Acegi is Ben Alex's comprehensive security framework for Spring-based applications. Acegi can be used for both user authentication and authorization, and solves several limitations of the standard J2EE security model. A recent JavaWorld article by Xinyu Liu, From Java EE security to Acegi: The right way to protect your Web application, compares the standard J2EE security model with Acegi, showing what areas of application security each solution is appropriate for:

Acegi offers flexible and comprehensive authentication services implemented through servlet filters for applications using Spring. Besides the common form, basic, digest, and client-certification login methods, Acegi also supports anonymous, remember-me, and redirect for SSO authentications that happen on some centralized login Web sites...

Web applications usually have both protected and unprotected URLs, and anonymous users can gain access to unsecured resources without authentication. However, you may picture this scenario differently in Acegi. Anonymous authentication in Acegi allows you to associate anonymous users with a specific user identity and role, so that programming access control is unanimous across protected and unprotected resources...

Remember-me authentication in Acegi enables a Web site to remember a user's identity between Web sessions. A long-duration cookie is sent—with the value of a digested identity and password—to the browser so the cookie will be detected during future sessions, causing automated login to take place, a desirable feature for many commercial Web sites.

Liu's article also highlights other Acegi features, such as concurrent session control that's especially useful in cluster-based Spring deployments, and Acegi's support of transport-level security.

While Acegi was initially developed for Spring applications, it can be made to work with non-Spring applications as well, as the article points out. What do you think of Acegi as an enterprise security framework?