In this chapter we've looked at security within enterprise applications, the most common type of application built with the Spring Framework.
We've seen that enterprise applications typically have four security-related requirements:
Web request security
Service layer security
Domain object instance security
We briefly considered three common approaches to implementing these requirements:
Acegi Security System for Spring
Servlet Specification security
We recommended that Acegi Security be used in all but the simplest of cases, with a simple case being one that does not need any form of services layer or domain object instance authorization, or web container portability.
We examined Acegi Security's architecture, with an emphasis on authentication, authorization, and domain object instance security. We saw how Acegi Security is configured exclusively through the Spring application context, and is similar in many ways to Spring's own transaction services (discussed in Chapter 6). We discussed many of the most commonly used Acegi Security classes in detail.
We saw that Acegi Security supports a wide range of authentication providers, and can not only authorize a web or method invocation before it happens, but also throw an AccessDeniedException or modify an Object returned from a method invocation. We saw the interface-driven nature of Acegi Security, and we looked at how role-based and access control list (ACL) authorization could be achieved solely using extensible, declarative means.
Following a review of the architecture, we reviewed a DNS application that could be used in a multi-customer Internet hosting provider. The application used Acegi Security — in particular its ACL capabilities — to restrict different customers to their own domains only. The application also leveraged DNS's inherent hierarchical nature so that ACL permissions granted to higher level domains trickled down to subdomains and their contained resource records.
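The "trickle down" behaviour described above can be illustrated with a small self-contained resolver. The following is an added example written for this summary; it is not code from the chapter's DNS application and does not use Acegi Security's own ACL classes. The class name DnsAclResolver, the Permission enum, the principals and grants in main(), and the model in which a principal's effective permissions on a name are the union of grants found while walking up the DNS hierarchy are all assumptions made for the illustration (Acegi's real ACL semantics, including ordering and negative entries, are not modelled).

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical hierarchical ACL check for DNS names (illustration only; this is
 * not Acegi Security's ACL implementation). A grant made on a domain applies to
 * every name below it: a grant on example.com covers www.example.com and the
 * resource records stored under it.
 */
public final class DnsAclResolver {

    public enum Permission { READ, WRITE, ADMIN }

    /** domain name -> (principal -> granted permissions); filled from constructed sample data. */
    private final Map<String, Map<String, Set<Permission>>> acls = new HashMap<>();

    /** Lower-case the name and drop a trailing dot so "Example.COM." and "example.com" match. */
    static String normalize(String name) {
        String n = name.trim().toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }

    public void grant(String domain, String principal, Permission... perms) {
        acls.computeIfAbsent(normalize(domain), d -> new HashMap<>())
            .computeIfAbsent(principal, p -> EnumSet.noneOf(Permission.class))
            .addAll(Arrays.asList(perms));
    }

    /**
     * Walk from the requested name up towards the root one label at a time,
     * collecting every grant the principal holds on the way. Stepping by whole
     * labels (not by string suffix) is what keeps a grant on example.com from
     * leaking to notexample.com.
     */
    public Set<Permission> effectivePermissions(String name, String principal) {
        Set<Permission> effective = EnumSet.noneOf(Permission.class);
        String current = normalize(name);
        while (!current.isEmpty()) {
            Map<String, Set<Permission>> entries = acls.get(current);
            if (entries != null && entries.containsKey(principal)) {
                effective.addAll(entries.get(principal));
            }
            int dot = current.indexOf('.');
            current = dot < 0 ? "" : current.substring(dot + 1);
        }
        return effective;
    }

    public boolean hasPermission(String name, String principal, Permission required) {
        return effectivePermissions(name, principal).contains(required);
    }

    public static void main(String[] args) {
        DnsAclResolver acl = new DnsAclResolver();
        // Constructed sample grants: two hosting customers, each owning one zone.
        acl.grant("example.com", "customerA", Permission.READ, Permission.WRITE);
        acl.grant("example.net", "customerB", Permission.READ, Permission.WRITE);
        // A hosting-operator principal granted at the TLD level sees every zone under it.
        acl.grant("com", "hostingOps", Permission.ADMIN);

        check(acl, "www.example.com", "customerA", Permission.WRITE);     // granted: inherited from example.com
        check(acl, "www.example.com", "customerB", Permission.READ);      // denied: another customer's zone
        check(acl, "notexample.com", "customerA", Permission.READ);       // denied: not a subdomain of example.com
        check(acl, "mail.example.com.", "hostingOps", Permission.ADMIN);  // granted: trailing dot normalised
    }

    private static void check(DnsAclResolver acl, String name, String principal, Permission p) {
        System.out.printf("%-20s %-12s %-6s -> %s%n", name, principal, p,
                acl.hasPermission(name, principal, p) ? "granted" : "denied");
    }
}
```

The third check is the case worth keeping in mind when implementing this pattern: matching on a string suffix rather than on label boundaries would let a customer who owns example.com act on notexample.com, which belongs to someone else.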
As we have shown in this chapter, with proper design and an effective security framework, enterprise applications rarely require their own custom security code. Using a high-quality, generic security framework such as Acegi Security can help to free developers to focus on truly domain-specific concerns. The value proposition is just as compelling as with other generic functionality addressed by Spring and other leading frameworks.
As with transactions, security demonstrates the true potential of AOP in delivering transparent crosscutting concerns, and the real-world productivity and quality benefits this delivers.