Hi all, I'm evaluating Java security libraries at this moment. As a Spring user, I started with Spring Security, and found it very powerful, but extremely difficult to understand and follow. I am especially interested in authorization capabilities which go beyond the standard JEE role-based approach. I want to be able to declare access rules on per-object, per-method, and per-user level. Spring Security allows it with its ACL package, but it took me several days to figure out how to use it. Then I found JSecurity. First impression is very good: it seems much simpler to use, configure and understand than Spring Security, and possibly comparable in functionality, and it is not so much web-centric, which is also an advantage. So I wanted to port my test application to JSecurity, but I got stuck almost at the beginning. Those are my problems - maybe you can help me with at least some of them:

1. On the project page, there is almost no documentation. Only a very simple quick-start, and some slides. This is too little to start doing anything real. In Spring Security there is a user manual - not perfect, but it gives good background to start. Here I have completely nothing.

2. Because of this, I tried to learn something from the sample applications bundled with the jsecurity distribution. I would expect to see a Maven pom.xml file in each sample, so that I can open it in Eclipse or NetBeans as separate projects, analyse them, build and run (I believe especially community projects should not be tied to any IDE - and a Maven pom.xml file is the perfect way to provide you with the necessary metadata to open it in any IDE). But there is no Maven config in the sample applications. I spent a long time figuring out how to open those projects, how to build them, etc.

3. After looking at the quickstart, I looked at the web sample. The most interesting section is the JSecurity filter configuration in web.xml. I looked at the filter JavaDoc too, but still don't know how it works:
- in section [filters] you have "jsecurity.loginUrl = /login.jsp" - what is this "jsecurity.loginUrl"? Where does it come from? In the JSecurityFilter JavaDoc there is no phrase "jsecurity.loginUrl". Is "jsecurity" the name of the filter? But still, there is no "loginUrl" property. The [filters] section in the javadoc does not mention such an option.
- after building the war and deploying it, the most surprising fact is that authentication works. How can it be? Nowhere is the list of users/passwords specified! How does the system know the names of users, their passwords and roles???

4. I really like the WildcardPermission concept: specifying a permission with "newsletter:edit:12,13,18" seems much simpler and more powerful than the Spring Security solution. But this is only a declaration - how do I really grant such permissions? How do I bind the "12,13,18" ids to real objects? Is there some example anywhere?
In Spring Security there is a JDBC-based implementation of ACL, used to store ACLs for objects. There is also the ObjectIdentityRetrievalStrategy interface for defining the binding between class instance IDs and ACL IDs. How is it done in JSecurity?

My current impression is that JSecurity is a nice and promising project, but the complete lack of any documentation gives the impression that it is not used in any real-world solutions. But I know that it is not true - at least, I know the Nexus project is based on JSecurity. So I think that if you really want to make JSecurity popular, you should work on some UserGuide, with a better introduction for new users. Perhaps I can help you a bit with JSecurity if I find it useful and promising enough. But it is hard to evaluate a tool when I'm stuck at the very beginning. Can you help me with it?

--
View this message in context: http://n2.nabble.com/Problematic-first-steps-with-JSecurity-tp1316205p1316205.html
Sent from the JSecurity Developer mailing list archive at Nabble.com.
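Point 4 of the message asks what a string like "newsletter:edit:12,13,18" actually means and how the instance ids get tied to real objects. The following is an added, self-contained illustration written for this page; it is not code from the original message, from JSecurity or from its samples. It reimplements the wildcard matching rule (parts separated by ":", alternatives within a part separated by ",", "*" matching anything in that position, a shorter granted string covering any longer request) in a local class, and assumes a hypothetical Newsletter domain object whose numeric id is used directly as the instance part of the permission string. The binding rule "instance part == String.valueOf(object id)" is an assumption chosen for the example, not something the library prescribes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Illustration of wildcard-permission semantics. Local reimplementation of the
 * matching rule only; NOT JSecurity's WildcardPermission class.
 */
public final class WildcardPermissionDemo {

    static final class WildcardPermission {
        // One Set per ':'-separated part; each Set holds the ','-separated alternatives.
        private final List<Set<String>> parts = new ArrayList<>();

        WildcardPermission(String permission) {
            if (permission == null || permission.trim().isEmpty()) {
                throw new IllegalArgumentException("permission string must not be empty");
            }
            for (String part : permission.trim().split(":")) {
                Set<String> alternatives = new HashSet<>();
                for (String alt : part.split(",")) {
                    String a = alt.trim().toLowerCase(Locale.ROOT); // compare case-insensitively
                    if (!a.isEmpty()) {
                        alternatives.add(a);
                    }
                }
                if (alternatives.isEmpty()) {
                    throw new IllegalArgumentException("empty part in: " + permission);
                }
                parts.add(alternatives);
            }
        }

        /** True if this (granted) permission covers the requested one. */
        boolean implies(WildcardPermission requested) {
            int i = 0;
            for (Set<String> other : requested.parts) {
                if (i >= parts.size()) {
                    return true; // grant is shorter, e.g. "newsletter:edit" covers "newsletter:edit:12"
                }
                Set<String> mine = parts.get(i);
                if (!mine.contains("*") && !mine.containsAll(other)) {
                    return false; // requested alternative not in the granted set for this part
                }
                i++;
            }
            // Grant has more parts than the request: the extra parts must all be '*'
            for (; i < parts.size(); i++) {
                if (!parts.get(i).contains("*")) {
                    return false;
                }
            }
            return true;
        }
    }

    /** Hypothetical domain object; its id is what the instance part of the permission refers to. */
    static final class Newsletter {
        final long id;
        Newsletter(long id) { this.id = id; }
    }

    /** Assumed binding: the requested permission is "newsletter:edit:" + the object's id. */
    static boolean canEdit(Collection<WildcardPermission> granted, Newsletter n) {
        WildcardPermission wanted = new WildcardPermission("newsletter:edit:" + n.id);
        for (WildcardPermission g : granted) {
            if (g.implies(wanted)) {
                return true;
            }
        }
        return false;
    }

    private static void require(boolean condition, String what) {
        if (!condition) {
            throw new IllegalStateException("unexpected result: " + what);
        }
    }

    public static void main(String[] args) {
        // Constructed sample grants for one user (what a realm would hand back for that account).
        List<WildcardPermission> userGrants = Arrays.asList(
                new WildcardPermission("newsletter:edit:12,13,18"),
                new WildcardPermission("newsletter:view:*"));

        require(canEdit(userGrants, new Newsletter(13)), "id 13 is listed in the edit grant");
        require(!canEdit(userGrants, new Newsletter(14)), "id 14 is not listed in the edit grant");

        WildcardPermission viewAll = new WildcardPermission("newsletter:view:*");
        require(viewAll.implies(new WildcardPermission("newsletter:view:999")), "'*' covers any id");
        require(!viewAll.implies(new WildcardPermission("newsletter:edit:12")), "view does not cover edit");

        WildcardPermission editAny = new WildcardPermission("newsletter:edit");
        require(editAny.implies(new WildcardPermission("newsletter:edit:12")), "shorter grant covers longer request");
        require(!new WildcardPermission("newsletter:edit:12").implies(editAny), "instance grant does not cover domain-wide request");

        System.out.println("all wildcard permission checks behaved as described");
    }
}
```

The granting side in a real deployment is the realm's job: it returns the set of permission strings for the authenticated account, and the application only ever asks "is newsletter:edit:<id> implied". Keeping the object-to-instance-id mapping in one place (here canEdit) is what makes per-object rules auditable, since every check goes through the same string construction.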
