Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Tree: c8055b57d7
Branches Tags
spring-security
/
doc
/
xdocs
/
index.html

index.html 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167 
  1. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    2. 

  2. <HTML><HEAD><TITLE>Acegi Security System for Spring</TITLE>
    3. 

  3. <META http-equiv=Content-Type content="text/html; charset=windows-1252">
    4. 

  4. <META content="MSHTML 6.00.2900.2180" name=GENERATOR></HEAD>
    5. 

  5. <BODY>
    6. 

  6.       <CENTER>
    7. 

  7.       </CENTER><BR><BR><FONT 
    8. 

  8.       face=Arial size=-1>
    9. 

  9.       <CENTER><B>
    10. 

  10.       <HR>
    11. 

  11. 

  12.       <CENTER>Mission Statement</CENTER></B>
    13. 

  13.       <HR>
    14. 

  14.       <BR>To provide comprehensive security services for <A 
    15. 

  15.       href="http://www.springframework.org/"><I>The Spring Framework</I></A>. 
    16. 

  16.       </CENTER><BR><B>
    17. 

  17.       <HR>
    18. 

  18. 

  19.       <CENTER>Key Features</CENTER></B>
    20. 

  20.       <HR>
    21. 

  21.       <BR>
    22. 

  22.       <UL>
    23. 

  23.         <LI><B>It is ready NOW.</B> As explained in the reference guide, the API 
    24. 

  24.         is now quite stable. We also use the <A 
    25. 

  25.         href="http://apr.apache.org/versioning.html">Apache APR Project 
    26. 

  26.         Versioning Guidelines</A> so you can identify backward 
    27. 

  27.         compatibility.<BR><BR>
    28. 

  28.         <LI><B>Fast results:</B> View our <a href="suggested.html">Suggested Steps</a>
    29. 

  29.         for the fastest way to develop complex, security-compliant applications.<BR><BR>
    30. 

  30.         <LI><B>Enterprise-wide single sign on:</B> Using Yale University's open 
    31. 

  31.         source <A href="http://www.yale.edu/tp/auth/">Central Authentication 
    32. 

  32.         Service</A> (CAS), the Acegi Security System for Spring can participate 
    33. 

  33.         in an enterprise-wide single sign on environment. You no longer need 
    34. 

  34.         every web application to have its own authentication database. Nor are 
    35. 

  35.         you restricted to single sign on across a single web container. Advanced 
    36. 

  36.         single sign on features like proxy support and forced refresh of logins 
    37. 

  37.         are supported by both CAS and Acegi Security.<BR><BR>
    38. 

  38.         <LI><B>Reuses your Spring expertise:</B> We use Spring application 
    39. 

  39.         contexts for all configuration, which should help Spring developers get 
    40. 

  40.         up-to-speed nice and quickly.<BR><BR>
    41. 

  41.         <LI><B>Domain object instance security:</B> In many applications it's 
    42. 

  42.         desirable to define Access Control Lists (ACLs) for individual domain 
    43. 

  43.         object instances. We provide a comprehensive ACL package with features 
    44. 

  44.         including integer bit masking, permission inheritence (including 
    45. 

  45.         blocking), a JDBC-backed ACL repository, caching and a pluggable, 
    46. 

  46.         interface-driven design.<BR><BR>
    47. 

  47.         <LI><B>Non-intrusive setup:</B> The entire security system can operate 
    48. 

  48.         within a single web application using the provided filters. There is no 
    49. 

  49.         need to make special changes or deploy libraries to your Servlet or EJB 
    50. 

  50.         container.<BR><BR>
    51. 

  51.         <LI><B>Full (but optional) container integration:</B> The credential 
    52. 

  52.         collection and authorization capabilities of your Servlet or EJB 
    53. 

  53.         container can be fully utilised via included "container adapters". We 
    54. 

  54.         currently support Catalina (Tomcat), Jetty, JBoss and Resin, with 
    55. 

  55.         additional containers easily added.<BR><BR>
    56. 

  56.         <LI><B>Keeps your objects free of security code:</B> Many applications 
    57. 

  57.         need to secure data at the bean level based on any combination of 
    58. 

  58.         parameters (user, time of day, authorities held, method being invoked, 
    59. 

  59.         parameter on method being invoked....). This package gives you this 
    60. 

  60.         flexibility without adding security code to your Spring business 
    61. 

  61.         objects.<BR><BR>
    62. 

  62.         <LI><B>After invocation security:</B> Acegi Security can not only protect
    63. 

  63. 		methods from being invoked in the first place, but it can also
    64. 

  64. 		deal with the Objects returned from the methods. Included implementations 
    65. 

  65. 		of after invocation security can throw an exception or mutate the returned
    66. 

  66. 		object based on ACLs.<BR><BR>
    67. 

  67.         <LI><B>Secures your HTTP requests as well:</B> In addition to securing 
    68. 

  68.         your beans, the project also secures your HTTP requests. No longer is it 
    69. 

  69.         necessary to rely on web.xml security constraints. Best of all, your 
    70. 

  70.         HTTP requests can now be secured by your choice of regular expressions 
    71. 

  71.         or Apache Ant paths, along with pluggable authentication, authorization 
    72. 

  72.         and run-as replacement managers.<BR><BR>
    73. 

  73.         <LI><B>Channel security:</B> The Acegi Security System for Spring can 
    74. 

  74.         automatically redirect requests across an appropriate transport channel. 
    75. 

  75.         Whilst flexible enough to support any of your "channel" requirements (eg 
    76. 

  76.         the remote user is a human, not a robot), a common channel security 
    77. 

  77.         feature is to ensure your secure pages will only be available over 
    78. 

  78.         HTTPS, and your public pages only over HTTP. Acegi Security also 
    79. 

  79.         supports unusual port combinations and pluggable transport decision 
    80. 

  80.         managers.<BR><BR>
    81. 

  81.         <LI><B>Supports HTTP BASIC authentication:</B> Perfect for remoting 
    82. 

  82.         protocols or those web applications that prefer a simple browser pop-up 
    83. 

  83.         (rather than a form login), Acegi Security can directly process HTTP 
    84. 

  84.         BASIC authentication requests as per RFC 1945.<BR><BR>
    85. 

  85.         <LI><B>Convenient security taglib:</B> Your JSP files can use our taglib 
    86. 

  86.         to ensure that protected content like links and messages are only 
    87. 

  87.         displayed to users holding the appropriate granted authorities. The taglib
    88. 

  88. 		also fully integrates with Acegi Security's ACL services.<BR><BR>
    89. 

  89.         <LI><B>Application context or attribute-based configuration:</B> You 
    90. 

  90.         select the method used to configure your security environment. The 
    91. 

  91.         project supports configuration via Spring application contexts as well 
    92. 

  92.         as Jakarta Commons Attributes.<BR><BR>
    93. 

  93.         <LI><B>Various authentication backends:</B> We include the ability to 
    94. 

  94.         retrieve your user and granted authority definitions from either an XML 
    95. 

  95.         file or JDBC datasource. Alternatively, you can implement the 
    96. 

  96.         single-method DAO interface and obtain authentication details from 
    97. 

  97.         anywhere you like.<BR><BR>
    98. 

  98.         <LI><B>Event support:</B> Building upon Spring's 
    99. 

  99.         <CODE>ApplicationEvent</CODE> services, you can write your own listeners 
    100. 

  100.         for authentication-related events, along with authorisation-related events.
    101. 

  101. 		This enables you to implement account lockout and audit log systems, with
    102. 

  102. 		complete decoupling from Acegi Security code.<BR><BR>
    103. 

  103.         <LI><B>Easy integration with existing databases:</B> Our implementations 
    104. 

  104.         have been designed to make it very easy to use your existing 
    105. 

  105.         authentication schema and data (without modification). Of course,
    106. 

  106. 		you can also provide your own Data Access Object if you wish.<BR><BR>
    107. 

  107.         <LI><B>Caching:</B> Acegi Security integrates with Spring's <A 
    108. 

  108.         href="http://ehcache.sourceforge.net/">EHCACHE</A> factory. 
    109. 

  109.         This flexibility means your database (or other authentication 
    110. 

  110.         repository) is not repeatedly queried for authentication 
    111. 

  111.         information.<BR><BR>
    112. 

  112.         <LI><B>Pluggable architecture:</B> Every critical aspect of the package 
    113. 

  113.         has been modelled using high cohesion, loose coupling, interface-driven 
    114. 

  114.         design principles. You can easily replace, customise or extend parts of 
    115. 

  115.         the package.<BR><BR>
    116. 

  116.         <LI><B>Startup-time validation:</B> Every critical object dependency and 
    117. 

  117.         configuration parameter is validated at application context startup 
    118. 

  118.         time. Security configuration errors are therefore detected early and 
    119. 

  119.         corrected quickly.<BR><BR>
    120. 

  120.         <LI><B>Remoting support:</B> Does your project use a rich client? Not a 
    121. 

  121.         problem. Acegi Security integrates with standard Spring remoting 
    122. 

  122.         protocols, because it automatically processes the HTTP BASIC 
    123. 

  123.         authentication headers they present. Add our BASIC authentication filter 
    124. 

  124.         to your web.xml and you're done.<BR><BR>
    125. 

  125.         <LI><B>Advanced password encoding:</B> Of course, passwords in your 
    126. 

  126.         authentication repository need not be in plain text. We support both SHA 
    127. 

  127.         and MD5 encoding, and also pluggable "salt" providers to maximise 
    128. 

  128.         password security.<BR><BR>
    129. 

  129.         <LI><B>Run-as replacement:</B> The security system fully supports 
    130. 

  130.         temporarily replacing the authenticated user for the duration of the web 
    131. 

  131.         request or bean invocation. This enables you to build public-facing 
    132. 

  132.         object tiers with different security configurations than your backend 
    133. 

  133.         objects.<BR><BR>
    134. 

  134.         <LI><B>Transparent security propagation:</B> Acegi Security can automatically
    135. 

  135. 		transfer its core authentication information from one machine to another,
    136. 

  136. 		using a variety of protocols including RMI and Spring's HttpInvoker.<BR><BR>
    137. 

  137.         <LI><B>Compatible with HttpServletRequest.getRemoteUser():</B> Even though
    138. 

  138. 		Acegi Security can deliver authentication using a range of pluggable mechanisms
    139. 

  139. 		(most of which require no web container configuration), we allow you to access
    140. 

  140. 		the resulting Authentication object via the getRemoteUser() method.<BR><BR>
    141. 

  141.         <LI><B>Unit tests:</B> A must-have of any quality security project, unit 
    142. 

  142.         tests are included. Our unit test coverage is very high, as shown in the
    143. 

  143. 		<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<BR><BR>
    144. 

  144.         <LI><B>Built by Maven:</B> This assists you in effectively reusing the Acegi
    145. 

  145. 		Security artifacts in your own Maven-based projects.<BR><BR>
    146. 

  146.         <LI><B>Supports your own unit tests:</B> We provide a number of classes 
    147. 

  147.         that assist with your own unit testing of secured business objects. For 
    148. 

  148.         example, you can change the authentication identity and its associated 
    149. 

  149.         granted authorities directly within your test methods.<BR><BR>
    150. 

  150.         <LI><B>Peer reviewed:</B> Whilst nothing is ever completely secure, 
    151. 

  151.         using an open source security package leverages the continuous design 
    152. 

  152.         and code quality improvements that emerge from peer review.<BR><BR>
    153. 

  153.         <LI><B>Thorough documentation:</B> All APIs are fully documented using 
    154. 

  154.         JavaDoc, with a 40+ page reference guide providing an easy-to-follow 
    155. 

  155.         introduction. More documentation is provided on this web site, as
    156. 

  156. 		shown in the left hand navigation sidebar.<BR><BR>
    157. 

  157.         <LI><B>Apache license.</B><BR><BR></LI></UL><BR><B>
    158. 

  158.       <HR>
    159. 

  159. 

  160.       <CENTER>Project Resources</CENTER></B>
    161. 

  161.       <HR>
    162. 

  162.       <BR>
    163. 

  163.       <CENTER><A href="http://forum.springframework.org/"><B>Support 
    164. 

  164.       Forums</B></A><BR><BR><A 
    165. 

  165.       href="http://sourceforge.net/project/showfiles.php?group_id=104215"><B>Downloads</B></A>
    166. 

  166.       </CENTER></FONT>
    167. 

  167. </BODY></HTML>
    168.