
Security
Added by Matt Raible, last edited by Matthew Chestnut on May 09, 2007 11:40


AppFuse was originally developed as part of a sample application for a book I wrote for Apress, Pro JSP. This sample application demonstrated many security features, as well as techniques for simplifying Struts development. Many of the security features in this application did not exist in J2EE's security paradigm. Authentication using container-managed authentication (CMA) was easy, but Remember Me, password hints, SSL switching, signup, and user management were nonexistent. Furthermore, protecting methods based on the caller's roles was not possible in a non-EJB environment.

At first, AppFuse implemented all of these features with its own code and workarounds for CMA. I'd heard about Acegi Security when I first started learning Spring in early 2004. I compared the number of lines of XML required by Acegi (175) with the number that CMA required in web.xml (20) and quickly dismissed Acegi as too complicated.

A year and a half later – and after writing a chapter about using Acegi Security for another book, Spring Live – I had changed my mind. Acegi did (and still does) require a fair amount of XML, but it really is quite simple once you understand it. When we finally took the plunge and replaced all AppFuse's home-grown features with Acegi Security's features, we ended up deleting a lot of code. Classes upon classes went away, disappearing into the "Acegi handles that now" pile in CVS's Attic.

Acegi Security is simply the best thing that's ever happened to J2EE's security model. It allows you to implement many useful features that aren't part of the Servlet API's security model: authentication, authorization, role-protected methods, Remember Me, password encryption, SSL switching, user switching, and logout. It also allows you to store your user's credentials in an XML file, in a database, in LDAP, or in a single sign-on system such as Yale's Central Authentication Service (CAS) or SiteMinder.

AppFuse's implementation of many security-related features was nice in the beginning. Now that AppFuse uses Acegi Security, these features – and many more – are easy to implement. Acegi has many points for extension: that is the reason for its large XML configuration file. As we've integrated Acegi over the course of the last year, we've found that we've customized many bean definitions to hook into AppFuse more closely.

The combined ease of development, easily testable code, and loose coupling provided by the Spring IoC container and Acegi Security are the primary reasons that AppFuse is such a pleasure to develop with. These frameworks are nonintrusive and allow clean, testable code. AppFuse integrates many open source projects, and dependency injection allows easy integration of your application's layers.
