Using Acegi to protect Java applications, part 1th: Architecture Overview and Security filters

Using Acegi security System to implement URL-based safety

Acegi Security System is a powerful and easy-to-use alternative that eliminates the need to write large amounts of secure code for Java enterprise applications. Although it is specifically for applications written with the Spring framework, no Java application of any kind is justified in not using Acegi. This three-part series describes Acegi in detail and shows how to use it to protect simple enterprise applications and more complex applications.

This series first describes the common security issues in enterprise applications, and explains how Acegi addresses these issues. You will learn about the ACEGI architecture model and its security filters, which contain most of the functionality that will be used in securing your application. You'll also learn how each filter works alone, how to combine them, and how the filter links the various functions from start to finish in an enterprise security implementation. Finally, this paper demonstrates the Acegi implementation based on the URL security system through a sample application. The next two articles in this series will explore some of the more advanced applications of Acegi, including how to design and host access control policies, and then how to configure Acegi to use these policies.

You must download Acegi so that you can compile the sample code for this article and run the sample application in this article. You must also have a TOMCAT server running as part of the workstation.

Enterprise Application Security

Because Enterprise Content Management (ECM) applications manage the authoring and processing of enterprise content stored in different types of data sources, such as file systems, relational databases, and directory services, ECM security requires control over access to these data sources. For example, an ECM application might control objects that are authorized to read, edit, or delete data that is related to the design, marketing, production, and quality control of a manufacturing enterprise.

In an ECM security scenario, it is more common to implement access control by applying security to the enterprise Resource Locator (or network address). This simple security model is called a Uniform Resource Locator or URL security. As I demonstrated later in this article (as well as later in this series), Acegi provides comprehensive features for implementing URL security.

However, in many enterprise scenarios, URL security is far from enough. For example, suppose a PDF document contains data for a particular product produced by a manufacturing company. Part of the document contains design data that will be edited and updated by the company's design department. The other part contains the production data that the production manager will use. For such scenarios, more granular security is required to apply different access rights to different parts of the document.

This article describes the various functions that ACEGI provides for the implementation of URL security. The next article in this series will demonstrate the methodology-based security of this framework, which provides finer granularity of control over enterprise data access.

Acegi Security System

Acegi security System uses secure filters to provide authentication and authorization services for enterprise applications. The framework provides different types of filters that can be configured according to the requirements of your application. You'll see the different types of security filters later in this article; now, just note that you can configure the Acegi security filter for the following tasks:

Prompts the user to log on before accessing a security resource.

Authenticate users by examining security tokens, such as passwords.

Check to see if the authenticated user has privileges to access a security resource.

Redirects a user who has successfully authenticated and authorized to the requested security resource.

Displays the Access Denied page for users who do not have access to the security resource privilege.

Logs the user who successfully authenticated on the server and sets the security cookie on the user's client computer. Use this cookie to perform the next authentication without requiring the user to log on.

Stores the authentication information in a server-side session object, which makes subsequent requests for resources safe.

Optimize performance by building and saving a cache of security information in server-side objects.

Deletes the server-side object saved for the user's secure session when the user exits.

Communicates with a large number of back-end data storage services, such as directory services or relational databases, that are used to store user security information and ECM access control policies.

As this list shows, Acegi's security filters allow you to perform almost anything you need to protect your enterprise applications.