Leszek Gawron wrote:
Acegi is a very robust framework. Although the author states it could be
used without Spring [1] he strongly encourages not to :). I quite got
the point when I implemented the first application context which just
secures a single method in a dummy business service:
This is ONLY business method security. "Basic" acegi sample has
applicationContext.xml at least twice this big.
Thing is: even if it's possible to use it without Spring it will be a
total hell to wrap everything as ECM components without Dependency
Injection.
Still I would love to have a functionality that replaces ANT based
request URI expressions:
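For readers who have not seen Acegi's URL rules, the following is an added example (not code from Acegi, Cocoon or the poster) of what an Ant-style request-URI map does: each rule is an Ant pattern (`?` one character, `*` one path segment, `**` any number of segments) paired with the roles that may pass, rules are checked in order and the first match wins, and a request that matches no rule is denied. The rule table, the path normalisation (query string and `;jsessionid` dropped, repeated slashes collapsed, `..` resolved, case folded) and the function names are assumptions made for this illustration; the normalisation matters because a bypass such as `/Secure/../admin/x` must be compared after it has been collapsed, not before.

```python
import re
from posixpath import normpath

# Constructed rule table, most specific first (first match wins, as in Acegi).
RULES = [
    ("/admin/**", {"ROLE_ADMIN"}),
    ("/secure/*.do", {"ROLE_USER"}),
    ("/secure/**", {"ROLE_USER"}),
    ("/**", {"ROLE_ANONYMOUS"}),
]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):          # "/a/**/b" also matches "/a/b"
            out.append("/(.*/)?")
            i += 4
        elif pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(/.*)?")                   # trailing "/**" also matches the bare prefix
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")                    # one segment, no slash
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


COMPILED = [(ant_to_regex(p), roles) for p, roles in RULES]


def normalize(uri):
    """Reduce a request URI to the canonical path the rules are written against."""
    path = uri.split("?", 1)[0].split(";", 1)[0]   # drop query string and ;jsessionid=...
    path = re.sub(r"/+", "/", path)                 # "//admin" -> "/admin" (normpath keeps a double leading slash)
    path = normpath(path) if path else "/"          # resolves "." and ".." segments
    return path.lower()                             # compare case-insensitively, like Acegi's lowercase directive


def required_roles(uri):
    """Roles that may access the URI, or None when no rule matches (deny by default)."""
    path = normalize(uri)
    for regex, roles in COMPILED:
        if regex.match(path):
            return roles
    return None


def is_allowed(uri, granted_roles):
    need = required_roles(uri)
    return need is not None and bool(need & set(granted_roles))


if __name__ == "__main__":
    for uri in ("/admin/users.do", "/secure/../admin/users.do", "/Secure/Report.do;jsessionid=abc?x=1"):
        print(uri, "->", required_roles(uri))
```

The catch-all `/**` rule must stay last; moving it to the top would grant anonymous access to everything, which is the classic ordering mistake with first-match tables.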
I'm not going to proclaim myself an expert in security
matters/frameworks, but when I needed to add security (authorization
rather than just authentication) to my application I had a look at Acegi
too and found it too cumbersome as well.
I came across XACML (by OASIS) [1] and its implementation by Sun [2].
Priorities changed and I haven't looked into it further, but this at
least doesn't rely on Spring. Maybe something to consider.
My POV on security (i.e. authorization) is:
- it should be easy to configure (XML config rather than code)
- it should be role-based, preferably supporting multiple roles
(hierarchical and occasional, e.g. a person can be 'doctor' and
'treating physician'. In the latter role he can see more information about
the patient).
- it should allow me to "filter" data based on roles (e.g. 'doctor' sees
less info than 'treating physician')
- it would be great if the roles could also be applied to the UI: when
it is not possible to edit something the UI is adjusted (e.g. removal of
'edit' button or different display of widget). I know the latter is
highly dependent on the application, but there are common tasks that
could be integrated in the framework.
Just my 2ct.
Bye, Helma
[1]http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
[2]http://sunxacml.sourceforge.net/
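The role model Helma sketches above (a hierarchy in which 'treating physician' implies 'doctor', a role that only applies in context, record fields filtered by role, and the UI adjusted to what the role may edit) is small enough to show in code. What follows is an added example written for this thread, not code from Acegi, the XACML reference implementation or the poster. The role names, the field policies, the rule that a doctor is the treating physician only for patients who list him, and the constructed users and patient records are assumptions made for the illustration.

```python
from typing import Dict, Set

# Static hierarchy: a role implies the roles listed for it (transitively).
ROLE_HIERARCHY: Dict[str, Set[str]] = {
    "ROLE_TREATING_PHYSICIAN": {"ROLE_DOCTOR"},
    "ROLE_DOCTOR": {"ROLE_STAFF"},
}

# Role required to read each field of a patient record.
# A field with no entry is never returned (deny by default).
READ_POLICY = {
    "name": "ROLE_STAFF",
    "ward": "ROLE_STAFF",
    "diagnosis": "ROLE_DOCTOR",
    "medication": "ROLE_DOCTOR",
    "psychiatric_notes": "ROLE_TREATING_PHYSICIAN",
}

# Role required to edit a field; drives which 'edit' controls the UI renders.
EDIT_POLICY = {
    "medication": "ROLE_TREATING_PHYSICIAN",
    "psychiatric_notes": "ROLE_TREATING_PHYSICIAN",
}

# Constructed sample data (assumed, not from any real system).
DR_LEE = {"id": "dr_lee", "roles": {"ROLE_DOCTOR"}}
NURSE_RAMOS = {"id": "n_ramos", "roles": {"ROLE_STAFF"}}
PATIENT_A = {
    "treating_physicians": {"dr_lee"},
    "fields": {"name": "A. Example", "ward": "C3", "diagnosis": "...",
               "medication": "...", "psychiatric_notes": "...", "ssn": "000-00-0000"},
}
PATIENT_B = {
    "treating_physicians": {"dr_kim"},
    "fields": {"name": "B. Example", "ward": "C4", "diagnosis": "...",
               "medication": "...", "psychiatric_notes": "...", "ssn": "000-00-0001"},
}


def expand_roles(granted):
    """Close a set of roles under ROLE_HIERARCHY."""
    result = set()
    stack = list(granted)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(ROLE_HIERARCHY.get(role, ()))
    return result


def contextual_roles(user, patient):
    """Static roles plus the 'occasional' role that only holds for this patient."""
    roles = set(user["roles"])
    if user["id"] in patient["treating_physicians"]:
        roles.add("ROLE_TREATING_PHYSICIAN")
    return expand_roles(roles)


def filter_record(patient, roles):
    """Return only the fields the caller's effective roles may read."""
    return {f: v for f, v in patient["fields"].items() if READ_POLICY.get(f) in roles}


def editable_fields(patient, roles):
    """Fields for which the view should render an 'edit' control."""
    return {f for f in patient["fields"] if EDIT_POLICY.get(f) in roles}


if __name__ == "__main__":
    for patient in (PATIENT_A, PATIENT_B):
        roles = contextual_roles(DR_LEE, patient)
        print(sorted(filter_record(patient, roles)), sorted(editable_fields(patient, roles)))
```

The same doctor gets the full record and edit controls for the patient who lists him as treating physician, and only the doctor-level fields, read-only, for the other patient; the `ssn` field has no policy entry and is dropped for everyone, which is the safe default when someone adds a column and forgets the policy.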