|
|
|
|
@ -7,7 +7,7 @@
@@ -7,7 +7,7 @@
|
|
|
|
|
|
|
|
|
|
<subtitle>Reference Documentation</subtitle> |
|
|
|
|
|
|
|
|
|
<releaseinfo>0.6</releaseinfo> |
|
|
|
|
<releaseinfo>0.6.1</releaseinfo> |
|
|
|
|
|
|
|
|
|
<authorgroup> |
|
|
|
|
<author> |
|
|
|
|
@ -74,6 +74,61 @@
@@ -74,6 +74,61 @@
|
|
|
|
|
The security architecture does not have a notion of roles or groups, |
|
|
|
|
which you may be familiar with from other security |
|
|
|
|
implementations.</para> |
|
|
|
|
|
|
|
|
|
<sect2 id="security-introduction-status"> |
|
|
|
|
<title>Current Status</title> |
|
|
|
|
|
|
|
|
|
<para>The Acegi Security System for Spring is widely used by members |
|
|
|
|
of the Spring Community. The APIs are considered stable and only minor |
|
|
|
|
changes are expected. Having said that, like many other projects we |
|
|
|
|
need to strike a balance between backward compatibility and |
|
|
|
|
improvement. Effective version 0.6.1, Acegi Security uses the Apache |
|
|
|
|
Portable Runtime Project versioning guidelines, available from |
|
|
|
|
<literal>http://apr.apache.org/versioning.html</literal>.</para> |
|
|
|
|
|
|
|
|
|
<para>Some improvements are currently intended prior to the 1.0.0 |
|
|
|
|
release. These are:</para> |
|
|
|
|
|
|
|
|
|
<itemizedlist spacing="compact"> |
|
|
|
|
<listitem> |
|
|
|
|
<para>Replacing the Ant build with a Maven build. When this |
|
|
|
|
happens the <literal>lib</literal> directory will no longer be |
|
|
|
|
distributed in ZIP releases or hosted in CVS.</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<para>"Remember me" functionality. Some discussion on this can be |
|
|
|
|
found at |
|
|
|
|
<literal>http://sourceforge.net/mailarchive/forum.php?thread_id=5177499&forum_id=40659</literal>.</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<para>A sample web application which demonstrates the access |
|
|
|
|
control list package.</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<para>Implementation of an |
|
|
|
|
<literal>ObjectDefinitionSource</literal> that retrieves its |
|
|
|
|
details from a database.</para> |
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<para>Deprecation of Acegi Security's various EH-CACHE-based cache |
|
|
|
|
implementations. Instead Acegi Security will provide new cache |
|
|
|
|
implementations which use Spring Framework's new (currently in |
|
|
|
|
CVS) <literal>EhCacheManagerFactoryBean</literal> factory. The |
|
|
|
|
deprecated classes may be removed from the 1.0.0 release.</para> |
|
|
|
|
</listitem> |
|
|
|
|
</itemizedlist> |
|
|
|
|
|
|
|
|
|
<para>Whilst this list is subject to change and not in any particular |
|
|
|
|
order, none of the above improvements are likely to result in changes |
|
|
|
|
to the API. The improvements are also relatively minor to implement. |
|
|
|
|
Users of Acegi Security System for Spring should therefore be |
|
|
|
|
comfortable depending on the current version of the project in their |
|
|
|
|
applications.</para> |
|
|
|
|
</sect2> |
|
|
|
|
</sect1> |
|
|
|
|
|
|
|
|
|
<sect1 id="security-high-level-design"> |
|
|
|
|
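Review bot: The "Remember me" list item quotes a SourceForge URL that, as shown here, has a bare & between thread_id=5177499 and forum_id=40659; inside DocBook XML that ampersand has to be written as &amp; or the reference guide will not parse. Separately, the EH-CACHE item says the deprecated classes may be removed from the 1.0.0 release, while the closing paragraph says none of the listed improvements are likely to result in changes to the API. Removing public cache classes is an API change for anyone who wired them by class name, so either exclude that item in the closing paragraph or commit to keeping the deprecated classes through 1.0.0.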
@ -1596,9 +1651,10 @@ public boolean supports(Class clazz);</programlisting></para>
@@ -1596,9 +1651,10 @@ public boolean supports(Class clazz);</programlisting></para>
|
|
|
|
|
<literal>ifNotGranted="ROLE_SUPERVISOR"</literal>, or you'll be |
|
|
|
|
surprised to never see the tag's body.</para> |
|
|
|
|
|
|
|
|
|
<para>By requiring all attributes to return true, the authorize tag allows you to |
|
|
|
|
create more complex authorization scenarios. For example, you could |
|
|
|
|
declare an <literal>ifAllGranted="ROLE_SUPERVISOR"</literal> and an |
|
|
|
|
<para>By requiring all attributes to return true, the authorize tag |
|
|
|
|
allows you to create more complex authorization scenarios. For |
|
|
|
|
example, you could declare an |
|
|
|
|
<literal>ifAllGranted="ROLE_SUPERVISOR"</literal> and an |
|
|
|
|
<literal>ifNotGranted="ROLE_NEWBIE_SUPERVISOR"</literal> in the same |
|
|
|
|
tag, in order to prevent new supervisors from seeing the tag body. |
|
|
|
|
However it would no doubt be simpler to use |
|
|
|
|
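Review bot: The authorize-tag paragraph beginning "By requiring all attributes to return true" is only re-wrapped in this hunk; the old and new lines carry the same wording. Mixed into a commit that also adds the "Current Status" section, this whitespace churn makes the real documentation changes harder to spot in review and in later blame output. Consider moving the re-wrapping into a separate formatting-only commit.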
@ -1632,12 +1688,12 @@ public boolean supports(Class clazz);</programlisting></para>
@@ -1632,12 +1688,12 @@ public boolean supports(Class clazz);</programlisting></para>
|
|
|
|
|
</listitem> |
|
|
|
|
|
|
|
|
|
<listitem> |
|
|
|
|
<para>Writing an <literal>AccessDecisionVoter</literal> implementation |
|
|
|
|
and using either <literal>ConsensusBased</literal>, |
|
|
|
|
<para>Writing an <literal>AccessDecisionVoter</literal> |
|
|
|
|
implementation and using either <literal>ConsensusBased</literal>, |
|
|
|
|
<literal>AffirmativeBased</literal> or |
|
|
|
|
<literal>UnanimousBased</literal> as the |
|
|
|
|
<literal>AccessDecisionManager</literal> may be the best approach to |
|
|
|
|
implementing your custom access decision rules.</para> |
|
|
|
|
<literal>AccessDecisionManager</literal> may be the best approach |
|
|
|
|
to implementing your custom access decision rules.</para> |
|
|
|
|
</listitem> |
|
|
|
|
</itemizedlist> |
|
|
|
|
</sect2> |
|
|
|
|
@ -1755,8 +1811,8 @@ public boolean supports(Class clazz);</programlisting></para>
@@ -1755,8 +1811,8 @@ public boolean supports(Class clazz);</programlisting></para>
|
|
|
|
|
objects at runtime. However, several classes have been provided to |
|
|
|
|
make this process transparent in many situations.</para> |
|
|
|
|
|
|
|
|
|
<para>The <literal>net.sf.acegisecurity.ui</literal> package is designed |
|
|
|
|
to make interfacing web application user interfaces with the |
|
|
|
|
<para>The <literal>net.sf.acegisecurity.ui</literal> package is |
|
|
|
|
designed to make interfacing web application user interfaces with the |
|
|
|
|
<literal>ContextHolder</literal> as simple as possible. There are two |
|
|
|
|
major steps in doing this:</para> |
|
|
|
|
|
|
|
|
|
@ -2453,10 +2509,9 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
@@ -2453,10 +2509,9 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
|
|
|
|
into some type of backend authentication repository, such as an LDAP |
|
|
|
|
server or database.</para> |
|
|
|
|
|
|
|
|
|
<para>If you are already running an existing CAS server instance, |
|
|
|
|
you will have already |
|
|
|
|
established a <literal>PasswordHandler</literal>. If you do not |
|
|
|
|
already have a <literal>PasswordHandler</literal>, you |
|
|
|
|
<para>If you are already running an existing CAS server instance, you |
|
|
|
|
will have already established a <literal>PasswordHandler</literal>. If |
|
|
|
|
you do not already have a <literal>PasswordHandler</literal>, you |
|
|
|
|
might prefer to use the Acegi Security System for Spring |
|
|
|
|
<literal>CasPasswordHandler</literal> class. This class delegates |
|
|
|
|
through to the standard Acegi Security |
|
|
|
|
@ -2922,8 +2977,6 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
@@ -2922,8 +2977,6 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
|
|
|
|
<sect2 id="security-cas-advanced-usage"> |
|
|
|
|
<title>Advanced CAS Usage</title> |
|
|
|
|
|
|
|
|
|
<para>[DRAFT - COMMENTS WELCOME]</para> |
|
|
|
|
|
|
|
|
|
<para>The <literal>CasAuthenticationProvider</literal> distinguishes |
|
|
|
|
between stateful and stateless clients. A stateful client is |
|
|
|
|
considered any that originates via the |
|
|
|
|
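Review bot: Dropping the [DRAFT - COMMENTS WELCOME] paragraph under "Advanced CAS Usage" presents the stateful versus stateless client description as final, yet the paragraph that follows is unchanged context in this hunk. If the draft text was reviewed and confirmed against the CasAuthenticationProvider behaviour shipped in 0.6.1, say so in the commit message; otherwise keep the marker until that review has happened.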
@ -3817,10 +3870,11 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
@@ -3817,10 +3870,11 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
|
|
|
|
|
<title>Further Information</title> |
|
|
|
|
|
|
|
|
|
<para>Questions and comments on the Acegi Security System for Spring are |
|
|
|
|
welcome. Please direct comments to the Spring Users mailing list. You're |
|
|
|
|
also welcome to join the acegisecurity-developer mailing list. Our |
|
|
|
|
project home page (where you can obtain the latest release of the |
|
|
|
|
project and access to CVS, mailing lists etc) is at |
|
|
|
|
welcome. Please use the Spring Community Forum web site at |
|
|
|
|
<literal>http://forum.springframework.org</literal>. You're also welcome |
|
|
|
|
to join the acegisecurity-developer mailing list. Our project home page |
|
|
|
|
(where you can obtain the latest release of the project and access to |
|
|
|
|
CVS, mailing lists, forums etc) is at |
|
|
|
|
<literal>http://acegisecurity.sourceforge.net</literal>.</para> |
|
|
|
|
</sect1> |
|
|
|
|
</chapter> |
|
|
|
|
|
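Review bot: The rewritten "Further Information" paragraph gives http://forum.springframework.org and http://acegisecurity.sourceforge.net as literal elements, so they render as monospaced text rather than links; wrapping each in a ulink element with a url attribute would make them clickable in the generated HTML. The new wording also removes the only mention of the Spring Users mailing list, so if that list is still an accepted channel for questions it should stay alongside the forum address.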