Spring (Acegi) Security 2.0 Adds OpenID Support, REST Capabilities, and Performance Improvements

Posted by Dionysios G. Synodinos on Apr 28, 2008

Rod Johnson, the President and CEO of SpringSource, announced the release of Spring Security 2.0.0, which replaces Acegi Security as the official security module for Spring applications. As reported previously on InfoQ, Acegi Security has been one of the most comprehensive Java security frameworks for enterprise software, providing authentication, authorization, instance-based access control, channel security and human user detection capabilities:

Acegi Security began in late 2003 in response to a Spring Developers' mailing list question about whether a Spring-based security implementation was in the works. Since then, Acegi has become one of the few Java security frameworks out there, and definitely one of the most comprehensive. Insufficient features and lack of portability of Servlet and EJB security standards initially drove interest in Acegi, which since has evolved into a project with support for most of today's authentication schemes. While much has been written about authentication, the hardest security challenge (which is also the least discussed) is authorization, for which Acegi supports authorization on web requests, method calls, and even access to individual domain object instances.

The new features include simplified configuration, and new capabilities including OpenID, NTLM, JSR 250 annotations, AspectJ pointcut support, domain ACL enhancements, RESTful URI authorization, groups, hierarchical roles, user management API, database-backed "remember me", portlet authentication, additional languages, Web Flow 2.0 support, Spring IDE visualization and auto-completion, enhanced WSS support via Spring Web Services 1.5 and more.

This is a major step forward for the Spring Portfolio. Spring (Acegi) Security is already the Java platform's most widely used enterprise security framework, with over 250,000 downloads on SourceForge and over 20,000 downloads per release. Through making it so much simpler to use, this release will undoubtedly take adoption to a new level.

On the Acegi Security homepage there are more technical details regarding the new project:

Spring Security 2.0.0 builds on Acegi Security's solid foundations, adding many new features:

  • Simplified namespace-based configuration syntax. Old configurations could require hundreds of lines of XML but our new convention over configuration approach ensures that many deployments will now require less than 10 lines.
  • OpenID integration, which is the web's emerging single sign on standard (supported by Google, IBM, Sun, Yahoo and others)
  • Windows NTLM support, providing easy enterprise-wide single sign on against Windows corporate networks
  • Support for JSR 250 ("EJB 3") security annotations, delivering a standards-based model for authorization metadata
  • AspectJ pointcut expression language support, allowing developers to apply cross-cutting security logic across their Spring managed objects
  • Substantial improvements to the high-performance domain object instance security ("ACL") capabilities
  • Comprehensive support for RESTful web request authorization, which works well with Spring 2.5's @MVC model for building RESTful systems
  • Long-requested support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration
  • An improved, database-backed "remember me" implementation
  • Support for portlet authentication out-of-the-box
  • Support for additional languages
  • Numerous other general improvements, documentation and new samples
  • New support for web state and flow transition authorization through the Spring Web Flow 2.0 release
  • New support for visualizing secured methods, plus configuration auto-completion support in Spring IDE
  • Enhanced WSS (formerly WS-Security) support through the Spring Web Services 1.5 release

Matt Raible describes his personal experiences while upgrading to Spring Security 2.0:

It's nice to see that Spring Security 2.0 gives you exponentially more power and flexibility without all the XML. Thanks guys!

Matt has also made available the full changelog for this upgrade.

Chris Baker elaborates on his pathway from Acegi to Spring Security 2.0 and outlines the steps for converting an existing Acegi-based Spring application to use Spring Security 2.0:

This short guide on how to configure Spring Security 2.0 with access to resources stored in a database does not come close to illustrating the host of new features that are available in Spring Security 2.0, however I think that it does show some of the most commonly used abilities of the framework and I hope that you will find it useful.

One of the benefits of Spring Security 2.0 over ACEGI is the ability to write more concise configuration files; this is clearly shown when I compare my old ACEGI configuration file (172 lines) to my new one (42 lines).

As I said in step 1, downloading Spring Security was the trickiest step of all. From there on it was plain sailing...

Rod Johnson humorously declares that the new version of the security framework “is good for the fairy kingdom” as a reply to an earlier comment from Dan which proclaimed that “every time you use Acegi a fairy dies”. The latter has also been commented on by SpringSource’s Ben Alex, prior to the release of Spring Security 2.0:

Between our community forums, developer lists, JIRA, user conference BOFs, training, support, consulting and team blog, we receive a great deal of community feedback. There is little doubt that many people have sought improvements to the Spring Security (formerly Acegi) configuration format, and we've invested a lot of time in making that possible.

As I'll be presenting at next week's Spring Experience conference, Spring Security 2.0.0 M1 features tremendously simplified configuration.

The latest Spring Security release is available for download.

You can find more information about Spring here: infoq.com/Spring

Dionysios G. Synodinos is a Web Engineer and a freelance consultant, focusing on Web technologies.
