GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Spring Security
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
516 Commits
54 Branches
340 Tags
121 MiB
 
 
 
 
Tree: 118fde588c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '118fde588c'
${ noResults }
spring-security/doc/xdocs/faq.html

137 lines
6.8 KiB
Raw Blame History

<!--
* ========================================================================
*
* Copyright 2004 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* ========================================================================
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Frequently Asked Questions (FAQ) on Acegi Security</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1>Frequently Asked Questions</h1>
<h2>How do you pronounce "Acegi"?</h2>
<p><i>Ah-see-gee</i>. Said quickly, without emphasis on any part.</p>
<h2>Is it called "Acegi" or "Acegi Security"?</h2>
<p>It's official name is <i>Acegi Security System for Spring</i>,
although we're happy for it to be abbreviated to
<i>Acegi Security</i>. Please don't just call it <i>Acegi</i>, though,
as that gets confused with the name of the company that maintains Acegi
Security.</p>
<h2>Why catches 80% of users reporting problems?</h2>
<p>80% of support questions are because people have not defined
the necessary filters in <code>web.xml</code>, or the filters are being
mapped in the incorrect order. Check the
<a href="reference.html">Reference Guide</a>, which
has a specific section on filter ordering.</p>
<h2>I'm sure my filters are ordered correctly. What else could be wrong?</h2>
<p>The next most common source of problems step from custom
<code>AuthenticationDao</code> implementations that simply don't properly
implement the interface. For example, they return <code>null</code> instead
of the user not found exception, or fail to add in the
<code>GrantedAuthority[]</code>s. We suggest you write the
<code>UserDetails</code> object generated by your <code>AuthenticationDao</code>
to the log and check it looks correct.</p>
<h2>How do I store custom properties, like a user's email address?</h2>
<p>In most cases write an <code>AuthenticationDao</code> which returns
a subclass of <code>User</code>. Alternatively, write your own
<code>UserDetails</code> implementation from scratch and return that.</p>
<h2>I need some help. What files should I post?</h2>
<p>The most important things to post with any support requests on the
<a href="http://forum.springframework.org">Spring Forums</a> are your
<code>web.xml</code>, <code>applicationContext.xml</code> (or whichever
XML loads the security-related beans) as well as any custom
<code>AuthenticationDao</code> you might be using. For really odd problems,
also switch on debug-level logging and include the resulting log.</p>
<h2>How do I switch on debug-level logging?</h2>
<p>Acegi Security uses Commons Logging, just as Spring does. So you use the
same approach as you'd use for Spring. Most people output to Log4J, so
the following <code>log4j.properties</code> would work:</p>
<pre>
log4j.rootCategory=WARN, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %p %c - %m%n
log4j.category.net.sf.acegisecurity=DEBUG</pre>
<h2>Why doesn't Acegi Security use JAAS?</h2>
<p>Acegi Security targets <i>enterprise applications</i>, which are typically
multi-user, data-oriented applications that are important to
the core business. Acegi Security was designed to provide a portable and effective
security framework for this target application type. It was not designed for securing
limited privilege runtime environments, such as web browser applets.</p>
<p>We did consider JAAS when designing Acegi Security, but it simply
wasn't suitable for our purpose. We needed to avoid complex JRE configurations,
we needed container portability, and we wanted maximum leveraging of the Spring IoC
container. Particularly as limited privilege runtime environments were not
an actual requirement, this lead to the natural design of Acegi Security as
it exists today.</p>
<p>Acegi Security already provides some JAAS integration. It can today authenticate
via delegation to a JAAS login module. This means it offers the same level of JAAS
integration as many web containers. Indeed the container adapter model supported by
Acegi Security allows Acegi Security and container-managed security to happily
co-exist and benefit from each other. Any debate about Acegi Security and JAAS
should therefore centre on the authorisation issue. An evaluation of major
containers and security frameworks would reveal that Acegi Security is by no
means unusual in not using JAAS for authorisation.</p>
<p>There are many examples of open source applications being preferred to
official standards. A few that come to mind in the Java community include
using Spring managed POJOs (rather than EJBs), Hibernate (instead of entity beans),
Log4J (instead of JDK logging), Tapestry (instead of JSF), and Velocity/FreeMarker
(instead of JSP). It's important to recognise that many open source projects do
develop into de facto standards, and in doing so play a legitimate and beneficial
role in the software development profession.</p>
<h2>Do you welcome contributions?</h2>
<p>Yes. If you've written something and it works well, please feel free to share it.
Simply email the contribution to the
<a href="mail-lists.html">acegisecurity-developers</a> list. If you haven't yet
written the contribution, we encourage you to send your thoughts to the same
list so that you can receive some initial design feedback.</p>
<p>For a contribution to be used, it must have appropriate unit test coverage and
detailed JavaDocs. It will ideally have some comments for the Reference Guide
as well (this can be sent in word processor or HTML format if desired). This
helps ensure the contribution maintains the same quality as the remainder of
the project.</p>
<p>We also welcome documentation improvements, unit tests, illustrations,
people supporting the user community (especially on the forums), design ideas,
articles, blog entries, presentations and alike. If you're looking for something
to do, you can always email the
<a href="mail-lists.html">acegisecurity-developers</a> list and we'll be
pleased to suggest something. :-)</p>
</body>
</html>