Announcement Announcement Module
No announcement yet.
Migrating from Acegi Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Migrating from Acegi

    I'm looking for advice migrating an application from Acegi to Spring Security 2.0. My motivation is that I need to add method security on our service objects, and from what I've read, Spring Security makes it possible to use annotations to drive the MethodSecurityInterceptor insertion, saving me from having to modify all of our service bean definitions in addition to adding the annotations.

    I'd like to start gradually, though. I don't have time to overhaul our existing Acegi configuration for this task. So my questions are:

    (1) Is it possible to use Spring Security as a drop-in replacement for Acegi? I assume that I'll have to do a global search-and-replace on a few package names at least.

    (2) Has anyone done this? Is there a migration guide? Can't find one on the forum.

    (3) Is there a way in plain Acegi to implement method security without modifying bean definitions of all the services? Note: BeanNameAutoProxyCreator won't work, as I don't think I can rely on a naming convention.

    Any input greatly appreciated!

  • #2
    I think you can use annotations with Acegi as well for method-level security. It's just with Spring Security you get the namespace convenience.

    1) While it's not possible to use Spring Security as a drop-in replacement for Acegi, it's not all that difficult of a migration. The biggest change is changing the packaging namespace from org.acegisecurity to Once you've done that, there are only a few minor differences (keys on request attributes, for instance, have changed names from ACEGI to SPRING_SECURITY, /j_acegi_security_check becomes /j_spring_security_check, etc.) Generally you will find these right away.

    2) Keep in mind that you don't have to use the new security namespaces. You should be able to do everything "Acegi style." Migrating to namespace configuration can very much be a Phase 2-type activity.

    Keep in mind when you do this, however, that the security namespace operates on post-processing BeanDefinitions in the current application context. This means that you cannot split namespace-defined configurations between a parent and child application context; it simply will not work. So you may have a potential compatibility issue if you currently have that type of configuration.

    3) I thought that Acegi had annotation-based method definitions.


    • #3
      Thanks for the info. Yeah, I know Acegi supports the @Secured annotation for declaring roles, but they don't do any good unless the MethodSecurityInterceptor is chained into each object's proxy, right? That's the part I'm having trouble with. Ideally, I'd like to set it up so that any class/method that has the @Secured annotation automatically gets the interceptor--just like <tx:annotation-driven/> does for @Transactional.

      If I use Spring Security, it looks like I can use <global-method-security/> in the security namespace to do this. I guess my question is: What does this "expand" to in Acegi? Thanks.
      Last edited by rhasselbaum; May 15th, 2008, 09:48 AM.


      • #4
        It doesn't really. Method security has been changed substantially in 2.0. You can check out the code in GlobalMethodSecurityBeanDefinitionParser to see how this element is handled internally.


        • #5
          Originally posted by Luke Taylor View Post
          You can check out the code in GlobalMethodSecurityBeanDefinitionParser to see how this element is handled internally.
          Thanks! That's just what I needed. After more research, I think the bean definitions below meet my goal. It requires an advisor auto-proxy creator to be deployed in the context.

          <bean id="securityMethodAdvisor" class="org.acegisecurity.intercept.method.aopalliance.MethodDefinitionSourceAdvisor">
          	<constructor-arg index="0">
          	    <bean class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"
          	    	<property name="objectDefinitionSource">
          			    <bean class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
          			    	<property name="attributes">
          			    		<bean class="org.acegisecurity.annotation.SecurityAnnotationAttributes" />
          	<property name="order" value="1"/>
          I'm still testing. If anyone cares to comment on this approach, I'd like feedback.


          • #6
            Spoke too soon. @Secured annotations are working with the above config, but my transaction interceptors aren't being applied anymore. I'm using <tx:annotation-driven/> for those. Any ideas?