Ralph Goers wrote:
> The only concern I would have in bringing CoWarp into Cocoon (beside the
> name making me think it is an add-on for OS/2 :-) ) is that I'd want to
> evaluate it against using acegi as the "standard" authentication
> mechanism. Having said that, I have no familiarity with CoWarp and have
> only read some high level stuff about acegi, but from that reading it
> looks like a very robust framework. There was some discussion about it
> on the users list a few months ago
> http://marc.theaimsgroup.com/?t=111755000500004&r=1&w=2

Acegi is a very robust framework. Although the author states it could be
used without Spring [1] he strongly encourages not to :). I quite got
the point when I implemented the first application context which just
secures a single method in a dummy business service:

<beans>
  <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

  <bean id="accessDecisionManager"
        class="net.sf.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions"><value>false</value></property>
    <property name="decisionVoters">
      <list>
        <ref bean="roleVoter"/>
      </list>
    </property>
  </bean>

  <bean id="authenticationDao"
        class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR
        dianne=emu,ROLE_TELLER
        scott=wombat,ROLE_TELLER
        peter=opal,disabled,ROLE_TELLER
        ouzo=ouzo,ROLE_ADMIN
      </value>
    </property>
  </bean>

  <bean id="cacheManager"
        class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <property name="configLocation"><value>classpath:/ehcache-failsafe.xml</value></property>
  </bean>

  <bean id="userCacheBackend"
        class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager"><ref local="cacheManager"/></property>
    <property name="cacheName"><value>userCache</value></property>
  </bean>

  <bean id="userCache"
        class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache"><ref local="userCacheBackend"/></property>
  </bean>

  <bean id="daoAuthenticationProvider"
        class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="authenticationDao"><ref bean="authenticationDao"/></property>
    <property name="userCache"><ref bean="userCache"/></property>
  </bean>

  <bean id="testingAuthenticationProvider"
        class="net.sf.acegisecurity.providers.TestingAuthenticationProvider"/>

  <bean id="authenticationManager"
        class="net.sf.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <!-- ref bean="daoAuthenticationProvider"/ -->
        <ref bean="testingAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <bean id="beanSecurityInterceptor"
        class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="validateConfigAttributes"><value>true</value></property>
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    <!-- property name="runAsManager"><ref bean="runAsManager"/></property -->
    <property name="objectDefinitionSource">
      <value>
        com.mobilebox.acegi.SecureBean.*=ROLE_ADMIN
      </value>
    </property>
  </bean>

  <bean id="autoProxyCreator"
        class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    <property name="interceptorNames">
      <list>
        <idref local="beanSecurityInterceptor"/>
      </list>
    </property>
    <property name="beanNames">
      <list>
        <value>secureBean</value>
      </list>
    </property>
  </bean>

  <!-- 'application beans' -->
  <bean id="secureBean" class="com.mobilebox.acegi.SecureBeanImpl"/>
</beans>

This is ONLY business method security. The "Basic" acegi sample has an
applicationContext.xml at least twice this big.
Thing is: even if it's possible to use it without Spring it will be a
total hell to wrap everything as ECM components without Dependency
Injection.
Still, I would love to have functionality that replaces ANT based
request URI expressions:

<bean id="channelProcessingFilter"
      class="net.sf.acegisecurity.securechannel.ChannelProcessingFilter">
  <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
      \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
      \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
      \A.*\Z=REQUIRES_INSECURE_CHANNEL
    </value>
  </property>
</bean>

<bean id="filterInvocationInterceptor"
      class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /index.jsp=ROLE_ANONYMOUS,ROLE_USER
      /hello.htm=ROLE_ANONYMOUS,ROLE_USER
      /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
      /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
      /**=ROLE_USER
    </value>
  </property>
</bean>

and integrates it with our sitemap and pipelines definitions.
[1] http://acegisecurity.sourceforge.net/standalone.html
[2] http://acegisecurity.sourceforge.net/index.html
--
Leszek Gawron [EMAIL PROTECTED]
IT Manager MobileBox sp. z o.o.
+48 (61) 855 06 67 http://www.mobilebox.pl
mobile: +48 (501) 720 812 fax: +48 (61) 853 29 65
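
Added example, not part of the original message and not Acegi's own code: a small Python model of how the Ant-pattern rule list in the filterInvocationInterceptor bean resolves a request path to required roles and then to a grant or deny. It assumes first-match-wins rule evaluation, a simplified Ant matcher, and a single RoleVoter under AffirmativeBased with allowIfAllAbstainDecisions=false; all function names are hypothetical.

```python
import re

# Rule block copied from the filterInvocationInterceptor bean in the message.
RULES = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/hello.htm=ROLE_ANONYMOUS,ROLE_USER
/logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
/acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
"""

def ant_to_regex(pattern):
    """Simplified Ant translation (assumption): ** crosses '/', * and ? do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = [table.get(t, re.escape(t)) for t in re.split(r"(\*\*|\*|\?)", pattern)]
    return re.compile("".join(parts) + r"\Z")

def parse(block):
    """Return (lowercase_flag, ordered list of (pattern, regex, roles))."""
    lower, rules = False, []
    for line in (l.strip() for l in block.splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lower = True
        elif "=" in line:
            pat, roles = line.rsplit("=", 1)
            rules.append((pat, ant_to_regex(pat), [r.strip() for r in roles.split(",")]))
    return lower, rules

def required_roles(path, block=RULES):
    """Roles of the first matching rule, or None when no rule covers the path."""
    lower, rules = parse(block)
    path = path.lower() if lower else path
    for _pat, rx, roles in rules:
        if rx.match(path):
            return roles
    return None

def decide(path, authorities, block=RULES, allow_if_all_abstain=False):
    """Model of AffirmativeBased with one RoleVoter: any matching ROLE_ grants."""
    roles = required_roles(path, block)
    if roles is None:
        return True  # assumption: a path with no rule is treated as public
    role_attrs = [r for r in roles if r.startswith("ROLE_")]
    if not role_attrs:
        return allow_if_all_abstain  # voter abstains when no ROLE_ attribute
    return any(a in role_attrs for a in authorities)
```

Moving `/**=ROLE_USER` to the top of the block makes `decide("/acegilogin.jsp", ["ROLE_ANONYMOUS"])` return False, because the catch-all then shadows every later rule; that ordering is the first thing to check when reviewing such a list.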