It goes without saying that Acegi's features are impressive and difficult, if not impossible, to find in other software packages. And, of course, it is Open Source to boot. It offers an endless list of capabilities, all of them related to securing your applications. So then... what's not to love?
Let's talk about me a little. I currently work as a Software Architect at one of the biggest companies in Spain. I've worked before for companies like IBM or Accenture. I've worked with several products and technologies, but mainly Java. Saying Java in this kind of company is the same as saying J2EE (JEE if you prefer).
I'm in a project now. A project whose security features could be considered pretty standard (let's say it's not a bank). We need to secure our applications (authentication) and (dis)allow access to features based on the authenticated user's permissions (authorization). Nothing really amazing here, but my guess is that most projects are like this. As we are using an Application Server (it will be Weblogic 10) we have all kinds of services already provided by the container. As a matter of fact, there are only two things I miss:
- Being able to secure Spring beans (as they are not managed by the container)
- Hiding/showing widgets in a JSP depending on the user's roles
Chapter 20 of the Reference Guide shows the following code:
Well, maybe it won't be that simple. To start using these niceties you have to take some steps first: first there are the configuration issues, second the Authorities. A quick read tells me I will probably have to plug in the authentication module as well. And forget about roles: everything here is based on the concept of Authority.
I stop reading at this point. I don't want to have multiple concepts for the same purpose. It seems I would need to switch everything to Acegi and then integrate it with Weblogic (EJB3). That seems like a lot of work for a simple tag.
I'm not saying Acegi is too complex (it is, but only because it solves complex problems as well). I'm not saying it's not worth the effort (it is, if you need a catch-all solution). But it was too complex for my needs this time. You could argue that we are already using a pretty expensive AS, but then, one always seems to be available: 99% of my projects are somehow web related and run in a container (even though I understand the importance of Java outside a container).
Nonetheless, I learned a couple of important things while considering Acegi as a possible solution, and I would like to share at least one of them. After taking a peek at the source code I decided to create a simpler authorize tag that suits my problem (it somewhat mimics Acegi's behavior using JEE roles). Here are the results:
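As an added illustration of what such a container-role-based authorize tag can look like (this is not the post's own code, nor Acegi's): a JSP 2.0 SimpleTag that renders its body only when `HttpServletRequest.isUserInRole` reports the required JEE roles. The attribute names mirror Acegi's authorize tag; the class and package names, and the `sec` prefix in the usage comment, are assumptions.

```java
package example.tags; // assumed package; the TLD mapping it to <sec:authorize> is also assumed

import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/**
 * Hypothetical authorize tag backed by container (JEE) roles, e.g.
 *   <sec:authorize ifAnyGranted="admin,editor"> ... widget ... </sec:authorize>
 * Hiding a widget is not access control: the URL or EJB it leads to must still
 * be protected by the container's own security constraints.
 */
public class AuthorizeTag extends SimpleTagSupport {
    private String ifAnyGranted; // render if the user holds at least one of these roles
    private String ifAllGranted; // render only if the user holds every one of these roles
    private String ifNotGranted; // suppress if the user holds any of these roles
    public void setIfAnyGranted(String roles) { ifAnyGranted = roles; }
    public void setIfAllGranted(String roles) { ifAllGranted = roles; }
    public void setIfNotGranted(String roles) { ifNotGranted = roles; }

    @Override
    public void doTag() throws JspException, IOException {
        PageContext ctx = (PageContext) getJspContext();
        if (authorized((HttpServletRequest) ctx.getRequest()) && getJspBody() != null) {
            getJspBody().invoke(null); // null writer: the body goes to the page output
        }
    }

    /** Every non-empty attribute must be satisfied; an unset attribute imposes nothing. */
    boolean authorized(HttpServletRequest request) {
        String[] any = split(ifAnyGranted), all = split(ifAllGranted), not = split(ifNotGranted);
        if (any.length > 0 && !hasAny(request, any)) return false;
        if (all.length > 0 && !hasAll(request, all)) return false;
        if (not.length > 0 && hasAny(request, not)) return false;
        return true;
    }
    private static String[] split(String csv) { // "a, b,c" -> {"a","b","c"}; null/blank -> {}
        if (csv == null || csv.trim().length() == 0) return new String[0];
        return csv.trim().split("\\s*,\\s*");
    }
    private static boolean hasAny(HttpServletRequest req, String[] roles) {
        for (String role : roles) if (req.isUserInRole(role)) return true;
        return false;
    }
    private static boolean hasAll(HttpServletRequest req, String[] roles) {
        for (String role : roles) if (!req.isUserInRole(role)) return false;
        return true;
    }
}
```

Because the role check is delegated to `isUserInRole`, the role-to-principal mapping stays in the container's deployment descriptors, which is what keeps this tag free of any Acegi configuration.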