Re: [Acegisecurity-developer] Spring Security is not portable

[Ray Krueger]

 I have a simple war where I used spring-security to implement a BASIC login
 using JAAS.  It works fine on Tomcat but on JBoss I get the following
 error.  It seems to be ignoring my spring-security configuration because it
 wants to load users/roles from local file.

 13:54:02,128 ERROR [UsersRolesLoginModule] Failed to load
 users/passwords/role f
 iles
 java.io.IOException: No properties file: users.properties or defaults:
 defaultUs
 ers.properties found
     at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
     at
 org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRole
 sLoginModule.java:186)

 Why isn't this portable to JBoss?

It is all portable to JBoss. What you have is a JBoss problem, not an
Acegi problem.
This might help...
http://www.jboss.org/community/wiki/UsersRolesLoginModule

--
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables 
unlimited royalty-free distribution of the report engine 
for externally facing server and web deployment. 
http://p.sf.net/sfu/businessobjects
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] [ANN] Spring Security 2.0.0 Released

[Ray Krueger]

Great news!



On 4/15/08, Ben Alex [EMAIL PROTECTED] wrote:
 Dear Spring Community

 After almost two years of development, Spring Security 2.0.0 is now
 available for download. This significant new release replaces Acegi
 Security as the official security module for Spring applications.

 Spring Security 2.0.0 features substantially simplified configuration.
 Whilst old configurations required hundreds of lines of XML, our new
 convention over configuration approach ensures that many deployments
 will now require less than 10 lines.

 We've also added many other new capabilities to Spring Security 2.0.0:

 * OpenID integration, which is the web's emerging single sign on
 standard (supported by Google, IBM, Sun, Yahoo and others)

 * Windows NTLM support, providing easy enterprise-wide single sign on
 against Windows corporate networks

 * Support for JSR 250 (EJB 3) security annotations, delivering a
 standards-based model for authorization metadata

 * AspectJ pointcut expression language support, allowing developers to
 apply cross-cutting security logic across their Spring managed objects

 * Substantial improvements to the high-performance domain object
 instance security (ACL) capabilities

 * Comprehensive support for RESTful web request authorization, which
 works well with Spring 2.5's @MVC model for building RESTful systems

 * Long-requested support for groups, hierarchical roles and a user
 management API, which all combine to reduce development time and
 significantly improve system administration

 * An improved, database-backed remember me implementation

 * Support for portlet authentication out-of-the-box

 * Support for additional languages

 * Numerous other general improvements, documentation and new samples

 * New support for web state and flow transition authorization through
 the Spring Web Flow 2.0 release

 * New support for visualizing secured methods, plus configuration
 auto-completion support in Spring IDE

 * Enhanced WSS (formerly WS-Security) support through the Spring Web
 Services 1.5 release

 Please visit http://www.springframework.org/download to download the
 latest release and access the change log.

 We hope you find this new release useful in your projects.

 Best regards

 Ben Alex
 Project Lead, Spring Security

 -
 This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
 Don't miss this year's exciting event. There's still time to save $100.
 Use priority code J8TL2D2.
 http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-- 
Sent from Gmail for mobile | mobile.google.com

-
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] IntelliJ license

[Ray Krueger]

Our IntelliJ IDEA license expires tomorrow (yep, we have one, contact
me for details). I've contacted IntelliJ to acquire a new open-source
license.

-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] OpenID out of the sandbox

[Ray Krueger]

I've pulled the OpenID module out of the sand box, but rather than
merging it into core, it is it's own module. Meaning that integrating
it into a project will require both the spring-security-core and
spring-security-openid jar files. The OpenID module has also been
added to the parent pom.xml, which means that when you run mvn
install on the root project it will install the OpenID module as
well. I'd like to bump up the test coverage in some spots and we
definitely need to get some documentation going. We should be able to
tighten this up by the time Luke releases Spring-Security 2.0.

That being said, I wouldn't call the OpenID support done. It is out
of the sandbox though and that's good news.

So pull down the code and have a look see...
-Ray

-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] Acegi OpenID Support Update

[Ray Krueger]

I've updated the OpenID support in the sandbox, um, finally :) I'll
talk with Ben and Luke about getting it promoted to its rightful home
soon enough.

Anyway, read more at...
ShamelessSelfPromotion
http://raykrueger.blogspot.com/2008/01/acegi-openid-support-update.html
/ShamelessSelfPromotion

-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] build failed

[Ray Krueger]

Yeah, the unit tests will only pass in English.

Try this (without your changes)

set MAVEN_OPTS=-Duser.language=en -Duser.region=US
mvn install


On Jan 13, 2008 7:03 AM, Candide Kemmler [EMAIL PROTECTED] wrote:
 Hi Ray,

 I have wiped everything in my working copy directory, then re-co'd
 everything and run mvn install, and still got the same errors.

 Attached is a patch containing the 3 tiny hacks I had to write for the
 project to compile. Maybe you have more insight than me to understand what
 was going wrong (except for the language issue).

 I'm still stuck with Eclipse. What IDE do you guys use, if any? Any hints
 about IDE usage would be very welcomed (.project .classpath anyone?)



 On Jan 12, 2008 9:51 PM, Ray Krueger  [EMAIL PROTECTED] wrote:
  I had a bad file or two that was causing trouble. I blew those out and
  got fresh code from SVN and all is well.
  Candide be sure to run mvn install first and foremost.
 
 
 
 
  On Jan 11, 2008 1:01 PM, Ray Krueger  [EMAIL PROTECTED] wrote:
   Yeah, I think we have a problem building on Windows.
   I had a problem this morning on my Windows laptop. Once I got into the
   office I pulled the code down to my linux workstation and simply ran
   mvn install, everything went off without a hitch.
  
   I'll look at it on my train ride home I think :)
  
  
   On Jan 11, 2008 11:50 AM, Candide Kemmler  [EMAIL PROTECTED] wrote:
I'm running java -version:
java version 1.6.0
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)
   
on Windows XP French
I have 2Gb of RAM,...
   
what else?
   
Looks like at least one error is due to my system being in french :-(
   
And for something else: I have problems using Eclipse
I have everywhere messages of the form The hierarchy of the type xxx
 is
inconsistent
Any idea what can be done against it?
Or, more simply: couldn't someone just hand me their .project and
 .classpath
files?
   
--
Candide Kemmler
http://www.palacehotel.org/
   
   
11/13 avenue Reine Marie-Henriette
1190 Bruxelles
mobile:+32485067980
  
   
 -
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
   
 http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
   
   
  
 
  -
  Check out the new SourceForge.net Marketplace.
  It's the best place to buy or sell services for
  just about anything Open Source.
 
 http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 



 --


 Candide Kemmler
 http://www.palacehotel.org/
 11/13 avenue Reine Marie-Henriette
 1190 Bruxelles
 mobile:+32485067980
 -
 Check out the new SourceForge.net Marketplace.
 It's the best place to buy or sell services for
 just about anything Open Source.
 http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] build failed

[Ray Krueger]

Yeah, I think we have a problem building on Windows.
I had a problem this morning on my Windows laptop. Once I got into the
office I pulled the code down to my linux workstation and simply ran
mvn install, everything went off without a hitch.

I'll look at it on my train ride home I think :)

On Jan 11, 2008 11:50 AM, Candide Kemmler [EMAIL PROTECTED] wrote:
 I'm running java -version:
 java version 1.6.0
 Java(TM) SE Runtime Environment (build 1.6.0-b105)
 Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)

 on Windows XP French
 I have 2Gb of RAM,...

 what else?

 Looks like at least one error is due to my system being in french :-(

 And for something else: I have problems using Eclipse
 I have everywhere messages of the form The hierarchy of the type xxx is
 inconsistent
 Any idea what can be done against it?
 Or, more simply: couldn't someone just hand me their .project and .classpath
 files?

 --
 Candide Kemmler
 http://www.palacehotel.org/


 11/13 avenue Reine Marie-Henriette
 1190 Bruxelles
 mobile:+32485067980
 -
 Check out the new SourceForge.net Marketplace.
 It's the best place to buy or sell services for
 just about anything Open Source.
 http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] contacts example with basic authentication only ?

[Ray Krueger]

You know, I think that responsibility may have been moved to the
exceptionTranslationFilter. That's probably not very clear...
Look at what entryPoints you have and look how they're being used.


On Nov 8, 2007 5:42 AM,  [EMAIL PROTECTED] wrote:

 I looked inside the acegi-security-sample-contacts-filter.war that came with
 acegi 1.0.4

 the filter chain in applicationContext-acegi-security.xml is defined as
 follows:

 bean id=filterChainProxy
 class=org.acegisecurity.util.FilterChainProxy
   property name=filterInvocationDefinitionSource
  value
 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 PATTERN_TYPE_APACHE_ANT

 /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter
  /value
   /property
 /bean

 The javadoc of BasicProcessingFilterEntryPoint also talks about
 SecurityEnforcementFilter. But I can not find an class/interface or bean
 name with that name ?

 Are we talking about the same acegi version ?

 Regards,
 -
 This SF.net email is sponsored by: Splunk Inc.
 Still grepping through log files to find problems?  Stop.
 Now Search log events and configuration files using AJAX and a browser.
 Download your FREE copy of Splunk now  http://get.splunk.com/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] contacts example with basic authentication only ?

[Ray Krueger]

No problem, glad I could help.

That's the trick to remember with Acegi that I think people
misunderstand. The filters that actually handle credentials, like the
BasicProcessingFilter, AuthenticationProcessingFilter,
DigestProcessingFilter only do anything when the credentials are
presented. An entry point is used at the end of the filter chain as
the final gate keeper.

Each filter has it's own entry point wired in though, those are used
when you screw up the credentials presented to one of the filters. So
if you present bad credentials to the BasicProcessingFilter, it will
send your request to it's entry point. In your case, that's the same
entry point used by the ExceptionTranslationFilter.

I really don't like that the final enforcement is done by something
named ExceptionTranslationFilter. That's very unclear. There used to
be a SecurityEnforcementFilter back there who's name made it's
responsibility clear. The ExceptionTranslationFilter was added, as
it's name implies, to handle translating the exception messages using
ResourceBundles and such. Unfortunately it was put in as a replacement
for the ExceptionTranslationFilter which sort of blurred the line. I
should have complained about this like a year ago when it was
implemented but I wasn't paying attention :P




On Nov 8, 2007 6:31 AM,  [EMAIL PROTECTED] wrote:

 I needed to change the authenticationEntryPoint property of the
 ExceptionTranslationFilter bean in order to make it work.

 Thanks a lot Ray !
 -
 This SF.net email is sponsored by: Splunk Inc.
 Still grepping through log files to find problems?  Stop.
 Now Search log events and configuration files using AJAX and a browser.
 Download your FREE copy of Splunk now  http://get.splunk.com/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Removal of Requirement for StatelessTicketCache on CasAuthenticationProvider

[Ray Krueger]

Yes, it's used in core. It is the default backing for the UserCache.

On 11/6/07, Scott Battaglia [EMAIL PROTECTED] wrote:
 The StatelessTicketCache is only used within the CAS support for the
 purpose of simulating sessions for stateless remote access. Normal CAS
 support does not require the StatelessTicketCache (in fact the CAS
 protocol doesn't really recommend you re-use the single use tickets ;-)).

 I'm okay with option 3 also.  I'll create a JIRA issue and commit the
 code.  Would we need to update our pom file?  Is EhCache used for
 anything besides the CAS support within Acegi?

 Thanks
 -Scott


 Ray Krueger wrote:
  Number 3 above is generally the pattern followed in Acegi...
 
  private StatelessTicketCache statelessTicketCache = new
  NullStatelessTicketCache();
 
  ...with a setter for it defining a custom implementation.
 
  I don't think that would be a big deal to change, though I'm unsure of
  it's role in the CAS stuff. I've never used our CAS support :)
 
 
  On 11/6/07, Scott Battaglia [EMAIL PROTECTED] wrote:
 
  Ben,
 
  Do you have any objections to removing the fact that a
  StatelessTicketCache is required for the CasAuthenticationProvider?  Its
  only needed when a remoting protocol is used and requires every
  application to possibly have an unnecessary dependency on EhCache.
 
  We have three options:
  1. Just turn off the check for the StatelessTicketCache (and wherever
  its called, also check for null)
  2. Create a Stub/NoCacheStatelessTicketCache that is a shell to satisfy
  the dependency but still require people to configure it
  3. Create the stub and have it be the default value in the
  CasAuthenticationProvider meaning that no configuration is required.
 
  Thoughts?
 
  Thanks
  -Scott
 
  --
  Scott Battaglia
  Application Developer, Architecture  Engineering Team
  Enterprise Systems and Services, Rutgers University
  v: 732.445.0097 | f: 732.445.5493 | [EMAIL PROTECTED]
 
 
 
  -
  This SF.net email is sponsored by: Splunk Inc.
  Still grepping through log files to find problems?  Stop.
  Now Search log events and configuration files using AJAX and a browser.
  Download your FREE copy of Splunk now  http://get.splunk.com/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
 
  -
  This SF.net email is sponsored by: Splunk Inc.
  Still grepping through log files to find problems?  Stop.
  Now Search log events and configuration files using AJAX and a browser.
  Download your FREE copy of Splunk now  http://get.splunk.com/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 

 -
 This SF.net email is sponsored by: Splunk Inc.
 Still grepping through log files to find problems?  Stop.
 Now Search log events and configuration files using AJAX and a browser.
 Download your FREE copy of Splunk now  http://get.splunk.com/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Trunk tests take 30 minutes and then fail.

[Ray Krueger]

Ok, so this is a Windows and/or Java 6 thing.

I ran the full test suite on my linux box with java5 and all is well.



On 11/4/07, Ray Krueger [EMAIL PROTECTED] wrote:
 It looks like that all starts from this test...

 Running 
 org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticatorTests

 On 11/4/07, Ray Krueger [EMAIL PROTECTED] wrote:
  This type of stuff seems to be where it takes the longest...
 
  2007-11-04 12:39:38,062 DEBUG
  org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
  eating InitialDirContext with environment
  {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
  ramework,dc=org,
  java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
  java.naming.security.
  principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
  java.naming.security.authenticat
  ion=simple, java.naming.security.credentials=**,
  java.naming.factory.object=org.springframework.
  ldap.core.support.DefaultDirObjectFactory}
 
  2007-11-04 12:39:53,203 DEBUG
  org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
  eating InitialDirContext with environment
  {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
  ramework,dc=org,
  java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
  java.naming.security.
  principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
  java.naming.security.authenticat
  ion=simple, java.naming.security.credentials=**,
  java.naming.factory.object=org.springframework.
  ldap.core.support.DefaultDirObjectFactory}
 
  2007-11-04 12:40:08,218 DEBUG
  org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
  eating InitialDirContext with environment
  {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
  ramework,dc=org,
  java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
  java.naming.security.
  principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
  java.naming.security.authenticat
  ion=simple, java.naming.security.credentials=**,
  java.naming.factory.object=org.springframework.
  ldap.core.support.DefaultDirObjectFactory}
 
  2007-11-04 12:40:23,218 DEBUG
  org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
  eating InitialDirContext with environment
  {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
  ramework,dc=org,
  java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
  java.naming.security.
  principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
  java.naming.security.authenticat
  ion=simple, java.naming.security.credentials=**,
  java.naming.factory.object=org.springframework.
  ldap.core.support.DefaultDirObjectFactory}
 
 
 
 
  On 11/4/07, Ray Krueger [EMAIL PROTECTED] wrote:
   Maven version: 2.0.7
   Java version: 1.6.0_01
   OS name: windows xp version: 5.1 arch: x86
  
   Yeah, the console scrolled way too far back for me to see what failed.
   That was just the snippet of the end of the log I showed.
  
   I'm running it again with a fresh batch of code, and running it from
   the project root.
  
   On 11/4/07, Luke Taylor [EMAIL PROTECTED] wrote:
What tests are failing? And what platform are you running on, JVM, Maven
version etc?
   
The stuff about ehcache is something to do with the shutdown hooks in
all the application contexts being executed when the VM exits so that's
not the problem, though we should be aiming to make sure that existing
tests call close() on any created app contexts to avoid this.
   
Both my automated build and the ones on build.springframework.org seem
to be running without any problems and I just built on my desktop
machine (1min 29s for a mvn clean test):
   
Maven version: 2.0.7
Java version: 1.5.0_07
OS name: mac os x version: 10.4.10 arch: i386
   
   
   
   
Ray Krueger wrote:
 I just pulled the latest code from Trunk this morning. I ran the unit
 tests in ./core and had the following result...

 2007-11-03 21:11:26,437 INFO net.sf.ehcache.CacheManager - VM shutting
 down with the CacheManager st
 ill active. Calling shutdown.
 Exception in thread Thread-77 java.lang.IllegalStateException: The
 aclCache Cache is not alive.
 at net.sf.ehcache.Cache.checkStatus(Cache.java:1201)
 at net.sf.ehcache.Cache.dispose(Cache.java:1081)
 at net.sf.ehcache.CacheManager.shutdown(CacheManager.java:702)
 at net.sf.ehcache.CacheManager$1.run(CacheManager.java:505)
 [INFO] 
 
 [ERROR] BUILD FAILURE
 [INFO] 
 
 [INFO] There are test failures.
 [INFO] 
 
 [INFO] For more information, run Maven with the -e switch
 [INFO

Re: [Acegisecurity-developer] Trunk tests take 30 minutes and then fail.

[Ray Krueger]

This type of stuff seems to be where it takes the longest...

2007-11-04 12:39:38,062 DEBUG
org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
eating InitialDirContext with environment
{java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
ramework,dc=org,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.
principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
java.naming.security.authenticat
ion=simple, java.naming.security.credentials=**,
java.naming.factory.object=org.springframework.
ldap.core.support.DefaultDirObjectFactory}

2007-11-04 12:39:53,203 DEBUG
org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
eating InitialDirContext with environment
{java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
ramework,dc=org,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.
principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
java.naming.security.authenticat
ion=simple, java.naming.security.credentials=**,
java.naming.factory.object=org.springframework.
ldap.core.support.DefaultDirObjectFactory}

2007-11-04 12:40:08,218 DEBUG
org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
eating InitialDirContext with environment
{java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
ramework,dc=org,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.
principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
java.naming.security.authenticat
ion=simple, java.naming.security.credentials=**,
java.naming.factory.object=org.springframework.
ldap.core.support.DefaultDirObjectFactory}

2007-11-04 12:40:23,218 DEBUG
org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
eating InitialDirContext with environment
{java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
ramework,dc=org,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.security.
principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
java.naming.security.authenticat
ion=simple, java.naming.security.credentials=**,
java.naming.factory.object=org.springframework.
ldap.core.support.DefaultDirObjectFactory}




On 11/4/07, Ray Krueger [EMAIL PROTECTED] wrote:
 Maven version: 2.0.7
 Java version: 1.6.0_01
 OS name: windows xp version: 5.1 arch: x86

 Yeah, the console scrolled way too far back for me to see what failed.
 That was just the snippet of the end of the log I showed.

 I'm running it again with a fresh batch of code, and running it from
 the project root.

 On 11/4/07, Luke Taylor [EMAIL PROTECTED] wrote:
  What tests are failing? And what platform are you running on, JVM, Maven
  version etc?
 
  The stuff about ehcache is something to do with the shutdown hooks in
  all the application contexts being executed when the VM exits so that's
  not the problem, though we should be aiming to make sure that existing
  tests call close() on any created app contexts to avoid this.
 
  Both my automated build and the ones on build.springframework.org seem
  to be running without any problems and I just built on my desktop
  machine (1min 29s for a mvn clean test):
 
  Maven version: 2.0.7
  Java version: 1.5.0_07
  OS name: mac os x version: 10.4.10 arch: i386
 
 
 
 
  Ray Krueger wrote:
   I just pulled the latest code from Trunk this morning. I ran the unit
   tests in ./core and had the following result...
  
   2007-11-03 21:11:26,437 INFO net.sf.ehcache.CacheManager - VM shutting
   down with the CacheManager st
   ill active. Calling shutdown.
   Exception in thread Thread-77 java.lang.IllegalStateException: The
   aclCache Cache is not alive.
   at net.sf.ehcache.Cache.checkStatus(Cache.java:1201)
   at net.sf.ehcache.Cache.dispose(Cache.java:1081)
   at net.sf.ehcache.CacheManager.shutdown(CacheManager.java:702)
   at net.sf.ehcache.CacheManager$1.run(CacheManager.java:505)
   [INFO] 
   
   [ERROR] BUILD FAILURE
   [INFO] 
   
   [INFO] There are test failures.
   [INFO] 
   
   [INFO] For more information, run Maven with the -e switch
   [INFO] 
   
   [INFO] Total time: 30 minutes 11 seconds
   [INFO] Finished at: Sat Nov 03 21:11:26 CDT 2007
   [INFO] Final Memory: 15M/27M
   [INFO] 
   
  
  
   Not cool, I'm not sure what's going on, but it appeared to be spending
   all it's time in ldap tests.
  
 
 
  --
   Luke Taylor.  Monkey Machine Ltd.
   PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk

Re: [Acegisecurity-developer] Trunk tests take 30 minutes and then fail.

[Ray Krueger]

It looks like that all starts from this test...

Running 
org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticatorTests

On 11/4/07, Ray Krueger [EMAIL PROTECTED] wrote:
 This type of stuff seems to be where it takes the longest...

 2007-11-04 12:39:38,062 DEBUG
 org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
 eating InitialDirContext with environment
 {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
 ramework,dc=org,
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
 java.naming.security.
 principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
 java.naming.security.authenticat
 ion=simple, java.naming.security.credentials=**,
 java.naming.factory.object=org.springframework.
 ldap.core.support.DefaultDirObjectFactory}

 2007-11-04 12:39:53,203 DEBUG
 org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
 eating InitialDirContext with environment
 {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
 ramework,dc=org,
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
 java.naming.security.
 principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
 java.naming.security.authenticat
 ion=simple, java.naming.security.credentials=**,
 java.naming.factory.object=org.springframework.
 ldap.core.support.DefaultDirObjectFactory}

 2007-11-04 12:40:08,218 DEBUG
 org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
 eating InitialDirContext with environment
 {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
 ramework,dc=org,
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
 java.naming.security.
 principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
 java.naming.security.authenticat
 ion=simple, java.naming.security.credentials=**,
 java.naming.factory.object=org.springframework.
 ldap.core.support.DefaultDirObjectFactory}

 2007-11-04 12:40:23,218 DEBUG
 org.springframework.security.ldap.DefaultInitialDirContextFactory - Cr
 eating InitialDirContext with environment
 {java.naming.provider.url=ldap://127.0.0.1:3389/dc=springf
 ramework,dc=org,
 java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
 java.naming.security.
 principal=uid=admin,ou=system, com.sun.jndi.ldap.connect.pool=true,
 java.naming.security.authenticat
 ion=simple, java.naming.security.credentials=**,
 java.naming.factory.object=org.springframework.
 ldap.core.support.DefaultDirObjectFactory}




 On 11/4/07, Ray Krueger [EMAIL PROTECTED] wrote:
  Maven version: 2.0.7
  Java version: 1.6.0_01
  OS name: windows xp version: 5.1 arch: x86
 
  Yeah, the console scrolled way too far back for me to see what failed.
  That was just the snippet of the end of the log I showed.
 
  I'm running it again with a fresh batch of code, and running it from
  the project root.
 
  On 11/4/07, Luke Taylor [EMAIL PROTECTED] wrote:
   What tests are failing? And what platform are you running on, JVM, Maven
   version etc?
  
   The stuff about ehcache is something to do with the shutdown hooks in
   all the application contexts being executed when the VM exits so that's
   not the problem, though we should be aiming to make sure that existing
   tests call close() on any created app contexts to avoid this.
  
   Both my automated build and the ones on build.springframework.org seem
   to be running without any problems and I just built on my desktop
   machine (1min 29s for a mvn clean test):
  
   Maven version: 2.0.7
   Java version: 1.5.0_07
   OS name: mac os x version: 10.4.10 arch: i386
  
  
  
  
   Ray Krueger wrote:
I just pulled the latest code from Trunk this morning. I ran the unit
tests in ./core and had the following result...
   
2007-11-03 21:11:26,437 INFO net.sf.ehcache.CacheManager - VM shutting
down with the CacheManager st
ill active. Calling shutdown.
Exception in thread Thread-77 java.lang.IllegalStateException: The
aclCache Cache is not alive.
at net.sf.ehcache.Cache.checkStatus(Cache.java:1201)
at net.sf.ehcache.Cache.dispose(Cache.java:1081)
at net.sf.ehcache.CacheManager.shutdown(CacheManager.java:702)
at net.sf.ehcache.CacheManager$1.run(CacheManager.java:505)
[INFO] 

[ERROR] BUILD FAILURE
[INFO] 

[INFO] There are test failures.
[INFO] 

[INFO] For more information, run Maven with the -e switch
[INFO] 

[INFO] Total time: 30 minutes 11 seconds
[INFO] Finished at: Sat Nov 03 21:11:26 CDT 2007
[INFO] Final Memory: 15M/27M
[INFO

[Acegisecurity-developer] Trunk tests take 30 minutes and then fail.

[Ray Krueger]

I just pulled the latest code from Trunk this morning. I ran the unit
tests in ./core and had the following result...

2007-11-03 21:11:26,437 INFO net.sf.ehcache.CacheManager - VM shutting
down with the CacheManager st
ill active. Calling shutdown.
Exception in thread Thread-77 java.lang.IllegalStateException: The
aclCache Cache is not alive.
at net.sf.ehcache.Cache.checkStatus(Cache.java:1201)
at net.sf.ehcache.Cache.dispose(Cache.java:1081)
at net.sf.ehcache.CacheManager.shutdown(CacheManager.java:702)
at net.sf.ehcache.CacheManager$1.run(CacheManager.java:505)
[INFO] 
[ERROR] BUILD FAILURE
[INFO] 
[INFO] There are test failures.
[INFO] 
[INFO] For more information, run Maven with the -e switch
[INFO] 
[INFO] Total time: 30 minutes 11 seconds
[INFO] Finished at: Sat Nov 03 21:11:26 CDT 2007
[INFO] Final Memory: 15M/27M
[INFO] 


Not cool, I'm not sure what's going on, but it appeared to be spending
all it's time in ldap tests.

-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] LDAP groupSearchFilter

[Ray Krueger]

Nice work.
Thanks for following up on your own question. People don't do that
often enough :)


On 10/18/07, Dimas [EMAIL PROTECTED] wrote:
 Solved.

 The solution is easy as change {0} with {1} as a user parameter.

 {0} contains all the ldap base.
 {1} only the username.

 Uff :- )

 --
 
 Dimas Streich i Colomeda
 dimas.sc ARROVA gmail.com
 http://www.dimas.cat

 2007/10/17, Dimas [EMAIL PROTECTED]:
 
  Hi!
 
  I am configuring JasperServer to authenticate users from LDAP and assign
  their roles/groups. JasperServer security authentication is based on
  AcegiSecurity bean so I try searching help in this list.
 
  Until now the LDAP users can login to JS with their passwords, but their
  ldap-grups aren't recognized. The secret is in the 
  applicationContext-security.xml file, and the important bean is:
 
  bean id=ldapAuthenticationProvider class=
  org.acegisecurity.providers.ldap.LdapAuthenticationProvider
   constructor-arg
 bean class=
  org.acegisecurity.providers.ldap.authenticator.BindAuthenticator
constructor-argref
  local=initialDirContextFactory//constructor-arg
property
 
 name=userDnPatternslistvalueuid={0},ou=Users/value/list/property
 /bean
   /constructor-arg
   constructor-arg
 bean class=
  org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator
  
constructor-arg index=0ref
  local=initialDirContextFactory//constructor-arg
constructor-arg
  index=1valueou=Groups/value/constructor-arg
property name=groupRoleAttributevaluecn/value/property
 
property
 
 name=groupSearchFiltervalue(amp;(memberUid={0})(objectclass=radiusprofile))/value/property
 /bean
   /constructor-arg
 /bean
 
  The last property, groupSearchFilter is not working. It seems that the
  {0} is not the username logging to the system. If I change it by:
 
  property
 
 name=groupSearchFiltervalue(amp;(memberUid=abcdef)(objectclass=radiusprofile))/value/property
 
 
  where 'abcdefj' is a LDAP user. If I log to JS with the user abcdef it can
  enter and his LDAP role is assigned. Why {0} is not working and literal
  username yes? Some help please?
 
  Thx!
 
  --
  
  Dimas Streich i Colomeda
  dimas.sc ARROVA gmail.com
  http://www.dimas.cat


-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now  http://get.splunk.com/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] conditional filters?

[Ray Krueger]

That's really going to be fully dependent on your applications configuration.

Maybe break up your Spring xml files so that all the acegi stuff is in
it's own file. Then have your app load the right file based on the
environment you want.

The full file has all the normal Acegi stuff in it. The test
environment file would have one single bean in it:

bean id=filterChainProxy class=org.acegisecurity.util.FilterChainProxy/


On 9/14/07, Chris Berry [EMAIL PROTECTED] wrote:
 Greetings,
 I was wondering if there was a way to conveniently switch off all the Acegi
 Servlet Filters
 In testing we generally want to run over straight http
 And sometimes in Staging we just want to switch off SSL
 Today, I am using two different web.xml files; one w/ the Filters commented
 out, and the other not.
 And it is a PITA to switch back and forth (comment/uncomment) -- or I have
 to violate DRY and make copies of the real web.xml

 Is there some convenient way to tell Acegi just to short-circuit the
 FilterChainProxy??
 Using some kind of variable on startup??

 Thanks,
 -- Chris


 S'all good  ---   chriswberry at gmail dot com




 -
 This SF.net email is sponsored by: Microsoft
 Defy all challenges. Microsoft(R) Visual Studio 2005.
 http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] .classpath file in Subversion

[Ray Krueger]

I think the .classpath files should be removed. They are doomed to be stale.
The project is now built with maven2 completely. Maven can create the
.classpath files as needed.

Executing mvn eclipse:eclipse from the project root will create
everything needed.


On 9/10/07, Scott Battaglia [EMAIL PROTECTED] wrote:
 I'm doing some work on some of the JIRA issues assigned to me (finally
 getting a chance) and I checked out the project and noticed that the
 .classpath was referring to Spring 1.2.9 while the pom refers to 2.0.6.
 Anyone have any issues if I update the .classpath file to reflect the
 latest Spring version?

 Thanks
 -Scott

 -
 This SF.net email is sponsored by: Microsoft
 Defy all challenges. Microsoft(R) Visual Studio 2005.
 http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] .classpath file in Subversion

[Ray Krueger]

Why isn't it?

If you're only interested in working on core then...
cd core
mvn eclipse:eclipse



On 9/10/07, Scott Battaglia [EMAIL PROTECTED] wrote:
 Executing mvn eclipse:eclipse creates projects for each of the modules,
 which is probably not what we want.

 -Scott

 Ray Krueger wrote:
  I think the .classpath files should be removed. They are doomed to be stale.
  The project is now built with maven2 completely. Maven can create the
  .classpath files as needed.
 
  Executing mvn eclipse:eclipse from the project root will create
  everything needed.
 
 
  On 9/10/07, Scott Battaglia [EMAIL PROTECTED] wrote:
 
  I'm doing some work on some of the JIRA issues assigned to me (finally
  getting a chance) and I checked out the project and noticed that the
  .classpath was referring to Spring 1.2.9 while the pom refers to 2.0.6.
  Anyone have any issues if I update the .classpath file to reflect the
  latest Spring version?
 
  Thanks
  -Scott
 
  -
  This SF.net email is sponsored by: Microsoft
  Defy all challenges. Microsoft(R) Visual Studio 2005.
  http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
 
  -
  This SF.net email is sponsored by: Microsoft
  Defy all challenges. Microsoft(R) Visual Studio 2005.
  http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 

 -
 This SF.net email is sponsored by: Microsoft
 Defy all challenges. Microsoft(R) Visual Studio 2005.
 http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] [ANN] Acegi Security 1.0.5 Released

[Ray Krueger]

Copied and Pasted from Lukes post on the support forums
http://forum.springframework.org/showthread.php?t=43532

Release 1.0.5 is now available from Sourceforge.
http://sourceforge.net/project/showfiles.php?group_id=104215

This is mainly a maintenance release - the changelog can be viewed here:
http://sourceforge.net/project/shownotes.php?release_id=537521group_id=104215

It is also the first release to be built using maven 2. Maven 1 files
have been removed.

-
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] (no subject)

[Ray Krueger]

Nice work Chris, any chance you could open some Jiras on that?

On 8/23/07, Chris Berry [EMAIL PROTECTED] wrote:

 I managed to answer this one myself, by trolling the Internet and reading
 the Acegi source. The final answer was to create a RESTfulDefinitionSource.
 I used Spring constructor injection to load in the security patterns:

 bean id=filterInvocationInterceptor
 class=org.acegisecurity.intercept.web.FilterSecur
 ityInterceptor
   property name=authenticationManager ref=authenticationManager/
   property name=accessDecisionManager
  ref local=httpRequestAccessDecisionManager/
   /property
   property name=objectDefinitionSource ref=filterDefinitionMap /
 /bean

 bean id=filterDefinitionMap

 class=com.homeaway.hcdata.utils.acegi.RESTfulDefi
 nitionSource 
constructor-arg type=java.lang.String 
   value
/**:GET=ROLE_READER
/**:PUT,DELETE,POST=ROLE_WRITER
   /value
/constructor-arg
 /bean

 The easiest thing was to then delegate within RESTfulDefinitionSource to a
 RESTfulPathBasedFilterInvocationDefinitionMap, which is
 essentially a clone of the
 PathBasedFilterInvocationDefinitionMap. (But one that takes
 into account Http Methods). I would have liked to extend
 PathBasedFilterInvocationDefinitionMap, but it is basically
 not friendly to subclassing. Although I followed the logic of that class
 almost exactly so that I could be sure that I got things wired correctly.

 It seems that Acegi might consider this form as the default form??
 So that patterns like this

 /**=ROLE_SUPERVISOR

 default to all methods. But patterns like this are also acceptable;

 /**:PUT,DELETE,POST=ROLE_SUPERVISOR

 It could be entirely backwards compatible. And Acegi would then support
 REST!!

 You might also consider refactoring the org.acegisecurity.intercept.web
 package. It doesn't lend itself well to extension or variation.
 Thanks,
 -- Chris


 On Aug 21, 2007, at 9:20 PM, Chris Berry wrote:
 Unfortunately, this package isn't well suited for extension.
 I could extend PathBasedFilterInvocationDefinitionMap
 but since it provides no way to access requestMap  pathMatcher
 I had to duplicate all of that code.


 But I could workaround that, what I don't see is how to get around the
 FilterInvocationDefinitionSourceEditor
 I want to be able to do something like this:

   bean id=filterInvocationInterceptor
 class=org.acegisecurity.intercept.web.FilterSecurityInterceptor
 property name=authenticationManager ref=authenticationManager/
 property name=accessDecisionManager
   ref local=httpRequestAccessDecisionManager/
 /property
 property name=objectDefinitionSource ref=filterDefinitionMap /
   /bean

   bean id=filterDefinitionMap

 class=com.homeaway.hcdata.utils.acegi.RESTfulPathBasedFilterInvocationDefinitionMap
 
 property name=objectDefinitionSource 
   value
 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 PATTERN_TYPE_APACHE_ANT
 /**=ROLE_SUPERVISOR
   /value
 /property
   /bean

 But I don't see how to accomplish it??
 Must I extend FilterInvocationDefinitionSourceEditor ??
 I'm no Spring expert, so I'm unclear how the Property Editors get wired
 in...

 Thanks,
 -- Chris


 On Aug 21, 2007, at 7:10 PM, Brian Moseley wrote:

 On 8/21/07, Chris Berry [EMAIL PROTECTED] wrote:


 Anyway, AFAICT, the solution is to provide a custom
 FilterInvocationDefinitionSource

 I plan to extend PathBasedFilterInvocationDefinitionMap.

 [...]

 sure, that looks good to me, with the following caveat:

 to support http-based protocols that extend the basic method set, like
 webdav with its PROPFIND, PROPPATCH, MKCOL, LOCK etc, and to keep
 mapping files brief, it might be handy to be able to configure named
 sets of methods on the FilterInvocationDefinitionSource.
 perhaps
 something like this:

 property name=readMethods
 value=GET,HEAD,OPTIONS,PROPFIND/
 property name=writeMethods
 value=POST,PUT,DELETE,PROPPATCH,LOCK/

 and:

 /foo/bar.html:READ_METHODS,WRITE_METHODS=ROLE_FOO
 /secure/*:READ_METHODS=ROLE_BAR
 /account/something=ROLE_BAR

 -
 This SF.net email is sponsored by: Splunk Inc.
 Still grepping through log files to find problems?  Stop.
 Now Search log events and configuration files using AJAX and a browser.
 Download your FREE copy of Splunk now   http://get.splunk.com/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

 S'all good  ---   [EMAIL PROTECTED]





 S'all good  ---   [EMAIL PROTECTED]




 -
 This SF.net email is sponsored by: Splunk Inc.
 Still grepping through log files to find problems?  Stop.
 Now Search log events and configuration files using 

Re: [Acegisecurity-developer] (no subject)

[Ray Krueger]

Agreed :)
And thanks!

On 8/23/07, Chris Berry [EMAIL PROTECTED] wrote:
 Done
 http://opensource.atlassian.com/projects/spring/browse/SEC-531
 Cheers,
 -- Chris


 On Aug 23, 2007, at 1:44 PM, Chris Berry wrote:
 Will do.
 It sure would be nice to incorporate this back into Acegi.
 IMHO, REST will (or is ;-) supplant all other web service methodologies.
 Acegi should support it natively.
 I need to soon do the same work for securing methods by Http Method
 Cheers,
 -- Chris


 On Aug 23, 2007, at 1:16 PM, Ray Krueger wrote:

 Nice work Chris, any chance you could open some Jiras on that?

 On 8/23/07, Chris Berry [EMAIL PROTECTED] wrote:

 I managed to answer this one myself, by trolling the Internet and reading
 the Acegi source. The final answer was to create a RESTfulDefinitionSource.
 I used Spring constructor injection to load in the security patterns:

 bean id=filterInvocationInterceptor
 class=org.acegisecurity.intercept.web.FilterSecur
 ityInterceptor
   property name=authenticationManager ref=authenticationManager/
   property name=accessDecisionManager
  ref local=httpRequestAccessDecisionManager/
   /property
   property name=objectDefinitionSource ref=filterDefinitionMap /
 /bean

 bean id=filterDefinitionMap

 class=com.homeaway.hcdata.utils.acegi.RESTfulDefi
 nitionSource 
constructor-arg type=java.lang.String 
   value
/**:GET=ROLE_READER
/**:PUT,DELETE,POST=ROLE_WRITER
   /value
/constructor-arg
 /bean

 The easiest thing was to then delegate within RESTfulDefinitionSource to a
 RESTfulPathBasedFilterInvocationDefinitionMap, which is
 essentially a clone of the
 PathBasedFilterInvocationDefinitionMap. (But one that takes
 into account Http Methods). I would have liked to extend
 PathBasedFilterInvocationDefinitionMap, but it is basically
 not friendly to subclassing. Although I followed the logic of that class
 almost exactly so that I could be sure that I got things wired correctly.

 It seems that Acegi might consider this form as the default form??
 So that patterns like this

 /**=ROLE_SUPERVISOR

 default to all methods. But patterns like this are also acceptable;

 /**:PUT,DELETE,POST=ROLE_SUPERVISOR

 It could be entirely backwards compatible. And Acegi would then support
 REST!!

 You might also consider refactoring the org.acegisecurity.intercept.web
 package. It doesn't lend itself well to extension or variation.
 Thanks,
 -- Chris


 On Aug 21, 2007, at 9:20 PM, Chris Berry wrote:
 Unfortunately, this package isn't well suited for extension.
 I could extend PathBasedFilterInvocationDefinitionMap
 but since it provides no way to access requestMap  pathMatcher
 I had to duplicate all of that code.


 But I could workaround that, what I don't see is how to get around the
 FilterInvocationDefinitionSourceEditor
 I want to be able to do something like this:

   bean id=filterInvocationInterceptor
 class=org.acegisecurity.intercept.web.FilterSecurityInterceptor
 property name=authenticationManager ref=authenticationManager/
 property name=accessDecisionManager
   ref local=httpRequestAccessDecisionManager/
 /property
 property name=objectDefinitionSource ref=filterDefinitionMap /
   /bean

   bean id=filterDefinitionMap

 class=com.homeaway.hcdata.utils.acegi.RESTfulPathBasedFilterInvocationDefinitionMap


 property name=objectDefinitionSource 
   value
 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 PATTERN_TYPE_APACHE_ANT
 /**=ROLE_SUPERVISOR
   /value
 /property
   /bean

 But I don't see how to accomplish it??
 Must I extend FilterInvocationDefinitionSourceEditor ??
 I'm no Spring expert, so I'm unclear how the Property Editors get wired
 in...

 Thanks,
 -- Chris


 On Aug 21, 2007, at 7:10 PM, Brian Moseley wrote:

 On 8/21/07, Chris Berry [EMAIL PROTECTED] wrote:


 Anyway, AFAICT, the solution is to provide a custom
 FilterInvocationDefinitionSource

 I plan to extend PathBasedFilterInvocationDefinitionMap.

 [...]

 sure, that looks good to me, with the following caveat:

 to support http-based protocols that extend the basic method set, like
 webdav with its PROPFIND, PROPPATCH, MKCOL, LOCK etc, and to keep
 mapping files brief, it might be handy to be able to configure named
 sets of methods on the FilterInvocationDefinitionSource.
 perhaps
 something like this:

 property name=readMethods
 value=GET,HEAD,OPTIONS,PROPFIND/
 property name=writeMethods
 value=POST,PUT,DELETE,PROPPATCH,LOCK/

 and:

 /foo/bar.html:READ_METHODS,WRITE_METHODS=ROLE_FOO
 /secure/*:READ_METHODS=ROLE_BAR
 /account/something=ROLE_BAR

 -
 This SF.net email is sponsored by: Splunk Inc.
 Still grepping through log files to find problems?  Stop.
 Now Search log events and configuration files using AJAX and a browser.
 Download your FREE copy of Splunk now   http://get.splunk.com

Re: [Acegisecurity-developer] question on FilterInvocationDefinitionSourceEditor class

[Ray Krueger]

There is a convention used when it comes to editors.
To find an editor; Spring looks in the same package as the class in
question for a class with the same name with editor appended.

So to find the editor for
org.acegisecurity.intercept.web.FilterInvocationDefinitionSource,
Spring looks for
org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor.


On 7/24/07, ShiLei [EMAIL PROTECTED] wrote:
 hello,guys

 First, we all know Acegi use
 FilterInvocationDefinitionSourceEditor  class(extends
 PropertyEditorSupport) to convert property
 FilterInvocationDefinitionSource (which is defined in XML
 file) from string to FilterInvocationDefinitionSource
 Object!
 And in spring framwork, if one wants to use a custom property editor to
 handle specified property, it has to be registered in the ApplicationContext
 XML description.
 then, here comes the question, I could not find the registration of
 FilterInvocationDefinitionSourceEditor, but the acegi
 works!

 any idea?

 thx

 Regards,
 Shi
 -
 This SF.net email is sponsored by: Splunk Inc.
 Still grepping through log files to find problems?  Stop.
 Now Search log events and configuration files using AJAX and a browser.
 Download your FREE copy of Splunk now   http://get.splunk.com/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now   http://get.splunk.com/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] [Newbie]Please help me get credential from the DB

[Ray Krueger]

Mack, yor best bet is going to be to do some research on your own first.
Read the reference guide, read the articles and tutorials, and look at
the samples.
Also, the forums are the best place for user questions.
http://forum.springframework.org



On 7/12/07, Mack Boonyoung [EMAIL PROTECTED] wrote:
 bean id=userDetailsService
 class=org.acegisecurity.userdetails.memory.InMemoryDaoImpl
property name=userProperties
bean
 class=org.springframework.beans.factory.config.PropertiesFactoryBean
   property name=location value=/WEB-INF/users.properties/
/bean
/property
 /bean

 I do like above thing to make me first project on Acegi.

 How can I change that bean definition to make it can get the credential from
 the DB? I mean if I wanna get it done by the helping hands of Spring +
 Hibernate.

 Thnx in advance
 Mack

 _
 Don't just search. Find. Check out the new MSN Search!
 http://search.msn.com/


 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] acegi openid from sandbox tip

[Ray Krueger]

Yeah, you can tell from the giant block of commented out deps in our
pom.xml file that I had some trouble.

We can upload their binary to our maven repo until they get it in
place at ibiblio or maven.org.

Phillip if your going to try this stuff out you can contact me for any
patches/fixes needed.
skype: raykrueger
gtalk: [EMAIL PROTECTED]
I have yahoo and msn as well, but they suck :P



On 7/7/07, Phillip Rhodes [EMAIL PROTECTED] wrote:

 I am working on integrating the openid from the sandbox.  Just wanted to say 
 that if you download the 0.9.3 branch of openid4java, things go much better 
 for you!

 It's worth the extra effort to install openid4java 0.9.3  All my maven 
 dependency problems disappeared...

 Phillip

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] an openid use aces

[Ray Krueger]

Eventually I was hoping to implement the suck in using the OpenId
attribute exchange. So that you could create the local account once
OpenId has been authenticated. You draw in the nickname and maybe
email address and then create the local account.

This was only thoughts though, I haven't looked at doing anything
concrete yet. Figuring out the proper abstractions for it is the
trick.

On 7/8/07, Phillip Rhodes [EMAIL PROTECTED] wrote:
 Hi everyone (and especially Ray).
 Got your openid lib working, great job.  Thanks!  You are working on the 
 weekend, I admire that!

 I am trying to work out the process in which a user has an openid account on 
 a 3rd party server, but they do not have an account for the openid client 
 application.

 1) User has openid account http://rhodebump.myopenid.com/
 2) User goes to openid client http://localhost/openidclient and this 
 application (using your acegi filter) will direct them to the myopenid.com 
 provider where they successfully login.
 3) myopenid.com directs user back to http://localhost/openidclient but since 
 the user is not provisioned in the openidclient, the 
 UserDetailsService.loadUserByUsername will fail.

 My use case is that the user has an openid account, but still needs to 
 complete some sort of registration process for the client application.  I was 
 wondering if you thought of this at all and if we should provide for this 
 sort of case in the design/implementation of an openid provider.

 One thing that complicates the whole thing is the question that I think we 
 would want the person to be authenticated with openid before they do this 
 registration process.  If they are authenticated using openid, we can suck 
 in some of the openid attributes from their provider to ease the 
 registration process.  However, we can not login them in their current 
 account state since they can not be retrieve from the UserDetailsService 
 until they completed setup.

 It's sort of like there are 2 authentication states, the user can be 
 authenticated remotely, and authenticated locally.
 Phillip

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] OpenID support updated

[Ray Krueger]

I've been sitting on this for far too long and finally committed the changes.

I've committed the OpenId4java support and an
OpenIdAuthenticationProcessingFilter built to replace the Servlet that
is in there now. I've been poking around with it for a while...
http://raykrueger.blogspot.com/search/label/Acegi

I had a contacts sample working, but it was a giant pain to deploy it
as our samples have no way of seeing the sandbox in the build. I hope
to build a sample separately; but don't anyone go holding their
breath.

Now what we need is other folks to jump in and play with it, test it,
break it, and most importantly PATCH IT! I know Phillip Rhodes was
offering his assistance at one point, that would be fantastic. Maybe
jdwyah would like to help out too if he's listening?

Our OpenId support is definitely going to need some more attention
than mine, I don't have much to give right now.

Have at it!
-Ray

-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] build successful, but no sandbox jars.

[Ray Krueger]

Hi Phillip,
The sandbox is not built with the main build, try this...
cd ./core
mvn install
cd ../sandbox/openid
mvn install

That oughta do it

On 6/16/07, Phillip Rhodes [EMAIL PROTECTED] wrote:
 Hi everyone,

 I got the trunk of acegi codebase, installed maven 1, the 
 commons-attributes-plugin...

 I couldn't get the jars to be built because there were test failures, so I 
 did a -Dmaven.test.skip=true

 cd $ACEGI_SECURITY/doc
 maven multiproject:install -Dmaven.test.skip=true

 Now the build is successful, but I do not see jars/classes in the 
 sandbox/openid/target directory.

 Any pointers?
 Thanks!

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] remember previously logged in password with Acegi

[Ray Krueger]

See the Remember Me functionality in the user's guide.
The user support forum is your best place to get help.
http://forum.springframework.org/forumdisplay.php?f=33


On 5/8/07, Hilda Raymond [EMAIL PROTECTED] wrote:
 Hello,

  can anyone help me to configure the following in Acegi:
 Remember a user's password when logging for the first time and
 use that password for the next logins
 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] maven 2 eclipse integration

[Ray Krueger]

Are you executing it out of the acegisecurity directory? And not in
./core or one of the other modules?

On 4/30/07, Vishal Puri [EMAIL PROTECTED] wrote:
 Hi All

 Carlos and Luke,  have you been able to generate eclipse .classpath and
 .project files with maven 2 for acegi ?

 Doing mvn eclipse:clean and mvn eclipse:eclipse doesn't generate these
 files for Acegi Security System for Spring - Parent

 Have you faced this problem?

 Vishal

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] maven 2 eclipse integration

[Ray Krueger]

Hmm. That should do it. I work with IDEA not eclipse though, I am not
sure if that stuff works.

Jetbrains was kind enough to issue us an
Open Source development license if you'd like to try it.
IDEA just works :) no plugins required.


On 5/1/07, Vishal Puri [EMAIL PROTECTED] wrote:
 I am executing in trunk/acegisecurity directory.


 Ray Krueger wrote:
  Are you executing it out of the acegisecurity directory? And not in
  ./core or one of the other modules?
 
  On 4/30/07, Vishal Puri [EMAIL PROTECTED] wrote:
 
  Hi All
 
  Carlos and Luke,  have you been able to generate eclipse .classpath and
  .project files with maven 2 for acegi ?
 
  Doing mvn eclipse:clean and mvn eclipse:eclipse doesn't generate these
  files for Acegi Security System for Spring - Parent
 
  Have you faced this problem?
 
  Vishal
 
  -
  This SF.net email is sponsored by DB2 Express
  Download DB2 Express C - the FREE version of DB2 express and take
  control of your XML. No limits. Just data. Click to get it now.
  http://sourceforge.net/powerbar/db2/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
 
  -
  This SF.net email is sponsored by DB2 Express
  Download DB2 Express C - the FREE version of DB2 express and take
  control of your XML. No limits. Just data. Click to get it now.
  http://sourceforge.net/powerbar/db2/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] rememberme ...

[Ray Krueger]

Please use the forum at

http://forum.springframework.org/forumdisplay.php?f=33

for user questions. You should also supply debug log output if possible.

On 4/30/07, Tom Stroobants [EMAIL PROTECTED] wrote:






 Since a few months we are having problems with the rememberme option …



 We have a userform where a ckeckbox is displayed that a user can check to
 trigger the rememberme functionallity …

 When the user does not check the checkbox, he will not be able to login in …





 Anyone is having the same problem ?

 Was there anything changed in the latest versions ?



 Thanks,



 Tom.
 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] IllegalStateException On Login

[Ray Krueger]

The IllegalStateException is coming from Tomcat, not Acegi. I say that
because you may have better luck looking for help with Tomcat with a
wider audience than us.

It looks like this IllegalStateException is not a new thing.
http://www.google.com/search?q=ResponseFacade+sendRedirect+IllegalStateExceptionie=utf-8oe=utf-8aq=trls=org.mozilla:en-US:officialclient=firefox-a

Lots of folks seem to have this problem, so you should be able to find
a good solution somewhere. It definitely isn't an Acegi problem; which
means your configuration is probably fine.

On 4/25/07, Murthy Avvari [EMAIL PROTECTED] wrote:
 Hi,

 I have been trying to fix this specific problem for my client who is using
 acegisecurity 1.0.3 for their web aplication running under Tomcat 5.5.x
 version.
 Here is the problem reproducing sequence.

 1. Set the session time out to just 1 Minute in Tomcat web xml
 configuration.
 2. Go to Login page. Enter Username and password but dont hit the submit
 button.
 3. Wait for little over 1 Minute.
 4. Hit the Submit button.

 Now I get the following exception. I am not sure is this the problem in

 1. Acegisecurity package?
 2. If yes, because The AbstractProcessingFilter is not configured as the
 First Filter?

 I really appreciate any help on this please.

 Thanks,
 - Murthy
 ---
 2007-04-25 00:24:01,800 DEBUG -
 HttpSessionContextIntegrationFilter.doFilter(282) |
 SecurityContext stored to HttpSession:
 '[EMAIL PROTECTED] :
 Authentication: [EMAIL PROTECTED]'
 2007-04-25 00:24:01,801 DEBUG -
 HttpSessionContextIntegrationFilter.doFilter(291) |
 SecurityContextHolder set to new context, as request processing completed
 2007-04-25 00:24:01,802 ERROR - StandardWrapperValve.invoke(260) |
 Servlet.service() for servlet jsp threw exception
 java.lang.IllegalStateException
 at
 org.apache.catalina.connector.ResponseFacade.sendRedirect
 (ResponseFacade.java:432)
 at
 javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:125)
 at
 org.acegisecurity.ui.AbstractProcessingFilter.sendRedirect(AbstractProcessingFilter.java
 :322)
 at
 org.acegisecurity.ui.AbstractProcessingFilter.successfulAuthentication(AbstractProcessingFilter.java:404)
 at
 org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java
 :212)
 at
 org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98)
 at
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
 at
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at
 org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229)
  at
 org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98)
 at
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
 at
 org.apache.catalina.core.ApplicationFilterChain.doFilter
 (ApplicationFilterChain.java:173)
 at
 edu.ggu.search.web.LoginGoogleFilter.doFilter(LoginGoogleFilter.java:56)
 at
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java
 :202)
 at
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] Cannot build, problems with ibiblio?

[Ray Krueger]

I'm still trying to get a contacts sample to build here. The only good
way to do that is with maven 1.0. The maven1 builds for core and the
contacts sample fail due to ibiblio returning 301 responses for some
(maybe all) jar file downloads. This causes the build to fail for
missing dependencies.

I've been trying to get this to work on and off for two days, hoping
the 301 would go away. I've attached the core build log. I can't do
the contacts build, because the core build fails.

Any ideas?


core.log
Description: Binary data
-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Cannot build, problems with ibiblio?

[Ray Krueger]

You know...
I saw that the maven2 builds were using that repo, I didn't even think
to tell the maven1 to use it.

I'll add that repo to the project.properties files to solve this once
and for all.

Thanks!

On 4/24/07, Jose Luis Huertas Fernández
[EMAIL PROTECTED] wrote:
 Hi Ray,
 some weeks ago I had a similar issue with another project. I solved it
 following these instructions I found in the Maven 1.x page:

 
 7 December 2006 - Central repository isn't working for maven 1.0.x users

  If you are using Maven 1.0.x you may have found that the repository is not
 working and Maven is unable to download new dependencies. The reason is that
 the ibiblio guys have moved the repo to another machine and Maven 1.0.x
 can't handle redirects across different host names.

  The workaround is to use the new central repository configuration until
 ibiblio fixes the problem. Add to your project.properties :
 maven.repo.remote=http://repo1.maven.org/maven
  

 Hope this helps,

 Jose Luis.

 2007/4/24, Ray Krueger [EMAIL PROTECTED]:
 
  I'm still trying to get a contacts sample to build here. The only good
  way to do that is with maven 1.0. The maven1 builds for core and the
  contacts sample fail due to ibiblio returning 301 responses for some
  (maybe all) jar file downloads. This causes the build to fail for
  missing dependencies.
 
  I've been trying to get this to work on and off for two days, hoping
  the 301 would go away. I've attached the core build log. I can't do
  the contacts build, because the core build fails.
 
  Any ideas?
 
 
 -
  This SF.net email is sponsored by DB2 Express
  Download DB2 Express C - the FREE version of DB2 express and take
  control of your XML. No limits. Just data. Click to get it now.
  http://sourceforge.net/powerbar/db2/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
 
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
 


 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Our build is a mess...

[Ray Krueger]

The AuthorizeTagExpressionLanguageTests fail for me on Windows XP in
all Maven versions due to a NoSuchMethod exception.

We had a discussion a few months back with one of the users having the
same problem. I have no idea what the issue is, but it always fails
for me.

There is even a bug open for this.
http://opensource.atlassian.com/projects/spring/browse/SEC-445


On 4/23/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
 On 4/21/07, Ray Krueger [EMAIL PROTECTED] wrote:
  * Maven 2.0.5 and 2.0.6 both cause the
  AuthorizeTagExpressionLanguageTests to fail, whereas 2.0.4 builds it
  fine.

 what is the problem? it passes for me

 
  * The contacts sample cannot be built with maven2 from the
  instructions on our website, the multiwar plugin doesn't exist.
 
  * Using 'mvn war' in samples/contacts produces an invalid application.
  It doesn't copy in the common and filter directories.
 
  * We have maven1 instructions up for everything, yet we only seem to
  support maven2. We need to update our instructions. I'd gladly do it
  if someone can tell me how to build the sample apps with maven2.
 
  -
  This SF.net email is sponsored by DB2 Express
  Download DB2 Express C - the FREE version of DB2 express and take
  control of your XML. No limits. Just data. Click to get it now.
  http://sourceforge.net/powerbar/db2/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 --
 I could give you my word as a Spaniard.
 No good. I've known too many Spaniards.
  -- The Princess Bride

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Our build is a mess...

[Ray Krueger]

Running a clean test now, I'll update the bug.

Any ideas on the war/multiwar thing? Is there a maven2 equivalent to multiwar?

On 4/23/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
 i can't reproduce with 2.0.6
 I need the test report in
 target/surefire-reports/.../AuthorizeTagExpressionLanguageTests.txt


 On 4/23/07, Ray Krueger [EMAIL PROTECTED] wrote:
  The AuthorizeTagExpressionLanguageTests fail for me on Windows XP in
  all Maven versions due to a NoSuchMethod exception.
 
  We had a discussion a few months back with one of the users having the
  same problem. I have no idea what the issue is, but it always fails
  for me.
 
  There is even a bug open for this.
  http://opensource.atlassian.com/projects/spring/browse/SEC-445
 
 
  On 4/23/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
   On 4/21/07, Ray Krueger [EMAIL PROTECTED] wrote:
* Maven 2.0.5 and 2.0.6 both cause the
AuthorizeTagExpressionLanguageTests to fail, whereas 2.0.4 builds it
fine.
  
   what is the problem? it passes for me
  
   
* The contacts sample cannot be built with maven2 from the
instructions on our website, the multiwar plugin doesn't exist.
   
* Using 'mvn war' in samples/contacts produces an invalid application.
It doesn't copy in the common and filter directories.
   
* We have maven1 instructions up for everything, yet we only seem to
support maven2. We need to update our instructions. I'd gladly do it
if someone can tell me how to build the sample apps with maven2.
   
-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
   
  
  
   --
   I could give you my word as a Spaniard.
   No good. I've known too many Spaniards.
-- The Princess Bride
  
   -
   This SF.net email is sponsored by DB2 Express
   Download DB2 Express C - the FREE version of DB2 express and take
   control of your XML. No limits. Just data. Click to get it now.
   http://sourceforge.net/powerbar/db2/
   ___
   Home: http://acegisecurity.org
   Acegisecurity-developer mailing list
   Acegisecurity-developer@lists.sourceforge.net
   https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
  
 
  -
  This SF.net email is sponsored by DB2 Express
  Download DB2 Express C - the FREE version of DB2 express and take
  control of your XML. No limits. Just data. Click to get it now.
  http://sourceforge.net/powerbar/db2/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 --
 I could give you my word as a Spaniard.
 No good. I've known too many Spaniards.
  -- The Princess Bride

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Our build is a mess...

[Ray Krueger]

All, I've fixed the
http://opensource.atlassian.com/projects/spring/browse/SEC-445 bug.

The fix is to bring in servlet-api 2.4 so that we get the correct
version of PageContext into the classpath.

Is that going to be a problem?




On 4/23/07, Ray Krueger [EMAIL PROTECTED] wrote:
 Running a clean test now, I'll update the bug.

 Any ideas on the war/multiwar thing? Is there a maven2 equivalent to multiwar?

 On 4/23/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
  i can't reproduce with 2.0.6
  I need the test report in
  target/surefire-reports/.../AuthorizeTagExpressionLanguageTests.txt
 
 
  On 4/23/07, Ray Krueger [EMAIL PROTECTED] wrote:
   The AuthorizeTagExpressionLanguageTests fail for me on Windows XP in
   all Maven versions due to a NoSuchMethod exception.
  
   We had a discussion a few months back with one of the users having the
   same problem. I have no idea what the issue is, but it always fails
   for me.
  
   There is even a bug open for this.
   http://opensource.atlassian.com/projects/spring/browse/SEC-445
  
  
   On 4/23/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
On 4/21/07, Ray Krueger [EMAIL PROTECTED] wrote:
 * Maven 2.0.5 and 2.0.6 both cause the
 AuthorizeTagExpressionLanguageTests to fail, whereas 2.0.4 builds it
 fine.
   
what is the problem? it passes for me
   

 * The contacts sample cannot be built with maven2 from the
 instructions on our website, the multiwar plugin doesn't exist.

 * Using 'mvn war' in samples/contacts produces an invalid application.
 It doesn't copy in the common and filter directories.

 * We have maven1 instructions up for everything, yet we only seem to
 support maven2. We need to update our instructions. I'd gladly do it
 if someone can tell me how to build the sample apps with maven2.

 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

   
   
--
I could give you my word as a Spaniard.
No good. I've known too many Spaniards.
 -- The Princess Bride
   
-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
   
  
   -
   This SF.net email is sponsored by DB2 Express
   Download DB2 Express C - the FREE version of DB2 express and take
   control of your XML. No limits. Just data. Click to get it now.
   http://sourceforge.net/powerbar/db2/
   ___
   Home: http://acegisecurity.org
   Acegisecurity-developer mailing list
   Acegisecurity-developer@lists.sourceforge.net
   https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
  
 
 
  --
  I could give you my word as a Spaniard.
  No good. I've known too many Spaniards.
   -- The Princess Bride
 
  -
  This SF.net email is sponsored by DB2 Express
  Download DB2 Express C - the FREE version of DB2 express and take
  control of your XML. No limits. Just data. Click to get it now.
  http://sourceforge.net/powerbar/db2/
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Our build is a mess...

[Ray Krueger]

On 4/22/07, Luke Taylor [EMAIL PROTECTED] wrote:


 Luke Taylor wrote:
  I suggested a while back that we refactor the sample app into a simple

 s/simple/single
I like simple better :)

  webapp which uses the standard authentication filter and leave the other
  context files commented out in web.xml so that it's possible to switch
  to another version and build it just by changing file. I think we agreed
  that was a good idea. That would make the code layout easier to follow
  and the build simpler. I got part of the way through doing this but
  didn't have time to test all the different versions of the app.
 
  I dunno what's wrong with the later maven versions.
 


 --
  Luke Taylor.  Monkey Machine Ltd.
  PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk


 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] Our build is a mess...

[Ray Krueger]

* Maven 2.0.5 and 2.0.6 both cause the
AuthorizeTagExpressionLanguageTests to fail, whereas 2.0.4 builds it
fine.

* The contacts sample cannot be built with maven2 from the
instructions on our website, the multiwar plugin doesn't exist.

* Using 'mvn war' in samples/contacts produces an invalid application.
It doesn't copy in the common and filter directories.

* We have maven1 instructions up for everything, yet we only seem to
support maven2. We need to update our instructions. I'd gladly do it
if someone can tell me how to build the sample apps with maven2.

-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Jalopy?

[Ray Krueger]

It might be worthwhile to consider pruning Jalopy down to where it
only fixes those nagging things that Checkstyle finds (spaces around
brackets and such).

On 4/20/07, Luke Taylor [EMAIL PROTECTED] wrote:

 Ray Krueger wrote:
  Yeah, I totally agree.
  Applying Jalopy on the new code works well because it adds all the
  file header stuff. After that though, checkstyle is much more
  effective. Unfortunately we haven't been adhering to the Checkstyle
  requirements from the start. That will take some effort to bring the
  errors down as you've said.
 

 Hey, I spent ages bringing the errors down a while back :). There are
 only 34 at the moment in core and 12 are due to spaces around
 brackets. If we can get someone to nail the file down to what we want
 the code to look like (e.g. our benevolent dictator, Ben?), then we can
 run from there. At the moment it's just an approximation based on my
 best guesses.

 cheers,

 Luke.

 --
  Luke Taylor.  Monkey Machine Ltd.
  PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk


 -
 This SF.net email is sponsored by DB2 Express
 Download DB2 Express C - the FREE version of DB2 express and take
 control of your XML. No limits. Just data. Click to get it now.
 http://sourceforge.net/powerbar/db2/
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] OpenID support added to sandbox!

[Ray Krueger]

I've already started working on some refactoring. I believe I can
reduce the OpenIDResponseProcessingFilter and
OpenIDLoginInitiationServlet into one standard OpenIdProcessingFilter.

This also has the side effect of increasing test coverage by reducing
the amount of code to test :)

On 4/20/07, Ray Krueger [EMAIL PROTECTED] wrote:
 Thanks to the efforts of Robin Bramley; we now have a first draft of
 OpenID support in the sandbox. The code is mostly as-is from when
 Robin submitted sent it to me. I've done all the standard jalopy
 formatting of the code so it blends in and has the proper file
 headers.

 I've noted two basic Todo items for the code:
 * Improve test coverage
 * Replace OpenIDLoginInitiationServlet with a Filter to apply to our
 normal FilterChain

 I apologize for taking so long to get it together and get it
 committed. Everyone has their priorities to manage!

 Thanks again to Robin for the excellent submission!


-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] Maven Repos for OpenID libs

[Ray Krueger]

I'm back from vacation, and after clearing my plate a bit, I'm trying
to get this OpenID code uploaded.

Does maven2 require a complete pom to download a single jar file? I
uploaded the janrain library to
http://acegisecurity.sourceforge.net/maven/com/janrain/Janrain-Openid/2007-02-26/
Next Maven2 complained about there being no pom, so I made an empty
one. After that it complained about the md5 hash, so I created that.
Now it's complaining about the pom not being 4.0, so I added the
modelVersion. It continued to complain about the modelVersion, so I
went to bed.

Is there a better way?

-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Re navigation

[Ray Krueger]

The forums are really the best place for answers.
On that note, does this sound like the problem you're having?
http://forum.springframework.org/showthread.php?p=108322#post108322


On 3/20/07, Hilda Raymond [EMAIL PROTECTED] wrote:
 I have an app setup with Acegi. But if I give a url of an application as
 soon as i open a browser, acegi intercepts and navigates the user to
 acegilogin.jsp, but when I login from here, The application does'nt take the
 normal route of Authentication and authorization but seemingly navigates
 directly to the unauthorizedly naivagated page. Is it a problem of session
 unclearance or cache
 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys-and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] OpenID support

[Ray Krueger]

Awesome :)
What else is there to say?

On 3/14/07, Robin.Bramley [EMAIL PROTECTED] wrote:
 Sorry guys I've had a busy week and I'm only on the digest list so Ray's
 message took a while to come through.


 Matt - I agree that an application should only have one login form (if
 it's a standard username* and a password is included we can create a
 UsernamePasswordAuthenticationToken and then call
 AuthenticationManager.authenticate). I'm also not convinced about the
 use of email addresses as OpenIDs as lots of existing sites use email
 for usernames.

 As for absolute transparency, some OpenID providers (e.g. myopenid) have
 a 'safe mode' that will only allow you to authenticate on their site...


 Ray - * Regex matching of the submitted principal makes perfect sense.

 I've currently got a TODO in the OpenIDAuthenticationProvider for
 mapping URLs to usernames before calling the AuthoritiesPopulator - it
 should be configurable but with sufficient documentation to try to
 prevent misconfiguration that might allow alice.evilopenid.com to access
 a local alice account.
 This becomes more critical if the webapp is also an OpenID provider and
 you allow users to use https://openid.mysite.com/{username} - (thinking
 out loud) in which case the OpenIDAuthenticationProvider could take a
 Map of openid.server domains to patterns (or some form of transformer
 bean)...

 It would be useful to refactor the
 CasAuthoritiesPopulator/DaoCasAuthoritiesPopulator etc. to an sso
 package (maybe rationalise the LdapAuthoritiesPopulator and the
 CasAuthoritiesPopulator interfaces?). For backwards compatibility it
 might be nice to make
 org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator an
 empty subclass of the new DaoSsoAuthoritiesPopulator.

 I'll finish off the refactoring to abstract the JanRain consumer
 library, add some unit tests, move the package from com.opsera.acegi to
 org.acegisecurity and rewrite the steps in my initial reply to Matt for
 the reference guide and then zip it all up for the sandbox (I'll aim for
 early next week).

 Then I need to find the time to resume the server implementation; my
 primary concern is around seamlessly tying the user interaction into the
 flow - Myopenid makes you authenticate in a second window before
 clicking continue to be returned to the consuming site. Current idea is
 to configure the OpenID server authentication servlet URL as a secured
 resource - assume I may need to modify some Acegi code to allow the data
 to be rePOSTed to the servlet (or appended as a query string and then I
 can implement doGet on the servlet).

 Cheers,

 Robin

 -Original Message-
 Subject: Acegisecurity-developer Digest, Vol 11, Issue 2
 To: acegisecurity-developer@lists.sourceforge.net
 Reply-to: acegisecurity-developer@lists.sourceforge.net
 Date: Tue, 13 Mar 2007 08:40:43 -0700

 snip

 Date: Thu, 8 Mar 2007 08:41:46 -0600
 From: Ray Krueger
 Subject: Re: [Acegisecurity-developer] OpenID support

 I am interested in getting involved in this effort as well. I agree
 with the transparency of the OpenId vs Username field. One of the
 ideas that I lean towards is following a url pattern, rather than just
 the host.domain pattern.
 DHH (the rails guy) talked about this exact subject a few days ago on
 his blog:
 http://www.loudthinking.com/arc/000606.html

 Following a URL pattern makes it extremely easy to tell the difference
 between the two. Providing a means in the code to define an
 'openIdMatchPattern' that defines a regex to tell the difference would
 be the best way to go on our end in Acegi.

 Also, there several openId libraries out there, it would be senseless
 to build the authentication and delegation functionalities directly
 into Acegi. I think Robin is definitely on the right track there.

 I don't like the idea of our OpenID support calling off into our CAS
 code though, if the functionality there is useful outside of CAS it
 should get refactored into a new home.

 Robin, if you would like to get some other folks involved zip up the
 code and email it to me directly. I'll find a home for it in the
 sandbox and we can all start taking a look at it.



 -Original Message-
 From: Matt Raible
 Sent: 08 March 2007 14:20
 To: Robin.Bramley
 Cc: acegisecurity-developer@lists.sourceforge.net
 Subject: Re: [Acegisecurity-developer] OpenID support

 That's great to hear someone is working on this.  However, I'm wondering
 if it's possible to make it more transparent to the user.
 For example, have some sort of bean or filter that's OpenID aware and
 has a list of servers to talk to. If there's two dots in the username,
 Acegi attempts to authenticate with open id (through some background
 call that's transparent to the user).  If not, it attempts normal
 authentication.

 Is there any problem with providing this type of transparency?  I like
 the idea behind having the openid string and username come from the same
 text box.

 http://www.pjhyett.com

Re: [Acegisecurity-developer] Authentication Propagation across JMS

[Ray Krueger]

When you send the message, you could attach the Authentication to the
message by calling:
message.setObjectProperty(authentication,
SecurityContextHolder.getContext().getAuthentication());

Then on the receiving end you just get it back...
Authentication auth = (Authentication)
message.getObjectProperty(authentication);
//add null checking...
SecurityContextHolder.getContext().setAuthentication(auth);

On 3/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Greetings:

 I'm using Acegi and Spring 1.2 in our application.  I am currently using
 HTTP Invoker Authentication propagation to push credentials to the
 service layer for web services calls.  I'd like to use a similar
 facility to pass credentials with my JMS messages so I might secure the
 asynchronous operations in a similarly transparent manner.

 Does a declarative propagation methodology exist for Acegi and JMS?  Is
 this something that is possible?

 -jason

 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys-and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] OpenID support

[Ray Krueger]

I am interested in getting involved in this effort as well. I agree
with the transparency of the OpenId vs Username field. One of the
ideas that I lean towards is following a url pattern, rather than just
the host.domain pattern.
DHH (the rails guy) talked about this exact subject a few days ago on his blog:
http://www.loudthinking.com/arc/000606.html

Following a URL pattern makes it extremely easy to tell the difference
between the two. Providing a means in the code to define an
'openIdMatchPattern' that defines a regex to tell the difference would
be the best way to go on our end in Acegi.

Also, there several openId libraries out there, it would be senseless
to build the authentication and delegation functionalities directly
into Acegi. I think Robin is definitely on the right track there.

I don't like the idea of our OpenID support calling off into our CAS
code though, if the functionality there is useful outside of CAS it
should get refactored into a new home.

Robin, if you would like to get some other folks involved zip up the
code and email it to me directly. I'll find a home for it in the
sandbox and we can all start taking a look at it.

On 3/8/07, Matt Raible [EMAIL PROTECTED] wrote:
 That's great to hear someone is working on this.  However, I'm
 wondering if it's possible to make it more transparent to the user.
 For example, have some sort of bean or filter that's OpenID aware and
 has a list of servers to talk to. If there's two dots in the username,
 Acegi attempts to authenticate with open id (through some background
 call that's transparent to the user).  If not, it attempts normal
 authentication.

 Is there any problem with providing this type of transparency?  I like
 the idea behind having the openid string and username come from the
 same text box.

 http://www.pjhyett.com/posts/213-openid-isn-t-going-to-work-unless

 I don't know about the fake e-mail address in the above post, but I
 like the idea of assuming openid when no password is entered.

 Matt

 On 3/8/07, Robin.Bramley [EMAIL PROTECTED] wrote:
  Hi Matt,
 
  I'm currently working on OpenID ui, provider  adaptor classes for Acegi
  - with the intention of tidying them up and contributing them to the
  project.
 
  I've got a prototype Acegi OpenID consumer authentication working (using
  the JanRain library - I plan to abstract the library support).
  The flow is:
   1. User requests a secured page and the
  AuthenticationProcessingFilterEntryPoint (configured on the
  ExceptionTranslationFilter) sends the user off to an OpenID login form
   2. The user enters their OpenID (e.g. rbramley.myopenid.com) and
  submits the form
   3. The form POSTs to /j_acegi_openid mapped to
  OpenIDLoginInitiationServlet (uses Spring web app context to get the
  JanRain OpenID Store)
   4. The Consumer.begin method looks up the identity page, associates to
  the server etc.
   5. The servlet redirects the user to the OpenID server (e.g.
  myopenid.com), setting the return to URL as
  /j_acegi_openid_security_check
   6. The user logs on and the OpenID server returns the user
   7. Acegi passes the request to the OpenIDProcessingFilter based on the
  filterProcessesUrl property
   8. The Consumer.complete method provides a response object which is
  wrapped in an OpenIDAuthenticationToken
   9. This is passed to the OpenIDAuthenticationProvider (via the
  AuthenticationManager)
   10. If the response is a successul authentication, the auth provider
  uses the CasAuthoritiesPopulator interface to obtain the UserDetails
   11. The Authentication is returned and the user sent to the originally
  requested URL (as stored in the
  AuthenticationProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY HttpSession
  attribute by the SecurityEnforcementFilter).
 
 
  The next steps are to finish the OpenID server (may use the openid4java
  library from sxip) backed by Acegi and then look at how to encapsulate
  the registration functionality.
 
  Cheers,
 
  Robin
 
  Robin Bramley
  Opsera
  www.opsera.com http://www.opsera.com/
 
   Matt Raible
   Fri, 29 Dec 2006 15:34:32 -0800
  
   Are there any plans to support OpenID as a SSO option with Acegi
  Security?
  
   http://openid.net http://openid.net/
  
   We've seen some interest in supporting this with Roller - which uses
   Acegi for its security.
  
   Thanks,
  
   Matt
  
   --
   http://raibledesigns.com http://raibledesigns.com/
  
 
 
 
 
 


 --
 http://raibledesigns.com

 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys-and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 

Re: [Acegisecurity-developer] Unresolved dependency problems

[Ray Krueger]

Brad, can you try deleting the following, and trying the build again?
YOUR_HOME_FOLDER\.m2\repository\javax\servlet\jsp-api\2.0
Where 'YOUR_HOME_FOLDER' is something like C:\Documents and Settings\bcox

Also, are you using Maven 2.0.4 or better?


On 2/26/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
 it works for me, so only thing is open a jira in
 http://opensource.atlassian.com/projects/spring/browse/SEC

 On 2/26/07, Brad Cox, Ph.D. [EMAIL PROTECTED] wrote:
  Carlos Sanchez wrote:
   check target/surefire-reports folder in the module that failed and
   you'll find a file with name
   org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests*
  
   send the error
 
  You mean this?
  ---
  Test set:
  org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests
  ---
  Tests run: 3, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.052
  sec  FAILURE!
  testAllGrantedUsesExpressionLanguageWhenExpressionIsEL(org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests)
Time elapsed: 0
  .018 sec   ERROR!
  java.lang.NoSuchMethodError:
  javax.servlet.jsp.PageContext.getExpressionEvaluator()Ljavax/servlet/jsp/el/ExpressionEvaluator;
   at
  org.springframework.web.util.ExpressionEvaluationUtils$Jsp20ExpressionEvaluationHelper.evaluate(ExpressionEvaluationUtils.java:21
  6)
   at
  org.springframework.web.util.ExpressionEvaluationUtils.evaluateString(ExpressionEvaluationUtils.java:150)
   at
  org.acegisecurity.taglibs.authz.AuthorizeTag.doStartTag(AuthorizeTag.java:93)
   at
  org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests.testAllGrantedUsesExpressionLanguageWhenExpressionIsEL(Author
  izeTagExpressionLanguageTests.java:66)
 
  testAnyGrantedUsesExpressionLanguageWhenExpressionIsEL(org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests)
Time elapsed: 0
  .007 sec   ERROR!
  java.lang.NoSuchMethodError:
  javax.servlet.jsp.PageContext.getExpressionEvaluator()Ljavax/servlet/jsp/el/ExpressionEvaluator;
   at
  org.springframework.web.util.ExpressionEvaluationUtils$Jsp20ExpressionEvaluationHelper.evaluate(ExpressionEvaluationUtils.java:21
  6)
   at
  org.springframework.web.util.ExpressionEvaluationUtils.evaluateString(ExpressionEvaluationUtils.java:150)
   at
  org.acegisecurity.taglibs.authz.AuthorizeTag.doStartTag(AuthorizeTag.java:102)
   at
  org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests.testAnyGrantedUsesExpressionLanguageWhenExpressionIsEL(Author
  izeTagExpressionLanguageTests.java:75)
 
  testNotGrantedUsesExpressionLanguageWhenExpressionIsEL(org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests)
Time elapsed: 0
  .002 sec   ERROR!
  java.lang.NoSuchMethodError:
  javax.servlet.jsp.PageContext.getExpressionEvaluator()Ljavax/servlet/jsp/el/ExpressionEvaluator;
   at
  org.springframework.web.util.ExpressionEvaluationUtils$Jsp20ExpressionEvaluationHelper.evaluate(ExpressionEvaluationUtils.java:21
  6)
   at
  org.springframework.web.util.ExpressionEvaluationUtils.evaluateString(ExpressionEvaluationUtils.java:150)
   at
  org.acegisecurity.taglibs.authz.AuthorizeTag.doStartTag(AuthorizeTag.java:82)
   at
  org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests.testNotGrantedUsesExpressionLanguageWhenExpressionIsEL(Author
  izeTagExpressionLanguageTests.java:84)
 
   On 2/26/07, Brad Cox, Ph.D. [EMAIL PROTECTED] wrote:
   Carlos Sanchez wrote:
run mvn install from the root folder before trying to build the
samples so you have the latest acegi jars. Or change the sample to use
last release instead of using snapshots.
  
   Thanks!! mvn install in the root folder ran except for one test failure:
   Running
   org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests
   Tests run: 3, Failures: 0, Errors: 3, Skipped: 0, Time elapsed: 0.051
   sec  FAILURE!
  
   So hoping for the best...
  
First of all, deploy the Tutorial Sample, which is included in the
   main distribution ZIP file. The sample doesn't do a great deal, but it
   does give you a template that can be quickly and easily used to
   integrate into your own project.
  
   imac:/G5B/Java/acegisecurity/samples/tutorial bcox$ mvn deploy
   [INFO] Scanning for projects...
   [INFO]
   
  
   [INFO] Building Maven Default Project
   [INFO]task-segment: [deploy]
   [INFO]
   
  
   [INFO] artifact org.apache.maven.plugins:maven-deploy-plugin: checking
   for updates from central
   Downloading:
   http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-deploy-plugin/2.3/maven-deploy-plugin-2.3.pom
  
   

Re: [Acegisecurity-developer] Jboss Portal + Acegi

[Ray Krueger]

Arturo, please consider posting on the forums, there are lots of folks
out there who have tied JBoss Portal with Acegi.

On 2/27/07, Arturo San Feliciano Martín [EMAIL PROTECTED] wrote:




 Hello,



   I´m still trying to join acegi with jboss portal. I put the jboss adapter
 but when I try to access to SecurityContextHolder to get the Authenticate
 object,  i´m always getting null. The adapter don´t put the authenticate
 object on the server thread? Should I rewrite login method to do this
 operation? Is there any other better way to do this?



 Thanks



 Arturo San Feliciano Martín




 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys-and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Jboss Portal + Acegi

[Ray Krueger]

Forgot to post the link, sorry
http://forum.springframework.org/forumdisplay.php?f=33


On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
 Arturo, please consider posting on the forums, there are lots of folks
 out there who have tied JBoss Portal with Acegi.

 On 2/27/07, Arturo San Feliciano Martín [EMAIL PROTECTED] wrote:
 
 
 
 
  Hello,
 
 
 
I´m still trying to join acegi with jboss portal. I put the jboss adapter
  but when I try to access to SecurityContextHolder to get the Authenticate
  object,  i´m always getting null. The adapter don´t put the authenticate
  object on the server thread? Should I rewrite login method to do this
  operation? Is there any other better way to do this?
 
 
 
  Thanks
 
 
 
  Arturo San Feliciano Martín
 
 
 
 
  -
  Take Surveys. Earn Cash. Influence the Future of IT
  Join SourceForge.net's Techsay panel and you'll get the chance to share your
  opinions on IT  business topics through brief surveys-and earn cash
  http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Unresolved dependency problems

[Ray Krueger]

Pasting massive logs to the list makes the listserv mad.

I'm truncating this message for clarity.



On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
 I just updated to the latest code from SVN and the build is failing
 for me as well.
 Same test actually:
 org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests

 I'll take a look, but I'm buried at work and can't spend much time on it.

 Be back in a bit :)


 On 2/27/07, Brad Cox, Ph.D. [EMAIL PROTECTED] wrote:
  Ray Krueger wrote:
   Brad, can you try deleting the following, and trying the build again?
   YOUR_HOME_FOLDER\.m2\repository\javax\servlet\jsp-api\2.0
   Where 'YOUR_HOME_FOLDER' is something like C:\Documents and Settings\bcox
 
  Deleted /home/bcox/.m2/repository/javax/servlet/jsp-api/2.0
 
  See attached. Failure still there
 
   Also, are you using Maven 2.0.4 or better?
 
  imac:/G5B/Java/acegisecurity bcox$ mvn -v
  Maven version: 2.0.5
 

-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Unresolved dependency problems

[Ray Krueger]

This test only fails in Maven 2.0.5
Executing mvn clean test with Maven 2.0.4 passes fine. This test
also passes fine when run directly in the IDE (IntelliJ for me).

Maven really does not handle test failures well. There is no clue as
to what test failed, you only get [INFO] There are test failures.
There should be some clue as to what test failed. Can the html report
be generated directly to get a summary? Can I run the
maven-surefire-report-plugin direclty?

(Sorry for the direct email rather than the list Brad, I do that a lot haha)

On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
 Pasting massive logs to the list makes the listserv mad.

 I'm truncating this message for clarity.



 On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
  I just updated to the latest code from SVN and the build is failing
  for me as well.
  Same test actually:
  org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests
 
  I'll take a look, but I'm buried at work and can't spend much time on it.
 
  Be back in a bit :)
 
 
  On 2/27/07, Brad Cox, Ph.D. [EMAIL PROTECTED] wrote:
   Ray Krueger wrote:
Brad, can you try deleting the following, and trying the build again?
YOUR_HOME_FOLDER\.m2\repository\javax\servlet\jsp-api\2.0
Where 'YOUR_HOME_FOLDER' is something like C:\Documents and 
Settings\bcox
  
   Deleted /home/bcox/.m2/repository/javax/servlet/jsp-api/2.0
  
   See attached. Failure still there
  
Also, are you using Maven 2.0.4 or better?
  
   imac:/G5B/Java/acegisecurity bcox$ mvn -v
   Maven version: 2.0.5
  


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Unresolved dependency problems

[Ray Krueger]

OK, I assumed you meant there was summary.
Having the failure buried in with 600 success messages isn't what I
was looking for. That's what I meant by it not being easy.



On 2/27/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
 in the previous lines it tells you which test failed

 On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
  Maven 2.0.5 says...
 
  Results :
  Tests run: 963, Failures: 0, Errors: 3, Skipped: 0
 
  [INFO] 
  
  [ERROR] BUILD FAILURE
  [INFO] 
  
  [INFO] There are test failures.
  [INFO] 
  
  [INFO] For more information, run Maven with the -e switch
  [INFO] 
  
  [INFO] Total time: 1 minute 25 seconds
  [INFO] Finished at: Tue Feb 27 12:22:38 CST 2007
  [INFO] Final Memory: 6M/12M
  [INFO] 
  
 
  Is it because these are errors, not failures, that Maven stays silent
  about the what test went wrong?
 
  Why would deleting my repository change fix the 2.0.5 problem, when it
  builds fine with 2.0.4 using the same repository?
 
 
  On 2/27/07, Carlos Sanchez [EMAIL PROTECTED] wrote:
   i use 2.0.5 and builds fine for me
  
   try deleting your local repo ~/.m2/repository
  
   maven reports the tests that fail, just check the lines before [INFO]
   There are test failures.
  
   On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
This test only fails in Maven 2.0.5
Executing mvn clean test with Maven 2.0.4 passes fine. This test
also passes fine when run directly in the IDE (IntelliJ for me).
   
Maven really does not handle test failures well. There is no clue as
to what test failed, you only get [INFO] There are test failures.
There should be some clue as to what test failed. Can the html report
be generated directly to get a summary? Can I run the
maven-surefire-report-plugin direclty?
   
(Sorry for the direct email rather than the list Brad, I do that a lot 
haha)
   
On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
 Pasting massive logs to the list makes the listserv mad.

 I'm truncating this message for clarity.



 On 2/27/07, Ray Krueger [EMAIL PROTECTED] wrote:
  I just updated to the latest code from SVN and the build is failing
  for me as well.
  Same test actually:
  org.acegisecurity.taglibs.authz.AuthorizeTagExpressionLanguageTests
 
  I'll take a look, but I'm buried at work and can't spend much time 
  on it.
 
  Be back in a bit :)
 
 
  On 2/27/07, Brad Cox, Ph.D. [EMAIL PROTECTED] wrote:
   Ray Krueger wrote:
Brad, can you try deleting the following, and trying the build 
again?
YOUR_HOME_FOLDER\.m2\repository\javax\servlet\jsp-api\2.0
Where 'YOUR_HOME_FOLDER' is something like C:\Documents and 
Settings\bcox
  
   Deleted /home/bcox/.m2/repository/javax/servlet/jsp-api/2.0
  
   See attached. Failure still there
  
Also, are you using Maven 2.0.4 or better?
  
   imac:/G5B/Java/acegisecurity bcox$ mvn -v
   Maven version: 2.0.5
  

   
-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share 
your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
   
  
  
   --
   I could give you my word as a Spaniard.
   No good. I've known too many Spaniards.
-- The Princess Bride
  
   -
   Take Surveys. Earn Cash. Influence the Future of IT
   Join SourceForge.net's Techsay panel and you'll get the chance to share 
   your
   opinions on IT  business topics through brief surveys-and earn cash
   http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
   ___
   Home: http://acegisecurity.org
   Acegisecurity-developer mailing list
   Acegisecurity-developer@lists.sourceforge.net
   https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
  
 
  -
  Take Surveys. Earn Cash. Influence the Future of IT
  Join SourceForge.net's Techsay panel and you'll get the chance to share your

Re: [Acegisecurity-developer] Beyond Low-Hanging Fruit: Domain Access Control List

[Ray Krueger]

I got this email the other day from those folks...
Though I don't know if they're available to the public...

{quote}
Dear Ray,

Greetings!  We are happy to announce that video/ audio from TSE 2006
is now available!

Here are the instructions:

1).  Go to www.thespringexperience.com
2).  userid = email address
3).  password = what you chose - remember feature available
4).  Video link will be found in the upper left hand corner above the
slide download link
5).  Choose the session you wish to watch and enjoy - the slides are
available for download again as well.
{quote}


On 2/21/07, Karl Moore [EMAIL PROTECTED] wrote:

 Does anyone have a copy of this presentation, or know when it will be
 available?  This has been brought up a few times on the forum after the blog
 post.
 http://blog.interface21.com/main/2006/12/16/whats-new-and-cool-in-spring-20/

 
 Discover the new Windows Vista Learn more!
 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys-and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Multiple applications and different roles

[Ray Krueger]

Sounds like a single sign-on solution would work best. Have a look at
the Acegi support for CAS. Using CAS with Acegi might provide the
features you are looking for.

On 2/8/07, Stephane Bailliez [EMAIL PROTECTED] wrote:
 Hi all,

 I'm trying to see whether there is an easy way to implement roles
 (authorities) for several applications. Each application having its own
 set of authorities (ie: john being registered as ROLE_SUPERVISOR only
 for application A, does not apply to application B and C for example).

 Seems there is no support for this out of the box and the model is
 rather flat.

 A potential workaround I was thinking to avoid too much initial code
 would be to have a convention such such as: ROLE_A_SUPERVISOR,
 ROLE_B_SUPERVISOR respectively for application A and B which will be an
 acceptable workaround for half a dozen applications in the short term
 even though not extremely elegant.

 Does any one have solve this type of issue differently or any opinion on
 the above ?

 Thanks,

 -- stephane


 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job
 easier.
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] In the Acegi config xml file why use /A and /Z in the URL pattern?

[Ray Krueger]

The best explanation of FilterSecurityInterceptor
ObjectDefinitionSource is here:
http://acegisecurity.org/docbook/acegi.html#filter-invocation-authorization

Basically, you are using regular expressions in the example you gave
and the \A means beginging of the line and \Z means end of the
line.

What you have is actually broken though. You're declaring to Acegi
PATTERN_TYPE_APACHE_ANT which tells the code that the patterns
should be Ant style, and then you're passing regular expressions.

Whereas with Ant patterns you would use /c/portal/login*
Also, you should consider adding the
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON directive, as it eliminates
case-sensitivity issues when matching the patterns.

And one last thing, you probably shouldn't be protecting your /login
url with ROLE_AUTHENTICATED as that login is probably where they are
sent when they are NOT ROLE_AUTHENTICATED and you'll go into a loop.

Hope that helps,
-Ray


On 1/22/07, Garvey, Paul M (GE Comm Fin) [EMAIL PROTECTED] wrote:


 In the following snippet below why are /A and /Z used in the URL? For
 example  \A/c/portal/login\Z?
 Why not remove the /A and /Z to leave  /c/portal/login?


  bean id=filterInvocationInterceptor
 class=org.acegisecurity.intercept.web.FilterSecurityInterceptor
   property name=authenticationManager ref=authenticationManager /
   property name=accessDecisionManager ref=accessDecisionManager /
   property name=objectDefinitionSource
value
 PATTERN_TYPE_APACHE_ANT
 \A/c/portal/login\Z=ROLE_AUTHENTICATED
 \A/c/portal/logout\Z=ROLE_AUTHENTICATED
 \A/c/portal/layout.*\Z=ROLE_AUTHENTICATED
 \A/group/.*\Z=ROLE_AUTHENTICATED
/value
   /property
  /bean



 - Paul

 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys - and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV

 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer




-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Setting serviceProperties in Acegi

[Ray Krueger]

Ben answered your original email on this subject...

Is there a reason you cannot use a PropertyPlaceholderConfigurer?

http://www.springframework.org/docs/api/org/springframework/beans/factory/config/PropertyPlaceholderConfigurer.html



On 1/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:




 In using Acegi with Cas in a web application. As you know, I have to set the
 serviceProperties property of CasProcessingFilterEntryPoint to the url that
 CAS will call after authentication. I don't like to set this url in
 applicationContext-acegi-security.xml but I prefere this
 value Is build automatically. To do it I'm going to extends
 org.acegisecurity.ui.cas.ServiceProperties with a class
 that try to build the service property if is not setted (null) using
 something like this:



 serviceProperties=http://+request.request.getLocalAddr()+:+request.getLocalPort()+/+request.getContextPath()+/j_acegi_cas_security_check

 (I don't use https in this case….)



 What's your opinion?



 Please, any suggestions are welcome.



 Regards

 Mario Buonopane




 This message is for the designated recipient only and may contain
 privileged, proprietary, or otherwise private information. If you have
 received it in error, please notify the sender immediately and delete the
 original. Any other use of the email by you is prohibited.
 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys - and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV

 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer




-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] [Fwd: [Fwd: Re: Authentication and authorization status in OGC-compliant OSS GIS software]]

[Ray Krueger]

If you can find a means to make java code authenticate against DACS,
then it would be easy enough to write an Acegi AuthenticationProvider
that talks to it.



On 1/19/07, Krystian Nowak [EMAIL PROTECTED] wrote:
 Do you think it is possible to include DACS (http://dacs.dss.ca/) as a
 authentication adapter (just as it is with Yale's CAS)? There were talks
 about the future of authorization in OSS GIS GeoServer
 (http://docs.codehaus.org/display/GEOS/Home) which heavily uses Spring,
 so it would be natural to use Acegi. On the other hand there is an Open
 Geospatial Consortium (OGC) standardising organisation for GIS software
 and one of their implementation for security used in demos is DACS. The
 problem is that DACS is native application whereas the GeoServer is a
 Java webapp.

 Maybe you have some ideas or already have head about works between DACS
 and Acegi? Do you find it possible to integrate in any scope (just
 authentication or maybe even more - to simulate DACS-like authorization
 using Acegi)?

 Below there is an email on these talks. If it's not clear for you,
 please, do not hesitate to ask questions to make it more informative.

 Thanks in advance for your help!

 Kind regards,
 Krystian Nowak
 PSNC


 --
 Krystian Nowak
 [EMAIL PROTECTED]
 ===
 Poznan Supercomputing and Networking Center
 Poland, 60-814 Poznan, Zwierzyniecka 20
 tel. (+48 61) 8582159 fax. (+48 61) 8582151
 http://www.man.poznan.pl
 ===


  Wiadomość oryginalna 
 Temat: Re: Authentication and authorization status in OGC-compliant OSS
 GIS  software
 Data: Thu, 18 Jan 2007 10:36:48 -0800
 Nadawca: Barry Brachman [EMAIL PROTECTED]
 Odpowiedź-Do: [EMAIL PROTECTED]
 Adresat: Krystian Nowak [EMAIL PROTECTED]
 Kopia: [EMAIL PROTECTED], [EMAIL PROTECTED],
 [EMAIL PROTECTED],[EMAIL PROTECTED],
 [EMAIL PROTECTED], [EMAIL PROTECTED]


 Hi all --

 Some of this thread was forwarded to me.  As the principal designer and
 implementor of DACS, I thought I might be able to comment a little on a few
 things that caught my attention.

 Jody Garnett napisa³(a):
  I know DACS has been used in an OGC context
 Is it an OGC standard or only at OWS as demo?

 DACS is not an OGC standard.
 It was the subject of three OGC initiatives: CIPI 1.1, CIPI 1.2, and OWS-3.
 That work mainly dealt with understanding and solving authentication and
 authorization interoperability issues, and some of the results of those
 projects were integrated with DACS.  As far as I know, nothing is currently
 being done by the OGC with DACS.

  what is the benifit for ACEGI? Ah it is a spring security
  system ...

 I don't know anything about Acegi (http://acegisecurity.org) other than
 what I have read on their home page, so I really can't comment on it or
 compare it with DACS.  But at first glance it looks to me like it is
 quite different from DACS in philosophy, implementation, operation, and
 feature set.  So I suspect the two systems might be aimed at different
 audiences.

 As for CAS, it is simply an authentication method, and it is one of many
 methods supported by DACS.

 Regardless of how authentication is performed, DACS creates a common
 internal representation (credentials) which is then exported from DACS
 to a client, and later sent by a client to DACS with its request.  In
 theory at least, DACS does not care how credentials are transmitted - in
 an HTTP cookie, via an HTTP extension header, within a URL, or as an
 argument - these are all possibilities.  Clients, which can be
 middleware, can ask DACS to decode or export credentials, so a DACS
 identity can easily be converted to some other representation, and
 importation to DACS from other representations is also possible.
 Middleware can ask DACS to create credentials.

 The authorization side of DACS is largely separate and independent of
 the authentication side.  You do not have to use DACS authentication in
 order to use the DACS access control rule-processing engine.

 I also can't comment on GeoServer.  I believe that, like Acegi, it is a
 Java application, and DACS being C/C++ software, people who prefer a
 pure Java solution might not be happy with a system that must use JNI.
 Supporting DACS as an optional, third-party component of GeoServer might
 be a possibility though.

 One other thing that I noticed:
  Do you know if there is any way to integrate Acegi with DACS?

 I don't really understand this question because the two systems are
 quite different, yet in broad terms, do the same kinds of things.  So
 I'm not sure what it would mean to integrate Acegi with DACS.  It might
 be possible for Acegi to use DACS's authentication components, its
 access control component, or both, but that's probably a question to ask
 the Acegi folks. And there's also that pesky pure Java issue.

 It might be possible for the two systems to interoperate, but I don't
 think that's what you're talking 

Re: [Acegisecurity-developer] Setting serviceProperties in Acegi

[Ray Krueger]

OK...

Subclassing ServiceProperties isn't going to do any good, because you
don't have access to the HttpRequest.

You can use a PropertyPlaceHolderConfigurer so that your xml looks like...
bean id=serviceProperties class=org.acegisecurity.ui.cas.ServiceProperties
property 
name=servicevalue${serviceProperties.serviceUrl}/value/property
property name=sendRenewvaluefalse/value/property
/bean

And then you can externalize these deployment specific parameters into
a properties file that gets setup at the client site.

We should consider adding a hookmethod into the
CasProcessingFilterEntryPoint to allow customization of how the
serviceUrl is added to the cas redirect.

Oh, and a little tip, you don't have to hard code the http:// part you
can use request.getScheme() (terrible name, go Sun).


On 1/19/07, Ray Krueger [EMAIL PROTECTED] wrote:
 Now that I read your email a little more thoroughly, let me take a
 closer look. Personally I've never used the CAS support in Acegi.

 I'll get back to you in a minute or two :)


 On 1/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Sorry Ray, but how can I use PropertyPlaceholderConfigurer for this
  scope? Can you explain me with an example please?
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf
  Of Ray Krueger
  Sent: 19 gennaio 2007 13.07
  To: acegisecurity-developer@lists.sourceforge.net
  Subject: Re: [Acegisecurity-developer] Setting serviceProperties in
  Acegi
 
  Ben answered your original email on this subject...
 
  Is there a reason you cannot use a PropertyPlaceholderConfigurer?
 
  http://www.springframework.org/docs/api/org/springframework/beans/factor
  y/config/PropertyPlaceholderConfigurer.html
 
 
 
  On 1/19/07, [EMAIL PROTECTED]
  [EMAIL PROTECTED] wrote:
  
  
  
  
   In using Acegi with Cas in a web application. As you know, I have to
  set the
   serviceProperties property of CasProcessingFilterEntryPoint to the url
  that
   CAS will call after authentication. I don't like to set this url in
   applicationContext-acegi-security.xml but I prefere this
   value Is build automatically. To do it I'm going to extends
   org.acegisecurity.ui.cas.ServiceProperties with a class
   that try to build the service property if is not setted (null) using
   something like this:
  
  
  
  
  serviceProperties=http://+request.request.getLocalAddr()+:+request.g
  etLocalPort()+/+request.getContextPath()+/j_acegi_cas_security_check
  
   (I don't use https in this case)
  
  
  
   What's your opinion?
  
  
  
   Please, any suggestions are welcome.
  
  
  
   Regards
  
   Mario Buonopane
  
  
  
  
   This message is for the designated recipient only and may contain
   privileged, proprietary, or otherwise private information. If you have
   received it in error, please notify the sender immediately and delete
  the
   original. Any other use of the email by you is prohibited.
  
  
  -
   Take Surveys. Earn Cash. Influence the Future of IT
   Join SourceForge.net's Techsay panel and you'll get the chance to
  share your
   opinions on IT  business topics through brief surveys - and earn cash
  
  http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDE
  V
  
   ___
   Home: http://acegisecurity.org
   Acegisecurity-developer mailing list
   Acegisecurity-developer@lists.sourceforge.net
   https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
  
  
  
 
  
  -
  Take Surveys. Earn Cash. Influence the Future of IT
  Join SourceForge.net's Techsay panel and you'll get the chance to share
  your
  opinions on IT  business topics through brief surveys - and earn cash
  http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDE
  V
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
  This message is for the designated recipient only and may contain 
  privileged, proprietary, or otherwise private information.  If you have 
  received it in error, please notify the sender immediately and delete the 
  original.  Any other use of the email by you is prohibited.
 
  -
  Take Surveys. Earn Cash. Influence the Future of IT
  Join SourceForge.net's Techsay panel and you'll get the chance to share your
  opinions on IT  business topics through brief surveys - and earn cash
  http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net

Re: [Acegisecurity-developer] How to propagate Authentication context?

[Ray Krueger]

You should post this to the community forum at:
http://forum.springframework.org/forumdisplay.php?f=33

There are thousands of users out there that may have done such a thing.

On 12/15/06, Tomislav Stojcevich [EMAIL PROTECTED] wrote:
 I have the same requirements and have found little documentation
 anywhere as to how to get it to actually work.  I haven't played
 around too much with it but I do need to eventually.  This thread
 might help.  It talks about it but I can't derive a solution from it:

 http://forum.springframework.org/archive/index.php/t-10122.html

 --
 tom

 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys - and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] @Secured @Transactional on the same bean(s) - best practice(s) ?

[Ray Krueger]

Wim,
One of the applications that I work on has 3 interception layers going
right now. Security, Transactions, and Monitoring. All interception is
done using DefaultAutoProxyCreator with Advisors declared as beans.
The interceptors are kept in a specific order using the order
attribute of the advisors (the order of your annotations doesn't enter
into it).

In setting all of this up I've found that Spring gets confused pretty
easily when the annotations are on the Impl, or mixed between the impl
and the interface. Especially when the beans are declared as you have
them; with a ProxyFactoryBean and Impl for the same instance hanging
out in the context.

What ended up solving all of our configuration woes was to put all of
the Annotations on the interfaces. The reasoning behind this is that
in most instances of navigating the BeanFactory, all Spring sees is
the interface. The question of wether to look at the interface or the
impl for the annotations is eliminated. The interface is always there
in plainsight with all the information needed.

We also segmented our ApplicationContext xml files into specific
areas. The reasoning for this answers your concern about leaving off
the transaction interceptor in some cases (I think). All of our
transaction configuration is in one file, all of the method level
security stuff is in another file, and our monitoring stuff is in a
third file. The Advisors for those realms are declared in those realm
specific files as well. The DefaultAutoProxyCreator is declared in a
fourth file, that is always included with the app. So, if we want to
leave out method level security we just leave out that file.

Wether or not the Annotations 'belong' on the interfaces is probably
in the same category as wether or not curly braces 'belong' on the
same line or not :)

Hope that helps,
-Ray


On 10/26/06, Wim Lambrecht [EMAIL PROTECTED] wrote:
 wow,

 i did include some typos my mail,
 excuse me,
 i'll correct them now:

 Wim Lambrecht schreef:
  Hi,
 
  I have a java (service) interface and an implementation and i want to
  apply transactional (using Springs @Transactional annotation) and
  security (using Acegi's @Secured annotation) aspects on it.
  I'm pretty sure i can manage to use then in a separate setup/deployment
  (meaning: either transactional or secured), but both at the same time
  does not give me the desired result.
 
  My setup:
  - an java interface for my service
  - an implementation of that service interface
  - i want it to be secure and transactional guarded.
  I must be honest: i'm actually using a manually configured
  transactionale proxy (using TransactionProxyFactoryBean) in combinatie
  with acegi's @Secured annotation (using auto-proxing via
  DefaultAdvisorAutoProxyCreator and MethodDefinitionSourceAdvisor).
  - the TransactionProxyFactoryBean is directly in front of my actual
  service implementation
  - the @Secured stuff is annotated on some methods on the service interface.
 
  public interface OrderService {
 
  @Secured({ROLE_ORDERMANAGER})
  public void deleteOrder(Order o);
 
  //...
  }
 
  public class StandardOrderService implements OrderService {
 
  OrderDAO orderDAO = ...
 
  public void deleteOrder(Order o) {
 someOrderDAO.deleteOrder(o);
  }
 
  }
 
  //spring-config extraction:
  bean id=orderService
  class=org.springframework.transaction.interceptor.TransactionProxyFactoryBean
  property name=transactionManager
  ref bean=myTransactionManager/
  /property
  property name=target
  ref local=orderServiceNoTX/
  /property
  property name=transactionAttributes
  props
  prop key=delete*PROPAGATION_REQUIRED/prop
  !-- etc --
  /props
  /property
  /bean
 
  bean id=orderServiceNoTX class=org.myorg.order.StandardOrderService
  // stuff (like DAO config etc)
  /bean
  //spring-config extraction (END)
 
 
  What happens:
  (--- is 'target')
  - my service implementation gets proxied, which is great:
  $proxy12 (tx-proxy)  actual service implementation
  - since the 'tx-proxy' also implements (i guess) my OrderService, it
  gets secured-proxied, again 'great', that's what i like. But naturally
  my service implementation also implements my OrderService interface, so
  it gets secured-proxied as well. So, i end up with 2 security interceptions:
  $proxy13 (sec-proxy on tx-proxy) --- $proxy12 (tx-proxy) 
  $proxy14 (second sec-proxy !) ---actual service implementation
 
 
  What i desire:
  - the best possible setup, so that calls to the service implementation
  go through maximum 2 proxies, being: 1) the security front and 2) (ones
  you're in) the transactional protection.
  - i like to use the @Transactional approach instead, so that security and
  transactional behavior can be annotated (no config-file fuzz).
 

  - this seems like a common behaviour, so i guess 

Re: [Acegisecurity-developer] getting user information at the page level

[Ray Krueger]

From a velocity page?
I'm not sure how you get access to the request itself, but start with that...

request.remoteUser
request.userPrincipal.principal.username

You need to add the ContextHolderAwareRequestFilter to your
filterChainProxy for those to work, like Scott had mentioned.


On 8/31/06, Matt Raible [EMAIL PROTECTED] wrote:
 Here's what I use:

 authz:authentication operation=fullName/

 Matt

 On 8/31/06, Charles Harvey III [EMAIL PROTECTED] wrote:
  Hello.
  I'm quite new to Acegi but I think I am getting the hang of it fairly
  quickly.
  There is one thing though that I am struggling with.
 
  How do I get things like username to be displayed on a web page?
 
  I thought the UserDetails was stored in the Session.  But it is really
  stored
  in an Authentication object, which is stored in a SecurityContext, which is
  stored in a SecurityContextHolder.  Which is all fine.  But, how do I access
  the SecurityContextHolder from the page level after a successful login?
 
  Is it available as a Session variable?  If so, what is the name of the
  Session
  attribute?  If not, how do I access the SecurityContextHolder from say, a
  Velocity page?  I'm sure this is done quite regularly so I am hoping someone
  can point me in the right direction.
 
  Thanks for the help.
 
 
  Charlie
 
 
  -
  Using Tomcat but need to do more? Need to support web services, security?
  Get stuff done quickly with pre-integrated technology to make your job 
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 

 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Dynamic defaultTargetUrl

[Ray Krueger]

We could wire in a strategy interface for that logic as well.

On 8/31/06, Brian Pontarelli [EMAIL PROTECTED] wrote:

 Great I'm glad that worked. This could be an option on the APF at some
 point, but sub-classing is a good solution. It would be great to be able
 to add a parameter to URLs that will trigger ACEGI to use the referrer
 URL. That way some URLs will return and others won't. Perhaps an
 enhancement for a future release.

 -bp




 Tom Stroobants wrote:
  We have subclassed the AuthenticationProcessingFilter class and have
  overridden the successfulAuthentication method.
 
  Very easy ... We just put the referrer URL on the session before
  triggering ACEGI.
  I hit the login button and our own created class just checks if the
  targetUrl is empty and if it is get the referrer url from the session
  and redirect to that page ...
 
  Best regards,
 
  Tom.
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf
  Of Ben Alex
  Sent: zaterdag 26 augustus 2006 0:26
  To: acegisecurity-developer@lists.sourceforge.net
  Subject: Re: [Acegisecurity-developer] Dynamic defaultTargetUrl
 
  Brian Pontarelli wrote:
 
  I think the issue is that the login is a component that exists on many
 
 
 
  pages and the login/failure should return the user to the page they
 
  were
 
  viewing rather than a stock login/home page.
 
  The best bet at this point is probably to subclass APF and just
 
  redirect
 
  or forward back to a URL stored in a form parameter. You will have to
  place the current URL in a hidden field. You might be able to pull off
 
  a
 
  referrer URL as well depending on your setup.
 
 
  If the referrer URL approach works, I think this would be of general
  usefulness to others as well. We could have a new property,
  forceReturnToReferrerUrl on AbstractProcessingFilter. If anyone gets
  this to consistently work, please pop your code into a JIRA patch and
  I'll get it applied.
 
  Cheers
  Ben
 
  
  -
  Using Tomcat but need to do more? Need to support web services,
  security?
  Get stuff done quickly with pre-integrated technology to make your job
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache
  Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
  -
  Using Tomcat but need to do more? Need to support web services, security?
  Get stuff done quickly with pre-integrated technology to make your job 
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] getting user information at the page level

[Ray Krueger]

When using the filter, the UserPrincipal is an instance of the Acegi
token ( forgot the classname for some reason).
It depends on what classes you're using I suppose.
Does $request.remoteUser work for you?

On 8/31/06, Charles Harvey III [EMAIL PROTECTED] wrote:
 When using VelocityViewServlet all request, response and session values
 are put into the velocityContext.  So I should be able to do:

 $request.userPrincipal.principal.username

 But there is no getPrincipal() method attached to java.security.Principal.
 The only useful methods available are getName() and toString().

 So I'll just try $request.userPrincipal.name and see what happens.

 I added things like email and zipcode to my AuthUser (which extends User).
 How do I get those values?  Are they also somehow in the userPrincipal?

 Thanks a lot


 Charlie


 Ray Krueger said the following on 8/31/2006 1:28 PM:
  From a velocity page?
  I'm not sure how you get access to the request itself, but start with 
  that...
 
  request.remoteUser
  request.userPrincipal.principal.username
 
  You need to add the ContextHolderAwareRequestFilter to your
  filterChainProxy for those to work, like Scott had mentioned.
 
 
  On 8/31/06, Matt Raible [EMAIL PROTECTED] wrote:
 
  Here's what I use:
 
  authz:authentication operation=fullName/
 
  Matt
 
  On 8/31/06, Charles Harvey III [EMAIL PROTECTED] wrote:
 
  Hello.
  I'm quite new to Acegi but I think I am getting the hang of it fairly
  quickly.
  There is one thing though that I am struggling with.
 
  How do I get things like username to be displayed on a web page?
 
  I thought the UserDetails was stored in the Session.  But it is really
  stored
  in an Authentication object, which is stored in a SecurityContext, which 
  is
  stored in a SecurityContextHolder.  Which is all fine.  But, how do I 
  access
  the SecurityContextHolder from the page level after a successful login?
 
  Is it available as a Session variable?  If so, what is the name of the
  Session
  attribute?  If not, how do I access the SecurityContextHolder from say, a
  Velocity page?  I'm sure this is done quite regularly so I am hoping 
  someone
  can point me in the right direction.
 
  Thanks for the help.
 
 
  Charlie
 
 
  -
  Using Tomcat but need to do more? Need to support web services, security?
  Get stuff done quickly with pre-integrated technology to make your job 
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
  -
  Using Tomcat but need to do more? Need to support web services, security?
  Get stuff done quickly with pre-integrated technology to make your job 
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
 
  -
  Using Tomcat but need to do more? Need to support web services, security?
  Get stuff done quickly with pre-integrated technology to make your job 
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 

 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere

Re: [Acegisecurity-developer] About The Following Acegi Releases

[Ray Krueger]

See, I knew Carlos had an answer for that :P
That is really good to know.

Unfortunately, that only helps people that use mvn for THEIR project.
That doesn't really help with Ben's scenario. I didn't think of that
when I brought it up.

People that are importing acegi into their project and would like to
see the source code.
People need to understand that the the sources.jar is for reference,
not compilation.

Ben, does eclipse automatically recognize the source code when it is
distributed inside the compiled Jar?

On 8/28/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
 just one line:

 mvn eclipse:eclipse -DdownloadSources=true

 and you'll see how sources and javadocs are downloaded and linked in
 eclipse project

 maven makes:

 acegi-security-1.0.1.jar binaries
 acegi-security-1.0.1-sources.jar sources
 acegi-security-1.0.1-javadoc.jar javadocs

 I think it'll be good to keep this.

 And if you run the previous line in a multiproject it will link the
 subprojects between themselves, eg. in the top level acegi dir


 On 8/28/06, Ben Alex [EMAIL PROTECTED] wrote:
  Luke Taylor wrote:
   On the branching front, it seems like we could be making more use of
   branches with subversion.
 
  I am happy for these changes to be made. Whilst changing to Maven 2 we
  should also give consideration to how we distribute source code for IDE
  integration. At present we release a separate ZIP file containing the
  sources (which is not intended for compilation). I noticed that the
  Maven 2 approach appears to be a name-of-artifact-sources.jar file in
  the standard jar repository.
 
  Whilst I see merit in the above approach, I am not particularly fond of
  it because I still have to undertake the manual step of configuring
  Eclipse to look at a particular source JAR or ZIP. In addition, as new
  releases are made, it is not uncommon to forget to change the old source
  code attachment location. So your source code appears to be for say
  release 2.0 but it is really for 1.2.7. I am also unaware if Maven 2 can
  be made to automatically understand it needs to download source
  artifacts but not include them as classpath resources.
 
  Those of you who have been using Google Web Toolkit (GWT) would know
  Google bundles both source code and compiled class files into the same
  JAR. This saves the manual step and I have found it extremely useful. I
  just point to the new release JAR and my JavaDocs and source code
  attachment is correct. The only downside is a bigger JAR, which in my
  view is a low price to pay for enhanced productivity and troubleshooting
  reliability. To put the bigger JAR issue into context:
 
  63 2006-06-17 03:50 acegi-security-1.0.1.jar
  529413 2006-06-23 05:34 acegi-security-1.0.1-sources.jar
 
  Based on release 1.0.1, we'd go from a 444Kb release to a 973Kb combined
  JAR. I don't think this is a serious issue from a download or disk space
  perspective. Especially concerned people can always re-jar for their
  production deployment.
 
  How would people feel about future Acegi Security release JARs including
  source code, as per GWT? I guess we could continue to have two releases,
  but our acegi-security-release-sources.jar would contain *both*
  classes and source code.
 
  It would be good to discuss this and get some feedback from the community.
 
  Cheers
  Ben
 
  -
  Using Tomcat but need to do more? Need to support web services, security?
  Get stuff done quickly with pre-integrated technology to make your job 
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 --
 I could give you my word as a Spaniard.
 No good. I've known too many Spaniards.
  -- The Princess Bride

 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application 

Re: [Acegisecurity-developer] About The Following Acegi Releases

[Ray Krueger]

Ben were you suggesting having acegi-version.jar would be just binary,
and acegi-version-sources.jar would be binary with source?

I personally think that seperate binary and source jars is fine. The
majority of projects work that way. Most people know that, or can
figure it out.

~0 is my vote


On 8/28/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
 On 8/28/06, Ben Alex [EMAIL PROTECTED] wrote:
  Carlos Sanchez wrote:
 
   Ben, does eclipse automatically recognize the source code when it is
   distributed inside the compiled Jar?
  
   I don't think so and I don't really like that approach because if you
   provide the sources, why don't provide the javadocs too?
 
  Eclipse DOES automatically recognise if there is source code in the JAR.
   To see this in action, download GWT and then add its gwt-user.jar to
  your project. Then do a CTRL+ALT+T for GWT's Panel.
 

 good to know

  To answer Ray's earlier question, we don't need to advertise to users
  that this is available because their IDE (well, Eclipse anyway) will
  automatically just do it for them.
 
  I don't think there's any benefit providing JavaDocs in the JARs given
  the source code offers the JavaDocs anyhow and it would bloat the size.

 I still don't like adding the source for the same reason. A jar is a
 jar to execute, if you want to develop with sources here they are the
 jars with the sources. If everybody adds the sources to their jars
 you'd get huge applications.

 If you want to do it in the distribution that is manually downloed go
 for it, but please make jars for the maven repo without sources.

 
  Cheers
  Ben
 
  -
  Using Tomcat but need to do more? Need to support web services, security?
  Get stuff done quickly with pre-integrated technology to make your job 
  easier
  Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
  http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 --
 I could give you my word as a Spaniard.
 No good. I've known too many Spaniards.
  -- The Princess Bride

 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] About The Following Acegi Releases

[Ray Krueger]

Well put...
Dual jars covers both camps.

I spend 85% of my day in mentor mode for Spring, Hibernate, and Acegi.
So your people are time poor comment really swung my vote heh.


On 8/28/06, Ben Alex [EMAIL PROTECTED] wrote:
 Ray Krueger wrote:

  Ben were you suggesting having acegi-version.jar would be just binary,
  and acegi-version-sources.jar would be binary with source?

 Yes, a traditional .class-only JAR, and a combined .class plus .java
 JAR. People like me would use the latter, whereas people concerned about
 the extra 500 Kb in their download can use the former.

 In my experience delivering training courses, I know how very useful it
 is to have automatic JavaDocs and source code available to people trying
 to learn a new API.

 It is really an issue of what do we value more:

 * Minimizing bandwidth. Bandwidth is cheap. Every decent library
 (Spring, Eclipse, Java) is now dozens of megabytes to download. I won't
 lose much sleep adding 500 Kb (or even 1 Mb!) to a JAR download.

 * Maximizing productivity. Unlike bandwidth, people are expensive.
 People are time poor. People are constantly dealing with API changes and
 new APIs. People don't remember every argument and interface contract
 they read. We can make peoples' lives easier by including source in the
 JARs. Besides, we're more likely to get bugs detected and fixes
 contributed back if more people see the source code.

 Google (GWT) have obviously concluded the latter is more important, and
 I'm not aware of anyone objecting to their inclusion of source code.
 They don't even offer a source-code-free JAR, yet we would continue to.

 Cheers
 Ben

 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] ehcache 1.1 vs 1.2.1

[Ray Krueger]

Please consider using the support forums at:
http://forum.springframework.org/forumdisplay.php?f=33

Consider this a reply to all 3 of your emails today.
You have some classpath issues to work out.
In your previous email you're missing a method from commons-lang

ava.lang.NoSuchMethodError:
org.apache.commons.lang.StringUtils.substringBeforeLast(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;

Check your classpath and make sure you only have one commons-lang
version in there.

As for this email,
java.lang.ClassNotFoundException:
org.springframework.cache.ehcache.EhCacheManagerFactoryBean

That is a class not found exception for the EhCacheManagerFactoryBean
itself, not an EHCache version issue.

I am guessing you're using the modularized spring-hibernate.jar and
spring-web.jar, stuff.
Make sure you include whichever jar includes the
EhCacheManagerFactoryBean, or just use the fully loaded spring.jar.

Your above issues are classpath issues, not Acegi specific issues.

Good luck
-Ray



On 8/7/06, hv @ Fashion Content [EMAIL PROTECTED] wrote:
 I currently use EhCache 1.2.1 with my hibernate app, but Acegi seems to
 depend on version 1.1 or perhaps its the Spring DAO stuff.

 Whats the solution to :

 java.lang.ClassNotFoundException:
 org.springframework.cache.ehcache.EhCacheManagerFactoryBean

 at
 org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1338)

 at
 org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1187)

 at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)

 at java.lang.Class.forName0(Native Method)

 at java.lang.Class.forName(Class.java:242)

 at org.springframework.util.ClassUtils.forName(ClassUtils.java:109)

 at
 org.springframework.beans.factory.support.BeanDefinitionReaderUtils.createBeanDefinition(BeanDefinitionReaderUtils.java:65)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:466)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:432)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertySubElement(DefaultXmlBeanDefinitionParser.java:795)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyValue(DefaultXmlBeanDefinitionParser.java:784)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyElement(DefaultXmlBeanDefinitionParser.java:722)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyElements(DefaultXmlBeanDefinitionParser.java:621)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:464)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:432)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertySubElement(DefaultXmlBeanDefinitionParser.java:795)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyValue(DefaultXmlBeanDefinitionParser.java:784)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyElement(DefaultXmlBeanDefinitionParser.java:722)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyElements(DefaultXmlBeanDefinitionParser.java:621)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:464)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:432)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertySubElement(DefaultXmlBeanDefinitionParser.java:795)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyValue(DefaultXmlBeanDefinitionParser.java:784)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyElement(DefaultXmlBeanDefinitionParser.java:722)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parsePropertyElements(DefaultXmlBeanDefinitionParser.java:621)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:464)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:432)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitions(DefaultXmlBeanDefinitionParser.java:347)

 at
 org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.registerBeanDefinitions(DefaultXmlBeanDefinitionParser.java:197)

 at
 

Re: [Acegisecurity-developer] JAAS Integration - JBoss hijacking?

[Ray Krueger]

Benjamin, you posted this thread once already. Myself and some others
already replied.
Please read the replies to your previous post.

On 7/20/06, Benjamin Brown [EMAIL PROTECTED] wrote:
 Hi,

 I'm new to Acegi but I understand the basic concepts well enough to
 configure it with our Spring based webapp.

 I'm having a particular problem with JAAS and Kerberos integration - it
 appears our JBoss application server is possibly hijacking
 authentication calls by JAAS but I'm unsure why. Its looking for a
 users/passwords/role file despite being configured to use Kerberos, not
 a dao setup. Does anyone know how to prevent this?

 Any pointers would be greatly appreciated,

 Benjamin

 Here's the relevant part of the log:

 17:28:40,625 ERROR [UsersRolesLoginModule] Failed to load
 users/passwords/role files
 java.io.IOException: Properties file users.properties not found
 at
 org.jboss.security.auth.spi.UsersRolesLoginModule.loadProperties(UsersRolesLoginModule.java:217)
 at
 org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:234)
 at
 org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:100)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at
 sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at
 sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:662)
 at
 javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
 at java.security.AccessController.doPrivileged(Native Method)
 at
 javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
 at
 org.acegisecurity.providers.jaas.JaasAuthenticationProvider.authenticate(JaasAuthenticationProvider.java:162)

 Here's the JAAS config:

 JAASTest {
   com.sun.security.auth.module.Krb5LoginModule required debug=true;
 };

 Here's the relevant parts of the applicationContext-acegi-security.xml
 (kerberos bean is an initializing bean to simply set the relevant
 java.security properties for kerberos on startup) :

 bean id=authenticationManager
 class=org.acegisecurity.providers.ProviderManager
 property name=providers
 list
 ref bean=jaasAuthenticationProvider/
 /list
 /property
 /bean

 bean id=jaasAuthenticationProvider
 class=org.acegisecurity.providers.jaas.JaasAuthenticationProvider
 property
 name=loginConfigvalue/WEB-INF/login.conf/value/property
 property name=loginContextNamevalueJAASTest/value/property
 property name=callbackHandlers
 list
 bean
 class=org.acegisecurity.providers.jaas.JaasNameCallbackHandler/
 bean
 class=org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler/
   /list
   /property
   property name=authorityGranters
   list
 !-- NOTE OUR ACTUAL PACKAGE NAMES REMOVED FROM THE
 EXAMPLE --
   bean
 class=OURPACKAGE.security.PrincipalRoleAuthorityGranter/
   /list
   /property
 /bean

 !-- NOTE OUR ACTUAL REALM, PACAKAGE AND KDC REMOVED FROM THE
 EXAMPLE --
 bean id=kerberosBean class=OURPACKAGE.security.KerberosBean
 property name=realm value=OURREALM.COM/
 property name=kdc value=OURKDC/
property name=debug value=false/
 /bean

 -
 Take Surveys. Earn Cash. Influence the Future of IT
 Join SourceForge.net's Techsay panel and you'll get the chance to share your
 opinions on IT  business topics through brief surveys -- and earn cash
 http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Patch to fix get header on tomcat

[Ray Krueger]

Thanks for the patch, I have applied it.


On 7/12/06, Nadeem Bitar [EMAIL PROTECTED] wrote:
 Hi,

 Can an Acegi developer kindly review the patch [1] that fixes a bug in
 retrieving headers from a request on tomcat, and hopefully incorporate
 it.

 Thanks,

 Nadeem


 [1] http://opensource.atlassian.com/projects/spring/browse/SEC-308



 -
 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] ACEGI patch to support AJAX

[Ray Krueger]

Hey Brian! Good to hear from ya...
And definitely glad to have you tinkering with some new stuff for
Acegi. I personally would love to have a look at your ideas. Any
chance you could create a Jira at
http://opensource.atlassian.com/projects/spring/browse/SEC and attach
your code there. Then any one of us can look at integrating it into
the code base.

Thanks!

On 7/6/06, Brian Pontarelli [EMAIL PROTECTED] wrote:
 Hello all,

 There have beean a few emails go between me and Ben Alex regarding ACEGI
 and support for AJAX. I have completed a patch on the 1.1 SNAPSHOT line
 that allows AJAX integration with ACEGI. This patch mostly adds
 additional configuration properties for AJAX URLs and also leverages
 regular expressions to match incoming URLs to determine which URLs are
 AJAX and which aren't. I also added a new authentication URL for
 handling AJAX authentication. The reason I added all of these parameters
 is essentially so that I can leverage forwards of the HTTP Servlet
 Request rather than redirects such that HTML content, JSON or XML
 generated from a JSP or servlet can be sent back to an AJAX request and
 the browser can handle it without worrying about 302 response codes.

 Ideally I would like to give this patch back to ACEGI so that I'm not
 maintaining a fork. The code when complete will be fully unit tested and
 deployed to a production website (https://www.naymz.com). If anyone
 would like to discuss the finer points about a possible patch to the
 source tree let me know. Or if anyone wants to look over the code and
 discuss it in detail that's fine as well.

 Thanks,
 -bp

 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Java Appliaction + Spring httpinvoker authentication

[Ray Krueger]

Luke was replying to the original email Zoran.

Your email was definitely not the issue :)


On 7/6/06, Zoran Regvart [EMAIL PROTECTED] wrote:
 Hi,

 On 7/6/06, Luke Taylor [EMAIL PROTECTED] wrote:
  Please post user questions in the forum, not the dev mailing list.

 sorry about that, do I need to repost my answer to the forum?

  P.S. Whatever your opinion, if you are asking for help in using an OS
  project, you are much more likely to get it if you steer clear of terms
  like CRAP! and rubbish when describing it.

 you seem to be misdirected here... :)

 zoran

 Using Tomcat but need to do more? Need to support web services, security?
 Get stuff done quickly with pre-integrated technology to make your job easier
 Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Authentication required but no role

[Ray Krueger]

One option is to always grant users a role like ROLE_AUTHENTICATED
when they log in. Then you protect those areas with that
ROLE_AUTHENTICATED role. This role wouldn't exist in your user
maintenance screens and what not.

For instance, if you're using the DaoAuthenticationProvider and
JdbcDaoImpl; you would extend JdbcDaoImpl and override the
addCustomAuthorities method. In your method you always add the
ROLE_AUTHENTICATED role to the list.

Hope that helps.

On 6/12/06, Seth Stankowski [EMAIL PROTECTED] wrote:
 Within Acegi is there a way to protect a URL in a way that requires
 authentication but doesn't require a specific role to access?  I have
 an application which requires users to login and then access different
 things depending on their role.  One section of the application,
 Manage Account, I would like to be accessible to any authenticated
 user so I don't have to manage a role for this specific section.  Is
 this possible using Acegi?  I've tried different things with the
 FilterSecurityInterceptor and role voter but can't see to get it.

 Thanks,
 Seth


 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Authentication required but no role

[Ray Krueger]

Good call Scott, I didn't even realize we had such a thing :)

On 6/13/06, Scott Battaglia [EMAIL PROTECTED] wrote:
 Would something like this help?
 http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/vote/AuthenticatedVoter.html

 -Scott

 Ray Krueger wrote:

 One option is to always grant users a role like ROLE_AUTHENTICATED
 when they log in. Then you protect those areas with that
 ROLE_AUTHENTICATED role. This role wouldn't exist in your user
 maintenance screens and what not.
 
 For instance, if you're using the DaoAuthenticationProvider and
 JdbcDaoImpl; you would extend JdbcDaoImpl and override the
 addCustomAuthorities method. In your method you always add the
 ROLE_AUTHENTICATED role to the list.
 
 Hope that helps.
 
 On 6/12/06, Seth Stankowski [EMAIL PROTECTED] wrote:
 
 
 Within Acegi is there a way to protect a URL in a way that requires
 authentication but doesn't require a specific role to access?  I have
 an application which requires users to login and then access different
 things depending on their role.  One section of the application,
 Manage Account, I would like to be accessible to any authenticated
 user so I don't have to manage a role for this specific section.  Is
 this possible using Acegi?  I've tried different things with the
 FilterSecurityInterceptor and role voter but can't see to get it.
 
 Thanks,
 Seth
 
 
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
 
 
 
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 


 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] 1.0.1 patch release?

[Ray Krueger]

I just locally changed my project.xml to use Spring 1.2.6 and 1.2.8. I
ran full test runs against both. Everything looks good.

The constructor signature for MockFilterConfig from spring-mock
changed which caused compilation failures with 1.2.8. That really only
effects the unit tests. I updated the two tests that use that class so
that they are compatible with both versions. I'll commit both of those
changes (again, just the unit tests are changing).

I propose we all refrain from committing anything and encourage people
to use the snapshot till we can get a signed release out.

-Ray


On 6/10/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
 I could roll out a release. The only problem I can think about is that
 the jars won't be signed. Ben used do do this.

 On 6/10/06, Matt Raible [EMAIL PROTECTED] wrote:
  On 6/9/06, Luke Taylor [EMAIL PROTECTED] wrote:
  
   I'm not sure a release will be possible until Ben gets back from Europe.
  
   There are always the nightly builds until then, if people need a quick 
   fix.
 
  Isn't it possible for someone else to roll a release?  It's probably a
  good time to contact Ben to see how he does it and designate another
  release manager in his absense.  There's nothing worse than reaching
  the illustrious 1.0 and then have it be broken for a month. ;-)
 
  Matt
 
  
  
   Ray Krueger wrote:
OK so, 1.0.0 did not release well. The LDAP/Spring compatability
issue, and the NotSerializableException issue both warrant getting a
patch out asap I would think.
   
Unfortunately there hasn't been any talk about that. What's the plan 
here?
   
   
  
  
  
   --
 Luke Taylor.  Monkey Machine Ltd.
 PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
  
  
  
   ___
   Home: http://acegisecurity.org
   Acegisecurity-developer mailing list
   Acegisecurity-developer@lists.sourceforge.net
   https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
  
 
 
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 --
 I could give you my word as a Spaniard.
 No good. I've known too many Spaniards.
  -- The Princess Bride


 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] SEC-96 and backwards compatiblity

[Ray Krueger]

I looked at SEC-96
http://opensource.atlassian.com/projects/spring/browse/SEC-96 and
thought it would be an easy thing to jump on.
The refactoring is actually very beneficial, as the Md5 and Sha
PasswordEncoder classes were basically duplicates with one word
changed (yuck).

I've refactored that into a much more flexible situation, while
maintaining compatibility for the Md5PasswordEncoder and
ShaPasswordEncoder. The question I have though is about their super
class, BaseDigestPasswordEncoder. That class was originally abstract,
with a no constructor. I have made it regular class with a constructor
for the requried option, algorithm. This class can now be used
stand-alone if it was ever required of it.

As BaseDigestPasswordEncoder was an internal class, I don't think this
is a backwards compatibility issue. The two public api classes,
Md5PasswordEncoder and ShaPasswordEncoder, have not changed in
contract at all.

Any thoughts?


___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] SEC-96 and backwards compatiblity

[Ray Krueger]

Really, just scratch the thought. The BaseDigestPasswordEncoder is
simple enough in it's purpose that I can leave it alone and put all my
MessageDigest stuff in it's own subclass.

On 5/30/06, Ray Krueger [EMAIL PROTECTED] wrote:
 I looked at SEC-96
 http://opensource.atlassian.com/projects/spring/browse/SEC-96 and
 thought it would be an easy thing to jump on.
 The refactoring is actually very beneficial, as the Md5 and Sha
 PasswordEncoder classes were basically duplicates with one word
 changed (yuck).

 I've refactored that into a much more flexible situation, while
 maintaining compatibility for the Md5PasswordEncoder and
 ShaPasswordEncoder. The question I have though is about their super
 class, BaseDigestPasswordEncoder. That class was originally abstract,
 with a no constructor. I have made it regular class with a constructor
 for the requried option, algorithm. This class can now be used
 stand-alone if it was ever required of it.

 As BaseDigestPasswordEncoder was an internal class, I don't think this
 is a backwards compatibility issue. The two public api classes,
 Md5PasswordEncoder and ShaPasswordEncoder, have not changed in
 contract at all.

 Any thoughts?



___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Acegi Security 1.0.0 is released!

[Ray Krueger]

That should read: I saw that, should it have been 1.0.1 though?
mashed the send button mid-correction hehe.

On 5/31/06, Ray Krueger [EMAIL PROTECTED] wrote:
 I saw that, my should it have been 1.0.1 though?

 On 5/30/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
  I took the freedom also to tag the source tree and bump the pom
  versions to 1.1.0-SNAPSHOT
 
  On 5/30/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
   I'll take care of that
  
   On 5/30/06, Ray Krueger [EMAIL PROTECTED] wrote:
Can we get the maven repos updated?
Right now mvn compile fails because
org.acegisecurity:acegi-security-parent:pom:1.0.0 cannot be
downloaded.
   
On 5/30/06, Mark St.Godard [EMAIL PROTECTED] wrote:
 Hi Ben,

 The configuration was referencing net.sf... some of the config was
 moved over to org. however not all. Including the userdetails
 refactoring. Plus some of the JSPs were also referencing net.sf in
 page imports.

 I am running through and testing the app right now, currently failing
 on a call to getPrincipal from User object... I will fix it up, retest
 it, run the unit testing and check in the changes.

 Re: the tutorial app... yeah I noticed that .. very nice... much more
 concise config.

 I am usng Spring 2.0 and I am really digging the schema-based 
 config...

 I am also using MethodSecurityInterceptors using the new Aspect 
 pointcuts.
 Not sure if we should also include examples of usage using Spring 2.0?
 I assume we need to wait for it to go final.

 Uri is on it...Great, I'll keep my eyes posted for acegi:config  :)

 Cheers
 Mark

 On 5/30/06, Ben Alex [EMAIL PROTECTED] wrote:
  Mark St.Godard wrote:
   Just a note, Ben I will be updating the contacts-tiger sample 
   project,
   I noticed it was not converted over.  I will create an JIRA entry 
   for
   myself and update this tomorow.
  
  I just checked and it looked to me like it was built for 1.0.0. What
  specifically wasn't converted?
 
   Also with Spring 2.0, I noticed that a jira entry was created for
   namespace handlers, XSD support, etc..
  
  http://opensource.atlassian.com/projects/spring/browse/SEC-271 for 
  those
  interested.
 
   If you have someone to do this fine... otherwise I can take it 
   up...
   its something that I would really like to get in...  and reduce 
   some
   of the XML verbosity.
  
  
  Uri Boness has volunteered, but I'm unsure whether work has 
  commenced. I
  am happy for anyone to take a look at it who has sufficient time.
 
  As for verbose XML, I'd encourage people to take a look at the new
  tutorial sample, which is just 148 lines of XML. This includes 
  comments,
  whitespace and full support for form authentication, remember-me,
  anonymous and web request authorization. I think that's a pretty 
  good
  base given the features, but nevertheless it will be even less with
  SEC-271 improvements.
 
  Cheers
  Ben
 
 
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

   
   
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
   
  
  
   --
   I could give you my word as a Spaniard.
   No good. I've known too many Spaniards.
-- The Princess Bride
  
 
 
  --
  I could give you my word as a Spaniard.
  No good. I've known too many Spaniards.
   -- The Princess Bride
 
 
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 



___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] ldap blowing up after upgrade to 1.0 final

[Ray Krueger]

http://opensource.atlassian.com/projects/spring/browse/SEC-288

I made it a blocker for 1.0.1
This means that the 1078 people that have downloaded 1.0.0 to this
point cannot use Ldap correct?

On 5/31/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
 I'm afraid it's true. It no longer compiles under Spring 1.2.7.
 Something to log in JIRA for a 1.0.1.

 On 5/31/06, Ben Munat [EMAIL PROTECTED] wrote:
  Hi,
 
  We upgraded to the 1.0 final jar the other day and things worked fine on 
  our dev build,
  which uses an InMemoryDao implementation. However, last night we tried to 
  push out a build
  to the client and the context will no longer start due to a NoClassDefFound 
  in the Acegi
  code. (FilterBasedLdapUserSearch)
 
  I googled for the class -- 
  org/springframework/dao/EmptyResultDataAccessException -- and
  it's only in Spring 2.0! I hope 1.0 final hasn't presumed that people will 
  switch to
  Spring 2.0. Is there something I need to change ldap-wise when moving from 
  1.0 rc2 to 1.0
  final?
 
  Stacktrace below. Any help greatly appreciated. Heh, this was supposed to 
  be the real
  production deploy with the client hitting the system hard tomorrow morning 
  (and needing to
  do some admin setup today).
 
  thanks,
 
  Ben
 
  2006-05-31 00:34:15,900 INFO
  org.springframework.web.context.ContextLoader  - Root
  WebApplicationContext: initialization started
2006-05-31 00:34:15,902 INFO
  org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/totaltime]
- Loading Spring root WebApplicationContext
2006-05-31 00:34:15,952 INFO  org.springframework.core.CollectionFactory
  - JDK 1.4+ collections available
2006-05-31 00:34:15,962 INFO  org.springframework.core.CollectionFactory
  - Commons Collections 3.x available
2006-05-31 00:34:16,119 ERROR
  org.springframework.web.context.ContextLoader  - Context initialization
  failed
org.springframework.beans.factory.BeanDefinitionStoreException: Error
  registering bean with name 'userSearch' defined in ServletContext
  resource
  [/WEB-INF/config/acegi/fragments/ldapAuthenticationProviderCommon.xml]:
  Class that bean class
  [org.acegisecurity.ldap.search.FilterBasedLdapUserSearch] depends on not
  found; nested exception is java.lang.NoClassDefFoundError:
  org/springframework/dao/EmptyResultDataAccessException
  java.lang.NoClassDefFoundError:
  org/springframework/dao/EmptyResultDataAccessException
   at java.lang.Class.forName0(Native Method)
   at java.lang.Class.forName(Class.java:242)
   at org.springframework.util.ClassUtils.forName(ClassUtils.java:109)
   at
  org.springframework.beans.factory.support.BeanDefinitionReaderUtils.createBeanDefinition(BeanDefinitionReaderUtils.java:65)
   at
  org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:466)
   at
  org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitionElement(DefaultXmlBeanDefinitionParser.java:432)
   at
  org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitions(DefaultXmlBeanDefinitionParser.java:347)
   at
  org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.registerBeanDefinitions(DefaultXmlBeanDefinitionParser.java:197)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:295)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:223)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:173)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:148)
   at
  org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.importBeanDefinitionResource(DefaultXmlBeanDefinitionParser.java:374)
   at
  org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.parseBeanDefinitions(DefaultXmlBeanDefinitionParser.java:338)
   at
  org.springframework.beans.factory.xml.DefaultXmlBeanDefinitionParser.registerBeanDefinitions(DefaultXmlBeanDefinitionParser.java:197)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:295)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:223)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:173)
   at
  org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:148)
   at
  

[Acegisecurity-developer] maven tests fail

[Ray Krueger]

I pulled an update from Subversion, and executed the following...
cd core
maven test

The tests run and then build failed, test failures.

One thing I've always wanted to know, and I know Carlos is going to
have the quick answer on this...

Where is one supposed to go to see what tests failed? Scrolling back
through the console looking for FAILED is just lame, and impossible
given how many tests we have. The only output is a big pile of XML
files, no clue there.


___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Acegi Security 1.0.0 is released!

[Ray Krueger]

Can we get the maven repos updated?
Right now mvn compile fails because
org.acegisecurity:acegi-security-parent:pom:1.0.0 cannot be
downloaded.

On 5/30/06, Mark St.Godard [EMAIL PROTECTED] wrote:
 Hi Ben,

 The configuration was referencing net.sf... some of the config was
 moved over to org. however not all. Including the userdetails
 refactoring. Plus some of the JSPs were also referencing net.sf in
 page imports.

 I am running through and testing the app right now, currently failing
 on a call to getPrincipal from User object... I will fix it up, retest
 it, run the unit testing and check in the changes.

 Re: the tutorial app... yeah I noticed that .. very nice... much more
 concise config.

 I am usng Spring 2.0 and I am really digging the schema-based config...

 I am also using MethodSecurityInterceptors using the new Aspect pointcuts.
 Not sure if we should also include examples of usage using Spring 2.0?
 I assume we need to wait for it to go final.

 Uri is on it...Great, I'll keep my eyes posted for acegi:config  :)

 Cheers
 Mark

 On 5/30/06, Ben Alex [EMAIL PROTECTED] wrote:
  Mark St.Godard wrote:
   Just a note, Ben I will be updating the contacts-tiger sample project,
   I noticed it was not converted over.  I will create an JIRA entry for
   myself and update this tomorow.
  
  I just checked and it looked to me like it was built for 1.0.0. What
  specifically wasn't converted?
 
   Also with Spring 2.0, I noticed that a jira entry was created for
   namespace handlers, XSD support, etc..
  
  http://opensource.atlassian.com/projects/spring/browse/SEC-271 for those
  interested.
 
   If you have someone to do this fine... otherwise I can take it up...
   its something that I would really like to get in...  and reduce some
   of the XML verbosity.
  
  
  Uri Boness has volunteered, but I'm unsure whether work has commenced. I
  am happy for anyone to take a look at it who has sufficient time.
 
  As for verbose XML, I'd encourage people to take a look at the new
  tutorial sample, which is just 148 lines of XML. This includes comments,
  whitespace and full support for form authentication, remember-me,
  anonymous and web request authorization. I think that's a pretty good
  base given the features, but nevertheless it will be even less with
  SEC-271 improvements.
 
  Cheers
  Ben
 
 
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Ldap changes

[Ray Krueger]

The project I work on right now is fast approaching the security
phase. We are about 90% sure of LDAP right now. So I'm all for making
the LDAP support as solid as possible. The approaches you've described
would definitely allow the most flexibility. What Robert mentioned
about the diversity of LDAP implementations is definitely the biggest
hurdle.

I don't know what sort of schedule Ben has put forth for a 1.0
release, but the community is anxious for one. So if the LDAP
refactoring can happen without much delay to a release, have at it I
say.


On 5/9/06, Robert r. Sanders [EMAIL PROTECTED] wrote:

 I'm all for better, more reusable LDAP code.  I think the main issue with
LDAP is the variety of ways in which it can be configured and used; so
moving stuff into a template class as suggested would seem to make a lot of
sense.



 Luke Taylor wrote:
Hi all,

 I've got some changes I want to make to the LDAP code to address some
shortcomings which have come to light. I thought I'd run them past the list
so that those who are interested in LDAP in Acegi have a chance to comment.
I've moved the main content of this mail into a JIRA issue

http://opensource.atlassian.com/projects/spring/browse/SEC-264

 Comments, questions or better suggestions are welcome there or here on the
list.

 Luke.


 P.S. No comments about RC versions please. That boat's already sailed :).
I'd like to get the best working API we can come up with in place pre-1.0
rather than have to make changes in future versions. Bugs are another matter
and can be fixed in 1.0.1.





--
 Robert r. Sanders
 Chief Technologist
 iPOV
 (334) 821-5412
 www.ipov.net





---
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid0709bid3057dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Build from CVS checkout broken

[Ray Krueger]

Let's have a look at a somewhat lighter task.
Would you mind running maven java:compile from the core directory
and tell us if that compiles ok?

On 4/20/06, Richard Clark [EMAIL PROTECTED] wrote:
 I'm coming back to AGEGI after a hiatus, and I followed the instructions for
 a CVS checkout via maven (from
 http://acegisecurity.org/building.html)

 When I try to build via the instructions (cd core; maven jar:install), the
 build fails with 100 compile errors:

  java:compile:
  [echo] Compiling to
 /development/acegisecurity/core/target/classes
  [javac] Compiling 286 source files to
 /development/acegisecurity/core/target/classes
 
 /development/acegisecurity/core/src/main/java/org/acegisecurity/AcegiSecurityException.java:18:
 package  org.springframework.core does not exist
 import org.springframework.core.NestedRuntimeException;

 I had to use a snapshot last time (due to CVS problems), so:
 1) Which snapshot will build?
 2) Is there a plan for fixing the build problems?

 Frustratedly,

  ...RIchard






---
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid0709bid3057dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] Quest question about using LDAP

[Ray Krueger]

When using LDAP as an authentication source, where do you guys feel
the ROLEs belong? Should they be managed in LDAP by whatever LDAP
admin is in charge, or should the ROLEs be stored in the application
database and associated to some user table based on the LDAP username?

I thinki it is a design question that could go either way. I just
wanted to get some expert opinions.
-Ray


---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Subversion?

[Ray Krueger]

+1
Big fan

On 3/25/06, Matthew E. Porter [EMAIL PROTECTED] wrote:
 +1

 On Mar 25, 2006, at 7:46 AM, Mark St.Godard wrote:

  +1
 
  On 3/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  No concerns here.
  Scott
 
  -Original Message-
  From: Ben Alex [mailto:[EMAIL PROTECTED]
  Sent: Saturday, March 25, 2006 5:43 AM
  To: acegisecurity-developer@lists.sourceforge.net
  Subject: [Acegisecurity-developer] Subversion?
 
  Hi everyone
 
  SourceForge have recently modified their offering so we can
  migrate to SVN (without losing revision history) - see
  http://sourceforge.net/docman/display_doc.php?docid=31070grou
  p_id=1#import.
 
  I have also been using SVN recently and had good results. The
  Subclipse plugin at Update Manager URL
  http://subclipse.tigris.org/update_1.0.x
  works quite well.
 
  Does anyone have any concerns with the project migrating from
  CVS to SVN? If there aren't any objections, I'll make the
  change in about a week.
 
  Cheers
  Ben
 
 
 
  ---
  This SF.Net email is sponsored by xPML, a groundbreaking scripting
  language
  that extends applications into web and mobile media. Attend the
  live webcast
  and join the prime developer group breaking into this new coding
  territory!
  http://sel.as-us.falkag.net/sel?
  cmd=lnkkid=110944bid=241720dat=121642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 
 
 
  ---
  This SF.Net email is sponsored by xPML, a groundbreaking scripting
  language
  that extends applications into web and mobile media. Attend the
  live webcast
  and join the prime developer group breaking into this new coding
  territory!
  http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



 ---
 This SF.Net email is sponsored by xPML, a groundbreaking scripting language
 that extends applications into web and mobile media. Attend the live webcast
 and join the prime developer group breaking into this new coding territory!
 http://sel.as-us.falkag.net/sel?cmdlnkkid0944bid$1720dat1642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] checking for invalid user accounts in AuthenticationProvider implementations

[Ray Krueger]

Heya Tim.
The JaasAuthenticationProvider doesn't use UserDetails at all. It uses
Jaas, and Jaas LoginModules. The JaasAuthenticationProvider
essentially leaves all the can this guy login? logic up to the
LoginModule, and then reacts to any LoginException that might be
thrown.

On 3/23/06, Tim Kettering [EMAIL PROTECTED] wrote:
 Hey all,

 Can someone (Ben?) explain if it is expected to check the various
 UserDetails states such as isAccountNonExpired(),
 isAccountNonLocked(), isCredentialsNonExpired(), and isEnabled() in a
 AuthenticationProvider?  This seems to be applied inconsistently...

 We had originally been using DaoAuthenticationProvider, which in its
 code does those checks, then we switched over to the
 JaasAuthenticationProvider and after seeing some logins that occured
 that shouldn't have occured, I tracked down the issue to
 JaasAuthenticationProvider not doing those checks at all.  Looking at
 CasAuthenticationProvider, this seems to not either.

 Maybe it'd be useful if those checks found in
 DaoAuthenticationProvider be made available as a pluggable component
 that other AuthenticationProviders can utilize?

 Thanks,

 -tim


 ---
 This SF.Net email is sponsored by xPML, a groundbreaking scripting language
 that extends applications into web and mobile media. Attend the live webcast
 and join the prime developer group breaking into this new coding territory!
 http://sel.as-us.falkag.net/sel?cmdlnkkid0944bid$1720dat1642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] CVS build failing due to test failures.

[Ray Krueger]

OK, let's start over here.
If I run maven -Dtestmatch=**/jaas/*Tests test:match from the core
directory, I get no failures for the jaas tests.

What command, and from what directory are you running the tests?



On 2/2/06, Luke Taylor [EMAIL PROTECTED] wrote:


 Ray Krueger wrote:
  hehe yeah that I knwew :P
  I was hoping Maven could be a little clearer on what class. I think
  it's the last one it's trying to Find NameComponentNormalizer. Would
  that be correct?
 

 That's the problem with the apacheds stuff...

 It's probably best to disable/ignore the LDAP tests for the time being.

 --
  Luke Taylor.  Monkey Machine Ltd.
  PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk



 ---
 This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
 for problems?  Stop!  Download the new AJAX search engine that makes
 searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=103432bid=230486dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnkkid3432bid#0486dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Sub classing JAAS provider implementation

[Ray Krueger]

Easy enough. Do you have a suggestion as to what properties should be
protected, or should have getters for?

On 2/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 It's a pity so many of the instance variables and methods in the JAAS
 Provider are declared private and aren't protected.
 I'd like to be able to sub-class some of it for a Kerberos Provider.
 The Sun GSS-API implementation uses the JAAS login modules under the hood
 for the initial TGT requests.  I'd prefer to not reinvent the wheel if
 possible.

 Anthony Geoghegan
  Framework Architect
  DeCare Systems Ireland,
  Building 1,
  University Technology Centre,
  Curraheen Road,
  Cork, Ireland
  phone: +353 21 4925 172
  fax: +353 21 4925 166
  web: http://www.decaresystems.ie
  blog: http://blog.decaresystems.ie/wordpress/


---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnkkid3432bid#0486dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] CVS build failing due to test failures.

[Ray Krueger]

I am trying to jump in and see why the Jaas tests would be failing,
but I cannot get Maven to play nice. Any ideas anyone? Carlos? *nudge
nudge*


[junit] [DEBUG] Finding class
org.apache.ldap.server.normalization.NormalizationService
[junit] [DEBUG] Finding class
org.apache.ldap.server.interceptor.BaseInterceptor
[junit] [DEBUG] Class
org.apache.ldap.server.interceptor.BaseInterceptor loaded from ant
loader
[junit] [DEBUG] Class
org.apache.ldap.server.normalization.NormalizationService loaded from
ant loader
[junit] [DEBUG] Class javax.naming.NamingEnumeration loaded from
parent loader
[junit] [DEBUG] Finding class org.apache.ldap.common.filter.FilterVisitor
[junit] [DEBUG] Class org.apache.ldap.common.filter.FilterVisitor
loaded from ant loader
[junit] [DEBUG] Finding class
org.apache.ldap.common.name.NameComponentNormalizer
popping off [EMAIL PROTECTED] for
[EMAIL PROTECTED] in
maven-java-plugin:maven-
java-plugin
popping off [EMAIL PROTECTED] for
[EMAIL PROTECTED] in
maven-antlr-plugin:mave
n-antlr-plugin
popping off [EMAIL PROTECTED] for
[EMAIL PROTECTED] in
maven-test-plugin:maven-
test-plugin
popping off [EMAIL PROTECTED] for
[EMAIL PROTECTED] in
org.acegisecurity:acegi-s
ecurity

BUILD FAILED
File.. C:\Documents and
Settings\rkrueger\.maven\cache\maven-test-plugin-1.6.2\plugin.jelly
Element... junit
Line.. 133
Column 41
java.lang.NoClassDefFoundError





On 1/31/06, Luke Taylor [EMAIL PROTECTED] wrote:
 Hi,

 The LDAP tests are failing because of changes in the ApacheDS snaphots
 which the provider uses as an embedded server for testing.

 I've been discussing their planned release with them, which should be
 out this week. Once it appears I'll modify the build to use it so that
 we have something stable to test against.

 You can skip the tests by running with maven -Dmaven.test.skip.
 Alternatively, you can set up the tests to point to an external server
 by uncommenting the appropriate lines in the base class for the Ldap
 tests (AbstractLdapServerTestCase, or whatever). I've attached a copy of
 the test data. It also expects to have an admin user with username
 manager and password acegisecurity available.

 cheers,

 Luke.

 --
  Luke Taylor.  Monkey Machine Ltd.
  PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk



 version: 1
 dn: dc=acegisecurity,dc=org
 objectClass: dcObject
 objectClass: organization
 dc: acegisecurity
 description: Acegi Security (Test LDAP DIT)
 o: Monkey Machine Ltd.

 dn: ou=people,dc=acegisecurity,dc=org
 objectClass: organizationalUnit
 description: All people in organisation
 ou: people

 dn: cn=Ben Alex,ou=people,dc=acegisecurity,dc=org
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
 cn: Ben Alex
 ou:: 5a6J5YWo
 sn: Alex
 uid: Ben
 userPassword:: e1NIQX1uRkNlYldqeGZhTGJISEcxUWs1VVU0dHJidlE9

 dn: uid=bob,ou=people,dc=acegisecurity,dc=org
 objectClass: inetOrgPerson
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
 cn: Bob Hamilton
 sn: Hamilton
 uid: bob
 userPassword:: Ym9ic3Bhc3N3b3Jk

 dn: ou=groups,dc=acegisecurity,dc=org
 objectClass: top
 objectClass: organizationalUnit
 ou: groups

 dn: cn=developers,ou=groups,dc=acegisecurity,dc=org
 objectClass: groupOfNames
 objectClass: top
 cn: developers
 description: Acegi Security Developers
 member: uid=bob,ou=people,dc=acegisecurity,dc=org
 member: cn=ben alex,ou=people,dc=acegisecurity,dc=org
 o: Acegi Security System for Spring
 ou: developer

 dn: cn=managers,ou=groups,dc=acegisecurity,dc=org
 objectClass: groupOfNames
 objectClass: top
 cn: managers
 member: cn=ben alex,ou=people,dc=acegisecurity,dc=org
 ou: manager






---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnkkid3432bid#0486dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] CVS build failing due to test failures.

[Ray Krueger]

Good Point,
Anythony, can you post this log file please?
{acegisourcecode}/core/target/test-reports/TEST-org.acegisecurity.providers.jaas.JaasAuthenticationProviderTests.xml

Carlos any idea what that ClassDefNotFound is from? Just so I
understand how to read that next time.


On 2/1/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
 The test output is in the target folder test-reports or something like that

 On 2/1/06, Ray Krueger [EMAIL PROTECTED] wrote:
  I am trying to jump in and see why the Jaas tests would be failing,
  but I cannot get Maven to play nice. Any ideas anyone? Carlos? *nudge
  nudge*
 
 
  [junit] [DEBUG] Finding class
  org.apache.ldap.server.normalization.NormalizationService
  [junit] [DEBUG] Finding class
  org.apache.ldap.server.interceptor.BaseInterceptor
  [junit] [DEBUG] Class
  org.apache.ldap.server.interceptor.BaseInterceptor loaded from ant
  loader
  [junit] [DEBUG] Class
  org.apache.ldap.server.normalization.NormalizationService loaded from
  ant loader
  [junit] [DEBUG] Class javax.naming.NamingEnumeration loaded from
  parent loader
  [junit] [DEBUG] Finding class 
  org.apache.ldap.common.filter.FilterVisitor
  [junit] [DEBUG] Class org.apache.ldap.common.filter.FilterVisitor
  loaded from ant loader
  [junit] [DEBUG] Finding class
  org.apache.ldap.common.name.NameComponentNormalizer
  popping off [EMAIL PROTECTED] for
  [EMAIL PROTECTED] in
  maven-java-plugin:maven-
  java-plugin
  popping off [EMAIL PROTECTED] for
  [EMAIL PROTECTED] in
  maven-antlr-plugin:mave
  n-antlr-plugin
  popping off [EMAIL PROTECTED] for
  [EMAIL PROTECTED] in
  maven-test-plugin:maven-
  test-plugin
  popping off [EMAIL PROTECTED] for
  [EMAIL PROTECTED] in
  org.acegisecurity:acegi-s
  ecurity
 
  BUILD FAILED
  File.. C:\Documents and
  Settings\rkrueger\.maven\cache\maven-test-plugin-1.6.2\plugin.jelly
  Element... junit
  Line.. 133
  Column 41
  java.lang.NoClassDefFoundError
 
 
 
 
 
  On 1/31/06, Luke Taylor [EMAIL PROTECTED] wrote:
   Hi,
  
   The LDAP tests are failing because of changes in the ApacheDS snaphots
   which the provider uses as an embedded server for testing.
  
   I've been discussing their planned release with them, which should be
   out this week. Once it appears I'll modify the build to use it so that
   we have something stable to test against.
  
   You can skip the tests by running with maven -Dmaven.test.skip.
   Alternatively, you can set up the tests to point to an external server
   by uncommenting the appropriate lines in the base class for the Ldap
   tests (AbstractLdapServerTestCase, or whatever). I've attached a copy of
   the test data. It also expects to have an admin user with username
   manager and password acegisecurity available.
  
   cheers,
  
   Luke.
  
   --
Luke Taylor.  Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
  
  
  
   version: 1
   dn: dc=acegisecurity,dc=org
   objectClass: dcObject
   objectClass: organization
   dc: acegisecurity
   description: Acegi Security (Test LDAP DIT)
   o: Monkey Machine Ltd.
  
   dn: ou=people,dc=acegisecurity,dc=org
   objectClass: organizationalUnit
   description: All people in organisation
   ou: people
  
   dn: cn=Ben Alex,ou=people,dc=acegisecurity,dc=org
   objectClass: inetOrgPerson
   objectClass: organizationalPerson
   objectClass: person
   objectClass: top
   cn: Ben Alex
   ou:: 5a6J5YWo
   sn: Alex
   uid: Ben
   userPassword:: e1NIQX1uRkNlYldqeGZhTGJISEcxUWs1VVU0dHJidlE9
  
   dn: uid=bob,ou=people,dc=acegisecurity,dc=org
   objectClass: inetOrgPerson
   objectClass: organizationalPerson
   objectClass: person
   objectClass: top
   cn: Bob Hamilton
   sn: Hamilton
   uid: bob
   userPassword:: Ym9ic3Bhc3N3b3Jk
  
   dn: ou=groups,dc=acegisecurity,dc=org
   objectClass: top
   objectClass: organizationalUnit
   ou: groups
  
   dn: cn=developers,ou=groups,dc=acegisecurity,dc=org
   objectClass: groupOfNames
   objectClass: top
   cn: developers
   description: Acegi Security Developers
   member: uid=bob,ou=people,dc=acegisecurity,dc=org
   member: cn=ben alex,ou=people,dc=acegisecurity,dc=org
   o: Acegi Security System for Spring
   ou: developer
  
   dn: cn=managers,ou=groups,dc=acegisecurity,dc=org
   objectClass: groupOfNames
   objectClass: top
   cn: managers
   member: cn=ben alex,ou=people,dc=acegisecurity,dc=org
   ou: manager
  
  
  
  
 
 
  ---
  This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
  for problems?  Stop!  Download the new AJAX search engine that makes
  searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
  http://sel.as-us.falkag.net/sel?cmdlnkkid3432bid#0486dat1642
  ___
  Home: http://acegisecurity.org
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https

Re: [Acegisecurity-developer] New LDAP stuff

[Ray Krueger]

Awesome.
Brandon please have a look at Luke's docs as soon as they are up if
you can, that would be a huge help.

I have several people from different teams at my company asking me
about Acegi and LDAP right now. They're pretty excited, but
unfortunately I'm stuck yammering and hand-waiving about the LDAP
support hehe.

Thanks guys

On 1/31/06, Luke Taylor [EMAIL PROTECTED] wrote:
 Hi,

 I already have quite a bit of documentation written. I'll let you know
 when it's in CVS for review and you could perhaps make some suggestions
 then. it should also appear on the web site via the automated build
 (easier to read than the XML :) ).

 Luke.

 Brandon Keepers wrote:
  I would be willing to do this if you wanted some help.  I've been using
  the new LDAP code extensively in the last month.  If anyone else is
  already working on this, just let me know.  Otherwise I'll get started
  on it in the next day or so.
 
  Brandon
 


 --
  Luke Taylor.  Monkey Machine Ltd.
  PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk



 ---
 This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
 for problems?  Stop!  Download the new AJAX search engine that makes
 searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=103432bid=230486dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnkkid3432bid#0486dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] New LDAP stuff

[Ray Krueger]

Hey guys, where can I point someone to if they wanted to read about
LDAP support?

I see the org.acegisecurity.providers.ldap package in the javadocs in
the site; but that is the old stuff isn't it?


---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnkkid3432bid#0486dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] New LDAP stuff

[Ray Krueger]

Cool, that's what I hoped you would say.

Now write some reference material! :P

On 1/30/06, Luke Taylor [EMAIL PROTECTED] wrote:


 Ray Krueger wrote:
  Hey guys, where can I point someone to if they wanted to read about
  LDAP support?
 
  I see the org.acegisecurity.providers.ldap package in the javadocs in
  the site; but that is the old stuff isn't it?
 
 

 Hi Ray,

 No, the non-sandbox stuff is up-to-date. There's also an example in the
 contacts directory and quite a bit of information in recent forum posts.

 cheers,

 Luke.


 --
  Luke Taylor.  Monkey Machine Ltd.
  PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk



 ---
 This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
 for problems?  Stop!  Download the new AJAX search engine that makes
 searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=103432bid=230486dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnkkid3432bid#0486dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Siteminder / Acegi 0.9.0 integration

[Ray Krueger]

That is actually just an overly verbose DEBUG statement if you look.

If your Siteminder integration is actually working I would turn off
DEBUG SecurityEnforcementFilter in log4j.

On 1/19/06, Garvey, Paul M (GE Commercial Finance) [EMAIL PROTECTED] wrote:



 Help!,
  I am having a hard time getting Acegi to work with Siteminder I am getting
 the following error shown below.
  I am using appfuse 1.8.2 and deploying my app to JBoss 4.0.0
 net.sf.acegisecurity.event.authorization.AuthenticationCredentialsNotFoundEvent[source=FilterInvocation:
 URL: /mainMenu.html]

 2006-01-18 17:53:18,864 DEBUG
 [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter]
 Authentication exception occurred; redirecting to authentication entry point

 net.sf.acegisecurity.AuthenticationCredentialsNotFoundException:
 Authentication credentials were not found in the SecurityContext

 at
 net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:478)
 at
 net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:377)
 at
 net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:105)
  at
 net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:197)
  at
 net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
  at
 net.sf.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:50)

 at
 net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
  at
 net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:220)

 at
 net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
  at
 net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
  at
 net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:120)
  at
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
  at
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
  at
 org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:75)
  at
 org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
  at
 org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
  at
 org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
  at
 org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
  at
 org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
  at
 org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
  at
 org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
  at
 org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
  at
 org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:44)
  at
 org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
  at
 org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:169)
  at
 org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
  at
 org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
  at
 org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
  at
 org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
  at
 org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
  at
 org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
  at
 org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
  at
 org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  at
 org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
  at
 org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
  at
 org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
  at
 org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
  at
 org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:300)
  at
 org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:374)
  at
 org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:743)
  at
 org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:675)
  at
 org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:866)
  at
 org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
  at java.lang.Thread.run(Thread.java:534)
 I have the following beans based on the the 

Re: [Acegisecurity-developer] Proposal: Rename AuthenticationDao interface

[Ray Krueger]

lol Sorry Scott :)
When Ben puts it like that I gotta agree hehe.
+1

On 11/17/05, Dmitriy Kopylenko [EMAIL PROTECTED] wrote:
  +1 also

  Darrell Kundel wrote:
  +1

 I support the change, it makes more sense to me.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf
 Of Ben Alex
 Sent: Thursday, November 17, 2005 9:23 AM
 To: acegisecurity-developer@lists.sourceforge.net
 Subject: Re: [Acegisecurity-developer] Proposal: Rename
 AuthenticationDao interface

 Ray Krueger wrote:


  You currently have an AuthenticationDao that successfully returns a
 UserDetails instance that is built up by your four database scheme
 now, correct? The whole point of the AuthenticationDao is to build a
 UserDetails instance, by whatever means necessary. So, no, users like
 you should do exactly what you're doing. I don't see a reason for you
 two implement a new AuthenticationProvider, unless the
 DaoAuthenticationProvider is not meeting you're needs.



 The one and only method defined by AuthenticationDao is:

  public UserDetails loadUserByUsername(String username) throws
 UsernameNotFoundException, DataAccessException;

 AuthenticationDao is used variously within the system:

 Implementation: JdbcDaoImpl
 Implementation: InMemoryDaoImpl
 User: DaoAuthenticationProvider
 User: DaoCasAuthoritiesPopulator
 User: DaoX509AuthoritiesPopulator
 User: DigestProcessingFilter
 User: TokenBasedRememberMeServices
 User: SwitchUserProcessingFilter

 AuthenticationDao is presently found in the
 org.acegisecurity.providers.dao package. Given only the first three
 classes above are actually in that package or a subpackage, perhaps
 AuthenticationDao should be moved to a higher-level package to reflect
 its broader use in five other areas of the framework. We faced a similar

 transition for UserDetails itself, from the DAO package to the top-level

 package for a similar reason.

 Whilst it's mostly semantics, the other side is clarifying relationships

 and scope of services within the framework. Perhaps we should rename
 org.acegisecurity.providers.dao.AuthenticationDao to
 org.acegisecurity.UserDetailsService. It will mean that
 most users have
 to make a fairly minor change
  to the interface they're implementing in their AuthenticationDao
 implementations, but aside from that it will be transparent. If we do
 this, it might even be better to make an org.acegisecurity.userdetails
 package, to hold UserDetails, User, UserDetailsService and the two
 implementations listed above. At least we'd be emphasising these
 classes can be used anywhere within the framework or by your code - not

 just for DaoAuthenticationProvider.

 Anyhow, I note the current responses consider this mostly a semantics
 issue, but I tend to see where Scott's coming from regarding clarifying
 architectural use and layering. We can make these moves with losing
 revision history (I feel game - I'll log another SF CVS job! :-) ). And
 users are already going to be *having* to change the import of their
 AuthenticationDao implementations anyway, due to the package rename in
 SEC-104.

 Thoughts?

 Cheers
 Ben


 ---
 This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
 Register for a JBoss Training Course. Free Certification Exam
 for All Training Attendees Through End of 2005. For more info visit:
 http://ads.osdn.com/?ad_id=7628alloc_id=16845op=click
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



 ---
 This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
 Register for a JBoss Training Course. Free Certification Exam
 for All Training Attendees Through End of 2005. For more info visit:
 http://ads.osdn.com/?ad_idv28alloc_id845op=click
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer





---
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28alloc_id845op=click
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Proposal: Rename AuthenticationDao interface

[Ray Krueger]

You currently have an AuthenticationDao that successfully returns a
UserDetails instance that is built up by your four database scheme
now, correct? The whole point of the AuthenticationDao is to build a
UserDetails instance, by whatever means necessary. So, no, users like
you should do exactly what you're doing. I don't see a reason for you
two implement a new AuthenticationProvider, unless the
DaoAuthenticationProvider is not meeting you're needs.

On 11/16/05, Scott McCrory [EMAIL PROTECTED] wrote:


  Ray Krueger wrote:
  I do sort of see your point Scott, but I have to agree with Mark here.
  AuthenticationDao may not be the best name, but it isn't the service.
  I could see the ProviderManager as a service, or even the
  AuthenticationProvider, but not the AuthenticationDao.
 
  Either way, I think the naming of AuthenticationDao is some what of a
  semantic issue, and renaming it would have pretty far reaching effect
  for little gain. My vote, if this is one hehe, would be no as well.

 I'm OK with No if users like me really should be implementing
 AuthenticationProvider instead of AuthenticationDao whenever they need to
 hit more than one data source.  Can someone comment to that?

 Quoting Scott Battaglia [EMAIL PROTECTED]:
  Not to suggest any more renaming, but is the Authentication part of
  AuthenticationDao even appropriate? :-)  In the case of someone using
  CAS, the AuthenticationDao is really being used for Authorization.
  By virtue of using CAS, you are already authenticated.

 Yea, but then again it _is_ acting as a steward for the pre-authenticated
 user.  I envision this as a buddy getting you a free ticket at a concert.
 He is trusted by the band and he already knows (has authenticated) you.  The
 authentication happened before getting to the gates, but he did do it
 nonetheless.

 Scott



---
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28alloc_id845op=click
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] How to unsubscribe this list??

[Ray Krueger]

Which means he probably didn't get that message :P

On 11/10/05, Ben Alex [EMAIL PROTECTED] wrote:
 I have subscribed you.

 Marcelo Alcantara wrote:

 Hi,
 
 Somebody can help on how to unsubscribe this list??
 
 Thanks in advance.
 
 Maralc
 
 --
 
 Marcelo Alcantara
 Senior Developer/Architect
 [EMAIL PROTECTED]
 +55 11 81968823
 
 



 ---
 SF.Net email is sponsored by:
 Tame your development challenges with Apache's Geronimo App Server. Download
 it for free - -and be entered to win a 42 plasma tv or your very own
 Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
 ___
 Home: http://acegisecurity.sourceforge.net
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42 plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors

[Ray Krueger]

Tiny URL version: http://tinyurl.com/8zhka


On 11/7/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Oliver,
 Very, very interesting - excellent find.  I have several things to
 test tomorrow.
 Scott

  -Original Message-
  From: Oliver Hutchison [mailto:[EMAIL PROTECTED]
  Sent: Monday, November 07, 2005 11:13 PM
  To: acegisecurity-developer@lists.sourceforge.net
  Subject: RE: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors
 
  Looks like this you hit this:
 
  http://groups.google.com/groups?hl=delr=ie=UTF-8oe=UTF-8th
 readm=3F84
  200E.4060207%40profitsoftware.comrnum=1prev=/groups%3Fq%3D%2
 52Binherit
  ablethreadlocal%2Bnullpointerexception%26ie%3DUTF-8%26oe%3DUTF
 -8%26hl%3D
  de
  http://groups.google.com/groups?hl=delr=ie=UTF-8oe=UTF-8t
 hreadm=3F8
  4200E.4060207%40profitsoftware.comrnum=1prev=/groups%3Fq%3D%
  252Binheri
  tablethreadlocal%2Bnullpointerexception%26ie%3DUTF-8%26oe%3DUT
 F-8%26hl%3
  Dde
 
  HTH
 
  Ollie
 
  
 
From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]
  On Behalf Of Mark St.Godard
Sent: Tuesday, 8 November 2005 2:46 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Acegi 0.8.3 to
  0.9.0 errors
 
 
I dont think its in the Assert...from the stackTrace it
  looks like it is getting into the contextHolder.set( ) when it NPEs
 
I use Websphere 6 and Tomcat 5.5 ... I will also
  upgrade to 0.9 tomorow and see if it
displays the appropriate behavior.
 
Cheers,
Mark
 
On 11/7/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 
Hi Mark and Ben,
I'm using WSAD 5.1 with its built-in
  Websphere 5.0 Test Environment on Windows XP Pro, then
  deploying to a Websphere Application Server 5.0 instance on
  Windows 2000 Server.  Websphere 5.0 is still widely used in
  the financial industry, and uses IBM's JDK 1.3.
  It isn't practical for me to test the app under Tomcat due to
  some classloading issue I haven't had time to debug, but I
  suspect it would work OK (as would running it within WAS
  6.0).  I'd be glad to switch the code back to ThreadLocal but
  I'm wondering if the Assert code might actually be the problem?
Thanks,
Scott
 
  
 
From: Mark St.Godard [mailto:[EMAIL PROTECTED] ]
Sent: Monday, November 07, 2005 9:34 PM
To: acegisecurity-developer@lists.sourceforge.net
  mailto:acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Acegi
  0.8.3 to 0.9.0 errors
 
 
 
Ben, Scott,
 
Scott what version of Websphere are you running?
  What JRE/JDK version?
 
Ben the code looks fine... seems
  abnormal for InheritableThreadLocal to NPE...
 
Scott, try without the InheritableTL or
  as Ben suggests try a different servlet container / appserver
  if you can.
 
Cheers,
Mark
 
On 11/7/05, Ben Alex [EMAIL PROTECTED] 
  wrote:
 
[EMAIL PROTECTED]
  mailto:[EMAIL PROTECTED] wrote:
 
 [11/7/05 15:24:43:513 EST] 5a6d5a6d
  WebGroup  E SRVE0026E:
 [Servlet Error]-[Filter
  [Acegi Filter Chain Proxy]: filter is
 unavailable.]:
  java.lang.NullPointerException
 at
  java.lang.Throwable.init(Throwable.java)
 at java.lang.Throwable
  .init(Throwable.java)
 at

  java.lang.NullPointerException.init(NullPointerException.java:63)
 at

  java.lang.InheritableThreadLocal.set(InheritableThreadLocal.java :95)
 at

  net.sf.acegisecurity.context.SecurityContextHolder.setContext(
  SecurityCo
  ntextHolder.java:58)

 at

  net.sf.acegisecurity.context.HttpSessionContextIntegrationFilt
  er.doFilte
  r (HttpSessionContextIntegrationFilter.java:207)


Very odd. If you look at the code for
  SecurityContextHolder:
 
   private static
  InheritableThreadLocal contextHolder = new
InheritableThreadLocal();
 
   public static void
  setContext(SecurityContext context) {
   Assert.notNull(context,
 

Re: [Acegisecurity-developer] Vote: Release 0.9.0

[Ray Krueger]

+1 for Tuesday

On 11/6/05, Ben Alex [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] wrote:

  Can I have until Tuesday to test 0.9.0-SNAPSHOT with our
  Siteminder-integrated application?  We additionally make extensive use
  of Authz tags and method interceptors and I'd like to run them through
  their paces first.
 
 Sure, we'll wait until Tuesday but in the meantime if others could
 please vote it would be appreciated. Scott, please post a follow-up when
 your testing is done.



 ---
 SF.Net email is sponsored by:
 Tame your development challenges with Apache's Geronimo App Server. Download
 it for free - -and be entered to win a 42 plasma tv or your very own
 Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
 ___
 Home: http://acegisecurity.sourceforge.net
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42 plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Preparing for 0.9.0

[Ray Krueger]

Hey Ben,
I jumped on http://opensource2.atlassian.com/projects/spring/browse/SEC-23
(Jaas Logout) even after we said we'd put it off till 1.0. I'll be
committing it shortly...




On 11/3/05, Ben Alex [EMAIL PROTECTED] wrote:
 Hi everyone

 CVS now contains pretty much all the tasks scheduled for 0.9.0. The
 roadmap is at:

 http://opensource2.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

 I'd be grateful if people using CVS could checkout and provide feedback
 on the changes / stability of the code over the next couple of days so
 that we can release.

 Cheers
 Ben


 ---
 SF.Net email is sponsored by:
 Tame your development challenges with Apache's Geronimo App Server. Download
 it for free - -and be entered to win a 42 plasma tv or your very own
 Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
 ___
 Home: http://acegisecurity.sourceforge.net
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42 plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] Problem checking out from CVS with Maven

[Ray Krueger]

I'm pretty sure the Maven scm plugin requires you to have the cvs
client in your path in order to check out from cvs. You'll need to
install the cvs client first.

For Windows:
http://www.march-hare.com/cvspro/#free
or
http://www.wincvs.org/



On 11/4/05, Carlos Sanchez [EMAIL PROTECTED] wrote:
 It works for me in maven 1.1-beta-2. Deprecated properties still work.

 On 11/4/05, Ballard, Ken [EMAIL PROTECTED] wrote:
  Hi,
 
  Someone I work with pointed out that the instructions for checking out Maven
  [http://www.acegisecurity.org/building.html] don't work. It might just be
  because the SCM plugin has deprecated maven.scm.method,
  maven.scm.cvs.module, maven.scm.method, and maven.scm.cvs.root. I tried to
  use other properties, but I don't have a CVS client (We use SVN and
  StarTeam). I think it would be a quick fix. I'll try to download a CVS
  client when I get a chance and try it with other properties.
 
  Thanks,
  Ken
 
 
  ---
  SF.Net email is sponsored by:
  Tame your development challenges with Apache's Geronimo App Server. Download
  it for free - -and be entered to win a 42 plasma tv or your very own
  Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
  ___
  Home: http://acegisecurity.sourceforge.net
  Acegisecurity-developer mailing list
  Acegisecurity-developer@lists.sourceforge.net
  https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
 


 ---
 SF.Net email is sponsored by:
 Tame your development challenges with Apache's Geronimo App Server. Download
 it for free - -and be entered to win a 42 plasma tv or your very own
 Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
 ___
 Home: http://acegisecurity.sourceforge.net
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42 plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer