Vincent Tence wrote:
On Fri, 2005-06-17 at 13:44 -0700, Richard Wallace wrote:
<snip/>
Not your fault. I've actually found what seems, on first glance, a really
good security framework built specifically for Spring
http://agisecurity.sf.net. Now I don't like the fact that I'll be tied
to a specific container, but it sounds like I can do exactly the kind of
stuff that I need to do with it.
We're also using Acegi on our current project at work. Simply because,
it's the best option I found available ... until AuthX has a comparable
feature set ready of course.
Acegi has a very nice feature set, but here's what I don't like (or did
not understand):
- It's tied to Spring
That is something that puts me off a little bit. For now it's not a big
deal because I am using Spring, but I would definitely prefer to be able
to swap out any part of the system (JSF/Container/Persistence/auth)
without having to change one of the other parts of the system.
- It's role based only
That will mostly work in our situation tho. That's basically how things
are handled in the existing PHP system, with some custom authentication
code. With interceptors, I'm hoping this will work out for us.
- It's all XML stuff (and you need to write a hell of a lot of XML)
Heh, I just started looking at it yesterday and already I'm anticipating
the damn Spring file suddenly growing to be the largest file in the
whole project.
- You've got to play by the rules it defines
I would really like to replace our use of Acegi, but before that, here's
the list of stuff that needs to be implemented:
- Hibernate Realm (not very hard, should be easier than JDBC Realm)
- Hibernate Information Provider, for loading roles from the Database
- A stack of web utilities, including permissions to define access to
web resources, servlet filters, servlet listeners, ... not that hard
either
- Utilities to setup authx, including authenticators, information
providers and authorizers, wiring them together in the minimal amount of
steps, for general usage
-- Vincent