  • Advice on implementing security

    Hi All,

    I am developing an application at work and have successfully used Acegi for security. The current implementation uses usernames/passwords/roles within the config (xml) files as a proof of concept.

    The next stage is where I need advice. My dept has minimum security requirements which I must meet. Mostly they are things like password length, non-reuse of passwords, disable session after x minutes, disable account for inactivity after y days, etc.

    How best to move to this? Should I build an ad hoc db and the associated Java code to do the checks?

    Also, the dept has implemented security separately in each app and I was wondering if we could build a single system which can provide security for other apps. I looked into CAS and it looks promising but we don't need SSO as such. Also, I wasn't sure how to implement the security policies we need.

    Any advice on this appreciated, sorry if it is not a direct Acegi question.


  • #2
    Well, no one seems to want to reply so perhaps I am asking the wrong question. I've done a bit more research and have come up with the following plan:

    1. Custom build a db to support authentication but not authorisation.
    2. Build a Java API to support authentication which has two main components:
       a. username/password authentication using JAAS. This way it can be used by Acegi as well as other non-Spring apps.
       b. company-specific password policies, e.g. password length/content, session timeouts, password history, etc.
    3. Authorization will be done on a per-app basis and for me I will use Acegi.

    Is this a good approach? Am I reinventing wheel(s)???

    • #3
      Your approach looks fine. You generally will implement password policies and the like in your web controller (or, ideally, in the services layer method that it calls). Acegi Security does not get involved in password policies, as we use authentication information in one direction only (read, not write) from AuthenticationDao.
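As an added example that is not part of this thread or of Acegi itself, here is the shape of the services-layer policy component that post #2 plans (item 2b) and post #3 says belongs outside the security framework: the rules from the first post (minimum length, no reuse of recent passwords, disable after y idle days) as plain Java that the framework never has to know about. `PasswordPolicyService`, `UserAccount` and the method names are my own assumptions, and the in-memory account record stands in for whatever the custom db would hold.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Deque;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Hypothetical services-layer class (added example, not Acegi code): enforces the
// department's password rules; the security framework only ever reads the stored hash.
public class PasswordPolicyService {

    // Minimal account record standing in for a row in the custom authentication db.
    public static class UserAccount {
        final String username;
        final byte[] salt = new byte[16];                         // per-user salt, generated once
        String currentHash;                                       // hash of the password in use
        final Deque<String> previousHashes = new ArrayDeque<>();  // most recent first, bounded
        long lastLoginMillis;
        boolean enabled = true;

        UserAccount(String username, long lastLoginMillis) {
            this.username = username;
            this.lastLoginMillis = lastLoginMillis;
            new SecureRandom().nextBytes(salt);
        }
    }

    private final int minLength;
    private final int historySize;      // how many old passwords may not be reused
    private final long inactivityDays;  // disable after this many days without a login

    public PasswordPolicyService(int minLength, int historySize, long inactivityDays) {
        this.minLength = minLength;
        this.historySize = historySize;
        this.inactivityDays = inactivityDays;
    }

    // Returns every rule the candidate breaks; an empty list means it is acceptable.
    public List<String> validateNewPassword(UserAccount account, String candidate) {
        List<String> violations = new ArrayList<>();
        if (candidate.length() < minLength) {
            violations.add("must be at least " + minLength + " characters");
        }
        if (!candidate.matches(".*[0-9].*") || !candidate.matches(".*[A-Za-z].*")) {
            violations.add("must contain both letters and digits");
        }
        String hash = hash(candidate, account.salt);
        if (hash.equals(account.currentHash) || account.previousHashes.contains(hash)) {
            violations.add("must not match any of the last " + historySize + " passwords");
        }
        return violations;
    }

    // Stores the new password and rotates the old hash into the bounded history.
    public void changePassword(UserAccount account, String newPassword) {
        List<String> violations = validateNewPassword(account, newPassword);
        if (!violations.isEmpty()) {
            throw new IllegalArgumentException("password rejected: " + violations);
        }
        if (account.currentHash != null) {
            account.previousHashes.addFirst(account.currentHash);
            while (account.previousHashes.size() > historySize) {
                account.previousHashes.removeLast();
            }
        }
        account.currentHash = hash(newPassword, account.salt);
    }

    // Called at login: disables the account once it has been idle longer than the policy allows.
    public boolean checkInactivity(UserAccount account, long nowMillis) {
        long idleDays = TimeUnit.MILLISECONDS.toDays(nowMillis - account.lastLoginMillis);
        if (idleDays > inactivityDays) {
            account.enabled = false;
        }
        return account.enabled;
    }

    // Salted SHA-256, Base64-encoded; a slow password hash (bcrypt, PBKDF2) is the better production choice.
    static String hash(String password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        PasswordPolicyService policy = new PasswordPolicyService(8, 3, 90);
        long now = System.currentTimeMillis();
        // Constructed sample account whose last login was 120 days ago.
        UserAccount alice = new UserAccount("alice", now - TimeUnit.DAYS.toMillis(120));

        policy.changePassword(alice, "winter2005");                          // meets all rules
        System.out.println(policy.validateNewPassword(alice, "short1"));      // too short
        System.out.println(policy.validateNewPassword(alice, "winter2005"));  // reuse of current password
        policy.changePassword(alice, "spring2006");
        System.out.println(policy.validateNewPassword(alice, "winter2005"));  // still in the history
        System.out.println(policy.checkInactivity(alice, now));               // idle longer than 90 days
    }
}
```

The division of labour follows post #3: this class is the only code that writes password state, while Acegi (through `AuthenticationDao`) only reads the stored hash and the `enabled` flag at login time. The remaining requirement from the first post, dropping a session after x minutes, is a web-tier setting rather than part of this service; in a servlet container it is the `session-timeout` element (in minutes) of `web.xml`, so nothing here needs to track sessions.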