index.apt

acegi构造安全的java系统

                                --------------------------------
                                Acegi Security System for Spring
                                --------------------------------
                                

Spring Security 2.0.0 Released

      Acegi Security is now {{{http://www.springframework.org/projects/}Spring Security}}, 
      the official security project of the {{{http://www.springframework.org/projects/}Spring Portfolio}}.
      If you are planning a new project, we'd recommend you consider using Spring Security.
      Acegi Security 1.0.7 will be the last non-critical release of the 1.0.x series.
       
      Spring Security 2.0.0 builds on Acegi Security's solid foundations, adding many new features:

      * Simplified namespace-based configuration syntax. Old configurations
       could require hundreds of lines of XML but our new convention over configuration 
       approach ensures that many deployments will now require less than 10 lines.

      * OpenID integration, which is the web's emerging single sign on
      standard (supported by Google, IBM, Sun, Yahoo and others)

      * Windows NTLM support, providing easy enterprise-wide single sign on
      against Windows corporate networks

      * Support for JSR 250 ("EJB 3") security annotations, delivering a
      standards-based model for authorization metadata

      * AspectJ pointcut expression language support, allowing developers to
      apply cross-cutting security logic across their Spring managed objects

      * Substantial improvements to the high-performance domain object
      instance security ("ACL") capabilities

      * Comprehensive support for RESTful web request authorization, which
      works well with Spring 2.5's @MVC model for building RESTful systems

      * Long-requested support for groups, hierarchical roles and a user
      management API, which all combine to reduce development time and
      significantly improve system administration

      * An improved, database-backed "remember me" implementation

      * Support for portlet authentication out-of-the-box

      * Support for additional languages

      * Numerous other general improvements, documentation and new samples

      * New support for web state and flow transition authorization through
      the Spring Web Flow 2.0 release

      * New support for visualizing secured methods, plus configuration
      auto-completion support in Spring IDE

      * Enhanced WSS (formerly WS-Security) support through the Spring Web
      Services 1.5 release

      Please visit {{{http://www.springframework.org/download}http://www.springframework.org/download}} 
      to download the latest release and access the change log.


Acegi Security - Key Features

    * <<Stable and mature:>> Acegi Security 1.0.0 was released in May 2006 after
        more than two and a half years of use in large production software projects, 70,000+ downloads
        and hundreds of community contributions.
        In terms of release numbering, we also use the
        {{{http://apr.apache.org/versioning.html}Apache APR Project Versioning Guidelines}} so that you can easily identify release compatibility.

    * <<Well documented:>> All APIs are fully documented using
        {{{http://acegisecurity.org/multiproject/acegi-security/apidocs/index.html}JavaDoc}},
        with almost 100 pages of
		{{{./reference.html}Reference Guide}} documentation providing an easy-to-follow
        introduction. Even more documentation is provided on this web site, as
		shown in the left hand navigation sidebar.

    * <<Fast results:>> View our {{{./suggested.html}suggested steps}}
        for the fastest way to develop complex, security-compliant applications.

    * <<Enterprise-wide single sign on:>> Using JA-SIG's open
        source {{{http://www.ja-sig.org/products/cas/}Central Authentication Service}} (CAS),
        the Acegi Security can participate
        in an enterprise-wide single sign on environment. You no longer need
        every web application to have its own authentication database. Nor are
        you restricted to single sign on across a single web container. Advanced
        single sign on features like proxy support and forced refresh of logins
        are supported by both CAS and Acegi Security.

    * <<Reuses your Spring expertise:>> We use Spring application
        contexts for all configuration, which should help Spring developers get
        up-to-speed nice and quickly.

    * <<Domain object instance security:>> In many applications it's
        desirable to define Access Control Lists (ACLs) for individual domain
        object instances. We provide a comprehensive ACL package with features
        including integer bit masking, permission inheritence (including
        blocking), a JDBC-backed ACL repository, caching and a pluggable,
        interface-driven design.

    * <<Non-intrusive setup:>> The entire security system can operate
        within a single web application using the provided filters. There is no
        need to make special changes or deploy libraries to your Servlet or EJB
        container.

    * <<Full (but optional) container integration:>> The credential
        collection and authorization capabilities of your Servlet or EJB
        container can be fully utilised via included "container adapters". We
        currently support Catalina (Tomcat), Jetty, JBoss and Resin, with
        additional containers easily added.

    * <<Keeps your objects free of security code:>> Many applications
        need to secure data at the bean level based on any combination of
        parameters (user, time of day, authorities held, method being invoked,
        parameter on method being invoked....). This package gives you this
        flexibility without adding security code to your Spring business
        objects.

    * <<After invocation security:>> Acegi Security can not only protect
		methods from being invoked in the first place, but it can also
		deal with the objects returned from the methods. Included implementations
		of after invocation security can throw an exception or mutate the returned
		object based on ACLs.

    * <<Secures your HTTP requests as well:>> In addition to securing
        your beans, the project also secures your HTTP requests. No longer is it
        necessary to rely on web.xml security constraints. Best of all, your
        HTTP requests can now be secured by your choice of regular expressions
        or Apache Ant paths, along with pluggable authentication, authorization
        and run-as replacement managers.

    * <<Channel security:>> Acegi Security can
        automatically redirect requests across an appropriate transport channel.
        Whilst flexible enough to support any of your "channel" requirements (eg
        the remote user is a human, not a robot), a common channel security
        feature is to ensure your secure pages will only be available over
        HTTPS, and your public pages only over HTTP. Acegi Security also
        supports unusual port combinations (including if accessed via an
        intermediate server like Apache) and pluggable transport decision
        managers.

    * <<Supports HTTP BASIC authentication:>> Perfect for remoting
        protocols or those web applications that prefer a simple browser pop-up
        (rather than a form login), Acegi Security can directly process HTTP
        BASIC authentication requests as per RFC 1945.

    * <<Supports HTTP Digest authentication:>> For greater security than
        offered by BASIC authentcation, Acegi Security also supports Digest Authentication
        (which never sends the user's password across the wire). Digest Authentication
        is widely supported by modern browsers. Acegi Security's implementation complies
        with both RFC 2617 and RFC 2069.

    * <<Computer Associates Siteminder support:>> Authentication can be
        delegated through to CA's Siteminder solution, which is common in large
        corporate environments.

    * <<X509 (Certificate) support:>> Acegi Security can easily read
        client-side X509 certificates for authenticating users.

    * <<LDAP Support:>> Do you have an LDAP directory? Acegi Security can
        happily authenticate against it.

    * <<Tag library support:>> Your JSP files can use our taglib
        to ensure that protected content like links and messages are only
        displayed to users holding the appropriate granted authorities. The taglib
		also fully integrates with Acegi Security's ACL services, and
		obtaining extra information about the logged-in principal.

    * <<Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:>> You
        select the method used to configure your security environment. The
        project supports configuration via Spring application contexts, as well
        as Jakarta Commons Attributes and Java 5's annotations feature. Some users
        (such as those building content management systems) pull configuration data
        from a database, which exemplifies Acegi Security's flexible configuration
        metadata system.

    * <<Various authentication backends:>> We include the ability to
        retrieve your user and granted authority definitions from an XML
        file, JDBC datasource or Properties file. Alternatively, you can implement the
        single-method UserDetailsService interface and obtain authentication details from
        anywhere you like.

    * <<Event support:>> Building upon Spring's
        <<<ApplicationEvent>>> services, you can write your own listeners
        for authentication-related events, along with authorisation-related events.
		This enables you to implement account lockout and audit log systems, with
		complete decoupling from Acegi Security code.

    * <<Easy integration with existing databases:>> Our implementations
        have been designed to make it very easy to use your existing
        authentication schema and data (without modification). Of course,
		you can also provide your own Data Access Object if you wish.

    * <<Caching:>> Acegi Security integrates with Spring's {{{http://ehcache.sourceforge.net}EHCACHE}} factory.
        This flexibility means your database (or other authentication
        repository) is not repeatedly queried for authentication
        information.

    * <<Pluggable architecture:>> Every critical aspect of the package
        has been modelled using high cohesion, loose coupling, interface-driven
        design principles. You can easily replace, customise or extend parts of
        the package.

    * <<Startup-time validation:>> Every critical object dependency and
        configuration parameter is validated at application context startup
        time. Security configuration errors are therefore detected early and
        corrected quickly.

    * <<Remoting support:>> Does your project use a rich client? Not a
        problem. Acegi Security integrates with standard Spring remoting
        protocols, because it automatically processes the HTTP BASIC
        authentication headers they present. Add our BASIC authentication filter
        to your web.xml and you're done. You can also easily use RMI or Digest
        authentication for your rich clients with a simple configuration statement.

    * <<Advanced password encoding:>> Of course, passwords in your
        authentication repository need not be in plain text. We support both SHA
        and MD5 encoding, and also pluggable "salt" providers to maximise
        password security. Acegi Security doesn't even need to see the password
        if your backend can use a bind-based strategy for authentication (such as
        an LDAP directory, or a database login).

    * <<Run-as replacement:>> The system fully supports
        temporarily replacing the authenticated principal for the duration of the web
        request or bean invocation. This enables you to build public-facing
        object tiers with different security configurations than your backend
        objects.

    * <<Transparent security propagation:>> Acegi Security can automatically
		transfer its core authentication information from one machine to another,
		using a variety of protocols including RMI and Spring's HttpInvoker.

    * <<Compatible with HttpServletRequest's security methods:>> Even though
		Acegi Security can deliver authentication using a range of pluggable mechanisms
		(most of which require no web container configuration), we allow you to access
		the resulting Authentication object via the getRemoteUser() and other
		security methods on HttpServletRequest.

    * <<Unit tests:>> A must-have of any quality security project, unit
        tests are included. Our unit test coverage is very high, as shown in the
		{{{acegi-security/cobertura/index.html}coverage report}}.

    * <<Built by Maven:>> This assists you in effectively reusing the Acegi
		Security artifacts in your own Maven-based projects.

    * <<Supports your own unit tests:>> We provide a number of classes
        that assist with your own unit testing of secured business objects. For
        example, you can change the authentication identity and its associated
        granted authorities directly within your test methods.

    * <<Peer reviewed:>> Whilst nothing is ever completely secure,
        using an open source security package leverages the continuous design
        and code quality improvements that emerge from peer review.

    * <<Community:>> Well-known for its supportive community, Acegi Security
        has an active group of developers and users. Visit our project resources (below)
        to access these services.

    * <<Apache license.>> You can confidently use Acegi Security in your project.