spring-security/doc/xdocs/faq.html

<!--
 * ========================================================================
 * 
 * Copyright 2004 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * 
 * ========================================================================
-->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Frequently Asked Questions (FAQ) on Acegi Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>

<body>
  <h1>Frequently Asked Questions</h1>
  
  <h2>How do you pronounce "Acegi"?</h2>
  <p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.</p>

  <h2>Is it called "Acegi" or "Acegi Security"?</h2>
  <p>It's official name is <i>Acegi Security System for Spring</i>,
	although we're happy for it to be abbreviated to
	<i>Acegi Security</i>. Please don't just call it <i>Acegi</i>, though,
	as that gets confused with the name of the company that maintains Acegi
	Security.</p>

  <h2>Why catches 80% of users reporting problems?</h2>
  <p>80% of support questions are because people have not defined
	the necessary filters in <code>web.xml</code>, or the filters are being
	mapped in the incorrect order. Check the 
	<a href="reference.html">Reference Guide</a>, which
	has a specific section on filter ordering.</p>
  
  <h2>I'm sure my filters are ordered correctly. What else could be wrong?</h2>
  <p>The next most common source of problems step from custom
	<code>AuthenticationDao</code> implementations that simply don't properly
	implement the interface. For example, they return <code>null</code> instead
	of the user not found exception, or fail to add in the
	<code>GrantedAuthority[]</code>s. We suggest you write the
	<code>UserDetails</code> object generated by your <code>AuthenticationDao</code>
	to the log and check it looks correct.</p>

  <h2>How do I store custom properties, like a user's email address?</h2>
  <p>In most cases write an <code>AuthenticationDao</code> which returns
	a subclass of <code>User</code>. Alternatively, write your own
	<code>UserDetails</code> implementation from scratch and return that.</p>

  <h2>I need some help. What files should I post?</h2>
  <p>The most important things to post with any support requests on the
	<a href="http://forum.springframework.org">Spring Forums</a> are your
	<code>web.xml</code>, <code>applicationContext.xml</code> (or whichever
	XML loads the security-related beans) as well as any custom
	<code>AuthenticationDao</code> you might be using. For really odd problems,
	also switch on debug-level logging and include the resulting log.</p>

  <h2>How do I switch on debug-level logging?</h2>
  <p>Acegi Security uses Commons Logging, just as Spring does. So you use the
	same approach as you'd use for Spring. Most people output to Log4J, so
	the following <code>log4j.properties</code> would work:</p>
	
	<pre>
		log4j.rootCategory=WARN, stdout
		
		log4j.appender.stdout=org.apache.log4j.ConsoleAppender
		log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
		log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
		
		log4j.category.net.sf.acegisecurity=DEBUG</pre>

  <h2>Why doesn't Acegi Security use JAAS?</h2>
  <p>Acegi Security targets <i>enterprise applications</i>, which are typically
	multi-user, data-oriented applications that are important to
	the core business. Acegi Security was designed to provide a portable and effective
	security framework for this target application type. It was not designed for securing
	limited privilege runtime environments, such as web browser applets.</p>
	
	<p>We did consider JAAS when designing Acegi Security, but it simply
	wasn't suitable for our purpose. We needed to avoid complex JRE configurations,
	we needed container portability, and we wanted maximum leveraging of the Spring IoC
	container. Particularly as limited privilege runtime environments were not
	an actual requirement, this lead to the natural design of Acegi Security as
	it exists today.</p>
	
	<p>Acegi Security already provides some JAAS integration. It can today authenticate
	via delegation to a JAAS login module. This means it offers the same level of JAAS
	integration as many web containers. Indeed the container adapter model supported by
	Acegi Security allows Acegi Security and container-managed security to happily
	co-exist and benefit from each other. Any debate about Acegi Security and JAAS
	should therefore centre on the authorisation issue. An evaluation of major
	containers and security frameworks would reveal that Acegi Security is by no
	means unusual in not using JAAS for authorisation.</p>
	
	<p>There are many examples of open source applications being preferred to
	official standards. A few that come to mind in the Java community include
	using Spring managed POJOs (rather than EJBs), Hibernate (instead of entity beans),
	Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker
	(instead of JSP). It's important to recognise that many open source projects do
	develop into de facto standards, and in doing so play a legitimate and beneficial
	role in the software development profession.</p>

  <h2>Do you welcome contributions?</h2>
  <p>Yes. If you've written something and it works well, please feel free to share it.
	Simply email the contribution to the 
	<a href="mail-lists.html">acegisecurity-developers</a> list. If you haven't yet
	written the contribution, we encourage you to send your thoughts to the same 
	list so that you can receive some initial design feedback.</p>
	
	<p>For a contribution to be used, it must have appropriate unit test coverage and
	detailed JavaDocs. It will ideally have some comments for the Reference Guide
	as well (this can be sent in word processor or HTML format if desired). This
	helps ensure the contribution maintains the same quality as the remainder of
	the project.</p>
	
	<p>We also welcome documentation improvements, unit tests, illustrations,
	people supporting the user community (especially on the forums), design ideas,
	articles, blog entries, presentations and alike. If you're looking for something
	to do, you can always email the
	<a href="mail-lists.html">acegisecurity-developers</a> list and we'll be
	pleased to suggest something. :-)</p>

</body>
</html>