel.
|
|
|
- Whilst flexible enough to support any of your "channel" requirements (eg
|
|
|
- the remote user is a human, not a robot), a common channel security
|
|
|
- feature is to ensure your secure pages will only be available over
|
|
|
- HTTPS, and your public pages only over HTTP. Acegi Security also
|
|
|
- supports unusual port combinations (including if accessed via an
|
|
|
- intermediate server like Apache) and pluggable transport decision
|
|
|
- managers.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Supports HTTP BASIC authentication:</B> Perfect for remoting
|
|
|
- protocols or those web applications that prefer a simple browser pop-up
|
|
|
- (rather than a form login), Acegi Security can directly process HTTP
|
|
|
- BASIC authentication requests as per RFC 1945.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Supports HTTP Digest authentication:</B> For greater security than
|
|
|
- offered by BASIC authentcation, Acegi Security also supports Digest Authentication
|
|
|
- (which never sends the user's password across the wire). Digest Authentication
|
|
|
- is widely supported by modern browsers. Acegi Security's implementation complies
|
|
|
- with both RFC 2617 and RFC 2069.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Computer Associates Siteminder support:</B> Authentication can be
|
|
|
- delegated through to CA's Siteminder solution, which is common in large
|
|
|
- corporate environments.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>X509 (Certificate) support:</B> Acegi Security can easily read
|
|
|
- client-side X509 certificates for authenticating users.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>LDAP Support:</B> Do you have an LDAP directory? Acegi Security can
|
|
|
- happily authenticate against it.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Tag library support:</B> Your JSP files can use our taglib
|
|
|
- to ensure that protected content like links and messages are only
|
|
|
- displayed to users holding the appropriate granted authorities. The taglib
|
|
|
- also fully integrates with Acegi Security's ACL services, and
|
|
|
- obtaining extra information about the logged-in principal.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:</B> You
|
|
|
- select the method used to configure your security environment. The
|
|
|
- project supports configuration via Spring application contexts, as well
|
|
|
- as Jakarta Commons Attributes and Java 5's annotations feature. Some users
|
|
|
- (such as those building content management systems) pull configuration data
|
|
|
- from a database, which exemplifies Acegi Security's flexible configuration
|
|
|
- metadata system.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Various authentication backends:</B> We include the ability to
|
|
|
- retrieve your user and granted authority definitions from an XML
|
|
|
- file, JDBC datasource or Properties file. Alternatively, you can implement the
|
|
|
- single-method UserDetailsService interface and obtain authentication details from
|
|
|
- anywhere you like.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Event support:</B> Building upon Spring's
|
|
|
- <CODE>ApplicationEvent</CODE> services, you can write your own listeners
|
|
|
- for authentication-related events, along with authorisation-related events.
|
|
|
- This enables you to implement account lockout and audit log systems, with
|
|
|
- complete decoupling from Acegi Security code.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Easy integration with existing databases:</B> Our implementations
|
|
|
- have been designed to make it very easy to use your existing
|
|
|
- authentication schema and data (without modification). Of course,
|
|
|
- you can also provide your own Data Access Object if you wish.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Caching:</B> Acegi Security integrates with Spring's <A
|
|
|
- href="http://ehcache.sourceforge.net/">EHCACHE</A> factory.
|
|
|
- This flexibility means your database (or other authentication
|
|
|
- repository) is not repeatedly queried for authentication
|
|
|
- information.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Pluggable architecture:</B> Every critical aspect of the package
|
|
|
- has been modelled using high cohesion, loose coupling, interface-driven
|
|
|
- design principles. You can easily replace, customise or extend parts of
|
|
|
- the package.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Startup-time validation:</B> Every critical object dependency and
|
|
|
- configuration parameter is validated at application context startup
|
|
|
- time. Security configuration errors are therefore detected early and
|
|
|
- corrected quickly.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Remoting support:</B> Does your project use a rich client? Not a
|
|
|
- problem. Acegi Security integrates with standard Spring remoting
|
|
|
- protocols, because it automatically processes the HTTP BASIC
|
|
|
- authentication headers they present. Add our BASIC authentication filter
|
|
|
- to your web.xml and you're done. You can also easily use RMI or Digest
|
|
|
- authentication for your rich clients with a simple configuration statement.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Advanced password encoding:</B> Of course, passwords in your
|
|
|
- authentication repository need not be in plain text. We support both SHA
|
|
|
- and MD5 encoding, and also pluggable "salt" providers to maximise
|
|
|
- password security. Acegi Security doesn't even need to see the password
|
|
|
- if your backend can use a bind-based strategy for authentication (such as
|
|
|
- an LDAP directory, or a database login).<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Run-as replacement:</B> The system fully supports
|
|
|
- temporarily replacing the authenticated principal for the duration of the web
|
|
|
- request or bean invocation. This enables you to build public-facing
|
|
|
- object tiers with different security configurations than your backend
|
|
|
- objects.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Transparent security propagation:</B> Acegi Security can automatically
|
|
|
- transfer its core authentication information from one machine to another,
|
|
|
- using a variety of protocols including RMI and Spring's HttpInvoker.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Compatible with HttpServletRequest's security methods:</B> Even though
|
|
|
- Acegi Security can deliver authentication using a range of pluggable mechanisms
|
|
|
- (most of which require no web container configuration), we allow you to access
|
|
|
- the resulting Authentication object via the getRemoteUser() and other
|
|
|
- security methods on HttpServletRequest.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Unit tests:</B> A must-have of any quality security project, unit
|
|
|
- tests are included. Our unit test coverage is very high, as shown in the
|
|
|
- <a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Built by Maven:</B> This assists you in effectively reusing the Acegi
|
|
|
- Security artifacts in your own Maven-based projects.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Supports your own unit tests:</B> We provide a number of classes
|
|
|
- that assist with your own unit testing of secured business objects. For
|
|
|
- example, you can change the authentication identity and its associated
|
|
|
- granted authorities directly within your test methods.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Peer reviewed:</B> Whilst nothing is ever completely secure,
|
|
|
- using an open source security package leverages the continuous design
|
|
|
- and code quality improvements that emerge from peer review.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Community:</B> Well-known for its supportive community, Acegi Security
|
|
|
- has an active group of developers and users. Visit our project resources (below)
|
|
|
- to access these services.<br /><br />
|
|
|
- </li>
|
|
|
- <li><B>Apache license.</B> You can confidently use Acegi Security in your project.<br /><br /></li>
|
|
|
-
|
|
|
- </ul><br />
|
|
|
-
|
|
|
-
|
|
|
- </section>
|
|
|
-
|
|
|
- <section name="Project Resources">
|
|
|
- <p>
|
|
|
- <A href="http://forum.springframework.org/"><B>Support Forums</B></A><br /><br />
|
|
|
- <A href="mail-lists.html"><B>Developer Mailing List</B></A><br /><br />
|
|
|
- <A href="downloads.html"><B>Downloads</B></A>
|
|
|
- </p>
|
|
|
- </section>
|
|
|
-
|
|
|
- </body>
|
|
|
-
|
|
|
-</document>
|
Luke Taylor