For any complete application system, a sound authentication and authorization mechanism is essential. Acegi Security (hereinafter Acegi) is a framework that provides a powerful and flexible access control solution for Spring-based enterprise applications. It has become an official Spring subproject and is therefore also known as Spring Security. It provides declarative access control by configuring a set of beans in the Spring container, leveraging Spring's IoC and AOP capabilities. Although Acegi can also be applied to non-Spring applications, using it inside Spring is the most natural way.
Acegi can enforce access control down to the granularity of individual business-object methods, and it provides security for the following three areas of an application:
Access control for URL resources
For example, all users, including anonymous users, may access the index.jsp login page, but only authorized users may access the /user/addUser.jsp page. Acegi lets you define URL patterns with regular expressions or Ant-style path expressions, so that only authorized users can reach the URL resources that match a given pattern.
Access control for business class methods
Every bean method in the Spring container can be managed by Acegi. For example, all users may invoke the BbtForum#getRefinedTopicCount() method, while only authorized users may invoke the BbtForum#addTopic() method.
Access control for domain objects
A business class method represents a specific business operation, such as modification, deletion or approval. Business-method access control decides whether a user may perform a given kind of operation, but it does not control the object the operation acts on (the domain object). In our forum application, a user may call BbtForum#updateUser(User user) to change user registration information, but should be limited to changing their own information: what must be restricted is the User domain object passed to BbtForum#updateUser(), not merely the right to call the method.
Acegi protects URL resources with a set of servlet filters. Before a request reaches a protected URL resource, the Acegi servlet filter determines whether the current user may access the target resource: authorized users are let through, unauthorized users are stopped at the gate.
Acegi intercepts the managed methods of container beans through Spring AOP. When a user's request leads to a call on a managed bean method, the Acegi method interceptor steps in and blocks the call if the caller is not authorized.
Access control over domain objects builds on the protection of bean methods. Before the target bean method is finally executed, Acegi checks whether the user's ACL (Access Control List) covers the domain object being manipulated; a user may process a domain object through the bean method only if the ACL authorizes that object for them. In addition, Acegi can filter the results returned by a bean method and remove the domain objects that fall outside the current user's scope of access, that is, control the visible data domain in the traditional sense. In general, using Acegi to control data visibility is not an ideal choice; the traditional dynamic SQL approach is often more straightforward.
In essence, a servlet filter is a primitive, native form of AOP, so we can say that Acegi applies AOP not only to access control of business class methods and domain objects but also to access control of URL resources. A framework built on AOP is attractive precisely because developers can use Acegi to layer security onto an application after its business functions have been developed.
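As an added example that is not part of the original article or of the Acegi project's own documentation, the Spring bean definitions below wire up the three kinds of protection described above (URL resources, business methods, domain objects) for the forum application, using the Acegi 1.0.x class names. The package com.bbt.forum, the bean names, the getTopicsFor* methods, the domain class com.bbt.forum.domain.User and the roles ROLE_USER and ROLE_ADMIN are assumptions; the authenticationManager and aclManager beans, and the filter chain that runs the session-integration and anonymous filters before the URL interceptor, are assumed to be defined elsewhere in the same context.

```xml
<!-- Added example, not from the original article or the Acegi project.
     Assumed: package com.bbt.forum, bean names, the getTopicsFor* methods,
     com.bbt.forum.domain.User, roles ROLE_USER/ROLE_ADMIN, and the beans
     authenticationManager and aclManager defined elsewhere in this context. -->

<!-- 1. URL resources. The request path is matched against the patterns below,
     first match wins. Patterns are lower case because the first directive
     lowercases the request URL before comparison, so /user/addUser.jsp must be
     written as /user/adduser.jsp. ROLE_ANONYMOUS only exists for a request if
     AnonymousProcessingFilter ran earlier in the chain. -->
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /index.jsp=ROLE_ANONYMOUS,ROLE_USER
      /user/adduser.jsp=ROLE_ADMIN
      /user/**=ROLE_USER
    </value>
  </property>
</bean>

<!-- 2. Business methods. getRefinedTopicCount is deliberately not listed: a
     method without a configuration attribute is open to every caller. -->
<bean id="bbtForumSecurity"
      class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="afterInvocationManager" ref="afterInvocationManager"/>
  <property name="objectDefinitionSource">
    <value>
      com.bbt.forum.service.BbtForum.addTopic=ROLE_USER
      com.bbt.forum.service.BbtForum.updateUser=ACL_USER_WRITE
      com.bbt.forum.service.BbtForum.getTopicsFor*=AFTER_ACL_COLLECTION_READ
    </value>
  </property>
</bean>
<!-- Wrap the bbtForum bean in a Spring AOP proxy that runs the interceptor. -->
<bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
  <property name="beanNames" value="bbtForum"/>
  <property name="interceptorNames">
    <list><value>bbtForumSecurity</value></list>
  </property>
</bean>

<!-- Shared decision manager. RoleVoter votes on ROLE_* attributes, the ACL voter
     on ACL_USER_WRITE, and each abstains on the other's attributes; with
     allowIfAllAbstainDecisions=false an attribute nobody votes on is a denial. -->
<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter"/>
      <ref bean="aclUserWriteVoter"/>
    </list>
  </property>
</bean>
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

<!-- 3. Domain objects. For updateUser(User) the voter picks the User argument out
     of the invocation and asks aclManager whether the caller holds WRITE on that
     object; no ACL entry means denial, so a member can only update the User record
     the ACL data maps to them. A null User makes the voter abstain, which the
     decision manager above turns into a denial. -->
<bean id="aclUserWriteVoter" class="org.acegisecurity.vote.BasicAclEntryVoter">
  <property name="processConfigAttribute" value="ACL_USER_WRITE"/>
  <property name="processDomainObjectClass" value="com.bbt.forum.domain.User"/>
  <property name="aclManager" ref="aclManager"/>
  <property name="requirePermission">
    <list><ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.WRITE"/></list>
  </property>
</bean>
<!-- FieldRetrievingFactoryBean exposes the static permission constants by bean name. -->
<bean id="org.acegisecurity.acl.basic.SimpleAclEntry.WRITE"
      class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"/>
<bean id="org.acegisecurity.acl.basic.SimpleAclEntry.READ"
      class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"/>

<!-- Result filtering for AFTER_ACL_COLLECTION_READ: elements of the returned
     Collection on which the caller has no READ permission are removed. -->
<bean id="afterInvocationManager"
      class="org.acegisecurity.afterinvocation.AfterInvocationProviderManager">
  <property name="providers">
    <list>
      <bean class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
        <property name="aclManager" ref="aclManager"/>
        <property name="requirePermission">
          <list><ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/></list>
        </property>
      </bean>
    </list>
  </property>
</bean>
```

Three points are worth checking in a configuration like this. First, AffirmativeBased grants access as soon as a single voter grants, so putting both a ROLE_ attribute and an ACL_ attribute on the same method would let the role grant bypass the ACL check; keep one attribute per method as above, or use org.acegisecurity.vote.UnanimousBased for the method interceptor. Second, a method missing from objectDefinitionSource, and by default a URL that matches no pattern, is not secured at all; if your Acegi release supports the rejectPublicInvocations property on the interceptors, setting it to true makes every invocation require a configuration attribute. Third, the default object identity used by BasicAclProvider calls getId() on the domain object, so the assumed User class needs such a method for the ACL lookup to work.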