Browse source

More documentation updates.

Ben Alex 20 years ago
parent
commit
c8055b57d7
5 changed files with 159 additions and 50 deletions
  1. doc/xdocs/articles.html (+12 -12)
  2. doc/xdocs/faq.html (+104 -7)
  3. doc/xdocs/index.html (+29 -19)
  4. doc/xdocs/navigation.xml (+8 -9)
  5. doc/xdocs/suggested.html (+6 -3)

+ 12 - 12
doc/xdocs/articles.html

@@ -22,42 +22,42 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
 
 <head>
-<title>Articles, Blog Posts and Comments covering Acegi Security</title>
+<title>External Web Articles covering Acegi Security</title>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 </head>
 
 <body>
-  <h1>Articles, Blog Posts and Comments covering Acegi Security</h1>
+  <h1>External Web Articles covering Acegi Security<</h1>
   <p>Here are some of the external pages mentioning Acegi Security. If you've
 	found another, please let us know.
   <ul>
     <li><b><a href="http://www.springframework.org">Spring Forums</a></b>:
-		The first place to look for Acegi Security support (use the 'search' function).
+		The first place to look for Acegi Security support (use the 'search' function).<br><br>
 	</li>
     <li><b><a href="mail-lists.html">Acegi Security Mailing Lists</a></b>:
-		If you'd like to discuss development of the project.
+		If you'd like to discuss development of the project.<br><br>
 	</li>
     <li><b><a href="http://www.javalobby.org/articles/acegisecurity/part1.jsp">Securing Your Java Applications - Acegi Security Style</a></b>:
-		Matthew Porter wrote this good introductory article for Javalobby.
+		Matthew Porter wrote this good introductory article for Javalobby.<br><br>
 	</li>
     <li><b><a href="http://confluence.sourcebeat.com/display/SPL/Update+Chapters">Spring Live Update Chapters</a></b>:
-		Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.
+		Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.<br><br>
 	</li>
     <li><b><a href="http://tp.its.yale.edu/tiki/tiki-view_faq.php?faqId=2#q16">Central Authentication Service FAQ</a></b>:
-		A general overview of how Acegi Security is used with Yale's CAS.
+		A general overview of how Acegi Security is used with Yale's CAS.<br><br>
 	</li>
     <li><b><a href="http://jroller.com/page/habuma/20041124#simplifying_acegi_configuration">Simplifying Acegi Configuration</a></b>:
-		Craig Walls provides a good approach to reusing your Acegi Security configuration between projects.
+		Craig Walls provides a good approach to reusing your Acegi Security configuration between projects.<br><br>
 	</li>
     <li><b><a href="http://www.almaer.com/blog/archives/000500.html">Let's leak IoC/DI into standards. You miss them when they aren't there!</a></b>:
-		Ain't that the truth! A good example of where Acegi Security's <code>FilterToProxyBean</code> comes in handy.
+		Ain't that the truth! A good example of where Acegi Security's <code>FilterToProxyBean</code> comes in handy.<br><br>
 	</li>
     <li><b><a href="http://www.manageability.org/blog/stuff/single-sign-on-in-java/view">Open Source Identity Management Solutions Written in Java</a></b>:
-		From <code>manageability.org</code>.
+		From <code>manageability.org</code>.<br><br>
 	</li>
     <li><b><a href="http://www.orablogs.com/fnimphius/archives/000730.html">J2EE Security: Struts "Shale" proposal does improve web application security</a></b>:
-		Frank Nimphius' blog contained some comments on Acegi Security. See
-		our <a href="faq.html">FAQ</a> for additional JAAS comments.
+		Frank Nimphius' blog contains some comments on Acegi Security. See
+		our <a href="faq.html">FAQ</a> for additional JAAS comments.<br><br>
 	</li>
   </ul>
 </body>
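Review bot: the new `<h1>` line carries a stray `<` before `</h1>` (`External Web Articles covering Acegi Security<</h1>`), which will show up as a literal character or break the heading; drop it. Since the document declares the XHTML namespace and already writes `<meta ... />`, the `<br><br>` pairs added to each list item should be `<br /><br />` to keep the page well-formed, and the `<p>` opened at "Here are some of the external pages" is never closed before the `<ul>`, so it is worth adding `</p>` after "please let us know." while editing these lines.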

+ 104 - 7
doc/xdocs/faq.html

@@ -29,8 +29,105 @@
 <body>
   <h1>Frequently Asked Questions</h1>
   
+  <h2>What is Acegi Security?</h2>
+  <p>Acegi Security is an open source project that provide comprehensive authentication
+	and authorisation services for enterprise applications based on
+	<a href="http://www.springframework.org">The Spring Framework</a>.
+	Acegi Security can authenticate using a variety of pluggable providers, and
+	can authorise both web requests and method invocations.
+	Acegi Security provides an integrated security approach across
+	these various targets, and also offers access control list (ACL) capabilities to
+	enable individual domain object instances to be secured. At an implementation
+	level, Acegi Security is managed through Spring's inversion of control and 
+	lifecycle services,	and actually enforces security using interception through
+	servlet Filters and Java AOP frameworks. In terms of AOP framework support, Acegi
+	Security currently supports AOP Alliance (which is what the
+	Spring IoC container uses internally) and AspectJ, although additional frameworks
+	can be easily supported.</p>
+
+  <h2>Why not just use web.xml security?</h2>
+  <p>Let's assuming you're developing an enterprise application based on Spring.
+	There are four security concerns you typically need to address: authentication,
+	web request security, service layer security (ie your methods that implement
+	business logic), and domain object instance security (ie different domain objects
+	have different permissions). With these typical requirements in mind:
+	<ol>
+		<li><b>Authentication</b>: The servlet specification provides an approach
+			to authentication. However, you will need to configure the container 
+			to perform authentication which typically requires editing of
+			container-specific "realm" settings. This makes a non-portable
+			configuration, and if you need to write an actual Java class to implement 
+			the container's authentication interface, it becomes even more non-portable.
+			With Acegi Security you achieve complete portability - right down to the 
+			WAR level. Also, Acegi Security offers a choice of production-proven
+			authentication providers and mechanisms, meaning you can switch your 
+			authentication approaches at deployment time. This is particularly
+			valuable for software vendors writing products that need to work in
+			an unknown target environment.<br><br></li>
+		<li><b>Web request security:</b> The servlet specification provides an
+			approach to secure your request URIs. However, these URIs can only be
+			expressed in the servlet specification's own limited URI path format.
+			Acegi Security provides a far more comprehensive approach. For instance,
+			you can use Ant paths or regular expressions, you can consider parts of the
+			URI other than simply the requested page (eg you can consider request
+			parameters), and you can implement your own runtime source of configuration
+			data. This means your web request security can be dynamically changed during
+			the actual execution of your webapp.<br><br></li>
+		<li><b>Service layer and domain object security:</b> The absence of support 
+			in the servlet specification for services layer security or domain object 
+			instance security represent serious limitations for multi-tiered 
+			applications. Typically developers either ignore these requirements, or
+			implement security logic within their MVC controller code (or even worse,
+			inside the views). There are serious disadvantages with this approach:<br><br>
+				<ol>
+					<li><i>Separation of concerns:</i> Authorization is a 
+						crosscutting concern and should be implemented as such. 
+						MVC controllers or views implementing authorization code 
+						makes it more difficult to test both the controller and 
+						authorization logic, more difficult to debug, and will 
+						often lead to code duplication.</li>
+					<li><i>Support for rich clients and web services:</i> If an 
+						additional client type must ultimately be supported, any 
+						authorization code embedded within the web layer is 
+						non-reusable. It should be considered that Spring remoting 
+						exporters only export service layer beans (not MVC 
+						controllers). As such authorization logic needs to be 
+						located in the services layer to support a multitude of 
+						client types.</li>
+					<li><i>Layering issues:</i> An MVC controller or view is simply 
+						the incorrect architectural layer to implement authorization 
+						decisions concerning services layer methods or domain object 
+						instances. Whilst the Principal may be passed to the services 
+						layer to enable it to make the authorization decision, doing 
+						so would introduce an additional argument on every services 
+						layer method. A more elegant approach is to use a ThreadLocal 
+						to hold the Principal, although this would likely increase 
+						development time to a point where it would become more e
+						conomical (on a cost-benefit basis) to simply use a dedicated 
+						security framework.</li>
+					<li><i>Authorisation code quality:</i> It is often said of web 
+						frameworks that they "make it easier to do the right things, 
+						and harder to do the wrong things". Security frameworks are 
+						the same, because they are designed in an abstract manner for 
+						a wide range of purposes. Writing your own authorization code 
+						from scratch does not provide the "design check" a framework 
+						would offer, and in-house authorization code will typically 
+						lack the improvements that emerge from widespread deployment, 
+						peer review and new versions.
+				</ol>
+				</li>
+	</ol>
+	For simple applications, servlet specification may just be enough.
+	Although when considered within the context of web container portability, 
+	configuration requirements, limited web request security flexibility, and 
+	non-existent services layer and domain object instance security, it becomes 
+	clear why developers often look to alternative solutions.
+	</p>
+
   <h2>How do you pronounce "Acegi"?</h2>
-  <p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.</p>
+  <p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.
+	Acegi isn't an acronym, name of a Greek God or anything similarly
+	impressive - it's just letters #1, #3, #5, #7 and #9 of the alphabet.</p>
 
   <h2>Is it called "Acegi" or "Acegi Security"?</h2>
   <p>It's official name is <i>Acegi Security System for Spring</i>,
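Review bot: the new "Why not just use web.xml security?" answer nests an `<ol>` inside the `<p>` opened at "Let's assuming" and closed after "alternative solutions.", which is invalid because a paragraph cannot contain block content; close the paragraph before the `<ol>` and open a new one for the closing remarks. The inner `<ol>` is also missing a `</li>` after the "Authorisation code quality" item. Wording in the added text: "project that provide" should be "provides", "Let's assuming" should be "Let's assume", "represent serious limitations" should be "represents", and "economical" is split across two lines as "e" / "conomical", which will render with a space in the middle. The section mixes "authorisation" and "authorization" ("Authorisation code quality" beside "Authorization is a crosscutting concern"); pick one spelling. The unchanged context line "It's official name" should read "Its".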
@@ -39,7 +136,7 @@
 	as that gets confused with the name of the company that maintains Acegi
 	Security.</p>
 
-  <h2>Why catches 80% of users reporting problems?</h2>
+  <h2>What catches 80% of users reporting problems?</h2>
   <p>80% of support questions are because people have not defined
 	the necessary filters in <code>web.xml</code>, or the filters are being
 	mapped in the incorrect order. Check the 
@@ -55,11 +152,6 @@
 	<code>UserDetails</code> object generated by your <code>AuthenticationDao</code>
 	to the log and check it looks correct.</p>
 
-  <h2>How do I store custom properties, like a user's email address?</h2>
-  <p>In most cases write an <code>AuthenticationDao</code> which returns
-	a subclass of <code>User</code>. Alternatively, write your own
-	<code>UserDetails</code> implementation from scratch and return that.</p>
-
   <h2>I need some help. What files should I post?</h2>
   <p>The most important things to post with any support requests on the
 	<a href="http://forum.springframework.org">Spring Forums</a> are your
@@ -82,6 +174,11 @@
 		
 		log4j.category.net.sf.acegisecurity=DEBUG</pre>
 
+  <h2>How do I store custom properties, like a user's email address?</h2>
+  <p>In most cases write an <code>AuthenticationDao</code> which returns
+	a subclass of <code>User</code>. Alternatively, write your own
+	<code>UserDetails</code> implementation from scratch and return that.</p>
+
   <h2>Why doesn't Acegi Security use JAAS?</h2>
   <p>Acegi Security targets <i>enterprise applications</i>, which are typically
 	multi-user, data-oriented applications that are important to

+ 29 - 19
doc/xdocs/index.html

@@ -25,10 +25,8 @@
         href="http://apr.apache.org/versioning.html">Apache APR Project 
         Versioning Guidelines</A> so you can identify backward 
         compatibility.<BR><BR>
-        <LI><B>Easy to use:</B> View our samples/quick-start directory for XML 
-        you can simply copy and paste into applicationContext.xml and web.xml. 
-        From there it's easy to customise Acegi Security to your unique security 
-        needs.<BR><BR>
+        <LI><B>Fast results:</B> View our <a href="suggested.html">Suggested Steps</a>
+        for the fastest way to develop complex, security-compliant applications.<BR><BR>
         <LI><B>Enterprise-wide single sign on:</B> Using Yale University's open 
         source <A href="http://www.yale.edu/tp/auth/">Central Authentication 
         Service</A> (CAS), the Acegi Security System for Spring can participate 
@@ -61,6 +59,11 @@
         parameter on method being invoked....). This package gives you this 
         flexibility without adding security code to your Spring business 
         objects.<BR><BR>
+        <LI><B>After invocation security:</B> Acegi Security can not only protect
+		methods from being invoked in the first place, but it can also
+		deal with the Objects returned from the methods. Included implementations 
+		of after invocation security can throw an exception or mutate the returned
+		object based on ACLs.<BR><BR>
         <LI><B>Secures your HTTP requests as well:</B> In addition to securing 
         your beans, the project also secures your HTTP requests. No longer is it 
         necessary to rely on web.xml security constraints. Best of all, your 
@@ -81,7 +84,8 @@
         BASIC authentication requests as per RFC 1945.<BR><BR>
         <LI><B>Convenient security taglib:</B> Your JSP files can use our taglib 
         to ensure that protected content like links and messages are only 
-        displayed to users holding the appropriate granted authorities.<BR><BR>
+        displayed to users holding the appropriate granted authorities. The taglib
+		also fully integrates with Acegi Security's ACL services.<BR><BR>
         <LI><B>Application context or attribute-based configuration:</B> You 
         select the method used to configure your security environment. The 
         project supports configuration via Spring application contexts as well 
@@ -93,15 +97,15 @@
         anywhere you like.<BR><BR>
         <LI><B>Event support:</B> Building upon Spring's 
         <CODE>ApplicationEvent</CODE> services, you can write your own listeners 
-        for login, invalid password and account disabled events. This enables 
-        you to implement account lockout and audit log systems, with complete 
-        decoupling from Acegi Security code.<BR><BR>
+        for authentication-related events, along with authorisation-related events.
+		This enables you to implement account lockout and audit log systems, with
+		complete decoupling from Acegi Security code.<BR><BR>
         <LI><B>Easy integration with existing databases:</B> Our implementations 
         have been designed to make it very easy to use your existing 
-        authentication schema and data (without modification).<BR><BR>
-        <LI><B>Caching:</B> Use our <A 
-        href="http://ehcache.sourceforge.net/">EHCACHE</A> wrapper to cache your 
-        authentication information, or plug in your own cache implementation. 
+        authentication schema and data (without modification). Of course,
+		you can also provide your own Data Access Object if you wish.<BR><BR>
+        <LI><B>Caching:</B> Acegi Security integrates with Spring's <A 
+        href="http://ehcache.sourceforge.net/">EHCACHE</A> factory. 
         This flexibility means your database (or other authentication 
         repository) is not repeatedly queried for authentication 
         information.<BR><BR>
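Review bot: the rewritten "Caching" bullet drops the statement that users can plug in their own cache implementation; if that extension point still exists, keep the sentence, and if it was removed, say so in the upgrade notes. "Spring's EHCACHE factory" also reads as if EHCACHE were part of Spring, while the link points to ehcache.sourceforge.net; "EHCACHE via Spring's cache factory bean" would be more accurate.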
@@ -127,13 +131,18 @@
         request or bean invocation. This enables you to build public-facing 
         object tiers with different security configurations than your backend 
         objects.<BR><BR>
+        <LI><B>Transparent security propagation:</B> Acegi Security can automatically
+		transfer its core authentication information from one machine to another,
+		using a variety of protocols including RMI and Spring's HttpInvoker.<BR><BR>
+        <LI><B>Compatible with HttpServletRequest.getRemoteUser():</B> Even though
+		Acegi Security can deliver authentication using a range of pluggable mechanisms
+		(most of which require no web container configuration), we allow you to access
+		the resulting Authentication object via the getRemoteUser() method.<BR><BR>
         <LI><B>Unit tests:</B> A must-have of any quality security project, unit 
-        tests are included. Clover coverage is currently 98.3%.<BR><BR>
-        <LI><B>Container integration tests:</B> To ensure the security project 
-        properly operates with major container versions, we provide an 
-        integration test system that deploys those containers from scratch and 
-        fully tests our sample web application from the perspective of a HTTP 
-        client.<BR><BR>
+        tests are included. Our unit test coverage is very high, as shown in the
+		<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<BR><BR>
+        <LI><B>Built by Maven:</B> This assists you in effectively reusing the Acegi
+		Security artifacts in your own Maven-based projects.<BR><BR>
         <LI><B>Supports your own unit tests:</B> We provide a number of classes 
         that assist with your own unit testing of secured business objects. For 
         example, you can change the authentication identity and its associated 
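Review bot: the new "Compatible with HttpServletRequest.getRemoteUser()" bullet says the Authentication object is accessible via getRemoteUser(), but that Servlet API method returns a String (the login name), so it cannot hand back the Authentication object; reword to say the principal's name is returned, or point to getUserPrincipal() if that is what is wrapped. The "Transparent security propagation" bullet should say what is actually transferred between machines (principal only, or credentials as well), since that decides whether the RMI or HttpInvoker traffic needs a protected channel; a one-line pointer to the reference guide would do. This hunk also removes the "Container integration tests" bullet entirely; if those tests still run, keep the bullet, and if they were dropped, note it so readers do not assume container compatibility is still verified.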
@@ -143,7 +152,8 @@
         and code quality improvements that emerge from peer review.<BR><BR>
         <LI><B>Thorough documentation:</B> All APIs are fully documented using 
         JavaDoc, with a 40+ page reference guide providing an easy-to-follow 
-        introduction.<BR><BR>
+        introduction. More documentation is provided on this web site, as
+		shown in the left hand navigation sidebar.<BR><BR>
         <LI><B>Apache license.</B><BR><BR></LI></UL><BR><B>
       <HR>
 

+ 8 - 9
doc/xdocs/navigation.xml

@@ -30,14 +30,14 @@
     <menu name="Overview">
       <item name="Home" href="index.html"/>
       <item name="Building with Maven" href="building.html"/>
-      <item name="Downloads" href="downloads.html"/>
+      <item name="Downloads" href="http://sourceforge.net/project/showfiles.php?group_id=104215"/>
     </menu>
 
     <menu name="Documentation">
       <item name="Suggested Steps" href="suggested.html"/>
       <item name="Reference Guide" href="reference.html"/>
       <item name="Sample SQL Schema" href="dbinit.txt"/>
-      <item name="Frequently Asked Questions" href="faq.html"/>
+      <item name="FAQ" href="faq.html"/>
       <item name="External Web Articles" href="articles.html"/>
       <item name="Upgrading to 0.7.0" href="upgrade/upgrade-06-070.html"/>
       <item name="Upgrading to 0.6" href="upgrade/upgrade-05-06.html"/>
@@ -46,13 +46,12 @@
     </menu>
 
     <menu name="Projects">
-      <item name="Core" href="multiproject/acegi-security/index.html"/>
-      <item name="CAS" href="multiproject/acegi-security-cas/index.html"/>
-      <item name="Catalina" href="multiproject/acegi-security-catalina/index.html"/>
-      <item name="JBoss" href="multiproject/acegi-security-jboss/index.html"/>
-      <item name="Jetty" href="multiproject/acegi-security-jetty/index.html"/>
-      <item name="Resin" href="multiproject/acegi-security-resin/index.html"/>
-      <item name="Subproject Index" href="projects-overview.html"/>
+      <item name="Core Framework" href="multiproject/acegi-security/index.html"/>
+      <item name="CAS Adapter" href="multiproject/acegi-security-cas/index.html"/>
+      <item name="Catalina Adapter" href="multiproject/acegi-security-catalina/index.html"/>
+      <item name="JBoss Adapter" href="multiproject/acegi-security-jboss/index.html"/>
+      <item name="Jetty Adapter" href="multiproject/acegi-security-jetty/index.html"/>
+      <item name="Resin Adapter" href="multiproject/acegi-security-resin/index.html"/>
     </menu>
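Review bot: removing the "Subproject Index" item leaves projects-overview.html unreachable from the navigation; either keep the item or delete the page so it does not become an orphan that drifts out of date.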
 
     <menu name="Samples">

+ 6 - 3
doc/xdocs/suggested.html

@@ -56,7 +56,7 @@
 	declarations or the stock-standard <code>web.xml</code>). The main
 	XML files to review are
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml?view=auto">applicationContext-acegi-security.xml</a> (from the filter webapp),
-	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorization.xml?view=auto">applicationContext-common-authorization.xml</a>,
+	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorisation.xml?view=auto">applicationContext-common-authorisation.xml</a>,
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-business.xml?view=auto">applicationContext-common-business.xml</a> (just note we add <code>contactManagerSecurity</code> to the services layer target bean), and
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml?view=auto">web.xml</a> (from the filter webapp).
 	The XML definitions are comprehensively discussed in the
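Review bot: the link target changes from applicationContext-common-authorization.xml to applicationContext-common-authorisation.xml, but this commit only touches the five files under doc/xdocs, so the renamed file must already exist at that path in the samples/contacts webapp in CVS or the link will 404; please confirm before merging.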
@@ -64,7 +64,7 @@
 	<br><br>
 		
 	To gain the most from reviewing these XML files, we suggest you start by understanding how
-	authentication takes place. There's not much point knowing all about authorization until authentication is
+	authentication takes place. There's not much point knowing all about authorisation until authentication is
 	really clear, especially the interaction between the <code>ContextHolder</code>, the
 	authentication mechanism (such as <code>AuthenticationProcessingFilter</code>), the
 	authentication commencement process (specifically <code>SecurityEnforcementFilter</code> and
@@ -111,7 +111,10 @@
 	where you would need to cross the highest and most difficult bridges first, to check they
 	are actually possible).<br><br>
 	
-	If you've followed the steps above, and refer back to the reference guide, forums, and FAQ
+	If you've followed the steps above, and refer back to the 
+	<a href="reference.html">Reference Guide</a>, 
+	<a href="http://www.springframework.org">forums</a>, and 
+	<a href="faq.html">FAQ</a>
 	for help, you'll find it pretty easy to implement Acegi Security in your application.
 	Most importantly, you'll be using a security framework that offers you complete container
 	portability, flexibility, and community support - without needing to write and maintain your
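Review bot: the "forums" link here points at http://www.springframework.org, whereas faq.html in this same commit links the Spring Forums at http://forum.springframework.org (under "I need some help. What files should I post?"); use the forum URL in both places, and likewise for the "Spring Forums" entry in articles.html, so readers land on the forum rather than the project home page.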