This topic is closed

  • Simple Login: Do I need Acegi?

    I want to achieve this:

    1. My welcome page shall include fields for username, password and e.g. location.

    2. Authentication should be against a MySQL-DB.

    User+PW correct --> Proceed. Create a user object with the username and the current location (entered on the welcome page).

    User+PW incorrect --> Error. Please try again.

    3. Registration of new users should be possible.

    My question is: How do I achieve this? Do I really have to read all that Acegi stuff or is it too much for my simple task?

    I also want to avoid using Acegi 1 when Acegi 2 is just around the corner.

  • #2
    I think I will try a SimpleFormController for the login. This is just a simple research project and authentication is only needed to distinguish between several users in order to track their behaviour.

    I have only limited time and energy to put into this project and Acegi seems to have a very steep learning curve. My first impression is that I would only use 2% of Acegi's capabilities and I should better put my time and energy on the core functionalities of my little research program.

    If anyone thinks this is a bad idea (or a good one?!?) please feel free to post your thoughts. ;-)



    • #3
      You are right, ACEGI takes some time to understand!

      On the other hand, getting security right can be quite hard. Lots of corner cases that you don't think about if you are not an expert in security. That's why using a security framework, or any standard, well proven mechanism is usually a good thing (tm). Then, it also depends how important security is for your application.

      As it seems your project doesn't need anything too special, I would go with the standard web.xml security. If you want to go really simple, use a BASIC authentication. If you want a nicer interface, use a FORM authentication. Have a look at WebLogic reference or this article on ONJava.

      If you need to access the current logged user from your servlet, you can use HttpServletRequest.getRemoteUser().



      • #4
        Originally posted by TSH

        If anyone thinks this is a bad idea (or a good one?!?) please feel free to post your thoughts. ;-)
        Remember that with the new namespace configuration options (which will be in the 2.0 release), you don't have to know nearly as much about the internal implementation classes as you did with the traditional bean configuration. If you're already familiar with using Spring, then it is pretty straightforward to add security to your application.

        If you're not using Spring at all, then standard servlet security is probably good enough for your requirements.



        • #5
          Since I read this blog post in mid-December Spring Security 2 was my first choice. However, I really need to get this login-mechanism done as quickly as possible.

          But I can't find any information, documentation or tutorials about Spring Security 2 (and by the way: I can't find a Spring Security 2 jar file...).

          Of course this would be the best solution, but: Is it possible to use Spring Security 2 *now*? Where can I find more information about it?



          • #6
            It is possible, but it hasn't been released, so it depends very much on how comfortable you are with learning from the code and the samples. The reference material does not include this information. There is now a reasonable set of examples, all of which demonstrate the use of the new configuration options and can be easily run from within the codebase using the maven jetty plugin. So it is actually easier to try out the samples by checking out the code than it is to download a distribution, as you don't have to do any deployment or container configuration. Everything should already be set up, including SSL support.

            So install maven 2.0.8 and download the code using subversion:
            Code:
             svn co http://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk/
            Then run

            Code:
            mvn install
            from the project root directory. If that goes smoothly, change directory to samples/tutorial and run

            Code:
            mvn jetty:run
            which should run the basic sample app. You can base your own app on that and expand it according to your requirements.



            • #7
              Thank you. I think I will use the SimpleFormController thing. Just because I need a simple mechanism *now*. I have some Spring experience, but I don't want to use an undocumented library. Perhaps I will drop the simple form code in the future and use Spring Security instead when the documentation is ready.

              BTW: Is there an estimated release date of Spring Security 2?



              • #8
                Honestly, if you need something now, rapid and easy, robust, scalable, that will work on any server, with any framework, have a look at securing your app from the web.xml. It's standard J2EE, not related to Spring. No complex functionalities, but it just works ... You might need to spend one hour to get it working, but it's definitely worth it, and you will be able to reuse it in other projects ...



                • #9
                  You can use the Spring Security configuration in other projects too, and it is only partly true to say that J2EE security will work "on any server" or "just works". Sure, the web.xml may be the same, but you have to configure each server differently to set up the container security. Also, can you provide some evidence that using container authentication is any more "robust and scalable" than using Spring Security?



                  • #10
                    Originally posted by Luke
                    You can use the Spring Security configuration in other projects too, and it is only partly true to say that J2EE security will work "on any server" or "just works". Sure, the web.xml may be the same, but you have to configure each server differently to set up the container security.
                    Right, there is some server specific stuff, but overall (at least on the app server I have used), it is pretty simple to configure. And the concepts are the same moving from one server to another. And in my opinion, it is much simpler to configure than ACEGI. Of course, it is also much more limited.

                    Originally posted by Luke
                    Also, can you provide some evidence that using container authentication is any more "robust and scalable" than using Spring Security.
                    I'm sorry I didn't make myself clear. I was thinking it is more robust than a home made security solution. I'm not a security expert, but I trust that ACEGI is robust and scalable ...

                    And for the record, I am myself using ACEGI on a number of projects, and I am quite happy with it. Not the perfect security solution yet, but damn useful!
