Securing XAware Services
by kvandersluis | 18 Apr 2008 7:14 AM
Tags: security, LDAP, jaas, http, authorization, authentication, access control
XAware uses Spring Security (formerly called the Acegi project) to control access to XAware-based services invoked over HTTP.
XAware's security model includes authentication and access control. A user is authenticated with a user name and password, and is allowed to operate in one or more roles, as specified by the security configuration. The BizView files implementing a service (BizDocuments, BizComponents, and BizDrivers) can each have a "required role" assignment. Roles are assigned to a BizView file at packaging time, or via the JMX management console. At run time, when security is enabled, access to a BizView file is allowed only if the user has a role allowed by that BizView file.
The security configuration in the delivered product configures Spring Security to use HTTP Basic authentication with a simple file-based user/role definition file. Spring Security is very flexible, however, and can be configured to use HTTP Digest or certificate-based authentication with database, LDAP, single sign-on modules, JAAS, and many other authentication mechanisms. See the Spring Security site for details on how to do this.
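The model described above (HTTP Basic credentials, a file-based user/role list, and a required-role check on each BizView file) can be sketched in Python. This is an added illustration, not XAware or Spring Security code: the file layout, user names, BizView names, role names and the per-file check over a chain of files are all assumptions made for the example.

```python
import base64
import hmac

# Constructed sample user/role file, one "name=password,ROLE[,ROLE...]" per line (assumed layout).
USERS_FILE = "alice=s3cret,ROLE_ORDERS,ROLE_REPORTS\nbob=hunter2,ROLE_REPORTS\n"

# Hypothetical BizView files and the roles each accepts (empty set = no role required).
REQUIRED_ROLES = {
    "OrdersDoc": {"ROLE_ORDERS"},
    "OrdersQuery": {"ROLE_ORDERS", "ROLE_ADMIN"},
    "ReportsDoc": {"ROLE_REPORTS"},
    "DbDriver": set(),
}

def load_users(text):
    """Parse the user file into {name: (password, set_of_roles)}."""
    users = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        name, _, rest = line.partition("=")
        password, *roles = [part.strip() for part in rest.split(",")]
        users[name.strip()] = (password, set(roles))
    return users

def authenticate(header, users):
    """Return the caller's roles for a valid Basic header, else None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or undecodable bytes
        return None
    name, sep, password = raw.partition(":")
    stored, roles = users.get(name, ("", set()))
    # Constant-time comparison; unknown users fail the same way as wrong passwords.
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return roles if sep and name in users and ok else None

def authorize(header, bizview_chain, users):
    """Return 401 (not authenticated), 403 (role missing) or 200 (allowed)."""
    roles = authenticate(header, users)
    if roles is None:
        return 401
    for bizview in bizview_chain:
        needed = REQUIRED_ROLES.get(bizview)
        # Fail closed on files with no recorded assignment.
        if needed is None or (needed and not roles & needed):
            return 403
    return 200
```

A caller holding `ROLE_REPORTS` only is rejected as soon as the chain reaches a file that accepts `ROLE_ORDERS` alone, even though authentication succeeded.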
For more information on configuring XAware security, see the wiki article on how to enable security.


