Spring Security lets J2EE applications add authentication features with very little effort. However, configuring previous versions, such as Acegi Security, was a hard task for a newcomer. The Spring team talks about a difference of a hundred configuration lines between Acegi 1.0 (120 lines of configuration) and Security 2.0 (just 16 lines). So it's highly advisable to use Spring Security 2.0.
These links can help in developing a small sample:
In our case, form-based authentication via user/password in a webapp, we've included two minor adjustments in web.xml (webapp container configuration) and applicationContext.xml (Spring configuration).
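    <filter>
        <filter_name>springSecurityFilterChain</filter_name>
        <filter_class>org.springframework.web.filter.DelegatingFilterProxy</filter_class>
    </filter>
    <filter_mapping>
        <filter_name>springSecurityFilterChain</filter_name>
        <url_pattern>/*</url_pattern>
    </filter_mapping>
* I've replaced the - character with the _ character in this XML file
* I've replaced the - character with the _ character and the : character with __ characters in this XML file to get a suitable visualization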
The login.jsp page is detailed in several resources, such as here.
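A minimal Spring Security 2.0 namespace configuration for the form login described above, as an added example rather than the author's applicationContext.xml, written with the real - and : characters. The /login.jsp path, the ROLE_USER role and the sample user entry are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Creates the bean named springSecurityFilterChain that the
         DelegatingFilterProxy declared in web.xml delegates to. -->
    <http auto-config="true">
        <!-- Patterns are matched in order. The login page (assumed path)
             must be exempted before the catch-all rule, otherwise
             anonymous users are redirected to it in a loop. -->
        <intercept-url pattern="/login.jsp*" filters="none"/>
        <!-- Everything else requires an authenticated user holding the
             assumed role ROLE_USER. -->
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <!-- The form in login.jsp posts the fields j_username and
             j_password to /j_spring_security_check. -->
        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?login_error=1"/>
    </http>

    <!-- In-memory user store, suitable for a sample only. The name and
         password are placeholders; a deployed application should use
         a UserDetailsService backed by hashed credentials. -->
    <authentication-provider>
        <user-service>
            <user name="sampleuser" password="CHANGE_ME"
                  authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</beans:beans>
```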
It could be wonderful, but there is one important point for us that is poorly documented. Spring Security 2.0 only works with Spring 2.0.8. And we are using BEA Weblogic 10. And BEA Weblogic 10 only certifies the use of Spring 2.0.2.
So we now have a dangerous decision: shall we use Spring Security 2.0 and Spring 2.0.8 and lose BEA (I mean Oracle) support, or shall we use Acegi Security 1.0 and Spring 2.0.2 and write tedious, hard-to-maintain configuration files?