InfoQ

Spring (Acegi) Security 2.0 Adds OpenID Support, REST Capabilities, and Performance Improvements

Posted by Dionysios Synodinos on Apr 28, 2008 08:38 PM


Rod Johnson, the President and CEO of SpringSource, announced the release of Spring Security 2.0.0, which replaces Acegi Security as the official security module for Spring applications. As reported previously on InfoQ, Acegi Security has been one of the most comprehensive Java security frameworks for enterprise software, providing authentication, authorization, instance-based access control, channel security and human user detection capabilities:

Acegi Security began in late 2003 in response to a Spring Developers' mailing list question about whether a Spring-based security implementation was in the works. Since then, Acegi has become one of the few Java security frameworks out there, and definitely one of the most comprehensive. Insufficient features and lack of portability of Servlet and EJB security standards initially drove interest in Acegi, which since has evolved into a project with support for most of today's authentication schemes. While much has been written about authentication, the hardest security challenges (which are also the least discussed) are authorization, for which Acegi supports authorization on web requests, method calls, and even access to individual domain object instances.


The new features include simplified configuration, and new capabilities including OpenID, NTLM, JSR 250 annotations, AspectJ pointcut support, domain ACL enhancements, RESTful URI authorization, groups, hierarchical roles, user management API, database-backed "remember me", portlet authentication, additional languages, Web Flow 2.0 support, Spring IDE visualization and auto-completion, enhanced WSS support via Spring Web Services 1.5 and more.

This is a major step forward for the Spring Portfolio. Spring (Acegi) Security is already the Java platform's most widely used enterprise security framework, with over 250,000 downloads on SourceForge and over 20,000 downloads per release. Through making it so much simpler to use, this release will undoubtedly take adoption to a new level.


On the Acegi Security homepage there are more technical details regarding the new project:

Spring Security 2.0.0 builds on Acegi Security's solid foundations, adding many new features:


  • Simplified namespace-based configuration syntax. Old configurations could require hundreds of lines of XML but our new convention over configuration approach ensures that many deployments will now require less than 10 lines.
  • OpenID integration, which is the web's emerging single sign on standard (supported by Google, IBM, Sun, Yahoo and others)
  • Windows NTLM support, providing easy enterprise-wide single sign on against Windows corporate networks
  • Support for JSR 250 ("EJB 3") security annotations, delivering a standards-based model for authorization metadata
  • AspectJ pointcut expression language support, allowing developers to apply cross-cutting security logic across their Spring managed objects
  • Substantial improvements to the high-performance domain object instance security ("ACL") capabilities
  • Comprehensive support for RESTful web request authorization, which works well with Spring 2.5's @MVC model for building RESTful systems
  • Long-requested support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration
  • An improved, database-backed "remember me" implementation
  • Support for portlet authentication out-of-the-box
  • Support for additional languages
  • Numerous other general improvements, documentation and new samples
  • New support for web state and flow transition authorization through the Spring Web Flow 2.0 release
  • New support for visualizing secured methods, plus configuration auto-completion support in Spring IDE
  • Enhanced WSS (formerly WS-Security) support through the Spring Web Services 1.5 release

Matt Raible describes his personal experiences while upgrading to Spring Security 2.0:

It's nice to see that Spring Security 2.0 gives you exponentially more power and flexibility without all the XML. Thanks guys!


Matt has also made available the full changelog for this upgrade.

Chris Baker elaborates on his pathway from Acegi to Spring Security 2.0 and outlines the steps for converting your existing Acegi-based Spring application to use Spring Security 2.0:

This short guide on how to configure Spring Security 2.0 with access to resources stored in a database does not come close to illustrating the host of new features that are available in Spring Security 2.0, however I think that it does show some of the most commonly used abilities of the framework and I hope that you will find it useful.

One of the benefits of Spring Security 2.0 over ACEGI is the ability to write more concise configuration files; this is clearly shown when I compare my old ACEGI configuration file (172 lines) to my new one (42 lines).

As I said in step 1, downloading Spring Security was the trickiest step of all. From there on it was plain sailing...
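To make the "less than 10 lines" claim from the feature list and Chris Baker's 172-to-42-line comparison concrete, here is an added example of what a minimal Spring Security 2.0 namespace configuration looks like. It is not code from the InfoQ article, from Chris Baker's guide or from the Spring Security project; the element and attribute names are taken from the 2.0 security namespace as the editor recalls it (http, intercept-url, form-login, logout, remember-me, openid-login, global-method-security, authentication-provider, jdbc-user-service, password-encoder), and the bean name dataSource, the URL patterns and the role names are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: a compact Spring Security 2.0 namespace configuration.
     Element names follow the 2.0 security namespace; the patterns, roles
     and the "dataSource" bean are illustrative assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- auto-config="true" wires the filter chain (form login, logout,
         anonymous access, basic auth) that Acegi required dozens of
         explicit bean definitions to set up. -->
    <http auto-config="true">
        <!-- RESTful URI authorization: the same resource can be readable
             by any user but only modifiable by administrators. Rules are
             matched in order, so the most specific patterns come first. -->
        <intercept-url pattern="/orders/**" method="GET"    access="ROLE_USER" />
        <intercept-url pattern="/orders/**" method="POST"   access="ROLE_ADMIN" />
        <intercept-url pattern="/orders/**" method="PUT"    access="ROLE_ADMIN" />
        <intercept-url pattern="/orders/**" method="DELETE" access="ROLE_ADMIN" />
        <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <!-- Deny-by-default catch-all: anything not listed above needs a login. -->
        <intercept-url pattern="/**" access="ROLE_USER" />

        <form-login login-page="/login.jsp" />
        <logout logout-success-url="/login.jsp" />
        <!-- Database-backed "remember me" (one of the 2.0 features listed above):
             persistent tokens are stored via the dataSource bean instead of
             being encoded entirely in the cookie. -->
        <remember-me data-source-ref="dataSource" />
        <!-- OpenID as an alternative login path next to the form login. -->
        <openid-login />
    </http>

    <!-- Enables JSR 250 annotations (@RolesAllowed, @PermitAll, @DenyAll)
         on Spring-managed service beans for method-level authorization. -->
    <global-method-security jsr250-annotations="enabled" />

    <!-- Users and authorities come from the standard Spring Security JDBC
         schema; stored passwords are SHA-hashed rather than plaintext. -->
    <authentication-provider>
        <password-encoder hash="sha" />
        <jdbc-user-service data-source-ref="dataSource" />
    </authentication-provider>
</beans:beans>
```

Two points worth keeping in mind when reading it: the intercept-url rules are evaluated top to bottom and the first match wins, so the anonymous login page and the per-method order rules must precede the "/**" catch-all; and the catch-all itself is what turns the configuration into a deny-by-default policy, which is the property to check first when reviewing any migrated Acegi configuration.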

Rod Johnson humorously declares that the new version of the security framework “is good for the fairy kingdom” as a reply to an earlier comment from Dan which proclaimed that “every time you use Acegi a fairy dies”. The latter has also been commented on by SpringSource’s Ben Alex, prior to the release of Spring Security 2.0:

Between our community forums, developer lists, JIRA, user conference BOFs, training, support, consulting and team blog, we receive a great deal of community feedback. There is little doubt that many people have sought improvements to the Spring Security (formerly Acegi) configuration format, and we've invested a lot of time in making that possible.

As I'll be presenting at next week's Spring Experience conference, Spring Security 2.0.0 M1 features tremendously simplified configuration.

The latest Spring Security release is available for download.

You can find more information about Spring here: infoq.com/Spring
