Monday, May 19, 2008

Spring Security 2.0

For my home project, I updated ACEGI security to Spring Security 2.0.1. My experience was similar to Matt Raible's - positive. I was able to cut down the XML configuration quite substantially. At the end only 49 lines remained (Including XML namespace declarations).

The migration was very easy except for 2 smaller issues (See further below). First, I updated web.xml to rename the security filter to Spring Security's one:





Also, since I am using my own "user service" to pull users and roles from the database, I had to rename a few imports in my classes to reflect the package names of Spring Security 2.0.

The biggest configuration change was updating the bean definition in my context configuration file which contains all the necessary XML to wire all the beans together. Spring Security 2.0 is now providing its own XML Namespaces, which drastically simplifies configuration.

Thsu, here is the final application context configuration file for Spring Security 2.0 as used by my project:

As mentioned above, I encountered two smaller issues. First, I am using the Jasypt library which I am using for digesting passwords. It provides a password encoder that plugs into ACEGI security. Unfortunately, it has not yet been updated to also work in conjunction of Spring Security 2.0. The aforementioned implemented password still uses the old package structure. Thanks to open source this is an easy fix :-)

Thus, I checked out Jasypt into my Eclipse Ide, updated the package reference and the pom to pull in the Spring Security 2.0 jars. I also created a ticked on the Jasypt project website and submitted a patch with the changes. Let's see whether it will find its way into the prokject soon.

My second problem had to do with the rolePrefix of Spring Security. Spring Security by default pre-fixes roles names with "ROLE_". Since my project does not use prefixes for role names I had created rolevoter bean that set the rolePrefix property.

Interestingly you can't do this configuration using namespaces. With the current version you need to fall back to the traditional bean configuration support which involves creating 3 additional beans:

  • roleVoter

  • accessDecisionManager

  • authenticatedVoter
There is a little more information available on the Spring forums about this. Hopefully this maybe be simplified in the future - thus, I opened a ticket for this on the Spring Jira.


Anonymous said...

Thanks for the blog post. One question. Why would you nest almost every element in your xml file then close them all at the end? It makes it much harder to understand that way.

java generics said...

Hi, I am using ActiveDirectoryLdapAuthenticationProvider for authentication against Active directory and it also loading authorities specified there but I have requirement to create application specific ROLES in database. How can I populate extra authorities into Principal object.