Only Role Based security!!!!!!!!????????

[sajid2045]

I have tried to give a quick review over acegi and so far I have only seen all the security is based on Roles which are defined as soon as the user logs in. Ok, may be I am wrong because I have not put enough time on it to find our. But say I have a user who is a member of two or more programs. but the roles on the two programs are not same. for example User A may have role X on program P1 but may not have it on program P2. but i don't want the user to login for each program. once he is logged in he sould be able to visit any program and get the access he is entitled to.

so far (in my quick review) I have seen a resource( Say a http request) can be accessed based on some predefined Role....What if i want to give the user access a page for program P1 but not for program P2....what do i do with acegi....

Now, my question is, is aceji a good solution for me? Or can it solve my problem at All? i need Role Based security along with data based security........can acegi provide me that...?
i think all the experience pple out here can save a lot of my time....
regards
Sajid

[Ben Alex]

If you want transparent login between multiple applications, use Acegi Security's CAS integration. The integration uses the CAS Server for the username/principal identification, but uses a local AuthenticationDao to obtain the GrantedAuthority[]s. As such, you could have an app1.roleA which is stored completely independently and means something entirely distinct from app2.roleA.

Regarding your other question, Acegi Security's ACL capabilities are quite deep and would probably more than meet your needs - or at least provide an extensible base upon which to meet custom use cases.

[sajid2045]

yup....got it. ACL is my answer. and i have put some more effort on it. i got the concept of ACL . But unfortunately i simply couldn't find any reference. surely the reference documentation doesn't describe it enough and i couldn't find anything else on the web. it's not that i am criticizing but i think the base of success of any framework is how well documented it is. i can sense acegi possesses great power but i simply can't get to grasp it.( how unfortunate i am). don't u think at least the javadoc should be complete? Why i am saying this is because i think acegi is really a good structure for security but ordinary end users like me should be able to digest it and for that good documentation is a must. and I think the most recent stable version should come in a separate downloadable with all the dependencies and source code, sample application(with sources) and if possible an ant script. this way i don't have to go through the process of downloading through maven. what if i am not familiar with maven at all..?
hope u got the point. sorry for the long mail but i thought it was my responsibility to post my feedback.
regards
sajid

[Ben Alex]

Do you have any specific concerns with the JavaDocs? I can not think of any that do not document the class/interface reasonably well. I would be happy to add more comments to specific JavaDocs if you let me know which ones.

In terms of the reference guide, it is already 60 pages. Whilst I could easily write an entire book on Acegi Security, there is a limit to how much time I have available for such tasks. Furthermore, few would read a 500 page reference guide on a security project, no matter how interesting I tried to make it. Indeed many questions are due to people failing to read what is already there. The other issue with more reference guide content is constantly maintaining it in the wake of improvements to the codebase.

We made a decision to use Maven and retire Ant some months ago. Many projects use Maven instead of Ant. Few people need to build Acegi Security from source, although we do recommend it as installing Maven is not a big issue for most people and it lets them tinker with the sample application.

The recommended, default and most common configuration is represented in the release ZIP's Contacts Sample WAR. This sample demonstrates the ACL security properly. So people not wanting to build with Maven should not need to.

I always welcome contributions and new developers. I also link to anything people write in their blogs or articles (if I'm made aware of them) from the Acegi Security "articles" web page.

[bh5k]

People just need to dig a little deeper in the docs folder to find the api. It is not at the top level of the tree where they are use to seeing it. At least that is my guess... The java docs are a few directories deep:

acegi-security-0.8.1\docs\multiproject\acegi-security\apidocs

And yes the reference guide in addition to the javadocs and sample app was more than enough to get up and running with Acegi. FWIW, the time estimation on the getting started page for Acegi couldn't have been more accurate for my experience.

[Ben Alex]

acegi-security-0.8.1\docs\multiproject\acegi-security\apidocs

Yes, we run with the standard Maven build which puts them into those locations. In response to your feedback, though, I've just added a direct link to them from the home page's "Documentation" sidebar navigation.

And yes the reference guide in addition to the javadocs and sample app was more than enough to get up and running with Acegi. FWIW, the time estimation on the getting started page for Acegi couldn't have been more accurate for my experience.

Great! Thanks for the feedback.

[eisenb]

Not that my support is necessarily needed, but I was a bit put off even by the subject of this topic.

What a privilege it is to enjoy the benefits of a well thought out and powerful framework for FREE! And to realize that its creation is probably on personal time and yet its still of high quality.

IMHO, the javadoc and reference guide are very adequate. I am guilty of not reading it thoroughly sometimes or perhaps not connecting with what I'm reading, but that's usually solved by re-reading it or doing a bit more inspection within the project directories.

I think we should all consider ourselves lucky to have such powerful frameworks available to us and perhaps do more of our own due diligence. The authors have put in much time to prepare the frameworks, so the least we could do is to try to spend a fraction of the time reading what they have prepared.

My own personal experience with Acegi has been superb -- from download, to docs, to code, to support forum.