Contact Us 1-800-596-4880

Upgrading from Acegi to Spring Security

Mule Runtime 3.9 supports Spring Security 4.0.4. Upgrading your Mule application to use Spring Security instead of Acegi involves the following steps:

  1. Adding the necessary namespaces to your Mule configuration

  2. Updating the Acegi package names

  3. Updating your Mule configuration to use an AuthenticationManager

  4. Simplification using new Spring Security elements

Adding the Namespaces

Your Mule configuration file should have the following namespaces declared.

<mule xmlns="http://www.mulesource.org/schema/mule/core"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:spring="http://www.springframework.org/schema/beans"
    xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security"
    xmlns:ss="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-current.xsd
    http://www.mulesource.org/schema/mule/core http://www.mulesource.org/schema/mule/core/current/mule.xsd
    http://www.mulesource.org/schema/mule/spring-security
        http://www.mulesource.org/schema/mule/spring-security/current/mule-spring-security.xsd
    http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-current.xsd">
...
</mule>

The mule-ss namespace is for the Mule Spring Security extensions. The ss namespace is for the Spring Security schema elements that are not Mule specific and allows you to use the less verbose XML that is part of Spring Security 2.0.

Updating the Acegi Package Names

Except for the changed package names, the Spring Security API has remained largely compatible with Acegi. For example, assume you configured a DaoAuthenticationProvider like this one:

<bean class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userService"/>
</bean>

To use Spring Security, you simply change the acegisecurity package to springframework.security:

<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userService"/>
</bean>

Repeat this step for all your Acegi bean definitions. To find the correct spring framework package names, check the API documentation at Spring 4.0.4 API docs.

Using an AuthenticationManager

The only major difference between Mule integration with Acegi and Spring Security is that the latter uses the AuthenticationManager to provider authentication functions, while the former tied in at the Acegi AuthenticationProvider level. With the Acegi provider, the authentication flow followed this progression:

AcegiProviderAdapter (Mule) -> AuthenticationProvider (Acegi)

With the new Spring Security adapter, it follows this progression:

SpringProviderAdapter (Mule) -> AuthenticationManager (Spring Security) -> AuthenticationProvider (Spring Security)

This allows the authentication manager to try multiple authentication providers to authenticate your messages.

Configuration of this approach requires a little more XML. For example, consider this original configuration:

<mule ...>
    <acegi:security-manager>
        <acegi:delegate-security-provider name="memory-dao" delegate-ref="daoAuthenticationProvider"/>
    </acegi:security-manager>

    <spring:bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <spring:property name="userMap">
            <spring:value>
                ross=ross,ROLE_ADMIN
                anon=anon,ROLE_ANONYMOUS
            </spring:value>
        </spring:property>
    </spring:bean>

    <spring:bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <spring:property name="userDetailsService" ref="inMemoryDaoImpl"/>
    </spring:bean>

</mule>

To upgrade this configuration, you add an AuthenticationManager. This would result in the following:

<mule ...>
    <mule-ss:security-manager>
        <mule-ss:delegate-security-provider name="memory-dao" delegate-ref="authenticationManager"/>
    </mule-ss:security-manager>

    <spring:bean id="inMemoryDaoImpl" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
        <spring:property name="userMap">
            <spring:value>
                ross=ross,ROLE_ADMIN
                anon=anon,ROLE_ANONYMOUS
            </spring:value>
        </spring:property>
    </spring:bean>

    <spring:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <spring:property name="userDetailsService" ref="inMemoryDaoImpl"/>
    </spring:bean>

    <spring:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
        <spring:constructor-arg>
            <spring:list>
                 <spring:ref bean="daoAuthenticationProvider"/>
            </spring:list>
        </spring:constructor-arg>
    </spring:bean>
</mule>

Simplifying the Configuration

Spring Security includes new XML syntax that can simplify configurations, especially in simple cases. For example, the previous example has an in-memory user database, a DAO authentication provider, and an authentication manager. This can be simplified to:

<mule ...>
    <mule-ss:security-manager>
        <mule-ss:delegate-security-provider name="memory-dao" delegate-ref="authenticationManager" />
    </mule-ss:security-manager>

    <spring:beans>
      <ss:authentication-manager alias="authenticationManager">
        <ss:authentication-provider>
          <ss:user-service id="userService">
            <ss:user name="ross" password="ross" authorities="ROLE_ADMIN" />
            <ss:user name="anon" password="anon" authorities="ROLE_ANON" />
          </ss:user-service>
        </ss:authentication-provider>
      </ss:authentication-manager>
    </spring:beans>
</mule>

The <authentication-manager> element defines the name of our AuthenticationManager bean. We then create a single AuthenticationProvider with the <authentication-provider> and <user-service> elements. This <user-service> is the same as our InMemoryDaoImpl above.

For more information on how to configure Acegi, see the following Spring documentation: