Hi Charles,
I spent some time looking at the current implementation and the Spring Security versions. I think it is a great idea to support the newer version of Spring Security. Our engineering team will be looking into this for future releases; currently, our implementation is built upon Spring 2.5 whereas Spring Security 3.01 requires a minimum of Spring 3.0. (We have also extended some of the classes in order to provide better SQL query building capabilites for our 6.0 release, so it will require a bit more effort that just re-testing with the latest Spring jars. So, this is not likely to be included in the initial 6.0 GA release.)

In the meantime, I did some testing with configuration-only changes in the current XAware 5.4 release, and I was able to get Spring Security 2.05 working on Tomcat (v6.0.16 included in our all-in-one install), since that version of Spring Security is compatible with Spring 2.0 and 2.5.

Here are the steps I took to configure Spring Security 2.05 (using the ant commands described in the wiki article How to enable security on the HTTP connector, and following the Spring Security documentation for a basic example):

• unzip the archive (ant task)


• add the Spring Security jar files to the /updated_stub_jta/WEB-INF/lib directory:

spring-security-core-2.0.5.jar
spring-security-core-tiger-2.0.5.jar
spring-security-acl-2.0.5.jar
spring-security-taglibs-2.0.5.jar
commons-code-1.3.jar


• (optionally) delete the /WEB-INF/lib/acegi-security-1.0.5.jar


• create (copy from Spring example) /WEB-INF/applicationContext-spring-security.XML with your security configuration for Spring 2.05


• (optionally) delete the /WEB-INF/applicationContext-acegi-security.xml


• modify the /WEB-INF/web.xml as needed for Spring Security 2.05


• zip the archive (ant task)


• redploy the modified .war to your Tomcat server

Using this approach, you can configure your Spring Security 2.05 settings for securing URIs (i.e. BizDocs) in the applicationContext-spring-security.xml. However, you will have to disable the XAware security settings as referenced in the wiki ("authorizeBizViewFiles" and "authorizeResourceFiles") since these settings will cause XAware to still invoke the Acegi 1.05 security classes. This means that you will not be able to use the XAware security settings, which allows you to set roles for both BizDocs and BizComps (and throws an XAware exception when a role is not allowed). Instead, you use only standard Spring Securiy settings, and the browser will display the login prompts and error exceptions based on the roles and your security settings. You may still need to login with a valid role in the XAware Package Assembly Tool to publish a BizDoc (as configured in Spring Security for the publish BizDoc URI).

Note: You cannot set Spring <global-method-security> settings to use AspectJ pointcut expressions, unless you also upgrade the Spring .jar to Spring 2.5.6. I did not fully test XAware to see if there were any other issues with replacing the spring.jar with the 2.5.6 version.

I also did not get this example working with the embedded JBoss (4.2.2) version either, as the class loader (class loading order) was not able to resolve some of the Spring Security classes. This requires additional research.

Again, the ideal approach would be for XAware (or a community contributor) to upgrade to Spring 3.0 and Spring Security 3.05, allowing you to use either Spring Security 3.05 alone, or in conjunction with the XAware security settings for BizDoc/BizComp roles.