Craig Walls presented the Spring Security Session at the latest NFJS Java Conference in Seattle.
- Declarative Security, keeps security details out of your code
- Authentication and Authorization, against virtually any user store
- Support for anonymous sessions, concurrent sessions, remember-me, channel enforcement, and much more
- Spring-based, but can be used with non-Spring web frameworks
ACEGI's moving parts:
- Security Interceptors, aspects for methods, filters for servlets
- Managers, Authentication, Access Decision, Run-As, After-Invocation
- Authentication Providers
- Access Voters
Security Interceptor - First line of defense
Authentication Manager - Verifies user identity
Access Decision Manager - Determines whether the authenticated user has authority to access the secured resource, by aggregating the results from the Voters
Run-As Manager - Temporarily replaces user's Authentication object for the duration of the current secure invocation
After Invocation Manager - Reviews the object returned from a secured invocation, allows for 'after-the-fact' security
The problems with ACEGI
Every time you use Acegi... A fairy dies... It's a great framework, but it is very hard to use.
- Lots of moving parts
- Lots of options
- Everything is a <bean> with various options injected with <property>
- Requires lots of XML
Spring Security 2.0
- Released last week (Apr.15th)
- All the same goodness, with some new stuff and much less XML
- Provides a new security configuration namespace for Spring that hides the <bean>/<property> wiring
- Provides auto-configuration
Method Security
- Intercepting methods using Spring AOP
- Or, Annotation Driven
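As an added illustration (not from the session or the Spring Security project), here is what the 2.0 namespace configuration described above looks like: one <http> element with auto-configuration replaces the per-filter <bean> wiring, the in-memory user store is an authentication provider, and <global-method-security> turns on annotation-driven method security. The application paths, user names, passwords and roles are constructed sample values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed: a web app with /admin/** pages and a Spring-managed service bean
     whose methods carry @Secured("ROLE_ADMIN"); users and roles are constructed. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- auto-config="true" registers the servlet filter chain, form login, logout,
         anonymous and remember-me support without declaring each filter as a <bean>. -->
    <http auto-config="true">
        <!-- Patterns are evaluated top to bottom: put the most specific rule first,
             otherwise the /** catch-all would shadow the /admin/** rule. -->
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
        <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />
        <form-login login-page="/login.jsp" />
    </http>

    <!-- Authentication provider backed by an in-memory user store.
         Sample data only: a real deployment would point at a JDBC/LDAP store
         and hashed passwords instead of plain text in the config file. -->
    <authentication-provider>
        <user-service>
            <user name="alice" password="alice-pw" authorities="ROLE_USER,ROLE_ADMIN" />
            <user name="bob"   password="bob-pw"   authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>

    <!-- Annotation-driven method security: any Spring bean method annotated
         @Secured("ROLE_ADMIN") is now intercepted by the method security interceptor
         and checked by the same access decision manager as the URL rules above. -->
    <global-method-security secured-annotations="enabled" />

</beans:beans>
```

With this in place the access decision for both the URL and the annotated method goes through the role voter, so a ROLE_USER-only user such as bob is denied at /admin/** and at the @Secured method alike.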