Cloud Computing: Do You
Really Want Your Data in
the Cloud?
Don Dodge wrote: D Cheng,
Of course in-house
systems go down. What I
am sa...
Jul. 19, 2008 03:55 PM
|
 |
 |
|
|
|
|
YOUR FEEDBACK
Did you read today's front page stories & breaking news?
SYS-CON.TV |
TOP THREE LINKS YOU MUST CLICK ON Enterprise
Introduction to Acegi
Mastering the security framework
By: David Hardwick
Aug. 2, 2006 08:30 AM
Digg This!
I recently evaluated the use of Acegi as the security framework for a Web development project. In the end, we decided to move forward with Acegi but in the beginning it took a couple days to come to that decision. The amazing thing is: once you get over the initial learning curve, it's smooth sailing. Hence, I wanted to share my experiences with it because first, I wanted to expose the Acegi security framework to JDJ readers and, second, I wanted to make it easier for JDJ readers to get over the initial learning curve. Once you're over that, you should be well on your way with Acegi.
Acegi uses Spring as its configuration settings, so those familiar with Spring will be at ease with Acegi configuration. If you're not familiar with Spring, it's still easy to learn Acegi configuration by example. You don't have to use SpringMVC to secure your Web application. I have successfully used Acegi with Struts. You can use Acegi with WebWork and Velocity, Struts, SpringMVC, JSF, Web Services, and more. Why use Acegi instead of JAAS? It can be difficult to stray from well-documented standards like JAAS. However, porting container-managed security realms is not easy. With Acegi, this security layer is an application framework that is easily ported. Acegi will allow you to easily reuse and port your "Remember Me," "I forgot my password," and log-in/log-out security functions to different servlet and EJB containers. If you have a standards-based security layer that you have re-created for numerous Java applications and it is not getting reused, you need to take a good look at Acegi. Besides, why are you spending time on framework coding when you should be focusing on the business logic? Leave the framework development to product developers and the open source community.
Getting Over That Initial Learning Curve
Installation Step 1: Set up a new Tomcat Web context with the "WEB-INF/", "WEB-INF/lib/", and "WEB-INF/classes" folders per usual (see Figure 1). I called my context "/acegi-demo" and access it using http://localhost:8080/acegi-demo/. Step 2: Add another folder called "/secured," which we'll protect with Acegi. Step 3: Now let's add the necessary Acegi library files to plug-in Acegi to our Tomcat context. (Please download the acegi-demo.zip file provided with this article from http://jdj.sys-con.com.) Let's understand the JAR packages we are adding to the lib directory. The most important JAR is acegi-security-0.8.3.jar, the Acegi core library. Acegi leverages Spring for its configuration, so we also need spring-1.2.RC2.jar. The remaining JARs are utilities libraries for dealing with collections (commons-collections-3.1.jar), logging (commons-logging-1.0.4.jar, log4j-1.2.9.jar), and regular expressions (oro-2.0.8.jar). Special thanks to Apache Jakarta for these wonderful utility libraries.
Configuration Step 4: Configure the web.xml file (see Listing 1) to begin tying the Web application to the Acegi security framework.
Remember, the Acegi Filter Chain Proxy is critical. This is the backbone of the configuration. Using the servlet filter specification, Acegi is able to plug in its security functionality in a modular way. I ordered the Spring bean references in the applicationContext.xml file based on the sequence each bean is referenced, starting with the filterChainProxy bean. If you are new to Spring, just know that the order in which a bean is referenced is not important. I ordered it this way to make it as easy as possible to follow along.
<bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy"> In the filterChainProxy bean (see code snippet above), we tell Acegi that we want to use lowercase for all URL comparisons and use the Apache ANT style for pattern matching on the URLs. In our example, we run the filterChainProxy on every single URL by specifying /**=Filter1,Filter2, etc. Next, we set up the filter chain itself, where order is very important. We have four filter chains in this simple example, but when you start using Acegi, you'll most likely have more. Viewing applicationContext.xml, please take a few moments to follow all the bean references in great detail as you traverse the filter chain. I will walk through each item in the filter chain at a high level. The first item in the chain must be the httpSessionContextIntegrationFilter filter. This filter works hand-and-hand with the HTTP Session object and the Web context to see if the user is authenticated and, if so, then what roles the user has. We have little to configure for this filter. The second item in the chain is the authenticationProcessingFilter filter, which searches for any URL that matches /j_acegi_security_check because this is the URL that our login form will post a username and password to when attempting authentication. This filter also contains the configuration information detailing where to send someone if the login succeeds or fails. If it succeeds, you can configure this filter to direct the user to the page the user originally tried to access or direct the user to a particular start page where you want all authenticated users to land after authentication. I have the latter option configured in my example by setting alwaysUseDefaultTargetUrl to true and you just set it to false to get the former option. One of the beans configured in the authenticationProcessingFilter is the authenticationManager bean. This bean manages the various providers you configure. A provider is essentially a repository of usernames with corresponding passwords and roles. The authenticationManager will stop iterating through the list of providers once a user is successfully authenticated. In practice, you may have two or three providers; for example, one provider could access an Active Directory for employee credentials, while your second provider might access a database for customer credentials. You will most often need an anonymousAuthenticationProvider because you need it to allow access to pages that do not requiring authentication to access, such as the login page or the home page. The demonstration application for this article uses a memory provider and an anonymous provider. Once you get this simple application working, you probably want to add a JDBC or LDAP provider. The third item in the chain is the anonymousProcessingFilter filter. This will match the value created by the anonymousAuthenticationProvider. The fourth and final item in the filter chain is the securityEnforcementFilter filter. This filter has two beans: the filterSecurityInterceptor and the authenticationProcessingFilterEntryPoint. The latter bean is used to direct the user to the login form each time the user tries to access a secured page but is not logged in. We can also force the user to use HTTPS. The former bean, filterSecurityInterceptor, does quite a bit of heavy lifting by tying all our filters together. Page 1 of 2 next page »
LATEST JAVA STORIES & POSTS
SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
|
SYS-CON FEATURED WHITEPAPERS MOST READ THIS WEEK SPONSORED BY INFRAGISTICS
BREAKING JAVA NEWS
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
| | | | | | | | |
|
|
|
|
|
|
| | | | | | | | | | | | | | | | |
|
|
| SYS-CON MEDIA: | | | | |
| SYS-CON EVENTS: | | | | | |
| INTERNATIONAL SITES: | | | | | | | | | | |
 |
Terms of Use & Our Privacy Statement  About Newsfeeds / Video Feeds |
| Copyright ©1994-2008 SYS-CON Publications, Inc. All Rights Reserved. All marks are trademarks of SYS-CON Media. |
| Reproduction in whole or in part in any form or medium without express written permission of SYS-CON Publications, Inc. is prohibited. |
.gif)
Exposing Acegi Security Framework
The pressure is on to
keep pace with Web 2.0
entrants into the
marketplace. Rewriting is
expensive; adding AJAX
widgets results in a
complex, unmaintainable
application. Both require
you to hire scarce
JavaScript developers.
Google Web Toolkit -- the
SDK that allows you to
write 
A standard from OASIS
called Web Services for
Remote Portlets (WSRP) is
used so portlets can be
decoupled from a portal.
In part one (JDJ, Volume.
13, issue 3) of this
article, we introduced
the relevant standards
and specifications and
then demonstrated WSRP's
capabilities by co
Two of the biggest
launches in Rich Internet
Application history took
place in 2007/2008 when
Adobe launched AIR 1.0 in
February '08 and
Microsoft launched
Silverlight (September
'07). At the 6th
International AJAXWorld
RIA Conference & Expo in
October SYS-CON Events is
delighted 
On Tuesday evening Sun
issued a fourth-quarter
guidance range largely
above analysts'
estimates. The company
pre-announced that
revenue for its fiscal
fourth quarter ended June
was $3.725 billion to
$3.8 billion, with gross
margin in the 44-45%
range. Sun expects
non-GAAP profits
Brian Stevens, the Chief
Technology Officer and
Vice President of
Engineering of Red Hat,
delivered his
Virtualization Keynote
'The Future of the
Virtual Enterprise' at
SYS-CON's Virtualization
Conference & Expo 2007
West in San Francisco.
'Virtualization is the
hottest subject 
JavaScript is one of the
most interesting and
misunderstood programming
languages in common use
today. Most developers
will go their entire
careers without realizing
its full potential. It's
not often that you get a
language that supports
the feature set that
JavaScript does, whi
