Pathway from ACEGI to Spring Security 2.0

Submitted by Chris.Baker on Tue, 2008/04/22 - 9:44am.

This article outlines how to convert your existing ACEGI based Spring application to use Spring Security 2.0.

What is Spring Security 2.0

Spring Security 2.0 has recently been released as a replacement to ACEGI and it provides a host of new security features:

Goal

Currently I work on a Spring web application that uses ACEGI to control access to the secure resources. Users are stored in a database and as such we have configured ACEGI to use a JDBC based UserDetails Service. Likewise, all of our web resources are stored in the database and ACEGI is configure to use a custom AbstractFilterInvocationDefinitionSource to check authorization details for each request.
With the release of Spring Security 2.0 I would like to see if I can replace ACEGI and keep the current ability to use the database as our source of authentication and authorization instead of the XML configuration files (as most examples demonstrate).

Here are the steps that I took...

Steps

1. The first (and trickiest) step was to download the new Spring Security 2.0 Framework and make sure that the jar files are deployed to the correct location. (/WEB-INF/lib/)
   There are 22 jar files that come with the Spring Security 2.0 download. I did not need to use all of them (especially not the *sources packages). For this exercise I only had to include:
   
   • spring-security-acl-2.0.0.jar
   • spring-security-core-2.0.0.jar
   • spring-security-core-tiger-2.0.0.jar
   • spring-security-taglibs-2.0.0.jar
2. Configure a DelegatingFilterProxy in the web.xml file.
   

   <filter>
       <filter-name>springSecurityFilterChain</filter-name>
       <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>springSecurityFilterChain</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>

   <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
   </filter-mapping>

3. Configuration of Spring Security 2.0 is far more concise than ACEGI, so instead of changing my current ACEGI based configuration file, I found it easier to start from a empty file. If you do want to change your existing configuration file, I am sure that you will be deleting more lines than adding.
   
   The first part of the configuration is to specifiy the details for the secure resource filter, this is to allow secure resources to be read from the database and not from the actual configuration file. This is an example of what you will see in most of the examples:
   

   <http auto-config="true" access-denied-page="/403.jsp">
       <intercept-url pattern="/index.jsp" access="ROLE_ADMINISTRATOR,ROLE_USER"/>
       <intercept-url pattern="/securePage.jsp" access="ROLE_ADMINISTRATOR"/>
       <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
   </http>

   <http auto-config="true" access-denied-page="/403.jsp">
    <intercept-url pattern="/index.jsp" access="ROLE_ADMINISTRATOR,ROLE_USER"/>
    <intercept-url pattern="/securePage.jsp" access="ROLE_ADMINISTRATOR"/>
    <intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
   </http>

   Replace this with:
   

   <authentication-manager alias="authenticationManager"/>
   
   <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
       <beans:property name="allowIfAllAbstainDecisions" value="false"/>
       <beans:property name="decisionVoters">
           <beans:list>
               <beans:bean class="org.springframework.security.vote.RoleVoter"/>
               <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
           </beans:list>
       </beans:property>
   </beans:bean>
   
   <beans:bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
   <beans:property name="authenticationManager" ref="authenticationManager"/>
       <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
       <beans:property name="objectDefinitionSource" ref="secureResourceFilter" />
   </beans:bean>
   
   <beans:bean id="secureResourceFilter" class="org.security.SecureFilter.MySecureResourceFilter" />
   
   <http auto-config="true" access-denied-page="/403.jsp">
       <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
       <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp" default-target-url="/index.jsp" />
       <logout logout-success-url="/login.jsp"/>
    </http>

   <authentication-manager alias="authenticationManager"/>
   
   <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="allowIfAllAbstainDecisions" value="false"/>
    <beans:property name="decisionVoters">
     <beans:list>
      <beans:bean class="org.springframework.security.vote.RoleVoter"/>
      <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
     </beans:list>
     </beans:property>
   </beans:bean>
   
   <beans:bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
   <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
    <beans:property name="objectDefinitionSource" ref="secureResourceFilter" />
   </beans:bean>
   
   <beans:bean id="secureResourceFilter" class="org.security.SecureFilter.MySecureResourceFilter" />
   
   <http auto-config="true" access-denied-page="/403.jsp">
    <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp" default-target-url="/index.jsp" />
    <logout logout-success-url="/login.jsp"/>
    </http>