Suggested Steps
  Presented below are the steps we encourage you to take in order to gain the most
  out of Acegi Security in a realistic timeframe.
  
    - First of all, deploy the "Tutorial Sample", which is included in the main distribution
    ZIP file. The sample doesn't do a great deal, but it does give you a template that you
    can quickly and easily integrate into your own project.
	Estimated time: 30 minutes.
	 
	
    - Next, follow the Petclinic tutorial, which
    covers how to add Acegi Security to the commonly-used Petclinic sample application
    that ships with Spring. This will give you a hands-on approach to integrating
    Acegi Security into your own application.
	Estimated time: 1 hour.
	 
	
	- Next, review the Reference Guide, and in particular Part I.
	It has been designed to give you a solid overview. Go through the beans
	defined in the "Tutorial Sample" and understand their main purpose within the overall
	framework. Once you understand this, you'll have no difficulty moving on to more
	complex examples. You can also experiment in the Petclinic tutorial that you
	implemented in the last step.
	Estimated time: 1 day.
	 
	
	- If you have relatively simple security needs, you can probably start to integrate
	Acegi Security into your application at this point. Just use the "Tutorial Sample"
	as your basis (now that you understand how it works). Those with more complicated
	requirements should review the "Contacts Sample" application.
	This will probably involve deploying acegi-security-sample-contacts-filter.war,
	which is also included in the release ZIP file.
	
	The purpose of understanding the "Contacts Sample" is to get a better feel for how method
	security is implemented, particularly with domain object access control lists. This will
	really round out the rest of the framework for you.
	
	The actual Java code is a completely standard Spring application, except for
	ContactManagerBackend, which shows how we create and delete ACL permissions. The rest of the
	Java code has no security awareness, with all security services being declared in the XML files
	(don't worry, there aren't any new XML formats to learn: they're all standard Spring IoC container
	declarations or the stock-standard web.xml). The main XML files to review are
	applicationContext-acegi-security.xml (from the filter webapp),
	applicationContext-common-authorization.xml,
	applicationContext-common-business.xml (just note we add contactManagerSecurity to the services layer target bean), and
	web.xml (from the filter webapp).
	The XML definitions are comprehensively discussed in the Reference Guide.
	
		
	Please note the release ZIP files do not include the sample application Java source code. You
	will need to download it from SVN if you would like to access the Java sources.
	
	Estimated time: 1-2 days.
	 
	
	- By now you will have a good grasp of how Acegi Security works, and all that is left to
	do is design your own application's implementation.
	
		
	We strongly recommend that you start your actual integration with the "Tutorial Sample".
	Don't start by integrating with the "Contacts Sample", even if you have complex needs.
	Most people reporting problems on the forums do so because of a configuration problem,
	as they're trying to make far too many changes at once without really knowing what
	they're doing. Instead, make changes one at a time, starting from the bare-bones configuration
	provided by the "Tutorial Sample".
	
	If you've followed the steps above, and refer back to the Reference Guide, forums, and FAQ
	for help, you'll find it pretty easy to implement Acegi Security in your application.
	Most importantly, you'll be using a security framework that offers you complete container
	portability, flexibility, and community support - without needing to write and maintain your
	own code.
	
	Estimated time: 1-5 days.
	
	 
	
  
  
  Please note the time estimates are just that: estimates. They will vary considerably depending
  on how much experience you have, particularly with Java and Spring. They will also vary depending
  on how complex your intended security-enabled application will be. Some people need to push the domain
  object instance access control list capabilities to the maximum, whilst others don't even need anything
  beyond web request security. The good thing is Acegi Security will either directly support your future
  needs, or provide a clearly-defined extension point for addressing them.
  
  
  We welcome your feedback about how long it has actually taken you to complete each step, so we
  can update this page and help new users better assess their project timetables in the future.
  Any other tips on what you found helpful in learning Acegi Security are also very welcome.