|
|
@@ -46,7 +46,7 @@
|
|
|
can be easily supported.</p>
|
|
|
|
|
|
<h2>Why not just use web.xml security?</h2>
|
|
|
- <p>Let's assuming you're developing an enterprise application based on Spring.
|
|
|
+ <p>Let's assume you're developing an enterprise application based on Spring.
|
|
|
There are four security concerns you typically need to address: authentication,
|
|
|
web request security, service layer security (ie your methods that implement
|
|
|
business logic), and domain object instance security (ie different domain objects
|
|
|
@@ -102,8 +102,8 @@
|
|
|
so would introduce an additional argument on every services
|
|
|
layer method. A more elegant approach is to use a ThreadLocal
|
|
|
to hold the Principal, although this would likely increase
|
|
|
- development time to a point where it would become more e
|
|
|
- conomical (on a cost-benefit basis) to simply use a dedicated
|
|
|
+ development time to a point where it would become more
|
|
|
+ economical (on a cost-benefit basis) to simply use a dedicated
|
|
|
security framework.</li>
|
|
|
<li><i>Authorisation code quality:</i> It is often said of web
|
|
|
frameworks that they "make it easier to do the right things,
|
|
|
@@ -117,7 +117,7 @@
|
|
|
</ol>
|
|
|
</li>
|
|
|
</ol>
|
|
|
- For simple applications, servlet specification may just be enough.
|
|
|
+ For simple applications, servlet specification security may just be enough.
|
|
|
Although when considered within the context of web container portability,
|
|
|
configuration requirements, limited web request security flexibility, and
|
|
|
non-existent services layer and domain object instance security, it becomes
|
|
|
@@ -148,9 +148,10 @@
|
|
|
<code>AuthenticationDao</code> implementations that simply don't properly
|
|
|
implement the interface. For example, they return <code>null</code> instead
|
|
|
of the user not found exception, or fail to add in the
|
|
|
- <code>GrantedAuthority[]</code>s. We suggest you write the
|
|
|
- <code>UserDetails</code> object generated by your <code>AuthenticationDao</code>
|
|
|
- to the log and check it looks correct.</p>
|
|
|
+ <code>GrantedAuthority[]</code>s. Whilst <code>DaoAuthenticationProvider</code>
|
|
|
+ does its best to check the <code>AuthenticationDao</code>returns a valid
|
|
|
+ <code>UserDetails</code>, we suggest you write the
|
|
|
+ <code>UserDetails</code> object to the log and check it looks correct.</p>
|
|
|
|
|
|
<h2>I need some help. What files should I post?</h2>
|
|
|
<p>The most important things to post with any support requests on the
|
|
|
@@ -208,7 +209,7 @@
|
|
|
Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker
|
|
|
(instead of JSP). It's important to recognise that many open source projects do
|
|
|
develop into de facto standards, and in doing so play a legitimate and beneficial
|
|
|
- role in the software development profession.</p>
|
|
|
+ role in professional software development.</p>
|
|
|
|
|
|
<h2>Do you welcome contributions?</h2>
|
|
|
<p>Yes. If you've written something and it works well, please feel free to share it.
|
Ben Alex