Startseite Erkunden Hilfe
Registrieren Anmelden
github
/
spring-security
Mirror von https://github.com/spring-projects/spring-security
2
0
Fork 0
Dateien Issues 0 Wiki
Struktur: 1ef3c87bf2
Branches Tags
spring-security
/
doc
/
xdocs
/
suggested.html

suggested.html 8.7 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142 
  1. <!--
    2. 

  2.  * ========================================================================
    3. 

  3.  * 
    4. 

  4.  * Copyright 2004 Acegi Technology Pty Limited
    5. 

  5.  *
    6. 

  6.  * Licensed under the Apache License, Version 2.0 (the "License");
    7. 

  7.  * you may not use this file except in compliance with the License.
    8. 

  8.  * You may obtain a copy of the License at
    9. 

  9.  *
    10. 

  10.  *     http://www.apache.org/licenses/LICENSE-2.0
    11. 

  11.  *
    12. 

  12.  * Unless required by applicable law or agreed to in writing, software
    13. 

  13.  * distributed under the License is distributed on an "AS IS" BASIS,
    14. 

  14.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    15. 

  15.  * See the License for the specific language governing permissions and
    16. 

  16.  * limitations under the License.
    17. 

  17.  * 
    18. 

  18.  * ========================================================================
    19. 

  19. -->
    20. 

  20. 

  21. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    22. 

  22. <html xmlns="http://www.w3.org/1999/xhtml">
    23. 

  23. 

  24. <head>
    25. 

  25. <title>Acegi Security Suggested Steps</title>
    26. 

  26. <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    27. 

  27. </head>
    28. 

  28. 

  29. <body>
    30. 

  30.   <h1>Suggested Steps</h1>
    31. 

  31.   <p>Presented below are the steps we encourage you to take in order to gain the most
    32. 

  32.   out of Acegi Security in a realistic timeframe.
    33. 

  33.   <ol>
    34. 

  34.     <li>Your first step is to ensure you're able to actually build Acegi Security. This is
    35. 

  35. 	because if you encounter any problems the first thing we'll probably suggest you do is
    36. 

  36. 	upgrade to the latest CVS HEAD. It also means you can try things out if you get stuck,
    37. 

  37. 	such as adding even more logging messages to the actual Acegi Security core code.
    38. 

  38. 	The good news is building is actually very easy, and
    39. 

  39. 	we've gone to a lot of trouble to document what is involved. If you have a working Maven
    40. 

  40. 	installation, it <i>should</i> be as simple as two commands. Have a look on the
    41. 

  41. 	<a href="building.html">Building with Maven</a> page, and follow the
    42. 

  42. 	"Checking Out from CVS", "Installing commons-attributes-plugin", and 
    43. 

  43. 	"Building All JARs" steps. Of course, you can safely skip
    44. 

  44. 	this step if you don't have time.<br><br>
    45. 

  45. 	
    46. 

  46. 	Estimated time: 30 minutes - 2 hours.<br><br>
    47. 

  47. 	</li>
    48. 

  48. 	
    49. 

  49. 	<li>Next up gain a proper understanding of how the Contacts Sample application works.
    50. 

  50. 	This will probably involve deploying <code>acegi-security-sample-contacts-filter.war</code>.<br><br>
    51. 

  51. 	
    52. 

  52. 	The actual <a target="_blank" class="newWindow" href="multiproject/acegi-security-sample-contacts/xref/index.html">java code</a>
    53. 

  53. 	is a completely standard Spring application, except <code>ContactManagerBackend</code>
    54. 

  54. 	which shows how we create and delete ACL permissions. The rest of the Java code has no
    55. 

  55. 	security awareness, with all security services being declared in the XML files
    56. 

  56. 	(don't worry, there aren't any new XML formats to learn: they're all standard Spring IoC container
    57. 

  57. 	declarations or the stock-standard <code>web.xml</code>). The main
    58. 

  58. 	XML files to review are
    59. 

  59. 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml?view=auto">applicationContext-acegi-security.xml</a> (from the filter webapp),
    60. 

  60. 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorisation.xml?view=auto">applicationContext-common-authorisation.xml</a>,
    61. 

  61. 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-business.xml?view=auto">applicationContext-common-business.xml</a> (just note we add <code>contactManagerSecurity</code> to the services layer target bean), and
    62. 

  62. 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml?view=auto">web.xml</a> (from the filter webapp).
    63. 

  63. 	The XML definitions are comprehensively discussed in the
    64. 

  64. 	<a href="reference.html">Reference Guide</a>.
    65. 

  65. 	<br><br>
    66. 

  66. 		
    67. 

  67. 	To gain the most from reviewing these XML files, we suggest you start by understanding how
    68. 

  68. 	authentication takes place. There's not much point knowing all about authorisation until authentication is
    69. 

  69. 	really clear, especially the interaction between the <code>ContextHolder</code>, the
    70. 

  70. 	authentication mechanism (such as <code>AuthenticationProcessingFilter</code>), the
    71. 

  71. 	authentication commencement process (specifically <code>SecurityEnforcementFilter</code> and
    72. 

  72. 	say <code>AuthenticationProcessingFilterEntryPoint</code>), and the system that manages authentication
    73. 

  73. 	data between invocations (say <code>HttpSessionIntegrationFilter</code>). You don't have to
    74. 

  74. 	know every detail, just basically what they do and the key differences (again, the
    75. 

  75. 	reference guide should help considerably, as there are diagrams etc).
    76. 

  76. 	<br><br>	
    77. 

  77. 		
    78. 

  78. 	Once you understand authentication in the contacts Sample application, look at how authorisation
    79. 

  79. 	is handled. Start with <code>FilterSecurityInterceptor</code>'s role and how its
    80. 

  80. 	regular expression or Ant paths protect URIs. Next up explore how <code>RoleVoter</code>
    81. 

  81. 	works in our sample application with the <code>FilterSecurityInterceptor</code> and
    82. 

  82. 	<code>MethodSecurityInterceptor</code>. Finally, review what the
    83. 

  83. 	<code>BasicAclEntryVoter</code> does in our sample application, in terms of protecting
    84. 

  84. 	domain objects from method invocations the principal does not have permission to.
    85. 

  85. 	
    86. 

  86. 	<br><br>Lastly, get an understanding of how the <code>AfterInvocationProviderManager</code>
    87. 

  87. 	is being used to stop domain objects being returned to which the principal has no
    88. 

  88. 	permission, and to filter <code>Collection</code>s so they don't contain domain objects to
    89. 

  89. 	which the principal has no permission. By all means comment out parts of the Spring IoC XML
    90. 

  90. 	and see the effect. For example, comment out the <code>AfterInvocationProviderManager</code> (of course, remove its reference
    91. 

  91. 	in the <code>MethodSecurityInterceptor</code>) and see how all of the contacts get returned.
    92. 

  92. 	<br><br>
    93. 

  93. 	
    94. 

  94. 	Estimated time: 1-2 days.<br><br>
    95. 

  95. 	</li>
    96. 

  96. 	
    97. 

  97. 	<li>By now you will have a good grasp on how Acegi Security works, and all that is left to
    98. 

  98. 	do is design your own application's implementation. The way we suggested you explore the Contacts Sample
    99. 

  99. 	is the same way we suggest you implement security in your own application: start with authentication,
    100. 

  100. 	then add basic web request URI security. Follow it with the standard role voter to protect
    101. 

  101. 	method invocations. Finally, and only if your application actually needs it, introduce
    102. 

  102. 	domain object security with the <code>BasicAclEntryVoter</code> and 
    103. 

  103. 	<code>AfterInvocationProviderManager</code>.
    104. 

  104. 	<br><br>
    105. 

  105. 		
    106. 

  106. 	We do not encourage you to use CAS, container adapters, BASIC authentication, transparent
    107. 

  107. 	RMI invocation, run-as replacement, rich client integration or any of the other interesting features
    108. 

  108. 	of Acegi Security until you've got a "bare bones" installation working with <code>DaoAuthenticationProvider</code>,
    109. 

  109. 	one of Acegi Security's <code>AuthenticationDao</code>s (or your own), and your basic
    110. 

  110. 	authorisation configuration. Like anything, start with something simple and build on it
    111. 

  111. 	(this would be the opposite advice if you were building your own security framework,
    112. 

  112. 	where you would need to cross the highest and most difficult bridges first, to check they
    113. 

  113. 	are actually possible).<br><br>
    114. 

  114. 	
    115. 

  115. 	If you've followed the steps above, and refer back to the 
    116. 

  116. 	<a href="reference.html">Reference Guide</a>, 
    117. 

  117. 	<a href="http://www.springframework.org">forums</a>, and 
    118. 

  118. 	<a href="faq.html">FAQ</a>
    119. 

  119. 	for help, you'll find it pretty easy to implement Acegi Security in your application.
    120. 

  120. 	Most importantly, you'll be using a security framework that offers you complete container
    121. 

  121. 	portability, flexibility, and community support - without needing to write and maintain your
    122. 

  122. 	own code.<br><br>
    123. 

  123. 	
    124. 

  124. 	Estimated time: 1-5 days.<br><br>
    125. 

  125. 	</br>
    126. 

  126. 	</li>
    127. 

  127. 	
    128. 

  128.   </ol>
    129. 

  129.   
    130. 

  130.   <p>Please note the time estimates are just that: estimates. They will vary considerably depending
    131. 

  131.   on how much experience you have, particularly with Java and Spring. They will also vary depending
    132. 

  132.   on how complex your intended security-enabled application will be. Some people need to push the domain
    133. 

  133.   object instance access control list capabilities to the maximum, whilst others don't even need anything
    134. 

  134.   beyond web request URI security. The good thing is Acegi Security will either directly support your future
    135. 

  135.   needs, or provide a clearly-defined extension point for addressing them.
    136. 

  136.   
    137. 

  137.   <p>
    138. 

  138.   We welcome your feedback about how long it has actually taken you to complete each step, so we
    139. 

  139.   can update this page and help new users better assess their project timetables in the future.
    140. 

  140.   Any other tips on what you found helpful in learning Acegi Security are also very welcome.
    141. 

  141. </body>
    142. 

  142. </html>
    143.