...
Steve's
...
Guide
...
to
...
Upgrading
...
from
...
Acegi
...
to
...
Spring
...
Security
...
This
...
document
...
is
...
a
...
guide
...
for
...
upgrading
...
an
...
Education
...
Systems
...
app
...
from
...
Acegi
...
Security
...
to
...
Spring
...
Security,
...
based
...
on
...
the
...
IAP
...
application
...
upgrade.
...
There
...
are
...
two
...
parts,
...
one
...
for
...
the
...
jar-file
...
project
...
upgrade
...
and
...
one
...
for
...
the
...
web
...
app
...
upgrade.
...
1.
...
Jar
...
File
...
Project
...
Upgrade
...
By
...
"jar
...
file
...
project
...
"
...
I
...
mean
...
a
...
project
...
that
...
is
...
not
...
a
...
web
...
application
...
-
...
for
...
example,
...
the
...
csf-iap
...
project.
...
1.1
...
The
...
pom
...
file
...
Under
...
the
...
"csf-security"
...
dependency,
...
remove
...
the
...
exclusions
...
for
...
Spring
...
Security
...
and
...
add
...
an
...
exclusion
...
for
...
Acegi.
...
The
...
Aegi
...
exclusion
...
looks
...
like
...
this:
| Code Block |
|---|
} <exclusion> <artifactId>acegi-security</artifactId> <groupId>org.acegisecurity</groupId> </exclusion> {code} |
The
...
CSF
...
Security
...
module
...
includes
...
dependencies
...
for
...
Spring
...
Security,
...
so
...
there
...
is
...
no
...
need
...
to
...
include
...
them
...
in
...
your
...
project.
...
1.2
...
Java
...
Code
...
a)
...
All
...
references
...
to
...
acegi
...
classes
...
were
...
replaced
...
by
...
references
...
to
...
Spring
...
Security
...
classes.
...
In
...
most
...
cases,
...
these
...
were
...
upgraded
...
by
...
changing
...
the
...
import
...
statements'
...
package
...
names.
...
e.g:
...
org.acegisecurity.context.SecurityContextHolder
...
changes
...
to
...
org.springframework.security.core.context.SecurityContextHolder
...
Eclipse
...
handled
...
these
...
changes
...
nicely
...
-
...
I
...
did
...
a
...
global
...
search
...
in
...
the
...
Java
...
code
...
for
...
"acegi",
...
deleted
...
any
...
imports
...
that
...
referenced
...
org.acegisecurity
...
package
...
names,and
...
then
...
used
...
Eclipse's
...
"Organize
...
Imports"
...
feature
...
to
...
pull
...
in
...
the
...
correct
...
Spring
...
Security
...
imports.
...
b)
...
Some
...
interfaces
...
have
...
changed
...
slightly
...
with
...
Spring
...
Security
...
-
...
in
...
particular,
...
rather
...
than
...
the
...
Acegi
...
practice
...
of
...
using
...
arrays,
...
Spring
...
Security
...
uses
...
Collections.
...
This
...
requires
...
some
...
code
...
changes
...
(e.g.
...
we
...
now
...
use
...
size()
...
to
...
determine
...
how
...
many
...
elements
...
are
...
in
...
the
...
collection
...
rather
...
than
...
length()).
...
c)
...
Some
...
class
...
names
...
changed
...
between
...
Spring
...
Sec
...
2.0
...
&
...
3.0.
...
These
...
are
...
documented
...
here:
...
...
An
...
example
...
is
...
BasicProcessingFilter
...
which
...
was
...
renamed
...
to
...
BasicAuthenticationFilter.
...
d)
...
References
...
to
...
the
...
Acegi
...
portion
...
of
...
CSF
...
Security
...
changed
...
to
...
the
...
Spring
...
Security
...
portion
...
of
...
CSF,
...
e.g.:
...
edu.mit.csf.security.acegi.MitGrantedAuthority
...
changes
...
to
...
edu.mit.csf.security.spring.MitGrantedAuthority
...
.
...
e)
...
References
...
to
...
the
...
CSF
...
Security
...
Acegi
...
XML
...
configuration
...
changed
...
to
...
the
...
Spring
...
XML
...
configuration:
...
applicationContext-csf-security-acegi.xml
...
changes
...
to
...
applicationContext-csf-security-spring.xml
...
.
...
1.3
...
XML
...
Configuration
...
Files
...
Some
...
of
...
the
...
csf-iap
...
XML
...
files
...
used
...
to
...
configure
...
Spring
...
had
...
Acegi
...
references
...
which
...
needed
...
to
...
be
...
updated:
...
a)
...
All
...
references
...
to
...
acegi
...
classes
...
were
...
replaced
...
by
...
references
...
to
...
the
...
equivalent
...
Spring
...
Security
...
classes
...
as
...
described
...
above.
...
b)
...
References
...
to
...
the
...
CSF
...
Security
...
Acegi
...
XML
...
configuration
...
changed
...
to
...
the
...
Spring
...
XML
...
configuration
...
as
...
described
...
above.
...
2.
...
Web
...
Project
...
Upgrade
...
This
...
section
...
describes
...
the
...
changes
...
needed
...
for
...
a
...
web
...
project
...
(e.g.
...
iap-web).
...
2.1
...
The
...
pom
...
File
...
No
...
changes
...
were
...
necessary
...
-
...
all
...
dependency
...
changes
...
were
...
taken
...
care
...
of
...
by
...
the
...
changes
...
to
...
the
...
Jar
...
file
...
project
...
(csf-iap
...
in
...
my
...
case).
...
2.2
...
Java
...
Code
...
All
...
references
...
to
...
Acegi
...
classes
...
were
...
removed.
...
For
...
iap-web
...
I
...
was
...
able
...
to
...
remove
...
reference
...
to
...
Acegi
...
or
...
Spring
...
security
...
altogether
...
by
...
using
...
our
...
SecurityContextService
...
interface
...
instead.
...
This
...
interface
...
provides
...
an
...
abstraction
...
barrier
...
between
...
our
...
code
...
and
...
the
...
security
...
subsystem
...
(Acegi/Spring)
...
and
...
should
...
be
...
used
...
instead
...
of
...
core
...
Spring
...
Security
...
classes
...
wherever
...
possible.
...
2.3
...
XML
...
Configuration
...
Files
...
a)
...
The
...
security
...
XML
...
config
...
file
...
(applicationContext-iap-security.xml)
...
needed
...
an
...
overhaul:
...
- Spring
...
- Security
...
- XML
...
- schema
...
- locations
...
- added
...
- to
...
- <beans>
...
- tag.
...
- In
...
- fact
...
- the
...
- whole
...
- XML
...
- file
...
- was
...
- modernized,
...
- removing
...
- the
...
- older
...
- DOCTYPE
...
- declaration.
...
- The
...
- filterChainProxy
...
- bean
...
- declaration
...
- was
...
- changed
...
- to
...
- the
...
- Spring
...
- Security
...
- format.
- Converted filterSecurityInterceptor config to new format.
- All references to acegi classes were replaced by references to the equivalent Spring Security classes as described above.
...
2.4 JSP Tags
...
The <authz> tags have been replaced by <security> tags. In some cases, the tag interfaces have changed. e.g. e.g.:
| Code Block |
|---|
# Converted _filterSecurityInterceptor_ config to new format. # All references to acegi classes were replaced by references to the equivalent Spring Security classes as described above. h6. 2.4 JSP Tags The <authz> tags have been replaced by <security> tags. In some cases, the tag interfaces have changed. e.g. e.g.: {code} <authz:authentication operation="username"/> {code} |
changes
...
to
| Code Block |
|---|
} <security:authentication property="principal.username"/> {code} |
So
...
in
...
all
...
JSPs,
...
<auth>
...
tags
...
must
...
change
...
to
...
<security>
...
tags.
...
b)
...
The
...
authz.tld
...
file
...
was
...
removed
...
from
...
the
...
project.
...
c)
...
In
...
the
...
taglibs.include
...
file
...
we
...
replaced
| Code Block |
|---|
} <%@taglib uri="/WEB-INF/authz.tld" prefix="authz" %> {code |
with
| Code Block |
|---|
} with {code} <%@taglib uri="http://www.springframework.org/security/tags" prefix="security" %> {code} h6. |
2.5
...
web.xml
...
a)
...
Spring
...
container
...
config
...
-
...
we
...
now
...
refer
...
to
...
classpath*:applicationContext-csf-security-spring.xml
...
and classpath*:applicationContext-csf-security-spring.xml
...
b)
...
Spring
...
Security
...
config
...
-
...
replaced
...
filter-name
...
"acegi"
...
with
...
filter
...
name
...
"filterChainProxy",
...
class
...
org.springframework.web.filter.DelegatingFilterProxy