@@ -46,7 +46,7 @@
can be easily supported.</p> |
<h2>Why not just use web.xml security?</h2> |
<p>Let's assuming you're developing an enterprise application based on Spring. |
<p>Let's assume you're developing an enterprise application based on Spring. |
There are four security concerns you typically need to address: authentication, |
web request security, service layer security (ie your methods that implement |
business logic), and domain object instance security (ie different domain objects |
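Review bot: the `Let's assuming` to `Let's assume` fix is correct, but the unchanged context of the same sentence still abbreviates with `ie` twice (`(ie your methods that implement` and `(ie different domain objects`); since the hunk already rewrites this paragraph, expanding both to `i.e.` would leave the sentence consistently punctuated. Also note `service layer security` here against `services layer` in the later hunks of this same file; pick one form.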
@@ -102,8 +102,8 @@
so would introduce an additional argument on every services |
layer method. A more elegant approach is to use a ThreadLocal |
to hold the Principal, although this would likely increase |
development time to a point where it would become more e |
conomical (on a cost-benefit basis) to simply use a dedicated |
development time to a point where it would become more |
economical (on a cost-benefit basis) to simply use a dedicated |
security framework.</li> |
<li><i>Authorisation code quality:</i> It is often said of web |
frameworks that they "make it easier to do the right things, |
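Review bot: rejoining `more e` / `conomical` into `more` / `economical` is the right fix, but the claim it restores, that a ThreadLocal holding the Principal `would likely increase development time`, gives the reader no reason. One sentence would make the cost concrete: the value has to be set on entry and cleared when the request completes, because servlet containers reuse pooled threads, and a ThreadLocal left populated would expose the previous request's Principal to the next request served by that thread. Without that, the cost-benefit argument for a dedicated security framework rests on an unexplained assertion.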
@@ -117,7 +117,7 @@
</ol> |
</li> |
</ol> |
For simple applications, servlet specification may just be enough. |
For simple applications, servlet specification security may just be enough. |
Although when considered within the context of web container portability, |
configuration requirements, limited web request security flexibility, and |
non-existent services layer and domain object instance security, it becomes |
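Review bot: `servlet specification security` now reads correctly, but the sentence it sits in has no opening `<p>` after the `</ol>` that closes the list, whereas every other paragraph visible in this file is wrapped in `<p>`; add `<p>` before `For simple applications`. The next context line, `Although when considered within the context of web container portability, ...`, is a sentence fragment as far as it is visible here (`Although` opens a subordinate clause that never gets a main clause before `it becomes`); `However, when considered ...` would read as a complete sentence.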
@@ -148,9 +148,10 @@
<code>AuthenticationDao</code> implementations that simply don't properly |
implement the interface. For example, they return <code>null</code> instead |
of the user not found exception, or fail to add in the |
<code>GrantedAuthority[]</code>s. We suggest you write the |
<code>UserDetails</code> object generated by your <code>AuthenticationDao</code> |
to the log and check it looks correct.</p> |
<code>GrantedAuthority[]</code>s. Whilst <code>DaoAuthenticationProvider</code> |
does its best to check the <code>AuthenticationDao</code>returns a valid |
<code>UserDetails</code>, we suggest you write the |
<code>UserDetails</code> object to the log and check it looks correct.</p> |
<h2>I need some help. What files should I post?</h2> |
<p>The most important things to post with any support requests on the |
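Review bot: missing space in the added line `does its best to check the <code>AuthenticationDao</code>returns a valid`; it renders as `AuthenticationDaoreturns`, so it should be `</code> returns`. Two smaller points on the same paragraph: `does its best to check` is vague, and saying what `DaoAuthenticationProvider` actually verifies on the returned object would tell the reader which of the listed mistakes (the `null` return, the missing `GrantedAuthority[]`) it catches and which still need the manual check; and the advice to `write the <code>UserDetails</code> object to the log` should carry a caveat that the object also holds the stored credential the provider compares against, so log the username and granted authorities rather than dumping the whole object into a log file.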
@@ -208,7 +209,7 @@
Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker |
(instead of JSP). It's important to recognise that many open source projects do |
develop into de facto standards, and in doing so play a legitimate and beneficial |
role in the software development profession.</p> |
role in professional software development.</p> |
<h2>Do you welcome contributions?</h2> |
<p>Yes. If you've written something and it works well, please feel free to share it. |