Upgrading from Acegi to Spring Security
| Mule Runtime Engine versions 3.5, 3.6, and 3.7 reached End of Life on or before January 25, 2020. For more information, contact your Customer Success Manager to determine how you can migrate to the latest Mule version. |
Mule Runtime supports Spring Security version 4.0.4. Upgrading your Mule application to use Spring Security instead of Acegi involves the following steps:
-
Adding the necessary namespaces to your Mule configuration
-
Updating the Acegi package names
-
Updating your Mule configuration to use an
AuthenticationManager -
Simplification using new Spring Security elements
Adding the Namespaces
Your Mule configuration file should have the following namespaces declared.
<mule xmlns="http://www.mulesource.org/schema/mule/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:spring="http://www.springframework.org/schema/beans"
xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security"
xmlns:ss="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-current.xsd
http://www.mulesource.org/schema/mule/core
http://www.mulesource.org/schema/mule/core/current/mule.xsd
http://www.mulesource.org/schema/mule/spring-security
http://www.mulesource.org/schema/mule/spring-security/current/mule-spring-security.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-current.xsd">
...
</mule>The mule-ss namespace is for the Mule Spring Security extensions. The ss namespace is for the Spring Security schema elements that are not Mule specific and allows you to use the less verbose XML that is part of Spring Security 2.0.
Updating the Acegi Package Names
Except for the changed package names, the Spring Security API has remained largely compatible with Acegi. For example, assume you configured a DaoAuthenticationProvider like this one:
<bean class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userService"/>
</bean>To use Spring Security, you simply change the acegisecurity package to springframework.security:
<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userService"/>
</bean>Repeat this step for all your Acegi bean definitions. To find the correct spring framework package names, check the API documentation at http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/.
Using an AuthenticationManager
The only major difference between Mule integration with Acegi and Spring Security is that the latter uses the AuthenticationManager to provider authentication functions, while the former tied in at the Acegi AuthenticationProvider level. With the Acegi provider, the authentication flow followed this progression:
AcegiProviderAdapter (Mule) -> AuthenticationProvider (Acegi)
With the new Spring Security adapter, it follows this progression:
SpringProviderAdapter (Mule) -> AuthenticationManager (Spring Security) -> AuthenticationProvider (Spring Security)
This allows the authentication manager to try multiple authentication providers to authenticate your messages.
Configuration of this approach requires a little more XML. For example, consider this original configuration:
<mule ...>
<acegi:security-manager>
<acegi:delegate-security-provider name="memory-dao" delegate-ref="daoAuthenticationProvider"/>
</acegi:security-manager>
<spring:bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<spring:property name="userMap">
<spring:value>
ross=ross,ROLE_ADMIN
anon=anon,ROLE_ANONYMOUS
</spring:value>
</spring:property>
</spring:bean>
<spring:bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<spring:property name="userDetailsService" ref="inMemoryDaoImpl"/>
</spring:bean>
</mule>To upgrade this configuration, you add an AuthenticationManager. This would result in the following:
<mule ...>
<mule-ss:security-manager>
<mule-ss:delegate-security-provider name="memory-dao" delegate-ref="authenticationManager"/>
</mule-ss:security-manager>
<spring:bean id="inMemoryDaoImpl" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<spring:property name="userMap">
<spring:value>
ross=ross,ROLE_ADMIN
anon=anon,ROLE_ANONYMOUS
</spring:value>
</spring:property>
</spring:bean>
<spring:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<spring:property name="userDetailsService" ref="inMemoryDaoImpl"/>
</spring:bean>
<spring:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<spring:constructor-arg>
<spring:list>
<spring:ref bean="daoAuthenticationProvider"/>
</spring:list>
</spring:constructor-arg>
</spring:bean>
</mule>Simplifying the Configuration
Spring Security includes new XML syntax that can simplify configurations, especially in simple cases. For example, the previous example has an in-memory user database, a DAO authentication provider, and an authentication manager. This can be simplified to:
<mule ...>
<mule-ss:security-manager>
<mule-ss:delegate-security-provider name="memory-dao" delegate-ref="authenticationManager" />
</mule-ss:security-manager>
<spring:beans>
<ss:authentication-manager alias="authenticationManager">
<ss:authentication-provider>
<ss:user-service id="userService">
<ss:user name="ross" password="ross" authorities="ROLE_ADMIN" />
<ss:user name="anon" password="anon" authorities="ROLE_ANON" />
</ss:user-service>
</ss:authentication-provider>
</ss:authentication-manager>
</spring:beans>
</mule>The <authentication-manager> element defines the name of our AuthenticationManager bean. We then create a single AuthenticationProvider with the <authentication-provider> and <user-service> elements. This <user-service> is the same as our InMemoryDaoImpl above.