Reference Documentation
1.0.0
Copyright (c) 2004, 2005, 2006 - Ben Alex
Table of Contents

Preface  v
I. Overall Architecture  6
  1. Introduction  7
    1.1. Before You Begin  7
    1.2. What is Acegi Security?  7
    1.3. History  8
    1.4. Release Numbering  9
  2. Technical Overview  10
    2.1. Runtime Environment  10
    2.2. Shared Components  10
    2.3. Authentication  12
    2.4. Secure Objects  13
    2.5. Conclusion  15
  3. Supporting Infrastructure  16
    3.1. Localization  16
    3.2. Filters  16
  4. Channel Security  20
    4.1. Overview  20
    4.2. Configuration  20
    4.3. Conclusion  21
  5. Tag Libraries  23
    5.1. Overview  23
    5.2. Configuration  23
    5.3. Usage  23
II. Authentication  24
  6. Common Authentication Services  25
    6.1. Mechanisms, Providers and Entry Points  25
    6.2. UserDetails and Associated Types  27
      6.2.1. In-Memory Authentication  28
      6.2.2. JDBC Authentication  28
    6.3. Concurrent Session Handling  29
    6.4. Authentication Tag Libraries  30
  7. DAO Authentication Provider  31
    7.1. Overview  31
    7.2. Configuration  31
  8. Java Authentication and Authorization Service (JAAS) Provider  33
    8.1. Overview  33
    8.2. Configuration  33
      8.2.1. JAAS CallbackHandler  33
      8.2.2. JAAS AuthorityGranter  34
  9. Siteminder Authentication Mechanism  35
    9.1. Overview  35
    9.2. Configuration  35
  10. Run-As Authentication Replacement  37
    10.1. Overview  37
    10.2. Configuration  37
  11. Form Authentication Mechanism  39
    11.1. Overview  39
Acegi Security System for Spring ii
    11.2. Configuration  39
  12. BASIC Authentication Mechanism  41
    12.1. Overview  41
    12.2. Configuration  41
  13. Digest Authentication  42
    13.1. Overview  42
    13.2. Configuration  43
  14. Anonymous Authentication  44
    14.1. Overview  44
    14.2. Configuration  44
  15. Remember-Me Authentication  46
    15.1. Overview  46
    15.2. Configuration  46
  16. X509 Authentication  48
    16.1. Overview  48
    16.2. Using X509 with Acegi Security  48
    16.3. Configuration  49
  17. LDAP Authentication  50
    17.1. Overview  50
    17.2. Using LDAP with Acegi Security  50
      17.2.1. LdapAuthenticator Implementations  50
      17.2.2. Connecting to the LDAP Server  51
      17.2.3. LDAP Search Objects  51
    17.3. Configuration  52
  18. CAS Authentication  53
    18.1. Overview  53
    18.2. How CAS Works  53
    18.3. Optional CAS Server Setup  56
      18.3.1. CAS Version 2.0  56
      18.3.2. CAS Version 3.0  57
    18.4. Configuration of CAS Client  58
    18.5. Advanced Issues  61
  19. Container Adapter Authentication  62
    19.1. Overview  62
    19.2. Adapter Authentication Provider  62
    19.3. Jetty  63
    19.4. JBoss  64
    19.5. Resin  65
    19.6. Tomcat  66
III. Authorization  68
  20. Common Authorization Concepts  69
    20.1. Authorities  69
    20.2. Pre-Invocation Handling  69
    20.3. After Invocation Handling  71
      20.3.1. ACL-Aware AfterInvocationProviders  72
    20.4. Authorization Tag Libraries  73
  21. Secure Object Implementations  75
    21.1. AOP Alliance (MethodInvocation) Security Interceptor  75
    21.2. AspectJ (JoinPoint) Security Interceptor  77
    21.3. FilterInvocation Security Interceptor  79
  22. Domain Object Security  82
    22.1. Overview  82
    22.2. Basic ACL Package  82
IV. Other Resources  89
  23. Sample Applications  90
    23.1. Contacts  90
    23.2. Tutorial Sample  91
  24. Community Support  92
    24.1. Use JIRA for Issue Tracking  92
    24.2. Becoming Involved  92
    24.3. Further Information  92
Preface
Acegi Security provides a comprehensive security solution for J2EE-based enterprise software applications. As you will discover as you venture through this reference guide, we have tried to provide you with a useful and highly configurable security system.
Security is an ever-moving target, and it's important to pursue a comprehensive, system-wide approach. In security circles we encourage you to adopt "layers of security", so that each layer tries to be as secure as possible in its own right, with successive layers providing additional security. The "tighter" the security of each layer, the more robust and safe your application will be. At the bottom level you'll need to deal with issues such as transport security and system identification, in order to mitigate man-in-the-middle attacks. Next you'll generally utilise firewalls, perhaps with VPNs or IP security, to ensure that only authorised systems can attempt to connect. In corporate environments you may deploy a DMZ to separate public-facing servers from backend database and application servers. Your operating system will also play a critical part, addressing issues such as running processes as non-privileged users and maximising file system security. An operating system will usually also be configured with its own firewall. Hopefully somewhere along the way you'll be trying to prevent denial of service and brute force attacks against the system. An intrusion detection system will also be especially useful for monitoring and responding to attacks, with such systems able to take protective action such as blocking offending TCP/IP addresses in real time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured to minimize the permissions granted to different Java types, and then your application will add its own problem domain-specific security configuration. Acegi Security makes this latter area, application security, much easier.
Of course, you will need to properly address all the security layers mentioned above, together with managerial factors that encompass every layer. A non-exhaustive list of such managerial factors would include security bulletin monitoring, patching, personnel vetting, audits, change control, engineering management systems, data backup, disaster recovery, performance benchmarking, load monitoring, centralised logging, incident response procedures, and so on.
With Acegi Security being focused on helping you with the enterprise application security layer, you will find that there are as many different requirements as there are business problem domains. A banking application has different needs from an ecommerce application. An ecommerce application has different needs from a corporate sales force automation tool. These custom requirements make application security interesting, challenging and rewarding.
This reference guide has been largely restructured for the 1.0.0 release of Acegi Security. Please read Part I, Overall Architecture, in its entirety. The remaining parts of the reference guide are structured in a more traditional reference style, designed to be read on an as-required basis.
We hope that you find this reference guide useful, and we welcome your feedback and suggestions.
Finally, welcome to the Acegi Security community.