2008/06/13

SpringOne 2008 - Using Spring Security 2 by Mike Wiesner

What?
  • formerly Acegi security -- Acegi is an abbreviation for AbCdEfGhI :-)
  • Authentication: URL (coarse-grained) or method (fine-grained) authentication
  • ACL
  • LDAP support
  • SSO
How?
  • pluggable filters (through one delegating servlet filter); config in security.xml.
    E.g. LDAP, JAAS, OpenID plugins
  • repository for storing (e.g.) additional user details
    --> implemented in e.g. JDBC or LDAP
    --> combine multiple data sources
  • SecurityInterceptor (AOP) for method-based security
  • @RolesAllowed annotation (JSR-250)
gotcha: The RBAC pattern decouples users from permissions through roles: users >-< roles >-< permissions! Test on permissions in your code and let the repository associate the user with the correct permissions through the assigned roles. Never test on roles in your code.
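How the "How?" bullets (repository for user details, method-based security via the interceptor and annotations) and the RBAC gotcha fit together, as an added example that is not from the talk or from Spring Security itself: a UserDetailsService that resolves user -> roles -> permissions and exposes only the permissions as GrantedAuthority objects, next to a service method secured on a permission rather than a role. The three in-memory maps and the user/role/permission names in them are constructed sample data standing in for a JDBC or LDAP repository; the class and package names are those of the Spring Security 2.0 API (org.springframework.security.*, authorities as a GrantedAuthority[] array), which is assumed here.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.annotation.Secured;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

/**
 * Repository that resolves user -> roles -> permissions and hands Spring Security
 * the permissions as GrantedAuthority objects. Roles never leave this class, so
 * application code cannot accidentally test on them.
 *
 * The two maps stand in for the JDBC/LDAP-backed repository the talk mentions;
 * everything in them is constructed sample data.
 */
public class PermissionGrantingUserDetailsService implements UserDetailsService {

    // Constructed sample data: user -> roles
    private final Map<String, List<String>> userRoles = new HashMap<String, List<String>>();
    // Constructed sample data: role -> permissions
    private final Map<String, List<String>> rolePermissions = new HashMap<String, List<String>>();

    public PermissionGrantingUserDetailsService() {
        rolePermissions.put("ROLE_CLERK", Arrays.asList("PERM_ORDER_READ"));
        rolePermissions.put("ROLE_MANAGER", Arrays.asList("PERM_ORDER_READ", "PERM_ORDER_APPROVE"));
        userRoles.put("alice", Arrays.asList("ROLE_MANAGER"));
        userRoles.put("bob", Arrays.asList("ROLE_CLERK"));
    }

    /** Flattens the user's roles into the set of permissions they imply. */
    public Set<String> permissionsFor(String username) {
        Set<String> perms = new LinkedHashSet<String>();
        List<String> roles = userRoles.get(username);
        if (roles == null) {
            return perms;
        }
        for (String role : roles) {
            List<String> rp = rolePermissions.get(role);
            if (rp != null) {
                perms.addAll(rp);
            }
        }
        return perms;
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if (!userRoles.containsKey(username)) {
            throw new UsernameNotFoundException("unknown user: " + username);
        }
        Set<String> perms = permissionsFor(username);
        GrantedAuthority[] authorities = new GrantedAuthority[perms.size()];
        int i = 0;
        for (String perm : perms) {
            authorities[i++] = new GrantedAuthorityImpl(perm);
        }
        // Placeholder credential; a real repository loads the stored (hashed) password.
        return new User(username, "PLACEHOLDER_PASSWORD", true, true, true, true, authorities);
    }
}

/** Service secured on a permission, not on a role; the interceptor enforces it. */
class OrderService {

    @Secured("PERM_ORDER_APPROVE")
    public void approve(long orderId) {
        // business logic goes here
    }

    /** Programmatic form of the same permission test, for paths the interceptor does not cover. */
    public static boolean currentUserHas(String permission) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (permission.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

With this layout, `bob` (ROLE_CLERK) is refused by `approve()` and `alice` (ROLE_MANAGER) is allowed, yet neither role name appears anywhere in `OrderService`; renaming or splitting roles is then a repository change, not a code change. The `@Secured` annotation is honoured once method security is switched on in security.xml with `<global-method-security secured-annotations="enabled"/>` (or `jsr250-annotations="enabled"` if you prefer `@RolesAllowed`, which works the same way with permission names).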

Spring Security also provides an authz taglib for querying security permissions while building a web page. This is helpful, but you still have to secure the underlying URLs and methods.
