Released Acegi Security System for Spring 0.6.1

Ben Alex has released the 0.6.1 version of the Acegi Security System for Spring.
For those who don’t know, the project provides comprehensive security services for The Spring Framework. I think it’s a must if you need security in your applications (and who doesn’t?). It’s easy and powerful.


* It is ready NOW
* Easy to use and deploy (eg see samples/quick-start directory)
* Enterprise-wide single sign on (via Yale Uni’s CAS project)
* Reuses your Spring expertise
* Domain object instance security
* Non-intrusive setup
* Full (but optional) container integration
* Keeps your objects free of security code
* Secures your HTTP requests (regular expressions, Ant Paths etc)
* Channel security (HTTPS/HTTP auto redirection etc)
* Supports HTTP BASIC authentication (RFC 1945)
* Convenient security taglib
* Application context or attribute-based configuration
* Various authentication backends (including JDBC)
* Event support
* Easy integration with existing databases (no schema changes)
* Caching (now pluggable, with an EHCACHE implementation)
* Pluggable architecture
* Startup-time validation
* Remoting support (demonstrated in sample application)
* Advanced password encoding (SHA, MD5, salts etc)
* Run-as replacement
* Unit tests (Clover coverage is currently 98%)
* Container integration tests
* Supports your own unit tests
* Peer reviewed
* Thorough documentation
* Apache license


* Resolved to use for versioning
* Added additional DaoAuthenticationProvider event when user not found
* Added Authentication.getDetails() to DaoAuthenticationProvider resp
* Added DaoAuthenticationProvider.hideUserNotFoundExceptions
* Added PasswordAuthenticationProvider for password-validating DAOs
* Added FilterToBeanProxy compatibility with ContextLoaderServlet
* Added convenience methods to ConfigAttributeDefinition
* Improved sample applications’ bean reference notation
* Clarified contract for ObjectDefinitionSource.getAttributes(Object)
* Extracted removeUserFromCache(String) to UserCache interface
* Improved ConfigAttributeEditor so it trims spaces
* Refactored UsernamePasswordAuthenticationToken.getDetails() to Object
* Fixed MethodDefinitionAttributes to implement ObjectDefinitionSource
* Fixed EH-CACHE-based caching implementation behaviour if cache exists
* Fixed Ant “release” target not including
* Fixed GrantedAuthorityEffectiveAclsResolver if null ACLs provided
* Documentation improvements

As per the Apache APR project versioning guidelines (URL above), this is
a patch release. Existing users of release 0.6 should be able to upgrade
by simply replacing the JAR(s) and testing.

How to avoid defining each Hibernate mapping in Spring

A better option than listing each mapping resource in the mappingResources property of LocalSessionFactoryBean is to use mappingDirectoryLocations, with something like the following. It only needs to be defined once for the whole system.

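<bean id="sessionFactory" class="org.springframework.orm.hibernate.LocalSessionFactoryBean">
  <property name="dataSource">
    <ref bean="dataSource"/>
  </property>
  <!-- the directory value is missing from the original post; placeholder below -->
  <property name="mappingDirectoryLocations">
    <list><value>MAPPING_DIRECTORY_PLACEHOLDER</value></list>
  </property>
  <property name="hibernateProperties">
    <ref bean="hibernateProperties"/>
  </property>
</bean>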

But be careful: this doesn’t allow you to use classpath locations; the directories have to be in the filesystem. AFAIK there’s no way to use all mapping files in the classpath under some package, which would be the best solution, e.g. I want to use all *.hbm.xml in the classpath under net/sf/oness.

Enabling transactions in MySQL the easy way

If you want to use transactions (trust me, you do) you have to use InnoDB tables, so add default-table-type=InnoDB to your MySQL configuration file (my.cnf or my.ini). This solution is Hibernate friendly.

For example, on Windows you can use the following my.ini in the Windows directory:

[mysqld]
default-table-type=InnoDB
# Uncomment the following if you want to log updates
# Uncomment the following if you are NOT using BDB tables
# Uncomment the following if you are using Innobase tables
innodb_data_file_path = ibdata1:20M:autoextend

If you are using a MySQL version earlier than 4.0, you should check the InnoDB configuration to make sure InnoDB is enabled.
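
To confirm that the setting took effect and that new tables really are transactional, a check like the following can be run from the mysql client after restarting the server. This is an added example, not part of the original post; tx_check is a hypothetical scratch table name, and table_type is the variable name used by the MySQL 4.x servers this post is about.

```sql
-- Added check (not from the original post); tx_check is a hypothetical scratch table.

-- 1. Default engine the server will use for CREATE TABLE without an explicit type.
SHOW VARIABLES LIKE 'table_type';

-- 2. Create a table without naming an engine, the way a schema generator would,
--    and look at the Type column (named Engine on later servers) of the status row.
CREATE TABLE tx_check (id INT NOT NULL PRIMARY KEY);
SHOW TABLE STATUS LIKE 'tx_check';

-- 3. Insert inside a transaction, roll it back, and count what is left.
SET AUTOCOMMIT = 0;
INSERT INTO tx_check VALUES (1);
ROLLBACK;
SELECT COUNT(*) FROM tx_check;

-- 4. Clean up and restore the session default.
SET AUTOCOMMIT = 1;
DROP TABLE tx_check;
```

On an InnoDB table the final count is 0. If the row survives the ROLLBACK, the table was created with a non-transactional type such as MyISAM, and the default-table-type setting was not picked up.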