Steve's Guide to Upgrading from Acegi to Spring Security

This document is a guide for upgrading an Education Systems app from Acegi Security to Spring Security, based on the IAP application upgrade. There are two parts, one for the jar-file project upgrade and one for the web app upgrade.

1. Jar File Project Upgrade

By "jar file project" I mean a project that is not a web application - for example, the csf-iap project.

1.1 The pom file

Under the "csf-security" dependency, remove the exclusions for Spring Security and add an exclusion for Acegi. The Acegi exclusion looks like this:

<exclusion>
    <artifactId>acegi-security</artifactId>
    <groupId>org.acegisecurity</groupId>
</exclusion>

The CSF Security module includes dependencies for Spring Security, so there is no need to include them in your project.

1.2 Java Code

a) All references to Acegi classes were replaced by references to Spring Security classes. In most cases, these were upgraded by changing the import statements' package names, e.g.:

org.acegisecurity.context.SecurityContextHolder changes to org.springframework.security.core.context.SecurityContextHolder

Eclipse handled these changes nicely - I did a global search in the Java code for "acegi", deleted any imports that referenced org.acegisecurity package names, and then used Eclipse's "Organize Imports" feature to pull in the correct Spring Security imports.

b) Some interfaces have changed slightly with Spring Security - in particular, where Acegi used arrays, Spring Security uses Collections. This requires some code changes (e.g. we now use size() to determine how many elements are in the collection rather than the array's length field).

c) Some class names changed between Spring Security 2.0 and 3.0. These are documented here: http://git.springsource.org/~rwinch/spring-security/rwinchs-spring-security/blobs/3.0.x/class_mapping_from_2.0.x.txt

An example is BasicProcessingFilter which was renamed to BasicAuthenticationFilter.

d) References to the Acegi portion of CSF Security changed to the Spring Security portion of CSF, e.g.:

edu.mit.csf.security.acegi.MitGrantedAuthority changes to edu.mit.csf.security.spring.MitGrantedAuthority.

e) References to the CSF Security Acegi XML configuration changed to the Spring XML configuration:

applicationContext-csf-security-acegi.xml changes to applicationContext-csf-security-spring.xml.

1.3 XML Configuration Files

Some of the csf-iap XML files used to configure Spring had Acegi references which needed to be updated:

a) All references to acegi classes were replaced by references to the equivalent Spring Security classes as described above.

b) References to the CSF Security Acegi XML configuration changed to the Spring XML configuration as described above.

2. Web Project Upgrade

This section describes the changes needed for a web project (e.g. iap-web).

2.1 The pom File

No changes were necessary - all dependency changes were taken care of by the changes to the Jar file project (csf-iap in my case).

2.2 Java Code

All references to Acegi classes were removed. For iap-web I was able to remove references to Acegi or Spring Security altogether by using our SecurityContextService interface instead. This interface provides an abstraction barrier between our code and the security subsystem (Acegi/Spring) and should be used instead of core Spring Security classes wherever possible.

2.3 XML Configuration Files

a) The security XML config file (applicationContext-iap-security.xml) needed an overhaul:

  1. Spring Security XML schema locations added to <beans> tag. In fact the whole XML file was modernized, removing the older DOCTYPE declaration.
  2. The filterChainProxy bean declaration was changed to the Spring Security format.
  3. Converted filterSecurityInterceptor config to new format.
  4. All references to acegi classes were replaced by references to the equivalent Spring Security classes as described above.

2.4 JSP Tags

a) The <authz> tags have been replaced by <security> tags. In some cases, the tag interfaces have changed, e.g.:

      <authz:authentication operation="username"/>

changes to

      <security:authentication property="principal.username"/>

So in all JSPs, <authz> tags must change to <security> tags.

b) The authz.tld file was removed from the project.

c) In the taglibs.include file we replaced

<%@taglib uri="/WEB-INF/authz.tld" prefix="authz" %>

with

<%@taglib uri="http://www.springframework.org/security/tags" prefix="security" %>

2.5 web.xml

a) Spring container config - we now refer to classpath*:applicationContext-csf-security-spring.xml and classpath*:applicationContext-csf-security-spring.xml

b) Spring Security config - replaced filter-name "acegi" with filter-name "filterChainProxy", class org.springframework.web.filter.DelegatingFilterProxy
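
A post-upgrade check for the leftovers this guide lists, as an added example (it is not part of the original guide or of the CSF code base). The patterns are taken from the steps above; the function names scan_text and scan_tree and the set of file suffixes scanned are assumptions.

```python
import re
from pathlib import Path

# Leftovers named in the guide. The trailing dot in the package patterns keeps
# the intentional <groupId>org.acegisecurity</groupId> pom exclusion unreported.
RULES = [
    ("Acegi class reference", re.compile(r"org\.acegisecurity\.")),
    ("CSF Acegi package", re.compile(r"edu\.mit\.csf\.security\.acegi\.")),
    ("CSF Acegi context file", re.compile(r"applicationContext-csf-security-acegi\.xml")),
    ("Spring Security 2.0 class name", re.compile(r"\bBasicProcessingFilter\b")),
    ("authz JSP tag", re.compile(r"</?authz:")),
    ("authz taglib declaration", re.compile(r"authz\.tld")),
    ("acegi filter name", re.compile(r"<filter-name>\s*acegi\s*</filter-name>")),
]
SUFFIXES = {".java", ".xml", ".jsp", ".include"}  # assumption: file types to scan


def scan_text(text):
    """Return sorted (line_number, label) pairs for every leftover in text."""
    hits = set()
    for number, line in enumerate(text.splitlines(), start=1):
        for label, pattern in RULES:
            if pattern.search(line):
                hits.add((number, label))
    return sorted(hits)


def scan_tree(root):
    """Return (relative_path, line_number, label) for each leftover under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == "authz.tld":
            # File-level finding, reported with line number 0.
            findings.append((rel, 0, "authz.tld still present"))
        elif path.suffix in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(rel, n, label) for n, label in scan_text(text)]
    return findings


if __name__ == "__main__":
    # Constructed sample: two JSP lines that were missed during the upgrade.
    sample = ('<%@taglib uri="/WEB-INF/authz.tld" prefix="authz" %>\n'
              '<authz:authentication operation="username"/>')
    print(scan_text(sample))
```

A leftover <authz> tag is more than cosmetic: in standard JSP syntax, a tag whose prefix has no taglib declaration is passed through as template text instead of being evaluated, so run the check over the whole web project before deploying.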
