Rod Johnson, the President and CEO of SpringSource, has announced the release of Spring Security 2.0.0, which replaces Acegi Security as the official security module for Spring applications. As reported previously on InfoQ, Acegi Security has been one of the most comprehensive Java security frameworks for enterprise software, providing authentication, authorization, instance-based access control, channel security and human user detection capabilities:
Acegi Security began in late 2003 in response to a Spring Developers' mailing list question about whether a Spring-based security implementation was in the works. Since then, Acegi has become one of the few Java security frameworks out there, and definitely one of the most comprehensive. The limited features and lack of portability of the Servlet and EJB security standards initially drove interest in Acegi, which has since evolved into a project with support for most of today's authentication schemes. While much has been written about authentication, the hardest security challenge (which is also the least discussed) is authorization, for which Acegi supports authorization on web requests, method calls, and even access to individual domain object instances.
The release brings simplified configuration as well as a set of new capabilities: OpenID, NTLM, JSR 250 annotations, AspectJ pointcut support, domain ACL enhancements, RESTful URI authorization, groups, hierarchical roles, a user management API, database-backed "remember me", portlet authentication, additional languages, Web Flow 2.0 support, Spring IDE visualization and auto-completion, enhanced WSS support via Spring Web Services 1.5 and more.
This is a major step forward for the Spring Portfolio. Spring (Acegi) Security is already the Java platform's most widely used enterprise security framework, with over 250,000 downloads on SourceForge and over 20,000 downloads per release. Through making it so much simpler to use, this release will undoubtedly take adoption to a new level.
The Acegi Security homepage gives more technical details on the new release:
Spring Security 2.0.0 builds on Acegi Security's solid foundations, adding many new features:
- Simplified namespace-based configuration syntax. Old configurations could require hundreds of lines of XML but our new convention over configuration approach ensures that many deployments will now require less than 10 lines.
- OpenID integration, which is the web's emerging single sign on standard (supported by Google, IBM, Sun, Yahoo and others)
- Windows NTLM support, providing easy enterprise-wide single sign on against Windows corporate networks
- Support for JSR 250 ("EJB 3") security annotations, delivering a standards-based model for authorization metadata
- AspectJ pointcut expression language support, allowing developers to apply cross-cutting security logic across their Spring managed objects
- Substantial improvements to the high-performance domain object instance security ("ACL") capabilities
- Comprehensive support for RESTful web request authorization, which works well with Spring 2.5's @MVC model for building RESTful systems
- Long-requested support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration
- An improved, database-backed "remember me" implementation
- Support for portlet authentication out-of-the-box
- Support for additional languages
- Numerous other general improvements, documentation and new samples
- New support for web state and flow transition authorization through the Spring Web Flow 2.0 release
- New support for visualizing secured methods, plus configuration auto-completion support in Spring IDE
- Enhanced WSS (formerly WS-Security) support through the Spring Web Services 1.5 release
Matt Raible describes his personal experiences while upgrading to Spring Security 2.0:
It's nice to see that Spring Security 2.0 gives you exponentially more power and flexibility without all the XML. Thanks guys!
Matt has also made available the full changelog for this upgrade.
Chris Baker elaborates on his pathway from Acegi to Spring Security 2.0 and outlines the steps for converting your existing Acegi based Spring application to use Spring Security 2.0:
This short guide on how to configure Spring Security 2.0 with access to resources stored in a database does not come close to illustrating the host of new features that are available in Spring Security 2.0, however I think that it does show some of the most commonly used abilities of the framework and I hope that you will find it useful.
One of the benefits of Spring Security 2.0 over ACEGI is the ability to write more concise configuration files; this is clearly shown when I compare my old ACEGI configuration file (172 lines) to my new one (42 lines).
As I said in step 1, downloading Spring Security was the trickiest step of all. From there on it was plain sailing...
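To make the "less than 10 lines" claim in the feature list and Chris Baker's 172-to-42-line comparison concrete, here is a complete Spring Security 2.0 namespace configuration that exercises several of the listed features at once: web-request authorization with channel security, form login, the database-backed "remember me", JDBC-backed authentication with hashed passwords, and method-level authorization through JSR 250 annotations plus an AspectJ pointcut. This is an added example written for this article, not configuration from the Spring Security project or from any of the quoted authors; the bean id `dataSource`, the package `com.example.service`, the URL paths and the HSQLDB connection details are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Spring Security 2.0 namespace configuration (not the project's own code).
     Bean names, package names, URLs and JDBC settings are assumptions for illustration. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Web-request authorization. intercept-url rules are evaluated top to bottom and the
         first match wins, so the specific /admin rule must come before the /** catch-all;
         reversing the order would let any ROLE_USER into /admin. requires-channel="https"
         is the channel-security feature: an http request to a matching URL is redirected. -->
    <http auto-config="true" access-denied-page="/denied.jsp">
        <intercept-url pattern="/admin/**" access="ROLE_ADMIN" requires-channel="https"/>
        <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
        <logout logout-success-url="/login.jsp"/>
        <!-- Database-backed "remember me": a persistent token in the persistent_logins table
             is used instead of the older cookie that hashed the user's password. -->
        <remember-me data-source-ref="dataSource"/>
    </http>

    <!-- Authentication against the users/authorities tables, with passwords stored as
         SHA hashes salted with the username rather than in cleartext. -->
    <authentication-provider>
        <password-encoder hash="sha">
            <salt-source user-property="username"/>
        </password-encoder>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>

    <!-- Method-level authorization: enables JSR 250 (@RolesAllowed) and @Secured on Spring
         beans, and protects every *Service method in the assumed package through an AspectJ
         pointcut without annotating the classes at all. -->
    <global-method-security jsr250-annotations="enabled" secured-annotations="enabled">
        <protect-pointcut expression="execution(* com.example.service.*Service.*(..))" access="ROLE_USER"/>
    </global-method-security>

    <!-- Assumed in-memory HSQLDB data source holding the users, authorities and
         persistent_logins tables (constructed for the example). -->
    <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <beans:property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
        <beans:property name="url" value="jdbc:hsqldb:mem:securitydemo"/>
        <beans:property name="username" value="sa"/>
        <beans:property name="password" value=""/>
    </beans:bean>
</beans:beans>
```

With this in place a service method annotated `@RolesAllowed("ROLE_ADMIN")` is refused for a plain ROLE_USER caller even though the pointcut grants ROLE_USER access to the package, because both checks must pass. Two things worth verifying after an Acegi migration of this kind: that the URL rules still list the most specific patterns first, and that the password hashing and salt in `<password-encoder>` match how the existing rows in the users table were produced, otherwise every login fails after the switch.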
Rod Johnson humorously declares that the new version of the security framework "is good for the fairy kingdom", in reply to an earlier comment by Dan proclaiming that "every time you use Acegi a fairy dies". SpringSource's Ben Alex had already addressed that complaint prior to the release of Spring Security 2.0:
Between our community forums, developer lists, JIRA, user conference BOFs, training, support, consulting and team blog, we receive a great deal of community feedback. There is little doubt that many people have sought improvements to the Spring Security (formerly Acegi) configuration format, and we've invested a lot of time in making that possible.
As I'll be presenting at next week's Spring Experience conference, Spring Security 2.0.0 M1 features tremendously simplified configuration.
The latest Spring Security release is available for download.
You can find more information about Spring here: infoq.com/Spring