Currently working on...

migrating our application framework from Acegi to Spring Security. It sounds like a pretty easy task. It is really so as long as you go along with the standard set of security features contained in Spring Security, which is very extensive. So that in 90% of cases you would take it out of the box, configure & use. But if you have some existing peculiarities in your software landscape, that you would like to integrate, that's where it gets tough.

We for example use a web service for user authentication and authorization and had to implement our specific provider to plug it into the framework. Moreover it surprised me that there is still no reasonable JSF support in Spring Security. My idea was to use it in a JSF application and possibly write no authentication specific code. What I was hoping on, was to supply my own WS authentication provider, configure the Spring and/or JSF beans and it should work. But the truth is, actually there is no way around as to use a backing bean with authentication logic. This solution is presented here in Java World Magazine. It is a good and working one, but I wish it were simplier.

What Spring guys actually promise and underline as a highlight of Spring Security comparing with Acegi is less configuration and easy understanding. As matter of fact the main issue here is interaction between Spring Security and JSF and a question how to configure it without need to write the whole authentication / authorization logic in Java, but just to get it configured somehow.

So should you've run into an appropriate solution, please be so kind and drop a line here ...