More documentation.

21 years ago · 118fde588c
5 changed files with 351 additions and 12 deletions
--- a/doc/xdocs/articles.html
+++ b/doc/xdocs/articles.html
@ -0,0 +1,64 @@
 <!--
 * ========================================================================
 * 
 * Copyright 2004 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * 
 * ========================================================================
 -->
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <title>Articles, Blog Posts and Comments covering Acegi Security</title>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 </head>
 <body>
  <h1>Articles, Blog Posts and Comments covering Acegi Security</h1>
  <p>Here are some of the external pages mentioning Acegi Security. If you've
 	found another, please let us know.
  <ul>
    <li><b><a href="http://www.springframework.org">Spring Forums</a></b>:
 		The first place to look for Acegi Security support (use the 'search' function).
 	</li>
    <li><b><a href="mail-lists.html">Acegi Security Mailing Lists</a></b>:
 		If you'd like to discuss development of the project.
 	</li>
    <li><b><a href="http://www.javalobby.org/articles/acegisecurity/part1.jsp">Securing Your Java Applications - Acegi Security Style</a></b>:
 		Matthew Porter wrote this good introductory article for Javalobby.
 	</li>
    <li><b><a href="http://confluence.sourcebeat.com/display/SPL/Update+Chapters">Spring Live Update Chapters</a></b>:
 		Matt Raible is including Acegi Security in Chapter 12 of his popular ebook.
 	</li>
    <li><b><a href="http://tp.its.yale.edu/tiki/tiki-view_faq.php?faqId=2#q16">Central Authentication Service FAQ</a></b>:
 		A general overview of how Acegi Security is used with Yale's CAS.
 	</li>
    <li><b><a href="http://jroller.com/page/habuma/20041124#simplifying_acegi_configuration">Simplifying Acegi Configuration</a></b>:
 		Craig Walls provides a good approach to reusing your Acegi Security configuration between projects.
 	</li>
    <li><b><a href="http://www.almaer.com/blog/archives/000500.html">Let's leak IoC/DI into standards. You miss them when they aren't there!</a></b>:
 		Ain't that the truth! A good example of where Acegi Security's <code>FilterToProxyBean</code> comes in handy.
 	</li>
    <li><b><a href="http://www.manageability.org/blog/stuff/single-sign-on-in-java/view">Open Source Identity Management Solutions Written in Java</a></b>:
 		From <code>manageability.org</code>.
 	</li>
    <li><b><a href="http://www.orablogs.com/fnimphius/archives/000730.html">J2EE Security: Struts "Shale" proposal does improve web application security</a></b>:
 		Frank Nimphius' blog contained some comments on Acegi Security. See
 		our <a href="faq.html">FAQ</a> for additional JAAS comments.
 	</li>
  </ul>
 </body>
 </html>
--- a/doc/xdocs/faq.html
+++ b/doc/xdocs/faq.html
@ -0,0 +1,137 @@
 <!--
 * ========================================================================
 * 
 * Copyright 2004 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * 
 * ========================================================================
 -->
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <title>Frequently Asked Questions (FAQ) on Acegi Security</title>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 </head>
 <body>
  <h1>Frequently Asked Questions</h1>
  <h2>How do you pronounce "Acegi"?</h2>
  <p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.</p>
  <h2>Is it called "Acegi" or "Acegi Security"?</h2>
  <p>It's official name is <i>Acegi Security System for Spring</i>,
 	although we're happy for it to be abbreviated to
 	<i>Acegi Security</i>. Please don't just call it <i>Acegi</i>, though,
 	as that gets confused with the name of the company that maintains Acegi
 	Security.</p>
  <h2>Why catches 80% of users reporting problems?</h2>
  <p>80% of support questions are because people have not defined
 	the necessary filters in <code>web.xml</code>, or the filters are being
 	mapped in the incorrect order. Check the 
 	<a href="reference.html">Reference Guide</a>, which
 	has a specific section on filter ordering.</p>
  <h2>I'm sure my filters are ordered correctly. What else could be wrong?</h2>
  <p>The next most common source of problems step from custom
 	<code>AuthenticationDao</code> implementations that simply don't properly
 	implement the interface. For example, they return <code>null</code> instead
 	of the user not found exception, or fail to add in the
 	<code>GrantedAuthority[]</code>s. We suggest you write the
 	<code>UserDetails</code> object generated by your <code>AuthenticationDao</code>
 	to the log and check it looks correct.</p>
  <h2>How do I store custom properties, like a user's email address?</h2>
  <p>In most cases write an <code>AuthenticationDao</code> which returns
 	a subclass of <code>User</code>. Alternatively, write your own
 	<code>UserDetails</code> implementation from scratch and return that.</p>
  <h2>I need some help. What files should I post?</h2>
  <p>The most important things to post with any support requests on the
 	<a href="http://forum.springframework.org">Spring Forums</a> are your
 	<code>web.xml</code>, <code>applicationContext.xml</code> (or whichever
 	XML loads the security-related beans) as well as any custom
 	<code>AuthenticationDao</code> you might be using. For really odd problems,
 	also switch on debug-level logging and include the resulting log.</p>
  <h2>How do I switch on debug-level logging?</h2>
  <p>Acegi Security uses Commons Logging, just as Spring does. So you use the
 	same approach as you'd use for Spring. Most people output to Log4J, so
 	the following <code>log4j.properties</code> would work:</p>
 	<pre>
 		log4j.rootCategory=WARN, stdout
 		log4j.appender.stdout=org.apache.log4j.ConsoleAppender
 		log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
 		log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
 		log4j.category.net.sf.acegisecurity=DEBUG</pre>
  <h2>Why doesn't Acegi Security use JAAS?</h2>
  <p>Acegi Security targets <i>enterprise applications</i>, which are typically
 	multi-user, data-oriented applications that are important to
 	the core business. Acegi Security was designed to provide a portable and effective
 	security framework for this target application type. It was not designed for securing
 	limited privilege runtime environments, such as web browser applets.</p>
 	<p>We did consider JAAS when designing Acegi Security, but it simply
 	wasn't suitable for our purpose. We needed to avoid complex JRE configurations,
 	we needed container portability, and we wanted maximum leveraging of the Spring IoC
 	container. Particularly as limited privilege runtime environments were not
 	an actual requirement, this lead to the natural design of Acegi Security as
 	it exists today.</p>
 	<p>Acegi Security already provides some JAAS integration. It can today authenticate
 	via delegation to a JAAS login module. This means it offers the same level of JAAS
 	integration as many web containers. Indeed the container adapter model supported by
 	Acegi Security allows Acegi Security and container-managed security to happily
 	co-exist and benefit from each other. Any debate about Acegi Security and JAAS
 	should therefore centre on the authorisation issue. An evaluation of major
 	containers and security frameworks would reveal that Acegi Security is by no
 	means unusual in not using JAAS for authorisation.</p>
 	<p>There are many examples of open source applications being preferred to
 	official standards. A few that come to mind in the Java community include
 	using Spring managed POJOs (rather than EJBs), Hibernate (instead of entity beans),
 	Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker
 	(instead of JSP). It's important to recognise that many open source projects do
 	develop into de facto standards, and in doing so play a legitimate and beneficial
 	role in the software development profession.</p>
  <h2>Do you welcome contributions?</h2>
  <p>Yes. If you've written something and it works well, please feel free to share it.
 	Simply email the contribution to the 
 	<a href="mail-lists.html">acegisecurity-developers</a> list. If you haven't yet
 	written the contribution, we encourage you to send your thoughts to the same 
 	list so that you can receive some initial design feedback.</p>
 	<p>For a contribution to be used, it must have appropriate unit test coverage and
 	detailed JavaDocs. It will ideally have some comments for the Reference Guide
 	as well (this can be sent in word processor or HTML format if desired). This
 	helps ensure the contribution maintains the same quality as the remainder of
 	the project.</p>
 	<p>We also welcome documentation improvements, unit tests, illustrations,
 	people supporting the user community (especially on the forums), design ideas,
 	articles, blog entries, presentations and alike. If you're looking for something
 	to do, you can always email the
 	<a href="mail-lists.html">acegisecurity-developers</a> list and we'll be
 	pleased to suggest something. :-)</p>
 </body>
 </html>
--- a/doc/xdocs/navigation.xml
+++ b/doc/xdocs/navigation.xml
@ -29,30 +29,30 @@
    <menu name="Overview">
      <item name="Home" href="index.html"/>
      <item name="Reference" href="reference.html"/>
      <item name="Building with Maven" href="building.html"/>
      <item name="Downloads" href="downloads.html"/>
      <item name="Subprojects" href="projects-overview.html"/>
    </menu>
-    <menu name="Core">
+    <menu name="Documentation">
-      <item name="Core" href="multiproject/acegi-security/index.html"/>
+      <item name="Suggested Steps" href="suggested.html"/>
-      <item name="Sample SQL" href="dbinit.txt"/>
+      <item name="Reference Guide" href="reference.html"/>
-    </menu>
+      <item name="Sample SQL Schema" href="dbinit.txt"/>
-
+      <item name="Frequently Asked Questions" href="faq.html"/>
-    <menu name="Upgrade Help">
+      <item name="External Web Articles" href="articles.html"/>
      <item name="Upgrading to 0.7.0" href="upgrade/upgrade-06-070.html"/>
      <item name="Upgrading to 0.6" href="upgrade/upgrade-05-06.html"/>
      <item name="Upgrading to 0.5" href="upgrade/upgrade-04-05.html"/>
      <item name="Upgrading to 0.4" href="upgrade/upgrade-03-04.html"/>
    </menu>
-    <menu name="Adapters">
+    <menu name="Projects">
      <item name="Core" href="multiproject/acegi-security/index.html"/>
      <item name="CAS" href="multiproject/acegi-security-cas/index.html"/>
      <item name="Catalina" href="multiproject/acegi-security-catalina/index.html"/>
      <item name="JBoss" href="multiproject/acegi-security-jboss/index.html"/>
      <item name="Jetty" href="multiproject/acegi-security-jetty/index.html"/>
      <item name="Resin" href="multiproject/acegi-security-resin/index.html"/>
      <item name="Subproject Index" href="projects-overview.html"/>
    </menu>
    <menu name="Samples">
@ -62,7 +62,7 @@
    <search/>
-    <menu name="" type="footer">
+    <menu type="footer">
      <item name="Spring Framework" href="http://www.springframework.org/" img="http://www.springframework.org/buttons/spring_white.png"/>
      <item name="Code Coverage by Clover" href="http://www.thecortex.net/clover" img="http://www.thecortex.net/clover/images/clovered1.gif"/>
    </menu>
--- a/doc/xdocs/reference.xml
+++ b/doc/xdocs/reference.xml
@ -39,7 +39,7 @@
            </td>
            <td>
              The original docbook-generated reference. This is a good place to start if you want
-              to use the Acegi System to secure your applications.
+              to use the Acegi Security System to secure your applications.
            </td>
          </tr>
@ -48,7 +48,7 @@
              <a href="docbook/index.pdf">Reference Guide PDF</a>
            </td>
            <td>
-              The pdf version of the reference guide.
+              The PDF version of the reference guide.
            </td>
          </tr>
--- a/doc/xdocs/suggested.html
+++ b/doc/xdocs/suggested.html
@ -0,0 +1,138 @@
 <!--
 * ========================================================================
 * 
 * Copyright 2004 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * 
 * ========================================================================
 -->
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <title>Acegi Security Suggested Steps</title>
 <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 </head>
 <body>
  <h1>Suggested Steps</h1>
  <p>Presented below are the steps we encourage you to take in order to gain the most
  out of Acegi Security in a realistic timeframe.
  <ol>
    <li>Your first step is to ensure you're able to actually build Acegi Security. This is
 	because if you encounter any problems the first thing we'll probably suggest you do is
 	upgrade to the latest CVS HEAD. It also means you can try things out if you get stuck,
 	such as adding even more logging messages to the actual Acegi Security core code.
 	The good news is building is actually very easy, and
 	we've gone to a lot of trouble to document what is involved. If you have a working Maven
 	installation, it <i>should</i> be as simple as two commands. Have a look on the
 	<a href="building.html">Building with Maven</a> page, and follow the
 	"Checking Out from CVS" and "Building All JARs" steps. Of course, you can safely skip
 	this step if you don't have time.<br><br>
 	Estimated time: 30 minutes - 2 hours.<br><br>
 	</li>
 	<li>Next up gain a proper understanding of how the Contacts Sample application works.
 	This will probably involve deploying <code>acegi-security-sample-contacts-filter.war</code>.<br><br>
 	The actual <a target="_blank" class="newWindow" href="multiproject/acegi-security-sample-contacts/xref/index.html">java code</a>
 	is a completely standard Spring application, except <code>ContactManagerBackend</code>
 	which shows how we create and delete ACL permissions. The rest of the Java code has no
 	security awareness, with all security services being declared in the XML files
 	(don't worry, there aren't any new XML formats to learn: they're all standard Spring IoC container
 	declarations or the stock-standard <code>web.xml</code>). The main
 	XML files to review are
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/applicationContext-acegi-security.xml?view=auto">applicationContext-acegi-security.xml</a> (from the filter webapp),
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-authorization.xml?view=auto">applicationContext-common-authorization.xml</a>,
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/common/WEB-INF/applicationContext-common-business.xml?view=auto">applicationContext-common-business.xml</a> (just note we add <code>contactManagerSecurity</code> to the services layer target bean), and
 	<a target="_blank" class="newWindow" href="http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/samples/contacts/src/main/webapp/filter/WEB-INF/web.xml?view=auto">web.xml</a> (from the filter webapp).
 	The XML definitions are comprehensively discussed in the
 	<a href="reference.html">Reference Guide</a>.
 	<br><br>
 	To gain the most from reviewing these XML files, we suggest you start by understanding how
 	authentication takes place. There's not much point knowing all about authorization until authentication is
 	really clear, especially the interaction between the <code>ContextHolder</code>, the
 	authentication mechanism (such as <code>AuthenticationProcessingFilter</code>), the
 	authentication commencement process (specifically <code>SecurityEnforcementFilter</code> and
 	say <code>AuthenticationProcessingFilterEntryPoint</code>), and the system that manages authentication
 	data between invocations (say <code>HttpSessionIntegrationFilter</code>). You don't have to
 	know every detail, just basically what they do and the key differences (again, the
 	reference guide should help considerably, as there are diagrams etc).
 	<br><br>	
 	Once you understand authentication in the contacts Sample application, look at how authorisation
 	is handled. Start with <code>FilterSecurityInterceptor</code>'s role and how its
 	regular expression or Ant paths protect URIs. Next up explore how <code>RoleVoter</code>
 	works in our sample application with the <code>FilterSecurityInterceptor</code> and
 	<code>MethodSecurityInterceptor</code>. Finally, review what the
 	<code>BasicAclEntryVoter</code> does in our sample application, in terms of protecting
 	domain objects from method invocations the principal does not have permission to.
 	<br><br>Lastly, get an understanding of how the <code>AfterInvocationProviderManager</code>
 	is being used to stop domain objects being returned to which the principal has no
 	permission, and to filter <code>Collection</code>s so they don't contain domain objects to
 	which the principal has no permission. By all means comment out parts of the Spring IoC XML
 	and see the effect. For example, comment out the <code>AfterInvocationProviderManager</code> (of course, remove its reference
 	in the <code>MethodSecurityInterceptor</code>) and see how all of the contacts get returned.
 	<br><br>
 	Estimated time: 1-2 days.<br><br>
 	</li>
 	<li>By now you will have a good grasp on how Acegi Security works, and all that is left to
 	do is design your own application's implementation. The way we suggested you explore the Contacts Sample
 	is the same way we suggest you implement security in your own application: start with authentication,
 	then add basic web request URI security. Follow it with the standard role voter to protect
 	method invocations. Finally, and only if your application actually needs it, introduce
 	domain object security with the <code>BasicAclEntryVoter</code> and 
 	<code>AfterInvocationProviderManager</code>.
 	<br><br>
 	We do not encourage you to use CAS, container adapters, BASIC authentication, transparent
 	RMI invocation, run-as replacement, rich client integration or any of the other interesting features
 	of Acegi Security until you've got a "bare bones" installation working with <code>DaoAuthenticationProvider</code>,
 	one of Acegi Security's <code>AuthenticationDao</code>s (or your own), and your basic
 	authorisation configuration. Like anything, start with something simple and build on it
 	(this would be the opposite advice if you were building your own security framework,
 	where you would need to cross the highest and most difficult bridges first, to check they
 	are actually possible).<br><br>
 	If you've followed the steps above, and refer back to the reference guide, forums, and FAQ
 	for help, you'll find it pretty easy to implement Acegi Security in your application.
 	Most importantly, you'll be using a security framework that offers you complete container
 	portability, flexibility, and community support - without needing to write and maintain your
 	own code.<br><br>
 	Estimated time: 1-5 days.<br><br>
 	</br>
 	</li>
  </ol>
  <p>Please note the time estimates are just that: estimates. They will vary considerably depending
  on how much experience you have, particularly with Java and Spring. They will also vary depending
  on how complex your intended security-enabled application will be. Some people need to push the domain
  object instance access control list capabilities to the maximum, whilst others don't even need anything
  beyond web request URI security. The good thing is Acegi Security will either directly support your future
  needs, or provide a clearly-defined extension point for addressing them.
  <p>
  We welcome your feedback about how long it has actually taken you to complete each step, so we
  can update this page and help new users better assess their project timetables in the future.
  Any other tips on what you found helpful in learning Acegi Security are also very welcome.
 </body>
 </html>