Raible's Wiki
This is version 14.
AppFuse has used Container-Managed Authentication since it was first created. However, in version 1.8, this was replaced with the Acegi Security Framework for Spring. The main reasons for this can be found on raibledesigns.com. The purpose of this page is to describe what I did to integrate Acegi Security into 1.8. Hopefully you can use this to change your pre-1.8 applications to Acegi Security if you like.

The nice thing about migrating to Acegi Security is that your application becomes more portable and you don't have to worry about configuring your application server. Also, there weren't many code changes involved in the integration process, which proves Acegi Security works very well with all the existing code that talks to the security methods of the Servlet API (i.e. request.isUserInRole(), etc.).

Part II of this tutorial shows you how to remove Acegi Security from AppFuse and revert back to Container-Managed Authentication.

NOTE: This tutorial is in progress - please don't use it until this message is gone.

Add Acegi Security JARs to your project [#1]

Download the following two JARs and put them in the lib/spring-1.1.3 directory of your project. If you're on an older version of Spring, that shouldn't matter. The Acegi Security JAR listed below contains a patch that allows you to easily exclude URLs. Before the 1.8 release, I hope to fix this so you don't need a patched version.

Create applicationContext-security.xml [#2]

Download applicationContext-security.xml and put it in your web/WEB-INF directory. Make sure your metadata/web/web-settings.xml file loads this file as part of the ContextLoaderListener. For AppFuse 1.7+, this should look as follows:

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext-*.xml</param-value>
    </context-param>

Configure filters and filter-mappings [#3]

Add Acegi Security's filters to the top of metadata/web/filter.xml:

    <filter>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>acegiSessionFilter</filter-name>
        <filter-class>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter</filter-class>
    </filter>
    <filter>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>acegiRemoteUserFilter</filter-name>
        <filter-class>net.sf.acegisecurity.ui.wrapper.ContextHolderAwareRequestFilter</filter-class>
    </filter>

Add filter-mappings for each of these filters.
Put the following XML at the top of the metadata/web/filter-mappings.xml file:

    <filter-mapping>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <url-pattern>/j_security_check</url-pattern>
        <!--dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher-->
    </filter-mapping>
    <filter-mapping>
        <filter-name>acegiSessionFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <!--dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher-->
    </filter-mapping>
    <filter-mapping>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <url-pattern>*.html</url-pattern>
        <!--dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher-->
    </filter-mapping>
    <filter-mapping>
        <filter-name>acegiRemoteUserFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Remove web-security.xml from metadata/web [#4]

Delete the file metadata/web/web-security.xml. This is no longer needed since the security settings are now controlled by the applicationContext-security.xml file.

Add an "enabled" variable to the User object [#5]

TODO: This is done in CVS, now I just need to document it. In CVS, it's only done for Struts - I still need to do it for iBATIS and the other web frameworks.
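
The filter-mappings from step [#3] decide which requests reach each Acegi filter. As an added example (not part of the original tutorial or of AppFuse), the Python script below applies the Servlet specification's url-pattern rules to those mappings and lists the filters a request path passes through; the <mappings> wrapper element and the sample request paths are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Filter-mappings from step [#3] of this page, wrapped in a root element so
# the fragment parses (the <mappings> wrapper is added for this example).
FILTER_MAPPINGS = """<mappings>
  <filter-mapping><filter-name>Acegi Authentication Processing Filter</filter-name>
    <url-pattern>/j_security_check</url-pattern></filter-mapping>
  <filter-mapping><filter-name>acegiSessionFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>Acegi HTTP Request Security Filter</filter-name>
    <url-pattern>*.html</url-pattern></filter-mapping>
  <filter-mapping><filter-name>acegiRemoteUserFilter</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</mappings>"""

ENFORCER = "Acegi HTTP Request Security Filter"


def matches(pattern, path):
    """Servlet-spec url-pattern match: exact, '/prefix/*', or '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        return "." in last_segment and last_segment.rsplit(".", 1)[1] == pattern[2:]
    return False


def filters_for(path, xml_text=FILTER_MAPPINGS):
    """Names of the filters a request path passes through, in declared order."""
    chain = []
    for m in ET.fromstring(xml_text).iter("filter-mapping"):
        if matches(m.findtext("url-pattern").strip(), path):
            chain.append(m.findtext("filter-name").strip())
    return chain


def unenforced(paths):
    """Paths that never reach the SecurityEnforcementFilter mapping."""
    return [p for p in paths if ENFORCER not in filters_for(p)]


if __name__ == "__main__":
    # Constructed sample paths, not taken from AppFuse.
    for p in ["/mainMenu.html", "/j_security_check", "/images/logo.gif", "/editUser.jsp"]:
        print(p, "->", filters_for(p))
```

With the mappings as given, only paths ending in .html pass through the SecurityEnforcementFilter; other paths still get the session and remote-user filters.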

Configure logging for Acegi Security [#6]

In web/WEB-INF/classes/log4j.properties, add a setting to control the logging for Acegi Security.

    log4j.logger.net.sf.acegisecurity=WARN

Remove setting from LoginServlet.java to prevent duplicate logins [#7]

In LoginServlet.java, remove the initial if statement at the beginning of the execute method. This involves deleting the following lines of code.