Luke Taylor
19 years ago
1 changed files with 0 additions and 239 deletions
@ -1,239 +0,0 @@
@@ -1,239 +0,0 @@
|
||||
<?xml version="1.0"?> |
||||
|
||||
<document> |
||||
<properties> |
||||
<title>Acegi Security System for Spring</title> |
||||
</properties> |
||||
|
||||
|
||||
<body> |
||||
<hr /> |
||||
<section name="What is Acegi Security?"> |
||||
<hr /> |
||||
<p>Acegi Security is a powerful, flexible security solution for enterprise software, |
||||
with a particular emphasis on applications that use |
||||
<a href="http://www.springframework.org/">Spring</a>. Using Acegi Security provides your |
||||
applications with comprehensive authentication, authorization, instance-based access control, |
||||
channel security and human user detection capabilities. |
||||
</p> |
||||
</section> |
||||
|
||||
|
||||
<section name="Key Features"> |
||||
<ul> |
||||
<li><b>Stable and mature.</b> |
||||
Acegi Security 1.0.0 was released in May 2006 after |
||||
more than two and a half years of use in large production software projects, 70,000+ downloads |
||||
and hundreds of community contributions. |
||||
In terms of release numbering, we also use the <a |
||||
href="http://apr.apache.org/versioning.html">Apache APR Project |
||||
Versioning Guidelines</a> so that you can easily identify release |
||||
compatibility. |
||||
</li> |
||||
<li><b>Well documented:</b> All APIs are fully documented using |
||||
<a href="http://acegisecurity.org/multiproject/acegi-security/apidocs/index.html">JavaDoc</a>, |
||||
with almost 100 pages of |
||||
<a href="reference.html">Reference Guide</a> documentation providing an easy-to-follow |
||||
introduction. Even more documentation is provided on this web site, as |
||||
shown in the left hand navigation sidebar.<br /><br /> |
||||
</li> |
||||
<li><B>Fast results:</B> View our <a href="suggested.html">suggested steps</a> |
||||
for the fastest way to develop complex, security-compliant applications.<br /><br /> |
||||
</li> |
||||
<li><B>Enterprise-wide single sign on:</B> Using JA-SIG's open |
||||
source <A href="http://www.ja-sig.org/products/cas/">Central Authentication |
||||
Service</A> (CAS), the Acegi Security can participate |
||||
in an enterprise-wide single sign on environment. You no longer need |
||||
every web application to have its own authentication database. Nor are |
||||
you restricted to single sign on across a single web container. Advanced |
||||
single sign on features like proxy support and forced refresh of logins |
||||
are supported by both CAS and Acegi Security.<br /><br /> |
||||
</li> |
||||
<li><B>Reuses your Spring expertise:</B> We use Spring application |
||||
contexts for all configuration, which should help Spring developers get |
||||
up-to-speed nice and quickly.<br /><br /> |
||||
</li> |
||||
<li><B>Domain object instance security:</B> In many applications it's |
||||
desirable to define Access Control Lists (ACLs) for individual domain |
||||
object instances. We provide a comprehensive ACL package with features |
||||
including integer bit masking, permission inheritence (including |
||||
blocking), a JDBC-backed ACL repository, caching and a pluggable, |
||||
interface-driven design.<br /><br /> |
||||
</li> |
||||
<li><B>Non-intrusive setup:</B> The entire security system can operate |
||||
within a single web application using the provided filters. There is no |
||||
need to make special changes or deploy libraries to your Servlet or EJB |
||||
container.<br /><br /> |
||||
</li> |
||||
<li><B>Full (but optional) container integration:</B> The credential |
||||
collection and authorization capabilities of your Servlet or EJB |
||||
container can be fully utilised via included "container adapters". We |
||||
currently support Catalina (Tomcat), Jetty, JBoss and Resin, with |
||||
additional containers easily added.<br /><br /> |
||||
</li> |
||||
<li><B>Keeps your objects free of security code:</B> Many applications |
||||
need to secure data at the bean level based on any combination of |
||||
parameters (user, time of day, authorities held, method being invoked, |
||||
parameter on method being invoked....). This package gives you this |
||||
flexibility without adding security code to your Spring business |
||||
objects.<br /><br /> |
||||
</li> |
||||
<li><B>After invocation security:</B> Acegi Security can not only protect |
||||
methods from being invoked in the first place, but it can also |
||||
deal with the objects returned from the methods. Included implementations |
||||
of after invocation security can throw an exception or mutate the returned |
||||
object based on ACLs.<br /><br /> |
||||
</li> |
||||
<li><B>Secures your HTTP requests as well:</B> In addition to securing |
||||
your beans, the project also secures your HTTP requests. No longer is it |
||||
necessary to rely on web.xml security constraints. Best of all, your |
||||
HTTP requests can now be secured by your choice of regular expressions |
||||
or Apache Ant paths, along with pluggable authentication, authorization |
||||
and run-as replacement managers.<br /><br /> |
||||
</li> |
||||
<li><B>Channel security:</B> Acegi Security can |
||||
automatically redirect requests across an appropriate transport channel. |
||||
Whilst flexible enough to support any of your "channel" requirements (eg |
||||
the remote user is a human, not a robot), a common channel security |
||||
feature is to ensure your secure pages will only be available over |
||||
HTTPS, and your public pages only over HTTP. Acegi Security also |
||||
supports unusual port combinations (including if accessed via an |
||||
intermediate server like Apache) and pluggable transport decision |
||||
managers.<br /><br /> |
||||
</li> |
||||
<li><B>Supports HTTP BASIC authentication:</B> Perfect for remoting |
||||
protocols or those web applications that prefer a simple browser pop-up |
||||
(rather than a form login), Acegi Security can directly process HTTP |
||||
BASIC authentication requests as per RFC 1945.<br /><br /> |
||||
</li> |
||||
<li><B>Supports HTTP Digest authentication:</B> For greater security than |
||||
offered by BASIC authentcation, Acegi Security also supports Digest Authentication |
||||
(which never sends the user's password across the wire). Digest Authentication |
||||
is widely supported by modern browsers. Acegi Security's implementation complies |
||||
with both RFC 2617 and RFC 2069.<br /><br /> |
||||
</li> |
||||
<li><B>Computer Associates Siteminder support:</B> Authentication can be |
||||
delegated through to CA's Siteminder solution, which is common in large |
||||
corporate environments.<br /><br /> |
||||
</li> |
||||
<li><B>X509 (Certificate) support:</B> Acegi Security can easily read |
||||
client-side X509 certificates for authenticating users.<br /><br /> |
||||
</li> |
||||
<li><B>LDAP Support:</B> Do you have an LDAP directory? Acegi Security can |
||||
happily authenticate against it.<br /><br /> |
||||
</li> |
||||
<li><B>Tag library support:</B> Your JSP files can use our taglib |
||||
to ensure that protected content like links and messages are only |
||||
displayed to users holding the appropriate granted authorities. The taglib |
||||
also fully integrates with Acegi Security's ACL services, and |
||||
obtaining extra information about the logged-in principal.<br /><br /> |
||||
</li> |
||||
<li><B>Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:</B> You |
||||
select the method used to configure your security environment. The |
||||
project supports configuration via Spring application contexts, as well |
||||
as Jakarta Commons Attributes and Java 5's annotations feature. Some users |
||||
(such as those building content management systems) pull configuration data |
||||
from a database, which exemplifies Acegi Security's flexible configuration |
||||
metadata system.<br /><br /> |
||||
</li> |
||||
<li><B>Various authentication backends:</B> We include the ability to |
||||
retrieve your user and granted authority definitions from an XML |
||||
file, JDBC datasource or Properties file. Alternatively, you can implement the |
||||
single-method UserDetailsService interface and obtain authentication details from |
||||
anywhere you like.<br /><br /> |
||||
</li> |
||||
<li><B>Event support:</B> Building upon Spring's |
||||
<CODE>ApplicationEvent</CODE> services, you can write your own listeners |
||||
for authentication-related events, along with authorisation-related events. |
||||
This enables you to implement account lockout and audit log systems, with |
||||
complete decoupling from Acegi Security code.<br /><br /> |
||||
</li> |
||||
<li><B>Easy integration with existing databases:</B> Our implementations |
||||
have been designed to make it very easy to use your existing |
||||
authentication schema and data (without modification). Of course, |
||||
you can also provide your own Data Access Object if you wish.<br /><br /> |
||||
</li> |
||||
<li><B>Caching:</B> Acegi Security integrates with Spring's <A |
||||
href="http://ehcache.sourceforge.net/">EHCACHE</A> factory. |
||||
This flexibility means your database (or other authentication |
||||
repository) is not repeatedly queried for authentication |
||||
information.<br /><br /> |
||||
</li> |
||||
<li><B>Pluggable architecture:</B> Every critical aspect of the package |
||||
has been modelled using high cohesion, loose coupling, interface-driven |
||||
design principles. You can easily replace, customise or extend parts of |
||||
the package.<br /><br /> |
||||
</li> |
||||
<li><B>Startup-time validation:</B> Every critical object dependency and |
||||
configuration parameter is validated at application context startup |
||||
time. Security configuration errors are therefore detected early and |
||||
corrected quickly.<br /><br /> |
||||
</li> |
||||
<li><B>Remoting support:</B> Does your project use a rich client? Not a |
||||
problem. Acegi Security integrates with standard Spring remoting |
||||
protocols, because it automatically processes the HTTP BASIC |
||||
authentication headers they present. Add our BASIC authentication filter |
||||
to your web.xml and you're done. You can also easily use RMI or Digest |
||||
authentication for your rich clients with a simple configuration statement.<br /><br /> |
||||
</li> |
||||
<li><B>Advanced password encoding:</B> Of course, passwords in your |
||||
authentication repository need not be in plain text. We support both SHA |
||||
and MD5 encoding, and also pluggable "salt" providers to maximise |
||||
password security. Acegi Security doesn't even need to see the password |
||||
if your backend can use a bind-based strategy for authentication (such as |
||||
an LDAP directory, or a database login).<br /><br /> |
||||
</li> |
||||
<li><B>Run-as replacement:</B> The system fully supports |
||||
temporarily replacing the authenticated principal for the duration of the web |
||||
request or bean invocation. This enables you to build public-facing |
||||
object tiers with different security configurations than your backend |
||||
objects.<br /><br /> |
||||
</li> |
||||
<li><B>Transparent security propagation:</B> Acegi Security can automatically |
||||
transfer its core authentication information from one machine to another, |
||||
using a variety of protocols including RMI and Spring's HttpInvoker.<br /><br /> |
||||
</li> |
||||
<li><B>Compatible with HttpServletRequest's security methods:</B> Even though |
||||
Acegi Security can deliver authentication using a range of pluggable mechanisms |
||||
(most of which require no web container configuration), we allow you to access |
||||
the resulting Authentication object via the getRemoteUser() and other |
||||
security methods on HttpServletRequest.<br /><br /> |
||||
</li> |
||||
<li><B>Unit tests:</B> A must-have of any quality security project, unit |
||||
tests are included. Our unit test coverage is very high, as shown in the |
||||
<a href="multiproject/acegi-security/clover/index.html">coverage report</a>.<br /><br /> |
||||
</li> |
||||
<li><B>Built by Maven:</B> This assists you in effectively reusing the Acegi |
||||
Security artifacts in your own Maven-based projects.<br /><br /> |
||||
</li> |
||||
<li><B>Supports your own unit tests:</B> We provide a number of classes |
||||
that assist with your own unit testing of secured business objects. For |
||||
example, you can change the authentication identity and its associated |
||||
granted authorities directly within your test methods.<br /><br /> |
||||
</li> |
||||
<li><B>Peer reviewed:</B> Whilst nothing is ever completely secure, |
||||
using an open source security package leverages the continuous design |
||||
and code quality improvements that emerge from peer review.<br /><br /> |
||||
</li> |
||||
<li><B>Community:</B> Well-known for its supportive community, Acegi Security |
||||
has an active group of developers and users. Visit our project resources (below) |
||||
to access these services.<br /><br /> |
||||
</li> |
||||
<li><B>Apache license.</B> You can confidently use Acegi Security in your project.<br /><br /></li> |
||||
|
||||
</ul><br /> |
||||
|
||||
|
||||
</section> |
||||
|
||||
<section name="Project Resources"> |
||||
<p> |
||||
<A href="http://forum.springframework.org/"><B>Support Forums</B></A><br /><br /> |
||||
<A href="mail-lists.html"><B>Developer Mailing List</B></A><br /><br /> |
||||
<A href="downloads.html"><B>Downloads</B></A> |
||||
</p> |
||||
</section> |
||||
|
||||
</body> |
||||
|
||||
</document> |
||||
Loading…
Reference in new issue