security / component design
turnerkid
May 18th, 2006, 08:36 AM
I work for a large news company and we're designing an architecture with multiple services like: file transfer, metadata, keyframing, etc.
We want these systems to be secure so that not just anyone can log in and access these services. We want this authentication system to be SUPER simple and allow for easily switching to backup machines or to facilitate new users.
Alarmnummer
May 18th, 2006, 08:39 AM
What is your question? How it can be done with Spring? How you should design a secure system? How to integrate with JAAS? What other options are available? What good books are available?
turnerkid
May 18th, 2006, 08:44 AM
Yes sorry ... so these "services" which we are designing will be exposed to a client which would, for example, search for video or move files. Now obviously we don't want everyone to have access to move files, but search is probably ok for the world.
How do we expose these services and keep this a secure environment? We're using Spring and perhaps Ajax or some other type of web service for the interface. We'll have web clients, rich Java clients and perhaps other non-Java clients.
Do we use Acegi? Or do we employ some other "simple" method?
Alarmnummer
May 19th, 2006, 02:30 AM
You could use Acegi, but you could also write your own interceptor that wraps services.
The advantage of security on top of your business layer (Acegi can do this perfectly) is that the same security is used for different kinds of remoting technologies: web interfaces, web services, RMI etc. This is something you want, I think.
But Acegi is a very powerful security API. I would not recommend implementing security yourself because you will be reinventing the wheel (and maybe it is square instead of round this time :) ).
With Acegi you can also add security on the entity level: a user can see his own email, but a user cannot see the email of other users. You could use ACL, but I'm working on a different implementation: Conditional Roles. I have used it in a few projects (and it works like a dream) but it needs to be cleaned up, extra functionality added, and better documentation. I have discussed it with Ben Alex (the man behind Acegi) and if all goes well it will be part of Acegi.
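An added example, not part of the thread and not Acegi's API: a minimal JDK dynamic-proxy interceptor of the kind mentioned above, wrapping a service at the business layer so the same role check applies whichever remoting front end makes the call. The `Allowed` annotation, the `MediaService` interface, the role names and the `CALLER_ROLES` holder are hypothetical, and the file paths are constructed sample values.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class ServiceSecurityDemo {
    // Hypothetical annotation: the roles allowed to call a service method.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Allowed { String[] value(); }

    // Hypothetical business interface modelled on the services in the thread.
    interface MediaService {
        @Allowed({"ANONYMOUS", "USER", "OPERATOR"}) List<String> search(String query);
        @Allowed({"OPERATOR"}) void moveFile(String from, String to);
        void purgeArchive(); // no annotation, so nobody may call it
    }

    static class MediaServiceImpl implements MediaService {
        public List<String> search(String q) { return Arrays.asList(q + "-clip-1"); }
        public void moveFile(String from, String to) { /* business logic only */ }
        public void purgeArchive() { }
    }
    // Roles of the current caller; each front end (web, RMI, ...) sets this after login.
    static final ThreadLocal<Set<String>> CALLER_ROLES =
        ThreadLocal.withInitial(() -> Collections.singleton("ANONYMOUS"));

    // Wraps any service interface so the role check runs before the business method.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target) {
        InvocationHandler h = (proxy, method, args) -> {
            Allowed allowed = method.getAnnotation(Allowed.class);
            boolean ok = allowed != null
                && !Collections.disjoint(Arrays.asList(allowed.value()), CALLER_ROLES.get());
            if (!ok) throw new SecurityException("denied: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, h);
    }
    public static void main(String[] args) {
        MediaService svc = secure(MediaService.class, new MediaServiceImpl());
        System.out.println(svc.search("election"));      // anonymous callers may search
        try { svc.moveFile("/in/a.mxf", "/out/a.mxf"); } // anonymous callers may not move files
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        CALLER_ROLES.set(new HashSet<>(Arrays.asList("OPERATOR")));
        svc.moveFile("/in/a.mxf", "/out/a.mxf");         // an operator may
        try { svc.purgeArchive(); }                      // unannotated method stays closed
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Unannotated methods are denied, so a newly added service method stays closed until someone decides who may call it.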