| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322 | <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN""http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"><!-- * ======================================================================== *  * Copyright 2004 Acegi Technology Pty Limited * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * *     http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. *  * ========================================================================--><book>  <bookinfo>    <title>Acegi Security</title>    <subtitle>Reference Documentation</subtitle>    <releaseinfo>1.0.3</releaseinfo>    <authorgroup>      <author>        <firstname>Ben</firstname>        <surname>Alex</surname>      </author>    </authorgroup>  </bookinfo>  <toc></toc>  <preface id="preface">    <title>Preface</title>    <para>Acegi Security provides a comprehensive security solution for    J2EE-based enterprise software applications. As you will discover as you    venture through this reference guide, we have tried to provide you a    useful and highly configurable security system.</para>    <para>Security is an ever-moving target, and it's important to pursue a    comprehensive, system-wide approach. In security circles we encourage you    to adopt "layers of security", so that each layer tries to be as secure as    possible in its own right, with successive layers providing additional    security. The "tighter" the security of each layer, the more robust and    safe your application will be. At the bottom level you'll need to deal    with issues such as transport security and system identification, in order    to mitigate man-in-the-middle attacks. Next you'll generally utilise    firewalls, perhaps with VPNs or IP security to ensure only authorised    systems can attempt to connect. In corporate environments you may deploy a    DMZ to separate public-facing servers from backend database and    application servers. Your operating system will also play a critical part,    addressing issues such as running processes as non-privileged users and    maximising file system security. An operating system will usually also be    configured with its own firewall. Hopefully somewhere along the way you'll    be trying to prevent denial of service and brute force attacks against the    system. An intrusion detection system will also be especially useful for    monitoring and responding to attacks, with such systems able to take    protective action such as blocking offending TCP/IP addresses in    real-time. Moving to the higher layers, your Java Virtual Machine will    hopefully be configured to minimize the permissions granted to different    Java types, and then your application will add its own problem    domain-specific security configuration. Acegi Security makes this latter    area - application security - much easier.</para>    <para>Of course, you will need to properly address all security layers    mentioned above, together with managerial factors that encompass every    layer. A non-exhaustive list of such managerial factors would include    security bulletin monitoring, patching, personnel vetting, audits, change    control, engineering management systems, data backup, disaster recovery,    performance benchmarking, load monitoring, centralised logging, incident    response procedures etc.</para>    <para>With Acegi Security being focused on helping you with the enterprise    application security layer, you will find that there are as many different    requirements as there are business problem domains. A banking application    has different needs from an ecommerce application. An ecommerce    application has different needs from a corporate sales force automation    tool. These custom requirements make application security interesting,    challenging and rewarding.</para>    <para>This reference guide has been largely restructured for the 1.0.0    release of Acegi Security. Please read Part I, <link    linkend="overall-architecture">Overall Architecture</link>, in its    entirety. The remaining parts of the reference guide are structured in a    more traditional reference style, designed to be read on an as-required    basis.</para>    <para>We hope that you find this reference guide useful, and we welcome    your feedback and <link linkend="jira">suggestions</link>.</para>    <para>Finally, welcome to the Acegi Security <link    linkend="community">community</link>.</para>  </preface>  <part id="overall-architecture">    <title>Overall Architecture</title>    <partintro>      <para>Like most software, Acegi Security has certain central interfaces,      classes and conceptual abstractions that are commonly used throughout      the framework. In this part of the reference guide we will introduce      Acegi Security, before examining these central elements that are      necessary to successfully planning and executing an Acegi Security      integration.</para>    </partintro>    <chapter id="introduction">      <title>Introduction</title>      <sect1 id="what-is-acegi-security">        <title>What is Acegi Security?</title>        <para>Acegi Security provides comprehensive security services for        J2EE-based enterprise software applications. There is a particular        emphasis on supporting projects built using The Spring Framework,        which is the leading J2EE solution for enterprise software        development. If you're not using Spring for developing enterprise        applications, we warmly encourage you to take a closer look at it.        Some familiarity with Spring - and in particular dependency injection        principles - will help you get up to speed with Acegi Security more        easily.</para>        <para>People use Acegi Security for many reasons, but most are drawn        to the project after finding the security features of J2EE's Servlet        Specification or EJB Specification lack the depth required for typical        enterprise application scenarios. Whilst mentioning these standards,        it's important to recognise that they are not portable at a WAR or EAR        level. Therefore, if you switch server environments, it is typically a        lot of work to reconfigure your application's security in the new        target environment. Using Acegi Security overcomes these problems, and        also brings you dozens of other useful, entirely customisable security        features.</para>        <para>As you probably know, security comprises two major operations.        The first is known as "authentication", which is the process of        establishing a principal is who they claim to be. A "principal"        generally means a user, device or some other system which can perform        an action in your application. "Authorization" refers to the process        of deciding whether a principal is allowed to perform an action in        your application. To arrive at the point where an authorization        decision is needed, the identity of the principal has already been        established by the authentication process. These concepts are common,        and not at all specific to Acegi Security.</para>        <para>At an authentication level, Acegi Security supports a wide range        of authentication models. Most of these authentication models are        either provided by third parties, or are developed by relevant        standards bodies such as the Internet Engineering Task Force. In        addition, Acegi Security provides its own set of authentication        features. Specifically, Acegi Security currently supports        authentication with all of these technologies:</para>        <itemizedlist spacing="compact">          <listitem>            <para>HTTP BASIC authentication headers (an IEFT RFC-based            standard)</para>          </listitem>          <listitem>            <para>HTTP Digest authentication headers (an IEFT RFC-based            standard)</para>          </listitem>          <listitem>            <para>HTTP X.509 client certificate exchange (an IEFT RFC-based            standard)</para>          </listitem>          <listitem>            <para>LDAP (a very common approach to cross-platform            authentication needs, especially in large environments)</para>          </listitem>          <listitem>            <para>Form-based authentication (for simple user interface            needs)</para>          </listitem>          <listitem>            <para>Computer Associates Siteminder</para>          </listitem>          <listitem>            <para>JA-SIG Central Authentication Service (otherwise known as            CAS, which is a popular open source single sign on system)</para>          </listitem>          <listitem>            <para>Transparent authentication context propagation for Remote            Method Invocation (RMI) and HttpInvoker (a Spring remoting            protocol)</para>          </listitem>          <listitem>            <para>Automatic "remember-me" authentication (so you can tick a            box to avoid re-authentication for a predetermined period of            time)</para>          </listitem>          <listitem>            <para>Anonymous authentication (allowing every call to            automatically assume a particular security identity)</para>          </listitem>          <listitem>            <para>Run-as authentication (which is useful if one call should            proceed with a different security identity)</para>          </listitem>          <listitem>            <para>Java Authentication and Authorization Service (JAAS)</para>          </listitem>          <listitem>            <para>Container integration with JBoss, Jetty, Resin and Tomcat            (so you can still use Container Manager Authentication if            desired)</para>          </listitem>          <listitem>            <para>Your own authentication systems (see below)</para>          </listitem>        </itemizedlist>        <para>Many independent software vendors (ISVs) adopt Acegi Security        because of this rich choice of authentication models. Doing so allows        them to quickly integrate their solutions with whatever their end        clients need, without undertaking a lot of engineering or requiring        the client to change their environment. If none of the above        authentication mechanisms suit your needs, Acegi Security is an open        platform and it is quite simple to write your own authentication        mechanism. Many corporate users of Acegi Security need to integrate        with "legacy" systems that don't follow any particular security        standards, and Acegi Security is happy to "play nicely" with such        systems.</para>        <para>Sometimes the mere process of authentication isn't enough.        Sometimes you need to also differentiate security based on the way a        principal is interacting with your application. For example, you might        want to ensure requests only arrive over HTTPS, in order to protect        passwords from eavesdropping or end users from man-in-the-middle        attacks. Or, you might want to ensure that an actual human being is        making the requests and not some robot or other automated process.        This is especially helpful to protect password recovery processes from        brute force attacks, or simply to make it harder for people to        duplicate your application's key content. To help you achieve these        goals, Acegi Security fully supports automatic "channel security",        together with JCaptcha integration for human user detection.</para>        <para>Irrespective of how authentication was undertaken, Acegi        Security provides a deep set of authorization capabilities. There are        three main areas of interest in respect of authorization, these being        authorizing web requests, authorizing methods can be invoked, and        authorizing access to individual domain object instances. To help you        understand the differences, consider the authorization capabilities        found in the Servlet Specification web pattern security, EJB Container        Managed Security and file system security respectively. Acegi Security        provides deep capabilities in all of these important areas, which        we'll explore later in this reference guide.</para>      </sect1>      <sect1 id="history">        <title>History</title>        <para>Acegi Security began in late 2003, when a question was posed on        the Spring Developers' mailing list asking whether there had been any        consideration given to a Spring-based security implementation. At the        time the Spring community was relatively small (especially by today's        size!), and indeed Spring itself had only existed as a SourceForge        project from early 2003. The response to the question was that it was        a worthwhile area, although a lack of time currently prevented its        exploration.</para>        <para>With that in mind, a simple security implementation was built        and not released. A few weeks later another member of the Spring        community inquired about security, and at the time this code was        offered to them. Several other requests followed, and by January 2004        around twenty people were using the code. These pioneering users were        joined by others who suggested a SourceForge project was in order,        which was duly established in March 2004.</para>        <para>In those early days, the project didn't have any of its own        authentication modules. Container Managed Security was relied upon for        the authentication process, with Acegi Security instead focusing on        authorization. This was suitable at first, but as more and more users        requested additional container support, the fundamental limitation of        container-specific authentication realm interfaces was experienced.        There was also a related issue of adding new JARs to the container's        classpath, which was a common source of end user confusion and        misconfiguration.</para>        <para>Acegi Security-specific authentication services were        subsequently introduced. Around a year later, the Acegi Security        became an official Spring Framework subproject. The 1.0.0 final        release was published in May 2006 - after more than two and a half        years of active use in numerous production software projects and many        hundreds of improvements and community contributions.</para>        <para>Today Acegi Security enjoys a strong and active open source        community. There are thousands of messages about Acegi Security on the        support forums. Fourteen developers work on the code itself, with an        active community who also regularly share patches and support their        peers.</para>      </sect1>      <sect1 id="release-numbering">        <title>Release Numbering</title>        <para>It is useful to understand how Acegi Security release numbers        work, as it will help you identify the effort (or lack thereof)        involved in migrating to future releases of the project. Officially,        we use the Apache Portable Runtime Project versioning guidelines,        which can be viewed at        <literal>http://apr.apache.org/versioning.html</literal>. We quote the        introduction contained on that page for your convenience:</para>        <para><quote>Versions are denoted using a standard triplet of        integers: MAJOR.MINOR.PATCH. The basic intent is that MAJOR versions        are incompatible, large-scale upgrades of the API. MINOR versions        retain source and binary compatibility with older minor versions, and        changes in the PATCH level are perfectly compatible, forwards and        backwards.</quote></para>      </sect1>    </chapter>    <chapter id="technical-overview">      <title>Technical Overview</title>      <sect1 id="runtime-environment">        <title>Runtime Environment</title>        <para>Acegi Security is written to execute within a standard Java 1.3        Runtime Environment. It also supports Java 5.0, although the Java        types which are specific to this release are packaged in a separate        package with the suffix "tiger" in their JAR filename. As Acegi        Security aims to operate in a self-contained manner, there is no need        to place any special configuration files into your Java Runtime        Environment. In particular, there is no need to configure a special        Java Authentication and Authorization Service (JAAS) policy file or        place Acegi Security into common classpath locations.</para>        <para>Similarly, if you are using an EJB Container or Servlet        Container there is no need to put any special configuration files        anywhere, nor include Acegi Security in a server classloader.</para>        <para>This above design offers maximum deployment time flexibility, as        you can simply copy your target artifact (be it a JAR, WAR or EAR)        from one system to another and it will immediately work.</para>      </sect1>      <sect1 id="shared-components">        <title>Shared Components</title>        <para>Let's explore some of the most important shared components in        Acegi Security. Components are considered "shared" if they are central        to the framework and the framework cannot operate without them. These        Java types represent the building blocks of the remaining system, so        it's important to understand that they're there, even if you don't        need to directly interact with them.</para>        <para>The most fundamental object is        <literal>SecurityContextHolder</literal>. This is where we store        details of the present security context of the application, which        includes details of the principal currently using the application. By        default the <literal>SecurityContextHolder</literal> uses a        <literal>ThreadLocal</literal> to store these details, which means        that the security context is always available to methods in the same        thread of execution, even if the security context is not explicitly        passed around as an argument those methods. Using a        <literal>ThreadLocal</literal> in this way is quite safe if care is        taken to clear the thread after the present principal's request is        processed. Of course, Acegi Security takes care of for you        automatically so there is no need to worry about it.</para>        <para>Some applications aren't entirely suitable for using a        <literal>ThreadLocal</literal>, because of the specific way they work        with threads. For example, a Swing client might want all threads in a        Java Virtual Machine to use the same security context. For this        situation you would use the        <literal>SecurityContextHolder.MODE_GLOBAL</literal>. Other        applications might want to have threads spawned by the secure thread        also assume the same security identity. This is achieved by using        <literal>SecurityContextHolder.MODE_INHERITABLETHREADLOCAL</literal>.        You can change the mode from the default        <literal>SecurityContextHolder.MODE_THREADLOCAL</literal> in two ways.        The first is to set a system property. Alternatively, call a static        method on <literal>SecurityContextHolder</literal>. Most applications        won't need to change from the default, but if you do, take a look at        the JavaDocs for <literal>SecurityContextHolder</literal> to learn        more.</para>        <para>Inside the <literal>SecurityContextHolder</literal> we store        details of the principal currently interacting with the application.        Acegi Security uses an <literal>Authentication</literal> object to        represent this information. Whilst you won't normally need to create        an <literal>Authentication</literal> object yourself, it is fairly        common for users to query the <literal>Authentication</literal>        object. You can use the following code block - from anywhere in your        application - to do this:</para>        <programlisting>Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();if (obj instanceof UserDetails) {  String username = ((UserDetails)obj).getUsername();} else {  String username = obj.toString();}</programlisting>        <para>The above code introduces a number of interesting relationships        and key objects. First, you will notice that there is an intermediate        object between <literal>SecurityContextHolder</literal> and        <literal>Authentication</literal>. The        <literal>SecurityContextHolder.getContext()</literal> method is        actually returning a <literal>SecurityContext</literal>. Acegi        Security uses a few different <literal>SecurityContext</literal>        implementations, such as if we need to store special information        related to a request that is not principal-specific. A good example of        this is our JCaptcha integration, which needs to know whether the        current request came from a human user or not. Because such a decision        has nothing at all to do with the principal the request may or may not        be authenticated as, we store it in the        <literal>SecurityContext</literal>.</para>        <para>Another item to note from the above code fragment is that you        can obtain a principal from the <literal>Authentication</literal>        object. The principal is just an <literal>Object</literal>. Most of        the time this can be cast into a <literal>UserDetails</literal>        object. <literal>UserDetails</literal> is a central interface in Acegi        Security. It represents a principal, but in an extensible and        application-specific way. Think of <literal>UserDetails</literal> as        the adapter between your own user database and what Acegi Security        needs inside the <literal>SecurityContextHolder</literal>. Being a        representation of something from your own user database, quite often        you will cast the <literal>UserDetails</literal> to the original        object that your application provided, so you can call        business-specific methods (like <literal>getEmail()</literal>,        <literal>getEmployeeNumber()</literal> and so on).</para>        <para>By now you're probably wondering, so when do I provide a        <literal>UserDetails</literal> object? How do I do that? I thought you        said this thing was declarative and I didn't need to write any Java        code - what gives? The short answer is that there is a special        interface called <literal>UserDetailsService</literal>. The only        method on this interface accepts a <literal>String</literal>-based        username argument and returns a <literal>UserDetails</literal>. Most        authentication providers that ship with Acegi Security delegate to a        <literal>UserDetailsService</literal> as part of the authentication        process. The <literal>UserDetailsService</literal> is used to build        the <literal>Authentication</literal> object that is stored in the        <literal>SecurityContextHolder</literal>. The good news is that we        provide a number of <literal>UserDetailsService</literal>        implementations, including one that uses an in-memory map and another        that uses JDBC. Most users tends to write their own, though, with such        implementations often simply sitting on top of an existing Data Access        Object (DAO) that represents their employees, customers, or other        users of the enterprise application. Remember the advantage that        whatever your UserDetailsService returns can always be obtained from        the <literal>SecurityContextHolder</literal>, as per the above code        fragment.</para>        <para>Besides the principal, another important method provided by        <literal>Authentication</literal> is        <literal>getAuthorities(</literal>). This method provides an array of        <literal>GrantedAuthority</literal> objects. A        <literal>GrantedAuthority</literal> is, not surprisingly, an authority        that is granted to the principal. Such authorities are usually        "roles", such as <literal>ROLE_ADMINISTRATOR</literal> or        <literal>ROLE_HR_SUPERVISOR</literal>. These roles are later on        configured for web authorization, method authorization and domain        object authorization. Other parts of Acegi Security are capable of        interpreting these authorities, and expect them to be present. You        will usually return <literal>GrantedAuthority</literal> objects from        the <literal>UserDetailsService</literal>.</para>        <para>Usually the <literal>GrantedAuthority</literal> objects are        application-wide permissions. They are not specific to a given domain        object. Thus, you wouldn't likely have a        <literal>GrantedAuthority</literal> to represent a permission to        <literal>Employee</literal> object number 54, because if there are        thousands of such authorities you would quickly run out of memory (or,        at the very least, cause the application to take a long time to        authenticate a user). Of course, Acegi Security is expressly designed        to handle this common requirement, but you'd instead use the project's        domain object security capabilities for this purpose.</para>        <para>Last but not least, sometimes you will need to store the        <literal>SecurityContext</literal> between HTTP requests. Other times        the principal will re-authenticate on every request, although most of        the time it will be stored. The        <literal>HttpSessionContextIntegrationFilter</literal> is responsible        for storing a <literal>SecurityContext</literal> between HTTP        requests. As suggested by the name of the class, the        <literal>HttpSession</literal> is used to store this information. You        should never interact directly with the <literal>HttpSession</literal>        for security purposes. There is simply no justification for doing so -        always use the <literal>SecurityContextHolder</literal>        instead.</para>        <para>Just to recap, the major building blocks of Acegi Security        are:</para>        <itemizedlist spacing="compact">          <listitem>            <para><literal>SecurityContextHolder</literal>, to provide any            type access to the <literal>SecurityContext</literal>.</para>          </listitem>          <listitem>            <para><literal>SecurityContext</literal>, to hold the            <literal>Authentication</literal> and possibly request-specific            security information.</para>          </listitem>          <listitem>            <para><literal>HttpSessionContextIntegrationFilter</literal>, to            store the <literal>SecurityContext</literal> in the            <literal>HttpSession</literal> between web requests.</para>          </listitem>          <listitem>            <para><literal>Authentication</literal>, to represent the            principal in an Acegi Security-specific manner.</para>          </listitem>          <listitem>            <para><literal>GrantedAuthority</literal>, to reflect the            application-wide permissions granted to a principal.</para>          </listitem>          <listitem>            <para><literal>UserDetails</literal>, to provide the necessary            information to build an Authentication object from your            application's DAOs.</para>          </listitem>          <listitem>            <para><literal>UserDetailsService</literal>, to create a            <literal>UserDetails</literal> when passed in a            <literal>String</literal>-based username (or certificate ID or            alike).</para>          </listitem>        </itemizedlist>        <para>Now that you've gained an understanding of these repeatedly-used        components, let's take a closer look at the process of        authentication.</para>      </sect1>      <sect1 id="common-authentication">        <title>Authentication</title>        <para>As mentioned in the beginning of this reference guide, Acegi        Security can participate in many different authentication        environments. Whilst we recommend people use Acegi Security for        authentication and not integrate with existing Container Managed        Authentication, it is nevertheless supported - as is integrating with        your own proprietary authentication system. Let's first explore        authentication from the perspective of Acegi Security managing web        security entirely on its own, which is illustrative of the most        complex and most common situation.</para>        <para>Consider a typical web application's authentication        process:</para>        <orderedlist>          <listitem>            <para>You visit the home page, and click on a link.</para>          </listitem>          <listitem>            <para>A request goes to the server, and the server decides that            you've asked for a protected resource.</para>          </listitem>          <listitem>            <para>As you're not presently authenticated, the server sends back            a response indicating that you must authenticate. The response            will either be a HTTP response code, or a redirect to a particular            web page.</para>          </listitem>          <listitem>            <para>Depending on the authentication mechanism, your browser will            either redirect to the specific web page so that you can fill out            the form, or the browser will somehow retrieve your identity (eg a            BASIC authentication dialogue box, a cookie, a X509 certificate            etc).</para>          </listitem>          <listitem>            <para>The browser will send back a response to the server. This            will either be a HTTP POST containing the contents of the form            that you filled out, or a HTTP header containing your            authentication details.</para>          </listitem>          <listitem>            <para>Next the server will decide whether or not the presented            credentials are valid. If they're valid, the next step will            happen. If they're invalid, usually your browser will be asked to            try again (so you return to step two above).</para>          </listitem>          <listitem>            <para>The original request that you made to cause the            authentication process will be retried. Hopefully you've            authenticated with sufficient granted authorities to access the            protected resource. If you have sufficient access, the request            will be successful. Otherwise, you'll receive back a HTTP error            code 403, which means "forbidden".</para>          </listitem>        </orderedlist>        <para>Acegi Security has distinct classes responsible for most of the        steps described above. The main participants (in the order that they        are used) are the <literal>ExceptionTranslationFilter</literal>, an        <literal>AuthenticationEntryPoint</literal>, an authentication        mechanism, and an <literal>AuthenticationProvider</literal>.</para>        <para><literal>ExceptionTranslationFilter</literal> is an Acegi        Security filter that has responsibility for detecting any Acegi        Security exceptions that are thrown. Such exceptions will generally be        thrown by an <literal>AbstractSecurityInterceptor</literal>, which is        the main provider of authorization services. We will discuss        <literal>AbstractSecurityInterceptor</literal> in the next section,        but for now we just need to know that it produces Java exceptions and        knows nothing about HTTP or how to go about authenticating a        principal. Instead the <literal>ExceptionTranslationFilter</literal>        offers this service, with specific responsibility for either returning        error code 403 (if the principal has been authenticated and therefore        simply lacks sufficient access - as per step seven above), or        launching an <literal>AuthenticationEntryPoint</literal> (if the        principal has not been authenticated and therefore we need to go        commence step three).</para>        <para>The <literal>AuthenticationEntryPoint</literal> is responsible        for step three in the above list. As you can imagine, each web        application will have a default authentication strategy (well, this        can be configured like nearly everything else in Acegi Security, but        let's keep it simple for now). Each major authentication system will        have its own <literal>AuthenticationEntryPoint</literal>        implementation, which takes actions such as described in step        three.</para>        <para>After your browser decides to submit your authentication        credentials (either as a HTTP form post or HTTP header) there needs to        be something on the server that "collects" these authentication        details. By now we're at step six in the above list. In Acegi Security        was have a special name for the function of collecting authentication        details from a user agent (usually a web browser), and that name is        "authentication mechanism". After the authentication details are        collected from the user agent, an "<literal>Authentication</literal>        request" object is built and then presented to an        AuthenticationProvider.</para>        <para>The last played in the Acegi Security authentication process is        an <literal>AuthenticationProvider</literal>. Quite simply, it is        responsible for taking an <literal>Authentication</literal> request        object and deciding whether or not it is valid. The provider will        either throw an exception, or return a fully populated        <literal>Authentication</literal> object. Remember our good friends,        <literal>UserDetails</literal> and        <literal>UserDetailsService</literal>? If not, head back to the        previous section and refresh your memory. Most        <literal>AuthenticationProvider</literal>s will ask a        <literal>UserDetailsService</literal> to provide a        <literal>UserDetails</literal> object. As mentioned earlier, most        application will provide their own        <literal>UserDetailsService</literal>, although some will be able to        use the JDBC or in-memory implementation that ships with Acegi        Security. The resultant <literal>UserDetails</literal> object - and        particularly the <literal>GrantedAuthority[]</literal>s contained        within the <literal>UserDetails</literal> object - will be used when        building the fully populated <literal>Authentication</literal>        object.</para>        <para>After the authentication mechanism receives back the        fully-populated <literal>Authentication</literal> object, it will deem        the request valid, put the <literal>Authentication</literal> into the        <literal>SecurityContextHolder</literal>, and cause the original        request to be retried (step seven above). If, on the other hand, the        <literal>AuthenticationProvider</literal> rejected the request, the        authentication mechanism will ask the user agent to retry (step two        above).</para>        <para>Whilst this describes the typical authentication workflow, the        good news is that Acegi Security doesn't mind how you put an        <literal>Authentication</literal> inside the        <literal>SecurityContextHolder</literal>. The only critical        requirement is that the <literal>SecurityContextHolder</literal>        contains an <literal>Authentication</literal> that represents a        principal before the <literal>AbstractSecurityInterceptor</literal>        needs to authorize a request.</para>        <para>You can (and many users do) write their own filters or MVC        controllers to provide interoperability with authentication systems        that are not based on Acegi Security. For example, you might be using        Container Managed Authentication which makes the current user        available from a ThreadLocal or JNDI location. Or you might work for a        company that has a legacy proprietary authentication system, which is        a corporate "standard" over which you have little control. In such        situations it's quite easy to get Acegi Security to work, and still        provide authorization capabilities. All you need to do is write a        filter (or equivalent) that reads the third-party user information        from a location, build an Acegi Security-specific Authentication        object, and put it onto the SecurityContextHolder. It's quite easy to        do this, and a fully-supported integration approach.</para>      </sect1>      <sect1 id="secure-objects">        <title>Secure Objects</title>        <para>If you're familiar with AOP, you'd be aware there are different        types of advice available: before, after, throws and around. An around        advice is very useful, because an advisor can elect whether or not to        proceed with a method invocation, whether or not to modify the        response, and whether or not to throw an exception. Acegi Security        provides an around advice for method invocations as well as web        requests. We achieve an around advice for method invocations using AOP        Alliance, and we achieve an around advice for web requests using a        standard Filter.</para>        <para>For those not familiar with AOP, the key point to understand is        that Acegi Security can help you protect method invocations as well as        web requests. Most people are interested in securing method        invocations on their services layer. This is because the services        layer is where most business logic resides in current-generation J2EE        applications (for clarification, the author disapproves of this design        and instead advocates properly encapsulated domain objects together        with the DTO, assembly, facade and transparent persistence patterns,        but as anemic domain objects is the present mainstream approach, we'll        talk about it here). If you just need to secure method invocations to        the services layer, using the Spring's standard AOP platform        (otherwise known as AOP Alliance) will be adequate. If you need to        secure domain objects directly, you will likely find that AspectJ is        worth considering.</para>        <para>You can elect to perform method authorization using AspectJ or        AOP Alliance, or you can elect to perform web request authorization        using filters. You can use zero, one, two or three of these approaches        together. The mainstream usage is to perform some web request        authorization, coupled with some AOP Alliance method invocation        authorization on the services layer.</para>        <para>Acegi Security uses the term "secure object" to refer to any        object that can have security applies to it. Each secure object        supported by Acegi Security has its own class, which is a subclass of        <literal>AbstractSecurityInterceptor</literal>. Importantly, by the        time the <literal>AbstractSecurityInterceptor</literal> is run, the        <literal>SecurityContextHolder</literal> will contain a valid        <literal>Authentication</literal> if the principal has been        authenticated.</para>        <para>The <literal>AbstractSecurityInterceptor</literal> provides a        consistent workflow for handling secure object requests. This workflow        includes looking up the "configuration attributes" associated with the        present request. A "configuration attribute" can be thought of as a        String that has special meaning to the classes used by        <literal>AbstractSecurityInterceptor</literal>. They're normally        configured against your AbstractSecurityInterceptor using XML. Anyway,        the <literal>AbstractSecurityInterceptor</literal> will ask an        <literal>AccessDecisionManager</literal> "here's the configuration        attributes, here's the current <literal>Authentication</literal>        object, and here's details of the current request - is this particular        principal allowed to perform this particular operation?".</para>        <para>Assuming <literal>AccessDecisionManager</literal> decides to        allow the request, the <literal>AbstractSecurityInterceptor</literal>        will normally just proceed with the request. Having said that, on rare        occasions users may want to replace the        <literal>Authentication</literal> inside the        <literal>SecurityContext</literal> with a different        <literal>Authentication</literal>, which is handled by the        <literal>AccessDecisionManager</literal> calling a        <literal>RunAsManager</literal>. This might be useful in reasonably        unusual situations, such as if a services layer method needs to call a        remote system and present a different identity. Because Acegi Security        automatically propagates security identity from one server to another        (assuming you're using a properly-configured RMI or HttpInvoker        remoting protocol client), this may be useful.</para>        <para>Following the secure object proceeding and then returning -        which may mean a method invocation completing or a filter chain        proceeding - the <literal>AbstractSecurityInterceptor</literal> gets        one final chance to handle the invocation. At this stage the        <literal>AbstractSecurityInterceptor</literal> is interested in        possibly modifying the return object. We might want this to happen        because an authorization decision couldn't be made "on the way in" to        a secure object invocation. Being highly pluggable,        <literal>AbstractSecurityInterceptor</literal> will pass control to an        <literal>AfterInvocationManager</literal> to actually modify the        object if needed. This class even can entirely replace the object, or        throw an exception, or not change it in any way.</para>        <para>Because <literal>AbstractSecurityInterceptor</literal> is the        central template class, it seems fitting that the first figure should        be devoted to it.</para>        <para><mediaobject>            <imageobject role="html">              <imagedata align="center"                         fileref="images/SecurityInterception.gif"                         format="GIF" />            </imageobject>            <caption>              <para>Figure 1: The key "secure object" model</para>            </caption>          </mediaobject></para>        <para>Only developers contemplating an entirely new way of        intercepting and authorizing requests would need to use secure objects        directly. For example, it would be possible to build a new secure        object to secure calls to a messaging system. Anything that requires        security and also provides a way of intercepting a call (like the AOP        around advice semantics) is capable of being made into a secure        object. Having said that, most Spring applications will simply use the        three currently supported secure object types (AOP Alliance        <literal>MethodInvocation</literal>, AspectJ        <literal>JoinPoint</literal> and web request        <literal>FilterInterceptor</literal>) with complete        transparency.</para>      </sect1>      <sect1 id="common-conclusion">        <title>Conclusion</title>        <para>Congratulations! You have enough of a high-level picture of        Acegi Security to embark on your project. We've explored the shared        components, how authentication works, and reviewed the common        authorization concept of a "secure object". Everything that follows in        this reference guide may or may not apply to your particular needs,        and can be read in any order.</para>      </sect1>    </chapter>    <chapter id="supporting-infrastructure">      <title>Supporting Infrastructure</title>      <para>This chapter introduces some of the supplementary and supporting      infrastructure used by Acegi Security. If a capability is not directly      related to security, yet included in the Acegi Security project, we will      discuss it in this chapter.</para>      <sect1 id="localization">        <title>Localization</title>        <para>Acegi Security supports localization of exception messages that        end users are likely to see. If your application is designed for        English users, you don't need to do anything as by default all Acegi        Security messages are in English. If you need to support other        locales, everything you need to know is contained in this        section.</para>        <para>All exception messages can be localized, including messages        related to authentication failures and access being denied        (authorization failures). Exceptions and logging that is focused on        developers or system deployers (including incorrect attributes,        interface contract violations, using incorrect constructors, startup        time validation, debug-level logging) etc are not localized and        instead are hard-coded in English within Acegi Security's code.</para>        <para>Shipping in the <literal>acegi-security-xx.jar</literal> you        will find an <literal>org.acegisecurity</literal> package that in turn        contains a <literal>messages.properties</literal> file. This should be        referred to by your <literal>ApplicationContext</literal>, as Acegi        Security classes implement Spring's        <literal>MessageSourceAware</literal> interface and expect the message        resolver to be dependency injected at application context startup        time. Usually all you need to do is register a bean inside your        application context to refer to the messages. An example is shown        below:</para>        <para><programlisting><bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">  <property name="basename"><value>org/acegisecurity/messages</value></property></bean>        </programlisting></para>        <para>The <literal>messages.properties</literal> is named in        accordance with standard resource bundles and represents the default        language supported by Acegi Securtiy messages. This default file is in        English. If you do not register a message source, Acegi Security will        still work correctly and fallback to hard-coded English versions of        the messages.</para>        <para>If you wish to customize the        <literal>messages.properties</literal> file, or support other        languages, you should copy the file, rename it accordingly, and        register it inside the above bean definition. There are not a large        number of message keys inside this file, so localization should not be        considered a major initiative. If you do perform localization of this        file, please consider sharing your work with the community by logging        a JIRA task and attaching your appropriately-named localized version        of <literal>messages.properties</literal>.</para>        <para>Rounding out the discussion on localization is the Spring        <literal>ThreadLocal</literal> known as        <literal>org.springframework.context.i18n.LocaleContextHolder</literal>.        You should set the <literal>LocaleContextHolder</literal> to represent        the preferred <literal>Locale</literal> of each user. Acegi Security        will attempt to locate a message from the message source using the        <literal>Locale</literal> obtained from this        <literal>ThreadLocal</literal>. Please refer to Spring documentation        for further details on using <literal>LocaleContextHolder</literal>        and the helper classes that can automatically set it for you (eg        <literal>AcceptHeaderLocaleResolver</literal>,        <literal>CookieLocaleResolver</literal>,        <literal>FixedLocaleResolver</literal>,        <literal>SessionLocaleResolver</literal> etc)</para>      </sect1>      <sect1 id="filters">        <title>Filters</title>        <para>Acegi Security uses many filters, as referred to throughout the        remainder of this reference guide. You have a choice in how these        filters are added to your web application, in that you can use either        <literal>FilterToBeanProxy</literal> or        <literal>FilterChainProxy</literal>. We'll look at both below.</para>        <para>Most filters are configured using the        <literal>FilterToBeanProxy</literal>. An example configuration from        <literal>web.xml</literal> follows:</para>        <para><programlisting><filter>  <filter-name>Acegi HTTP Request Security Filter</filter-name>  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>  <init-param>    <param-name>targetClass</param-name>    <param-value>org.acegisecurity.ClassThatImplementsFilter</param-value>  </init-param></filter></programlisting></para>        <para>Notice that the filter in <literal>web.xml</literal> is actually        a <literal>FilterToBeanProxy</literal>, and not the filter that will        actually implement the logic of the filter. What        <literal>FilterToBeanProxy</literal> does is delegate the        <literal>Filter</literal>'s methods through to a bean which is        obtained from the Spring application context. This enables the bean to        benefit from the Spring application context lifecycle support and        configuration flexibility. The bean must implement        <literal>javax.servlet.Filter</literal>.</para>        <para>The <literal>FilterToBeanProxy</literal> only requires a single        initialization parameter, <literal>targetClass</literal> or        <literal>targetBean</literal>. The <literal>targetClass</literal>        parameter locates the first object in the application context of the        specified class, whilst <literal>targetBean</literal> locates the        object by bean name. Like standard Spring web applications, the        <literal>FilterToBeanProxy</literal> accesses the application context        via<literal>        WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>,        so you should configure a <literal>ContextLoaderListener</literal> in        <literal>web.xml</literal>.</para>        <para>There is a lifecycle issue to consider when hosting        <literal>Filter</literal>s in an IoC container instead of a servlet        container. Specifically, which container should be responsible for        calling the <literal>Filter</literal>'s "startup" and "shutdown"        methods? It is noted that the order of initialization and destruction        of a <literal>Filter</literal> can vary by servlet container, and this        can cause problems if one <literal>Filter</literal> depends on        configuration settings established by an earlier initialized        <literal>Filter</literal>. The Spring IoC container on the other hand        has more comprehensive lifecycle/IoC interfaces (such as        <literal>InitializingBean</literal>,        <literal>DisposableBean</literal>, <literal>BeanNameAware</literal>,        <literal>ApplicationContextAware</literal> and many others) as well as        a well-understood interface contract, predictable method invocation        ordering, autowiring support, and even options to avoid implementing        Spring interfaces (eg the <literal>destroy-method</literal> attribute        in Spring XML). For this reason we recommend the use of Spring        lifecycle services instead of servlet container lifecycle services        wherever possible. By default <literal>FilterToBeanProxy</literal>        will not delegate <literal>init(FilterConfig)</literal> and        <literal>destroy()</literal> methods through to the proxied bean. If        you do require such invocations to be delegated, set the        <literal>lifecycle</literal> initialization parameter to        <literal>servlet-container-managed</literal>.</para>        <para>Rather than using <literal>FilterToBeanProxy</literal>, we        strongly recommend to use <literal>FilterChainProxy</literal> instead.        Whilst <literal>FilterToBeanProxy</literal> is a very useful class,        the problem is that the lines of code required for        <literal><filter></literal> and        <literal><filter-mapping></literal> entries in        <literal>web.xml</literal> explodes when using more than a few        filters. To overcome this issue, Acegi Security provides a        <literal>FilterChainProxy</literal> class. It is wired using a        <literal>FilterToBeanProxy</literal> (just like in the example above),        but the target class is        <literal>org.acegisecurity.util.FilterChainProxy</literal>. The filter        chain is then declared in the application context, using code such as        this:</para>        <para><programlisting><bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">  <property name="filterInvocationDefinitionSource">    <value>      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON      PATTERN_TYPE_APACHE_ANT      /webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor      /**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor    </value>  </property></bean>        </programlisting></para>        <para>You may notice similarities with the way        <literal>FilterSecurityInterceptor</literal> is declared. Both regular        expressions and Ant Paths are supported, and the most specific URIs        appear first. At runtime the <literal>FilterChainProxy</literal> will        locate the first URI pattern that matches the current web request.        Each of the corresponding configuration attributes represent the name        of a bean defined in the application context. The filters will then be        invoked in the order they are specified, with standard        <literal>FilterChain</literal> behaviour being respected (a        <literal>Filter</literal> can elect not to proceed with the chain if        it wishes to end processing).</para>        <para>As you can see, <literal>FilterChainProxy</literal> requires the        duplication of filter names for different request patterns (in the        above example, <literal>exceptionTranslationFilter</literal> and        <literal>filterSecurityInterceptor</literal> are duplicated). This        design decision was made to enable <literal>FilterChainProxy</literal>        to specify different <literal>Filter</literal> invocation orders for        different URI patterns, and also to improve both the expressiveness        (in terms of regular expressions, Ant Paths, and any custom        <literal>FilterInvocationDefinitionSource</literal> implementations)        and clarity of which <literal>Filter</literal>s should be        invoked.</para>        <para>You may have noticed we have declared two        <literal>HttpSessionContextIntegrationFilter</literal>s in the filter        chain (<literal>ASC</literal> is short for        <literal>allowSessionCreation</literal>, a property of        <literal>HttpSessionContextIntegrationFilter</literal>). As web        services will never present a <literal>jsessionid</literal> on future        requests, creating <literal>HttpSession</literal>s for such user        agents would be wasteful. If you had a high-volume application which        required maximum scalability, we recommend you use the approach shown        above. For smaller applications, using a single        <literal>HttpSessionContextIntegrationFilter</literal> (with its        default <literal>allowSessionCreation</literal> as        <literal>true</literal>) would likely be sufficient.</para>        <para>In relation to lifecycle issues, the        <literal>FilterChainProxy</literal> will always delegate        <literal>init(FilterConfig)</literal> and <literal>destroy()</literal>        methods through to the underlaying <literal>Filter</literal>s if such        methods are called against <literal>FilterChainProxy</literal> itself.        In this case, <literal>FilterChainProxy</literal> guarantees to only        initialize and destroy each <literal>Filter</literal> once,        irrespective of how many times it is declared by the        <literal>FilterInvocationDefinitionSource</literal>. You control the        overall choice as to whether these methods are called or not via the        <literal>lifecycle</literal> initialization parameter of the        <literal>FilterToBeanProxy</literal> that proxies        <literal>FilterChainProxy</literal>. As discussed above, by default        any servlet container lifecycle invocations are not delegated through        to <literal>FilterChainProxy</literal>.</para>        <para>The order that filters are defined in <literal>web.xml</literal>        is very important. Irrespective of which filters you are actually        using, the order of the <literal><filter-mapping></literal>s        should be as follows:</para>        <orderedlist>          <listitem>            <para><literal>ChannelProcessingFilter</literal>, because it might            need to redirect to a different protocol</para>          </listitem>          <listitem>            <para><literal>ConcurrentSessionFilter</literal>, because it            doesn't use any <literal>SecurityContextHolder</literal>            functionality but needs to update the            <literal>SessionRegistry</literal> to reflect ongoing requests            from the principal</para>          </listitem>          <listitem>            <para><literal>HttpSessionContextIntegrationFilter</literal>, so a            <literal>SecurityContext</literal> can be setup in the            <literal>SecurityContextHolder</literal> at the beginning of a web            request, and any changes to the <literal>SecurityContext</literal>            can be copied to the <literal>HttpSession</literal> when the web            request ends (ready for use with the next web request)</para>          </listitem>          <listitem>            <para>Authentication processing mechanisms -            <literal>AuthenticationProcessingFilter</literal>,            <literal>CasProcessingFilter</literal>,            <literal>BasicProcessingFilter, HttpRequestIntegrationFilter,            JbossIntegrationFilter</literal> etc - so that the            <literal>SecurityContextHolder</literal> can be modified to            contain a valid <literal>Authentication</literal> request            token</para>          </listitem>          <listitem>            <para>The            <literal>SecurityContextHolderAwareRequestFilter</literal>, if you            are using it to install an Acegi Security aware            <literal>HttpServletRequestWrapper</literal> into your servlet            container</para>          </listitem>          <listitem>            <para><literal>RememberMeProcessingFilter</literal>, so that if no            earlier authentication processing mechanism updated the            <literal>SecurityContextHolder</literal>, and the request presents            a cookie that enables remember-me services to take place, a            suitable remembered            <literal><literal>Authentication</literal></literal> object will            be put there</para>          </listitem>          <listitem>            <para><literal>AnonymousProcessingFilter</literal>, so that if no            earlier authentication processing mechanism updated the            <literal>SecurityContextHolder</literal>, an anonymous            <literal>Authentication</literal> object will be put there</para>          </listitem>          <listitem>            <para><literal>ExceptionTranslationFilter</literal>, to catch any            Acegi Security exceptions so that either a HTTP error response can            be returned or an appropriate            <literal>AuthenticationEntryPoint</literal> can be launched</para>          </listitem>          <listitem>            <para><literal>FilterSecurityInterceptor</literal>, to protect web            URIs</para>          </listitem>        </orderedlist>        <para>All of the above filters use        <literal>FilterToBeanProxy</literal> or        <literal>FilterChainProxy</literal>. It is recommended that a single        <literal>FilterToBeanProxy</literal> proxy through to a single        <literal>FilterChainProxy</literal> for each application, with that        <literal>FilterChainProxy</literal> defining all of Acegi Security        <literal>Filter</literal>s.</para>        <para>If you're using SiteMesh, ensure Acegi Security filters execute        before the SiteMesh filters are called. This enables the        <literal>SecurityContextHolder</literal> to be populated in time for        use by SiteMesh decorators</para>      </sect1>    </chapter>    <chapter id="channel-security">      <title>Channel Security</title>      <sect1 id="channel-security-overview">        <title>Overview</title>        <para>In addition to coordinating the authentication and authorization        requirements of your application, Acegi Security is also able to        ensure unauthenticated web requests have certain properties. These        properties may include being of a particular transport type, having a        particular <literal>HttpSession</literal> attribute set and so on. The        most common requirement is for your web requests to be received using        a particular transport protocol, such as HTTPS.</para>        <para>An important issue in considering transport security is that of        session hijacking. Your web container manages a        <literal>HttpSession</literal> by reference to a        <literal>jsessionid</literal> that is sent to user agents either via a        cookie or URL rewriting. If the <literal>jsessionid</literal> is ever        sent over HTTP, there is a possibility that session identifier can be        intercepted and used to impersonate the user after they complete the        authentication process. This is because most web containers maintain        the same session identifier for a given user, even after they switch        from HTTP to HTTPS pages.</para>        <para>If session hijacking is considered too significant a risk for        your particular application, the only option is to use HTTPS for every        request. This means the <literal>jsessionid</literal> is never sent        across an insecure channel. You will need to ensure your        <literal>web.xml</literal>-defined        <literal><welcome-file></literal> points to a HTTPS location,        and the application never directs the user to a HTTP location. Acegi        Security provides a solution to assist with the latter.</para>      </sect1>      <sect1 id="channel-security-config">        <title>Configuration</title>        <para>To utilise Acegi Security's channel security services, add the        following lines to <literal>web.xml</literal>:</para>        <para><programlisting><filter>  <filter-name>Acegi Channel Processing Filter</filter-name>  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>  <init-param>    <param-name>targetClass</param-name>    <param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value>  </init-param></filter><filter-mapping>  <filter-name>Acegi Channel Processing Filter</filter-name>  <url-pattern>/*</url-pattern></filter-mapping>        </programlisting></para>        <para>As usual when running <literal>FilterToBeanProxy</literal>, you        will also need to configure the filter in your application        context:</para>        <para><programlisting><bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">  <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>  <property name="filterInvocationDefinitionSource">    <value>      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON      \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL      \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL      \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL	      \A.*\Z=REQUIRES_INSECURE_CHANNEL    </value>  </property></bean><bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">  <property name="channelProcessors">    <list>      <ref bean="secureChannelProcessor"/>      <ref bean="insecureChannelProcessor"/>    </list>  </property></bean><bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/><bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>        </programlisting></para>        <para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant        style paths are also supported by the        <literal>ChannelProcessingFilter</literal>.</para>        <para>The <literal>ChannelProcessingFilter</literal> operates by        filtering all web requests and determining the configuration        attributes that apply. It then delegates to the        <literal>ChannelDecisionManager</literal>. The default implementation,        <literal>ChannelDecisionManagerImpl</literal>, should suffice in most        cases. It simply delegates through the list of configured        <literal>ChannelProcessor</literal> instances. A        <literal>ChannelProcessor</literal> will review the request, and if it        is unhappy with the request (eg it was received across the incorrect        transport protocol), it will perform a redirect, throw an exception or        take whatever other action is appropriate.</para>        <para>Included with Acegi Security are two concrete        <literal>ChannelProcessor</literal> implementations:        <literal>SecureChannelProcessor</literal> ensures requests with a        configuration attribute of <literal>REQUIRES_SECURE_CHANNEL</literal>        are received over HTTPS, whilst        <literal>InsecureChannelProcessor</literal> ensures requests with a        configuration attribute of        <literal>REQUIRES_INSECURE_CHANNEL</literal> are received over HTTP.        Both implementations delegate to a        <literal>ChannelEntryPoint</literal> if the required transport        protocol is not used. The two <literal>ChannelEntryPoint</literal>        implementations included with Acegi Security simply redirect the        request to HTTP and HTTPS as appropriate. Appropriate defaults are        assigned to the <literal>ChannelProcessor</literal> implementations        for the configuration attribute keywords they respond to and the        <literal>ChannelEntryPoint</literal> they delegate to, although you        have the ability to override these using the application        context.</para>        <para>Note that the redirections are absolute (eg        <literal>http://www.company.com:8080/app/page</literal>), not relative        (eg <literal>/app/page</literal>). During testing it was discovered        that Internet Explorer 6 Service Pack 1 has a bug whereby it does not        respond correctly to a redirection instruction which also changes the        port to use. Accordingly, absolute URLs are used in conjunction with        bug detection logic in the <literal>PortResolverImpl</literal> that is        wired up by default to many Acegi Security beans. Please refer to the        JavaDocs for <literal>PortResolverImpl</literal> for further        details.</para>        <para>You should note that using a secure channel is recommended if        usernames and passwords are to be kept secure during the login        process. If you do decide to use        <literal>ChannelProcessingFilter</literal> with form-based login,        please ensure that your login page is set to        <literal>REQUIRES_SECURE_CHANNEL</literal>, and that the        <literal>AuthenticationProcessingFilterEntryPoint.forceHttps</literal>        property is <literal>true</literal>.</para>      </sect1>      <sect1 id="channel-security-conclusion">        <title>Conclusion</title>        <para>Once configured, using the channel security filter is very easy.        Simply request pages without regard to the protocol (ie HTTP or HTTPS)        or port (eg 80, 8080, 443, 8443 etc). Obviously you'll still need a        way of making the initial request (probably via the        <literal>web.xml</literal> <literal><welcome-file></literal> or        a well-known home page URL), but once this is done the filter will        perform redirects as defined by your application context.</para>        <para>You can also add your own <literal>ChannelProcessor</literal>        implementations to the <literal>ChannelDecisionManagerImpl</literal>.        For example, you might set a <literal>HttpSession</literal> attribute        when a human user is detected via a "enter the contents of this        graphic" procedure. Your <literal>ChannelProcessor</literal> would        respond to say <literal>REQUIRES_HUMAN_USER</literal> configuration        attributes and redirect to an appropriate entry point to start the        human user validation process if the <literal>HttpSession</literal>        attribute is not currently set.</para>        <para>To decide whether a security check belongs in a        <literal>ChannelProcessor</literal> or an        <literal>AccessDecisionVoter</literal>, remember that the former is        designed to handle unauthenticated requests, whilst the latter is        designed to handle authenticated requests. The latter therefore has        access to the granted authorities of the authenticated principal. In        addition, problems detected by a <literal>ChannelProcessor</literal>        will generally cause a HTTP/HTTPS redirection so its requirements can        be met, whilst problems detected by an        <literal>AccessDecisionVoter</literal> will ultimately result in an        <literal>AccessDeniedException</literal> (depending on the governing        <literal>AccessDecisionManager</literal>).</para>      </sect1>    </chapter>    <chapter id="taglib">      <title>Tag Libraries</title>      <sect1 id="taglib-overview">        <title>Overview</title>        <para>Acegi Security comes bundled with several JSP tag libraries that        eases JSP writing. The tag libraries are known as        <literal>authz</literal> and provide a range of different        services.</para>      </sect1>      <sect1 id="taglib-config">        <title>Configuration</title>        <para>All taglib classes are included in the core        <literal>acegi-security-xx.jar</literal> file, with the        <literal>authz.tld</literal> located in the JAR's        <literal>META-INF</literal> directory. This means for JSP 1.2+ web        containers you can simply include the JAR in the WAR's        <literal>WEB-INF/lib</literal> directory and it will be available. If        you're using a JSP 1.1 container, you'll need to declare the JSP        taglib in your <literal>web.xml file</literal>, and include        <literal>authz.tld</literal> in the <literal>WEB-INF/lib</literal>        directory. The following fragment is added to        <literal>web.xml</literal>:</para>        <para><programlisting><taglib>  <taglib-uri>http://acegisecurity.org/authz</taglib-uri>  <taglib-location>/WEB-INF/authz.tld</taglib-location></taglib>       </programlisting></para>      </sect1>      <sect1 id="taglib-usage">        <title>Usage</title>        <para>Now that you've configured the tag libraries, refer to the        individual reference guide sections for details on how to use        them.</para>      </sect1>    </chapter>  </part>  <part id="authentication">    <title>Authentication</title>    <partintro>      <para>In this part of the reference guide we will examine individual      authentication mechanisms and their corresponding      <literal>AuthenticationProvider</literal>s. We'll also look at how to      configure authentication more generally, including if you have several      authentication approaches that need to be chained together.</para>    </partintro>    <chapter id="authentication-common-auth-services">      <title>Common Authentication Services</title>      <sect1 id="mechanisms-providers-entry-points">        <title>Mechanisms, Providers and Entry Points</title>        <para>If you're using Acegi Security-provided authentication        approaches, you'll usually need to configure a web filter, together        with an <literal>AuthenticationProvider</literal> and        <literal>AuthenticationEntryPoint</literal>. In this section we are        going to explore an example application that needs to support both        form-based authentication (ie so a nice HTML page is presented to a        user for them to login) plus BASIC authentication (ie so a web service        or similar can access protected resources).</para>        <para>In the web.xml, this application will need a single Acegi        Security filter in order to use the FilterChainProxy. Nearly every        Acegi Security application will have such an entry, and it looks like        this:</para>        <para><programlisting><filter>  <filter-name>Acegi Filter Chain Proxy</filter-name>  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>  <init-param>    <param-name>targetClass</param-name>    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>  </init-param></filter><filter-mapping>  <filter-name>Acegi Filter Chain Proxy</filter-name>  <url-pattern>/*</url-pattern></filter-mapping></programlisting></para>        <para>The above declarations will cause every web request to be passed        through to Acegi Security's FilterChainProxy. As explained in the        filters section of this reference guide, the FilterChainProxy is a        generally-useful class that enables web requests to be passed to        different filters based on the URL patterns. Those delegated filters        are managed inside the application context, so they can benefit from        dependency injection. Let's have a look at what the FilterChainProxy        bean definition would look like inside your application        context:</para>        <para><programlisting><bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">  <property name="filterInvocationDefinitionSource">    <value>      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON      PATTERN_TYPE_APACHE_ANT      /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,switchUserProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor    </value>  </property></bean></programlisting></para>        <para>Internally Acegi Security will use a        <literal>PropertyEditor</literal> to convert the string presented in        the above XML fragment into a        <literal>FilterInvocationDefinitionSource</literal> object. What's        important to note at this stage is that a series of filters will be        run - in the order specified by the declaration - and each of those        filters are actually the <literal><bean id></literal> of another        bean inside the application context. So, in our case some extra beans        will also appear in the application context, and they'll be named        <literal>httpSessionContextIntegrationFilter</literal>,        <literal>logoutFilter</literal> and so on. The order that the filters        should appear is discussed in the filters section of the reference        guide - although they are correct in the above example.</para>        <para>In our example we have the        <literal>AuthenticationProcessingFilter</literal> and        <literal>BasicProcessingFilter</literal> being used. These are the        "authentication mechanisms" that respond to form-based authentication        and BASIC HTTP header-based authentication respectively (we discussed        the role of authentication mechanisms earlier in this reference        guide). If you weren't using form or BASIC authentication, neither of        these beans would be defined. You'd instead define filters applicable        to your desired authentication environment, such as        <literal>DigestProcessingFilter</literal> or        <literal>CasProcessingFilter</literal>. Refer to the individual        chapters of this part of the reference guide to learn how to configure        each of these authentication mechanisms.</para>        <para>Recall that        <literal>HttpSessionContextIntegrationFilter</literal> keeps the        contents of the <literal>SecurityContext</literal> between invocations        inside a HTTP session. This means the authentication mechanisms are        only used once, being when the principal initially tries to        authenticate. The rest of the time the authentication mechanisms sit        there and silently pass the request through to the next filter in the        chain. That is a practical requirement due to the fact that few        authentication approaches present credentials on each and every call        (BASIC authentication being a notable exception), but what happens if        a principal's account gets cancelled or disabled or otherwise changed        (eg an increase or decrease in <literal>GrantedAuthority[]</literal>s)        after the initial authentication step? Let's look at how that is        handled now.</para>        <para>The major authorization provider for secure objects has        previously been introduced as        <literal>AbstractSecurityInterceptor</literal>. This class needs to        have access to an <literal>AuthenticationManager</literal>. It also        has configurable settings to indicate whether an        <literal>Authentication</literal> object should be re-authenticated on        each secure object invocation. By default it just accepts any        <literal>Authentication</literal> inside the        <literal>SecurityContextHolder</literal> is authenticated if        <literal>Authentication.isAuthenticated()</literal> returns true. This        is great for performance, but not ideal if you want to ensure        up-to-the-moment authentication validity. For such cases you'll        probably want to set the        <literal>AbstractSecurityInterceptor.alwaysReauthenticate</literal>        property to true.</para>        <para>You might be asking yourself, "what's this        <literal>AuthenticationManager</literal>?". We haven't explored it        before, but we have discussed the concept of an        <literal>AuthenticationProvider</literal>. Quite simply, an        AuthenticationManager is responsible for passing requests through a        chain of AuthenticationProviders. It's a little like the filter chain        we discussed earlier, although there are some differences. There is        only one AuthenticationManager implementation shipped with Acegi        Security, so let's look at how it's configured for the example we're        using in this chapter:</para>        <para><programlisting><bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">  <property name="providers">    <list>      <ref local="daoAuthenticationProvider"/>      <ref local="anonymousAuthenticationProvider"/>      <ref local="rememberMeAuthenticationProvider"/>    </list>  </property></bean></programlisting></para>        <para>It's probably worth mentioning at this point that your        authentication mechanisms (which are usually filters) are also        injected with a reference to the        <literal>AuthenticationManager</literal>. So both        <literal>AbstractSecurityInterceptor</literal> as well as the        authentication mechanisms will use the above        <literal>ProviderManager</literal> to poll a list of        <literal>AuthenticationProvider</literal>s.</para>        <para>In our example we have three providers. They are tried in the        order shown (which is implied by the use of a <literal>List</literal>        instead of a <literal>Set</literal>), with each provider able to        attempt authentication, or skip authentication by simply returning        <literal>null</literal>. If all implementations return null, the        <literal>ProviderManager</literal> will throw a suitable exception. If        you're interested in learning more about chaining providers, please        refer to the <literal>ProviderManager</literal> JavaDocs.</para>        <para>The providers to use will sometimes be interchangeable with the        authentication mechanisms, whilst at other times they will depend on a        specific authentication mechanism. For example, the        <literal>DaoAuthenticationProvider</literal> just needs a string-based        username and password. Various authentication mechanisms result in the        collection of a string-based username and password, including (but not        limited to) BASIC and form authentication. Equally, some        authentication mechanisms create an authentication request object        which can only be interpreted by a single type of        <literal>AuthenticationProvider</literal>. An example of this        one-to-one mapping would be JA-SIG CAS, which uses the notion of a        service ticket which can therefore only be authenticated by        <literal>CasAuthenticationProvider</literal>. A further example of a        one-to-one mapping would be the LDAP authentication mechanism, which        can only be processed an the        <literal>LdapAuthenticationProvider</literal>. The specifics of such        relationships are detailed in the JavaDocs for each class, plus the        authentication approach-specific chapters of this reference guide. You        need not be terribly concerned about this implementation detail,        because if you forget to register a suitable provider, you'll simply        receive a <literal>ProviderNotFoundException</literal> when an attempt        to authenticate is made.</para>        <para>After configuring the correct authentication mechanisms in the        <literal>FilterChainProxy</literal>, and ensuring that a corresponding        <literal>AuthenticationProvider</literal> is registered in the        <literal>ProviderManager</literal>, your last step is to configure an        <literal>AuthenticationEntryPoint</literal>. Recall that earlier we        discussed the role of <literal>ExceptionTranslationFilter</literal>,        which is used when HTTP-based requests should receive back a HTTP        header or HTTP redirect in order to start authentication. Continuing        on with our earlier example:</para>        <para><programlisting><bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">  <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>  <property name="accessDeniedHandler">    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">      <property name="errorPage" value="/accessDenied.jsp"/>    </bean>  </property></bean><bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">  <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>  <property name="forceHttps"><value>false</value></property></bean></programlisting></para>        <para>Notice that the <literal>ExceptionTranslationFilter</literal>        requires two collaborators. The first,        <literal>AccessDeniedHandlerImpl</literal>, uses a        <literal>RequestDispatcher</literal> forward to display the specified        access denied error page. We use a forward so that the        <literal>SecurityContextHolder</literal> still contains details of the        principal, which may be useful for display to the user (in old        releases of Acegi Security we relied upon the servlet container to        handle a 403 error message, which lacked this useful contextual        information). <literal>AccessDeniedHandlerImpl</literal> will also set        the HTTP header to 403, which is the official error code to indicate        access denied. In the case of the        <literal>AuthentionEntryPoint</literal>, here we're setting what        action we would like taken when an unauthenticated principal attempts        to perform a protected operation. Because in our example we're going        to be using form-based authentication, we specify        <literal>AuthenticationProcessinFilterEntryPoint</literal> and the URL        of the login page. Your application will usually only have one entry        point, and most authentication approaches define their own specific        <literal>AuthenticationEntryPoint</literal>. Details of which entry        point to use for each authentication approach is discussed in the        authentication approach-specific chapters of this reference        guide.</para>      </sect1>      <sect1 id="userdetails-and-associated-types">        <title>UserDetails and Associated Types</title>        <para>As mentioned in the first part of the reference guide, most        authentication providers take advantage of the        <literal>UserDetails</literal> and        <literal>UserDetailsService</literal> interfaces. The contract for        this latter interface consists of a single method:</para>        <para><programlisting>public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException;</programlisting></para>        <para>The returned <literal>UserDetails</literal> is an interface that        provides getters that guarantee non-null provision of basic        authentication information such as the username, password, granted        authorities and whether the user is enabled or disabled. Most        authentication providers will use a        <literal>UserDetailsService</literal>, even if the username and        password are not actually used as part of the authentication decision.        Generally such provider will be using the returned        <literal>UserDetails</literal> object just for its        <literal>GrantedAuthority[]</literal> information, because some other        system (like LDAP or X509 or CAS etc) has undertaken the        responsibility of actually validating the credentials.</para>        <para>A single concrete implementation of        <literal>UserDetails</literal> is provided with Acegi Security, being        the <literal>User</literal> class. Acegi Security users will need to        decide when writing their <literal>UserDetailsService</literal> what        concrete <literal>UserDetails</literal> class to return. In most cases        <literal>User</literal> will be used directly or subclassed, although        special circumstances (such as object relational mappers) may require        users to write their own <literal>UserDetails</literal> implementation        from scratch. This is not such an unusual situation, and users should        not hesitate to simply return their normal domain object that        represents a user of the system. This is especially common given that        <literal>UserDetails</literal> is often used to store additional        principal-related properties (such as their telephone number and email        address), so that they can be easily used by web views.</para>        <para>Given <literal>UserDetailsService</literal> is so simple to        implement, it should be easy for users to retrieve authentication        information using a persistence strategy of their choice. Having said        that, Acegi Security does include a couple of useful base        implementations, which we'll look at below.</para>        <sect2 id="in-memory-service">          <title>In-Memory Authentication</title>          <para>Whilst it is easy to use create a custom          <literal>UserDetailsService</literal> implementation that extracts          information from a persistence engine of choice, many applications          do not require such complexity. This is particularly true if you're          undertaking a rapid prototype or just starting integrating Acegi          Security, when you don't really want to spend time configuring          databases or writing <literal>UserDetailsService</literal>          implementations. For this sort of situation, a simple option is to          configure the <literal>InMemoryDaoImpl</literal>          implementation:</para>          <para><programlisting><bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">  <property name="userMap">    <value>      marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR      dianne=emu,ROLE_TELLER      scott=wombat,ROLE_TELLER      peter=opal,disabled,ROLE_TELLER    </value>  </property></bean>        </programlisting></para>          <para>In the above example, the <literal>userMap</literal> property          contains each of the usernames, passwords, a list of granted          authorities and an optional enabled/disabled keyword. Commas are          used to delimit each token. The username must appear to the left of          the equals sign, and the password must be the first token to the          right of the equals sign. The <literal>enabled</literal> and          <literal>disabled</literal> keywords (case insensitive) may appear          in the second or any subsequent token. Any remaining tokens are          treated as granted authorities, which are created as          <literal>GrantedAuthorityImpl</literal> objects (this is just for          your reference - most application don't need custom          <literal>GrantedAuthority</literal> implementations, so using the          default implementation in this manner is just fine). Note that if a          user has no password and/or no granted authorities, the user will          not be created in the in-memory authentication repository.</para>          <para><literal>InMemoryDaoImpl</literal> also offers a          <literal>setUserProperties(Properties)</literal> method, which          allows you to externalise the          <literal>java.util.Properties</literal> in another Spring configured          bean or an external properties file. You might like to use Spring's          <literal>PropertiesFactoryBean</literal>, which is useful for          loading such external properties files. This setter might prove          useful for simple applications that have a larger number of users,          or deployment-time configuration changes, but do not wish to use a          full database for handling authentication details.</para>        </sect2>        <sect2 id="jdbc-service">          <title>JDBC Authentication</title>          <para>Acegi Security also includes a          <literal>UserDetailsService</literal> that can obtain authentication          information from a JDBC data source. Internally Spring JDBC is used,          so it avoids the complexity of a fully-featured object relational          mapper (ORM) just to store user details. If your application does          use an ORM tool, you might prefer to write a custom          <literal>UserDetailsService</literal> to reuse the mapping files          you've probably already created. Returning to          <literal>JdbcDaoImpl</literal>, an example configuration is shown          below:</para>          <para><programlisting><bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">  <property name="driverClassName"><value>org.hsqldb.jdbcDriver</value></property>  <property name="url"><value>jdbc:hsqldb:hsql://localhost:9001</value></property>  <property name="username"><value>sa</value></property>  <property name="password"><value></value></property></bean><bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">  <property name="dataSource"><ref bean="dataSource"/></property></bean>        </programlisting></para>          <para>You can use different relational database management systems          by modifying the <literal>DriverManagerDataSource</literal> shown          above. You can also use a global data source obtained from JNDI, as          per normal Spring options. Irrespective of the database used and how          a <literal>DataSource</literal> is obtained, a standard schema must          be used as indicated in <literal>dbinit.txt</literal>. You can          download this file from the Acegi Security web site.</para>          <para>If you default schema is unsuitable for your needs,          <literal>JdbcDaoImpl</literal> provides two properties that allow          customisation of the SQL statements. You may also subclass the          <literal>JdbcDaoImpl</literal> if further customisation is          necessary. Please refer to the JavaDocs for details, although please          note that the class is not intended for complex custom subclasses.          If you have complex needs (such as a special schema or would like a          certain <literal>UserDetails</literal> implementation returned),          you'd be better off writing your own          <literal>UserDetailsService</literal>. The base implementation          provided with Acegi Security is intended for typical situations, and          does not offer infinite configuration flexibility.</para>        </sect2>      </sect1>      <sect1 id="concurrent-sessions">        <title>Concurrent Session Handling</title>        <para>Acegi Security is able to prevent a principal from concurrently        authenticating to the same application more than a specified number of        times. Many ISVs take advantage of this to enforce licensing, whilst        network administrators like this feature because it helps prevent        people from sharing login names. You can, for example, stop user        "Batman" from logging onto the web application from two different        sessions.</para>        <para>To use concurrent session support, you'll need to add the        following to <literal>web.xml</literal>:</para>        <para><programlisting><listener>  <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class></listener>        </programlisting></para>        <para>In addition, you will need to add the        <literal>org.acegisecurity.concurrent.ConcurrentSessionFilter</literal>        to your <literal>FilterChainProxy</literal>. The        ConcurrentSessionFilter requires two properties,        <literal>sessionRegistry</literal>, which generally points to an        instance of <literal>SessionRegistryImpl</literal>, and        <literal>expiredUrl</literal>, which points to the page to display        when a session has expired.</para>        <para>The <literal>web.xml</literal>        <literal>HttpSessionEventPublisher</literal> causes an        <literal>ApplicationEvent</literal> to be published to the Spring        <literal>ApplicationContext</literal> every time a        <literal>HttpSession</literal> commences or terminates. This is        critical, as it allows the <literal>SessionRegistryImpl</literal> to        be notified when a session ends.</para>        <para>You will also need to wire up the        <literal>ConcurrentSessionControllerImpl</literal> and refer to it        from your <literal>ProviderManager</literal> bean:</para>        <para><programlisting><bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">  <property name="providers">    <!-- your providers go here -->  </property>  <property name="sessionController"><ref bean="concurrentSessionController"/></property></bean><bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">  <property name="maximumSessions"><value>1</value></property>  <property name="sessionRegistry"><ref local="sessionRegistry"/></property></bean><bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/></programlisting></para>      </sect1>      <sect1 id="authentication-taglibs">        <title>Authentication Tag Libraries</title>        <para><literal>AuthenticationTag</literal> is used to simply output a        property of the current principal's        <literal>Authentication.getPrincipal()</literal> object to the web        page.</para>        <para>The following JSP fragment illustrates how to use the        <literal>AuthenticationTag</literal>:</para>        <para><programlisting><authz:authentication operation="username"/></programlisting></para>        <para>This tag would cause the principal's name to be output. Here we        are assuming the <literal>Authentication.getPrincipal()</literal> is a        <literal>UserDetails</literal> object, which is generally the case        when using the typical        <literal>DaoAuthenticationProvider</literal>.</para>      </sect1>    </chapter>    <chapter id="dao-provider">      <title>DAO Authentication Provider</title>      <sect1 id="dao-provider-overview">        <title>Overview</title>        <para>Acegi Security includes a production-quality        <literal>AuthenticationProvider</literal> implementation called        <literal>DaoAuthenticationProvider</literal>. This authentication        provider is compatible with all of the authentication mechanisms that        generate a <literal>UsernamePasswordAuthenticationToken</literal>, and        is probably the most commonly used provider in the framework. Like        most of the other authentication providers, the        DaoAuthenticationProvider leverages a UserDetailsService in order to        lookup the username, password and GrantedAuthority[]s. Unlike most of        the other authentication providers that leverage UserDetailsService,        this authentication provider actually requires the password to be        presented, and the provider will actually evaluate the validity or        otherwise of the password presented in an authentication request        object.</para>      </sect1>      <sect1 id="dao-provider-config">        <title>Configuration</title>        <para>Aside from adding DaoAuthenticationProvider to your        ProviderManager list (as discussed at the start of this part of the        reference guide), and ensuring a suitable authentication mechanism is        configured to present a UsernamePasswordAuthenticationToken, the        configuration of the provider itself is rather simple:</para>        <para><programlisting><bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">  <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>  <property name="saltSource"><ref bean="saltSource"/></property>  <property name="passwordEncoder"><ref bean="passwordEncoder"/></property></bean>        </programlisting></para>        <para>The <literal>PasswordEncoder</literal> and        <literal>SaltSource</literal> are optional. A        <literal>PasswordEncoder</literal> provides encoding and decoding of        passwords presented in the <literal>UserDetails</literal> object that        is returned from the configured <literal>UserDetailsService</literal>.        A <literal>SaltSource</literal> enables the passwords to be populated        with a "salt", which enhances the security of the passwords in the        authentication repository. <literal>PasswordEncoder</literal>        implementations are provided with Acegi Security covering MD5, SHA and        cleartext encodings. Two <literal>SaltSource</literal> implementations        are also provided: <literal>SystemWideSaltSource</literal> which        encodes all passwords with the same salt, and        <literal>ReflectionSaltSource</literal>, which inspects a given        property of the returned <literal>UserDetails</literal> object to        obtain the salt. Please refer to the JavaDocs for further details on        these optional features.</para>        <para>In addition to the properties above, the        <literal>DaoAuthenticationProvider</literal> supports optional caching        of <literal>UserDetails</literal> objects. The        <literal>UserCache</literal> interface enables the        <literal>DaoAuthenticationProvider</literal> to place a        <literal>UserDetails</literal> object into the cache, and retrieve it        from the cache upon subsequent authentication attempts for the same        username. By default the <literal>DaoAuthenticationProvider</literal>        uses the <literal>NullUserCache</literal>, which performs no caching.        A usable caching implementation is also provided,        <literal>EhCacheBasedUserCache</literal>, which is configured as        follows:</para>        <para><programlisting><bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">  <property name="userDetailsService"><ref bean="userDetailsService"/></property>  <property name="userCache"><ref bean="userCache"/></property></bean><bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">  <property name="configLocation">    <value>classpath:/ehcache-failsafe.xml</value>  </property></bean>    <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">  <property name="cacheManager">    <ref local="cacheManager"/>  </property>  <property name="cacheName">    <value>userCache</value>  </property></bean>   <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">  <property name="cache"><ref local="userCacheBackend"/></property></bean>        </programlisting></para>        <para>All Acegi Security EH-CACHE implementations (including        <literal>EhCacheBasedUserCache</literal>) require an EH-CACHE        <literal>Cache</literal> object. The <literal>Cache</literal> object        can be obtained from wherever you like, although we recommend you use        Spring's factory classes as shown in the above configuration. If using        Spring's factory classes, please refer to the Spring documentation for        further details on how to optimise the cache storage location, memory        usage, eviction policies, timeouts etc.</para>        <para>A design decision was made not to support account locking in the        <literal>DaoAuthenticationProvider</literal>, as doing so would have        increased the complexity of the <literal>UserDetailsService</literal>        interface. For instance, a method would be required to increase the        count of unsuccessful authentication attempts. Such functionality        could be easily provided by leveraging the application event        publishing features discussed below.</para>        <para><literal>DaoAuthenticationProvider</literal> returns an        <literal>Authentication</literal> object which in turn has its        <literal>principal</literal> property set. The principal will be        either a <literal>String</literal> (which is essentially the username)        or a <literal>UserDetails</literal> object (which was looked up from        the <literal>UserDetailsService</literal>). By default the        <literal>UserDetails</literal> is returned, as this enables        applications to add extra properties potentially of use in        applications, such as the user's full name, email address etc. If        using container adapters, or if your applications were written to        operate with <literal>String</literal>s (as was the case for releases        prior to Acegi Security 0.6), you should set the        <literal>DaoAuthenticationProvider.forcePrincipalAsString</literal>        property to <literal>true</literal> in your application context</para>      </sect1>    </chapter>    <chapter id="jaas">      <title>Java Authentication and Authorization Service (JAAS)      Provider</title>      <sect1 id="jaas-overview">        <title>Overview</title>        <para>Acegi Security provides a package able to delegate        authentication requests to the Java Authentication and Authorization        Service (JAAS). This package is discussed in detail below.</para>        <para>Central to JAAS operation are login configuration files. To        learn more about JAAS login configuration files, consult the JAAS        reference documentation available from Sun Microsystems. We expect you        to have a basic understanding of JAAS and its login configuration file        syntax in order to understand this section.</para>      </sect1>      <sect1 id="jaas-config">        <title>Configuration</title>        <para>The <literal>JaasAuthenticationProvider</literal> attempts to        authenticate a user’s principal and credentials through JAAS.</para>        <para>Let’s assume we have a JAAS login configuration file,        <literal>/WEB-INF/login.conf</literal>, with the following        contents:</para>        <para><programlisting>JAASTest {  sample.SampleLoginModule required;};</programlisting></para>        <para>Like all Acegi Security beans, the        <literal>JaasAuthenticationProvider</literal> is configured via the        application context. The following definitions would correspond to the        above JAAS login configuration file:</para>        <para><programlisting><bean id="jaasAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider">  <property name="loginConfig">    <value>/WEB-INF/login.conf</value>  </property>  <property name="loginContextName">    <value>JAASTest</value>  </property>  <property name="callbackHandlers">    <list>      <bean class="org.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>      <bean class="org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>    </list>  </property>  <property name="authorityGranters">    <list>      <bean class="org.acegisecurity.providers.jaas.TestAuthorityGranter"/>    </list>  </property></bean>          </programlisting></para>        <para>The <literal>CallbackHandler</literal>s and        <literal>AuthorityGranter</literal>s are discussed below.</para>        <sect2 id="jaas-callbackhandler">          <title id="jaas-callback-handler">JAAS CallbackHandler</title>          <para>Most JAAS <literal>LoginModule</literal>s require a callback          of some sort. These callbacks are usually used to obtain the          username and password from the user.</para>          <para>In an Acegi Security deployment, Acegi Security is responsible          for this user interaction (via the authentication mechanism). Thus,          by the time the authentication request is delegated through to JAAS,          Acegi Security's authentication mechanism will already have          fully-populated an <literal>Authentication</literal> object          containing all the information required by the JAAS          <literal>LoginModule</literal>.</para>          <para>Therefore, the JAAS package for Acegi Security provides two          default callback handlers,          <literal>JaasNameCallbackHandler</literal> and          <literal>JaasPasswordCallbackHandler</literal>. Each of these          callback handlers implement          <literal>JaasAuthenticationCallbackHandler</literal>. In most cases          these callback handlers can simply be used without understanding the          internal mechanics.</para>          <para>For those needing full control over the callback behavior,          internally <literal>JaasAutheticationProvider</literal> wraps these          <literal>JaasAuthenticationCallbackHandler</literal>s with an          <literal>InternalCallbackHandler</literal>. The          <literal>InternalCallbackHandler</literal> is the class that          actually implements JAAS’ normal <literal>CallbackHandler</literal>          interface. Any time that the JAAS <literal>LoginModule</literal> is          used, it is passed a list of application context configured          <literal>InternalCallbackHandler</literal>s. If the          <literal>LoginModule</literal> requests a callback against the          <literal>InternalCallbackHandler</literal>s, the callback is in-turn          passed to the <literal>JaasAuthenticationCallbackHandler</literal>s          being wrapped.</para>        </sect2>        <sect2 id="jaas-authoritygranter">          <title id="jaas-authority-granter">JAAS AuthorityGranter</title>          <para>JAAS works with principals. Even "roles" are represented as          principals in JAAS. Acegi Security, on the other hand, works with          <literal>Authentication</literal> objects. Each          <literal>Authentication</literal> object contains a single          principal, and multiple <literal>GrantedAuthority</literal>[]s. To          facilitate mapping between these different concepts, Acegi          Security's JAAS package includes an          <literal>AuthorityGranter</literal> interface.</para>          <para>An <literal>AuthorityGranter</literal> is responsible for          inspecting a JAAS principal and returning a          <literal>String</literal>. The          <literal>JaasAuthenticationProvider</literal> then creates a          <literal>JaasGrantedAuthority</literal> (which implements Acegi          Security’s <literal>GrantedAuthority</literal> interface) containing          both the <literal>AuthorityGranter</literal>-returned          <literal>String</literal> and the JAAS principal that the          <literal>AuthorityGranter</literal> was passed. The          <literal>JaasAuthenticationProvider</literal> obtains the JAAS          principals by firstly successfully authenticating the user’s          credentials using the JAAS <literal>LoginModule</literal>, and then          accessing the <literal>LoginContext</literal> it returns. A call to          <literal>LoginContext.getSubject().getPrincipals()</literal> is          made, with each resulting principal passed to each          <literal>AuthorityGranter</literal> defined against the          <literal>JaasAuthenticationProvider.setAuthorityGranters(List)</literal>          property.</para>          <para>Acegi Security does not include any production          <literal>AuthorityGranter</literal>s given that every JAAS principal          has an implementation-specific meaning. However, there is a          <literal>TestAuthorityGranter</literal> in the unit tests that          demonstrates a simple <literal>AuthorityGranter</literal>          implementation.</para>        </sect2>      </sect1>    </chapter>    <chapter id="siteminder">      <title>Siteminder Authentication Mechanism</title>      <sect1 id="siteminder-overview">        <title>Overview</title>        <para>Siteminder is a commercial single sign on solution by Computer        Associates.</para>        <para>Acegi Security provides a filter,        <literal>SiteminderAuthenticationProcessingFilter</literal> and        provider, <literal>SiteminderAuthenticationProvider</literal> that can        be used to process requests that have been pre-authenticated by        Siteminder. This filter assumes that you're using Siteminder for        <emphasis>authentication</emphasis>, and that you're using Acegi        Security for <emphasis>authorization</emphasis>. The use of Siteminder        for <emphasis>authorization</emphasis> is not yet directly supported        by Acegi Security.</para>        <para>When using Siteminder, an agent is setup on your web server to        intercept a principal's first call to your application. The agent        redirects the web request to a single sign-on login page, and once        authenticated, your application receives the request. Inside the HTTP        request is a header - such as <literal>SM_USER</literal> - which        identifies the authenticated principal (please refer to your        organization's "single sign-on" group for header details in your        particular configuration).</para>      </sect1>      <sect1 id="siteminder-config">        <title>Configuration</title>        <para>The first step in setting up Acegi Security's Siteminder support        is to define the authentication mechanism that will inspect the HTTP        header discussed earlier. It will be responsible for generating a        <literal>UsernamePasswordAuthenticationToken</literal> that is later        sent to the <literal>SiteminderAuthenticationProvider</literal>. Let's        look at an example:</para>        <para><programlisting><bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.SiteminderAuthenticationProcessingFilter">  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>  <property name="defaultTargetUrl"><value>/security.do?method=getMainMenu</value></property>  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>  <property name="siteminderUsernameHeaderKey"><value>SM_USER</value></property>  <property name="formUsernameParameterKey"><value>j_username</value></property></bean></programlisting></para>        <para>In our example above, the bean is being provided an        <literal>AuthenticationManager</literal>, as is normally needed by        authentication mechanisms. Several URLs are also specified, with the        values being self-explanatory. It's important to also specify the HTTP        header that Acegi Security should inspect. If you additionally want to        support form-based authentication (i.e. in your development        environment where Siteminder is not installed), specify the form's        username parameter as well - just don't do this in production!</para>        <para>Note that you'll need a        <literal><literal>SiteminderAuthenticationProvider</literal></literal>        configured against your <literal>ProviderManager</literal> in order to        use the Siteminder authentication mechanism. Normally an        <literal>AuthenticationProvider</literal> expects the password        property to match what it retrieves from the        <literal>UserDetailsSource</literal>, but in this case, authentication        has already been handled by Siteminder, so password property is not        even relevant. This may sound like a security weakness, but remember        that users have to authenticate with Siteminder before your        application ever receives the requests, so the purpose of your custom        <literal>UserDetailsService</literal> should simply be to build the        complete <literal>Authentication</literal> object (ie with suitable        <literal>GrantedAuthority[]</literal>s).</para>        <para>Advanced tip and word to the wise: If you additionally want to        support form-based authentication in your development environment        (where Siteminder is typically not installed), specify the form's        username parameter as well. Just don't do this in production!</para>      </sect1>    </chapter>    <chapter id="runas">      <title>Run-As Authentication Replacement</title>      <sect1 id="runas-overview">        <title>Overview</title>        <para>The <literal>AbstractSecurityInterceptor</literal> is able to        temporarily replace the <literal>Authentication</literal> object in        the <literal>SecurityContext</literal> and        <literal>SecurityContextHolder</literal> during the secure object        callback phase. This only occurs if the original        <literal>Authentication</literal> object was successfully processed by        the <literal>AuthenticationManager</literal> and        <literal>AccessDecisionManager</literal>. The        <literal>RunAsManager</literal> will indicate the replacement        <literal>Authentication</literal> object, if any, that should be used        during the <literal>SecurityInterceptorCallback</literal>.</para>        <para>By temporarily replacing the <literal>Authentication</literal>        object during the secure object callback phase, the secured invocation        will be able to call other objects which require different        authentication and authorization credentials. It will also be able to        perform any internal security checks for specific        <literal>GrantedAuthority</literal> objects. Because Acegi Security        provides a number of helper classes that automatically configure        remoting protocols based on the contents of the        <literal>SecurityContextHolder</literal>, these run-as replacements        are particularly useful when calling remote web services</para>      </sect1>      <sect1 id="runas-config">        <title>Configuration</title>        <para>A <literal>RunAsManager</literal> interface is provided by Acegi        Security:</para>        <para><programlisting>public Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);public boolean supports(ConfigAttribute attribute);public boolean supports(Class clazz);</programlisting></para>        <para>The first method returns the <literal>Authentication</literal>        object that should replace the existing        <literal>Authentication</literal> object for the duration of the        method invocation. If the method returns <literal>null</literal>, it        indicates no replacement should be made. The second method is used by        the <literal>AbstractSecurityInterceptor</literal> as part of its        startup validation of configuration attributes. The        <literal>supports(Class)</literal> method is called by a security        interceptor implementation to ensure the configured        <literal>RunAsManager</literal> supports the type of secure object        that the security interceptor will present.</para>        <para>One concrete implementation of a <literal>RunAsManager</literal>        is provided with Acegi Security. The        <literal>RunAsManagerImpl</literal> class returns a replacement        <literal>RunAsUserToken</literal> if any        <literal>ConfigAttribute</literal> starts with        <literal>RUN_AS_</literal>. If any such        <literal>ConfigAttribute</literal> is found, the replacement        <literal>RunAsUserToken</literal> will contain the same principal,        credentials and granted authorities as the original        <literal>Authentication</literal> object, along with a new        <literal>GrantedAuthorityImpl</literal> for each        <literal>RUN_AS_</literal> <literal>ConfigAttribute</literal>. Each        new <literal>GrantedAuthorityImpl</literal> will be prefixed with        <literal>ROLE_</literal>, followed by the <literal>RUN_AS</literal>        <literal>ConfigAttribute</literal>. For example, a        <literal>RUN_AS_SERVER</literal> will result in the replacement        <literal>RunAsUserToken</literal> containing a        <literal>ROLE_RUN_AS_SERVER</literal> granted authority.</para>        <para>The replacement <literal>RunAsUserToken</literal> is just like        any other <literal>Authentication</literal> object. It needs to be        authenticated by the <literal>AuthenticationManager</literal>,        probably via delegation to a suitable        <literal>AuthenticationProvider</literal>. The        <literal>RunAsImplAuthenticationProvider</literal> performs such        authentication. It simply accepts as valid any        <literal>RunAsUserToken</literal> presented.</para>        <para>To ensure malicious code does not create a        <literal>RunAsUserToken</literal> and present it for guaranteed        acceptance by the <literal>RunAsImplAuthenticationProvider</literal>,        the hash of a key is stored in all generated tokens. The        <literal>RunAsManagerImpl</literal> and        <literal>RunAsImplAuthenticationProvider</literal> is created in the        bean context with the same key:</para>        <para><programlisting><bean id="runAsManager" class="org.acegisecurity.runas.RunAsManagerImpl">  <property name="key"><value>my_run_as_password</value></property></bean><bean id="runAsAuthenticationProvider" class="org.acegisecurity.runas.RunAsImplAuthenticationProvider">  <property name="key"><value>my_run_as_password</value></property></bean>        </programlisting></para>        <para>By using the same key, each <literal>RunAsUserToken</literal>        can be validated it was created by an approved        <literal>RunAsManagerImpl</literal>. The        <literal>RunAsUserToken</literal> is immutable after creation for        security reasons</para>      </sect1>    </chapter>    <chapter id="form">      <title>Form Authentication Mechanism</title>      <sect1 id="form-overview">        <title>Overview</title>        <para>HTTP Form Authentication involves using the        <literal>AuthenticationProcessingFilter</literal> to process a login        form. This is the most common way that application authenticate end        users. Form-based authentication is entirely compatible with the DAO        and JAAS authentication providers.</para>      </sect1>      <sect1 id="form-config">        <title>Configuration</title>        <para>The login form simply contains <literal>j_username</literal> and        <literal>j_password</literal> input fields, and posts to a URL that is        monitored by the filter (by default        <literal>j_acegi_security_check</literal>). The filter is defined in        <literal>web.xml</literal> behind a        <literal>FilterToBeanProxy</literal> as follows:</para>        <para><programlisting><filter>  <filter-name>Acegi Authentication Processing Filter</filter-name>  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>  <init-param>    <param-name>targetClass</param-name>    <param-value>org.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>  </init-param></filter><filter-mapping>  <filter-name>Acegi Authentication Processing Filter</filter-name>  <url-pattern>/*</url-pattern></filter-mapping></programlisting></para>        <para>For a discussion of <literal>FilterToBeanProxy</literal>, please        refer to the Filters section. The application context will need to        define the <literal>AuthenticationProcessingFilter</literal>:</para>        <para><programlisting><bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>  <property name="defaultTargetUrl"><value>/</value></property>  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property></bean>        </programlisting></para>        <para>The configured <literal>AuthenticationManager</literal>        processes each authentication request. If authentication fails, the        browser will be redirected to the        <literal>authenticationFailureUrl</literal>. The        <literal>AuthenticationException</literal> will be placed into the        <literal>HttpSession</literal> attribute indicated by        <literal>AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY</literal>,        enabling a reason to be provided to the user on the error page.</para>        <para>If authentication is successful, the resulting        <literal>Authentication</literal> object will be placed into the        <literal>SecurityContextHolder</literal>.</para>        <para>Once the <literal>SecurityContextHolder</literal> has been        updated, the browser will need to be redirected to the target URL. The        target URL is usually indicated by the <literal>HttpSession</literal>        attribute specified by        <literal>AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY</literal>.        This attribute is automatically set by the        <literal>ExceptionTranslationFilter</literal> when an        <literal>AuthenticationException</literal> occurs, so that after login        is completed the user can return to what they were trying to access.        If for some reason the <literal>HttpSession</literal> does not        indicate the target URL, the browser will be redirected to the        <literal>defaultTargetUrl</literal> property.</para>      </sect1>    </chapter>    <chapter id="basic">      <title>BASIC Authentication Mechanism</title>      <sect1 id="basic-overview">        <title>Overview</title>        <para>Acegi Security provides a        <literal>BasicProcessingFilter</literal> which is capable of        processing basic authentication credentials presented in HTTP headers.        This can be used for authenticating calls made by Spring remoting        protocols (such as Hessian and Burlap), as well as normal user agents        (such as Internet Explorer and Navigator). The standard governing HTTP        Basic Authentication is defined by RFC 1945, Section 11, and the        <literal>BasicProcessingFilter</literal> conforms with this RFC. Basic        Authentication is an attractive approach to authentication, because it        is very widely deployed in user agents and implementation is extremely        simple (it's just a Base64 encoding of the username:password,        specified in a HTTP header).</para>      </sect1>      <sect1 id="basic-config">        <title>Configuration</title>        <para>To implement HTTP Basic Authentication, it is necessary to        define <literal>BasicProcessingFilter</literal> in the filter chain.        The application context will need to define the        <literal>BasicProcessingFilter</literal> and its required        collaborator:</para>        <para><programlisting><bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property></bean><bean id="authenticationEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">  <property name="realmName"><value>Name Of Your Realm</value></property></bean>        </programlisting></para>        <para>The configured <literal>AuthenticationManager</literal>        processes each authentication request. If authentication fails, the        configured <literal>AuthenticationEntryPoint</literal> will be used to        retry the authentication process. Usually you will use the        <literal>BasicProcessingFilterEntryPoint</literal>, which returns a        401 response with a suitable header to retry HTTP Basic        authentication. If authentication is successful, the resulting        <literal>Authentication</literal> object will be placed into the        <literal>SecurityContextHolder</literal>.</para>        <para>If the authentication event was successful, or authentication        was not attempted because the HTTP header did not contain a supported        authentication request, the filter chain will continue as normal. The        only time the filter chain will be interrupted is if authentication        fails and the <literal>AuthenticationEntryPoint</literal> is called,        as discussed in the previous paragraph</para>      </sect1>    </chapter>    <chapter id="digest">      <title>Digest Authentication</title>      <sect1 id="digest-overview">        <title>Overview</title>        <para>Acegi Security provides a        <literal>DigestProcessingFilter</literal> which is capable of        processing digest authentication credentials presented in HTTP        headers. Digest Authentication attempts to solve many of the        weaknesses of Basic authentication, specifically by ensuring        credentials are never sent in clear text across the wire. Many user        agents support Digest Authentication, including FireFox and Internet        Explorer. The standard governing HTTP Digest Authentication is defined        by RFC 2617, which updates an earlier version of the Digest        Authentication standard prescribed by RFC 2069. Most user agents        implement RFC 2617. Acegi Security        <literal>DigestProcessingFilter</literal> is compatible with the        "<literal>auth</literal>" quality of protection        (<literal>qop</literal>) prescribed by RFC 2617, which also provides        backward compatibility with RFC 2069. Digest Authentication is a        highly attractive option if you need to use unencrypted HTTP (ie no        TLS/HTTPS) and wish to maximise security of the authentication        process. Indeed Digest Authentication is a mandatory requirement for        the WebDAV protocol, as noted by RFC 2518 Section 17.1, so we should        expect to see it increasingly deployed and replacing Basic        Authentication.</para>        <para>Digest Authentication is definitely the most secure choice        between Form Authentication, Basic Authentication and Digest        Authentication, although extra security also means more complex user        agent implementations. Central to Digest Authentication is a "nonce".        This is a value the server generates. Acegi Security's nonce adopts        the following format:</para>        <para><programlisting>base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))expirationTime:   The date and time when the nonce expires, expressed in millisecondskey:              A private key to prevent modification of the nonce token</programlisting></para>        <para>The <literal>DigestProcessingFilterEntryPoint</literal> has a        property specifying the <literal>key</literal> used for generating the        nonce tokens, along with a <literal>nonceValiditySeconds</literal>        property for determining the expiration time (default 300, which        equals five minutes). Whist ever the nonce is valid, the digest is        computed by concatenating various strings including the username,        password, nonce, URI being requested, a client-generated nonce (merely        a random value which the user agent generates each request), the realm        name etc, then performing an MD5 hash. Both the server and user agent        perform this digest computation, resulting in different hash codes if        they disagree on an included value (eg password). In Acegi Security        implementation, if the server-generated nonce has merely expired (but        the digest was otherwise valid), the        <literal>DigestProcessingFilterEntryPoint</literal> will send a        <literal>"stale=true"</literal> header. This tells the user agent        there is no need to disturb the user (as the password and username etc        is correct), but simply to try again using a new nonce.</para>        <para>An appropriate value for        <literal>DigestProcessingFilterEntryPoint</literal>'s        <literal>nonceValiditySeconds</literal> parameter will depend on your        application. Extremely secure applications should note that an        intercepted authentication header can be used to impersonate the        principal until the <literal>expirationTime</literal> contained in the        nonce is reached. This is the key principle when selecting an        appropriate setting, but it would be unusual for immensely secure        applications to not be running over TLS/HTTPS in the first        instance.</para>        <para>Because of the more complex implementation of Digest        Authentication, there are often user agent issues. For example,        Internet Explorer fails to present an "<literal>opaque</literal>"        token on subsequent requests in the same session. Acegi Security        filters therefore encapsulate all state information into the        "<literal>nonce</literal>" token instead. In our testing, Acegi        Security implementation works reliably with FireFox and Internet        Explorer, correctly handling nonce timeouts etc.</para>      </sect1>      <sect1 id="digest-config">        <title>Configuration</title>        <para>Now that we've reviewed the theory, let's see how to use it. To        implement HTTP Digest Authentication, it is necessary to define        <literal>DigestProcessingFilter</literal> in the fitler chain. The        application context will need to define the        <literal>DigestProcessingFilter</literal> and its required        collaborators:</para>        <para><programlisting><bean id="digestProcessingFilter" class="org.acegisecurity.ui.digestauth.DigestProcessingFilter">  <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>  <property name="authenticationEntryPoint"><ref local="digestProcessingFilterEntryPoint"/></property>  <property name="userCache"><ref local="userCache"/></property></bean><bean id="digestProcessingFilterEntryPoint" class="org.acegisecurity.ui.digestauth.DigestProcessingFilterEntryPoint">  <property name="realmName"><value>Contacts Realm via Digest Authentication</value></property>  <property name="key"><value>acegi</value></property>  <property name="nonceValiditySeconds"><value>10</value></property></bean>        </programlisting></para>        <para>The configured <literal>UserDetailsService</literal> is needed        because <literal>DigestProcessingFilter</literal> must have direct        access to the clear text password of a user. Digest Authentication        will NOT work if you are using encoded passwords in your DAO. The DAO        collaborator, along with the <literal>UserCache</literal>, are        typically shared directly with a        <literal>DaoAuthenticationProvider</literal>. The        <literal>authenticationEntryPoint</literal> property must be        <literal>DigestProcessingFilterEntryPoint</literal>, so that        <literal>DigestProcessingFilter</literal> can obtain the correct        <literal>realmName</literal> and <literal>key</literal> for digest        calculations.</para>        <para>Like <literal>BasicAuthenticationFilter</literal>, if        authentication is successful an <literal>Authentication</literal>        request token will be placed into the        <literal>SecurityContextHolder</literal>. If the authentication event        was successful, or authentication was not attempted because the HTTP        header did not contain a Digest Authentication request, the filter        chain will continue as normal. The only time the filter chain will be        interrupted is if authentication fails and the        <literal>AuthenticationEntryPoint</literal> is called, as discussed in        the previous paragraph.</para>        <para>Digest Authentication's RFC offers a range of additional        features to further increase security. For example, the nonce can be        changed on every request. Despite this, Acegi Security implementation        was designed to minimise the complexity of the implementation (and the        doubtless user agent incompatibilities that would emerge), and avoid        needing to store server-side state. You are invited to review RFC 2617        if you wish to explore these features in more detail. As far as we are        aware, Acegi Security implementation does comply with the minimum        standards of this RFC.</para>      </sect1>    </chapter>    <chapter id="anonymous">      <title>Anonymous Authentication</title>      <sect1 id="anonymous-overview">        <title>Overview</title>        <para>Particularly in the case of web request URI security, sometimes        it is more convenient to assign configuration attributes against every        possible secure object invocation. Put differently, sometimes it is        nice to say <literal>ROLE_SOMETHING</literal> is required by default        and only allow certain exceptions to this rule, such as for login,        logout and home pages of an application. There are also other        situations where anonymous authentication would be desired, such as        when an auditing interceptor queries the        <literal>SecurityContextHolder</literal> to identify which principal        was responsible for a given operation. Such classes can be authored        with more robustness if they know the        <literal>SecurityContextHolder</literal> always contains an        <literal>Authentication</literal> object, and never        <literal>null</literal>.</para>      </sect1>      <sect1 id="anonymous-config">        <title>Configuration</title>        <para>Acegi Security provides three classes that together provide an        anonymous authentication feature.        <literal>AnonymousAuthenticationToken</literal> is an implementation        of <literal>Authentication</literal>, and stores the        <literal>GrantedAuthority</literal>[]s which apply to the anonymous        principal. There is a corresponding        <literal>AnonymousAuthenticationProvider</literal>, which is chained        into the <literal>ProviderManager</literal> so that        <literal>AnonymousAuthenticationTokens</literal> are accepted.        Finally, there is an AnonymousProcessingFilter, which is chained after        the normal authentication mechanisms and automatically add an        <literal>AnonymousAuthenticationToken</literal> to the        <literal>SecurityContextHolder</literal> if there is no existing        <literal>Authentication</literal> held there. The definition of the        filter and authentication provider appears as follows:</para>        <para><programlisting><bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">  <property name="key"><value>foobar</value></property>  <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property></bean><bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">  <property name="key"><value>foobar</value></property></bean>        </programlisting></para>        <para>The <literal>key</literal> is shared between the filter and        authentication provider, so that tokens created by the former are        accepted by the latter. The <literal>userAttribute</literal> is        expressed in the form of        <literal>usernameInTheAuthenticationToken,grantedAuthority[,grantedAuthority]</literal>.        This is the same syntax as used after the equals sign for        <literal>InMemoryDaoImpl</literal>'s <literal>userMap</literal>        property.</para>        <para>As explained earlier, the benefit of anonymous authentication is        that all URI patterns can have security applied to them. For        example:</para>        <para><programlisting><bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>  <property name="objectDefinitionSource">    <value>      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON      PATTERN_TYPE_APACHE_ANT      /index.jsp=ROLE_ANONYMOUS,ROLE_USER      /hello.htm=ROLE_ANONYMOUS,ROLE_USER      /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER      /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER      /**=ROLE_USER    </value>  </property></bean>        </programlisting>Rounding out the anonymous authentication discussion        is the <literal>AuthenticationTrustResolver</literal> interface, with        its corresponding <literal>AuthenticationTrustResolverImpl</literal>        implementation. This interface provides an        <literal>isAnonymous(Authentication)</literal> method, which allows        interested classes to take into account this special type of        authentication status. The        <literal>ExceptionTranslationFilter</literal> uses this interface in        processing <literal>AccessDeniedException</literal>s. If an        <literal>AccessDeniedException</literal> is thrown, and the        authentication is of an anonymous type, instead of throwing a 403        (forbidden) response, the filter will instead commence the        <literal>AuthenticationEntryPoint</literal> so the principal can        authenticate properly. This is a necessary distinction, otherwise        principals would always be deemed "authenticated" and never be given        an opportunity to login via form, basic, digest or some other normal        authentication mechanism</para>      </sect1>    </chapter>    <chapter id="remember-me">      <title>Remember-Me Authentication</title>      <sect1 id="remember-me-overview">        <title>Overview</title>        <para>Remember-me authentication refers to web sites being able to        remember the identity of a principal between sessions. This is        typically accomplished by sending a cookie to the browser, with the        cookie being detected during future sessions and causing automated        login to take place. Acegi Security provides the necessary hooks so        that such operations can take place, along with providing a concrete        implementation that uses hashing to preserve the security of        cookie-based tokens.</para>      </sect1>      <sect1 id="remember-me-config">        <title>Configuration</title>        <para>Remember-me authentication is not used with basic        authentication, given it is often not used with        <literal>HttpSession</literal>s. Remember-me is used with        <literal>AuthenticationProcessingFilter</literal>, and is implemented        via hooks in the <literal>AbstractProcessingFilter</literal>        superclass. The hooks will invoke a concrete        <literal>RememberMeServices</literal> at the appropriate times. The        interface looks like this:</para>        <para><programlisting>public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);public void loginFail(HttpServletRequest request, HttpServletResponse response);public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);</programlisting></para>        <para>Please refer to JavaDocs for a fuller discussion on what the        methods do, although note at this stage        <literal>AbstractProcessingFilter</literal> only calls the        <literal>loginFail()</literal> and <literal>loginSuccess()</literal>        methods. The <literal>autoLogin()</literal> method is called by        <literal>RememberMeProcessingFilter</literal> whenever the        <literal>SecurityContextHolder</literal> does not contain an        <literal>Authentication</literal>. This interface therefore provides        the underlaying remember-me implementation with sufficient        notification of authentication-related events, and delegates to the        implementation whenever a candidate web request might contain a cookie        and wish to be remembered.</para>        <para>This design allows any number of remember-me implementation        strategies. In the interests of simplicity and avoiding the need for        DAO implementations that specify write and create methods, Acegi        Security's only concrete implementation,        <literal>TokenBasedRememberMeServices</literal>, uses hashing to        achieve a useful remember-me strategy. In essence a cookie is sent to        the browser upon successful interactive authentication, with that        cookie being composed as follows:</para>        <para><programlisting>base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))username:         As identifiable to TokenBasedRememberMeServices.getUserDetailsService()password:         That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()expirationTime:   The date and time when the remember-me token expires, expressed in millisecondskey:              A private key to prevent modification of the remember-me token</programlisting></para>        <para>As such the remember-me token is valid only for the period        specified, and provided that the username, password and key does not        change. Notably, this has a potential security issue in that a        captured remember-me token will be usable from any user agent until        such time as the token expires. This is the same issue as with digest        authentication. If a principal is aware a token has been captured,        they can easily change their password and immediately invalidate all        remember-me tokens on issue. However, if more significant security is        needed a rolling token approach should be used (this would require a        database) or remember-me services should simply not be used.</para>        <para><literal>TokenBasedRememberMeServices</literal> generates a        <literal>RememberMeAuthenticationToken</literal>, which is processed        by <literal>RememberMeAuthenticationProvider</literal>. A        <literal>key</literal> is shared between this authentication provider        and the <literal>TokenBasedRememberMeServices</literal>. In addition,        <literal>TokenBasedRememberMeServices</literal> requires A        UserDetailsService from which it can retrieve the username and        password for signature comparison purposes, and generate the        <literal>RememberMeAuthenticationToken</literal> to contain the        correct <literal>GrantedAuthority</literal>[]s. Some sort of logout        command should be provided by the application (typically via a JSP)        that invalidates the cookie upon user request. See the Contacts Sample        application's <literal>logout.jsp</literal> for an example.</para>        <para>The beans required in an application context to enable        remember-me services are as follows:</para>        <para><programlisting><bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">  <property name="rememberMeServices"><ref local="rememberMeServices"/></property></bean><bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">  <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>  <property name="key"><value>springRocks</value></property></bean>   <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">  <property name="key"><value>springRocks</value></property></bean>        </programlisting>Don't forget to add your        <literal>RememberMeServices</literal> implementation to your        <literal>AuthenticationProcessingFilter.setRememberMeServices()</literal>        property, include the        <literal>RememberMeAuthenticationProvider</literal> in your        <literal>AuthenticationManager.setProviders()</literal> list, and add        a call to <literal>RememberMeProcessingFilter</literal> into your        <literal>FilterChainProxy</literal> (typically immediately after your        <literal>AuthenticationProcessingFilter</literal>)</para>      </sect1>    </chapter>    <chapter id="x509">      <title>X509 Authentication</title>      <sect1 id="x509-overview">        <title>Overview</title>        <para>The most common use of X509 certificate authentication is in        verifying the identity of a server when using SSL, most commonly when        using HTTPS from a browser. The browser will automatically check that        the certificate presented by a server has been issued (ie digitally        signed) by one of a list of trusted certificate authorities which it        maintains.</para>        <para>You can also use SSL with <quote>mutual authentication</quote>;        the server will then request a valid certificate from the client as        part of the SSL handshake. The server will authenticate the client by        checking that it's certificate is signed by an acceptable authority.        If a valid certificate has been provided, it can be obtained through        the servlet API in an application. Acegi Security X509 module extracts        the certificate using a filter and passes it to the configured X509        authentication provider to allow any additional application-specific        checks to be applied. It also maps the certificate to an application        user and loads that user's set of granted authorities for use with the        standard Acegi Security infrastructure.</para>        <para>You should be familiar with using certificates and setting up        client authentication for your servlet container before attempting to        use it with Acegi Security. Most of the work is in creating and        installing suitable certificates and keys. For example, if you're        using Tomcat then read the instructions here <ulink        url="http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html"></ulink>.        It's important that you get this working before trying it out with        Acegi Security</para>      </sect1>      <sect1 id="x509-with-acegi">        <title>Using X509 with Acegi Security</title>        <para>With X509 authentication, there is no explicit login procedure        so the implementation is relatively simple; there is no need to        redirect requests in order to interact with the user. As a result,        some of the classes behave slightly differently from their equivalents        in other packages. For example, the default <quote>entry point</quote>        class, which is normally responsible for starting the authentication        process, is only invoked if the certificate is rejected and it always        returns an error to the user. With a suitable bean configuration, the        normal sequence of events is as follows <orderedlist>            <listitem>              <para>The <classname>X509ProcessingFilter</classname> extracts              the certificate from the request and uses it as the credentials              for an authentication request. The generated authentication              request is an <classname>X509AuthenticationToken</classname>.              The request is passed to the authentication manager.</para>            </listitem>            <listitem>              <para>The <classname>X509AuthenticationProvider</classname>              receives the token. Its main concern is to obtain the user              information (in particular the user's granted authorities) that              matches the certificate. It delegates this responsibility to an              <interfacename>X509AuthoritiesPopulator</interfacename>.</para>            </listitem>            <listitem>              <para>The populator's single method,              <methodname>getUserDetails(X509Certificate              userCertificate)</methodname> is invoked. Implementations should              return a <classname>UserDetails</classname> instance containing              the array of <classname>GrantedAuthority</classname> objects for              the user. This method can also choose to reject the certificate              (for example if it doesn't contain a matching user name). In              such cases it should throw a              <exceptionname>BadCredentialsException</exceptionname>. A              DAO-based implementation,              <classname>DaoX509AuthoritiesPopulator</classname>, is provided              which extracts the user's name from the subject <quote>common              name</quote> (CN) in the certificate. It also allows you to set              your own regular expression to match a different part of the              subject's distinguished name. A UserDetailsService is used to              load the user information.<!-- TODO: Give email matching as an example --></para>            </listitem>            <listitem>              <para>If everything has gone smoothly then there should be a              valid <classname>Authentication</classname> object in the secure              context and the invocation will procede as normal. If no              certificate was found, or the certificate was rejected, then the              <classname>ExceptionTranslationFilter</classname> will invoke              the <classname>X509ProcessingFilterEntryPoint</classname> which              returns a 403 error (forbidden) to the user.</para>            </listitem>          </orderedlist></para>      </sect1>      <sect1 id="x509-config">        <title>Configuration</title>        <para>There is a version of the <link        linkend="contacts-sample">Contacts Sample Application</link> which        uses X509. Copy the beans and filter setup from this as a starting        point for configuring your own application. A set of example        certificates is also included which you can use to configure your        server. These are <itemizedlist>            <listitem>              <para><filename>marissa.p12</filename>: A PKCS12 format file              containing the client key and certificate. These should be              installed in your browser. It maps to the user              <quote>marissa</quote> in the application.</para>            </listitem>            <listitem>              <para><filename>server.p12</filename>: The server certificate              and key for HTTPS connections.</para>            </listitem>            <listitem>              <para><filename>ca.jks</filename>: A Java keystore containing              the certificate for the authority which issued marissa's              certificate. This will be used by the container to validate              client certificates.</para>            </listitem>          </itemizedlist> For JBoss 3.2.7 (with Tomcat 5.0), the SSL        configuration in the <filename>server.xml</filename> file looks like        this <programlisting><!-- SSL/TLS Connector configuration --><Connector port="8443" address="${jboss.bind.address}"  maxThreads="100" minSpareThreads="5" maxSpareThreads="15"  scheme="https" secure="true"  sslProtocol = "TLS"  clientAuth="true" keystoreFile="${jboss.server.home.dir}/conf/server.p12"  keystoreType="PKCS12" keystorePass="password"  truststoreFile="${jboss.server.home.dir}/conf/ca.jks"  truststoreType="JKS" truststorePass="password"/>        </programlisting><parameter>clientAuth</parameter> can also be set to        <parameter>want</parameter> if you still want SSL connections to        succeed even if the client doesn't provide a certificate. Obviously        these clients won't be able to access any objects secured by Acegi        Security (unless you use a non-X509 authentication mechanism, such as        BASIC authentication, to authenticate the user)</para>      </sect1>    </chapter>    <chapter id="ldap">      <title>LDAP Authentication</title>      <sect1 id="ldap-overview">        <title>Overview</title>        <para>LDAP is often used by organizations as a central repository for        user information and as an authentication service. It can also be used        to store the role information for application users.</para>        <para>There are many different scenarios for how an LDAP server may be        configured so Acegi LDAP provider is fully configurable. It uses        separate strategy interfaces for authentication and role retrieval and        provides default implementations which can be configured to handle a        wide range of situations.</para>        <para>You should be familiar with LDAP before trying to use it with        Acegi. The following link provides a good introduction to the concepts        involved and a guide to setting up a directory using the free LDAP        server OpenLDAP: <ulink        url="http://www.zytrax.com/books/ldap/"></ulink>. Some familiarity        with the JNDI APIs used to access LDAP from Java may also be useful.        We don't use any third-party LDAP libraries (Mozilla/Netscape, JLDAP        etc.) in the LDAP provider.</para>      </sect1>      <sect1 id="ldap-with-acegi">        <title>Using LDAP with Acegi Security</title>        <para>The main LDAP provider class is        <classname>org.acegisecurity.providers.ldap.LdapAuthenticationProvider</classname>.        This bean doesn't actually do much itself other than implement the        <methodname>retrieveUser</methodname> method required by its base        class,        <classname>AbstractUserDetailsAuthenticationProvider</classname>. It        delegates the work to two other beans, an        <interfacename>LdapAuthenticator</interfacename> and an        <interfacename>LdapAuthoritiesPopulator</interfacename> which are        responsible for authenticating the user and retrieving the user's set        of <interfacename>GrantedAuthority</interfacename>s        respectively.</para>        <sect2 id="ldap-ldap-authenticators">          <title>LdapAuthenticator Implementations</title>          <para>The authenticator is also responsible for retrieving any          required user attributes. This is because the permissions on the          attributes may depend on the type of authentication being used. For          example, if binding as the user, it may be necessary to read them          with the user's own permissions.</para>          <para>There are currently two authentication strategies supplied          with Acegi Security: <itemizedlist>              <listitem>                <para>Authentication directly to the LDAP server ("bind"                authentication).</para>              </listitem>              <listitem>                <para>Password comparison, where the password supplied by the                user is compared with the one stored in the repository. This                can either be done by retrieving the value of the password                attribute and checking it locally or by performing an LDAP                "compare" operation, where the supplied password is passed to                the server for comparison and the real password value is never                retrieved.</para>              </listitem>            </itemizedlist></para>          <sect3 id="ldap-ldap-authenticators-common">            <title>Common Functionality</title>            <para>Before it is possible to authenticate a user (by either            strategy), the distinguished name (DN) has to be obtained from the            login name supplied to the application. This can be done either by            simple pattern-matching (by setting the            <property>setUserDnPatterns</property> array property) or by            setting the <property>userSearch</property> property. For the DN            pattern-matching approach, a standard Java pattern format is used,            and the login name will be substituted for the parameter            <parameter>{0}</parameter>. The pattern should be relative to the            DN that the configured            <interfacename>InitialDirContextFactory</interfacename> will bind            to (see the section on <link            linkend="ldap-dircontextfactory">connecting to the LDAP            server</link> for more information on this). For example, if you            are using an LDAP server specified by the URL            <literal>ldap://monkeymachine.co.uk/dc=acegisecurity,dc=org</literal>,            and have a pattern <literal>uid={0},ou=greatapes</literal>, then a            login name of "gorilla" will map to a DN            <literal>uid=gorilla,ou=greatapes,dc=acegisecurity,dc=org</literal>.            Each configured DN pattern will be tried in turn until a match is            found. For information on using a search, see the section on <link            linkend="ldap-searchobjects">search objects</link> below. A            combination of the two approaches can also be used - the patterns            will be checked first and if no matching DN is found, the search            will be used.</para>          </sect3>          <sect3 id="ldap-ldap-authenticators-bind">            <title>BindAuthenticator</title>            <para>The class            <classname>org.acegisecurity.providers.ldap.authenticator.BindAuthenticator</classname>            implements the bind authentication strategy. It simply attempts to            bind as the user.</para>          </sect3>          <sect3 id="ldap-ldap-authenticators-password">            <title>PasswordComparisonAuthenticator</title>            <para>The class            <classname>org.acegisecurity.providers.ldap.authenticator.PasswordComparisonAuthenticator</classname>            implements the password comparison authentication strategy.</para>          </sect3>          <sect3 id="ldap-ldap-authenticators-active-directory">            <title>Active Directory Authentication</title>            <para>In addition to standard LDAP authentication (binding with a            DN), Active Directory has its own non-standard syntax for user            authentication.</para>          </sect3>        </sect2>        <sect2 id="ldap-dircontextfactory">          <title>Connecting to the LDAP Server</title>          <para>The beans discussed above have to be able to connect to the          server. They both have to be supplied with an          <interfacename>InitialDirContextFactory</interfacename> instance.          Unless you have special requirements, this will usually be a          <classname>DefaultInitialDirContextFactory</classname> bean, which          can be configured with the URL of your LDAP server and optionally          with the username and password of a "manager" user which will be          used by default when binding to the server (instead of binding          anonymously). It currently supports "simple" LDAP          authentication.</para>          <para><classname>DefaultInitialDirContextFactory</classname> uses          Sun's JNDI LDAP implementation by default (the one that comes with          the JDK). It also supports the built in connection pooling offered          by Sun's provider. Connections which are obtained either anonymously          or with the "manager" user's identity will be pooled automatically.          Connections obtained with a specific user's identity will not be          pooled. Connection pooling can be disabled completely by setting the          <property>useConnectionPool</property> property to false.</para>          <para>See the <ulink          url="http://acegisecurity.org/multiproject/acegi-security/xref/org/acegisecurity/providers/ldap/DefaultInitialDirContextFactory.html">class          Javadoc and source</ulink> for more information on this bean and its          properties.</para>        </sect2>        <sect2 id="ldap-searchobjects">          <title>LDAP Search Objects</title>          <para>Often more a more complicated strategy than simple DN-matching          is required to locate a user entry in the directory. This can be          encapsulated in an <interfacename>LdapUserSearch</interfacename>          instance which can be supplied to the authenticator implementations,          for example, to allow them to locate a user. The supplied          implementation is          <classname>FilterBasedLdapUserSearch</classname>.</para>          <sect3 id="ldap-searchobjects-filter">            <title            id="ldap-searchobjects-filter-based"><classname>FilterBasedLdapUserSearch</classname></title>            <para>This bean uses an LDAP filter to match the user object in            the directory. The process is explained in the Javadoc for the            corresponding search method on the <ulink            url="http://java.sun.com/j2se/1.4.2/docs/api/javax/naming/directory/DirContext.html#search(javax.naming.Name,%20java.lang.String,%20java.lang.Object[],%20javax.naming.directory.SearchControls)">JDK            DirContext class</ulink>. As explained there, the search filter            can be supplied with parameters. For this class, the only valid            parameter is <parameter>{0}</parameter> which will be replaced            with the user's login name.</para>          </sect3>        </sect2>      </sect1>      <sect1 id="ldap-config">        <title>Configuration</title>        <para>There is a version of the <link        linkend="contacts-sample">Contacts Sample Application</link> which        uses LDAP. You can copy the beans and filter setup from this as a        starting point for configuring your own application.</para>        <para>A typical configuration, using some of the beans we've discussed        above, might look like this: <programlisting>    <bean id="initialDirContextFactory"             class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">      <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>      <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>      <property name="managerPassword"><value>password</value></property>    </bean>    <bean id="userSearch"            class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch">      <constructor-arg index="0">        <value></value>      </constructor-arg>      <constructor-arg index="1">        <value>(uid={0})</value>      </constructor-arg>      <constructor-arg index="2">        <ref local="initialDirContextFactory" />      </constructor-arg>                  <property name="searchSubtree">        <value>true</value>      </property>                </bean>                            <bean id="ldapAuthProvider"             class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">      <constructor-arg>        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">           <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>           <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>        </bean>      </constructor-arg>      <constructor-arg>        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">           <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>           <constructor-arg><value>ou=groups</value></constructor-arg>           <property name="groupRoleAttribute"><value>ou</value></property>        </bean>      </constructor-arg>    </bean>            </programlisting> This would set up the provider to access an LDAP        server with URL        <literal>ldap://monkeymachine:389/dc=acegisecurity,dc=org</literal>.        Authentication will be performed by attempting to bind with the DN        <literal>uid=<user-login-name>,ou=people,dc=acegisecurity,dc=org</literal>.        After successful authentication, roles will be assigned to the user by        searching under the DN        <literal>ou=groups,dc=acegisecurity,dc=org</literal> with the default        filter <literal>(member=<user's-DN>)</literal>. The role name        will be taken from the <quote>ou</quote> attribute of each        match.</para>        <para>We've also included the configuration for a user search object,        which uses the filter        <literal>(uid=<user-login-name>)</literal>. This could be used        instead of the DN-pattern (or in addition to it), by setting the        authenticator's <property>userSearch</property> property. The        authenticator would then call the search object to obtain the correct        user's DN before attempting to bind as this user.</para>      </sect1>    </chapter>    <chapter id="cas">      <title>CAS Authentication</title>      <sect1 id="cas-overview">        <title>Overview</title>        <para>JA-SIG produces an enterprise-wide single sign on system known        as CAS. Unlike other initiatives, JA-SIG's Central Authentication        Service is open source, widely used, simple to understand, platform        independent, and supports proxy capabilities. Acegi Security fully        supports CAS, and provides an easy migration path from        single-application deployments of Acegi Security through to        multiple-application deployments secured by an enterprise-wide CAS        server.</para>        <para>You can learn more about CAS at        <literal>http://www.ja-sig.org/products/cas/</literal>. You will need        to visit this URL to download the CAS Server files. Whilst Acegi        Security includes two CAS libraries in the "-with-dependencies" ZIP        file, you will still need the CAS Java Server Pages and        <literal>web.xml</literal> to customise and deploy your CAS        server.</para>      </sect1>      <sect1 id="cas-how-it-works">        <title>How CAS Works</title>        <para>Whilst the CAS web site above contains two documents that detail        the architecture of CAS, we present the general overview again here        within the context of Acegi Security. The following refers to both CAS        2.0 (produced by Yale) and CAS 3.0 (produced by JA-SIG), being the        versions of CAS that Acegi Security supports.</para>        <para>Somewhere in your enterprise you will need to setup a CAS        server. The CAS server is simply a standard WAR file, so there isn't        anything difficult about setting up your server. Inside the WAR file        you will customise the login and other single sign on pages displayed        to users.</para>        <para>If you are deploying CAS 2.0, you will also need to specify in        the web.xml a <literal>PasswordHandler</literal>. The        <literal>PasswordHandler</literal> has a simple method that returns a        boolean as to whether a given username and password is valid. Your        <literal>PasswordHandler</literal> implementation will need to link        into some type of backend authentication repository, such as an LDAP        server or database.</para>        <para>If you are already running an existing CAS 2.0 server instance,        you will have already established a        <literal>PasswordHandler</literal>. If you do not already have a        <literal>PasswordHandler</literal>, you might prefer to use Acegi        Security <literal>CasPasswordHandler</literal> class. This class        delegates through to the standard Acegi Security        <literal>AuthenticationManager</literal>, enabling you to use a        security configuration you might already have in place. You do not        need to use the <literal>CasPasswordHandler</literal> class on your        CAS server if you do not wish. Acegi Security will function as a CAS        client successfully irrespective of the        <literal>PasswordHandler</literal> you've chosen for your CAS        server.</para>        <para>If you are deploying CAS 3.0, you will also need to specify an        <literal>AuthenticationHandler</literal> in the        deployerConfigContext.xml included with CAS. The        <literal>AuthenticationHandler</literal> has a simple method that        returns a boolean as to whether a given set of Credentials is valid.        Your <literal>AuthenticationHandler</literal> implementation will need        to link into some type of backend authentication repository, such as        an LDAP server or database. CAS itself includes numerous        <literal>AuthenticationHandler</literal>s out of the box to assist        with this.</para>        <para>If you are already running an existing CAS 3.0 server instance,        you will have already established an        <literal>AuthenticationHandler</literal>. If you do not already have        an <literal>AuthenticationHandler</literal>, you might prefer to use        Acegi Security <literal>CasAuthenticationHandler</literal> class. This        class delegates through to the standard Acegi Security        <literal>AuthenticationManager</literal>, enabling you to use a        security configuration you might already have in place. You do not        need to use the <literal>CasAuthenticationHandler</literal> class on        your CAS server if you do not wish. Acegi Security will function as a        CAS client successfully irrespective of the        <literal>AuthenticationHandler</literal> you've chosen for your CAS        server.</para>        <para>Apart from the CAS server itself, the other key player is of        course the secure web applications deployed throughout your        enterprise. These web applications are known as "services". There are        two types of services: standard services and proxy services. A proxy        service is able to request resources from other services on behalf of        the user. This will be explained more fully later.</para>        <para>Services can be developed in a large variety of languages, due        to CAS 2.0's very light XML-based protocol. The JA-SIG CAS home page        contains a clients archive which demonstrates CAS clients in Java,        Active Server Pages, Perl, Python and others. Naturally, Java support        is very strong given the CAS server is written in Java. You do not        need to use any of CAS' client classes in applications secured by        Acegi Security. This is handled transparently for you.</para>        <para>The basic interaction between a web browser, CAS server and an        Acegi Security for System Spring secured service is as follows:</para>        <orderedlist>          <listitem>            <para>The web user is browsing the service's public pages. CAS or            Acegi Security is not involved.</para>          </listitem>          <listitem>            <para>The user eventually requests a page that is either secure or            one of the beans it uses is secure. Acegi Security's            <literal>ExceptionTranslationFilter</literal> will detect the            <literal>AuthenticationException</literal>.</para>          </listitem>          <listitem>            <para>Because the user's <literal>Authentication</literal> object            (or lack thereof) caused an            <literal>AuthenticationException</literal>, the            <literal>ExceptionTranslationFilter</literal> will call the            configured <literal>AuthenticationEntryPoint</literal>. If using            CAS, this will be the            <literal>CasProcessingFilterEntryPoint</literal> class.</para>          </listitem>          <listitem>            <para>The <literal>CasProcessingFilterEntry</literal> point will            redirect the user's browser to the CAS server. It will also            indicate a <literal>service</literal> parameter, which is the            callback URL for Acegi Security service. For example, the URL to            which the browser is redirected might be            <literal>https://my.company.com/cas/login?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_acegi_cas_security_check</literal>.</para>          </listitem>          <listitem>            <para>After the user's browser redirects to CAS, they will be            prompted for their username and password. If the user presents a            session cookie which indicates they've previously logged on, they            will not be prompted to login again (there is an exception to this            procedure, which we'll cover later). CAS will use the            <literal>PasswordHandler</literal> (or            <literal>AuthenticationHandler</literal> if using CAS 3.0)            discussed above to decide whether the username and password is            valid.</para>          </listitem>          <listitem>            <para>Upon successful login, CAS will redirect the user's browser            back to the original service. It will also include a            <literal>ticket</literal> parameter, which is an opaque string            representing the "service ticket". Continuing our earlier example,            the URL the browser is redirected to might be            <literal>https://server3.company.com/webapp/j_acegi_cas_security_check?ticket=ST-0-ER94xMJmn6pha35CQRoZ</literal>.</para>          </listitem>          <listitem>            <para>Back in the service web application, the            <literal>CasProcessingFilter</literal> is always listening for            requests to <literal>/j_acegi_cas_security_check</literal> (this            is configurable, but we'll use the defaults in this introduction).            The processing filter will construct a            <literal>UsernamePasswordAuthenticationToken</literal>            representing the service ticket. The principal will be equal to            <literal>CasProcessingFilter.CAS_STATEFUL_IDENTIFIER</literal>,            whilst the credentials will be the service ticket opaque value.            This authentication request will then be handed to the configured            <literal>AuthenticationManager</literal>.</para>          </listitem>          <listitem>            <para>The <literal>AuthenticationManager</literal> implementation            will be the <literal>ProviderManager</literal>, which is in turn            configured with the <literal>CasAuthenticationProvider</literal>.            The <literal>CasAuthenticationProvider</literal> only responds to            <literal>UsernamePasswordAuthenticationToken</literal>s containing            the CAS-specific principal (such as            <literal>CasProcessingFilter.CAS_STATEFUL_IDENTIFIER</literal>)            and <literal>CasAuthenticationToken</literal>s (discussed            later).</para>          </listitem>          <listitem>            <para><literal>CasAuthenticationProvider</literal> will validate            the service ticket using a <literal>TicketValidator</literal>            implementation. Acegi Security includes one implementation, the            <literal>CasProxyTicketValidator</literal>. This implementation a            ticket validation class included in the CAS client library. The            <literal>CasProxyTicketValidator</literal> makes a HTTPS request            to the CAS server in order to validate the service ticket. The            <literal>CasProxyTicketValidator</literal> may also include a            proxy callback URL, which is included in this example:            <literal>https://my.company.com/cas/proxyValidate?service=https%3A%2F%2Fserver3.company.com%2Fwebapp%2Fj_acegi_cas_security_check&ticket=ST-0-ER94xMJmn6pha35CQRoZ&pgtUrl=https://server3.company.com/webapp/casProxy/receptor</literal>.</para>          </listitem>          <listitem>            <para>Back on the CAS server, the proxy validation request will be            received. If the presented service ticket matches the service URL            the ticket was issued to, CAS will provide an affirmative response            in XML indicating the username. If any proxy was involved in the            authentication (discussed below), the list of proxies is also            included in the XML response.</para>          </listitem>          <listitem>            <para>[OPTIONAL] If the request to the CAS validation service            included the proxy callback URL (in the <literal>pgtUrl</literal>            parameter), CAS will include a <literal>pgtIou</literal> string in            the XML response. This <literal>pgtIou</literal> represents a            proxy-granting ticket IOU. The CAS server will then create its own            HTTPS connection back to the <literal>pgtUrl</literal>. This is to            mutually authenticate the CAS server and the claimed service URL.            The HTTPS connection will be used to send a proxy granting ticket            to the original web application. For example,            <literal>https://server3.company.com/webapp/casProxy/receptor?pgtIou=PGTIOU-0-R0zlgrl4pdAQwBvJWO3vnNpevwqStbSGcq3vKB2SqSFFRnjPHt&pgtId=PGT-1-si9YkkHLrtACBo64rmsi3v2nf7cpCResXg5MpESZFArbaZiOKH</literal>.            We suggest you use CAS' <literal>ProxyTicketReceptor</literal>            servlet to receive these proxy-granting tickets, if they are            required.</para>          </listitem>          <listitem>            <para>The <literal>CasProxyTicketValidator</literal> will parse            the XML received from the CAS server. It will return to the            <literal>CasAuthenticationProvider</literal> a            <literal>TicketResponse</literal>, which includes the username            (mandatory), proxy list (if any were involved), and proxy-granting            ticket IOU (if the proxy callback was requested).</para>          </listitem>          <listitem>            <para>Next <literal>CasAuthenticationProvider</literal> will call            a configured <literal>CasProxyDecider</literal>. The            <literal>CasProxyDecider</literal> indicates whether the proxy            list in the <literal>TicketResponse</literal> is acceptable to the            service. Several implementations are provided with Acegi Security            System: <literal>RejectProxyTickets</literal>,            <literal>AcceptAnyCasProxy</literal> and            <literal>NamedCasProxyDecider</literal>. These names are largely            self-explanatory, except <literal>NamedCasProxyDecider</literal>            which allows a <literal>List</literal> of trusted proxies to be            provided.</para>          </listitem>          <listitem>            <para><literal>CasAuthenticationProvider</literal> will next            request a <literal>CasAuthoritiesPopulator</literal> to advise the            <literal>GrantedAuthority</literal> objects that apply to the user            contained in the <literal>TicketResponse</literal>. Acegi Security            includes a <literal>DaoCasAuthoritiesPopulator</literal> which            simply uses the <literal>UserDetailsService</literal>            infrastructure to find the <literal>UserDetails</literal> and            their associated <literal>GrantedAuthority</literal>s. Note that            the password and enabled/disabled status of            <literal>UserDetails</literal> returned by the            <literal>UserDetailsService</literal> are ignored, as the CAS            server is responsible for authentication decisions.            <literal>DaoCasAuthoritiesPopulator</literal> is only concerned            with retrieving the <literal>GrantedAuthority</literal>s.</para>          </listitem>          <listitem>            <para>If there were no problems,            <literal>CasAuthenticationProvider</literal> constructs a            <literal>CasAuthenticationToken</literal> including the details            contained in the <literal>TicketResponse</literal> and the            <literal>GrantedAuthority</literal>s. The            <literal>CasAuthenticationToken</literal> contains the hash of a            key, so that the <literal>CasAuthenticationProvider</literal>            knows it created it.</para>          </listitem>          <listitem>            <para>Control then returns to            <literal>CasProcessingFilter</literal>, which places the created            <literal>CasAuthenticationToken</literal> into the            <literal>HttpSession</literal> attribute named            <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.</para>          </listitem>          <listitem>            <para>The user's browser is redirected to the original page that            caused the <literal>AuthenticationException</literal>.</para>          </listitem>          <listitem>            <para>As the <literal>Authentication</literal> object is now in            the well-known location, it is handled like any other            authentication approach. Usually the            <literal>HttpSessionIntegrationFilter</literal> will be used to            associate the <literal>Authentication</literal> object with the            <literal>SecurityContextHolder</literal> for the duration of each            request.</para>          </listitem>        </orderedlist>        <para>It's good that you're still here! It might sound involved, but        you can relax as Acegi Security classes hide much of the complexity.        Let's now look at how this is configured</para>      </sect1>      <sect1 id="cas-server">        <title>Optional CAS Server Setup</title>        <para>Acegi Security can even act as the backend which a CAS version        2.0 or 3.0 server utilises. The configuration approach is described        below. Of course, if you have an existing CAS environment you might        just like to use it instead.</para>        <sect2 id="cas-server-2">          <title>CAS Version 2.0</title>          <para>As mentioned above, Acegi Security includes a          <literal>PasswordHandler</literal> that bridges your existing          <literal>AuthenticationManager</literal> into CAS 2.0. You do not          need to use this <literal>PasswordHandler</literal> to use Acegi          Security on the client side (any CAS          <literal>PasswordHandler</literal> will do).</para>          <para>To install, you will need to download and extract the CAS          server archive. We used version 2.0.12. There will be a          <literal>/web</literal> directory in the root of the deployment.          Copy an <literal>applicationContext.xml</literal> containing your          <literal>AuthenticationManager</literal> as well as the          <literal>CasPasswordHandler</literal> into the          <literal>/web/WEB-INF</literal> directory. A sample          <literal>applicationContext.xml</literal> is included below:</para>          <programlisting><bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">  <property name="userMap">    <value>      marissa=koala,ROLES_IGNORED_BY_CAS      dianne=emu,ROLES_IGNORED_BY_CAS      scott=wombat,ROLES_IGNORED_BY_CAS      peter=opal,disabled,ROLES_IGNORED_BY_CAS    </value>  </property></bean><bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">  <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property></bean><bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">  <property name="providers">    <list>      <ref bean="daoAuthenticationProvider"/>    </list>  </property></bean><bean id="casPasswordHandler" class="org.acegisecurity.adapters.cas.CasPasswordHandler">  <property name="authenticationManager"><ref bean="authenticationManager"/></property></bean>        </programlisting>          <para>Note the granted authorities are ignored by CAS because it has          no way of communicating the granted authorities to calling          applications. CAS is only concerned with username and passwords (and          the enabled/disabled status).</para>          <para>Next you will need to edit the existing          <literal>/web/WEB-INF/web.xml</literal> file. Add (or edit in the          case of the <literal>authHandler</literal> property) the following          lines:</para>          <para><programlisting><context-param>  <param-name>edu.yale.its.tp.cas.authHandler</param-name>  <param-value>org.acegisecurity.adapters.cas.CasPasswordHandlerProxy</param-value></context-param><context-param>  <param-name>contextConfigLocation</param-name>  <param-value>/WEB-INF/applicationContext.xml</param-value></context-param><listener>  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener>        </programlisting></para>          <para>Copy the <literal>spring.jar</literal> and          <literal>acegi-security.jar</literal> files into          <literal>/web/WEB-INF/lib</literal>. Now use the <literal>ant          dist</literal> task in the <literal>build.xml</literal> in the root          of the directory structure. This will create          <literal>/lib/cas.war</literal>, which is ready for deployment to          your servlet container.</para>          <para>Note CAS heavily relies on HTTPS. You can't even test the          system without a HTTPS certificate. Whilst you should refer to your          web container's documentation on setting up HTTPS, if you need some          additional help or a test certificate you might like to check the          <literal>samples/contacts/etc/ssl</literal> directory</para>        </sect2>        <sect2 id="cas-server-3">          <title>CAS Version 3.0</title>          <para>As mentioned above, Acegi Security includes an          <literal>AuthenticationHandler</literal> that bridges your existing          <literal>AuthenticationManager</literal> into CAS 3.0. You do not          need to use this <literal>AuthenticationHandler</literal> to use          Acegi Security on the client side (any CAS          <literal>AuthenticationHandler</literal> will do).</para>          <para>To install, you will need to download and extract the CAS          server archive. We used version 3.0.4. There will be a          <literal>/webapp</literal> directory in the root of the deployment.          Edit the an <literal>deployerConfigContext.xml</literal> so that it          contains your <literal>AuthenticationManager</literal> as well as          the <literal>CasAuthenticationHandler</literal>. A sample          <literal>applicationContext.xml</literal> is included below:</para>          <programlisting>	<?xml version="1.0" encoding="UTF-8"?>	<!DOCTYPE beans PUBLIC  "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">	<beans>		<bean			id="authenticationManager"			class="org.jasig.cas.authentication.AuthenticationManagerImpl">			<property name="credentialsToPrincipalResolvers">				<list>					<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />					<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />				</list>			</property>				<property name="authenticationHandlers">				<list>					<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />					<bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler">						<property name="authenticationManager" ref="acegiAuthenticationManager" />					</bean>				</list>			</property>		</bean>						<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">	  		<property name="userMap">				<value>					marissa=koala,ROLES_IGNORED_BY_CAS					dianne=emu,ROLES_IGNORED_BY_CAS					scott=wombat,ROLES_IGNORED_BY_CAS					peter=opal,disabled,ROLES_IGNORED_BY_CAS				</value>			</property>		</bean>				<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">	     	<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>		</bean>			<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">			<property name="providers">			  <list>			    <ref bean="daoAuthenticationProvider"/>			  </list>			</property>		</bean>	</beans>	        </programlisting>          <para>Note the granted authorities are ignored by CAS because it has          no way of communicating the granted authorities to calling          applications. CAS is only concerned with username and passwords (and          the enabled/disabled status).</para>          <para>Copy Acegi<literal>-security.jar</literal> file into          <literal>/localPlugins/lib</literal>. Now use the <literal>ant          war</literal> task in the <literal>build.xml</literal> in the          /localPlugins directory. This will create          <literal>/localPlugins/target/cas.war</literal>, which is ready for          deployment to your servlet container.</para>          <para>Note CAS heavily relies on HTTPS. You can't even test the          system without a HTTPS certificate. Whilst you should refer to your          web container's documentation on setting up HTTPS, if you need some          additional help or a test certificate you might like to check the          CAS documentation on setting up SSL:          <literal>http://www.ja-sig.org/products/cas/server/ssl/index.html</literal></para>        </sect2>      </sect1>      <sect1 id="cas-client">        <title>Configuration of CAS Client</title>        <para>The web application side of CAS is made easy due to Acegi        Security. It is assumed you already know the basics of using Acegi        Security, so these are not covered again below. Only the CAS-specific        beans are mentioned.</para>        <para>You will need to add a <literal>ServiceProperties</literal> bean        to your application context. This represents your service:</para>        <para><programlisting><bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties">  <property name="service"><value>https://localhost:8443/contacts-cas/j_acegi_cas_security_check</value></property>  <property name="sendRenew"><value>false</value></property></bean>        </programlisting></para>        <para>The <literal>service</literal> must equal a URL that will be        monitored by the <literal>CasProcessingFilter</literal>. The        <literal>sendRenew</literal> defaults to false, but should be set to        true if your application is particularly sensitive. What this        parameter does is tell the CAS login service that a single sign on        login is unacceptable. Instead, the user will need to re-enter their        username and password in order to gain access to the service.</para>        <para>The following beans should be configured to commence the CAS        authentication process:</para>        <para><programlisting><bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>  <property name="defaultTargetUrl"><value>/</value></property>  <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property></bean><bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">  <property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property></bean>          <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">  <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>  <property name="serviceProperties"><ref bean="serviceProperties"/></property></bean>        </programlisting></para>        <para>You will also need to add the        <literal>CasProcessingFilter</literal> to web.xml:</para>        <para><programlisting>          <filter>  <filter-name>Acegi CAS Processing Filter</filter-name>  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>  <init-param>    <param-name>targetClass</param-name>    <param-value>org.acegisecurity.ui.cas.CasProcessingFilter</param-value>  </init-param></filter><filter-mapping>  <filter-name>Acegi CAS Processing Filter</filter-name>  <url-pattern>/*</url-pattern></filter-mapping>        </programlisting></para>        <para>The <literal>CasProcessingFilter</literal> has very similar        properties to the <literal>AuthenticationProcessingFilter</literal>        (used for form-based logins). Each property is        self-explanatory.</para>        <para>For CAS to operate, the        <literal>ExceptionTranslationFilter</literal> must have its        <literal>authenticationEntryPoint</literal> property set to the        <literal>CasProcessingFilterEntryPoint</literal> bean.</para>        <para>The <literal>CasProcessingFilterEntryPoint</literal> must refer        to the <literal>ServiceProperties</literal> bean (discussed above),        which provides the URL to the enterprise's CAS login server. This is        where the user's browser will be redirected.</para>        <para>Next you need to add an <literal>AuthenticationManager</literal>        that uses <literal>CasAuthenticationProvider</literal> and its        collaborators:</para>        <para><programlisting><bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">  <property name="providers">    <list>      <ref bean="casAuthenticationProvider"/>    </list>  </property></bean><bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider">  <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property>  <property name="casProxyDecider"><ref bean="casProxyDecider"/></property>  <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property>  <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property>  <property name="key"><value>my_password_for_this_auth_provider_only</value></property></bean><bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator">  <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property>  <property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property>  <property name="serviceProperties"><ref bean="serviceProperties"/></property>  <!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> --></bean><bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">  <property name="configLocation">    <value>classpath:/ehcache-failsafe.xml</value>  </property></bean>    <bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">  <property name="cacheManager">    <ref local="cacheManager"/>  </property>  <property name="cacheName">    <value>ticketCache</value>  </property></bean>   <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">  <property name="cache"><ref local="ticketCacheBackend"/></property></bean><bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator">  <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property></bean><bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/>        </programlisting></para>        <para>The beans are all reasonable self-explanatory if you refer back        to the "How CAS Works" section. Careful readers might notice one        surprise: the <literal>statelessTicketCache</literal> property of the        <literal>CasAuthenticationProvider</literal>. This is discussed in        detail in the "Advanced CAS Usage" section.</para>        <para>Note the <literal>CasProxyTicketValidator</literal> has a        remarked out <literal>trustStore</literal> property. This property        might be helpful if you experience HTTPS certificate issues. Also note        the <literal>proxyCallbackUrl</literal> is set so the service can        receive a proxy-granting ticket. As mentioned above, this is optional        and unnecessary if you do not require proxy-granting tickets. If you        do use this feature, you will need to configure a suitable servlet to        receive the proxy-granting tickets. We suggest you use CAS'        <literal>ProxyTicketReceptor</literal> by adding the following to your        web application's <literal>web.xml</literal>:</para>        <para><programlisting><servlet>  <servlet-name>casproxy</servlet-name>  <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class></servlet><servlet-mapping>  <servlet-name>casproxy</servlet-name>  <url-pattern>/casProxy/*</url-pattern></servlet-mapping>        </programlisting></para>        <para>This completes the configuration of CAS. If you haven't made any        mistakes, your web application should happily work within the        framework of CAS single sign on. No other parts of Acegi Security need        to be concerned about the fact CAS handled authentication.</para>        <para>There is also a <literal>contacts-cas.war</literal> file in the        sample applications directory. This sample application uses the above        settings and can be deployed to see CAS in operation</para>      </sect1>      <sect1 id="cas-advanced">        <title>Advanced Issues</title>        <para>The <literal>CasAuthenticationProvider</literal> distinguishes        between stateful and stateless clients. A stateful client is        considered any that originates via the        <literal>CasProcessingFilter</literal>. A stateless client is any that        presents an authentication request via the        <literal>UsernamePasswordAuthenticationToken</literal> with a        principal equal to        <literal>CasProcessingFilter.CAS_STATELESS_IDENTIFIER</literal>.</para>        <para>Stateless clients are likely to be via remoting protocols such        as Hessian and Burlap. The <literal>BasicProcessingFilter</literal> is        still used in this case, but the remoting protocol client is expected        to present a username equal to the static string above, and a password        equal to a CAS service ticket. Clients should acquire a CAS service        ticket directly from the CAS server.</para>        <para>Because remoting protocols have no way of presenting themselves        within the context of a <literal>HttpSession</literal>, it isn't        possible to rely on the <literal>HttpSession</literal>'s        <literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>        attribute to locate the <literal>CasAuthenticationToken</literal>.        Furthermore, because the CAS server invalidates a service ticket after        it has been validated by the <literal>TicketValidator</literal>,        presenting the same service ticket on subsequent requests will not        work. It is similarly very difficult to obtain a proxy-granting ticket        for a remoting protocol client, as they are often deployed on client        machines which rarely have HTTPS URLs that would be accessible to the        CAS server.</para>        <para>One obvious option is to not use CAS at all for remoting        protocol clients. However, this would eliminate many of the desirable        features of CAS.</para>        <para>As a middle-ground, the        <literal>CasAuthenticationProvider</literal> uses a        <literal>StatelessTicketCache</literal>. This is used solely for        requests with a principal equal to        <literal>CasProcessingFilter.CAS_STATELESS_IDENTIFIER</literal>. What        happens is the <literal>CasAuthenticationProvider</literal> will store        the resulting <literal>CasAuthenticationToken</literal> in the        <literal>StatelessTicketCache</literal>, keyed on the service ticket.        Accordingly, remoting protocol clients can present the same service        ticket and the <literal>CasAuthenticationProvider</literal> will not        need to contact the CAS server for validation (aside from the first        request).</para>        <para>The other aspect of advanced CAS usage involves creating proxy        tickets from the proxy-granting ticket. As indicated above, we        recommend you use CAS' <literal>ProxyTicketReceptor</literal> to        receive these tickets. The <literal>ProxyTicketReceptor</literal>        provides a static method that enables you to obtain a proxy ticket by        presenting the proxy-granting IOU ticket. You can obtain the        proxy-granting IOU ticket by calling        <literal>CasAuthenticationToken.getProxyGrantingTicketIou()</literal>.</para>        <para>It is hoped you find CAS integration easy and useful with Acegi        Security classes. Welcome to enterprise-wide single sign on!</para>      </sect1>    </chapter>    <chapter id="ca">      <title>Container Adapter Authentication</title>      <sect1 id="ca-overview">        <title>Overview</title>        <para>Very early versions of Acegi Security exclusively used Container        Adapters for interfacing authentication with end users. Whilst this        worked well, it required considerable time to support multiple        container versions and the configuration itself was relatively        time-consuming for developers. For this reason the HTTP Form        Authentication and HTTP Basic Authentication approaches were        developed, and are today recommended for almost all        applications.</para>        <para>Container Adapters enable Acegi Security to integrate directly        with the containers used to host end user applications. This        integration means that applications can continue to leverage the        authentication and authorization capabilities built into containers        (such as <literal>isUserInRole()</literal> and form-based or basic        authentication), whilst benefiting from the enhanced security        interception capabilities provided by Acegi Security (it should be        noted that Acegi Security also offers        <literal>ContextHolderAwareRequestWrapper</literal> to deliver        <literal>isUserInRole()</literal> and similar Servlet Specification        compatibility methods).</para>        <para>The integration between a container and Acegi Security is        achieved through an adapter. The adapter provides a        container-compatible user authentication provider, and needs to return        a container-compatible user object.</para>        <para>The adapter is instantiated by the container and is defined in a        container-specific configuration file. The adapter then loads a Spring        application context which defines the normal authentication manager        settings, such as the authentication providers that can be used to        authenticate the request. The application context is usually named        <literal>acegisecurity.xml</literal> and is placed in a        container-specific location.</para>        <para>Acegi Security currently supports Jetty, Catalina (Tomcat),        JBoss and Resin. Additional container adapters can easily be        written</para>      </sect1>      <sect1 id="ca-adapter">        <title>Adapter Authentication Provider</title>        <para>As is always the case, the container adapter generated        <literal>Authentication</literal> object still needs to be        authenticated by an <literal>AuthenticationManager</literal> when        requested to do so by the        <literal>AbstractSecurityInterceptor</literal>. The        <literal>AuthenticationManager</literal> needs to be certain the        adapter-provided <literal>Authentication</literal> object is valid and        was actually authenticated by a trusted adapter.</para>        <para>Adapters create <literal>Authentication</literal> objects which        are immutable and implement the <literal>AuthByAdapter</literal>        interface. These objects store the hash of a key that is defined by        the adapter. This allows the <literal>Authentication</literal> object        to be validated by the <literal>AuthByAdapterProvider</literal>. This        authentication provider is defined as follows:</para>        <para><programlisting><bean id="authByAdapterProvider" class="org.acegisecurity.adapters.AuthByAdapterProvider">  <property name="key"><value>my_password</value></property></bean>       </programlisting></para>        <para>The key must match the key that is defined in the        container-specific configuration file that starts the adapter. The        <literal>AuthByAdapterProvider</literal> automatically accepts as        valid any <literal>AuthByAdapter</literal> implementation that returns        the expected hash of the key.</para>        <para>To reiterate, this means the adapter will perform the initial        authentication using providers such as        <literal>DaoAuthenticationProvider</literal>, returning an        <literal>AuthByAdapter</literal> instance that contains a hash code of        the key. Later, when an application calls a security interceptor        managed resource, the <literal>AuthByAdapter</literal> instance in the        <literal>SecurityContext</literal> in the        <literal>SecurityContextHolder</literal> will be tested by the        application's <literal>AuthByAdapterProvider</literal>. There is no        requirement for additional authentication providers such as        <literal>DaoAuthenticationProvider</literal> within the        application-specific application context, as the only type of        <literal>Authentication</literal> instance that will be presented by        the application is from the container adapter.</para>        <para>Classloader issues are frequent with containers and the use of        container adapters illustrates this further. Each container requires a        very specific configuration. The installation instructions are        provided below. Once installed, please take the time to try the sample        application to ensure your container adapter is properly        configured.</para>        <para>When using container adapters with the        <literal>DaoAuthenticationProvider</literal>, ensure you set its        <literal>forcePrincipalAsString</literal> property to        <literal>true</literal>.</para>      </sect1>      <sect1 id="ca-jetty">        <title>Jetty</title>        <para>The following was tested with Jetty 4.2.18.</para>        <para><literal>$JETTY_HOME</literal> refers to the root of your Jetty        installation.</para>        <para>Edit your <literal>$JETTY_HOME/etc/jetty.xml</literal> file so        the <literal><Configure class></literal> section has a new        <literal>addRealm</literal> call:</para>        <para><programlisting>  <Call name="addRealm">    <Arg>      <New class="org.acegisecurity.adapters.jetty.JettyAcegiUserRealm">        <Arg>Spring Powered Realm</Arg>        <Arg>my_password</Arg>        <Arg>etc/acegisecurity.xml</Arg>      </New>    </Arg>  </Call>        </programlisting></para>        <para>Copy <literal>acegisecurity.xml</literal> into        <literal>$JETTY_HOME/etc</literal>.</para>        <para>Copy the following files into        <literal>$JETTY_HOME/ext</literal>:<itemizedlist>            <listitem>              <para><literal>aopalliance.jar</literal></para>            </listitem>            <listitem>              <para><literal>commons-logging.jar</literal></para>            </listitem>            <listitem>              <para><literal>spring.jar</literal></para>            </listitem>            <listitem>              <para><literal>acegi-security-jetty-XX.jar</literal></para>            </listitem>            <listitem>              <para><literal>commons-codec.jar</literal></para>            </listitem>            <listitem>              <para><literal>burlap.jar</literal></para>            </listitem>            <listitem>              <para><literal>hessian.jar</literal></para>            </listitem>          </itemizedlist></para>        <para>None of the above JAR files (or        <literal>acegi-security-XX.jar</literal>) should be in your        application's <literal>WEB-INF/lib</literal>. The realm name indicated        in your <literal>web.xml</literal> does matter with Jetty. The        <literal>web.xml</literal> must express the same        <literal><realm-name></literal> as your        <literal>jetty.xml</literal> (in the example above, "Spring Powered        Realm").</para>      </sect1>      <sect1 id="ca-jboss">        <title>JBoss</title>        <para>The following was tested with JBoss 3.2.6.</para>        <para><literal>$JBOSS_HOME</literal> refers to the root of your JBoss        installation.</para>        <para>There are two different ways of making spring context available        to the Jboss integration classes.</para>        <para>The first approach is by editing your        <literal>$JBOSS_HOME/server/your_config/conf/login-config.xml</literal>        file so that it contains a new entry under the        <literal><Policy></literal> section:</para>        <para><programlisting> <application-policy name = "SpringPoweredRealm">   <authentication>      <login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule"        flag = "required">        <module-option name = "appContextLocation">acegisecurity.xml</module-option>        <module-option name = "key">my_password</module-option>     </login-module>   </authentication></application-policy>                </programlisting></para>        <para>Copy <literal>acegisecurity.xml</literal> into        <literal>$JBOSS_HOME/server/your_config/conf</literal>.</para>        <para>In this configuration <literal>acegisecurity.xml</literal>        contains the spring context definition including all the        authentication manager beans. You have to bear in mind though, that        <literal>SecurityContext</literal> is created and destroyed on each        login request, so the login operation might become costly.        Alternatively, the second approach is to use Spring singleton        capabilities through        <literal>org.springframework.beans.factory.access.SingletonBeanFactoryLocator</literal>.        The required configuration for this approach is:</para>        <para><programlisting><application-policy name = "SpringPoweredRealm">   <authentication>      <login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule"        flag = "required">        <module-option name = "singletonId">springRealm</module-option>        <module-option name = "key">my_password</module-option>        <module-option name = "authenticationManager">authenticationManager</module-option>     </login-module>   </authentication></application-policy>        </programlisting></para>        <para>In the above code fragment,        <literal>authenticationManager</literal> is a helper property that        defines the expected name of the        <literal>AuthenticationManager</literal> in case you have several        defined in the IoC container. The <literal>singletonId</literal>        property references a bean defined in a        <literal>beanRefFactory.xml</literal> file. This file needs to be        available from anywhere on the JBoss classpath, including        <literal>$JBOSS_HOME/server/your_config/conf</literal>. The        <literal>beanRefFactory.xml</literal> contains the following        declaration:</para>        <para><programlisting><beans>  <bean id="springRealm" singleton="true" lazy-init="true" class="org.springframework.context.support.ClassPathXmlApplicationContext">    <constructor-arg>      <list>        <value>acegisecurity.xml</value>      </list>    </constructor-arg>  </bean></beans>        </programlisting></para>        <para>Finally, irrespective of the configuration approach you need to        copy the following files into        <literal>$JBOSS_HOME/server/your_config/lib</literal>:<itemizedlist>            <listitem>              <para><literal>aopalliance.jar</literal></para>            </listitem>            <listitem>              <para><literal>spring.jar</literal></para>            </listitem>            <listitem>              <para><literal>acegi-security-jboss-XX.jar</literal></para>            </listitem>            <listitem>              <para><literal>commons-codec.jar</literal></para>            </listitem>            <listitem>              <para><literal>burlap.jar</literal></para>            </listitem>            <listitem>              <para><literal>hessian.jar</literal></para>            </listitem>          </itemizedlist></para>        <para>None of the above JAR files (or        <literal>acegi-security-XX.jar</literal>) should be in your        application's <literal>WEB-INF/lib</literal>. The realm name indicated        in your <literal>web.xml</literal> does not matter with JBoss.        However, your web application's        <literal>WEB-INF/jboss-web.xml</literal> must express the same        <literal><security-domain></literal> as your        <literal>login-config.xml</literal>. For example, to match the above        example, your <literal>jboss-web.xml</literal> would look like        this:</para>        <para><programlisting><jboss-web>  <security-domain>java:/jaas/SpringPoweredRealm</security-domain></jboss-web></programlisting></para>        <para>JBoss is a widely-used container adapter (mostly due to the need        to support legacy EJBs), so please let us know if you have any        difficulties.</para>      </sect1>      <sect1 id="ca-resin">        <title>Resin</title>        <para>The following was tested with Resin 3.0.6.</para>        <para><literal>$RESIN_HOME</literal> refers to the root of your Resin        installation.</para>        <para>Resin provides several ways to support the container adapter. In        the instructions below we have elected to maximise consistency with        other container adapter configurations. This will allow Resin users to        simply deploy the sample application and confirm correct        configuration. Developers comfortable with Resin are naturally able to        use its capabilities to package the JARs with the web application        itself, and/or support single sign-on.</para>        <para>Copy the following files into        <literal>$RESIN_HOME/lib</literal>:<itemizedlist>            <listitem>              <para><literal>aopalliance.jar</literal></para>            </listitem>            <listitem>              <para><literal>commons-logging.jar</literal></para>            </listitem>            <listitem>              <para><literal>spring.jar</literal></para>            </listitem>            <listitem>              <para><literal>acegi-security-resin-XX.jar</literal></para>            </listitem>            <listitem>              <para><literal>commons-codec.jar</literal></para>            </listitem>            <listitem>              <para><literal>burlap.jar</literal></para>            </listitem>            <listitem>              <para><literal>hessian.jar</literal></para>            </listitem>          </itemizedlist></para>        <para>Unlike the container-wide <literal>acegisecurity.xml</literal>        files used by other container adapters, each Resin web application        will contain its own        <literal>WEB-INF/resin-acegisecurity.xml</literal> file. Each web        application will also contain a <literal>resin-web.xml</literal> file        which Resin uses to start the container adapter:</para>        <para><programlisting><web-app>  <authenticator>    <type>org.acegisecurity.adapters.resin.ResinAcegiAuthenticator</type>    <init>      <app-context-location>WEB-INF/resin-acegisecurity.xml</app-context-location>      <key>my_password</key>    </init>  </authenticator></web-app>        </programlisting></para>        <para>With the basic configuration provided above, none of the JAR        files listed (or <literal>acegi-security-XX.jar</literal>) should be        in your application's <literal>WEB-INF/lib</literal>. The realm name        indicated in your <literal>web.xml</literal> does not matter with        Resin, as the relevant authentication class is indicated by the        <literal><authenticator></literal> setting</para>      </sect1>      <sect1 id="ca-tomcat">        <title>Tomcat</title>        <para>The following was tested with Jakarta Tomcat 4.1.30 and        5.0.19.</para>        <para><literal>$CATALINA_HOME</literal> refers to the root of your        Catalina (Tomcat) installation.</para>        <para>Edit your <literal>$CATALINA_HOME/conf/server.xml</literal> file        so the <literal><Engine></literal> section contains only one        active <literal><Realm></literal> entry. An example realm        entry:</para>        <para><programlisting>      <Realm className="org.acegisecurity.adapters.catalina.CatalinaAcegiUserRealm"             appContextLocation="conf/acegisecurity.xml"             key="my_password" /></programlisting></para>        <para>Be sure to remove any other <literal><Realm></literal>        entry from your <literal><Engine></literal> section.</para>        <para>Copy <literal>acegisecurity.xml</literal> into        <literal>$CATALINA_HOME/conf</literal>.</para>        <para>Copy <literal>acegi-security-catalina-XX.jar</literal> into        <literal>$CATALINA_HOME/server/lib</literal>.</para>        <para>Copy the following files into        <literal>$CATALINA_HOME/common/lib</literal>:</para>        <itemizedlist>          <listitem>            <para><literal>aopalliance.jar</literal></para>          </listitem>          <listitem>            <para><literal>spring.jar</literal></para>          </listitem>          <listitem>            <para><literal>commons-codec.jar</literal></para>          </listitem>          <listitem>            <para><literal>burlap.jar</literal></para>          </listitem>          <listitem>            <para><literal>hessian.jar</literal></para>          </listitem>        </itemizedlist>        <para>None of the above JAR files (or        <literal>acegi-security-XX.jar</literal>) should be in your        application's <literal>WEB-INF/lib</literal>. The realm name indicated        in your <literal>web.xml</literal> does not matter with        Catalina.</para>        <para>We have received reports of problems using this Container        Adapter with Mac OS X. A work-around is to use a script such as        follows:</para>        <para><programlisting>#!/bin/shexport CATALINA_HOME="/Library/Tomcat"export JAVA_HOME="/Library/Java/Home"cd /$CATALINA_HOME/bin/startup.sh</programlisting></para>        <para>Finally, restart Tomcat.</para>      </sect1>    </chapter>  </part>  <part id="authorization">    <title>Authorization</title>    <partintro>      <para>The advanced authorization capabilities within Acegi Security      represent one of the most compelling reasons for its popularity.      Irrespective of how you choose to authenticate - whether using an Acegi      Security-provided mechanism and provider, or integrating with a      container or other non-Acegi Security authentication authority - you      will find the authorization services can be used within your application      in a consistent and simple way.</para>      <para>In this part we'll explore the different      <literal>AbstractSecurityInterceptor</literal> implementations, which      were introduced in Part I. We then move on to explore how to fine-tune      authorization through use of domain access control lists.</para>    </partintro>    <chapter id="authorization-common">      <title>Common Authorization Concepts</title>      <sect1 id="authorities">        <title>Authorities</title>        <para>As briefly mentioned in the Authentication section, all        <literal>Authentication</literal> implementations are required to        store an array of <literal>GrantedAuthority</literal> objects. These        represent the authorities that have been granted to the principal. The        <literal>GrantedAuthority</literal> objects are inserted into the        <literal>Authentication</literal> object by the        <literal>AuthenticationManager</literal> and are later read by        <literal>AccessDecisionManager</literal>s when making authorization        decisions.</para>        <para><literal>GrantedAuthority</literal> is an interface with only        one method:</para>        <para><programlisting>public String getAuthority();</programlisting></para>        <para>This method allows <literal>AccessDecisionManager</literal>s to        obtain a precise <literal>String</literal> representation of the        <literal>GrantedAuthority</literal>. By returning a representation as        a <literal>String</literal>, a <literal>GrantedAuthority</literal> can        be easily "read" by most <literal>AccessDecisionManager</literal>s. If        a <literal>GrantedAuthority</literal> cannot be precisely represented        as a <literal>String</literal>, the        <literal>GrantedAuthority</literal> is considered "complex" and        <literal>getAuthority()</literal> must return        <literal>null</literal>.</para>        <para>An example of a "complex" <literal>GrantedAuthority</literal>        would be an implementation that stores a list of operations and        authority thresholds that apply to different customer account numbers.        Representing this complex <literal>GrantedAuthority</literal> as a        <literal>String</literal> would be quite complex, and as a result the        <literal>getAuthority()</literal> method should return        <literal>null</literal>. This will indicate to any        <literal>AccessDecisionManager</literal> that it will need to        specifically support the <literal>GrantedAuthority</literal>        implementation in order to understand its contents.</para>        <para>Acegi Security includes one concrete        <literal>GrantedAuthority</literal> implementation,        <literal>GrantedAuthorityImpl</literal>. This allows any        user-specified <literal>String</literal> to be converted into a        <literal>GrantedAuthority</literal>. All        <literal>AuthenticationProvider</literal>s included with the security        architecture use <literal>GrantedAuthorityImpl</literal> to populate        the <literal>Authentication</literal> object.</para>      </sect1>      <sect1 id="pre-invocation">        <title>Pre-Invocation Handling</title>        <para>The <literal>AccessDecisionManager</literal> is called by the        <literal>AbstractSecurityInterceptor</literal> and is responsible for        making final access control decisions. The        <literal>AccessDecisionManager</literal> interface contains three        methods:</para>        <para><programlisting>public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;public boolean supports(ConfigAttribute attribute);public boolean supports(Class clazz);</programlisting></para>        <para>As can be seen from the first method, the        <literal>AccessDecisionManager</literal> is passed via method        parameters all information that is likely to be of value in assessing        an authorization decision. In particular, passing the secure        <literal>Object</literal> enables those arguments contained in the        actual secure object invocation to be inspected. For example, let's        assume the secure object was a <literal>MethodInvocation</literal>. It        would be easy to query the <literal>MethodInvocation</literal> for any        <literal>Customer</literal> argument, and then implement some sort of        security logic in the <literal>AccessDecisionManager</literal> to        ensure the principal is permitted to operate on that customer.        Implementations are expected to throw an        <literal>AccessDeniedException</literal> if access is denied.</para>        <para>The <literal>supports(ConfigAttribute)</literal> method is        called by the <literal>AbstractSecurityInterceptor</literal> at        startup time to determine if the        <literal>AccessDecisionManager</literal> can process the passed        <literal>ConfigAttribute</literal>. The        <literal>supports(Class)</literal> method is called by a security        interceptor implementation to ensure the configured        <literal>AccessDecisionManager</literal> supports the type of secure        object that the security interceptor will present.</para>        <para>Whilst users can implement their own        <literal>AccessDecisionManager</literal> to control all aspects of        authorization, Acegi Security includes several        <literal>AccessDecisionManager</literal> implementations that are        based on voting. Figure 4 illustrates the relevant classes.</para>        <para><mediaobject>            <imageobject role="html">              <imagedata align="center"                         fileref="images/AccessDecisionVoting.gif"                         format="GIF" />            </imageobject>            <caption>              <para>Figure 4: Voting Decision Manager</para>            </caption>          </mediaobject></para>        <para>Using this approach, a series of        <literal>AccessDecisionVoter</literal> implementations are polled on        an authorization decision. The        <literal>AccessDecisionManager</literal> then decides whether or not        to throw an <literal>AccessDeniedException</literal> based on its        assessment of the votes.</para>        <para>The <literal>AccessDecisionVoter</literal> interface has three        methods:</para>        <para><programlisting>public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);public boolean supports(ConfigAttribute attribute);public boolean supports(Class clazz);</programlisting></para>        <para>Concrete implementations return an <literal>int</literal>, with        possible values being reflected in the        <literal>AccessDecisionVoter</literal> static fields        <literal>ACCESS_ABSTAIN</literal>, <literal>ACCESS_DENIED</literal>        and <literal>ACCESS_GRANTED</literal>. A voting implementation will        return <literal>ACCESS_ABSTAIN</literal> if it has no opinion on an        authorization decision. If it does have an opinion, it must return        either <literal>ACCESS_DENIED</literal> or        <literal>ACCESS_GRANTED</literal>.</para>        <para>There are three concrete        <literal>AccessDecisionManager</literal>s provided with Acegi Security        that tally the votes. The <literal>ConsensusBased</literal>        implementation will grant or deny access based on the consensus of        non-abstain votes. Properties are provided to control behavior in the        event of an equality of votes or if all votes are abstain. The        <literal>AffirmativeBased</literal> implementation will grant access        if one or more <literal>ACCESS_GRANTED</literal> votes were received        (ie a deny vote will be ignored, provided there was at least one grant        vote). Like the <literal>ConsensusBased</literal> implementation,        there is a parameter that controls the behavior if all voters abstain.        The <literal>UnanimousBased</literal> provider expects unanimous        <literal>ACCESS_GRANTED</literal> votes in order to grant access,        ignoring abstains. It will deny access if there is any        <literal>ACCESS_DENIED</literal> vote. Like the other implementations,        there is a parameter that controls the behaviour if all voters        abstain.</para>        <para>It is possible to implement a custom        <literal>AccessDecisionManager</literal> that tallies votes        differently. For example, votes from a particular        <literal>AccessDecisionVoter</literal> might receive additional        weighting, whilst a deny vote from a particular voter may have a veto        effect.</para>        <para>There are two concrete <literal>AccessDecisionVoter</literal>        implementations provided with Acegi Security. The        <literal>RoleVoter</literal> class will vote if any ConfigAttribute        begins with <literal>ROLE_</literal>. It will vote to grant access if        there is a <literal>GrantedAuthority</literal> which returns a        <literal>String</literal> representation (via the        <literal>getAuthority()</literal> method) exactly equal to one or more        <literal>ConfigAttributes</literal> starting with        <literal>ROLE_</literal>. If there is no exact match of any        <literal>ConfigAttribute</literal> starting with        <literal>ROLE_</literal>, the <literal>RoleVoter</literal> will vote        to deny access. If no <literal>ConfigAttribute</literal> begins with        <literal>ROLE_</literal>, the voter will abstain.        <literal>RoleVoter</literal> is case sensitive on comparisons as well        as the <literal>ROLE_</literal> prefix.</para>        <para><literal>BasicAclEntryVoter</literal> is the other concrete        voter included with Acegi Security. It integrates with Acegi        Security's <literal>AclManager</literal> (discussed later). This voter        is designed to have multiple instances in the same application        context, such as:</para>        <para><programlisting><bean id="aclContactReadVoter" class="org.acegisecurity.vote.BasicAclEntryVoter">  <property name="processConfigAttribute"><value>ACL_CONTACT_READ</value></property>  <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property>  <property name="aclManager"><ref local="aclManager"/></property>  <property name="requirePermission">    <list>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/>    </list>  </property></bean><bean id="aclContactDeleteVoter" class="org.acegisecurity.vote.BasicAclEntryVoter">  <property name="processConfigAttribute"><value>ACL_CONTACT_DELETE</value></property>  <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property>  <property name="aclManager"><ref local="aclManager"/></property>  <property name="requirePermission">    <list>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.DELETE"/>    </list>  </property></bean>        </programlisting></para>        <para>In the above example, you'd define        <literal>ACL_CONTACT_READ</literal> or        <literal>ACL_CONTACT_DELETE</literal> against some methods on a        <literal>MethodSecurityInterceptor</literal> or        <literal>AspectJSecurityInterceptor</literal>. When those methods are        invoked, the above applicable voter defined above would vote to grant        or deny access. The voter would look at the method invocation to        locate the first argument of type        <literal>sample.contact.Contact</literal>, and then pass that        <literal>Contact</literal> to the <literal>AclManager</literal>. The        <literal>AclManager</literal> will then return an access control list        (ACL) that applies to the current <literal>Authentication</literal>.        Assuming that ACL contains one of the listed        <literal>requirePermission</literal>s, the voter will vote to grant        access. If the ACL does not contain one of the permissions defined        against the voter, the voter will vote to deny access.        <literal>BasicAclEntryVoter</literal> is an important class as it        allows you to build truly complex applications with domain object        security entirely defined in the application context. If you're        interested in learning more about Acegi Security's ACL capabilities        and how best to apply them, please see the ACL and "After Invocation"        sections of this reference guide, and the Contacts sample        application.</para>        <para>It is also possible to implement a custom        <literal>AccessDecisionVoter</literal>. Several examples are provided        in Acegi Security unit tests, including        <literal>ContactSecurityVoter</literal> and        <literal>DenyVoter</literal>. The        <literal>ContactSecurityVoter</literal> abstains from voting decisions        where a <literal>CONTACT_OWNED_BY_CURRENT_USER</literal>        <literal>ConfigAttribute</literal> is not found. If voting, it queries        the <literal>MethodInvocation</literal> to extract the owner of the        <literal>Contact</literal> object that is subject of the method call.        It votes to grant access if the <literal>Contact</literal> owner        matches the principal presented in the        <literal>Authentication</literal> object. It could have just as easily        compared the <literal>Contact</literal> owner with some        <literal>GrantedAuthority</literal> the        <literal>Authentication</literal> object presented. All of this is        achieved with relatively few lines of code and demonstrates the        flexibility of the authorization model.</para>        <para>TODO: Remove references to the old ACL package when it's        deprecated, and have all references to the replacement package limited        to the chapter describing the new ACL implementation.</para>      </sect1>      <sect1 id="after-invocation">        <title>After Invocation Handling</title>        <para>Whilst the <literal>AccessDecisionManager</literal> is called by        the <literal>AbstractSecurityInterceptor</literal> before proceeding        with the secure object invocation, some applications need a way of        modifying the object actually returned by the secure object        invocation. Whilst you could easily implement your own AOP concern to        achieve this, Acegi Security provides a convenient hook that has        several concrete implementations that integrate with its ACL        capabilities.</para>        <para>Figure 5 illustrates Acegi Security's        <literal>AfterInvocationManager</literal> and its concrete        implementations.</para>        <para><mediaobject>            <imageobject role="html">              <imagedata align="center" fileref="images/AfterInvocation.gif"                         format="GIF" />            </imageobject>            <caption>              <para>Figure 5: After Invocation Implementation</para>            </caption>          </mediaobject></para>        <para>Like many other parts of Acegi Security,        <literal>AfterInvocationManager</literal> has a single concrete        implementation, <literal>AfterInvocationProvider</literal>, which        polls a list of <literal>AfterInvocationProvider</literal>s. Each        <literal>AfterInvocationProvider</literal> is allowed to modify the        return object or throw an <literal>AccessDeniedException</literal>.        Indeed multiple providers can modify the object, as the result of the        previous provider is passed to the next in the list. Let's now        consider our ACL-aware implementations of        <literal>AfterInvocationProvider</literal>.</para>        <para>Please be aware that if you're using        <literal>AfterInvocationManager</literal>, you will still need        configuration attributes that allow the        <literal>MethodSecurityInterceptor</literal>'s        <literal>AccessDecisionManager</literal> to allow an operation. If        you're using the typical Acegi Security included        <literal>AccessDecisionManager</literal> implementations, having no        configuration attributes defined for a particular secure method        invocation will cause each <literal>AccessDecisionVoter</literal> to        abstain from voting. In turn, if the        <literal>AccessDecisionManager</literal> property        "<literal>allowIfAllAbstainDecisions</literal>" is        <literal>false</literal>, an <literal>AccessDeniedException</literal>        will be thrown. You may avoid this potential issue by either (i)        setting "<literal>allowIfAllAbstainDecisions</literal>" to        <literal>true</literal> (although this is generally not recommended)        or (ii) simply ensure that there is at least one configuration        attribute that an <literal>AccessDecisionVoter</literal> will vote to        grant access for. This latter (recommended) approach is usually        achieved through a <literal>ROLE_USER</literal> or        <literal>ROLE_AUTHENTICATED</literal> configuration attribute</para>        <sect2 id="after-invocation-acl-aware">          <title>ACL-Aware AfterInvocationProviders</title>          <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new          ACL module. The new ACL module is a significant rewrite of the          existing ACL module. The new module can be found under the          <literal>org.acegisecurity.acls</literal> package, with the old ACL          module under <literal>org.acegisecurity.acl</literal>. We encourage          users to consider testing with the new ACL module and build          applications with it. The old ACL module should be considered          deprecated and may be removed from a future release. The following          information relates to the new ACL package, and is thus          recommended.</para>          <para>A common services layer method we've all written at one stage          or another looks like this:</para>          <para><programlisting>public Contact getById(Integer id);</programlisting></para>          <para>Quite often, only principals with permission to read the          <literal>Contact</literal> should be allowed to obtain it. In this          situation the <literal>AccessDecisionManager</literal> approach          provided by the <literal>AbstractSecurityInterceptor</literal> will          not suffice. This is because the identity of the          <literal>Contact</literal> is all that is available before the          secure object is invoked. The          <literal>AclAfterInvocationProvider</literal> delivers a solution,          and is configured as follows:</para>          <para><programlisting><bean id="afterAclRead" class="org.acegisecurity.afterinvocation.AclEntryAfterInvocationProvider">  <constructor-arg>    <ref bean="aclService"/>  </constructor-arg>  <constructor-arg>    <list>      <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/>      <ref local="org.acegisecurity.acls.domain.BasePermission.READ"/>    </list>  </constructor-arg></bean>      </programlisting></para>          <para>In the above example, the <literal>Contact</literal> will be          retrieved and passed to the          <literal>AclEntryAfterInvocationProvider</literal>. The provider          will thrown an <literal>AccessDeniedException</literal> if one of          the listed <literal>requirePermission</literal>s is not held by the          <literal>Authentication</literal>. The          <literal>AclEntryAfterInvocationProvider</literal> queries the          <literal>Acl</literal>Service to determine the ACL that applies for          this domain object to this <literal>Authentication</literal>.</para>          <para>Similar to the          <literal>AclEntryAfterInvocationProvider</literal> is          <literal>AclEntryAfterInvocationCollectionFilteringProvider</literal>.          It is designed to remove <literal>Collection</literal> or array          elements for which a principal does not have access. It never thrown          an <literal>AccessDeniedException</literal> - simply silently          removes the offending elements. The provider is configured as          follows:</para>          <para><programlisting><bean id="afterAclCollectionRead" class="org.acegisecurity.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">  <constructor-arg>    <ref bean="aclService"/>  </constructor-arg>  <constructor-arg>    <list>      <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/>      <ref local="org.acegisecurity.acls.domain.BasePermission.READ"/>    </list>  </constructor-arg></bean>    </programlisting></para>          <para>As you can imagine, the returned <literal>Object</literal>          must be a <literal>Collection</literal> or array for this provider          to operate. It will remove any element if the          <literal>AclManager</literal> indicates the          <literal>Authentication</literal> does not hold one of the listed          <literal>requirePermission</literal>s.</para>          <para>The Contacts sample application demonstrates these two          <literal>AfterInvocationProvider</literal>s.</para>        </sect2>        <sect2 id="after-invocation-acl-aware-old">          <title>ACL-Aware AfterInvocationProviders (old ACL module)</title>          <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new          ACL module. The new ACL module is a significant rewrite of the          existing ACL module. The new module can be found under the          <literal>org.acegisecurity.acls</literal> package, with the old ACL          module under <literal>org.acegisecurity.acl</literal>. We encourage          users to consider testing with the new ACL module and build          applications with it. The old ACL module should be considered          deprecated and may be removed from a future release.</para>          <para>A common services layer method we've all written at one stage          or another looks like this:</para>          <para><programlisting>public Contact getById(Integer id);</programlisting></para>          <para>Quite often, only principals with permission to read the          <literal>Contact</literal> should be allowed to obtain it. In this          situation the <literal>AccessDecisionManager</literal> approach          provided by the <literal>AbstractSecurityInterceptor</literal> will          not suffice. This is because the identity of the          <literal>Contact</literal> is all that is available before the          secure object is invoked. The          <literal>BasicAclAfterInvocationProvider</literal> delivers a          solution, and is configured as follows:</para>          <para><programlisting><bean id="afterAclRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationProvider">  <property name="aclManager"><ref local="aclManager"/></property>  <property name="requirePermission">    <list>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/>    </list>  </property></bean>       </programlisting></para>          <para>In the above example, the <literal>Contact</literal> will be          retrieved and passed to the          <literal>BasicAclEntryAfterInvocationProvider</literal>. The          provider will thrown an <literal>AccessDeniedException</literal> if          one of the listed <literal>requirePermission</literal>s is not held          by the <literal>Authentication</literal>. The          <literal>BasicAclEntryAfterInvocationProvider</literal> queries the          <literal>AclManager</literal> to determine the ACL that applies for          this domain object to this <literal>Authentication</literal>.</para>          <para>Similar to the          <literal>BasicAclEntryAfterInvocationProvider</literal> is          <literal>BasicAclEntryAfterInvocationCollectionFilteringProvider</literal>.          It is designed to remove <literal>Collection</literal> or array          elements for which a principal does not have access. It never thrown          an <literal>AccessDeniedException</literal> - simply silently          removes the offending elements. The provider is configured as          follows:</para>          <para><programlisting><bean id="afterAclCollectionRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">  <property name="aclManager"><ref local="aclManager"/></property>  <property name="requirePermission">    <list>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>      <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/>    </list>  </property></bean>       </programlisting></para>          <para>As you can imagine, the returned <literal>Object</literal>          must be a <literal>Collection</literal> or array for this provider          to operate. It will remove any element if the          <literal>AclManager</literal> indicates the          <literal>Authentication</literal> does not hold one of the listed          <literal>requirePermission</literal>s.</para>          <para>The Contacts sample application demonstrates these two          <literal>AfterInvocationProvider</literal>s.</para>        </sect2>      </sect1>      <sect1 id="authorization-taglibs">        <title>Authorization Tag Libraries</title>        <para><literal>AuthorizeTag</literal> is used to include content if        the current principal holds certain        <literal>GrantedAuthority</literal>s.</para>        <para>The following JSP fragment illustrates how to use the        <literal>AuthorizeTag</literal>:</para>        <para><programlisting><authz:authorize ifAllGranted="ROLE_SUPERVISOR">  <td>    <A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A>  </td></authz:authorize>          </programlisting></para>        <para>This tag would cause the tag's body to be output if the        principal has been granted ROLE_SUPERVISOR.</para>        <para>The <literal>authz:authorize</literal> tag declares the        following attributes:</para>        <para><itemizedlist spacing="compact">            <listitem>              <para><literal>ifAllGranted</literal>: All the listed roles must              be granted for the tag to output its body.</para>            </listitem>            <listitem>              <para><literal>ifAnyGranted</literal>: Any of the listed roles              must be granted for the tag to output its body.</para>            </listitem>            <listitem>              <para><literal>ifNotGranted</literal>: None of the listed roles              must be granted for the tag to output its body.</para>            </listitem>          </itemizedlist></para>        <para>You'll note that in each attribute you can list multiple roles.        Simply separate the roles using a comma. The        <literal>authorize</literal> tag ignores whitespace in        attributes.</para>        <para>The tag library logically ANDs all of it's parameters together.        This means that if you combine two or more attributes, all attributes        must be true for the tag to output it's body. Don't add an        <literal>ifAllGranted="ROLE_SUPERVISOR"</literal>, followed by an        <literal>ifNotGranted="ROLE_SUPERVISOR"</literal>, or you'll be        surprised to never see the tag's body.</para>        <para>By requiring all attributes to return true, the authorize tag        allows you to create more complex authorization scenarios. For        example, you could declare an        <literal>ifAllGranted="ROLE_SUPERVISOR"</literal> and an        <literal>ifNotGranted="ROLE_NEWBIE_SUPERVISOR"</literal> in the same        tag, in order to prevent new supervisors from seeing the tag body.        However it would no doubt be simpler to use        <literal>ifAllGranted="ROLE_EXPERIENCED_SUPERVISOR"</literal> rather        than inserting NOT conditions into your design.</para>        <para>One last item: the tag verifies the authorizations in a specific        order: first <literal>ifNotGranted</literal>, then        <literal>ifAllGranted</literal>, and finally, <literal>if        AnyGranted</literal>.</para>        <para><literal>AccessControlListTag</literal> is used to include        content if the current principal has an ACL to the indicated domain        object.</para>        <para>The following JSP fragment illustrates how to use the        <literal>AccessControlListTag</literal>:</para>        <para><programlisting><authz:accesscontrollist domainObject="${contact}" hasPermission="8,16">  <td><A HREF="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</A></td></authz:accesscontrollist></programlisting></para>        <para>This tag would cause the tag's body to be output if the        principal holds either permission 16 or permission 1 for the "contact"        domain object. The numbers are actually integers that are used with        <literal>BasePermission</literal> bit masking. Please refer to the ACL        section of this reference guide to understand more about the ACL        capabilities of Acegi Security.</para>        <para><literal>AclTag</literal> is part of the old ACL module and        should be considered deprecated. For the sake of historical reference,        works exactly the samae as        <literal>AccessControlListTag</literal>.</para>      </sect1>    </chapter>    <chapter id="secure-object-impls">      <title>Secure Object Implementations</title>      <sect1 id="aop-alliance">        <title>AOP Alliance (MethodInvocation) Security Interceptor</title>        <para>To secure <literal>MethodInvocation</literal>s, developers        simply add a properly configured        <literal>MethodSecurityInterceptor</literal> into the application        context. Next the beans requiring security are chained into the        interceptor. This chaining is accomplished using Spring’s        <literal>ProxyFactoryBean</literal> or        <literal>BeanNameAutoProxyCreator</literal>, as commonly used by many        other parts of Spring (refer to the sample application for examples).        Alternatively, Acegi Security provides a        <literal>MethodDefinitionSourceAdvisor</literal> which may be used        with Spring's <literal>DefaultAdvisorAutoProxyCreator</literal> to        automatically chain the security interceptor in front of any beans        defined against the <literal>MethodSecurityInterceptor</literal>. The        <literal>MethodSecurityInterceptor</literal> itself is configured as        follows:</para>        <programlisting><bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">  <property name="validateConfigAttributes"><value>true</value></property>  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>  <property name="runAsManager"><ref bean="runAsManager"/></property>  <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>  <property name="objectDefinitionSource">    <value>      org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER      org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER    </value>  </property></bean>        </programlisting>        <para>As shown above, the <literal>MethodSecurityInterceptor</literal>        is configured with a reference to an        <literal>AuthenticationManager</literal>,        <literal>AccessDecisionManager</literal> and        <literal>RunAsManager</literal>, which are each discussed in separate        sections below. In this case we've also defined an        <literal>AfterInvocationManager</literal>, although this is entirely        optional. The <literal>MethodSecurityInterceptor</literal> is also        configured with configuration attributes that apply to different        method signatures. A full discussion of configuration attributes is        provided in the High Level Design section of this document.</para>        <para>The <literal>MethodSecurityInterceptor</literal> can be        configured with configuration attributes in three ways. The first is        via a property editor and the application context, which is shown        above. The second is via defining the configuration attributes in your        source code using Jakarta Commons Attributes or Java 5 Annotations.        The third is via writing your own        <literal>ObjectDefinitionSource</literal>, although this is beyond the        scope of this document. Irrespective of the approach used, the        <literal>ObjectDefinitionSource</literal> is responsible for returning        a <literal>ConfigAttributeDefinition</literal> object that contains        all of the configuration attributes associated with a single secure        method.</para>        <para>It should be noted that the        <literal>MethodSecurityInterceptor.setObjectDefinitionSource()</literal>        method actually expects an instance of        <literal>MethodDefinitionSource</literal>. This is a marker interface        which subclasses <literal>ObjectDefinitionSource</literal>. It simply        denotes the <literal>ObjectDefinitionSource</literal> understands        <literal>MethodInvocation</literal>s. In the interests of simplicity        we'll continue to refer to the        <literal>MethodDefinitionSource</literal> as an        <literal>ObjectDefinitionSource</literal>, as the distinction is of        little relevance to most users of the        <literal>MethodSecurityInterceptor</literal>.</para>        <para>If using the application context property editor approach (as        shown above), commas are used to delimit the different configuration        attributes that apply to a given method pattern. Each configuration        attribute is assigned into its own <literal>SecurityConfig</literal>        object. The <literal>SecurityConfig</literal> object is discussed in        the High Level Design section.</para>        <para>If you are using the Jakarta Commons Attributes approach, your        bean context will be configured differently:</para>        <programlisting><bean id="attributes" class="org.springframework.metadata.commons.CommonsAttributes"/><bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">  <property name="attributes"><ref local="attributes"/></property></bean><bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">  <property name="validateConfigAttributes"><value>false</value></property>  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>  <property name="runAsManager"><ref bean="runAsManager"/></property>  <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property></bean>       </programlisting>        <para>In addition, your source code will contain Jakarta Commons        Attributes tags that refer to a concrete implementation of        <literal>ConfigAttribute</literal>. The following example uses the        <literal>SecurityConfig</literal> implementation to represent the        configuration attributes, and results in the same security        configuration as provided by the property editor approach        above:</para>        <programlisting>public interface BankManager {    /**     * @@SecurityConfig("ROLE_SUPERVISOR")     * @@SecurityConfig("RUN_AS_SERVER")     */    public void deleteSomething(int id);    /**     * @@SecurityConfig("ROLE_SUPERVISOR")     * @@SecurityConfig("RUN_AS_SERVER")     */    public void deleteAnother(int id);    /**     * @@SecurityConfig("ROLE_TELLER")     * @@SecurityConfig("ROLE_SUPERVISOR")     * @@SecurityConfig("BANKSECURITY_CUSTOMER")     * @@SecurityConfig("RUN_AS_SERVER")     */    public float getBalance(int id);}</programlisting>        <para>If you are using the Acegi Security Java 5 Annotations approach,        your bean context will be configured as follows:</para>        <programlisting><bean id="attributes" class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/><bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">  <property name="attributes"><ref local="attributes"/></property></bean><bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">  <property name="validateConfigAttributes"><value>false</value></property>  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>  <property name="runAsManager"><ref bean="runAsManager"/></property>  <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property></bean>        </programlisting>        <para>In addition, your source code will contain Acegi Java 5 Security        Annotations that represent the <literal>ConfigAttribute</literal>. The        following example uses the <literal>@Secured</literal> annotations to        represent the configuration attributes, and results in the same        security configuration as provided by the property editor        approach:</para>        <programlisting>import org.acegisecurity.annotation.Secured;public interface BankManager {    /**     * Delete something     */    @Secured({"ROLE_SUPERVISOR","RUN_AS_SERVER" })    public void deleteSomething(int id);    /**     * Delete another     */    @Secured({"ROLE_SUPERVISOR","RUN_AS_SERVER" })    public void deleteAnother(int id);    /**     * Get balance     */    @Secured({"ROLE_TELLER","ROLE_SUPERVISOR","BANKSECURITY_CUSTOMER","RUN_AS_SERVER" })    public float getBalance(int id);}</programlisting>        <para>You might have noticed the        <literal>validateConfigAttributes</literal> property in the above        <literal>MethodSecurityInterceptor</literal> examples. When set to        <literal>true</literal> (the default), at startup time the        <literal>MethodSecurityInterceptor</literal> will evaluate if the        provided configuration attributes are valid. It does this by checking        each configuration attribute can be processed by either the        <literal>AccessDecisionManager</literal> or the        <literal>RunAsManager</literal>. If neither of these can process a        given configuration attribute, an exception is thrown. If using the        Jakarta Commons Attributes method of configuration, you should set        <literal>validateConfigAttributes</literal> to        <literal>false</literal>.</para>        <para>Please note that when using        <literal>BeanNameAutoProxyCreator</literal> to create the required        proxy for security, the configuration must contain the property        <literal>proxyTargetClass</literal> set to <literal>true</literal>.        Otherwise, the method passed to        <literal>MethodSecurityInterceptor.invoke</literal> is the proxy's        caller, not the proxy's target. Note that this introduces a        requirement on CGLIB. See an example of using        <literal>BeanNameAutoProxyCreator</literal> below:</para>        <programlisting><bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">  <property name="interceptorNames">    <list><value>methodSecurityInterceptor</value></list>  </property>  <property name="beanNames">    <list><value>targetObjectName</value></list>  </property>  <property name="proxyTargetClass" value="true"/></bean>        </programlisting>      </sect1>      <sect1 id="aspectj">        <title>AspectJ (JoinPoint) Security Interceptor</title>        <para>The AspectJ security interceptor is very similar to the AOP        Alliance security interceptor discussed in the previous section.        Indeed we will only discuss the differences in this section.</para>        <para>The AspectJ interceptor is named        <literal>AspectJSecurityInterceptor</literal>. Unlike the AOP Alliance        security interceptor, which relies on the Spring application context        to weave in the security interceptor via proxying, the        <literal>AspectJSecurityInterceptor</literal> is weaved in via the        AspectJ compiler. It would not be uncommon to use both types of        security interceptors in the same application, with        <literal>AspectJSecurityInterceptor</literal> being used for domain        object instance security and the AOP Alliance        <literal>MethodSecurityInterceptor</literal> being used for services        layer security.</para>        <para>Let's first consider how the        <literal>AspectJSecurityInterceptor</literal> is configured in the        Spring application context:</para>        <programlisting><bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor">  <property name="validateConfigAttributes"><value>true</value></property>  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>  <property name="runAsManager"><ref bean="runAsManager"/></property>  <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>  <property name="objectDefinitionSource">    <value>      org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER      org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER    </value>  </property></bean>        </programlisting>        <para>As you can see, aside from the class name, the        <literal>AspectJSecurityInterceptor</literal> is exactly the same as        the AOP Alliance security interceptor. Indeed the two interceptors can        share the same <literal>objectDefinitionSource</literal>, as the        <literal>ObjectDefinitionSource</literal> works with        <literal>java.lang.reflect.Method</literal>s rather than an AOP        library-specific class. Of course, your access decisions have access        to the relevant AOP library-specific invocation (ie        <literal>MethodInvocation</literal> or <literal>JoinPoint</literal>)        and as such can consider a range of addition criteria when making        access decisions (such as method arguments).</para>        <para>Next you'll need to define an AspectJ <literal>aspect</literal>.        For example:</para>        <programlisting>package org.acegisecurity.samples.aspectj;import org.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor;import org.acegisecurity.intercept.method.aspectj.AspectJCallback;import org.springframework.beans.factory.InitializingBean;public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {  private AspectJSecurityInterceptor securityInterceptor;  pointcut domainObjectInstanceExecution(): target(PersistableEntity)              && execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect);  Object around(): domainObjectInstanceExecution() {    if (this.securityInterceptor != null) {      AspectJCallback callback = new AspectJCallback() {        public Object proceedWithObject() {        return proceed();      }    };    return this.securityInterceptor.invoke(thisJoinPoint, callback);    } else {      return proceed();    }  }  public AspectJSecurityInterceptor getSecurityInterceptor() {    return securityInterceptor;  }  public void setSecurityInterceptor(AspectJSecurityInterceptor securityInterceptor) {    this.securityInterceptor = securityInterceptor;  }  public void afterPropertiesSet() throws Exception {    if (this.securityInterceptor == null)      throw new IllegalArgumentException("securityInterceptor required");  }}</programlisting>        <para>In the above example, the security interceptor will be applied        to every instance of <literal>PersistableEntity</literal>, which is an        abstract class not shown (you can use any other class or        <literal>pointcut</literal> expression you like). For those curious,        <literal>AspectJCallback</literal> is needed because the        <literal>proceed();</literal> statement has special meaning only        within an <literal>around()</literal> body. The        <literal>AspectJSecurityInterceptor</literal> calls this anonymous        <literal>AspectJCallback</literal> class when it wants the target        object to continue.</para>        <para>You will need to configure Spring to load the aspect and wire it        with the <literal>AspectJSecurityInterceptor</literal>. A bean        declaration which achieves this is shown below:</para>        <programlisting><bean id="domainObjectInstanceSecurityAspect"     class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect"    factory-method="aspectOf">  <property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property></bean>        </programlisting>        <para>That's it! Now you can create your beans from anywhere within        your application, using whatever means you think fit (eg <literal>new        Person();</literal>) and they will have the security interceptor        applied.</para>      </sect1>      <sect1 id="filter-invocation-authorization">        <title>FilterInvocation Security Interceptor</title>        <para>To secure <literal>FilterInvocation</literal>s, developers need        to add a filter to their <literal>web.xml</literal> that delegates to        the <literal>FilterSecurityInterceptor</literal>. A typical        configuration example is provided below:</para>        <programlisting><filter>  <filter-name>Acegi HTTP Request Security Filter</filter-name>  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>  <init-param>    <param-name>targetClass</param-name>    <param-value>org.acegisecurity.intercept.web.FilterSecurityInterceptor</param-value>  </init-param></filter><filter-mapping>  <filter-name>Acegi HTTP Request Security Filter</filter-name>  <url-pattern>/*</url-pattern></filter-mapping></programlisting>        <para>Notice that the filter is actually a        <literal>FilterToBeanProxy</literal>. Most of the filters used by        Acegi Security use this class. Refer to the Filters section to learn        more about this bean.</para>        <para>In the application context you will need to configure three        beans:</para>        <programlisting><bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">  <property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property></bean><bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">  <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>  <property name="forceHttps"><value>false</value></property></bean>      <bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>  <property name="objectDefinitionSource">    <value>      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON      \A/secure/super/.*\Z=ROLE_WE_DONT_HAVE      \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER    </value>  </property></bean>        </programlisting>        <para>The <classname>ExceptionTranslationFilter</classname> provides        the bridge between Java exceptions and HTTP responses. It is solely        concerned with maintaining the user interface. This filter does not do        any actual security enforcement. If an        <exceptionname>AuthenticationException</exceptionname> is detected,        the filter will call the AuthenticationEntryPoint to commence the        authentication process (e.g. a user login).</para>        <para>The <literal>AuthenticationEntryPoint</literal> will be called        if the user requests a secure HTTP resource but they are not        authenticated. The class handles presenting the appropriate response        to the user so that authentication can begin. Three concrete        implementations are provided with Acegi Security:        <literal>AuthenticationProcessingFilterEntryPoint</literal> for        commencing a form-based authentication,        <literal>BasicProcessingFilterEntryPoint</literal> for commencing a        HTTP Basic authentication process, and        <literal>CasProcessingFilterEntryPoint</literal> for commencing a        JA-SIG Central Authentication Service (CAS) login. The        <literal>AuthenticationProcessingFilterEntryPoint</literal> and        <literal>CasProcessingFilterEntryPoint</literal> have optional        properties related to forcing the use of HTTPS, so please refer to the        JavaDocs if you require this.</para>        <para><literal>FilterSecurityInterceptor</literal> is responsible for        handling the security of HTTP resources. Like any other security        interceptor, it requires a reference to an        <literal>AuthenticationManager</literal> and an        <literal>AccessDecisionManager</literal>, which are both discussed in        separate sections below. The        <literal>FilterSecurityInterceptor</literal> is also configured with        configuration attributes that apply to different HTTP URL requests. A        full discussion of configuration attributes is provided in the High        Level Design section of this document.</para>        <para>The <literal>FilterSecurityInterceptor</literal> can be        configured with configuration attributes in two ways. The first is via        a property editor and the application context, which is shown above.        The second is via writing your own        <literal>ObjectDefinitionSource</literal>, although this is beyond the        scope of this document. Irrespective of the approach used, the        <literal>ObjectDefinitionSource</literal> is responsible for returning        a <literal>ConfigAttributeDefinition</literal> object that contains        all of the configuration attributes associated with a single secure        HTTP URL.</para>        <para>It should be noted that the        <literal>FilterSecurityInterceptor.setObjectDefinitionSource()</literal>        method actually expects an instance of        <literal>FilterInvocationDefinitionSource</literal>. This is a marker        interface which subclasses <literal>ObjectDefinitionSource</literal>.        It simply denotes the <literal>ObjectDefinitionSource</literal>        understands <literal>FilterInvocation</literal>s. In the interests of        simplicity we'll continue to refer to the        <literal>FilterInvocationDefinitionSource</literal> as an        <literal>ObjectDefinitionSource</literal>, as the distinction is of        little relevance to most users of the        <literal>FilterSecurityInterceptor</literal>.</para>        <para>If using the application context property editor approach (as        shown above), commas are used to delimit the different configuration        attributes that apply to each HTTP URL. Each configuration attribute        is assigned into its own <literal>SecurityConfig</literal> object. The        <literal>SecurityConfig</literal> object is discussed in the High        Level Design section. The <literal>ObjectDefinitionSource</literal>        created by the property editor,        <literal>FilterInvocationDefinitionSource</literal>, matches        configuration attributes against <literal>FilterInvocations</literal>        based on expression evaluation of the request URL. Two standard        expression syntaxes are supported. The default is to treat all        expressions as regular expressions. Alternatively, the presence of a        <literal>PATTERN_TYPE_APACHE_ANT</literal> directive will cause all        expressions to be treated as Apache Ant paths. It is not possible to        mix expression syntaxes within the same definition. For example, the        earlier configuration could be generated using Apache Ant paths as        follows:</para>        <programlisting><bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">  <property name="authenticationManager"><ref bean="authenticationManager"/></property>  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>  <property name="runAsManager"><ref bean="runAsManager"/></property>  <property name="objectDefinitionSource">    <value>      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON      PATTERN_TYPE_APACHE_ANT      /secure/super/**=ROLE_WE_DONT_HAVE      /secure/**=ROLE_SUPERVISOR,ROLE_TELLER    </value>  </property></bean>        </programlisting>        <para>Irrespective of the type of expression syntax used, expressions        are always evaluated in the order they are defined. Thus it is        important that more specific expressions are defined higher in the        list than less specific expressions. This is reflected in our example        above, where the more specific <literal>/secure/super/</literal>        pattern appears higher than the less specific        <literal>/secure/</literal> pattern. If they were reversed, the        <literal>/secure/</literal> pattern would always match and the        <literal>/secure/super/</literal> pattern would never be        evaluated.</para>        <para>The special keyword        <literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> causes        the <literal>FilterInvocationDefinitionSource</literal> to        automatically convert a request URL to lowercase before comparison        against the expressions. Whilst by default the case of the request URL        is not converted, it is generally recommended to use        <literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> and        write each expression assuming lowercase.</para>        <para>As with other security interceptors, the        <literal>validateConfigAttributes</literal> property is observed. When        set to <literal>true</literal> (the default), at startup time the        <literal>FilterSecurityInterceptor</literal> will evaluate if the        provided configuration attributes are valid. It does this by checking        each configuration attribute can be processed by either the        <literal>AccessDecisionManager</literal> or the        <literal>RunAsManager</literal>. If neither of these can process a        given configuration attribute, an exception is thrown.</para>      </sect1>    </chapter>    <chapter id="domain-acls">      <title>Domain Object Security</title>      <section id="domain-acls-overview">        <title>Overview</title>        <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new        ACL module. The new ACL module is a significant rewrite of the        existing ACL module. The new module can be found under the        <literal>org.acegisecurity.acls</literal> package, with the old ACL        module under <literal>org.acegisecurity.acl</literal>. We encourage        users to consider testing with the new ACL module and build        applications with it. The old ACL module should be considered        deprecated and may be removed from a future release.</para>        <para>Complex applications often will find the need to define access        permissions not simply at a web request or method invocation level.        Instead, security decisions need to comprise both who        (<literal>Authentication</literal>), where        (<literal>MethodInvocation</literal>) and what        (<literal>SomeDomainObject</literal>). In other words, authorization        decisions also need to consider the actual domain object instance        subject of a method invocation.</para>        <para>Imagine you're designing an application for a pet clinic. There        will be two main groups of users of your Spring-based application:        staff of the pet clinic, as well as the pet clinic's customers. The        staff will have access to all of the data, whilst your customers will        only be able to see their own customer records. To make it a little        more interesting, your customers can allow other users to see their        customer records, such as their "puppy preschool "mentor or president        of their local "Pony Club". Using Acegi Security as the foundation,        you have several approaches that can be used:<orderedlist>            <listitem>              <para>Write your business methods to enforce the security. You              could consult a collection within the              <literal>Customer</literal> domain object instance to determine              which users have access. By using the              <literal>SecurityContextHolder.getContext().getAuthentication()</literal>,              you'll be able to access the <literal>Authentication</literal>              object.</para>            </listitem>            <listitem>              <para>Write an <literal>AccessDecisionVoter</literal> to enforce              the security from the <literal>GrantedAuthority[]</literal>s              stored in the <literal>Authentication</literal> object. This              would mean your <literal>AuthenticationManager</literal> would              need to populate the <literal>Authentication</literal> with              custom <literal>GrantedAuthority</literal>[]s representing each              of the <literal>Customer</literal> domain object instances the              principal has access to.</para>            </listitem>            <listitem>              <para>Write an <literal>AccessDecisionVoter</literal> to enforce              the security and open the target <literal>Customer</literal>              domain object directly. This would mean your voter needs access              to a DAO that allows it to retrieve the              <literal>Customer</literal> object. It would then access the              <literal>Customer</literal> object's collection of approved              users and make the appropriate decision.</para>            </listitem>          </orderedlist></para>        <para>Each one of these approaches is perfectly legitimate. However,        the first couples your authorization checking to your business code.        The main problems with this include the enhanced difficulty of unit        testing and the fact it would be more difficult to reuse the        <literal>Customer</literal> authorization logic elsewhere. Obtaining        the <literal>GrantedAuthority[]</literal>s from the        <literal>Authentication</literal> object is also fine, but will not        scale to large numbers of <literal>Customer</literal>s. If a user        might be able to access 5,000 <literal>Customer</literal>s (unlikely        in this case, but imagine if it were a popular vet for a large Pony        Club!) the amount of memory consumed and time required to construct        the <literal>Authentication</literal> object would be undesirable. The        final method, opening the <literal>Customer</literal> directly from        external code, is probably the best of the three. It achieves        separation of concerns, and doesn't misuse memory or CPU cycles, but        it is still inefficient in that both the        <literal>AccessDecisionVoter</literal> and the eventual business        method itself will perform a call to the DAO responsible for        retrieving the <literal>Customer</literal> object. Two accesses per        method invocation is clearly undesirable. In addition, with every        approach listed you'll need to write your own access control list        (ACL) persistence and business logic from scratch.</para>        <para>Fortunately, there is another alternative, which we'll talk        about below.</para>      </section>      <section id="domain-acls-key-concepts">        <title>Key Concepts</title>        <para>The org.acegisecurity.acls package should be consulted for its        major interfaces. The key interfaces are:</para>        <itemizedlist spacing="compact">          <listitem>            <para><literal>Acl</literal>: Every domain object has one and only            one <literal>Acl</literal> object, which internally holds the            <literal>AccessControlEntry</literal>s as well as knows the owner            of the <literal>Acl</literal>. An Acl does not refer directly to            the domain object, but instead to an            <literal>ObjectIdentity</literal>.</para>          </listitem>          <listitem>            <para><literal><literal>AccessControlEntry</literal></literal>: An            Acl holds multiple <literal>AccessControlEntry</literal>s, which            are often abbreviated as ACEs in the framework. Each ACE refers to            a specific tuple of <literal>Permission</literal>,            <literal>Sid</literal> and <literal>Acl</literal>. An ACE can also            be granting or non-granting and contain audit settings.</para>          </listitem>          <listitem>            <para><literal>Permission</literal>: A permission represents an            immutable particular bit mask, and offers convenience functions            for bit masking and outputting information.</para>          </listitem>          <listitem>            <para><literal>Sid</literal>: The ACL module needs to refer to            principals and <literal>GrantedAuthority[]</literal>s. A level of            indirection is provided by the <literal>Sid</literal> interface.            Common classes include <literal>PrincipalSid</literal> (to            represent the principal inside an            <literal>Authentication</literal> object) and            <literal>GrantedAuthoritySid</literal>.</para>          </listitem>          <listitem>            <para><literal>ObjectIdentity</literal>: Each domain object is            represented internally within the ACL module by an            <literal>ObjectIdentity</literal>.</para>          </listitem>          <listitem>            <para><literal>AclService</literal>: Retrieves the            <literal>Acl</literal> applicable for a given            <literal>ObjectIdentity</literal>.</para>          </listitem>          <listitem>            <para><literal>MutableAclService</literal>: Allows a modified            <literal>Acl</literal> to be presented for persistence. It is not            essential to use this interface if you do not wish.</para>          </listitem>        </itemizedlist>        <para>The ACL module was based on extensive feedback from the user        community following real-world use of the original ACL module. This        feedback resulted in a rearchitecture of the ACL module to offer        significantly enhanced performance (particularly in the area of        database retrieval), significantly better encapsulation, higher        cohesion, and enhanced customisation points.</para>        <para>The Contacts Sample that ships with Acegi Security 1.0.3 offers        a demonstration of the new ACL module. Converting Contacts from using        the old module to the new module was relatively simple, and users of        the old ACL module will likely find their applications can be modified        with relatively little work.</para>        <para>We will document the new ACL module more fully with a subsequent        release. Please note that the new ACL module should be considered a        preview only (ie do not use in production without proper prior        testing), and there is a small chance there may be changes between        1.0.3 and 1.1.0 when it will become final. Nevertheless,        compatibility-affecting changes are considered quite unlikely,        especially given the module is already based on several years of        feedback from users of the original ACL module.</para>      </section>    </chapter>    <chapter id="domain-acls-old">      <title>Domain Object Security (old ACL module)</title>      <section id="domain-acls-overview-old">        <title>Overview</title>        <para>PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new        ACL module. The new ACL module is a significant rewrite of the        existing ACL module. The new module can be found under the        <literal>org.acegisecurity.acls</literal> package, with the old ACL        module under <literal>org.acegisecurity.acl</literal>. We encourage        users to consider testing with the new ACL module and build        applications with it. The old ACL module should be considered        deprecated and may be removed from a future release.</para>        <para>Complex applications often will find the need to define access        permissions not simply at a web request or method invocation level.        Instead, security decisions need to comprise both who        (<literal>Authentication</literal>), where        (<literal>MethodInvocation</literal>) and what        (<literal>SomeDomainObject</literal>). In other words, authorization        decisions also need to consider the actual domain object instance        subject of a method invocation.</para>        <para>Imagine you're designing an application for a pet clinic. There        will be two main groups of users of your Spring-based application:        staff of the pet clinic, as well as the pet clinic's customers. The        staff will have access to all of the data, whilst your customers will        only be able to see their own customer records. To make it a little        more interesting, your customers can allow other users to see their        customer records, such as their "puppy preschool "mentor or president        of their local "Pony Club". Using Acegi Security as the foundation,        you have several approaches that can be used:<orderedlist>            <listitem>              <para>Write your business methods to enforce the security. You              could consult a collection within the              <literal>Customer</literal> domain object instance to determine              which users have access. By using the              <literal>SecurityContextHolder.getContext().getAuthentication()</literal>,              you'll be able to access the <literal>Authentication</literal>              object.</para>            </listitem>            <listitem>              <para>Write an <literal>AccessDecisionVoter</literal> to enforce              the security from the <literal>GrantedAuthority[]</literal>s              stored in the <literal>Authentication</literal> object. This              would mean your <literal>AuthenticationManager</literal> would              need to populate the <literal>Authentication</literal> with              custom <literal>GrantedAuthority</literal>[]s representing each              of the <literal>Customer</literal> domain object instances the              principal has access to.</para>            </listitem>            <listitem>              <para>Write an <literal>AccessDecisionVoter</literal> to enforce              the security and open the target <literal>Customer</literal>              domain object directly. This would mean your voter needs access              to a DAO that allows it to retrieve the              <literal>Customer</literal> object. It would then access the              <literal>Customer</literal> object's collection of approved              users and make the appropriate decision.</para>            </listitem>          </orderedlist></para>        <para>Each one of these approaches is perfectly legitimate. However,        the first couples your authorization checking to your business code.        The main problems with this include the enhanced difficulty of unit        testing and the fact it would be more difficult to reuse the        <literal>Customer</literal> authorization logic elsewhere. Obtaining        the <literal>GrantedAuthority[]</literal>s from the        <literal>Authentication</literal> object is also fine, but will not        scale to large numbers of <literal>Customer</literal>s. If a user        might be able to access 5,000 <literal>Customer</literal>s (unlikely        in this case, but imagine if it were a popular vet for a large Pony        Club!) the amount of memory consumed and time required to construct        the <literal>Authentication</literal> object would be undesirable. The        final method, opening the <literal>Customer</literal> directly from        external code, is probably the best of the three. It achieves        separation of concerns, and doesn't misuse memory or CPU cycles, but        it is still inefficient in that both the        <literal>AccessDecisionVoter</literal> and the eventual business        method itself will perform a call to the DAO responsible for        retrieving the <literal>Customer</literal> object. Two accesses per        method invocation is clearly undesirable. In addition, with every        approach listed you'll need to write your own access control list        (ACL) persistence and business logic from scratch.</para>        <para>Fortunately, there is another alternative, which we'll talk        about below.</para>      </section>      <section id="domain-acls-basic-old">        <title>Basic ACL Package</title>        <para>Please note that our Basic ACL services are currently being        refactored. We expect release 1.1.0 will contain this new code.        Planned code is already in the Acegi Security Subversion sandbox, so        please check there if you have a new application requiring ACLs or are        in the planning stages. The Basic ACL services will be deprecated from        release 1.1.0.</para>        <para>The <literal>org.acegisecurity.acl</literal> package is very        simple, comprising only a handful of interfaces and a single class, as        shown in Figure 6. It provides the basic foundation for access control        list (ACL) lookups.</para>        <para><mediaobject>            <imageobject role="html">              <imagedata align="center" fileref="images/ACLSecurity.gif"                         format="GIF" />            </imageobject>            <caption>              <para>Figure 6: Access Control List Manager</para>            </caption>          </mediaobject></para>        <para>The central interface is <literal>AclManager</literal>, which is        defined by two methods:</para>        <para><programlisting>public AclEntry[] getAcls(java.lang.Object domainInstance);public AclEntry[] getAcls(java.lang.Object domainInstance, Authentication authentication);</programlisting></para>        <para><literal>AclManager</literal> is intended to be used as a        collaborator against your business objects, or, more desirably,        <literal>AccessDecisionVoter</literal>s. This means you use Spring's        normal <literal>ApplicationContext</literal> features to wire up your        <literal>AccessDecisionVoter</literal> (or business method) with an        <literal>AclManager</literal>. Consideration was given to placing the        ACL information in the <literal>ContextHolder</literal>, but it was        felt this would be inefficient both in terms of memory usage as well        as the time spent loading potentially unused ACL information. The        trade-off of needing to wire up a collaborator for those objects        requiring ACL information is rather minor, particularly in a        Spring-managed application.</para>        <para>The first method of the <literal>AclManager</literal> will        return all ACLs applying to the domain object instance passed to it.        The second method does the same, but only returns those ACLs which        apply to the passed <literal>Authentication</literal> object.</para>        <para>The <literal>AclEntry</literal> interface returned by        <literal>AclManager</literal> is merely a marker interface. You will        need to provide an implementation that reflects that ACL permissions        for your application.</para>        <para>Rounding out the <literal>org.acegisecurity.acl</literal>        package is an <literal>AclProviderManager</literal> class, with a        corresponding <literal>AclProvider</literal> interface.        <literal>AclProviderManager</literal> is a concrete implementation of        <literal>AclManager</literal>, which iterates through registered        <literal>AclProvider</literal>s. The first        <literal>AclProvider</literal> that indicates it can authoritatively        provide ACL information for the presented domain object instance will        be used. This is very similar to the        <literal>AuthenticationProvider</literal> interface used for        authentication.</para>        <para>With this background, let's now look at a usable ACL        implementation.</para>        <para>Acegi Security includes a production-quality ACL provider        implementation, which is shown in Figure 7.</para>        <para><mediaobject>            <imageobject role="html">              <imagedata align="center" fileref="images/BasicAclProvider.gif"                         format="GIF" />            </imageobject>            <caption>              <para>Figure 7: Basic ACL Manager</para>            </caption>          </mediaobject></para>        <para>The implementation is based on integer masking, which is        commonly used for ACL permissions given its flexibility and speed.        Anyone who has used Unix's <literal>chmod</literal> command will know        all about this type of permission masking (eg <literal>chmod        777</literal>). You'll find the classes and interfaces for the integer        masking ACL package under        <literal>org.acegisecurity.acl.basic</literal>.</para>        <para>Extending the <literal>AclEntry</literal> interface is a        <literal>BasicAclEntry</literal> interface, with the main methods        shown below:</para>        <para><programlisting>public AclObjectIdentity getAclObjectIdentity();public AclObjectIdentity getAclObjectParentIdentity();public int getMask();public java.lang.Object getRecipient();</programlisting></para>        <para>As shown, each <literal>BasicAclEntry</literal> has four main        properties. The <literal>mask</literal> is the integer that represents        the permissions granted to the <literal>recipient</literal>. The        <literal>aclObjectIdentity</literal> is able to identify the domain        object instance for which the ACL applies, and the        <literal>aclObjectParentIdentity</literal> optionally specifies the        parent of the domain object instance. Multiple        <literal>BasicAclEntry</literal>s usually exist against a single        domain object instance, and as suggested by the parent identity        property, permissions granted higher in the object hierarchy will        trickle down and be inherited (unless blocked by integer zero).</para>        <para><literal>BasicAclEntry</literal> implementations typically        provide convenience methods, such as        <literal>isReadAllowed()</literal>, to avoid application classes        needing to perform bit masking themselves. The        <literal>SimpleAclEntry</literal> and        <literal>AbstractBasicAclEntry</literal> demonstrate and provide much        of this bit masking logic.</para>        <para>The <literal>AclObjectIdentity</literal> itself is merely a        marker interface, so you need to provide implementations for your        domain objects. However, the package does include a        <literal>NamedEntityObjectIdentity</literal> implementation which will        suit many needs. The <literal>NamedEntityObjectIdentity</literal>        identifies a given domain object instance by the classname of the        instance and the identity of the instance. A        <literal>NamedEntityObjectIdentity</literal> can be constructed        manually (by calling the constructor and providing the classname and        identity <literal>String</literal>s), or by passing in any domain        object that contains a <literal>getId()</literal> method.</para>        <para>The actual <literal>AclProvider</literal> implementation is        named <literal>BasicAclProvider</literal>. It has adopted a similar        design to that used by the authentication-related        <literal>DaoAuthenticationProvder</literal>. Specifically, you define        a <literal>BasicAclDao</literal> against the provider, so different        ACL repository types can be accessed in a pluggable manner. The        <literal>BasicAclProvider</literal> also supports pluggable cache        providers (with Acegi Security including an implementation that fronts        EH-CACHE).</para>        <para>The <literal>BasicAclDao</literal> interface is very simple to        implement:</para>        <para><programlisting>public BasicAclEntry[] getAcls(AclObjectIdentity aclObjectIdentity);</programlisting></para>        <para>A <literal>BasicAclDao</literal> implementation needs to        understand the presented <literal>AclObjectIdentity</literal> and how        it maps to a storage repository, find the relevant records, and create        appropriate <literal>BasicAclEntry</literal> objects and return        them.</para>        <para>Acegi Security includes a single <literal>BasicAclDao</literal>        implementation called <literal>JdbcDaoImpl</literal>. As implied by        the name, <literal>JdbcDaoImpl</literal> accesses ACL information from        a JDBC database. There is also an extended version of this DAO,        <literal>JdbcExtendedDaoImpl</literal>, which provides CRUD operations        on the JDBC database, although we won't discuss these features here.        The default database schema and some sample data will aid in        understanding its function:</para>        <para><programlisting>CREATE TABLE acl_object_identity (     id IDENTITY NOT NULL,     object_identity VARCHAR_IGNORECASE(250) NOT NULL,     parent_object INTEGER,     acl_class VARCHAR_IGNORECASE(250) NOT NULL,     CONSTRAINT unique_object_identity UNIQUE(object_identity),     FOREIGN KEY (parent_object) REFERENCES acl_object_identity(id));CREATE TABLE acl_permission (     id IDENTITY NOT NULL,     acl_object_identity INTEGER NOT NULL,     recipient VARCHAR_IGNORECASE(100) NOT NULL,     mask INTEGER NOT NULL,     CONSTRAINT unique_recipient UNIQUE(acl_object_identity, recipient),     FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id));INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'org.acegisecurity.acl.basic.SimpleAclEntry');INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry');INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry');INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry');INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry');INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry');INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1);INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0);INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2);INSERT INTO acl_permission VALUES (null, 3, 'scott', 14);INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>        <para>As can be seen, database-specific constraints are used        extensively to ensure the integrity of the ACL information. If you        need to use a different database (Hypersonic SQL statements are shown        above), you should try to implement equivalent constraints. The        equivalent Oracle configuration is:</para>        <para><programlisting>CREATE TABLE ACL_OBJECT_IDENTITY (     ID number(19,0) not null,     OBJECT_IDENTITY varchar2(255) NOT NULL,     PARENT_OBJECT number(19,0),     ACL_CLASS varchar2(255) NOT NULL,     primary key (ID));ALTER TABLE ACL_OBJECT_IDENTITY ADD CONTRAINT FK_PARENT_OBJECT foreign key (ID) references ACL_OBJECT_IDENTITYCREATE SEQUENCE ACL_OBJECT_IDENTITY_SEQ;CREATE OR REPLACE TRIGGER ACL_OBJECT_IDENTITY_IDBEFORE INSERT ON ACL_OBJECT_IDENTITYFOR EACH ROWBEGIN  SELECT ACL_OBJECT_IDENTITY_SEQ.NEXTVAL INTO :new.id FROM dual;END;CREATE TABLE ACL_PERMISSION (     ID number(19,0) not null,     ACL_OBJECT_IDENTITY number(19,0) NOT NULL,     RECIPIENT varchar2(255) NOT NULL,     MASK number(19,0) NOT NULL,     primary key (ID));ALTER TABLE ACL_PERMISSION ADD CONTRAINT UNIQUE_ID_RECIPIENT unique (acl_object_identity, recipient);CREATE SEQUENCE ACL_PERMISSION_SEQ;CREATE OR REPLACE TRIGGER ACL_PERMISSION_IDBEFORE INSERT ON ACL_PERMISSIONFOR EACH ROWBEGIN  SELECT ACL_PERMISSION_SEQ.NEXTVAL INTO :new.id FROM dual;END;<bean id="basicAclExtendedDao" class="org.acegisecurity.acl.basic.jdbc.JdbcExtendedDaoImpl">    <property name="dataSource">        <ref bean="dataSource"/>    </property>    <property name="objectPropertiesQuery" value="${acegi.objectPropertiesQuery}"/></bean><prop key="acegi.objectPropertiesQuery">SELECT CHILD.ID, CHILD.OBJECT_IDENTITY, CHILD.ACL_CLASS, PARENT.OBJECT_IDENTITY as PARENT_OBJECT_IDENTITY FROM acl_object_identity as CHILD LEFT OUTER JOIN acl_object_identity as PARENT ON CHILD.parent_object=PARENT.id WHERE CHILD.object_identity = ?</prop> </programlisting></para>        <para>The <literal>JdbcDaoImpl</literal> will only respond to requests        for <literal>NamedEntityObjectIdentity</literal>s. It converts such        identities into a single <literal>String</literal>, comprising        the<literal> NamedEntityObjectIdentity.getClassname()</literal> +        <literal>":"</literal> +        <literal>NamedEntityObjectIdentity.getId()</literal>. This yields the        type of <literal>object_identity</literal> values shown above. As        indicated by the sample data, each database row corresponds to a        single <literal>BasicAclEntry</literal>. As stated earlier and        demonstrated by <literal>corp.DomainObject:2</literal> in the above        sample data, each domain object instance will often have multiple        <literal>BasicAclEntry</literal>[]s.</para>        <para>As <literal>JdbcDaoImpl</literal> is required to return concrete        <literal>BasicAclEntry</literal> classes, it needs to know which        <literal>BasicAclEntry</literal> implementation it is to create and        populate. This is the role of the <literal>acl_class</literal> column.        <literal>JdbcDaoImpl</literal> will create the indicated class and set        its <literal>mask</literal>, <literal>recipient</literal>,        <literal>aclObjectIdentity</literal> and        <literal>aclObjectParentIdentity</literal> properties.</para>        <para>As you can probably tell from the sample data, the        <literal>parent_object_identity</literal> value can either be null or        in the same format as the <literal>object_identity</literal>. If        non-null, <literal>JdbcDaoImpl</literal> will create a        <literal>NamedEntityObjectIdentity</literal> to place inside the        returned <literal>BasicAclEntry</literal> class.</para>        <para>Returning to the <literal>BasicAclProvider</literal>, before it        can poll the <literal>BasicAclDao</literal> implementation it needs to        convert the domain object instance it was passed into an        <literal>AclObjectIdentity</literal>.        <literal>BasicAclProvider</literal> has a <literal>protected        AclObjectIdentity obtainIdentity(Object domainInstance)</literal>        method that is responsible for this. As a protected method, it enables        subclasses to easily override. The normal implementation checks        whether the passed domain object instance implements the        <literal>AclObjectIdentityAware</literal> interface, which is merely a        getter for an <literal>AclObjectIdentity</literal>. If the domain        object does implement this interface, that is the identity returned.        If the domain object does not implement this interface, the method        will attempt to create an <literal>AclObjectIdentity</literal> by        passing the domain object instance to the constructor of a class        defined by the        <literal>BasicAclProvider.getDefaultAclObjectIdentity()</literal>        method. By default the defined class is        <literal>NamedEntityObjectIdentity</literal>, which was described in        more detail above. Therefore, you will need to either (i) provide a        <literal>getId()</literal> method on your domain objects, (ii)        implement <literal>AclObjectIdentityAware</literal> on your domain        objects, (iii) provide an alternative        <literal>AclObjectIdentity</literal> implementation that will accept        your domain object in its constructor, or (iv) override the        <literal>obtainIdentity(Object)</literal> method.</para>        <para>Once the <literal>AclObjectIdentity</literal> of the domain        object instance is determined, the <literal>BasicAclProvider</literal>        will poll the DAO to obtain its <literal>BasicAclEntry</literal>[]s.        If any of the entries returned by the DAO indicate there is a parent,        that parent will be polled, and the process will repeat until there is        no further parent. The permissions assigned to a        <literal>recipient</literal> closest to the domain object instance        will always take priority and override any inherited permissions. From        the sample data above, the following inherited permissions would        apply:</para>        <para><programlisting>--- Mask integer 0  = no permissions--- Mask integer 1  = administer--- Mask integer 2  = read--- Mask integer 6  = read and write permissions--- Mask integer 14 = read and write and create permissions------------------------------------------------------------------------ *** INHERITED RIGHTS FOR DIFFERENT INSTANCES AND RECIPIENTS ***--- INSTANCE  RECIPIENT         PERMISSION(S) (COMMENT #INSTANCE)------------------------------------------------------------------------    1      ROLE_SUPERVISOR   Administer---    2      ROLE_SUPERVISOR   None (overrides parent #1)---           marissa           Read---    3      ROLE_SUPERVISOR   Administer (from parent #1)---           scott             Read, Write, Create---    4      ROLE_SUPERVISOR   Administer (from parent #1)---    5      ROLE_SUPERVISOR   Administer (from parent #3)---           scott             Read, Write, Create (from parent #3)---    6      ROLE_SUPERVISOR   Administer (from parent #3)---           scott             Administer (overrides parent #3)</programlisting></para>        <para>So the above explains how a domain object instance has its        <literal>AclObjectIdentity</literal> discovered, and the        <literal>BasicAclDao</literal> will be polled successively until an        array of inherited permissions is constructed for the domain object        instance. The final step is to determine the        <literal>BasicAclEntry</literal>[]s that are actually applicable to a        given <literal>Authentication</literal> object.</para>        <para>As you would recall, the <literal>AclManager</literal> (and all        delegates, up to and including <literal>BasicAclProvider</literal>)        provides a method which returns only those        <literal>BasicAclEntry</literal>[]s applying to a passed        <literal>Authentication</literal> object.        <literal>BasicAclProvider</literal> delivers this functionality by        delegating the filtering operation to an        <literal>EffectiveAclsResolver</literal> implementation. The default        implementation,        <literal>GrantedAuthorityEffectiveAclsResolver</literal>, will iterate        through the <literal>BasicAclEntry</literal>[]s and include only those        where the <literal>recipient</literal> is equal to either the        <literal>Authentication</literal>'s <literal>principal</literal> or        any of the <literal>Authentication</literal>'s        <literal>GrantedAuthority</literal>[]s. Please refer to the JavaDocs        for more information.</para>        <mediaobject>          <imageobject role="html">            <imagedata align="center" fileref="images/Permissions.gif"                       format="GIF" />          </imageobject>          <caption>            <para>Figure 8: ACL Instantiation Approach</para>          </caption>        </mediaobject>        <para>The above figure explains the key relationships between objects        in the Basic ACL package.</para>      </section>    </chapter>  </part>  <part id="resources">    <title>Other Resources</title>    <partintro>      <para>In addition to this reference guide, a number of other resources      exist to help you learn how to use Acegi Security. These resources are      discussed in this section.</para>    </partintro>    <chapter id="sample-apps">      <title id="samples">Sample Applications</title>      <sect1 id="contacts-sample">        <title id="contacts">Contacts</title>        <para>Included with Acegi Security is a very simple application that        can demonstrate the basic security facilities provided by the system        (and confirm your Container Adapter is properly configured if you're        using one).</para>        <para>If you build from Subversion, the Contacts sample application        includes three deployable versions:        <literal>acegi-security-sample-contacts-filter.war</literal> is        configured with the HTTP Session Authentication approach.        Acegi<literal><literal>-security-sample-contacts-ca.war</literal></literal>        is configured to use a Container Adapter. Finally,        <literal>acegi-security-sample-contacts-cas.war</literal> is designed        to work with a JA-SIG CAS server. If you're just wanting to see how        the sample application works, please use        <literal><literal>acegi-security-sample-contacts-filter.war</literal></literal>        as it does not require special configuration of your container. This        is also the artifact included in official release ZIPs.</para>        <para>To deploy, simply copy the relevant WAR file from Acegi Security        distribution into your container’s <literal>webapps</literal>        directory.</para>        <para>After starting your container, check the application can load.        Visit        <literal>http://localhost:</literal><literal><literal>8080/</literal>acegi-security-sample-contacts-filter</literal>        (or whichever URL is appropriate for your web container and the WAR        you deployed). A random contact should be displayed. Click "Refresh"        several times and you will see different contacts. The business method        that provides this random contact is not secured.</para>        <para>Next, click "Debug". You will be prompted to authenticate, and a        series of usernames and passwords are suggested on that page. Simply        authenticate with any of these and view the resulting page. It should        contain a success message similar to the following:</para>        <blockquote>          <para>Context on SecurityContextHolder is of type:          org.acegisecurity.context.SecurityContextImpl</para>          <para>The Context implements SecurityContext.</para>          <para>Authentication object is of type:          org.acegisecurity.adapters.PrincipalAcegiUserToken</para>          <para>Authentication object as a String:          org.acegisecurity.adapters.PrincipalAcegiUserToken@e9a7c2: Username:          marissa; Password: [PROTECTED]; Authenticated: true; Granted          Authorities: ROLE_TELLER, ROLE_SUPERVISOR</para>          <para>Authentication object holds the following granted          authorities:</para>          <para>ROLE_TELLER (getAuthority(): ROLE_TELLER)</para>          <para>ROLE_SUPERVISOR (getAuthority(): ROLE_SUPERVISOR)</para>          <para>SUCCESS! Your [container adapter|web filter] appears to be          properly configured!</para>        </blockquote>        <para>If you receive a different message, and deployed        <literal>acegi-security-sample-contacts-ca.war</literal>, check you        have properly configured your Container Adapter as described elsewhere        in this reference guide.</para>        <para>Once you successfully receive the above message, return to the        sample application's home page and click "Manage". You can then try        out the application. Notice that only the contacts available to the        currently logged on user are displayed, and only users with        <literal>ROLE_SUPERVISOR</literal> are granted access to delete their        contacts. Behind the scenes, the        <literal>MethodSecurityInterceptor</literal> is securing the business        objects. If you're using        <literal><literal>acegi-security-sample-contacts-filter.war</literal></literal>        or <literal>acegi-security-sample-contacts-cas.war</literal>, the        <literal>FilterSecurityInterceptor</literal> is also securing the HTTP        requests. If using either of these WARs, be sure to try visiting        <literal>http://localhost:8080/contacts/secure/super</literal>, which        will demonstrate access being denied by the        <literal>FilterSecurityInterceptor</literal>. Note the sample        application enables you to modify the access control lists associated        with different contacts. Be sure to give this a try and understand how        it works by reviewing the sample application's application context XML        files.</para>        <para>The Contacts sample application also include a        <literal>client</literal> directory. Inside you will find a small        application that queries the backend business objects using several        web services protocols. This demonstrates how to use Acegi Security        for authentication with Spring remoting protocols. To try this client,        ensure your servlet container is still running the Contacts sample        application, and then execute <literal>client marissa koala</literal>.        The command-line parameters respectively represent the username to        use, and the password to use. Note that you may need to edit        <literal>client.properties</literal> to use a different target        URL.</para>        <para>Please note the sample application's <literal>client</literal>        does not currently support CAS. You can still give it a try, though,        if you're ambitious: try <literal>client _cas_stateless_        YOUR-SERVICE-TICKET-ID</literal>.</para>      </sect1>      <sect1 id="tutorial-sample">        <title>Tutorial Sample</title>        <para>Whilst the <link linkend="contacts-sample">Contacts        Sample</link> is quite advanced in that it illustrates the more        powerful features of domain object access control lists and so on,        sometimes you just want to start with a nice basic example. The        tutorial sample is intended to provide this for you.</para>        <para>The compiled tutorial is included in the distribution ZIP file,        ready to be deployed into your web container. Authentication is        handled by the <link        linkend="dao-provider">DaoAuthenticationProvider</link>, using the        <link linkend="in-memory-service">in-memory</link>        <literal>UserDetailsService</literal> that sources information from        the <literal>users.properties</literal> file located in the WAR's        <literal>/WEB-INF</literal> directory. The <link        linkend="form">form-based</link> authentication mechanism is used,        with the commonly-used <link linkend="remember-me">remember-me</link>        authentication provider used to automatically remember the login using        cookies.</para>        <para>In terms of authorization, to keep things simple we've        configured the tutorial to only perform some basic <link        linkend="filter-invocation-authorization">web filter        authorization</link>. We've wired two common <link        linkend="pre-invocation">pre-invocation access decision voters</link>,        being the <literal>RoleVoter</literal> and        <literal>AuthenticatedVoter</literal>, such that        <literal>ROLE_*</literal> configuration attributes and        <literal>IS_AUTHENTICATED_*</literal> configuration attributes may be        used. Of course, it's extremely easy to add in other providers, with        most users probably starting with some services-layer security using        <link linkend="aop-alliance">MethodSecurityInterceptor</link>.</para>        <para>We recommend you start with the tutorial sample, as the XML is        minimal and easy to follow. All of the needed <link        linkend="filters">filters</link> are configured properly, and using        best practise. Most importantly, you can easily this one XML file (and        its corresponding <literal>web.xml</literal> entries) to your existing        application. Only when this basic integration is achieved do we        suggest you attempt adding in method authorization or domain object        security.</para>      </sect1>    </chapter>    <chapter id="community">      <title>Community Support</title>      <sect1 id="jira">        <title>Use JIRA for Issue Tracking</title>        <para>Acegi Security uses JIRA to manage bug reports and enhancement        requests. If you find a bug, please log a report using JIRA. Do not        log it on the support forum, mailing list or by emailing the project's        developers. Such approaches are ad-hoc and we prefer to manage bugs        using a more formal process.</para>        <para>If possible, in your JIRA report please provide a JUnit test        that demonstrates any incorrect behaviour. Or, better yet, provide a        patch that corrects the issue. Similarly, enhancements are welcome to        be logged in JIRA, although we only accept commit enhancement requests        if you include corresponding unit tests. This is necessary to ensure        project test coverage is adequately maintained.</para>        <para>You can access JIRA at <ulink        url="http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040"></ulink>.</para>      </sect1>      <sect1 id="becoming-involved">        <title>Becoming Involved</title>        <para>We welcome you to become involved in Acegi Security project.        There are many ways of contributing, including reading the mailing        list and responding to questions from other people, writing new code,        improving existing code, assisting with documentation, developing        samples or tutorials, or simply making suggestions.</para>        <para>Please read our project policies web page that is available on        Acegi Security home page. This explains the path to become a        committer, and the administration approaches we use within the        project.</para>      </sect1>      <sect1 id="further-info">        <title>Further Information</title>        <para>Questions and comments on Acegi Security are welcome. Please use        the Spring Community Forum web site at <ulink        url="http://forum.springframework.org"></ulink> for all support        issues. Remember to use JIRA for bug reports, as explained above.        Everyone is also welcome to join the Acegisecurity-developer mailing        list and participate in design discussions. It's also a good way of        finding out what's happening with regard to release timing, and the        traffic volume is quite light. Finally, our project home page (where        you can obtain the latest release of the project and convenient links        to Subversion, JIRA, mailing lists, forums etc) is at <ulink        url="http://acegisecurity.org"></ulink>.</para>      </sect1>    </chapter>  </part></book>
 |