Wednesday, June 11, 2008

SpringOne08: Security

Not Ben Alex, but let's not judge the speaker so fast ;)

An interesting demo showing a completely unsecured Spring-based (of course) application being completely secured on the fly using Acegi... uh, sorry, Spring Security (I actually got used to Acegi ;)). Quite classical, but it highlights the improvements in the configuration.

A few interesting things to know:
- New Spring 2.x XML namespace for lighter configuration.
- Only one filter: DelegatingFilterProxy, with a filter chain behind it.
- REST support: you can specify the HTTP method (POST, PUT, DELETE...) in the intercept-url element.
- Very nice ldap-user-service configuration... worth checking!!!
- Embedded Apache DS: very nice!
- Easy to mix and match multiple schemes: OpenID for authentication and JDBC for user details, or NTLM for authentication and Active Directory for user details.

He mentions an interesting possibility: testing only the securing of methods, by completely removing the call to the underlying method. Sadly he doesn't go into details.

Another nice practice: securing based on permissions rather than roles. This is much better for future evolution: roles change, permissions are less likely to.
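As an added illustration of the points listed above (the single DelegatingFilterProxy, the namespace configuration, the HTTP method on intercept-url, the embedded Apache DS with ldap-user-service, and permission-based rather than role-based access), here is what a Spring Security 2.0 configuration tying them together looks like. This is my own example, not code from the talk or from the Spring Security project; the URL patterns, authority names (PERM_ORDER_READ and friends), bean ids and the users.ldif file are made up, and the element and attribute names follow the 2.0 schema as I remember it, so check them against the version you actually use. The permission-based part works by giving the RoleVoter a PERM_ prefix instead of the default ROLE_, so the access attributes name what a user may do rather than who they are.

```xml
<!-- web.xml: the only servlet filter; the real work is done by the chain of Spring beans it delegates to -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext-security.xml: namespace configuration (assumed 2.0 schema) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- auto-config adds form login, HTTP basic and logout; the decision manager is overridden
       so that access attributes are permissions (PERM_*) instead of roles (ROLE_*) -->
  <http auto-config="true" access-decision-manager-ref="permissionDecisionManager">
    <!-- REST support: the HTTP method narrows the rule; first matching rule wins, so the
         method-specific rules must come before the general one for the same pattern -->
    <intercept-url pattern="/orders/**" method="DELETE" access="PERM_ORDER_DELETE"/>
    <intercept-url pattern="/orders/**" method="POST"   access="PERM_ORDER_WRITE"/>
    <intercept-url pattern="/orders/**"                 access="PERM_ORDER_READ"/>
    <!-- everything else only requires a fully authenticated user (no remember-me) -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
  </http>

  <!-- Permission-based voting: RoleVoter only considers attributes starting with PERM_,
       AuthenticatedVoter handles IS_AUTHENTICATED_*; if every voter abstains, access is denied -->
  <beans:bean id="permissionDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list>
        <beans:bean class="org.springframework.security.vote.RoleVoter">
          <beans:property name="rolePrefix" value="PERM_"/>
        </beans:bean>
        <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
      </beans:list>
    </beans:property>
  </beans:bean>

  <!-- Embedded Apache DS, populated from a constructed LDIF file on the classpath -->
  <ldap-server root="dc=example,dc=com" ldif="classpath:users.ldif"/>

  <!-- User details from LDAP: the user's groups become PERM_<group cn> authorities,
       so a group named ORDER_DELETE grants the PERM_ORDER_DELETE permission above -->
  <ldap-user-service id="ldapUsers"
      user-search-filter="(uid={0})"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="PERM_"/>

  <!-- Mix and match: any authentication provider can be backed by the LDAP user details -->
  <authentication-provider user-service-ref="ldapUsers"/>
</beans:beans>
```

The point of the PERM_ convention is the one made above: when a new job function appears, you create a group and assign it the existing permissions, and no intercept-url rule needs to change. With ROLE_ADMIN-style attributes, every new role means editing the access rules.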

In the end (I knew this a bit from the tests I did recently), Spring Security is an improvement over Acegi in terms of usability (if not in features: it keeps the plethora of features of the original).