SpringOne 2008 - Using Spring Security 2 by Mike Wiesner

  • formerly Acegi security -- Acegi is an abbreviation for AbCdEfGhI :-)
  • Authentication: URL (coarsegrained) or method (finegrained) authentication
  • ACL
  • LDAP support
  • SSO
  • pluggable filters (through 1 delegating servletfilter); config in security.xml.
    Eg: LDAP, JAAS, OpenID plugins
  • repository for storing (e.g.) additional user details
    --> implemented in e.g. JDBC or LDAP
    --> combine multiple data sources
  • SecurityInterceptor (AOP) for method-based security
  • @RolesAllowed annotation (JSR-250)
gotcha: The RBAC pattern decouples users from permissions through roles: users >-<roles>-< permissions! Test on permissions and let the repository associate your user with the correct permissions through the assigned roles. Never test on roles in your code.

Spring security also provides a authz-taglib for querying security-permissions while building a web page. This is helpful, but you still have to secure the basic URLs and methods.

No comments: