Re: [Acegisecurity-developer] Acegi with portlets
There is some woefully out-of-date integration between Spring Portlet MVC and Acegi available for Acegi 0.8.3 on the Spring Portlet MVC web site: http://opensource.atlassian.com/confluence/spring/download/attachments/10/acegi-portlet.zip I spoke with Ben Alex at the Spring Experience conference about updating this integration and getting it merged into Acegi, hopefully in time for the 1.1 release. I have not made much progress on that work, but I do plan to attack it in the next few weeks. John Lewis Mat Lowery wrote: Because I didn’t want to figure out how JBoss Portal URLs were generated, I chose to use JbossAcegiLoginModule, which is a JAAS LoginModule that uses Acegi Security’s AuthenticationManager. The benefit to this solution is that the portal decides when authentication is needed. So I can use JBoss Portal to lock down specific portlet instances and leave it to the portal to decide when to prompt the user for login given that the originally requested page contains multiple portlets with different security needs. *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Arturo San Feliciano Martín *Sent:* Thursday, February 15, 2007 4:05 AM *To:* acegisecurity-developer@lists.sourceforge.net *Subject:* [Acegisecurity-developer] Acegi with portlets Hello! ¿Anyone knows where I could find examples or docs about acegi and portlets integration? ¿is it possible?. I´m going to try to integrate a JBoss Portal Application with Acegi security framework, please if anyone knows how or problems with the integration I will be thankful. Thanks! Arturo San Feliciano Martín - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Re: Acegi and JSR-168 portlets
Ken Patrick, I've developed some initial JSR-168 Portlet support for Acegi. It is a separate provider with its own implementation of AbstractAuthenticationToken, AuthenticationProvider, UserCache, etc. I've also provided a PortletSessionContextIntegrationInterceptor and PortletProcessingInterceptor. One of the unique challenges of portlet development in this space is that filters are not applied to portlet requests, so none of the existing filter-based can be used with the portlets. But with the two interceptors above I think it covers the basics and allows for use of MethodSecurityInterceptor and for the taglib in JSP content. The main thing that is missing at this point is an equivalent of the URL-based security mechanisms such as FilterSecurityInterceptor. Since portlet requests don't include traditional URLs, this is difficult to translate. I think the best thing here will be to implement something parallel to the HandlerMapping classes that allows security to be applied in the same way. I've posted the classes and some example application context entries on the Spring Portlet Wiki site. You can download the file here: http://opensource2.atlassian.com/confluence/spring/download/attachments/10/acegi-portlet.zip At this point it is integrated with Acegi 0.8.3 and needs to be refactored for integration with 0.9.0. I'm very interested in your feedback. Let me know what you think. John Lewis Ballard, Ken wrote: Hi, I'm pushing for my company to use Acegi. At some point my company will probably start using JSR-168 portlets and it would help if I could show that Acegi's security framwork will work with a portal application (probaly WebSphere or JetSpeed). Will Acegi support this? Thanks, Ken --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Re: Acegi JSR-168 Portlet Integration
I just reposted the code and have included a DaoPortletAuthoritiesPopulator which is essentially a duplicate of DaoCasAuthoritiesPopulator. Thanks again for the feedback! John Ben Alex wrote: John Lewis wrote: - You are correct that the portlet container performs the authentication and then provides a String username to portlets running within the portlet container. It is very similar to CAS and X509 and I modeled the code after those two quite a bit. Unfortunately, the JSR-168 spec completely delegates the authentication to the portlet-container and does not provide a standard way to plug an authentication mechanism into it. Of course, a portlet container implementation could use Acegi directly (I believe that the Gridsphere team is considering this in the near future). I have not created a default implementation of PortletAuthoritiesPopulator at this point. The only authorities mechanism in JSR-168 is the same isUserInRole method as in the Servlet spec. I suppose we could create a default PortletAuthoritiesPopulator that could be configured with a list of roles to check. It seems a very common requirement for a separate system to authenticate a user and provide only a String-based username to an application. This is seen with CAS, X509, Portlets and a range of external authentication services. Therefore, it would seem desirable to offer a generic equivalent to CasAuthoritiesPopulator/X509AuthoritiesPopulator. Cheers Ben --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Re: Acegi JSR-168 Portlet Integration
Ben, Thanks for the feedback. Here are the responses to your questions and comments: - I'll start working on updating to 0.9.0 next month. We are close to a deployment of our own and I don't want to start refactoring until after that. - PortletSessionContextIntegrationInterceptor is in the zip file in the net.sf.acegisecurity.context package. PortletSecurityEnforcementInterceptor was intentionally excluded because my implementation is not mature enough yet. I have removed the reference to it from the app-context-examples.txt file. - You are correct that the portlet container performs the authentication and then provides a String username to portlets running within the portlet container. It is very similar to CAS and X509 and I modeled the code after those two quite a bit. Unfortunately, the JSR-168 spec completely delegates the authentication to the portlet-container and does not provide a standard way to plug an authentication mechanism into it. Of course, a portlet container implementation could use Acegi directly (I believe that the Gridsphere team is considering this in the near future). I have not created a default implementation of PortletAuthoritiesPopulator at this point. The only authorities mechanism in JSR-168 is the same isUserInRole method as in the Servlet spec. I suppose we could create a default PortletAuthoritiesPopulator that could be configured with a list of roles to check. - I have not yet created any unit tests directly for these classes. We have unit tests in our application that test higher-level services that depend on these, but they are obviously out-of-scope for Acegi itself. I will work on creating some unit tests after I have updated to 0.9.0 next month. I'll keep you posted on my progress. Thanks again! John Ben Alex wrote: John Lewis wrote: I'm very interested in your feedback. When you get a chance to take a look at it all, let me know what you think. Hi John Thanks for contributing this code. I just had a quick look, and have a couple of questions and comments: - Could you make it compatible with 0.9.0 snapshot? I notice you're using the = 0.8.3 context management code, which has been refactored. - PortletSecurityEnforcementInterceptor and the PortletSessionContextIntegrationInterceptor do not appear to be in the ZIP file. - Am I correct in reading the code that the portlet container performs the authentication, which yields a String-based username, and your classes implement a PortletAuthoritiesPopulator (like CAS and X509)? If so, is there scope to plug in Acegi Security so that the portlet container can use our AuthenticationManager? Also, is there a default implementation of PortletAuthoritiesPopulator? - Are there any unit tests available? Cheers Ben --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Acegi JSR-168 Portlet Integration
Ben, I've evolved my initial effort in JSR-168 Portlet support for Acegi into something that I think is close to ready for inclusion into the overall framework. I've reimplemented it all as a separate provider with its own implementation of AbstractAuthenticationToken, AuthenticationProvider, UserCache, etc. I've also provided a PortletSessionContextIntegrationInterceptor and PortletProcessingInterceptor. One of the unique challenges of portlet development in this space is that filters are not applied to portlet requests, so none of the existing filter-based can be used with the portlets. But with the two interceptors above I think it covers the basics and allows for use of MethodSecurityInterceptor and for the taglib in JSP content. The main thing that is missing at this point is an equivalent of the URL-based security mechanisms such as FilterSecurityInterceptor. Since portlet requests don't include tradition URLs, this is difficult to translate. I think the best thing here will be to implement something parallel to the HandlerMapping classes that allows security to be applied in the same way. I've posted the classes and some example application context entries on the Spring Portlet Wiki site. You can download the file here: http://opensource2.atlassian.com/confluence/spring/download/attachments/10/acegi-portlet.zip I'm very interested in your feedback. When you get a chance to take a look at it all, let me know what you think. John Lewis --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42 plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Acegi Integration w/ Spring Portlet MVC Framework
I just posted some code from our initial integration of Acegi with the JSR-168 compliant Spring Portlet MVC Framework. You can see the code here: http://forum.springframework.org/viewtopic.php?p=26141 I'm interested in any feedback on this, including if something along these lines should be formally included somewhere. John Lewis [EMAIL PROTECTED] --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
