RE: [Acegisecurity-developer] CVS changes + Preparing for 0.51

2004-05-23 Thread Ben Alex
 is it possible to upload 0.51, once released, to ibiblio for 
 maven builds.

I looked at Maven integration a few months back, but put it off due to a
lack of time. Is anyone out there willing to write a Maven build file for
Acegi Security?

Ben



---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149alloc_id=8166op=click
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


RE: [Acegisecurity-developer] CVS changes + Preparing for 0.51

2004-05-23 Thread Ben Alex

 Documentation generation is about the only thing I can think 
 of. Just to put it up on iBiblio requires only the jar file 
 produced by the ant build, you don't need Maven for that...

OK, will we be uploading as per
http://maven.apache.org/repository-upload.html? In that case, what do we put
in the project.xml?





RE: [Acegisecurity-developer] Standards-based Access Control (XACML, RBAC)

2004-05-26 Thread Ben Alex
 have you considered providing XACML and RBAC support in Acegi?

I did look at similar standards during the design phase of Acegi. Not all of
them, but certainly quite a few.

I ended up going with a solution that would fit our internal needs but be
reasonably extensible/pluggable. I'd certainly welcome code from the
community which illustrates these alternative approaches and how they might
plug into Acegi Security.

Best regards
Ben





[Acegisecurity-developer] Acegi Security - new release 0.51

2004-06-06 Thread Ben Alex
Dear Spring Community

I'm pleased to announce the Acegi Security System for Spring release 0.51 is
now available from http://acegisecurity.sourceforge.net. The project
provides comprehensive security services for The Spring Framework.

FEATURES:

* It is ready NOW
* Easy to use and deploy (includes a new samples/quick-start directory)
* Enterprise-wide single sign on (via Yale Uni's CAS project)
* Reuses your Spring expertise
* Non-intrusive setup
* Full (but optional) container integration
* Keeps your objects free of security code
* Secures your HTTP requests as well (regular expressions, Ant Paths etc)
* Channel security (HTTPS/HTTP auto redirection etc)
* Supports HTTP BASIC authentication (RFC 1945)
* Convenient security taglib
* Application context or attribute-based configuration
* Various authentication backends (including JDBC)
* Event support
* Easy integration with existing databases (no schema changes)
* Caching (now pluggable, with an EHCACHE implementation)
* Pluggable architecture
* Startup-time validation
* Remoting support (demonstrated in sample application)
* Advanced password encoding (SHA, MD5, salts etc)
* Run-as replacement
* Unit tests (Clover coverage is currently 97%)
* Container integration tests
* Supports your own unit tests
* Peer reviewed
* Thorough documentation
* Apache license

CHANGES IN 0.51:

* Added samples/quick-start
* Added NullRunAsManager and made default for AbstractSecurityInterceptor
* Added event notification (see net.sf.acegisecurity.providers.dao.event)
* Updated JAR to Spring 1.0.2
* Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
* Updated GrantedAuthorityImpl to be serializable (JBoss support)
* Updated Authentication interface to present extra details for a request
* Updated Authentication interface to subclass java.security.Principal
* Refactored DaoAuthenticationProvider caching (refer to reference docs)
* Improved HttpSessionIntegrationFilter to manage additional attributes
* Improved URL encoding during redirects
* Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
* Fixed issue with NullPointerExceptions in taglib
* Removed DaoAuthenticationToken and session-based caching
* Documentation improvements

Whilst 0.51 is mostly a maintenance release, we recommend that you upgrade
to take advantage of the various fixes and caching improvements. The only
0.5 to 0.51 upgrade issue most typical users would need to be aware of is
DaoAuthenticationProvider no longer has a key property. References to this
property should be removed from your application context configuration
file(s). The reference documentation describes the new pluggable caching
support and event support in sections 1.5.4 and 1.5.5 respectively.

Please visit http://acegisecurity.sourceforge.net to access the latest
version or read more about the features.

Best regards
Ben





[Acegisecurity-developer] RE: Uploading acegisecurity to Maven repository

2004-06-07 Thread Ben Alex
Hi Carlos

 Hi Ben,
 
 I'd like to know if you agree with the uploading of 
 acegisecurity jars to maven repository at ibiblio.org so they 
 are available in maven automatic dependency management system.
 
 If you agree I'll make the upload request for you and you 
 only need to check acegisecurity  dependencies are correct.
 
 If you are not familiar with maven I can suggest you to take 
 a look at http://maven.apache.org

I would be happy if someone took care of this Maven uploading. It came up on
the developer list a few weeks ago.

If you'd like to write a Maven build file for Acegi Security, that would be
great as well!

If there's anything I can do to help (commit something to CVS etc), just let
me know.

Best regards
Ben





RE: [Acegisecurity-developer] DaoAuthenticationProvider doesn't work with passwordEncoder in 0.51

2004-06-08 Thread Ben Alex
 Thanks for the fast fix!
 Hmmm, I'm a bit disappointed, because I wanted to propose you 
 the same fix.
 I have made it, rebuilt my acegi-security.jar, placed it 
 into the container, tried to run it and it doesn't help :(( I'm 
 still a Java rookie. :-/
 
 (just a note to our GUI thread: my GUI is Tapestry, so I 
 cannot use JGoodies at the moment.)

After making the change to the DaoAuthenticationProvider.java file:

ant clean alljars
cd samples/contacts
ant clean warfile
copy dist/contacts.war %your_container%/webapps

I assume you haven't put any JARs in your container classpath, as that is
consistent with container adapter-based configuration and you wouldn't be
using contacts.war in that case. If you've copied any JARs into your
container classpath, make sure you remove them.

HTH
Ben





[Acegisecurity-developer] Maven Build in CVS

2004-06-08 Thread Ben Alex
Thanks to Carlos Sanchez for providing an initial Maven build file. I've
just checked it into CVS along with some required changes to library names.

Would others running from CVS please check if this works. As previously
stated, I haven't used Maven before. It seems to build the main JAR
correctly, and I guess that's the main requirement for being added to
iBiblio.

What is the best practice on which libraries we should be keeping in CVS now
that we have a Maven build file?

Comments/feedback appreciated.

Carlos, are you on the acegisecurity-developer list?

Luke, have you had a chance to look at running builds for Acegi Security
alongside Spring as yet?

Thanks
Ben





RE: [Acegisecurity-developer] URL redirection when session expires

2004-06-09 Thread Ben Alex
Hi Shishir

 I think ignoreRedirectUrl is a good idea. 
 
 Enhancing on that, would it make sense to have a property 
 type attribute, which will have a key URL and the URL that 
 needs to be redirected to.
 If the existing URL ends with any one of the above, then 
 redirect to the valid URL as defined in the props value. If 
 none matches, then defaultURL is picked up. If 
 ignoreRedirectUrl is on, then straight away redirect to the default. 

Could you send me a patch (or full class) of what you have in mind?

Thanks
Ben





Re: [Acegisecurity-developer] User private members

2004-06-22 Thread Ben Alex
Randy Thornton wrote:
I have provided my own AuthenticationDao implementation for my users and
groups.  I have my own user and group implementation that have data other
than username, password, and capabilities.  It would be nice if I could
subclass off of User instead of having to create a new User object from them
for all the apis.  The problem is that the members of User are all private.
Can these be changed to protected or is there some special reason for them
to be private?
Randy
 

Hi Randy
I just took a look at User and am wondering what you couldn't achieve by 
calling super(). Each of the properties has a getter, and the 
constructor performs the setting. Is there a particular use case you 
can't accomplish? I don't mind making them protected if needed, but I do 
wonder if doing so would reduce the integrity of User, as the 
constructor performs checks for non-null values etc.

Best regards
Ben



Re: [Acegisecurity-developer] Re: User private members

2004-06-23 Thread Ben Alex
Randy Thornton wrote:
I am using hibernate to save my user objects.  It needs public getters and
setters and also a default constructor.  Obviously I have worked around all
this, but it would be much nicer to subclass.
Thanks
 


Hi Ryan
Ah, Hibernate.
To date I've had classes relying on User expect its properties to be 
non-null. I've enforced this via the User constructor and treating it as 
a value object once created (ie no mutators). With the added use of User 
in events and to expose additional properties unrelated to security, I 
think it makes more sense to make User an interface and put the onus on 
the developer to enforce non-nulls in their implementations. This gives 
developers flexibility, particularly as the Acegi Security requirements 
of User are very low (four non-null property getters).

If nobody has any concerns or objections, I'll make this change later 
today. I'll leave User as the concrete implementation so nobody's 
existing code breaks, whilst creating a UserDetails interface.

Best regards
Ben



Re: [Acegisecurity-developer] javadocs online

2004-06-24 Thread Ben Alex
Scott Evans wrote:
 
I wonder if you might consider putting the current release's javadocs 
up on the project's home page?
 
I'd like to place a link directly to it in the javadocs for the 
application that I am using acegi in.


Thanks to Luke Taylor, the latest API docs are always available from 
http://www.monkeymachine.co.uk/acegi/apidocs/index.html.

Best regards
Ben




Re: [Acegisecurity-developer] How do I avoid the IE redirect warning dialog?

2004-06-25 Thread Ben Alex
Joseph Schmoley wrote:
Ok Ben, I understand now.  Except for one minor point...  It's exactly 
the other way around from what you suggest.  The problem isn't from 
HTTP to HTTPS, it's from HTTPS to HTTP.  So I'd have to write a 
JavaScriptRetryWithHttpEntryPoint.java and wire it in.  I'll go ahead 
and do that.
 
Do you want me to submit it to you guys for inclusion into CVS?  There 
has to be many others who've run into this issue as well.
 
Hi Joseph
That would be excellent.
Thanks
Ben



Re: [Acegisecurity-developer] Authentication callback?

2004-06-29 Thread Ben Alex
Joseph Schmoley wrote:
Where in the Acegi framework can I plug in a piece of code to be 
called upon successful Authentication?  I need a couple of things to 
be placed onto the session after a user has been successfully 
authenticated into our system.
 
I took a look at 
net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter and it 
looks like it's got everything I need except for a way to look for and 
run a registered callback object.
 
Unless I'm missing some other interface/class that I haven't seen yet, 
how does the following sound:
 
Add a callback property to the config for AuthenticationProcessingFilter:
 
 <bean id="authenticationProcessingFilter"
       class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
   <property name="authenticationManager">
     <ref bean="authenticationManager"/>
   </property>
   <property name="authenticationFailureUrl">
     <value>/login/loginError.do?login_error=1</value>
   </property>
   <property name="defaultTargetUrl">
     <value>/</value>
   </property>
   <property name="filterProcessesUrl">
     <value>/login/j_acegi_security_check.flt</value>
   </property>
   <property name="callback">
     <ref bean="authenticationCallback"/>
   </property>
 </bean>

 <bean id="authenticationCallback"
       class="mycompany.mypackage.AuthenticationCallback"/>
AuthenticationCallback would implement an interface HttpCallback:
 
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * A callback interface to be used whenever another process needs to be
 * notified of an HTTP-related event that's occurred. Its first use is a
 * callback right after a successful authentication attempt.
 */
public interface HttpCallback {
    public void callback(HttpServletRequest request, HttpServletResponse response);
}
 
This way the code at the end 
of AuthenticationProcessingFilter.attemptAuthentication() can be 
changed to check for this registered callback and call it before 
returning the Authentication object.
 
How does this sound?
 
Joseph
Hi Joseph
A callback is not a problem, it's just the methods to pass to the 
interface. Did you need something specific from the HttpServletRequest, 
or could we use an object not bound to the web tier (such as 
Authentication)?

Also, did you look at the recent changes to DaoAuthenticationProvider, 
which allows the User to store extra properties? This might be a way for 
you to store extra authentication success information, as User is placed 
in the Authentication upon authentication by DaoAuthenticationProvider.

Another possible approach might be to listen for AuthenticationEvents 
which are generated by DaoAuthenticationProvider.

I'm not sure which way is optimal, given I'm not sure what your callback 
is doing.

Best regards
Ben
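One way to take up Ben's last suggestion, as an added example that is not code from this thread or from the Acegi Security project: a Spring ApplicationListener that audits the AuthenticationEvents DaoAuthenticationProvider publishes. The event class names AuthenticationSuccessEvent and AuthenticationFailurePasswordEvent under net.sf.acegisecurity.providers.dao.event, each exposing getUser(), are assumed from the 0.6-era API; the listener class, its threshold and the log lines are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import net.sf.acegisecurity.providers.dao.event.AuthenticationEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationFailurePasswordEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationSuccessEvent;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/**
 * Hypothetical listener (not part of Acegi Security) that audits the authentication
 * events DaoAuthenticationProvider publishes through the Spring ApplicationContext.
 * Declaring it as a bean in the same application context is enough: Spring registers
 * every ApplicationListener bean automatically when the context refreshes.
 */
public class LoginAuditListener implements ApplicationListener {
    private static final Log logger = LogFactory.getLog(LoginAuditListener.class);

    /** Hypothetical threshold: warn once a username collects this many bad passwords in a row. */
    private int failureThreshold = 5;

    /** username -> Integer count of consecutive failed password attempts. */
    private final Map failures = Collections.synchronizedMap(new HashMap());

    public void setFailureThreshold(int failureThreshold) {
        this.failureThreshold = failureThreshold;
    }

    public void onApplicationEvent(ApplicationEvent event) {
        if (!(event instanceof AuthenticationEvent)) {
            return; // context refresh and other Spring events are not ours
        }
        AuthenticationEvent authEvent = (AuthenticationEvent) event;
        String username = authEvent.getUser().getUsername();

        if (event instanceof AuthenticationSuccessEvent) {
            failures.remove(username); // a good login resets the counter
            logger.info("Login OK for '" + username + "'");
        } else if (event instanceof AuthenticationFailurePasswordEvent) {
            // Only password failures are counted: the username exists, so this is
            // either a typo or someone guessing at a real account.
            int count = recordFailure(username);
            if (count >= failureThreshold) {
                logger.warn("'" + username + "' has " + count
                        + " consecutive bad-password attempts");
            }
        }
    }

    /** Records one more failure for the username and returns the new consecutive count. */
    int recordFailure(String username) {
        synchronized (failures) {
            Integer previous = (Integer) failures.get(username);
            int count = (previous == null) ? 1 : previous.intValue() + 1;
            failures.put(username, new Integer(count));
            return count;
        }
    }
}
```

The listener has no access to the HttpServletRequest, so anything that must end up in the HttpSession is better carried on the UserDetails that DaoAuthenticationProvider places in the Authentication, which is Ben's other suggestion.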



Re: [Acegisecurity-developer] CasAuthenticationProvider taking advantage of custom Authentication object?

2004-07-12 Thread Ben Alex
Mike Youngstrom wrote:
Maybe I'm missing something but it appears that the only CAS and
AuthenticationDao integration point is in the DaoCasAuthoritiesPopulator
in getAuthorities method where it appears to only load the user in
order to get the authorities().
Maybe I should ask my question this way.  I am using CAS and a custom
UserDetails implementation.  I'm returning my custom UserDetails
implementation in my custom AuthenticationDao and overridden
loadUserByUsername method.  So, how can I get at my custom UserDetails
implementation given the SecureContext?  Or is this possible?
 

Hi Mike
Currently this is not possible. We could modify the returned 
CasAuthenticationToken to contain the UserDetails, but the problem is 
how to get the UserDetails in the first place given 
CasAuthoritiesPopulator only returns GrantedAuthority[].

The decision for CasAuthoritiesPopulator to work with GrantedAuthority[] 
rather than UserDetails was made so that there was no unnecessary 
dependency on the DAO authentication provider package. At the time 
UserDetails was actually User, and nobody was talking about extending 
User for custom properties.

Option 1. We can make CasAuthoritiesPopulator return UserDetails rather 
than GrantedAuthority[], which is unlikely to cause any real problems 
for people given most CAS/Acegi users would be using the included 
DaoCasAuthoritiesPopulator. However, that would force the CAS package to 
depend on the DAO authentication provider package (for the UserDetails 
interface).

Option 2. We could add an AdditionalDetailsPopulator interface to 
CasAuthenticationProvider, which could be null if people didn't want to 
use it. AdditionalDetailsPopulator would obtain an object and put it in 
the CasAuthenticationToken. We'd write a consolidated 
DaoAuthenticationPopulator which uses caching and implements both 
CasAuthoritiesPopulator and AdditionalDetailsPopulator against an 
AuthenticationDao.

Option 3. Do nothing. People requiring additional properties can look 
them up in whatever way best suits their application, or via their own 
filter (ie lookup ContextHolder, get Authentication, get principal, look 
it up from DAO, populate a suitable ThreadLocal or subclassed 
SecureContextImpl, continue filter chain).

Option one is preferable in the likely case most people would use the 
DAO authentication provider package. In fact I've not heard of anyone 
using Acegi Security with anything but the DAO authentication provider 
package. Furthermore, the linkage is not very significant anyway, being 
only a single interface which could be moved to net.sf.acegisecurity to 
reflect its more widespread use.

Comments?
Best regards
Ben



[Acegisecurity-developer] Re: Acegi Security

2004-07-13 Thread Ben Alex
Hi Mark
[EMAIL PROTECTED] wrote:
Ben,
I have been a Spring user for sometime now and am starting to investigate
Acegi Security.  I am having trouble replying to the developer-list
subscription so I thought that I would email you directly if you do not
mind this once.  My reply to the subscription keeps bouncing back.
 

I just subscribed you to the list administratively. If you would like to 
be unsubscribed and have difficulty, just let me know and I can remove 
your address.

I have read the documentation but have a couple of questions.  Our
application will be web based using Macromedia Flex.  Flex creates Flash
clients for the browser.  The method that I will be communicating with the
application server (Tomcat) will be with AMF (Flash remoting) and not the
HTTP protocol.  I am thinking that I will need to pass a token back and
forth so that I do not have to reauthenticate for each request.  Is there
a way that I can do this with some kind of ContextHolder object?  I can
maintain state in the Flash client with ActionScript objects that get
translated to Java objects.  Am I bound to HTTP Session Auth or basic auth
as described in section 1.8.4 of the doco?
 

For web services I always encourage use of BASIC authentication which 
presents the username/password with each web services request. Acegi 
Security's DaoAuthenticationProvider includes caching, so it's not a 
problem re-authenticating on each request.

Passing a Context from the client to the server containing an 
Authentication object would work, but it would probably prove quite 
difficult to do. I briefly investigated this for Spring's included 
remoting protocols (SOAP, Burlap, Hessian) but quickly found they were 
unwilling to deliver an additional object that is not part of the method 
signature being called. If this sort of issue is easily resolved with 
AMF, it's perhaps a more elegant way of doing it. You could simply pass 
a Context to the server, write some object that unwraps the context from 
the web services request and places it on the server's ContextHolder, 
and then proceed with the request. Still, it would surprise me if AMF 
doesn't offer any BASIC authentication approach for simple protection of 
remote web services, which is going to save you from writing _any_ code.

Furthermore, I also see that you can allow a user to run_as someone else. 
I think that this would be useful for unit testing.  Do I just need to
configure a user to have RUN_AS_MANAGER privileges to take advantage of
the RunAsManagerImpl class?  This is a little fuzzy to me.
 

Run-as replacement is designed so a user can call ObjectA which in turn 
needs to access say a ManagerObject. As the user is not granted 
authorities to call ManagerObject directly, ObjectA uses a run-as 
replacement to obtain additional granted authorities required to call 
ManagerObject.

Unit testing is best achieved using the TestingAuthenticationProvider. It 
accepts a TestingAuthenticationToken, which you populate with granted 
authorities you want your test case to hold. Then you call your code and 
Acegi Security can happily live in the server stack that executes the 
test. You can also ensure more complex situations such as run-as 
replacement are handled properly.

HTH
Ben



Re: [Acegisecurity-developer] Is Authentication not really Serializable?

2004-07-13 Thread Ben Alex
Hi Shishir
Shishir K. Singh wrote:
Same goes for forcePrincipalAsString. 

 

There is already an isForcePrincipalAsString() method.

-Original Message-
From: Shishir K. Singh 
Sent: Tuesday, July 13, 2004 10:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Acegisecurity-developer] Is Authentication not really
Serializable?

Ben, 

I was wondering if the  context variable in DaoAuthenticationProvider
could be made protected or better yet, have a getContext() method. Sub
classes extending  the provider then can provide their own custom events
if necessary. 

 

I just added to CVS HEAD a getter for the context.
Best regards
Ben



Re: [Acegisecurity-developer] is there support for Hibernate?

2004-07-13 Thread Ben Alex
Indra Gunawan wrote:
Hi all,
I want to implement the security authentication using Hibernate, but it seems
that I can't find a class that supports it. Should I extend the
HibernateDaoSupport class of the Spring framework and implement
AuthenticationDao? Or did I miss the support class?
TIA
Indra
 

Spot on. I've deliberately excluded a Hibernate implementation simply 
because it's so easy to do and application-specific.

Best regards
Ben
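As an added example (not code from this thread or from Acegi Security), an AuthenticationDao that does exactly what Indra proposes, returning a User subclass that also carries the extra, non-security property Ben mentioned in the callback thread above. It assumes a Hibernate-mapped Account class (constructed here, mapping file not shown), Spring's HibernateDaoSupport, and the 0.6-era package locations (UserDetails under net.sf.acegisecurity; AuthenticationDao, User and UsernameNotFoundException under net.sf.acegisecurity.providers.dao); adjust those to your release.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.AuthenticationDao;
import net.sf.acegisecurity.providers.dao.User;
import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;

import org.springframework.dao.DataAccessException;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.orm.hibernate.support.HibernateDaoSupport;

/** Hypothetical Hibernate-mapped entity; the .hbm.xml mapping is not shown. */
class Account {
    private String username;
    private String password;  // the encoded form your PasswordEncoder expects, never plaintext
    private boolean enabled;
    private List roles = new ArrayList();  // role names such as "ROLE_TELLER"
    private String email;  // an application property unrelated to security

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public boolean isEnabled() { return enabled; }
    public void setEnabled(boolean enabled) { this.enabled = enabled; }
    public List getRoles() { return roles; }
    public void setRoles(List roles) { this.roles = roles; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

/** User subclass carrying an extra property; User's constructor keeps its non-null checks. */
class AccountUser extends User {
    private final String email;

    public AccountUser(String username, String password, boolean enabled,
                       GrantedAuthority[] authorities, String email) {
        super(username, password, enabled, authorities);
        this.email = email;
    }

    public String getEmail() { return email; }
}

/** Hypothetical AuthenticationDao; Spring injects the SessionFactory via HibernateDaoSupport. */
public class HibernateAuthenticationDao extends HibernateDaoSupport implements AuthenticationDao {

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        // Parameter binding, not string concatenation, so the username cannot alter the HQL.
        List accounts = getHibernateTemplate().find(
                "from Account a where a.username = ?", username);

        if (accounts.isEmpty()) {
            throw new UsernameNotFoundException("No account named '" + username + "'");
        }
        if (accounts.size() > 1) {
            // Two rows for one username makes the identity ambiguous: fail closed rather than pick one.
            throw new IncorrectResultSizeDataAccessException(1, accounts.size());
        }

        Account account = (Account) accounts.get(0);
        GrantedAuthority[] authorities = toAuthorities(account.getRoles());

        // DaoAuthenticationProvider places this object in the Authentication, so the
        // extra property is later reachable from ContextHolder without another lookup.
        return new AccountUser(account.getUsername(), account.getPassword(),
                account.isEnabled(), authorities, account.getEmail());
    }

    /** Converts a list of role name Strings into the GrantedAuthority[] User expects. */
    static GrantedAuthority[] toAuthorities(List roleNames) {
        GrantedAuthority[] authorities = new GrantedAuthority[roleNames.size()];
        int i = 0;
        for (Iterator it = roleNames.iterator(); it.hasNext(); i++) {
            authorities[i] = new GrantedAuthorityImpl((String) it.next());
        }
        return authorities;
    }
}
```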



Re: [Acegisecurity-developer] Followup: Why am I getting extra requests with Sitemesh?

2004-07-14 Thread Ben Alex
Patrick Burleson wrote:
On Wed, 14 Jul 2004 08:24:25 +1000, Ben Alex [EMAIL PROTECTED] wrote:
 

I'm just wondering why Acegi Security fails on the second pass. Your
earlier email mentioned a null gets put into the SecureContext, but I'm
not sure how or why you're seeing this. A debug-level log would be great.
Best regards
Ben
   

Ben,
The reason it fails is Weblogic runs the filters again on the same
thread in their current order. So when it starts returning up the
chain of filters that have been run, the second invocation of the
AbstractIntegrationFilter (which was caused by Weblogic applying the
filters a second time because of RequestDispatcher.include()) does
its job of moving the Authentication object from the SecureContext to
the Session. When the filter chain gets back to the first invocation,
there is no Authentication object in the SecureContext, and thus null
is put in the Session for ACEGI_SECURITY_AUTHENTICATION_KEY,
essentially removing it from the session. This occurs on lines 157-174
of AbstractIntegrationFilter.
Of the App Servers I have tested (Resin, Jboss/Jetty, Weblogic) only
Weblogic has the behavior of applying the filters again (in the same
thread) to RequestDispatcher.include().
If you have the source of Sitemesh 2.0.1 handy and look at
com.opensymphony.module.sitemesh.filter.PageFilter, starting at line
44, you can see how they deal with this situation by putting a marker
in the session that this filter has already run. Otherwise, they would
get caught in an infinite loop, since that filter later calls
RequestDispatcher.include().
I can look at adding the same sort of code to Acegi and submitting a
patch if you would like. The tricky part will be if someone has more
than one IntegrationFilter going and making sure each of them runs at
least once. But somehow I see that as being a rare case.
Thanks,
Patrick
 

Hi Patrick
Thanks for the info.
People should only be running one AbstractIntegrationFilter subclass, 
although they might run more than one processing filter, such as 
BasicProcessingFilter and AuthenticationProcessingFilter (for form-based 
authentication) in the same web application.

If you wouldn't mind submitting a patch, I'd be happy to apply it to 
CVS. I'd write it myself, but don't have access to Weblogic to give it a 
full test.

Best regards
Ben
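To make the re-entrancy problem Patrick describes concrete, here is an added example (not Patrick's patch, which is not reproduced on this page, and not Acegi code) of a session integration filter guarded so that only the outermost invocation on a request moves the Authentication in and out of the HttpSession. It marks the request rather than the session, because the re-entry is per request; the class name and the session key value are hypothetical, and the ContextHolder/SecureContext API is assumed as in Acegi 0.6.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import net.sf.acegisecurity.context.SecureContextImpl;

/**
 * Hypothetical integration filter (not Acegi's AbstractIntegrationFilter) that tolerates
 * being applied twice on the same thread, as Weblogic does for RequestDispatcher.include().
 */
public class OnceOnlySessionIntegrationFilter implements Filter {

    /** Session attribute under which the Authentication is kept (hypothetical key value). */
    static final String AUTHENTICATION_KEY = "EXAMPLE_SECURITY_AUTHENTICATION";

    /** Request attribute marking that the outermost invocation is already active. */
    private static final String ALREADY_APPLIED =
            OnceOnlySessionIntegrationFilter.class.getName() + ".APPLIED";

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request.getAttribute(ALREADY_APPLIED) != null) {
            // Nested pass over the same request: the outer invocation already loaded the
            // ContextHolder and will write back and clear it, so just continue the chain.
            chain.doFilter(request, response);
            return;
        }

        request.setAttribute(ALREADY_APPLIED, Boolean.TRUE);
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        try {
            Authentication stored = readFromSession(httpRequest);
            if (stored != null) {
                SecureContextImpl context = new SecureContextImpl();
                context.setAuthentication(stored);
                ContextHolder.setContext(context);
            }
            chain.doFilter(request, response);
        } finally {
            // Only the outermost invocation reaches here, so a nested pass can never
            // replace the session's Authentication with null (the bug described above).
            Authentication current = currentAuthentication();
            HttpSession session = httpRequest.getSession(false);
            if (session != null && current != null) {
                session.setAttribute(AUTHENTICATION_KEY, current);
            }
            // Clear the thread so a pooled thread never carries this user into the next request.
            ContextHolder.setContext(null);
            request.removeAttribute(ALREADY_APPLIED);
        }
    }

    /** Returns the Authentication held in the session, or null if there is none. */
    static Authentication readFromSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object value = session.getAttribute(AUTHENTICATION_KEY);
        return (value instanceof Authentication) ? (Authentication) value : null;
    }

    /** Returns the Authentication currently on the ContextHolder, or null. */
    static Authentication currentAuthentication() {
        Context context = ContextHolder.getContext();
        if (context instanceof SecureContext) {
            return ((SecureContext) context).getAuthentication();
        }
        return null;
    }

    public void init(FilterConfig filterConfig) throws ServletException {}

    public void destroy() {}
}
```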


Re: [Acegisecurity-developer] Followup: Why am I getting extra requests with Sitemesh?

2004-07-15 Thread Ben Alex
Travis wrote:
Patrick and Ben,
This patch fixed the BEA issues I had with my application as well as the
sample contacts application.  

Thanks!
Travis
 

 

Travis, I'm pleased this fixed your problem.
Patrick, thanks very much for your patch and help. I've applied it to 
CVS HEAD.

Thanks again
Ben



Re: [Acegisecurity-developer] Newbie Questions...

2004-07-15 Thread Ben Alex
[EMAIL PROTECTED] wrote:
Ben,
I had to force Basic authentication by modifying the BasicProcessingFilter
class so that the doFilter method sets the header field to Basic
if the header is null.  I know this is ugly, but the SOAP client (Flash
component) is not sending this value when the request is made.  I do not
understand this.
Anyways, here is what I had to code to force this to happen.  If you know
a better way then I would like to know about it.  I think that the Flash
client is not setting this header field correctly to indicate that it is
Basic auth, but I am not sure.  If I do not use this code then a
subsequent Acegi filter will try to redirect to a login page.  Please
advise.
 

 

Mark
What is supposed to happen is:
1. SOAP request received, and attempted to be executed.
2. MethodSecurityInterceptor throws AuthenticationException.
3. Wrapping SecurityEnforcementFilter detects AuthenticationException 
and calls AuthenticationEntryPoint (which must be 
BasicProcessingFilterEntryPoint).
4. BasicProcessingFilterEntryPoint responds with a challenge like this:  
WWW-Authenticate: Basic realm="WallyWorld"
5. SOAP client reads challenge, and retries request but this time with a 
header like this: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
6. SOAP request received, and attempted to be executed.
7. BasicProcessingFilter detects header and attempts authentication, 
placing successful Authentication into the HttpSession.
8. AutoIntegrationFilter grabs Authentication from HttpSession and puts it 
onto ContextHolder.
9. MethodSecurityInterceptor is successful this time, as there is an 
Authentication object on ContextHolder.

Your code change seems to suggest to me your SecurityEnforcementFilter 
isn't configured properly. It seems as if your BasicProcessingFilter is 
being used to simulate an attempted authentication, which will cause 
BasicProcessingFilter to launch BasicProcessingFilterEntryPoint right 
away (it's designed to do this, as the user might have presented invalid 
credentials, so they're given a chance to try again). Would you mind 
copying your application context XML into an email showing the 
configuration of the security objects? It should look something like this:

   <bean id="securityEnforcementFilter"
         class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
      <property name="filterSecurityInterceptor">
         <ref bean="filterInvocationInterceptor"/>
      </property>
      <property name="authenticationEntryPoint">
         <ref bean="basicProcessingFilterEntryPoint"/>   <!-- NB this line -->
      </property>
   </bean>

   <bean id="basicProcessingFilter"
         class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
      <property name="authenticationManager">
         <ref bean="authenticationManager"/>
      </property>
      <property name="authenticationEntryPoint">
         <ref bean="basicProcessingFilterEntryPoint"/>
      </property>
   </bean>

   <bean id="basicProcessingFilterEntryPoint"
         class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
      <property name="realmName">
         <value>My Company's Realm</value>
      </property>
   </bean>

Thanks
Ben
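
The nine-step exchange Ben lays out, and the misconfiguration he suspects, as an
added example in Python. It is not Acegi code and not part of the original
message: Request, Response, the filter and entry-point functions, the user table
(marissa/koala, dianne/emu) and the path /ws are this example's own constructions;
only the header formats (WWW-Authenticate, Authorization: Basic) and the 401/302/403
outcomes come from the thread.

```python
"""Added example (not Acegi's code): a model of the BASIC exchange described
in the message. Every name below is an assumption of this example."""
import base64
from dataclasses import dataclass, field

class AuthenticationException(Exception):
    """No or invalid credentials: the entry point must be commenced."""

class AccessDeniedException(Exception):
    """Authenticated but lacking the required role: answered with 403."""

@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)   # stands in for HttpSession

@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed user store: username -> (password, granted authorities).
USERS = {
    "marissa": ("koala", {"ROLE_SUPERVISOR", "ROLE_USER"}),
    "dianne": ("emu", {"ROLE_USER"}),
}

def parse_basic(header):
    """Decode 'Basic <base64(user:pass)>'. The first colon splits the pair, so
    passwords may contain colons. Junk raises ValueError (binascii.Error is one)."""
    if not header.startswith("Basic "):
        raise ValueError("not a Basic header")
    creds = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    user, sep, password = creds.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def authenticate(username, password):
    rec = USERS.get(username)
    if rec is None or rec[0] != password:
        raise AuthenticationException("bad credentials")
    return {"name": username, "authorities": rec[1]}

def basic_processing_filter(req):
    """Step 7: if an Authorization header is present, authenticate it and keep
    the result in the session. A malformed or wrong header raises at once, so
    the entry point re-challenges, as the message describes."""
    header = req.headers.get("Authorization")
    if header is None:
        return                      # anonymous request: later steps decide
    try:
        user, password = parse_basic(header)
        req.session["AUTH"] = authenticate(user, password)
    except (ValueError, UnicodeDecodeError, AuthenticationException):
        req.session.pop("AUTH", None)
        raise AuthenticationException("invalid Basic credentials")

def basic_entry_point(realm="WallyWorld"):
    """Step 4: the challenge a SOAP/Flash client can act on."""
    return lambda req: Response(401, {"WWW-Authenticate": f'Basic realm="{realm}"'})

def form_login_entry_point(login_url="/login.jsp"):
    """The misconfiguration from the thread: a redirect to an HTML login page."""
    return lambda req: Response(302, {"Location": login_url})

def secured_resource(req, required_role):
    """Steps 2/9: what the method interceptor does with the Authentication."""
    auth = req.session.get("AUTH")
    if auth is None:
        raise AuthenticationException("no Authentication on ContextHolder")
    if required_role not in auth["authorities"]:
        raise AccessDeniedException(required_role)
    return Response(200, body=f"hello {auth['name']}")

def enforcement_filter(req, entry_point, required_role="ROLE_USER"):
    """Step 3: the enforcement filter's dispatch. AuthenticationException
    commences the configured entry point; AccessDeniedException becomes 403."""
    try:
        basic_processing_filter(req)
        return secured_resource(req, required_role)
    except AuthenticationException:
        return entry_point(req)
    except AccessDeniedException:
        return Response(403)

def basic_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}

def soap_client(entry_point, username, password, required_role="ROLE_USER"):
    """Steps 1-9 from the client side: send no credentials first, retry once
    if (and only if) a Basic challenge comes back. A 302 to a login page is
    something this client cannot follow, so it is returned as the failure."""
    session = {}
    first = enforcement_filter(Request("/ws", {}, session), entry_point, required_role)
    challenge = first.headers.get("WWW-Authenticate", "")
    if first.status != 401 or not challenge.startswith("Basic "):
        return first
    retry = Request("/ws", basic_header(username, password), session)
    return enforcement_filter(retry, entry_point, required_role)
```

soap_client(basic_entry_point(), "marissa", "koala") walks the working flow and
ends in a 200; swapping in form_login_entry_point() reproduces the symptom in the
thread, a client that only understands 401 challenges receiving a 302 to a login
page on its first, credential-less request. A wrong password or an undecodable
header yields a fresh 401, a missing role a 403.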


Re: [Acegisecurity-developer] Newbie Questions...

2004-07-15 Thread Ben Alex
[EMAIL PROTECTED] wrote:
Ben,
You were right.  It was a problem with my securityEnforcementFilter bean
configuration.  I see it now. Once I changed to the
basicProcessingFilterEntryPoint bean reference it worked.  I also needed
your great explanation about SOAP authorization.  I will be giving a
presentation about Spring at AJUG (Atlanta User Group) next Tuesday.  I
will definitely mention this security plugin for Spring.  My next
challenge will be to get SSL Basic authentication configured with Acegi. 
Thank you so much for your attention about this problem.

Mark

Hi Mark
Pleased it was resolved. With your next challenge, do you mean using 
BASIC authentication over HTTPS? If so, there's no reason it shouldn't 
simply work by using https:// as the target URL rather than http://.

Best regards
Ben


Re: [Acegisecurity-developer] Write a rule overriding a less specific one, allowing any user to call a specific url

2004-07-18 Thread Ben Alex
Carlos Sanchez wrote:
Hi,
My question is: can I write a rule in filter security interceptor so an URL
doesn't need to have a role (needed to override a less specific one)?
e.g. in the following bean I want that all *.do except populateDatabase.do
need ROLE_USER.
populateDatabase.do can be called by any user although he hadn't logged in
before.

Hi Carlos
Take a look at
http://article.gmane.org/gmane.comp.java.springframework.acegisecurity.devel/162.
Instead of rearranging your application's paths or writing a class like
mentioned in the archive, you might be able to change your database
setup approach. One way would be to write a filter which detects a
request for populateDatabase.do and runs the database setup code. Or
you could even automate it via a load-at-startup Servlet which detects
an empty database on application startup and sets it up. Or a Quartz job
which does the routine database or system management tasks, including
initial database configuration. There are other ways too.
Best regards
Ben



Re: [Acegisecurity-developer] Should spring-mock.jar be added to lib/ ?

2004-07-21 Thread Ben Alex
Francois Beausoleil wrote:
Hello all,
Ben, I'd like to add Spring's spring-mock.jar to lib/spring.  I need
MockPageContext for testing new code in AuthorizeTag.
This would be a testing dependency only.

Hi Francois
Go for it.
Best regards
Ben


Re: [Acegisecurity-developer] Suggestions for changes to AbstractProcessingFilter

2004-07-21 Thread Ben Alex
Hi Wesley
Thanks for the contribution.
Wesley Hall wrote:
Hi Ben,
I have made some changes to the attached classes...
AbstractProcessingFilter
-
authenticationServiceFailureUrl - AuthenticationServiceException
authenticationCredentialCheckFailureUrl - BadCredentialsException
authenticationDisabledFailureUrl - DisabledException
authenticationLockedFailureUrl - LockedException
authenticationProxyUntrustedFailureUrl - ProxyUntrustedException
authenticationUsernameNotFoundFailureUrl - UsernameNotFoundException

I've committed this one, minus the UsernameNotFoundException (because it 
gets re-thrown by DaoAuthenticationProvider in a BadCredentialsException).

If people need to support additional application-specific (rather than 
Acegi Security-specific) exceptions, we could provide a hook method that 
subclasses can optionally override which returns a target URL. 
Alternatively, people can perform additional conditional processing in 
the target URL servlet/filter/page etc based on HttpSession's 
ACEGI_SECURITY_LAST_EXCEPTION_KEY attribute.

AuthenicationException
---
I have added an 'Authentication' attribute to the exception. 

I've also committed this one.
ProviderManager
---
I have wrapped the calls to provider.authenticate in a try block that catches
AuthenticationException. This is so I can intercept the exception to
populate the authentication object into the Exception, it is then rethrown.
Also the final ProviderNotFoundException is created first so that the
authentication may be set before the instance is thrown.
An implication of this approach is that custom implementations of
AuthenticationManager will need to do their own work to populate the
exception with the authentication object. I did not see this as a major
problem as there seems to be little reason to create a custom
AuthenticationManager rather than an AuthenticationProvider. An alternative
might be to make AuthenticationManager an abstract class and use the
template pattern to move the authentication population up into
AuthenticationManager but this change was too invasive for my taste.
I have performed some tests of these changes by integrating them into my
project and doing some functional tests. Everything seems to work ok for me.
Perhaps you would like to integrate these changes into the next version of
acegi. If not, perhaps somebody on the list has similar requirements to me
and would like to include these changes in their project.
In either case, please accept these changes as is and distribute them under the
apache license as the rest of the acegi code.

I haven't committed this one because I believe re-throwing the exception 
loses the all-important lower-down stack trace. I believe it's probably 
better to change individual AuthenticationProviders to use the enhanced 
AuthenticationException subclasses properly, rather than relying on 
ProviderManager to do it for them. Do you agree, or is there some other 
issue that I haven't considered?

Thanks again for your contributions and feedback, Wesley.
Best regards
Ben


[Acegisecurity-developer] Instance based security

2004-07-22 Thread Ben Alex
Andy Depue wrote:
Has any thought been given to adding instance based security support to Acegi?  
This seems to be a common requirement. 

There are so many ways of approaching instance-level security, as touched 
on by the other replies to this thread. The major issues are where to 
get the domain instance specific ACL information from and how to 
change any returned value.

I've copied this to the RCP list as they probably have some views on the 
optimal approach, and which they'd like to see demonstrated in Petclinic 
RCP.

Here is a quick summary of the main ways to approach instance-level 
security from an Acegi Security perspective:

BUSINESS METHODS DO SECURITY THEMSELVES. This isn't as bad as it sounds. 
Business methods can simply access the ContextHolder and obtain the 
Authentication object. That way they can filter etc as they see fit. 
Advantages: simple, no infrastructure required, can change the returned 
object. Disadvantages: couples business code to Acegi, more difficult to 
test as there is limited separation of concerns (though you can write 
separate utility classes to help overcome this).

VOTERS DETECT OBJECT AS PARAMETER AND QUERY EXISTING 
GrantedAuthority[]s. In this case you add custom GrantedAuthority[]s to 
the Authentication object during the original authentication process. 
Later the voter looks up those authorities and authorizes access to the 
domain instance accordingly. I'm presently using this approach in the 
Petclinic RCP sample (still being written, yet to be checked in). 
Advantages: simple, easy to test. Disadvantages: not scalable to 
thousands of instances, must customise the AuthenticationProvider (or 
AuthenticationDao if using DaoAuthenticationProvider), cannot change the 
returned object.

VOTERS DETECT OBJECT AS PARAMETER AND OPEN ACTUAL INSTANCE. This is used 
in the Contacts sample application. A voter handles detecting a method 
invocation concerning an identity, opens the domain instance, calls a 
getter to obtain the ACL (access control list) information, and a 
comparison is made to the Authentication object. Advantages: fairly 
simple, easy to test. Disadvantages: opens a domain instance twice (in 
the voter and again in the business method), cannot change the returned 
object.

VOTERS DETECT OBJECT AS PARAMETER AND QUERY ACL OBJECT. This would be a 
variation on the above option, but instead of opening the target domain 
instance twice, an ACL manager object would be consulted to obtain the 
instance-specific privileges. Advantages: highly decoupled from the 
domain objects, addresses performance issues, simple to test the parts, 
easily offers ACL inheritance, administration tools have a central 
reference point for all application ACL information. Disadvantages: 
getting complex, cannot change the returned object.

MethodSecurityInterceptor CALLS A RESULT PROCESSOR. This would be done 
so that a list of classes can routinely be applied against the object 
returned from a method invocation. These classes could do things like 
Andy needs, such as obfuscate properties etc. If we went with the voter 
backed with an ACL manager approach on the way into the method 
invocation, these classes can easily determine which mutations they 
should perform on the returned object. The only requirement would be the 
classes should not throw an exception, as the business methods have 
already taken place. An issue is how mutated values would affect ORM if 
they were subsequently re-presented for committing. How do you handle 
this, Andy?

Comments? Preferences?
Best regards
Ben


Re: [Acegisecurity-developer] Correct understanding

2004-07-23 Thread Ben Alex
[EMAIL PROTECTED] wrote:
I have a couple of fundamental questions.
1.  it looks like the Adapter for the specific container e.g. 
net.sf.acegisecurity.adapters.catalina.CatalinaAcegiUserRealm will use 
whatever provider is set up in Acegi.  And the main purpose of this is:

that applications can continue to leverage the authentication and 
authorization capabilities built into containers (such as isUserInRole() 
and form-based or basic authentication

Since this can be done with the AuthorizeTag, is there are reason that 
we'd need this?

2.  If authentication is handled by a third party filter w/ values that 
are sent on the header, can a Header AuthenticateProvider be created 
that gets an authenticated userid/username and an AuthorizationProvider 
that similarly pulls group/role values from the head and creates the 
corresponding authorities.

3.  If a transaction proxy is being used in our code and we use the 
MethodInvokingProxy, can the Class.MethodName=role syntax be 
Interface.MethodName=role instead?

Thanks for your patience.

Hi Brian
We don't recommend using container adapters, as they require complex 
classloader configuration in your web container. They also require you 
to configure your web container's particular security realm. All-in-all, 
a non-portable solution that is likely to introduce classloader problems 
as your WAR needs additional JARs for business-specific functionality.

Instead we recommend using the BASIC or form-based authentication 
provided directly by Acegi Security filters. This means your WAR on its 
own is handling its security requirements.

I'm not too sure of your other two questions. If you take a look at the 
way the CasAuthenticationProvider and DaoAuthenticationProvider operate, 
you'll see how authentication requests can be handled with different 
backend authentication repositories. The net.sf.acegisecurity.ui package 
contains a variety of classes that create the authentication requests 
(ie from a BASIC or form-based backend etc).

If you could clarify your questions (perhaps a bigger picture overview 
of what you're trying to accomplish on the security front) I'd be only 
too happy to provide specific pointers etc.

Best regards
Ben


Re: [Acegisecurity-developer] JAAS integration

2004-07-25 Thread Ben Alex
[EMAIL PROTECTED] wrote:
Hi,
I've been successfully using Acegi for a couple of months (web
application), with a setup that includes the DaoAuthenticationProvider
and my own user database.
Congratulations to all members of the project for the simplicity of the
solution.
Now I'm facing a new scenario, within JBOSS, where authentication is the
container's responsibility. Basically it is a JAAS LDAP login module,
with users inside an LDAP server. So my WAR must run inside a REALM,
whose users' credentials are container supplied through the JAAS LDAP login
module.
I've carefully read ACEGI's container integration, but as far as I
understood it, both JbossIntegrationFilter and AuthByAdapterProvider
(inside an AuthenticationManager) expect to deal with an ACEGI
Authentication object, which must be provided by an ACEGI JAAS login
module implementation (like JbossAcegiLoginModule).
The question is, considering that I'm willing to keep all ACEGI features
already integrated with my web application (basically ROLE based security
enforcement filters), how could ACEGI be integrated with this kind of
Authentication scenario?
Thanks,
Ricardo

Hi Ricardo
Probably the simplest approach would be to write an Acegi LDAP-based 
AuthenticationProvider. That way the JBossIntegrationFilter can be used 
successfully with JBoss.

Best regards
Ben


Re: [Acegisecurity-developer] Instance based security

2004-07-29 Thread Ben Alex
March, Andres wrote:
I agree with your assessment Ben.  Had many of those thoughts myself as
I was pondering our situation.  In the end we went with VOTERS DETECT
OBJECT AS PARAMETER AND QUERY ACL OBJECT.  Seems like the best choice
for us since we only want to deny or allow access not mutate or filter
properties of the object.

I've just added an access control list (ACL) package to CVS HEAD. It offers:
- integer bit masking (like Unix's chmod command)
- permission inheritance (including blocking)
- JDBC ACL repository
- caching
- pluggable like the rest of Acegi Security
- about 99% unit test coverage according to Clover
- all classes have Javadocs
- covered in the reference guide
No sample application yet, but I'm working on that tomorrow as part of 
Spring RCP's Petclinic.

People's comments on the new package are most welcome.
Best regards
Ben


Re: [Acegisecurity-developer] help

2004-07-29 Thread Ben Alex
Sunil Arora wrote:
My CAS server is on other system, where as the application which is 
using Acegi is on another system. After authenticating the user from 
CAS on another system Acegi is not validating the ticket issue by CAS 
server, If I share same certificate its giving the following error:

java.lang.IllegalArgumentException: Cannot pass null or empty values to constructor
    net.sf.acegisecurity.providers.cas.CasAuthenticationToken.<init>(CasAuthenticationToken.java:70)
    net.sf.acegisecurity.providers.cas.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:217)
    net.sf.acegisecurity.providers.cas.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:181)
    net.sf.acegisecurity.providers.ProviderManager.authenticate(ProviderManager.java:126)
    net.sf.acegisecurity.ui.cas.CasProcessingFilter.attemptAuthentication(CasProcessingFilter.java:107)
    net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:215)
    net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:88)
    net.sf.acegisecurity.securechannel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:176)
    net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:88)

Can anyone help me in this regard?

Hi Sunil
That looks like the issue detailed in the CAS problem thread earlier 
this month. You're using Acegi Security release 0.51 and not performing 
a proxy callback, right? If so, upgrade to CVS HEAD and you'll find the 
necessary fix has been made. We really must get an 0.6 release out 
soon...! :-)

Best regards
Ben


Re: [Acegisecurity-developer] Instance based security

2004-07-30 Thread Ben Alex
March, Andres wrote:
I need to implement this anyway, so if you can wait I would be glad to
help out.  But I won't need to start this effort for awhile.  It might
be better for you do this until I get comfortable with the code.  I am
eager to contribute but I have non-instance based security to implement
first (product priorities).
One other question, were you planning on implementing a voter for this
functionality?  I know you mentioned this earlier.

Hi Andres
I just checked into CVS the improvements. The end database schema is now 
heavily normalised, with plenty of constraints to prevent incorrect data:

CREATE TABLE acl_object_identity (
id IDENTITY NOT NULL,
object_identity VARCHAR_IGNORECASE(250) NOT NULL,
parent_object INTEGER,
acl_class VARCHAR_IGNORECASE(250) NOT NULL,
CONSTRAINT unique_object_identity UNIQUE(object_identity),
FOREIGN KEY (parent_object) REFERENCES acl_object_identity(id)
);
CREATE TABLE acl_permission (
id IDENTITY NOT NULL,
acl_object_identity INTEGER NOT NULL,
recipient VARCHAR_IGNORECASE(100) NOT NULL,
mask INTEGER NOT NULL,
CONSTRAINT unique_recipient UNIQUE(acl_object_identity, recipient),
FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id)
);
Do you have any further suggestions/feedback?
Best regards
Ben
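
An added example, written for this page rather than taken from Acegi Security,
that runs the model behind two passages above: the "voters detect object as
parameter and query ACL object" option from the 2004-07-22 message, and the ACL
package (integer bit masks, permission inheritance with blocking, JDBC
repository) announced in the last two messages, over the schema Ben posted
translated to SQLite (IDENTITY becomes INTEGER PRIMARY KEY, VARCHAR_IGNORECASE
becomes TEXT COLLATE NOCASE). The bit values in PERMISSIONS, the two acl_class
names, the rule that an explicit entry on a child (even an all-zero one) stops
the walk to its parent, and the folder/account sample data are this example's
own assumptions, not the framework's.

```python
"""Added example, not Acegi code: bit-mask ACLs with inheritance and blocking
over a SQLite adaptation of the posted schema. Bit layout, class names,
blocking rule and sample data are assumptions of this example."""
import sqlite3

SCHEMA = """
CREATE TABLE acl_object_identity (
    id INTEGER PRIMARY KEY,
    object_identity TEXT COLLATE NOCASE NOT NULL,
    parent_object INTEGER,
    acl_class TEXT COLLATE NOCASE NOT NULL,
    CONSTRAINT unique_object_identity UNIQUE(object_identity),
    FOREIGN KEY (parent_object) REFERENCES acl_object_identity(id)
);
CREATE TABLE acl_permission (
    id INTEGER PRIMARY KEY,
    acl_object_identity INTEGER NOT NULL,
    recipient TEXT COLLATE NOCASE NOT NULL,
    mask INTEGER NOT NULL,
    CONSTRAINT unique_recipient UNIQUE(acl_object_identity, recipient),
    FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id)
);
"""

# One concrete permission layout per acl_class, chmod-style bits (assumed).
PERMISSIONS = {
    "FolderAclEntry": {"READ": 1, "WRITE": 2, "DELETE": 4, "ADMIN": 8},
    "BankAccountAclEntry": {"BALANCE_CHECK": 1, "DEPOSIT": 2, "WITHDRAW": 4, "CLOSE": 8},
}
NOTHING = 0

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def _object_row(conn, identity):
    row = conn.execute("SELECT id, parent_object, acl_class FROM acl_object_identity "
                       "WHERE object_identity = ?", (identity,)).fetchone()
    if row is None:
        raise KeyError(identity)
    return row

def add_object(conn, identity, acl_class, parent=None):
    parent_id = _object_row(conn, parent)[0] if parent is not None else None
    conn.execute("INSERT INTO acl_object_identity(object_identity, parent_object, acl_class) "
                 "VALUES (?, ?, ?)", (identity, parent_id, acl_class))

def grant(conn, identity, recipient, *permission_names):
    """Store one entry. No names gives mask NOTHING, i.e. a blocking entry.
    UNIQUE(acl_object_identity, recipient) rejects a second entry for the same
    recipient; that is surfaced here as ValueError."""
    oid, _, acl_class = _object_row(conn, identity)
    mask = 0
    for name in permission_names:
        mask |= PERMISSIONS[acl_class][name]
    try:
        conn.execute("INSERT INTO acl_permission(acl_object_identity, recipient, mask) "
                     "VALUES (?, ?, ?)", (oid, recipient, mask))
    except sqlite3.IntegrityError as exc:
        raise ValueError(f"duplicate ACL entry for {recipient} on {identity}") from exc

def effective_mask(conn, identity, recipients):
    """Walk from the object up the parent_object chain. The first node holding
    an entry for any of the recipients (a user plus its roles) decides, with the
    entries found there OR-ed together. NOTHING counts as an entry, so it blocks
    whatever a parent would otherwise grant."""
    node_id, parent_id, acl_class = _object_row(conn, identity)
    if not recipients:
        return NOTHING, acl_class
    marks = ",".join("?" * len(recipients))
    visited = set()
    while node_id is not None and node_id not in visited:
        visited.add(node_id)            # the FK alone does not rule out a cycle
        rows = conn.execute(f"SELECT mask FROM acl_permission WHERE acl_object_identity = ? "
                            f"AND recipient IN ({marks})", (node_id, *recipients)).fetchall()
        if rows:
            mask = 0
            for (m,) in rows:
                mask |= m
            return mask, acl_class
        node_id = parent_id
        if node_id is not None:
            parent_id = conn.execute("SELECT parent_object FROM acl_object_identity "
                                     "WHERE id = ?", (node_id,)).fetchone()[0]
    return NOTHING, acl_class

def is_granted(conn, identity, recipients, permission_name):
    """What an ACL-backed voter would ask before letting the method run."""
    mask, acl_class = effective_mask(conn, identity, recipients)
    bit = PERMISSIONS[acl_class][permission_name]
    return mask & bit == bit

def build_sample(conn):
    """Constructed data: a folder tree whose inherited READ one subfolder
    blocks for ROLE_USER, and a bank account with user-specific rights."""
    add_object(conn, "folder:/", "FolderAclEntry")
    add_object(conn, "folder:/finance", "FolderAclEntry", parent="folder:/")
    add_object(conn, "folder:/finance/secret", "FolderAclEntry", parent="folder:/finance")
    add_object(conn, "account:77", "BankAccountAclEntry")
    grant(conn, "folder:/", "ROLE_USER", "READ")
    grant(conn, "folder:/finance", "ROLE_ACCOUNTING", "READ", "WRITE")
    grant(conn, "folder:/finance/secret", "ROLE_USER")      # NOTHING: blocks READ
    grant(conn, "account:77", "marissa", "BALANCE_CHECK", "DEPOSIT")
    return conn
```

With build_sample(open_db()), ROLE_USER can READ folder:/finance only because the
walk reaches folder:/, while the zero-mask entry on folder:/finance/secret stops
that inheritance for ROLE_USER but not for ROLE_ACCOUNTING, which has no entry
there and so inherits WRITE from folder:/finance. The COLLATE NOCASE columns give
the case-insensitive matching VARCHAR_IGNORECASE provides in HSQLDB, and the
visited set is the caveat the foreign key does not cover: nothing in the schema
stops parent_object from forming a loop.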


Re: [Acegisecurity-developer] Instance based security

2004-07-31 Thread Ben Alex
March, Andres wrote:
3 more things:
- I sync'd to cvs and don't see your changes.  Got the JAAS ones though.

Welcome to SourceForge. AFAIK they have a timed synchronisation from the 
developer CVS servers to the anonymous access ones. So give it a few 
hours (I received the commit messages to acegisecurity-cvs, so I know 
they're there).

- What is acl_class for? I don't see it used in your tests.

This is the BasicAclEntry instance created. I don't test for it 
expressly in the unit tests because it has to be successful in order to 
return anything from the JdbcDaoImpl.

- I forgot, below is how I have had to model it. I would think it is too
complex for a base implementation but I just wanted you to see what I
must handle for our product.  Notice we are using integers instead of
varchar for all acl lookups. 

We could make all recipients (roles and users) need an entry in 
acl_object_identity, then use a FK to it from acl_permission.recipient. 
The issue is it would require every possible recipient to have an entry 
in acl_object_identity, when by their nature they already have other 
tables within an application (usually the users and roles tables).

I would assume most applications don't need the flexibility of treating 
users and roles as both recipients as well as domain object 
instances for which permissions can be assigned against. Is that what 
you're trying to do? I couldn't see a FK mapping to 
acl_object_relationship so I wasn't 100%.

Perhaps we should provide an additional JDBC DAO provider with a view to 
sharing a central table structure between authentication and ACLs. ie:

- Recipient table: id IDENTITY, type INTEGER (user or role), name 
VARCHAR (username or rolename)
- Users table: recipient_id INTEGER (FK to Recipient), password VARCHAR, 
email VARCHAR, lastLogin DATE, unsuccessfulPasswords INTEGER etc
- Role_member table: role_recipient_id, user_recipient_id
- Acl_permission: change recipient to be an INTEGER (with FK to 
Recipient table)

This would still not address your requirement to also treat recipients 
as domain object instances. But still, with an appropriate trigger 
against the Recipient table you shouldn't have much difficulty auto 
creating/deleting a corresponding row in the acl_object_identity table.

Ben


Re: [Acegisecurity-developer] Instance based security

2004-07-31 Thread Ben Alex
March, Andres wrote:
Ahh, I see now.  This is like a permission type.  I debated this idea
here but could not find a use for it.  I could not see how it would add
info to what the permission meant.  It seems that the recipient,
accessed object, and mask conveyed everything I need to.  I was planning
on leaving it to the security framework to interpret the class of
permission on the fly.  In this way it is also polymorphic in nature.

Different domain objects are likely to have very different permission 
meanings. A BankAccount object would have permissions like allowDeposit, 
allowWithdraw, allowBalanceCheck, allowClosure. A Folder object would 
have permissions like create, delete, read, write and execute. It's 
better to provide a concrete class that reflects the possible 
permissions, which bit represents which permission, and easy getters to 
whether a permission is granted. Thus relying classes simply call 
AclManager to get the AclEntry[]s, cast the AclEntry to the appropriate 
concrete class, and call the respective getters (eg isAllowDeposit, 
isAllowWithdraw). Enabling this behaviour requires the extra acl_class 
column.

Is this easier to implement than just putting this info into the
object_identity table?  Or is it better because you have a clear
division between recipient and domain objects?  This design is
constraining to use cases such as mine but I can see the clarity in
doing this.   I figure on implementing my own dao anyway.  I am using
hibernate.

Indeed. The problem from a security framework design point of view is 
that fuzzy line between what belongs in the framework and what belongs 
in the realm of end developer responsibility. I can see some applications, 
like yours and say LDAP directories, do need to treat users and roles as 
both recipients and domain object instances. The grey line is whether 
that's mainstream enough to make the base JDBC implementation support 
it or not. Whether it belongs in the framework or not, we must ensure 
the base JDBC class is modular enough (in terms of protected methods) 
such that it _could_ be done without writing a DAO from scratch. Do you 
believe the existing JDBC DAO provides enough flexibility in this regard?

Ben


[Acegisecurity-developer] Petclinic RCP

2004-08-01 Thread Ben Alex
Hi everyone
I've just checked in some improvements to Petclinic RCP, which I'd 
appreciate your feedback on.

There are now two versions. PetclinicStandalone.java loads the embedded 
database edition. PetclinicClientServer.java uses remoting protocols to 
access http://localhost:8080/petclinic-server/ws (web services). There 
are also Windows BATch files for loading each of these from the command 
line.

Petclinic's Ant warfile target now also creates a WAR file which can 
be deployed to your servlet container. This is what provides the web 
services destination mentioned above. Visiting the webapp's home page 
also provides you two links, to each of the JNLP (Java Web Start) 
enabled versions. For JNLP to work, I've had to make the Ant script sign 
the JARs. Check out project.properties for a link to how to obtain and 
setup a free Thawte certificate for code signing.

The PetclinicClientServer edition also correctly checks the presented 
username and password against the remote server, obtaining the user's 
granted authorities. When validated, it goes through and sets the 
username and password on all Spring remoting proxy factory beans. A 
logout event nulls these factory usernames and passwords.

I plan on adding method invocation security to the editions and access 
control list security later today. It's 95% just using declarative 
configuration, as Acegi Security provides most of this out-of-the-box.

Look forward to your feedback.
Best regards
Ben


[Acegisecurity-developer] Re: AccessDeniedException

2004-08-02 Thread Ben Alex
[EMAIL PROTECTED] wrote:
Ben,
I am still having problems getting messages to the forum...  Anyways, here
is my latest issue if you could please put it into the forum ,and maybe
give advice ;).
---
I am having a problem when using basic authentication and my own
authentication DAO implementation.  I am attempting to interface using
Hibernate to the database for authentication which works fine.  I was
using an InMemoryDaoImpl to do testing with.  The InMemoryDaoImpl allows
me to authenticate correctly and when the user did not have the required
role an AccessDeniedException would be thrown and I could handle this no
problem.  When I switched to the Hibernate DAO implementation I can
authenticate no problem, but when access could not be granted to a
resource I got a 403 HTTP error.  I really wanted my custom DAO
implementation to react the same as the InMemoryDAOImpl and throw the
AccessDeniedException.

I'm not sure why this is happening. Both DAOs should simply provide a 
UserDetails to the DaoAuthenticationProvider, which constructs an 
Authentication object if a valid authentication request was received. 
Therefore there should be no difference at the authorization stage, 
unless the created Authentication object is different. I'm tipping your 
Hibernate DAO implementation is not adding the same GrantedAuthority[]s 
to the UserDetails as the InMemoryDaoImpl is. I'd add some logging to 
your Hibernate DAO to see what the returned UserDetails actually contains.

I tried to subclass
net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter such that it
would throw an AccessDeniedException instead of returning a 403, however
this did not work.  I replaced the securityEnforcement filter to use the
subclass that I created and updated the web.xml to use this as well.  Any
suggestions to use the AccessDeniedException using basic authentication
would be appreciated.  I need to this because I am using a Flash client
and I need to handle an exception/fault at this time instead of an HTTP
error code.

403 gets sent in the event of an AccessDeniedException. Alternatively, 
if it's an AuthenticationException, the AuthenticationEntryPoint gets 
commenced. You'll probably use BasicProcessingFilterEntryPoint which 
sends a 401 to request the browser to retry with a BASIC authentication 
header.

I'm really thinking your Hibernate DAO is simply failing to populate the 
GrantedAuthority[]s of the UserDetails implementation (in most cases 
User), which is why you're getting AccessDeniedExceptions in the first 
place. However, I've just checked in a change to 
SecurityEnforcementFilter so there is a sendAccessDeniedError protected 
method you can override in a subclass if required.

Best regards
Ben

---
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


[Acegisecurity-developer] Preparing for 0.6 release

2004-08-04 Thread Ben Alex
Hi everyone
Today I upgraded Acegi Security CVS to Spring 1.1 RC 1 JARs and the 
integration tests system has shown no incompatibilities.

It's almost time to release version 0.6:
- Unit tests and container integration tests pass
- The upgrade-05-06.txt file is complete
- Unit test coverage is 97.7% (ant clover.html)
- There is now a complete maven.xml, so we'll ask for inclusion in Ibiblio
- There are no outstanding issues AFAIK
- Bug reports have become very infrequent, suggesting any major issues 
have been fixed

Aside from increasing documentation (specifically covering the JAAS 
provider and EL taglib usage) I think we're pretty much ready to release 
0.6.

Do people agree we're ready to release, or are there any other comments?
Best regards
Ben

---
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] Re: AccessDeniedException

2004-08-04 Thread Ben Alex
[EMAIL PROTECTED] wrote:
Ben,
*Still having trouble submitting to the forum / keeps bouncing back...*
Thanks for your reply.  First, you were right about my HibernateDAO.  It
was not using the same credentials as the in-memory representation.  In
fact the user that I was pulling back did not have any roles associated
with it that began with ROLE_.  As soon as I added a fake role (ROLE_NONE)
I got the expected behavior that I was looking for with my HibernateDAO
object.  An AccessDeniedException was thrown to the client which is what I
wanted instead of a 403 error.  However, now I am a little confused about
how I am using this framework.  Do I have to supply at least one role for
each principal so that role voting can work and throw this exception?
Also, I have the following configuration in my spring config file:
 

 

Hi Mark
The User object requires the GrantedAuthority[]s to be non-null. This is
just so we have a convenient place to ensure AuthenticationDaos are
creating valid objects.

The broader content of your email concerns the difference between
authentication and authorization. Basically a FilterSecurityInterceptor
or MethodSecurityInterceptor will check the ((SecureContext)
ContextHolder.getContext()).getAuthentication(), and if null, it will
consider a request unauthenticated and throw an AuthenticationException.
If an Authentication instance was returned, instead it will delegate to
an AccessDecisionManager, which typically iterates the
Authentication.getAuthority()s. If the Authentication does not have the
required GrantedAuthority, it will throw an AccessDeniedException.

Sitting at the filter level, the SecurityEnforcementFilter catches both
AccessDeniedException and AuthenticationException. If the latter, it
will delegate to an AuthenticationEntryPoint (which in BASIC
authentication will send a 401). If the former, it will call:

    protected void sendAccessDeniedError(ServletRequest request,
        ServletResponse response) throws IOException

The above method was added yesterday to assist fully controlling the
behaviour. The default implementation sends a SC_FORBIDDEN response (ie
code 403).

This approach is analogous to a typical web browser operating with BASIC
authentication. You visit a site, and hit a protected resource. You're
prompted to login. Then you move around the site and every access
decision is made based on that existing login. If you try to access a
resource for which you have no permissions, you get a 403 error message.
To resolve the 403, you'd need to logout (close your browser) and login
again with an appropriate account.

Not sure how all of this impacts you, but I hope this explanation of
behaviour helps.
Best regards
Ben
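The sendAccessDeniedError hook described above is the natural place to give a non-browser client such as Mark's Flash client a parseable fault body instead of the container's 403 page. The subclass below is an added example written for this page, not code from Acegi Security or from anyone in the thread; it relies only on the protected method signature quoted above. The package name, the XML fault format and the faultContentType property are assumptions.

```java
package com.example.security; // assumed package, not part of Acegi Security

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter;

/**
 * Replaces the bare 403 that SecurityEnforcementFilter sends on an
 * AccessDeniedException with a small XML fault document a rich client can
 * parse. Declare this class in web.xml wherever SecurityEnforcementFilter
 * was declared before; nothing else in the filter chain changes.
 */
public class FaultReportingEnforcementFilter extends SecurityEnforcementFilter {

    /** Content type of the fault body; whatever the (hypothetical) client expects. */
    private String faultContentType = "text/xml";

    public void setFaultContentType(String faultContentType) {
        this.faultContentType = faultContentType;
    }

    protected void sendAccessDeniedError(ServletRequest request, ServletResponse response)
        throws IOException {
        if (!(response instanceof HttpServletResponse)) {
            // Not an HTTP response: keep the default behaviour.
            super.sendAccessDeniedError(request, response);
            return;
        }
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // Keep the 403 status so proxies, access logs and ordinary browsers
        // still see an authorisation failure. Only the body changes.
        httpResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
        httpResponse.setContentType(faultContentType);
        httpResponse.setHeader("Cache-Control", "no-store");

        PrintWriter out = httpResponse.getWriter();
        out.print("<fault>");
        out.print("<code>ACCESS_DENIED</code>");
        // Deliberately generic: do not tell a caller that has just failed an
        // authorisation check which role or ACL entry it was missing.
        out.print("<message>Access to the requested resource is denied.</message>");
        out.print("</fault>");
        out.flush();
    }
}
```

Two things worth keeping in mind. This hook is only reached for an AccessDeniedException; an AuthenticationException still goes to the AuthenticationEntryPoint, which for BASIC means a 401. And if the client genuinely cannot read the body of a non-2xx response, the only alternative is to answer 200 with the fault document, which hides the denial from every proxy and log between the client and the server; keep the 403 unless that trade-off is unavoidable.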



Re: [Acegisecurity-developer] Best place to enforce password policies?

2004-08-04 Thread Ben Alex
Andy Depue wrote:
I've implemented security in my web application using Acegi security.  I'm in 
the process now of implementing a very simple password policy (basically, the 
administrator has the ability to set a flag on the user to force them to 
change their password the next time they log in).  In the grand scheme of 
Acegi, where would be the best place to implement this?  I'm tempted to 
create my own filter that runs after Acegi's authentication processing filter 
that checks if the current user has this flag set and, if so, redirects them 
to the change password page.  Is there a better place to do this?

Thanks,
 Andy
 

Hi Andy
  
I'd do it the way you've suggested. There aren't any existing hooks for 
this behaviour. We could probably add one into AbstractProcessingFilter 
if you prefer.

Best regards
Ben
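Andy's suggestion, a filter that runs after Acegi's authentication processing filter and redirects a flagged user to the change-password page, written out as an added example for this page rather than anything from Acegi Security or the thread. It reads the Authentication from the ContextHolder as described elsewhere in this thread and assumes, as the 0.6 release notes say, that the principal is the UserDetails object. The package name, the PasswordPolicyUser interface that your UserDetails implementation is assumed to provide, and the default path are assumptions.

```java
package com.example.security; // assumed package, not part of Acegi Security

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;

/** Assumed: implemented by your UserDetails class alongside the flag the administrator sets. */
interface PasswordPolicyUser {
    boolean isPasswordChangeRequired();
}

/**
 * Map this in web.xml AFTER the Acegi integration and authentication
 * processing filters (so the ContextHolder is populated) and BEFORE
 * anything that serves application pages.
 */
public class ForcePasswordChangeFilter implements Filter {

    /** Servlet path of the change-password page; overridable via an init-param (assumed default). */
    private String changePasswordPath = "/changePassword.htm";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("changePasswordPath");
        if (configured != null) {
            changePasswordPath = configured;
        }
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
        if (request instanceof HttpServletRequest && mustChangePassword()
            && !isChangePasswordRequest((HttpServletRequest) request)) {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + changePasswordPath));
            return;
        }
        chain.doFilter(request, response);
    }

    private boolean mustChangePassword() {
        Object context = ContextHolder.getContext();
        if (!(context instanceof SecureContext)) {
            return false;
        }
        Authentication auth = ((SecureContext) context).getAuthentication();
        if (auth == null) {
            return false; // unauthenticated: that is the security interceptor's job, not ours
        }
        Object principal = auth.getPrincipal();
        return principal instanceof PasswordPolicyUser
            && ((PasswordPolicyUser) principal).isPasswordChangeRequired();
    }

    /** The change-password page (and its form POST) must pass, or the redirect loops forever. */
    private boolean isChangePasswordRequest(HttpServletRequest req) {
        String path = req.getServletPath();
        if (req.getPathInfo() != null) {
            path = path + req.getPathInfo();
        }
        return changePasswordPath.equals(path);
    }
}
```

Two caveats. The flag is read from the UserDetails that travels with the Authentication in the session, so after a successful change either clear it on that object or force re-authentication, otherwise the user keeps being redirected until the next login. And because this filter only redirects, the change-password page itself still has to be a secured resource; the FilterSecurityInterceptor, not this filter, is what stops an unauthenticated request.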



Re: [Acegisecurity-developer] Preparing for 0.6 release

2004-08-04 Thread Ben Alex
March, Andres wrote:
I am still wondering about the usage of the acl stuff.  I see in your
test how the GrantedAuthorityEffectiveAclsResolver can be used directly
but would it be worthwhile to provide a voter that can perform acl
authorization?
I will be writing one in about 3 weeks but I am sure 0.6 can't wait for
that.
 

Hi Andres
The challenge is we'd really need to provide a sample application for 
the ACL integration to make any sense. An ACL voter without sample data 
and something people can try probably isn't going to help much more than 
what is already written up in the reference guide. The existing Contacts 
sample cannot be used without making it JDBC-backed (it's presently 
HashMap-backed).

I am writing a sample application that will take advantage of the ACL 
package, but as my time is limited and I'm also involved with the Spring 
RCP project, I'm killing two birds with the one stone by integrating the 
ACL sample into Petclinic RCP. This should be done very soon (we have 
some RCP lifecycle changes to make first).

Best regards
Ben



Re: [Acegisecurity-developer] Change authentication details / password

2004-08-05 Thread Ben Alex
Peter Leschev wrote:
I'm looking at using acegi with Tapestry for a web application that I'm
working on - From initial evaluation, Acegi looks very impressive. I
understand that AuthenticationProcessingFilter can be used to integrate
with an HTML form for user login, which is easy, but how is changing the
user's password possible? (I'm assuming it's something I have to code up
manually for now?)
 

Hi Peter
Yes, you'll need to code change of password manually. A design decision 
was made to keep the AuthenticationDao as simple as possible (ie 
read-only) and as such we don't have the methods to write a new password 
back to the authentication repository.

Best regards
Ben



[Acegisecurity-developer] Acegi Security - new release 0.6

2004-08-08 Thread Ben Alex
Dear Spring Community
I'm pleased to announce the Acegi Security System for Spring release 0.6 is
now available from http://acegisecurity.sourceforge.net. The project
provides comprehensive security services for The Spring Framework.
FEATURES:
* It is ready NOW
* Easy to use and deploy (includes a new samples/quick-start directory)
* Enterprise-wide single sign on (via Yale Uni's CAS project)
* Reuses your Spring expertise
* Domain object instance security
* Non-intrusive setup
* Full (but optional) container integration
* Keeps your objects free of security code
* Secures your HTTP requests as well (regular expressions, Ant Paths etc)
* Channel security (HTTPS/HTTP auto redirection etc)
* Supports HTTP BASIC authentication (RFC 1945)
* Convenient security taglib
* Application context or attribute-based configuration
* Various authentication backends (including JDBC)
* Event support
* Easy integration with existing databases (no schema changes)
* Caching (now pluggable, with an EHCACHE implementation)
* Pluggable architecture
* Startup-time validation
* Remoting support (demonstrated in sample application)
* Advanced password encoding (SHA, MD5, salts etc)
* Run-as replacement
* Unit tests (Clover coverage is currently 98%)
* Container integration tests
* Supports your own unit tests
* Peer reviewed
* Thorough documentation
* Apache license
CHANGES IN 0.6:
* Added domain object instance access control list (ACL) packages
* Added feature so DaoAuthenticationProvider returns User in Authentication
* Added AbstractIntegrationFilter.secureContext property for custom contexts
* Added stack trace logging to SecurityEnforcementFilter
* Added exception-specific target URLs to AbstractProcessingFilter
* Added JdbcDaoImpl hook so subclasses can insert custom granted authorities
* Added AuthenticationProvider that wraps JAAS login modules
* Added support for EL expressions in the authz tag library
* Added failed Authentication object to AuthenticationExceptions
* Added signed JARs to all official release builds (see readme.txt)
* Added remote client authentication validation package
* Added protected sendAccessDeniedError method to SecurityEnforcementFilter
* Updated Authentication to be serializable (Weblogic support)
* Updated JAR to Spring 1.1 RC 1
* Updated to Clover 1.3
* Updated to HSQLDB version 1.7.2 Release Candidate 6D
* Refactored User to net.sf.acegisecurity.UserDetails interface
* Refactored CAS package to store UserDetails in CasAuthenticationToken
* Improved organisation of DaoAuthenticationProvider to facilitate subclassing
* Improved test coverage (now 98.3%)
* Improved JDBC-based tests to use in-memory database rather than filesystem
* Fixed Linux compatibility issues (directory case sensitivity etc)
* Fixed AbstractProcessingFilter to handle servlet spec container differences
* Fixed AbstractIntegrationFilter to resolve a Weblogic compatibility issue
* Fixed CasAuthenticationToken if proxy granting ticket callback not requested
* Fixed EH-CACHE handling on web context refresh
* Documentation improvements
We recommend that all users upgrade to take advantage of these new features and 
improvements. An upgrade-05-06.txt file is provided in the distribution ZIPs to assist 
with this.
Please visit http://acegisecurity.sourceforge.net to access the latest
version or read more about the features.
I would also like to take this opportunity to thank the growing team who provide 
support and improvements to the project.
Best regards
Ben



Re: [Acegisecurity-developer] Bug in net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache

2004-08-09 Thread Ben Alex
Karel Miarka wrote:
Hi Ben,
with the new release some of my integration tests stopped working with 
NullPointerException in EhCacheBasedUserCache - the cache variable was 
null. (Surprisingly it was working when deployed under Tomcat.)
I have studied the code and then tried to add this line into 
afterPropertiesSet() below your comment // dont remove the cache :
cache = CacheManager.getInstance().getCache(CACHE_NAME);
and it seems to be OK.
TIA,
Karel
Hi Karel
EH-CACHE strikes again. The last problem was with web context refreshes. 
Have you tried that with your change?

I've just committed your change to the various implementations we use 
that front EH-CACHE.

Best regards
Ben



[Acegisecurity-developer] Stand up and be counted

2004-08-11 Thread Ben Alex
Dear Acegi Security users
If you're using CAS, you might like to assist Andrew Petro (who 
maintains CAS itself) with the following. If you do reply to Andrew, I'd 
appreciate it if you'd cc: me so I too can see where CAS is being used 
along with Acegi Security.

We should think about doing something like this for Acegi Security 
itself.

Best regards
Ben
 Original Message 
Subject:Stand up and be counted
Date:   Tue, 29 Jun 2004 13:01:28 -0400
From:   Andrew Petro [EMAIL PROTECTED]
Reply-To:   Yale CAS mailing list [EMAIL PROTECTED]
To: Yale CAS mailing list [EMAIL PROTECTED]

CAS community,
I'd like to compile a list of institutions using CAS.  If you'd like
to be on the list, please reply to me directly (no need to hit the
list) with as much of the following information as you would like:
1) Name of institution
2) URL of main web presence of institution
3) Name & email address of a technical contact who would like to be
available to discuss the experience of installing / using CAS
4) CAS Login URL - so we can compare login page look and feel
5) Whether you're using CAS 2.0 Proxy CAS functionality
6) Any additional information - how many users you have, if you churn
through some extraordinary number of tickets, what interesting
applications you have CASified; interesting fail-over tricks, load
balancing, user authorization solutions -- anything you'd like to share.
Provide as much or as little information as you would like.
What I will then do is post these submissions in answer to the
question Who is using CAS? on the CAS FAQ.
Thanks,
Andrew
microcline at gmail.com
[EMAIL PROTECTED]
___
Yale CAS mailing list
[EMAIL PROTECTED]
http://tp.its.yale.edu/mailman/listinfo/cas



Re: [Acegisecurity-developer] hibernate compatability ( blah blah blah )

2004-08-11 Thread Ben Alex
bryan wrote:
Then my methods that are in the orderService class can 
call systemUserHolder.getSystemUser.getId() and 
do searches for example where the user is only allowed
to see financial data for a certain region.

I am very much new to Spring so if I'm completely off the 
mark here feel free to flame me. I think this code will be 
a good reference implementation if I can get it working 
well. 

--b
 

 

Hi Bryan
Not sure what you're trying to do, but on first glance there should be 
no need to have your orderServiceTarget have a reference to 
systemUserHolder. Typically any security checks would take place within 
an AccessDecisionVoter, which is handed the Authentication object 
directly. Should the Authentication object require some custom methods, 
you'd probably achieve that by implementing a custom AuthenticationDao 
(assuming you're using DaoAuthenticationProvider, which is most common). 
Now if the custom methods only relate to access control, you'd be well 
served to check out the new net.sf.acegisecurity.acl.basic package, as 
it would probably solve your goals in a more efficient way.

If you could let the list know what you're trying to achieve at a 
functional level, we'd be able to point you to specific classes and 
interfaces to implement etc.

Best regards
Ben



Re: [Acegisecurity-developer] AuthByAdaptors and SecurityContext

2004-08-11 Thread Ben Alex
Sean Radford wrote:
Hi,
If one is authenticating using JAAS to create an AuthByAdaptor 
Authentication object (e.g. using JBossAcegiLoginModule), how do you 
then get the SecureContext populated when not using a web-layer - and 
thus not able to use an IntegrationFilter such as the 
JbossIntegrationFilter?

Or do I have to create my own MethodInterceptor around all my secure 
method calls to check for the SecureContext, and if not found, try to 
retrieve it from its 'well-known location'?

Hi Sean
There is no way included with Acegi Security to populate the 
ContextHolder from the JBoss JNDI location except via the 
JbossIntegrationFilter. So you'll have to experiment with an alternative 
way (sorry about that).

Best regards
Ben



[Acegisecurity-developer] Acegi Security - support forum

2004-08-12 Thread Ben Alex
Hi everyone
Colin has kindly setup a forum for Acegi Security support at 
http://forum.springframework.org. Would end users please use this 
channel for future support.

Best regards
Ben



Re: [Acegisecurity-developer] missing BadCredentials AuthenticationEvents

2004-08-12 Thread Ben Alex
Karel Miarka wrote:
Ben,
Another issue connected to logging. In my log file an Authentication
success record with details: null keeps reappearing. I think that the first time a user
logs in the details are filled with the IP, but later on when the user expires
from the user cache and is obtained again from the DAO this success event is
triggered again with null details.
I think that if the above assumption is true we should add a condition 
details != null when triggering the event or at least to the LoggerListener
to avoid writing it to the log.
What do you think?
Karel
 

Hi Karel
Authentication.getDetails() is allowed under the interface contract to 
be null. So we can't decide for DaoAuthenticationProvider to not publish 
an event if it is simply null.

At present DaoAuthenticationProvider publishes 
AuthenticationSuccessEvent every time an authentication takes place 
where the cache was not used. Thanks to the 
AbstractIntegrationFilter.commitToContainer(ServletRequest, 
Authentication) method we have the HttpSession contain the final 
Authentication that exists on the ContextHolder at the end of a request. 
This is then placed back onto the ContextHolder and re-presented on 
subsequent requests. The DaoAuthenticationProvider builds a response 
Authentication token upon successful authentication in its 
createSuccessAuthentication(Object, Authentication, UserDetails) method. 
So all we need to do is ensure this latter method returns an 
Authentication which actually contains the original 
Authentication.getDetails().

I've just committed a change and unit test for DaoAuthenticationProvider 
that does the above.

Best regards
Ben


Re: [Acegisecurity-developer] BasicAclProvider

2004-08-15 Thread Ben Alex
March, Andres wrote:
I was trying to set the defaultAclObjectIdentityClass in the 
application context but am having trouble. Maybe this is because the 
property is a class. Not sure how to define that bean property in the 
xml. Is there some other way you recommend setting the 
defaultAclObjectIdentityClass? Or do you know how to do it in Spring?

-
Andres March
Platform - Apps Engineering
Sony Online Entertainment
desk: 858.577.3373
cell: 619.519.1519
Hi Andres
From the Spring reference manual:
Additionally, when talking about the XML based BeanFactory variants 
(including the ApplicationContext variants), these have built-in support 
for defining Lists, Maps, Sets, and Properties collection types. 
Additionally, Spring uses JavaBeans PropertyEditor definitions to be 
able to convert string values to other, arbitrary types. (You can 
provide the BeanFactory with your own PropertyEditor definitions to be 
able to convert your own custom types; more information about 
PropertyEditors and how to manually add custom ones, can be found in 
Section 3.9, Registering additional custom PropertyEditors). When a 
bean property is a Java Class type, Spring allows you to specify the 
value for that property as a string value which is the name of the 
class, and the ClassEditor PropertyEditor, which is built-in, will take 
care of converting that class name to an actual Class instance.

Best regards
Ben
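Spelled out as an added illustration (not from the thread): the bean definition passes the class name as a plain string and lets the built-in ClassEditor turn it into a Class. The bean id, the identity class named here and the omission of BasicAclProvider's other properties are assumptions made for the example.

```xml
<bean id="basicAclProvider" class="net.sf.acegisecurity.acl.basic.BasicAclProvider">
    <!-- other properties (the ACL DAO etc.) omitted for brevity -->
    <property name="defaultAclObjectIdentityClass">
        <!-- a string; Spring's ClassEditor converts it to a Class instance -->
        <value>net.sf.acegisecurity.acl.basic.NamedEntityObjectIdentity</value>
    </property>
</bean>
```

If the class name is misspelled, the failure is a property-conversion error at context startup rather than at first ACL lookup, which is exactly the startup-time validation you want for a security setting.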


Re: [Acegisecurity-developer] hibernate compatability ( blah blah blah )

2004-08-16 Thread Ben Alex
administrator wrote:
Thanks Ben,
What I'm trying to do on a functional level is quite straightforward.
The application that I am writing is intended for the real estate 
business.

In this business a sales agent will only be able to view/edit properties
that he/she has been assigned/brought into the company.
So when for example an agent does a search for houses they should
only be returned those that they are in charge of.
Hi Bryan
The way I'd approach this is to use as much Acegi Security 
infrastructure as possible. Whilst you could use your own SystemUser 
object etc, unless there is a compelling value-add you will have to 
maintain it when there is likely an already functional alternative 
maintained as part of Acegi Security. Specifically, the UserDetails 
interface and the User implementation of same can store your 
authenticated user information. This will be available from the 
((SecureContext) ContextHolder.getContext()).getAuthentication(). Is 
there any particular reason you wouldn't want to use these classes?

As for the access control list (ACL) part, you'd use the new 
net.sf.acegisecurity.acl.basic package. This is discussed in the 0.6 
reference manual, although there still isn't a sample application. 
Essentially you'd use the JdbcDaoImpl which retrieves ACLs from a JDBC 
backend. You'd then use the AclProviderManager as your AclManager 
implementation, which is wired to a BasicAclProvider, and in turn that 
is wired to the JdbcDaoImpl. You'd then write a custom 
AccessDecisionVoter which has a reference to the AclManager bean. The 
AccessDecisionVoter would check with the AclManager to ensure the 
Authentication object has access to the presented real estate property. 
If access is denied, the AccessDecisionVoter would throw an 
AccessDeniedException. That's all fine for working with specific real 
estate properties, but in terms of getting a list of real estate 
properties that users have access to, you would probably be best to 
write a MethodInterceptor which inspects a returned List and mutates it 
to remove real estate properties to which the user has no access. Thus 
it could be used with any of your finders, as it is a cross-cutting concern.

In relation to the Hibernate filters, yes, it seems like they would work 
if each real estate property could only have a single salesperson. But 
for the sake of spending a little time writing the MethodInterceptor and 
setting up the ACL package, you'd have much more flexibility (eg 1 
salesperson per property, hierarchy perhaps based on locations of the 
real estate properties, hierarchy perhaps based on internal sales teams, 
allowing clients to edit their property details over the web, permitting 
limited access to certain real estate properties by other team members 
and so on).

Best regards
Ben
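The arrangement described here and in the earlier reply to Bryan (checks made in an AccessDecisionVoter that is handed the Authentication, plus a MethodInterceptor that thins the lists finders return) as one added example for this page; it is not code from Acegi Security, Bryan or Ben. The acl.basic names it calls (AclManager.getAcls(Object, Authentication), BasicAclEntry.isPermitted, SimpleAclEntry.READ) are written from memory of the 0.6-era API and are assumptions, as are the package, the RealEstateProperty stand-in and the ACL_PROPERTY_READ configuration attribute.

```java
package com.example.security; // assumed package, not part of Acegi Security

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import net.sf.acegisecurity.AccessDecisionVoter;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.acl.AclEntry;
import net.sf.acegisecurity.acl.AclManager;
import net.sf.acegisecurity.acl.basic.BasicAclEntry;
import net.sf.acegisecurity.acl.basic.SimpleAclEntry;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

public class RealEstatePropertyAcl {

    /** Stand-in for the application's own domain class (assumed). */
    public static class RealEstateProperty {
    }

    /** Shared check: does this Authentication hold READ on the property via the AclManager? */
    static boolean canRead(AclManager aclManager, Authentication auth, Object property) {
        if (auth == null) return false;     // fail closed: no login, no access
        AclEntry[] acls = aclManager.getAcls(property, auth);
        if (acls == null) return false;     // no ACL entries apply to this principal
        for (int i = 0; i < acls.length; i++) {
            if (acls[i] instanceof BasicAclEntry
                && ((BasicAclEntry) acls[i]).isPermitted(SimpleAclEntry.READ)) {
                return true;
            }
        }
        return false;
    }

    /** Voter for the MethodSecurityInterceptor: fires on ACL_PROPERTY_READ when a property is an argument. */
    public static class Voter implements AccessDecisionVoter {
        private static final String ATTRIBUTE = "ACL_PROPERTY_READ";
        private AclManager aclManager;

        public void setAclManager(AclManager aclManager) { this.aclManager = aclManager; }

        public boolean supports(ConfigAttribute attribute) {
            return ATTRIBUTE.equals(attribute.getAttribute());
        }

        public boolean supports(Class clazz) {
            return MethodInvocation.class.isAssignableFrom(clazz);
        }

        public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
            boolean asked = false;
            for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
                if (supports((ConfigAttribute) it.next())) {
                    asked = true;
                }
            }
            if (!asked) return ACCESS_ABSTAIN;   // not our attribute: let the RoleVoter decide
            Object[] args = ((MethodInvocation) object).getArguments();
            for (int i = 0; i < args.length; i++) {
                if (args[i] instanceof RealEstateProperty) {
                    return canRead(aclManager, authentication, args[i]) ? ACCESS_GRANTED : ACCESS_DENIED;
                }
            }
            return ACCESS_DENIED;               // attribute set but nothing to check: fail closed
        }
    }

    /** After-invocation interceptor for finders: drops properties the caller may not read. */
    public static class ListFilter implements MethodInterceptor {
        private AclManager aclManager;

        public void setAclManager(AclManager aclManager) { this.aclManager = aclManager; }

        public Object invoke(MethodInvocation invocation) throws Throwable {
            Object result = invocation.proceed();
            if (!(result instanceof List)) return result;
            Object context = ContextHolder.getContext();
            Authentication auth = context instanceof SecureContext
                ? ((SecureContext) context).getAuthentication() : null;
            List visible = new ArrayList();     // fresh list: never mutate one Hibernate may still manage
            for (Iterator it = ((List) result).iterator(); it.hasNext();) {
                Object element = it.next();
                if (!(element instanceof RealEstateProperty) || canRead(aclManager, auth, element)) {
                    visible.add(element);
                }
            }
            return visible;
        }
    }
}
```

The voter goes into the AccessDecisionManager next to the RoleVoter and only fires for methods whose objectDefinitionSource entry carries ACL_PROPERTY_READ; for everything else it abstains, so role-based rules keep working unchanged. Both classes deny when the ACL lookup returns nothing, which is the safe default for a new ACL table that is not yet fully populated.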



Re: [Acegisecurity-developer] hibernate compatability ( blah blah blah )

2004-08-17 Thread Ben Alex
Oliver Hutchison wrote:
Using hibernate it is possible to do the following ( pseudo code )
SalesPerson salesPerson = hibernate.find("SalesPerson as 
salesperson where salesperson.id = 1");

Why not just use the username (which should be unique) to lookup the
SalesPerson?
SalesPerson salesPerson = hibernate.find("SalesPerson as 
salesperson where salesperson.username = ?", user.getUsername());

Assuming there's an index on username performance would not be an
issue.
Ollie
 

Hi Bryan
I am inclined to agree with Ollie. Your other requirement (the last 20 
users who signed up) could be equally as effectively addressed by an 
additional indexed column, createdDate. Acegi Security has no problems 
with you adding additional columns to the schema (or backend) managed by 
an AuthenticationDao. You can even return such additional details in the 
UserDetails implementation returned by the AuthenticationDao.

I do not believe any of your use cases could not be effectively and 
modularly accommodated using the existing Acegi Security packages. Its 
usefulness for your authentication needs is beyond a doubt. The ACL side 
is a little grayer, simply because the ACL packages are quite new. 
Having said that, I am fairly confident they'd meet your needs as 
described in my earlier email. The ACL packages are reasonably flexible 
if you really wanted to completely re-engineer the schema: check the 
list archives for a recent discussion between Andres March and myself 
about this.

In relation to remoting integration, as you may have noticed in the 
Contacts sample application, Acegi Security provides support for this 
via its BASIC authentication filter. In addition, there is a new RCP 
package which can be helpful for ensuring a valid login request has 
happened at the client end. Check out the Petclinic RCP sample (part of 
the spring-rcp project) to see this in use.

I'd suggest trying to integrate authentication without worrying about 
the ACL side. Then, once you see that working, review how the included 
ACL packages work. It will be a lot clearer when you understand the 
place where the method security interceptors, ContextHolder, 
AuthenticationDao, and AccessDecisionVoters fit into the bigger picture. 
Of course we're also happy to continue helping you on-list.

Best regards
Ben



Re: [Acegisecurity-developer] (no subject)

2004-08-17 Thread Ben Alex
[EMAIL PROTECTED] wrote:
Hello !
I am new to this framework,
I have changed the default queries in
net.sf.acegisecurity.providers.dao.jdbc.jdbcDaoImpl, and now I want to
compile the project again.
I guess it should be a simple task to use ant build but It seems that
with the distribution file acegi-security-0.6-with-dependencies.zip the
project.properties and build.properties are missing, so apparently I cannot
compile the project.
any ideas or any clues
I will highly appreciate your response.
Regards,
Sami Ather
 

Hi Sami
Apologies for that. It's actually not come up so far, as everyone 
running builds performs a CVS checkout. I've just made a change to the 
Ant build release target so it's included in future releases.

As for the JdbcDaoImpl, any reason you wouldn't subclass it or use its 
setMapping() or setQuery() methods? We've designed JdbcDaoImpl 
to be easily customisable through these extension points, so please let 
us know if it doesn't meet your needs in some way.

Best regards
Ben



Re: [Acegisecurity-developer] sample.contact Application Authorization question??

2004-08-19 Thread Ben Alex
[EMAIL PROTECTED] wrote:
Hello All !
I am trying to use my Database with Sample contact application. I have
added a few roles and users in my database and also have subclassed
JdbcDaoImpl to authenticate from the database. I have added a user with
ROLE_SUPERVISOR and a ROLE_ABC. I have also changed my
applicationContact.xml file to add ROLE_ABC in the security interceptor
section.
Now when I run the project and log in as ROLE_SUPERVISOR everything
works fine, but when I try to log in as ROLE_ABC, the authentication is
successful and I get a message on the console that authentication is successful,
but I get a 403 error (access to resource is forbidden). So if somebody
can tell me that straight after authentication the control goes to which
class and what happens after authentication
Regards,
Sami Ather
 

Hi Sami
The standard Contacts sample uses AffirmativeBased 
(AccessDecisionManager) which grants access if _any_ AccessDecisionVoter 
votes to grant access. Thus if you simply added ROLE_ABC to the security 
interceptor section (BTW, which one, the MethodSecurityInterceptor or 
FilterSecurityInterceptor?) it should still work with your user who 
holds ROLE_SUPERVISOR as the presence of ROLE_ABC is a bonus which is 
never checked. I'd therefore tip you've either chosen to use a different 
AccessDecisionManager (like UnanimousBased, although that should still 
work as the user has both roles!) or perhaps your JdbcDaoImpl has not 
been correctly subclassed. I would expect it's the latter. Try writing a 
unit test for your JdbcDaoImpl subclass (or good old System.out.println 
or logger.debug) to check the UserDetails object it returns does indeed 
contain all the roles you'd expect via UserDetails.getAuthorities().

Ben


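The voting behaviour Ben describes, as an added example that is not part of the original thread and not Acegi Security code: a self-contained Java model of a RoleVoter whose vote is combined by an AffirmativeBased versus a UnanimousBased AccessDecisionManager, plus the diagnostic he recommends (look at the authorities the DAO actually returned). The second, vetoing voter, the sample principals and the role sets are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/*
 * Added example, not Acegi Security code: models how a RoleVoter's vote is
 * combined by AffirmativeBased versus UnanimousBased, and why a DAO subclass
 * that drops authorities shows up as a 403 even after the config attribute was
 * added. The vetoing voter, principals and role sets are assumptions.
 */
public class VotingDemo {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // Same contract as RoleVoter: only ROLE_ attributes count; grant if the
    // principal holds any of them, deny if it holds none, abstain when the
    // secured object carries no ROLE_ attribute at all.
    static int roleVote(Set<String> authorities, List<String> configAttributes) {
        boolean supported = false;
        for (String attr : configAttributes) {
            if (!attr.startsWith("ROLE_")) continue;
            supported = true;
            if (authorities.contains(attr)) return ACCESS_GRANTED;
        }
        return supported ? ACCESS_DENIED : ACCESS_ABSTAIN;
    }

    // Hypothetical second voter that vetoes anyone without ROLE_SUPERVISOR; it
    // exists only to show where the two decision managers diverge.
    static int supervisorOnlyVote(Set<String> authorities) {
        return authorities.contains("ROLE_SUPERVISOR") ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    // AffirmativeBased: one GRANTED is enough. With no GRANTED the call is
    // refused (this model leaves the allow-if-all-abstain option off).
    static boolean affirmative(int... votes) {
        for (int v : votes) if (v == ACCESS_GRANTED) return true;
        return false;
    }

    // UnanimousBased: a single DENIED vetoes; otherwise grant if anyone granted.
    static boolean unanimous(int... votes) {
        boolean granted = false;
        for (int v : votes) {
            if (v == ACCESS_DENIED) return false;
            if (v == ACCESS_GRANTED) granted = true;
        }
        return granted;
    }

    // The check Ben recommends: show what UserDetails.getAuthorities() held.
    static void report(String label, Set<String> authorities, boolean granted) {
        System.out.println(label + " authorities=" + authorities
                + " -> " + (granted ? "granted" : "403"));
    }

    public static void main(String[] args) {
        // The interceptor attributes after ROLE_ABC was added to them.
        List<String> secured = Arrays.asList("ROLE_SUPERVISOR", "ROLE_ABC");

        Set<String> abcUser = new HashSet<>(Arrays.asList("ROLE_ABC"));
        Set<String> bothRoles = new HashSet<>(Arrays.asList("ROLE_SUPERVISOR", "ROLE_ABC"));
        Set<String> brokenDao = new HashSet<>();   // a subclass that lost the authorities

        report("affirmative, abc user   ", abcUser, affirmative(roleVote(abcUser, secured)));
        report("unanimous,   abc user   ", abcUser, unanimous(roleVote(abcUser, secured)));
        report("affirmative, broken DAO ", brokenDao, affirmative(roleVote(brokenDao, secured)));

        // Where the managers differ: add the vetoing voter.
        report("affirmative + veto voter", abcUser,
                affirmative(roleVote(abcUser, secured), supervisorOnlyVote(abcUser)));
        report("unanimous   + veto voter", abcUser,
                unanimous(roleVote(abcUser, secured), supervisorOnlyVote(abcUser)));
        report("unanimous   + veto voter", bothRoles,
                unanimous(roleVote(bothRoles, secured), supervisorOnlyVote(bothRoles)));
    }
}
```

With a single RoleVoter both managers agree: a principal that really holds ROLE_ABC is granted, and a DAO subclass that returns an empty authority set produces the 403 regardless of what the interceptor line says. The two managers only diverge once a second voter denies: AffirmativeBased still grants the ROLE_ABC-only user, UnanimousBased refuses them, and a user holding both roles passes either way.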

Re: [Acegisecurity-developer] removeCache in UserDetails

2004-08-19 Thread Ben Alex
Shishir K. Singh wrote:
I was wondering if the method

    public void removeUserFromCache(String username) {
        cache.remove(username);
    }

in EhCacheBasedUserCache can be made implementable, i.e. moved to the
UserCache interface.
 

Hi Shishir
Done. Now in CVS HEAD.
Ben



Re: [Acegisecurity-developer] Re: Remember me functionality via cookie

2004-08-25 Thread Ben Alex
Piotr Maj wrote:
Could you give me a more precise date of this discussion or a direct link to
it? Mailman at sourceforge is not for human beings ;-)
The new JDBC DAO implementation will ideally support password changing, 
remember me functionality, lost password support, account lockout (via a 
listener) and specialised ACL needs such as Andres mentioned in the 
thread below. Thus people can use the current JdbcDaoImpl (or implement 
AuthenticationDao), if they just want a KISS read-only provider, or they 
can use the new enhanced JDBC DAO (or a new MutableAuthenticationDao 
interface) if they want all the extra functions.

As the needs are fairly broad, might I suggest sending the proposed 
schema to this list so people can discuss before you go to the trouble 
of implementing it? I know you're volunteering to help - so we'll be 
happy with whatever you contribute - but it would be great to ensure 
everything gets covered in this enhanced MutableAuthenticationDao and 
core implementation schema. While I think of it, we should require (via 
the interface contract) for MutableAuthenticationDao implementations to 
call userCache.removeUserFromCache(String username) at appropriate times.

The thread is at 
http://www.mail-archive.com/[EMAIL PROTECTED]/msg00337.html.

Best regards
Ben



Re: [Acegisecurity-developer] Problems when trying to deploy contacts.war on JRun

2004-08-31 Thread Ben Alex
Shishir K. Singh wrote:
Ben, 

Even if I use ContextLoaderServlet, won't the filters get created before
ContextLoaderListener. In that case, the init of the filters will be
called even before the Spring context is available and thus, the
WebApplicationContextUtils.getRequiredWebApplicationContext will fail in
the filters. 

I changed the  ContextLoaderListener to ContextLoaderServlet in
contacts's web.xml and got the same error when deploying in tomcat now.
 

 

Yes, you're right. I've just committed to CVS HEAD an enhancement to 
FilterToBeanProxy which enables it to lazily initialize the proxied 
Filter (i.e. on the first HTTP request, not at filter initialization 
time). Just set the initialization property "init" to "lazy". Please let me 
know if this works OK.

Ben



Re: [Acegisecurity-developer] Sample.contact Context null problem

2004-08-31 Thread Ben Alex
[EMAIL PROTECTED] wrote:
If you have \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER in
I want to get rid of this line in filterInvocationInterceptor. If ROLE_ABC
is included in this line, then things work out smoothly, but then it means
that in future If I will be adding a new role in descriptor I have to
restart my context ( tomcat ) , is there any way through which role can be
added in secureContext without restarting the server.
 

Sounds to me like you *always* want the ContextHolder to contain a 
SecureContext which in turn has an Authentication object. That way 
you'll never get NullPointerExceptions when MethodSecurityInterceptor is 
called. So you *never* want an unauthenticated user accessing your 
application. Is that correct?

The easiest way to do that is to have a single line in 
FilterInvocationInterceptor, such as \A/secure/*\Z=ROLE_EVERYBODY. Then 
ensure you grant ROLE_EVERYBODY to every user, perhaps via an automatic 
addition to the UserDetails returned from your AuthenticationDao. This 
will ensure every user is authenticated before they hit your 
MethodSecurityInterceptor controlled objects, and the ContextHolder 
contains non-null details. If you disable caching as per my previous 
emails, you will be ensuring any additional role grants to the logged in 
user are picked up on each request, because the 
DaoAuthenticationProvider will always delegate to your 
AuthenticationDao. The DaoAuthenticationProvider will always be called 
via the MethodSecurityInterceptor, as its superclass 
(AbstractSecurityInterceptor) re-checks the 
ContextHolder.getContext().getAuthentication() on each secured method 
invocation. Again, a reminder, you're best off with some form of caching 
that is stale object aware and performs eviction.

Ben


Re: [Acegisecurity-developer] Authz taglibs for freemarker

2004-09-02 Thread Ben Alex
Shishir K. Singh wrote:
Ben, 

Is there any work going on to port the authorization taglibs to
freemarker tags ?
Thanks
Shishir
 

Not as far as I know. Besides, doesn't everyone use Velocity these days? ;-)
Ben


[Acegisecurity-developer] SecurityEnforcementFilter always executing, even if for login page

2004-09-02 Thread Ben Alex
Karel Miarka wrote:
Ben,
You are completely right, but my filter solves one important problem
regarding Tapestry: the current SecurityEnforcementFilter doesn't allow the login page
to be at the same place as the protected pages, and because in Tapestry all
the pages are accessed using app?service=page/PageName, it is a problem.
My filter is suitable for applications where all the pages should be
protected except the login page.
It would be nice if the SecurityEnforcementFilter could be made to run only
once and solve the cyclic problem when the login page is inside the
protected area. But because it sends the redirect it is not enough to use
the FILTER_APPLIED flag :(
 

(cc: Developer list so there's some history)
How about this for an approach:
We change the AuthenticationEntryPoint.commence argument to also take a 
FilterChain. ie not just ServletRequest and ServletResponse. Then 
SecurityEnforcementFilter can be configured to secure all requests (ie 
*). It will delegate to FilterSecurityInterceptor, which in turn 
delegates to its superclass, AbstractSecurityInterceptor, which then 
finds nothing in the ContextHolder and throws 
AuthenticationCredentialsNotFoundException, which is then caught by 
SecurityEnforcementFilter (being a subclass of AuthenticationException) 
and it delegates to the revised AuthenticationEntryPoint. We could then 
modify AuthenticationProcessingFilterEntryPoint to detect if the request 
is for itself. Thus it will perform a FilterChain.doFilter rather than 
redirect again to the login page. This should not only work for Tapestry 
applications, but also any other situation whereby the user has secured 
* (including the login page). Do you (or anyone else) see any problems 
with this approach?

Ben



[Acegisecurity-developer] Sandbox LDAP

2004-09-10 Thread Ben Alex
Hi everyone
I've just added a sandbox directory for unsupported and in-development 
code as per other Spring projects. Currently it contains an LDAP 
authentication DAO, thanks to Karel Miarka and Daniel Miller.

Please feel free to use the sandbox if you want to try things out. Of 
course, contributions are always welcome.

Best regards
Ben



Re: [Acegisecurity-developer] Custom login form

2004-09-16 Thread Ben Alex
Andy Depue wrote:
I'm looking at the spring rich client security package 
(org.springframework.richclient.security).  I would like to customize the 
login form to include an additional field, but it looks like the form fields are 
hardcoded.  I guess at the moment I have to create my own LoginForm and 
LoginCommand.  Not that there is a lot of code in these two classes, but I 
hate duplicating any amount of code.  Even if I could just supply my own 
LoginForm to LoginCommand that would save a lot of duplication as I could 
then extend LoginForm.

 - Andy
 

Hi Andy
I'm not using the Spring Rich project at present, so if you wish to make 
any refactorings of that code, please feel free. Keith, Ollie, Jim or I 
will be happy to commit improvements.

Best regards
Ben



Re: [Acegisecurity-developer] Release 0.61

2004-09-23 Thread Ben Alex
Scott McCrory wrote:
No objections - release early and release often...  But are you sure it's 
just a 0.61 release?  I'd recommend 0.7, as most non-programmers (and some 
bit twiddlers too) consider anything prior to 1.0 not mature enough for 
production, and I think Acegi is a lot further along than that...
  Scott

 

I just did a quick Google for version number guidelines. I found quite a 
few references to Apache's Portable Runtime Project versioning 
guidelines at http://apr.apache.org/versioning.html. These seem 
reasonable, but if there is some other guideline people would prefer to 
follow, please provide a URL. Alternatively, if people are happy with 
the Apache guidelines, please send a +1 to the list.

The current CVS HEAD is directly compatible with 0.6. So people 
recognise the new release is directly compatible with 0.6 deployments, I 
favor tagging it 0.61. Or, if we decide to adopt the Apache guidelines 
above, the new release would be tagged 0.6.1.

The 1.0 issue has come up in the forum and been cited as a reason for 
not using the project. I can't identify any foreseeable additional 
features that would require architectural changes, and as stability is 
pretty good, we should seriously think about whether the next release 
after this one should be 1.0. The one major issue I would like to 
resolve before we tag it 1.0 is moving to a Maven-based build rather 
than Ant, just in case this migration requires changes in the classes 
contained in each artifact.

Comments welcome.
Ben


Re: [Acegisecurity-developer] ACEGI and Spring Application Context

2004-09-29 Thread Ben Alex
Guy Tuberson wrote:
Hi,
Please bear with me; I'm new to Hibernate, Spring and Acegi.
I'm using ACEGI to provide the Security framework for my Web Application and
I'm having some issues with my Junit tests.
I'm trying to load the Spring Application Context in a JUnit test and I'm
getting the following errors.
 

Hi Guy
You should be using TestingAuthenticationToken and have the following 
setup in your application context:

   <!-- This authentication provider accepts any presented TestingAuthenticationToken -->
   <bean id="testingAuthenticationProvider"
         class="net.sf.acegisecurity.providers.TestingAuthenticationProvider"/>

   <!-- The authentication manager that iterates through our only authentication provider -->
   <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
      <property name="providers">
         <list>
            <ref local="testingAuthenticationProvider"/>
         </list>
      </property>
   </bean>

Having said that, why are you trying to unit test a business object 
which even has Acegi Security wired in front of it? Typically unit tests 
should focus on only the business logic - not the integration with such 
things as security. So I'd recommend you review whether you are even 
loading Acegi Security beans in a test-related application context.

Of course, sometimes you just _need_ to test with security enabled. A good 
example is say your business object has code like this:

public Account getAccount(Long number) {
    Account account = accountDao.getAccount(number);
    // Check they have access
    Authentication authentication =
        ((SecureContext) ContextHolder.getContext()).getAuthentication();
    if (authentication.getPrincipal().equals("someUser")) {
        return account;
    } else {
        return account.removeSomeProperties();
    }
}

In this sort of situation, where your business logic _needs_ Acegi 
Security, you'd use the TestingAuthenticationProvider. Thus you can 
set up the Authentication object with whatever username and 
GrantedAuthority[]s your business logic wants to see. In the above 
example you'd run a TestingAuthenticationToken with "someUser" as the 
principal, probably null as the principal, and probably "notSomeUser" as 
the principal.

HTH
Ben
PS: The forums at springframework.org are the best place for user 
questions, as it helps develop a long-term searchable archive for new users.




[Acegisecurity-developer] AspectJ support now in CVS

2004-10-18 Thread Ben Alex
Hi everyone
I've just committed experimental AspectJ support to CVS HEAD, which is 
documented in the reference guide. The key benefit is domain object 
instances can be created outside the bean container and still receive 
full security interception.

Refactoring of the AOP Alliance (MethodSecurityInterceptor) and the 
ObjectDefinitionSource has also been completed to make it easier to 
support additional AOP libraries like AspectWerkz in the future (is 
there demand for AspectWerkz at present?).

On a rich domain object related note, I've written an AspectJ aspect 
to autowire domain objects with collaborators from a Spring bean 
context. Whilst nothing too exciting, it does the same thing as the 
DependencyInjectionInterceptorFactoryBean discussed at 
http://forum.springframework.org/viewtopic.php?t=301, except it doesn't 
require a Hibernate interceptor (meaning even new SomeDomainObject(); 
instances are wired). In case anyone is interested, the code follows.

Any feedback etc welcome.
Cheers
Ben
---
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.BeanFactoryAware;
import org.springframework.beans.factory.config.AutowireCapableBeanFactory;

public aspect DomainObjectInstanceDependencyInjectionAspect implements BeanFactoryAware {

    private AutowireCapableBeanFactory acbf;
    private int autowireMode = AutowireCapableBeanFactory.AUTOWIRE_BY_TYPE;

    public int getAutowireMode() {
        return autowireMode;
    }

    public void setAutowireMode(int autowireMode) {
        if (autowireMode != AutowireCapableBeanFactory.AUTOWIRE_BY_NAME
                && autowireMode != AutowireCapableBeanFactory.AUTOWIRE_BY_TYPE)
            throw new IllegalArgumentException("Can only AUTOWIRE_BY_NAME or AUTOWIRE_BY_TYPE");

        this.autowireMode = autowireMode;
    }

    // Called by the container when the aspect is configured as a bean; the
    // factory must be able to autowire arbitrary (non-bean) objects
    public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
        if (!(beanFactory instanceof AutowireCapableBeanFactory))
            throw new IllegalArgumentException("BeanFactory must implement AutowireCapableBeanFactory");

        acbf = (AutowireCapableBeanFactory) beanFactory;
    }

    // Matches construction of any PersistableEntity, including plain "new" calls
    pointcut domainObjectInstanceConstruction(Object doi): target(doi)
        && execution(PersistableEntity.new(..));

    // Wire collaborators from the bean context as the instance is constructed
    before(Object doi): domainObjectInstanceConstruction(doi) {
        if (acbf != null)
            acbf.autowireBeanProperties(doi, autowireMode, false);
    }
}




Re: [Acegisecurity-developer] Acegi + SSO + custom GrantedAuthority

2004-11-04 Thread Ben Alex
Amad Fida wrote:
Thanks Ben, so would you suggest the rich client security
package as a starting point? 

Amad
 

I tend to approach things based on the most risky part of the project 
first. That way you discover the constraints it will impose on the 
easier parts of the project, and can have more confidence in the 
schedule. With that in mind, it depends on what is most critical to your 
project and what you consider highest impact if it fails:

1. Remoting integration with Brightside (seems low risk to me, but if 
Brightside is 100% critical, probably start there)
2. Coding additional AuthenticationProviders for your extra SSO 
implementations
3. Ensuring your AccessDecisionVoters have access to GrantedAuthority 
implementations with the necessary data to make a decision
4. Ensuring any access control list (domain object instance) security 
has been properly designed and integrated into the object model
5. Ensuring your Spring Rich actions can be disabled etc based on 
GrantedAuthoritys

#1 isn't particularly difficult, and #2 should theoretically be pretty 
easy given there are other providers to use as a basis, so I'd be more 
inclined to look at the greater unknown areas in #3, #4 and #5. #5 in 
particular could be a lot of work as it has dependencies on Spring Rich 
architecture. #3 and #4 are pretty standard things, but as you're 
writing your domain and services layers you need to ensure they're 
security-friendly in terms of method names, method arguments, how to 
wire in the security interceptor etc.

Best regards
Ben



Re: [Acegisecurity-developer] The Maven Shuffle

2004-11-10 Thread Ben Alex
Ray Krueger wrote:
Are we done moving all the files around? Is it safe to commit?
 

Hi Ray
Yes, go for it. For the record (we'll put this in a readme when the 
Maven changes are absolutely finalised):

*** CONFIGURATION ***
- From the project root directory use maven multiproject:artifact to 
build all the core and adapter artifacts (JARs), and run the tests

- From the project root directory use maven multiproject:install to 
add the artifacts (JARs) to your 
%HOME%/.maven/repository/acegisecurity/jars directory so they're 
accessible to other Mavenised projects

- To use the Eclipse project, add a MAVEN_HOME variable by selecting 
Window, Preferences, Java, Build Path, Classpath Variables, 
New, Name: MAVEN_HOME, Path (use the Folder button): 
%HOME%/.maven/repository (replacing %HOME% with something like 
C:/Documents and Settings/your_user_name on a Windows box)

*** MAVEN MIGRATION STATUS ***
The core and adapters work well. Still outstanding is to remove the old 
JARs from the lib directory and complete modifying the Eclipse project 
to use MAVEN_HOME for all JARs instead of the project lib directory. 
Carlos is currently working on getting the samples Mavenised. The 
extractor directory still needs to be removed. The Hypersonic SQL 
directory still needs to be removed.

It's unclear what we'll do with the integration test directory, as it's 
important but a large Ant script. In addition, I'll be refactoring or 
replacing (haven't decided just yet) the sample in the next few days as 
part of some documentation I'm writing on Acegi Security.

Finally, the main Ant build needs refactoring to remove functionality 
replaced by the Maven build.

Carlos and I have been keeping most of the Maven change discussions 
off-list to save traffic, but given the bulk is now complete we'll move 
such discussions back on-list so people can keep informed of progress 
and provide feedback.

Best regards
Ben



[Acegisecurity-developer] New features now in CVS

2004-11-14 Thread Ben Alex
Hi everyone
I've just committed a (potentially very useful) new feature to Acegi 
Security. After secure object invocation allows you to throw an 
AccessDeniedException or modify the Object returned from your secure 
object invocation.

There's a new package, net.sf.acegisecurity.afterinvocation, which 
contains a couple of related providers. Both use AclManager and the 
integer bit masking provided by net.sf.acegisecurity.acl.basic. One of 
the providers throws an AccessDeniedException if the Authentication 
doesn't have an ACL permission for the returned Object (the required 
permission is defined in the application context). The other provider 
removes any item from a Collection if the Authentication doesn't have an 
ACL permission for that particular Collection element (again, the 
required permission is defined in the application context).

To help with before invocation ACL security, there's also a new 
AccessDecisionVoter called BasicAclEntryVoter. It votes to deny access 
if the Authentication doesn't have an ACL permission for a given method 
argument (the class type of the method argument, the permission required 
etc are application context defined).

The above isn't documented yet, but the Contacts sample application has 
been extensively refactored to use the above. Contacts are no longer 
owned by a single principal, but there is an ACL for each Contact. 
Permissions used include administer, delete and read. If the administer 
permission is held, the principal can modify the permissions list, 
adding or deleting ACL entries.

I'd be interested in what people think of these changes. In particular, 
please give Contacts a try and report any bugs to the list. To build it 
you'll need to CVS checkout, then from core do a maven jar:install, 
then from samples/contact do a maven war.

Best regards
Ben



Re: [Acegisecurity-developer] New features now in CVS

2004-11-15 Thread Ben Alex
Tim Kettering wrote:

Like say, if I made a method call to return all items in the database 
between dates A and B.  I would need to run the security check on the 
collection after the data load to ensure that only the allowed objects 
are loaded.


It sure can. The filtering takes place when a Collection is returned 
from a secured method. For example, in the Contacts sample we now have a 
ContactManager method: public List getAll(). This just returns all 
Contacts in the database. We then have the following defined against the 
MethodSecurityInterceptor:

sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ

ROLE_USER is a before invocation voter, as you'd know from the normal 
RoleVoter implementation.

AFTER_ACL_COLLECTION_READ calls the following after invocation voter:

   <bean id="afterAclCollectionRead"
         class="net.sf.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
      <property name="aclManager"><ref local="aclManager"/></property>
      <property name="requirePermission">
         <list>
            <value>1</value>  <!-- SimpleAclEntry.ADMINISTER -->
            <value>2</value>  <!-- SimpleAclEntry.READ -->
         </list>
      </property>
   </bean>

This filters the returned Collection so it only contains elements for 
which an ACL administer or read permission exists (BTW if someone 
has time to write something or show me a better way of defining an int[] 
using static variables, it would be great).

Best regards
Ben


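The ACL bit-mask check behind the "New features now in CVS" announcement and the Collection filtering shown in the reply above, as an added example that is not part of the thread and not Acegi Security code: a self-contained Java model of the integer permission mask from net.sf.acegisecurity.acl.basic, applied both as a before-invocation check on a method argument (the BasicAclEntryVoter style) and as an after-invocation filter over a returned Collection. ADMINISTER = 1 and READ = 2 follow the messages above; the Contact class, the in-memory ACL table, the principals and the WRITE mask value are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/*
 * Added example, not Acegi Security code: models the integer bit-mask
 * permission test, a before-invocation check on one argument and an
 * after-invocation filter over a Collection. ADMINISTER and READ follow the
 * thread; WRITE, Contact, the ACL table and the principals are assumptions.
 */
public class AclFilterDemo {
    static final int ADMINISTER = 1, READ = 2, WRITE = 4;   // WRITE is an assumed value

    // Equivalent of the requirePermission list: ANY listed permission suffices.
    static final int[] REQUIRE_ADMINISTER_OR_READ = { ADMINISTER, READ };

    static class Contact {
        final int id; final String name;
        Contact(int id, String name) { this.id = id; this.name = name; }
        public String toString() { return name; }
    }

    // Constructed ACL table: contact id -> (principal -> permission mask).
    static final Map<Integer, Map<String, Integer>> ACL = new HashMap<>();
    static {
        grant(1, "marissa", ADMINISTER | READ | WRITE);
        grant(2, "marissa", READ);
        grant(2, "dianne", WRITE);        // WRITE alone does not satisfy READ
        grant(3, "dianne", ADMINISTER);   // ADMINISTER is accepted in place of READ
        // contact 4 has no ACL entries at all
    }

    static void grant(int contactId, String principal, int mask) {
        ACL.computeIfAbsent(contactId, k -> new HashMap<>()).put(principal, mask);
    }

    // True when the principal's mask contains at least one required permission.
    static boolean hasAnyPermission(String principal, Contact c, int[] required) {
        Map<String, Integer> entries = ACL.get(c.id);
        if (entries == null) return false;      // no ACL for this object
        Integer mask = entries.get(principal);
        if (mask == null) return false;         // no entry for this principal
        for (int r : required) {
            if ((mask & r) == r) return true;
        }
        return false;
    }

    // Before-invocation style: the argument is checked and the whole call denied.
    static Contact getContact(String principal, Contact requested) {
        if (!hasAnyPermission(principal, requested, REQUIRE_ADMINISTER_OR_READ)) {
            throw new SecurityException("access denied to contact " + requested.id);
        }
        return requested;
    }

    // After-invocation style: the call succeeds and the returned list is trimmed.
    static List<Contact> getAll(String principal, List<Contact> allFromDao) {
        List<Contact> visible = new ArrayList<>();
        for (Contact c : allFromDao) {
            if (hasAnyPermission(principal, c, REQUIRE_ADMINISTER_OR_READ)) visible.add(c);
        }
        return visible;
    }

    public static void main(String[] args) {
        List<Contact> all = new ArrayList<>();
        all.add(new Contact(1, "Alice")); all.add(new Contact(2, "Bob"));
        all.add(new Contact(3, "Carol")); all.add(new Contact(4, "Dave"));

        System.out.println("marissa sees " + getAll("marissa", all));
        System.out.println("dianne sees " + getAll("dianne", all));
        try {
            getContact("dianne", all.get(1));   // Bob: dianne holds WRITE only
        } catch (SecurityException e) {
            System.out.println("before-invocation check: " + e.getMessage());
        }
    }
}
```

The filtered list for a principal contains only the objects for which that principal's mask includes ADMINISTER or READ; an object with no ACL at all, or with an entry that grants only some other permission, is silently dropped by the after-invocation path and rejected outright by the before-invocation path. Defining the required permissions as an int[] of named constants in Java, as here, sidesteps the question of how to express the same list from static fields in the XML configuration.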

[Acegisecurity-developer] Re: AbstractProcessingFilter

2004-11-16 Thread Ben Alex
Shishir K. Singh wrote:
Hi Ben,
Tried posting this on [EMAIL PROTECTED] 
but for some reason it's bouncing back. Therefore sending directly to you.

I have not tested it out, but my understanding after going through the 
contacts sample for CAS authorization is that when the authentication 
fails in CasProcessingFilter, the failure URL is /casfailed.jsp. 
What if the use case is to go to 
_https://localhost:8443/cas/login_ directly instead of /casfailed.jsp?

If there is no workaround to the above, I was wondering if it makes 
sense to check if failureUrl starts with http/https and if so, then 
just redirect to the failureUrl, else do as the existing code is 
doing, instead of always doing httpRequest.getContextPath() + 
failureUrl.

I think I am missing something here, not sure though.

The AbstractProcessingFilter.authenticationFailureUrl 
(CasProcessingFilter's superclass) will only be used if the ticket 
provided by the CAS server is invalid for some reason. Typically, the 
CasProxyTicketValidator delegates to CAS' 
ProxyTicketValidator.validate() method which returns false to 
proxyTicketValidator.isAuthenticationSuccessful(). Put differently, 
you'll only see /casfailed.jsp if there is something fundamentally wrong 
with the ticket. This will usually only happen if the user has attempted 
to do something invalid, like POSTing a false ticket to 
/j_acegi_cas_security_check. Normal user interaction takes place on the 
CAS server, and invalid passwords cause the re-display of the CAS server 
login page so they can try again.

HTH
Ben



Re: [Acegisecurity-developer] how to build with maven

2004-11-17 Thread Ben Alex
Patrick Burleson wrote:
Peng,
What sort of error did you receive? Can you send it along? Also, what
version of Maven do you have installed?
 

Hi Peng
This will probably work for you:
cd $ACEGISECURITY_ROOT (wherever that is on your system)
maven multiproject:install (this will put the JARs into your Maven local 
repository when they're built)
cd samples/contacts
maven war  (see the samples/contacts/target subdirectory for your 
acegi-security-sample-contacts-filter.war, which you can try out)

If this doesn't work, please send to the list any errors you've received 
and we'll be more than happy to help.

Best regards
Ben



Re: [Acegisecurity-developer] The Maven Shuffle

2004-11-17 Thread Ben Alex
Ray Krueger wrote:
Ok was just working on getting my stuff committed. I see the .java file
in the old location src/net and in core/src/main...
What do I do? heh
 

Hi Ray
I think you might need to do a CVS update again, as the old /src 
directory is completely gone these days. From my local build (no /src):

$ ls -l
total 146
drwxrwxrwx+   2 Administ None0 Jun 21 23:49 CVS
drwxrwxrwx+   8 Administ None 4096 Nov 10 09:27 adapters
-rwxrwxrwx1 Administ None  209 Mar 28  2004 ant.bat
-rwxrwxrwx1 Administ None  207 Jun 21 16:03 ant.sh
-rwxrwxrwx1 Administ None 3078 Aug  1 09:47 balex.keystore
-rwxrwxrwx1 Administ None  112 Nov 14 09:55 build.properties
-rwxrwxrwx1 Administ None20996 Aug 24 10:13 build.xml
-rwxrwxrwx1 Administ None 9777 Nov 16 00:04 changelog.txt
-rwxrwxrwx1 Administ None 1906 Oct 15 10:26 contributors.txt
drwxrwxrwx+   5 Administ None 4096 Nov 16 23:02 core
drwxrwxrwx+   2 Administ None0 Nov 13 07:53 dist
drwxrwxrwx+   5 Administ None 4096 Nov 15 11:33 doc
drwxrwxrwx+   4 Administ None 4096 Jun 21 23:49 extractor
drwxrwxrwx+   3 Administ None 4096 Nov 17 16:30 hsqldb
drwxrwxrwx+  10 Administ None 4096 Sep 25 12:39 integration-test
-rwxrwxrwx1 Administ None15734 Mar 23  2004 jalopy.xml
drwxrwxrwx+  20 Administ None 4096 Oct 18 07:47 lib
-rwxrwxrwx1 Administ None11558 Mar 23  2004 license.txt
-rwxrwxrwx1 Administ None 6344 Nov 15 11:32 maven.xml
-rwxrwxrwx1 Administ None 1411 Apr  2  2004 notice.txt
-rwxrwxrwx1 Administ None 3915 Nov 15 11:32 project.propertie
-rwxrwxrwx1 Administ None10218 Nov 17 00:39 project.xml
-rwxrwxrwx1 Administ None 4660 Sep 24 10:00 readme.txt
drwxrwxrwx+   6 Administ None 4096 Nov 14 09:38 samples
drwxrwxrwx+   4 Administ None0 Oct 30 10:48 sandbox
drwxrwxrwx+   9 Administ None0 Nov 16 11:58 target
drwxrwxrwx+   3 Administ None 4096 Oct 30 10:48 test
-rwxrwxrwx1 Administ None 2491 Apr  2  2004 upgrade-03-04.txt
-rwxrwxrwx1 Administ None 2780 Apr 27  2004 upgrade-04-05.txt
-rwxrwxrwx1 Administ None 3219 Aug  3 17:18 upgrade-05-06.txt
-rwxrwxrwx1 Administ None 2124 Oct 18 16:41 upgrade-06-07.txt
Best regards
ben



Re: [Acegisecurity-developer] approaches in security checking for fetching collections

2004-11-29 Thread Ben Alex
Tim Kettering wrote:

Hi all,
I've been working on incorporating acegi with our project, and with 
the useful addition of the after invocation stuff that ben added 
recently, this will help with methods that need to return a collection 
of objects, each of which need to be inspected for security access.

However, I'm curious how (if anyone) has approached doing something 
like this.

public List getListOfItems(int firstResult, int size) {
...
}
The issue I see here is that if I request a list that is 10 items, 
starting at row one, the method will fetch items 1-10 from the 
database, then in post invocation, potentially some, or all will be 
knocked out by the security framework. So the end result would be 
possibly ten or more likely less than 10 items. And a programmer using 
the above method would not receive what he/she had been expecting.

So I see a few possible workarounds.. like fetching the next 
consecutive resultset if some items are knocked out of the original 
result, and repeating it until we have the desired size - maybe to 
make things more efficient, to always fetch a slightly larger set, 
like 150% more (just a number I picked off my head), so that way a 
successive fetch would be less likely, or what.

I thought I'd query the list for any ideas/suggestions before I went 
ahead with this.

-tim 

Hi Tim
There's no real way of doing this in Acegi Security. You'll need to use 
one of the workarounds you mentioned, the main question being where to 
put that successive fetching logic. It would ideally belong in the 
services layer, as the same transparency would be required by multiple 
client types.

I don't think you'll be able to return a standard List, as you need some 
tracking of what is the real ending result number, so it can be used 
for the next request's firstResult parameter. We use a PaginatedList for 
paginated lists, which implements List, so you'll have no difficulty 
with using the BasicAclEntryAfterInvocationCollectionFilteringProvider.

Recall the signature of an AfterInvocationProvider includes:
public Object decide(Authentication authentication, Object object, 
ConfigAttributeDefinition config, Object returnedObject);

As such, you have access (via the object argument) to the invocation 
that caused the provider to be called. So a possible alternative might 
be to write a new AfterInvocationProvider along the lines of 
BasicAclEntryAfterInvocationCollectionFilteringProvider, but this time 
it will call the MethodInvocation multiple times to obtain the 
collection size returned by the original invocation. Off hand I can't 
think of any problems with this (you can do a 
((MethodInvocation)object).getMethod()), although you might run into 
some issue. This would be the ideal approach, as it's putting the 
successive fetching logic with the logic that filters the results in the 
first place.

Best regards
Ben



Re: [Acegisecurity-developer] Work to Propagate Security Context across Remote Hessian calls?

2004-12-20 Thread Ben Alex
Seth Ladd wrote:
Hello,
Has anyone done any work to propagate the security context across 
remote hessian calls?  It seems very straight forward, and wanted to 
see if previous work had been done.

Thanks very much,
Seth
Hi Seth
No, it's not yet done.
I was hoping we could automate it so that at the time of invocation, the 
client proxy would be set with the ContextHolder-obtained username and 
password. Thus it adopts the same approach as now being used for 
HttpInvoker and RMI-based invocation. This makes it more useful for 
run-as replacement as well as generally more user-friendly.

If you'd like to contribute something, I'd be pleased to add it.
Best regards
Ben



Re: [Acegisecurity-developer] ACL Assistance and Questions

2004-12-23 Thread Ben Alex
Matthew E.Porter wrote:
Greetings.  I am looking for some guidance on the ACL system and how 
to integrate it into our application.  Furthermore, I plan to get the 
second article out for Javalobby within the next week or two.  Any 
help is appreciated.

In our application, we define domains (i.e. companies).  Objects of 
different types belong to each domain.  For example, each domain has a 
set of servers assigned to it.  In addition, there is a set of users 
assigned to the domain.  For example, the Contegix domain contains 
Server1, Server2, and Server17.  Each domain has one or more 
administrators which should have unrestricted access to any object 
tied to the domain.  Furthermore, domains can be nested.

As I am trying to get my head wrapped around the ACL system in Acegi, 
I am having difficulties finding the best way to apply permissions and 
restrictions.

Cheers,
  Matthew
Hi Matthew
As per our Skype session (for the benefit of the list archives):
The most important thing is to ensure your real domain object model 
has a map generated in acl_object_identity, so the ACL services know 
about the relationships. The most convenient way to build and maintain 
this map is via your services layer methods (eg 
DomainManager.create(Domain)) calling a BasicAclExtendedDao 
implementation. The included implementation, JdbcExtendedDaoImpl, will 
probably do the trick. Your services layer create and delete methods 
just call the corresponding BasicAclExtendedDao methods as your domain 
object instances are created and deleted.

With your particular object model, you'd be best off having a single 
users database. Thus you can use LDAP or CAS etc in the future. Users 
therefore sign up with the service provider and get added to the 
single users database. You'd create a root top level 
acl_object_identity, which you assign the service provider's 
administrative users against. Every Domain then uses either that top 
level root as its parent, or another Domain. Thus your service 
provider administrative users have proper, default access to every 
Domain. Servers use a Domain as their parent (only so far as the 
acl_object_identity is concerned - your actual domain object model and 
its ORM mapping is a matter of your choice).

You can then write a separate acl administration use case which deals 
with giving customers (from your single users database) access to the 
appropriate acl_object_identity. Again, a BasicAclExtendedDao 
implementation is your friend and will automate interaction with the 
backend ACL database.

Hope this helps.
Ben


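The acl_object_identity hierarchy sketched in the reply above (a root identity for the service provider, Domains under the root or under another Domain, Servers under a Domain), modelled in memory as an added example. This is not Acegi Security code and does not use its BasicAclExtendedDao or AclManager classes; the identity strings, recipients, bit masks and the "a grant on an ancestor is inherited by every descendant" rule are constructed for the example.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Acegi Security code). An in-memory model of the
 * acl_object_identity hierarchy sketched above: one root identity for the
 * service provider, Domain identities whose parent is the root or another
 * Domain, and Server identities whose parent is a Domain. A permission
 * granted to a recipient on an identity is inherited by every descendant,
 * which is what gives provider administrators default access to everything.
 * Identity strings, recipients and bit masks are constructed for the example.
 */
public final class AclHierarchyExample {

    public static final int READ = 1;
    public static final int WRITE = 2;
    public static final int ADMIN = 4;

    /** One acl_object_identity row: its identity string, optional parent, and its ACL entries. */
    public static final class ObjectIdentity {
        final String identity;
        final ObjectIdentity parent;
        final Map<String, Integer> entries = new HashMap<String, Integer>(); // recipient -> mask

        ObjectIdentity(String identity, ObjectIdentity parent) {
            this.identity = identity;
            this.parent = parent;
        }
    }

    private final Map<String, ObjectIdentity> identities = new LinkedHashMap<String, ObjectIdentity>();

    /** Services-layer create() methods call this as domain objects are created. */
    public void create(String identity, String parentIdentity) {
        if (identities.containsKey(identity)) {
            throw new IllegalArgumentException("duplicate identity: " + identity);
        }
        ObjectIdentity parent = null;
        if (parentIdentity != null) {
            parent = identities.get(parentIdentity);
            if (parent == null) {
                throw new IllegalArgumentException("unknown parent: " + parentIdentity);
            }
        }
        identities.put(identity, new ObjectIdentity(identity, parent));
    }

    /** Services-layer delete() methods call this; children are never orphaned. */
    public void delete(String identity) {
        for (ObjectIdentity oi : identities.values()) {
            if (oi.parent != null && oi.parent.identity.equals(identity)) {
                throw new IllegalStateException(identity + " still has child " + oi.identity);
            }
        }
        identities.remove(identity);
    }

    /** The separate ACL administration use case: give a recipient a mask on one identity. */
    public void grant(String identity, String recipient, int mask) {
        ObjectIdentity oi = identities.get(identity);
        if (oi == null) {
            throw new IllegalArgumentException("unknown identity: " + identity);
        }
        Integer existing = oi.entries.get(recipient);
        oi.entries.put(recipient, Integer.valueOf(existing == null ? mask : existing.intValue() | mask));
    }

    /** Effective mask: entries on the identity itself plus everything inherited up the parent chain. */
    public int effectiveMask(String identity, String recipient) {
        int mask = 0;
        for (ObjectIdentity oi = identities.get(identity); oi != null; oi = oi.parent) {
            Integer m = oi.entries.get(recipient);
            if (m != null) {
                mask |= m.intValue();
            }
        }
        return mask;
    }

    public boolean isGranted(String identity, String recipient, int required) {
        return (effectiveMask(identity, recipient) & required) == required;
    }

    public static void main(String[] args) {
        AclHierarchyExample acl = new AclHierarchyExample();
        acl.create("root", null);
        acl.create("Domain:Contegix", "root");
        acl.create("Domain:Contegix/Sub", "Domain:Contegix");
        acl.create("Server:Server17", "Domain:Contegix/Sub");

        acl.grant("root", "provider-admin", READ | WRITE | ADMIN);
        acl.grant("Domain:Contegix", "customer-admin", READ | WRITE);

        System.out.println(acl.isGranted("Server:Server17", "provider-admin", ADMIN)); // via root
        System.out.println(acl.isGranted("Server:Server17", "customer-admin", WRITE)); // via Domain
        System.out.println(acl.isGranted("Server:Server17", "customer-admin", ADMIN)); // never granted
    }
}
```

The parent pointers exist only in the ACL map; as the reply says, the application's own domain model and ORM mapping can be shaped independently, which is why create() and delete() take identity strings rather than domain objects.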

[Acegisecurity-developer] Preparing for 0.7.0

2004-12-23 Thread Ben Alex
Hi everyone
I am happy to report that Ant has now been officially removed from CVS 
(along with /lib/*.jar). The Maven build is now performing well, and the 
web site at http://acegisecurity.sourceforge.net has been expanded to 
include Maven-specific instructions. The only outstanding issue is the 
reference guide (when exported to PDF) doesn't look quite right. Carlos 
is working on that one...

Now that our build system is production-ready, we should release 0.7.0. 
There are lots of new features and fixes in CVS that I think users would 
like. If you happen to get any free time over the next few days, please 
feel free to try out the latest CVS with your projects. I am 
particularly keen to ensure the Maven instructions are correct, and the 
0.7.0 refactorings haven't adversely affected backward compatibility. 
There is an 0.6 to 0.7.0 upgrade document on the web site, and unit test 
coverage is at 95%+. If you have any suggestions or issues, please email 
the list.

And, finally...:
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;

public class ItsThatTimeOfYear implements InitializingBean, 
ApplicationContextAware {
 private ApplicationContext context;

 public void setApplicationContext(ApplicationContext applicationContext) {
   this.context = applicationContext;
 }
 public void afterPropertiesSet() throws Exception {
   // MerryChristmas is assumed to be an ApplicationEvent subclass
   this.context.publishEvent(new MerryChristmas());
 }
}
Cheers
Ben



Re: [Acegisecurity-developer] Preparing for 0.7.0

2004-12-25 Thread Ben Alex
Please checkout again from CVS. The reported problem has been fixed. 
Ray, you were right: it was related to Maven group names. 
acegisecurity is the correct group name for all artifacts.

Best regards
Ben



Re: [Acegisecurity-developer] Preparing for 0.7.0

2004-12-29 Thread Ben Alex
Aaron Tang wrote:
Figure 4: After Invocation Implementation  in section 1.8.1 should be
Figure 5 and others in turn :)
 


Thanks Aaron, I've fixed this and made other documentation updates.
Ben


Re: [Acegisecurity-developer] MSc Thesis on middle tier security

2004-12-30 Thread Ben Alex
Vladimir Horev wrote:
Hello list!
I'm planning to write a MSc thesis on the subject of business tier 
security. My idea was to take part of some open source project (acegi) 
and develop some component that I could use in my thesis. Could you 
recommend me something on that?

regards, Vladimir
Hi Vladimir
What exactly would you like to write? A sample application, an 
extension, something else?

There's no shortage of extensions you could write to the security 
framework if that was your interest. Did you have a particular area you 
wanted to focus on? I sent an email to the list yesterday with some 
simple features we'd like to add, but there are also some more complex 
areas you might like to consider such as adding additional single sign-on 
systems, enabling client certificate authentication, and digitally 
signing change reports (in a browser window) etc.

Best regards
Ben



Re: [Acegisecurity-developer] Roadmap towards Aceg Security official 1.0.0 release

2004-12-30 Thread Ben Alex
Sergio Berna wrote:
I have added ExpirationDetails as a separate interface to keep backwards
compatibility with existing code that implements UserDetails.
 

Hi Sergio
Good to see backward compatibility is a priority, particularly in such a 
sensitive (ie commonly-deployed and extended) area as 
DaoAuthenticationProvider and UserDetails.

I am just wondering whether it would be simpler, though, to modify the 
UserDetails interface so it contains the isAccountExpired() and 
isCredentialsExpired() methods? Then the existing constructor of the 
User implementation - which is what most people use - could set the 
properties to false. There would also be an additional constructor which 
AuthenticationDaos could use if they had access to the additional 
properties. We should probably also deprecate the existing constructor, 
to prompt people to consider the change (and move the decision to set 
the properties to a false default into their AuthenticationDao 
construction of User).

For the small minority of people who have chosen NOT to extend User 
(which goes against our recommendations, but there are legitimate 
scenarios such as having a domain object that already represents the 
user), I don't think adding two methods to their implementation is going 
to cause much concern - especially as they can simply return false.

This alternative would still provide 95% of users with full backwards 
compatibility, but avoid an extra interface. As the project also 
provides basic implementations of each interface, it also avoids us 
needing to write a UserExpirationDetails (for example). It is also 
cleaner to avoid these extra classes given that people often cast the 
contents of 
((SecureContext)ContextHolder.getContext()).getAuthentication().getPrincipal(). 
It also makes these new properties and exceptions non-optional concepts 
in the overall framework, which means we will modify the included 
AuthenticationDaos (eg in-memory and JDBC), as well as the exception 
resolvers, to accommodate them.

One other thing is the method names. I think it would be better to keep 
true being consistently returned as the affirmative/positive 
indication from each isX() method on UserDetails (there is already 
UserDetails.isEnabled()). So perhaps rename the methods to 
isCredentialsNonExpired() and isAccountNonExpired(), or something similar.

Best regards
Ben



Re: [Acegisecurity-developer] MSc Thesis on middle tier security

2004-12-31 Thread Ben Alex
Sergio Berna wrote:
Andy,
I agree that filtering the method response is a fascinating area. The only
problem I have always found on filtering a method response is that it
doesn't scale properly when performance is an issue. I'm particularly
thinking on Collections here, where the full collection check for
permissions would degrade performance on big enough collections.
Maybe providing intelligent collections and Iterators that perform the
security check when accessed could be a wiser approach for that area (like
hibernate for lazy load modification). That would imply that a response
from a method would be a proxy on the original object that enforces all
the security restrictions specified.
 

A generated object wrapper for collections and POJOs that enforces 
security would be an interesting extension. The necessary hook to add 
the wrapper is already provided via the AfterInvocationManager. An 
alternative approach would be to use AspectWerkz, rather than something 
like CGLIB. The nice thing about AspectWerkz is a suitable 
AbstractSecurityInterceptor subclass could also be written that enforces 
security on domain object instances.

In terms of performance, I would never advocate running the existing 
ACL-based AfterInvocationProviders against large Collections, because 
not only is there a performance issue at a JVM level to iterate every 
Collection element, but far more importantly there is the JDBC cost of 
obtaining the AclEntry[]s from the AclManager. Whilst they do get 
cached, the AclEntry[]s obviously need to come from the database at some 
point.

This Collection size issue reminds me of someone who was looking for a 
solution to paginating their Collection results, where the 
AfterInvocationManager may remove elements. They wanted to ensure the 
page size was always honoured, even if certain elements were removed due 
to security. A solution I think was suggested was to retrieve more 
elements than needed, knowing the AfterInvocationManager would likely 
remove some of them. I think an alternative was to use a utility class 
on the client-side, to recall the relevant method repeatedly until the 
required Collection size is received. A more elegant approach to this 
problem might be considered in any improvements to the existing 
AfterInvocationProviders, or any new implementations thereof.

Ben

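The "fetch again until the page is full" logic discussed in the pagination thread of 2004-11-29 and recalled in the reply above, as an added example. It is not Acegi Security code: Fetcher stands in for a paginated service method such as getListOfItems(firstResult, size), PermissionCheck stands in for the per-element ACL check an after-invocation provider performs, and the Page result is this example's answer to the "real ending result number" the earlier reply says a plain List cannot carry.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not Acegi Security code). Keeps fetching raw pages until the
 * requested number of permitted items is collected, tracking the raw row
 * position so the caller can pass it as the next firstResult. Fetcher and
 * PermissionCheck are assumptions of this example, not Acegi interfaces.
 */
public final class SecuredPager<T> {

    public interface Fetcher<T> {
        /** Returns up to size rows starting at row firstResult; empty when exhausted. */
        List<T> fetch(int firstResult, int size);
    }

    public interface PermissionCheck<T> {
        boolean isGranted(T item);
    }

    /** A page of permitted items plus the raw row index where the next page starts. */
    public static final class Page<T> {
        public final List<T> items;
        public final int nextFirstResult;
        public final boolean exhausted;

        Page(List<T> items, int nextFirstResult, boolean exhausted) {
            this.items = Collections.unmodifiableList(items);
            this.nextFirstResult = nextFirstResult;
            this.exhausted = exhausted;
        }
    }

    private final Fetcher<T> fetcher;
    private final PermissionCheck<T> check;
    private final int overFetchPercent;

    /** overFetchPercent: how much larger than size each raw fetch is (50 means 150% of size). */
    public SecuredPager(Fetcher<T> fetcher, PermissionCheck<T> check, int overFetchPercent) {
        this.fetcher = fetcher;
        this.check = check;
        this.overFetchPercent = Math.max(0, overFetchPercent);
    }

    public Page<T> page(int firstResult, int size) {
        if (size <= 0) {
            throw new IllegalArgumentException("size must be positive");
        }
        List<T> granted = new ArrayList<T>(size);
        int cursor = firstResult; // raw rows consumed so far, including filtered ones
        int batch = Math.max(1, size + size * overFetchPercent / 100);

        while (true) {
            List<T> raw = fetcher.fetch(cursor, batch);
            if (raw.isEmpty()) {
                return new Page<T>(granted, cursor, true); // short page: data exhausted
            }
            for (T item : raw) {
                cursor++;
                if (check.isGranted(item)) {
                    granted.add(item);
                    if (granted.size() == size) {
                        return new Page<T>(granted, cursor, false);
                    }
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed data: rows 0..24, of which only the even rows are visible to the caller.
        final List<Integer> rows = new ArrayList<Integer>();
        for (int i = 0; i < 25; i++) {
            rows.add(Integer.valueOf(i));
        }
        Fetcher<Integer> fetcher = new Fetcher<Integer>() {
            public List<Integer> fetch(int firstResult, int size) {
                int from = Math.min(firstResult, rows.size());
                int to = Math.min(from + size, rows.size());
                return new ArrayList<Integer>(rows.subList(from, to));
            }
        };
        PermissionCheck<Integer> evenOnly = new PermissionCheck<Integer>() {
            public boolean isGranted(Integer item) {
                return item.intValue() % 2 == 0;
            }
        };
        SecuredPager<Integer> pager = new SecuredPager<Integer>(fetcher, evenOnly, 50);
        Page<Integer> first = pager.page(0, 5);
        System.out.println(first.items + " next=" + first.nextFirstResult);
        Page<Integer> second = pager.page(first.nextFirstResult, 5);
        System.out.println(second.items + " next=" + second.nextFirstResult);
    }
}
```

Each extra round trip costs a database query and, in the ACL case, the AclEntry[] lookups the reply warns about, so the over-fetch percentage is the knob that trades wasted rows against repeated calls; the cursor is advanced per raw row, never per permitted row, otherwise filtered rows would be re-read on the next page.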

Re: [Acegisecurity-developer] Re: [Springframework-developer] Roadmap towards Aceg Security official 1.0.0 release

2004-12-31 Thread Ben Alex
Matt Raible wrote:
Using container-managed authentication usually only requires a handful 
of lines in web.xml and a few more in a server-specific deployment 
descriptor.  This makes me wonder if there's a simpler way to 
configure Acegi (consolidating filters?).  Or maybe defaults can be 
set in an XML file in the JAR and then overridden if/when necessary?  
Ordering of filters seems to be a common problem - it'd be great to 
somehow make this issue go away by consolidating to one or two filters.


A single filter that wraps the actual filters is a good idea. I've added 
it to my TODO list.

One good approach to minimising XML configuration complexity in Acegi 
Security is linked to from 
http://acegisecurity.sourceforge.net/articles.html.

Ben


Re: [Acegisecurity-developer] Roadmap towards Aceg Security official 1.0.0 release

2005-01-02 Thread Ben Alex
Ben Alex wrote:
For the small minority of people who have chosen NOT to extend User 
(which goes against our recommendations, but there are legitimate 
scenarios such as having a domain object that already represents the 
user), I don't think adding two methods to their implementation is 
going to cause much concern - especially as they can simply return false.

I have just written the two additional exceptions, events, 
DaoAuthenticationProvider integration and 
PasswordDaoAuthenticationProvider integration. I deprecated the old User 
constructor. It's now all in CVS HEAD.

Best regards
Ben


Re: [Acegisecurity-developer] Re: [Springframework-user] Acegi Security - new release 0.7.0

2005-01-21 Thread Ben Alex
Ricardo Marin Matinata wrote:
Hi,
I (think) you are right about the use of AutoIntegrationFilter.
Oops, sorry for the oversight. I've just updated CVS, which Monkey 
Machine uses for an automatic daily build and publish to SF.

Best regards
Ben



Re: [Acegisecurity-developer] Reducing the number of filters needed in web.xml

2005-01-23 Thread Ben Alex
bryan ( [EMAIL PROTECTED]) wrote:
<bean id="filterChain" class="net.sf.acegisecurity.FilterChain">
  <property name="filters">
    <value>
      channelProcessingFilter=/*
      authenticationProcessingFilter=/*
      basicProcessingFilter=/*
      sessionIntegrationFilter=/*
      securityEnforcementFilter=/*
    </value>
  </property>
</bean>
 


+1, especially using the syntax shown above as it's nice and intuitive.



Re: [Acegisecurity-developer] Acegi jars at ibiblio

2005-01-23 Thread Ben Alex
Carlos Sanchez wrote:
Hi,
I've uploaded all acegi artifacts at 
http://acegisecurity.sourceforge.net/maven/acegisecurity/ (jars, poms and 
licenses) to ibiblio.
Now they're available http://www.ibiblio.org/maven/acegisecurity
 

Carlos, just re the licenses, I'm not sure of what's normal but I think 
we should have the notice.txt file in the licenses directory as well, 
given it's referred to by the license.txt file. I coded some postGoals 
to add it to the JARs themselves, but given there's a licenses directory 
we probably should populate it accordingly.

Thanks
Ben



Re: [Acegisecurity-developer] Reducing the number of filters needed in web.xml

2005-01-24 Thread Ben Alex
Ray Krueger wrote:
I like the idea as well, my only question is (and I've been wondering
this for a while), why do we target the class and not the bean name?
<init-param>
  <param-name>targetClass</param-name>
  <param-value>net.sf.acegisecurity.FilterChain</param-value>
</init-param>
Instead of...
<init-param>
  <param-name>targetBean</param-name>
  <param-value>filterChain</param-value>
</init-param>
 


There's no strong reason Ray. It's just most webapps will only have one 
instance of each class, so using class is a way of delivering better 
documentation of what the filter is actually doing. This particularly 
helps with support.

Ben


Re: [Acegisecurity-developer] Reducing the number of filters needed in web.xml

2005-01-26 Thread Ben Alex
Carlos Sanchez wrote:
About the syntax, I looked at map, that would suit here, but Spring 
application context doesn't allow beans as keys, maybe a lack of 
functionality?
 


Just use a custom PropertyEditor that works at a String level. The 
PropertyEditor would identify name/value pairs, and create its own 
internal Map. The name part of the pair would be a filter bean name that 
could be looked up from the application context (sure, you lose XML 
validation of the beans being present, but it's tolerable compared with 
a more verbose and confusing syntax). The value part of the pair would 
be the filter mapping. The filter mapping syntax is one to consider. 
Most people seem to prefer Ant Paths, so this might be a more suitable 
default (perhaps the only option?) than regular expressions. Remember 
this new class will need to make the decision as to which filters to 
delegate to. Also, I'd vote for it going into net.sf.acegisecurity.util, 
where FilterToBeanProxy is located. What is the consensus?

Cheers
Ben

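The String-level "beanName=path" syntax the reply above describes, parsed into an ordered map and matched against request URIs, as an added example. This is not Acegi Security's FilterChain or PropertyEditor code: the Ant-path matcher is a minimal one written here, and looking bean names up in the application context is left out.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Acegi Security code). Parses "beanName=antPath" lines
 * into an ordered list of entries and decides which filters apply to a URI.
 */
public final class FilterChainMapParser {

    public static final class Entry {
        public final String beanName;
        public final String antPath;
        private final Pattern regex;

        Entry(String beanName, String antPath) {
            this.beanName = beanName;
            this.antPath = antPath;
            this.regex = antToRegex(antPath);
        }

        public boolean matches(String uri) {
            return regex.matcher(uri).matches();
        }
    }

    /** One "name=path" per line; blank lines and '#' comments ignored; declaration order kept. */
    public static List<Entry> parse(String text) {
        List<Entry> entries = new ArrayList<Entry>();
        Set<String> seen = new HashSet<String>();
        for (String rawLine : text.split("\\r?\\n")) {
            String line = rawLine.trim();
            if (line.length() == 0 || line.startsWith("#")) {
                continue;
            }
            int eq = line.indexOf('=');
            if (eq <= 0 || eq == line.length() - 1) {
                throw new IllegalArgumentException("expected beanName=path, got: " + line);
            }
            String name = line.substring(0, eq).trim();
            String path = line.substring(eq + 1).trim();
            if (!seen.add(name)) {
                throw new IllegalArgumentException("filter listed twice: " + name);
            }
            entries.add(new Entry(name, path));
        }
        return entries;
    }

    /** Bean names of the filters to delegate to for this URI, in declaration order. */
    public static List<String> filtersFor(List<Entry> entries, String uri) {
        List<String> names = new ArrayList<String>();
        for (Entry e : entries) {
            if (e.matches(uri)) {
                names.add(e.beanName);
            }
        }
        return names;
    }

    /** Minimal Ant-style pattern: "**" spans directories, "*" one segment, "?" one character. */
    static Pattern antToRegex(String ant) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*') {
                if (i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                    sb.append(".*");
                    i++;
                } else {
                    sb.append("[^/]*");
                }
            } else if (c == '?') {
                sb.append("[^/]");
            } else if ("\\.[]{}()+-^$|".indexOf(c) >= 0) {
                sb.append('\\').append(c);
            } else {
                sb.append(c);
            }
        }
        return Pattern.compile(sb.append('$').toString());
    }

    public static void main(String[] args) {
        // Constructed configuration in the proposed syntax.
        String config = "channelProcessingFilter=/**\n"
                + "authenticationProcessingFilter=/j_acegi_security_check\n"
                + "basicProcessingFilter=/ws/**\n"
                + "sessionIntegrationFilter=/**\n"
                + "securityEnforcementFilter=/**\n";
        List<Entry> entries = parse(config);
        System.out.println(filtersFor(entries, "/ws/contacts/list"));
        System.out.println(filtersFor(entries, "/secure/index.jsp"));
    }
}
```

Under Ant semantics "/*" matches only one path segment, so the catch-all pattern for "apply to every request" is "/**"; declaration order is preserved on purpose, since the whole point of the class is that filter ordering stops being something each web.xml gets wrong.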

Re: [Acegisecurity-developer] method invocation not guarded when SecurityConfiguration forgotten

2005-01-27 Thread Ben Alex
Joost de Vries wrote:
Hi,
I'm using acegi to guard the security of our service layer pretty much
exactly like the BankManager sample. The annotations declare the
authorisations.
  /**
   * @@SecurityConfig(ROLE_SUPERVISOR)
   * @@SecurityConfig(RUN_AS_SERVER)
   */
  public void deleteSomething(int id);
If somebody forgets to annotate a method, though, it is accessible to
all. I want the reverse: access denied unless granted. How can I
change that?
 

Hi Joost
Don't forget you'll need to firstly ensure the MethodSecurityInterceptor 
is actually called for each invocation. You might need to write an 
advisor to do that, assuming you're not using AspectJSecurityInterceptor 
and achieving it that way.

In terms of once MethodSecurityInterceptor (or 
AspectJSecurityInterceptor) is invoked, they both delegate to 
AbstractSecurityInterceptor. Your best bet is therefore to write a 
replacement MethodDefinitionSource, that guarantees to always return a 
configuration attribute (never null). This is easy to wire in using the 
IoC container (set your securityInterceptor's objectDefinitionSource 
property). It can simply proxy the normal MethodDefinitionSource 
(MethodDefinitionMap or MethodDefinitionsAttributes), and if it returns 
null, that is replaced with a new 
SecurityConfig(UNDEFINED_PROGRAMMER_ERROR). If none of the 
AccessDecisionVoters support that attribute (which should be the case), 
AbstractAccessDecisionManager will return false to the access decision 
and cause a denial of access.

HTH
Ben

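The deny-by-default decorator the reply above outlines, as an added example: a wrapper around the normal definition source that never returns null, together with a voter that abstains on the sentinel attribute, so the decision falls through to denial. This is not Acegi Security code; MethodDefinitionSource, RoleVoter and decide() here are simplified stand-ins for the Acegi types named above, and the Service interface is constructed for the demonstration.

```java
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Acegi Security code). Simplified stand-ins for the
 * types named in the reply above, enough to show the proposed decorator:
 * every method gets a configuration attribute, and an attribute no voter
 * supports ends in denial.
 */
public final class DenyByDefaultExample {

    /** Stand-in for Acegi's MethodDefinitionSource: attributes for a method, or null if unconfigured. */
    public interface MethodDefinitionSource {
        Set<String> getAttributes(Method method);
    }

    /** Wraps the real source so that a missing configuration becomes an attribute nobody can satisfy. */
    public static final class DenyByDefaultMethodDefinitionSource implements MethodDefinitionSource {
        public static final String UNDEFINED_PROGRAMMER_ERROR = "UNDEFINED_PROGRAMMER_ERROR";
        private final MethodDefinitionSource delegate;

        public DenyByDefaultMethodDefinitionSource(MethodDefinitionSource delegate) {
            this.delegate = delegate;
        }

        public Set<String> getAttributes(Method method) {
            Set<String> attrs = delegate.getAttributes(method);
            if (attrs == null || attrs.isEmpty()) {
                return Collections.singleton(UNDEFINED_PROGRAMMER_ERROR);
            }
            return attrs;
        }
    }

    /** Stand-in for a role voter: understands ROLE_ attributes only and abstains on anything else. */
    public static final class RoleVoter {
        public boolean supports(String attribute) {
            return attribute.startsWith("ROLE_");
        }

        public boolean vote(Set<String> grantedAuthorities, String attribute) {
            return grantedAuthorities.contains(attribute);
        }
    }

    /** Stand-in for an affirmative decision manager: grant only if a supported attribute is voted for. */
    public static boolean decide(RoleVoter voter, Set<String> grantedAuthorities, Set<String> attrs) {
        for (String attr : attrs) {
            if (voter.supports(attr) && voter.vote(grantedAuthorities, attr)) {
                return true;
            }
        }
        return false; // nothing supported (the sentinel), or nothing granted: deny
    }

    /** Constructed service with one configured and one forgotten method. */
    public interface Service {
        void deleteSomething(int id);

        void forgottenMethod();
    }

    public static void main(String[] args) throws NoSuchMethodException {
        final Map<String, Set<String>> configured = new HashMap<String, Set<String>>();
        configured.put("deleteSomething", Collections.singleton("ROLE_SUPERVISOR"));
        MethodDefinitionSource annotations = new MethodDefinitionSource() {
            public Set<String> getAttributes(Method method) {
                return configured.get(method.getName()); // null when nobody annotated it
            }
        };
        MethodDefinitionSource source = new DenyByDefaultMethodDefinitionSource(annotations);

        Set<String> supervisor = new HashSet<String>();
        supervisor.add("ROLE_SUPERVISOR");
        RoleVoter voter = new RoleVoter();

        Method delete = Service.class.getMethod("deleteSomething", int.class);
        Method forgotten = Service.class.getMethod("forgottenMethod");
        System.out.println(decide(voter, supervisor, source.getAttributes(delete)));
        System.out.println(decide(voter, supervisor, source.getAttributes(forgotten)));
    }
}
```

The sentinel only works because no voter claims to support it; if a voter were ever written to grant on unknown attributes, the forgotten method would silently open up again, which is why the reply's "should be the case" deserves a unit test in a real project.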

Re: [Acegisecurity-developer] Proposed change to JaasAuthenticationCallbackHandler

2005-01-30 Thread Ben Alex
Ray Krueger wrote:
This is a concurrency issue. The quick fix is to wrap those two calls
in a synchronized block. The real fix is to drop the setAuthentication
method and modify the handle method to be handle(Callback,
Authentication).
As it is a contract change I wanted to check with the team first.
What do you guys think?
 

+1 on the real fix. Just please remember to update 
doc/xdocs/upgrade/upgrade-070-100.html and doc/xdoc/changes.xml.

Ben


Re: [Acegisecurity-developer] Where to find retroweaver-1.0fcs.jar?

2005-02-04 Thread Ben Alex
Seth Ladd wrote:
Hello,
I'm trying to build acegi with maven, and now it's time to find and 
download retroweaver-1.0fcs.jar.  Unfortunately, ibiblio doesn't have 
it, and only version 1.1 is available from sourceforge (or so it 
seems).  Google also doesn't know about it.

Does anyone have a tip on where to find the version 1.0fcs of the jar?
Thanks very much!
Seth
Try http://acegisecurity.sourceforge.net/maven, although it should 
automatically download if building Acegi Security.

Ben


Re: [Acegisecurity-developer] Adding getUserPrincipal to ContextHolderAwareRequestWrapper

2005-02-04 Thread Ben Alex
Seth Ladd wrote:
Hello,
I'd like to propose we add getUserPrincipal to 
ContextHolderAwareRequestWrapper.  We can return the Authentication, 
which itself is a Principal.

I just checked in something similar to CVS, with consistent handling of 
nulls and a unit test.

Best regards
Ben


Re: [Acegisecurity-developer] ACL and BeforeInvocationProvider ?

2005-02-05 Thread Ben Alex
jw wrote:
wouldn't it be nice to have a BeforeInvocation - security mechanism, for 
example to set some User-specific filter properties in a hibernate Query 
object, so only a specific set of domainobjects is fetched by the database

AfterInvocation can only filter-out objects after all are fetched by the 
database, right?
This seems not so efficient

 

Any reason you couldn't use the existing AccessDecisionManager approach 
to mutate the secure object invocation? The AccessDecisionVoter 
interface would probably do what you need:

   public int vote(Authentication authentication, Object object, 
ConfigAttributeDefinition config);

Cheers
Ben
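One way to use the AccessDecisionVoter contract for the before-invocation filtering asked about, as an added illustration (not Acegi's own code). The OwnedQuery type, the SCOPE_TO_OWNER attribute and the class name are invented; it assumes the voter interface has both supports(ConfigAttribute) and supports(Class), and that the principal is either a username String or a UserDetails.

```java
import java.util.Iterator;

import org.aopalliance.intercept.MethodInvocation;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.vote.AccessDecisionVoter;

/** Hypothetical query object passed as the first argument of a secured DAO method. */
class OwnedQuery {
    private String ownerFilter;
    public String getOwnerFilter() { return ownerFilter; }
    public void setOwnerFilter(String ownerFilter) { this.ownerFilter = ownerFilter; }
}

/** Pins the query's owner filter to the caller before the DAO executes it. */
public class OwnerScopingVoter implements AccessDecisionVoter {

    public static final String ATTRIBUTE = "SCOPE_TO_OWNER";

    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (!supports((ConfigAttribute) it.next())) {
                continue;
            }
            Object[] args = ((MethodInvocation) object).getArguments();
            if (args.length == 0 || !(args[0] instanceof OwnedQuery)) {
                return ACCESS_DENIED; // attribute present but nothing to scope: fail closed
            }
            // Overwrite whatever the caller put in the filter so the database only ever
            // returns this user's rows, instead of fetching everything and filtering after.
            ((OwnedQuery) args[0]).setOwnerFilter(usernameOf(authentication));
            return ACCESS_GRANTED;
        }
        return ACCESS_ABSTAIN; // not our attribute; leave the decision to other voters
    }

    private String usernameOf(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString();
    }
}
```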



[Acegisecurity-developer] Re: acegi filters and RequestDispatcher include

2005-02-10 Thread Ben Alex
Hi Sanjiv
We don't use OncePerRequestFilter as it subclasses GenericFilterBean, 
which unfortunately is designed for Filters that are wired by web.xml. 
The property setting this class performs I suspect would conflict with 
Acegi Security Filters, which are wired directly in the IoC container 
and proxied using FilterToBeanProxy.

I have just added once per request checking to 
FilterSecurityInterceptor. We already perform once per request checking 
for other filters as well. It is very easy to do directly, without 
needing to subclass OncePerRequestFilter. Hope this sorts out your 
performance issue.

I'll cc: the developers list so there is some record of why this change 
was made.

Best regards
Ben
-
Sanjiv Jivan wrote:
Ben,
I'm emailing you directly because I'd like to attach screenshots and
the Spring forum doesn't support uploading files. Will update relevant
thread on forum too.
I ran into an issue where the response time of any page of the
same web app would be less than a couple of seconds under Tomcat 4.x
while under Weblogic 8.1 it would take over a minute. I tried
examining the logs etc but had to use a profiler to get to the root of
the issue. Please find attached profile screenshots of the same page
request under Weblogic and Tomcat.
Contrary to what is mentioned in the thread
http://forum.springframework.org/viewtopic.php?t=1524, Weblogic
executes servlet filters when a RequestDispatcher.include call is
made. Tomcat does not have this behavior.
If you examine the Weblogic screenshot closely, you'll see all kinds
of redundant calls being made, primarily triggered due to the fact that
Sitemesh is in the mix, which goes on to call Acegi, which in turn
goes on to call Sitemesh.
See 
net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor#proceedWithObject
in call stack.
    public Object proceedWithObject(Object object) throws Throwable {
        FilterInvocation fi = (FilterInvocation) object;
        fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        return null;
    }
Clearly such response times are unacceptable. While it certainly seems
to be a Weblogic issue, I was wondering if there is any reason the
Acegi filters do not extend
org.springframework.web.filter.OncePerRequestFilter. This would
certainly help reduce the number of times the Acegi filters are
executed and cut down the execution time.
Let me know your thoughts.
Thanks,
Sanjiv
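The once-per-request check done directly in a filter, as Ben says Acegi does it, written as an added illustration (not Acegi's FilterSecurityInterceptor). The class and attribute names are invented; it assumes the 0.7-era ContextHolder/SecureContext API and that AuthenticationCredentialsNotFoundException is unchecked.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import net.sf.acegisecurity.AuthenticationCredentialsNotFoundException;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;

/**
 * Makes its security decision exactly once per request, even when the container
 * re-runs the filter chain for RequestDispatcher.include (WebLogic does, Tomcat 4 does not).
 */
public class OncePerRequestSecurityFilter implements Filter {

    /** Request attribute marking that this filter already ran for the current request. */
    static final String FILTER_APPLIED = OncePerRequestSecurityFilter.class.getName() + ".APPLIED";

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
        if (request.getAttribute(FILTER_APPLIED) != null) {
            // Re-entered from inside an include: the decision for this request was
            // already made further up the call stack, so only continue the chain.
            chain.doFilter(request, response);
            return;
        }

        request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
        try {
            requireAuthentication();
            chain.doFilter(request, response);
        } finally {
            // Clear the marker so a pooled request object cannot carry an
            // "already checked" flag into an unrelated later request.
            request.removeAttribute(FILTER_APPLIED);
        }
    }

    /** The work that must happen once: reject requests with no Authentication on the ContextHolder. */
    private void requireAuthentication() {
        Object context = ContextHolder.getContext();
        if (!(context instanceof SecureContext)
            || ((SecureContext) context).getAuthentication() == null) {
            throw new AuthenticationCredentialsNotFoundException(
                "No Authentication object found in ContextHolder");
        }
    }
}
```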
 






---
SF email is sponsored by - The IT Product Guide
Read honest  candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595alloc_id=14396op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] Informative servlet responses and the AuthenticationEntryPoint

2005-02-12 Thread Ben Alex
Ray Krueger wrote:
I spoke with Ben off-list on IM. We'd like some more input on this
before I commit all the changes...
These are the two overall changes, copy and paste from my notes.
Added AuthenticationException to the commence method signature of the
AuthenticationEntryPoint. The best example of this
is the BasicProcessingFilterEntryPoint where the
authException.getMessage() is used to send back an informative 401,
instead of just the error code.
Added AccessDeniedException to the sendAccessDeniedError method
signature. The accessDeniedException.getMessage() result
is used to send an informative 403 error back to the servletResponse by default.
I've already made all the changes locally. Javadoc, tests, all the
usual suspects. All tests pass.
Pretty simple really.
-Ray
 

Just to elaborate, the goal of adding AuthenticationException and 
AccessDeniedException to AuthenticationEntryPoint.commence and 
SecurityEnforcementFilter.sendAccessDeniedError respectively is so that 
HTTP response codes (eg 403/forbidden and 401/unauthorized) can be 
populated with a more detailed message if desired.

I suspect few people have written an AuthenticationEntryPoint, and even 
fewer have subclassed SecurityEnforcementFilter, so I hope the lack of 
backward compatibility is not much of an issue. People can ignore 
the exception information if they want, and simply update their method 
signatures. The trade-off is probably worth it for more descriptive 
default error responses.

Any issues, please let the list know.
Best regards
Ben


Re: [Acegisecurity-developer] Bug in Contacts Sample App

2005-02-15 Thread Ben Alex
Matt Raible wrote:
I couldn't seem to find an issue tracker for Acegi Security - I'd be  
happy to enter this there.

acegi-security-sample-contacts-filter.war on OS X (10.3.8) with 
Tomcat  5.5.7 and Acegi Security 0.7:

Adding log4j-1.2.8.jar to WEB-INF/lib fixes the problem.
Hi Matt
Thanks for that. We picked it up and fixed it a little while ago: 
http://acegisecurity.sourceforge.net/changes-report.html.

Cheers
Ben



Re: [Acegisecurity-developer] LDAP DAO and Samba+LDAP

2005-02-17 Thread Ben Alex
Robert r. Sanders wrote:
I have a basic OpenLDAP server setup which Samba 2 is authenticating 
against.  My understanding is that Samba 2 is fairly picky about the 
LDAP scheme it uses, so I don't want to mess with this.  The current 
LdapPasswordAuthenticationDao assumes that the user will be identified 
by CN=username,...  with the scheme we are using the users are 
identified by uid=username,...   I have previously solved this by 
using a MessageFormat (the way Tomcat's JNDI authenticator does); but 
am not too particular about how so long as I can get authentication to 
work, so to stick with what was already in the 
LdapPasswordAuthenticationDao I added a property  userAttribute - 
which defaults to CN but can be changed.  I also took the liberty of 
adding some getter methods, etc...  All is included in the attached 
diff file (unified format, 3 lines of context).

 

Thanks Robert - patch applied.
Best regards
Ben


Re: [Acegisecurity-developer] Reducing the number of filters needed in web.xml

2005-02-20 Thread Ben Alex
Robert r. Sanders wrote:
While I don't have a huge amount of spare time, I would be glad to 
look over any list of tasks you have and see if I could fit any of 
them in.  I tried to look on the sourceforge site and see if there 
were any bug/feature lists but couldn't find any.

Hi Robert
Given your recent interest in the LDAP module, and its significant 
usefulness to the wider community, I think that's a good feature to move 
from sandbox to core. Some things that might need doing in that regard 
include checking the forums for past LDAP contributions (to check the 
current LDAP DAO provides equivalent features), a description for the 
reference guide, and a unit test. Re unit testing, the problem is the 
difficulty of needing an LDAP server to respond to the requests. I see a 
few approaches that we could investigate:

- Expect an LDAP server to be running. A Win32 port of OpenLDAP is 
available at http://lucas.bergmans.us/hacks/openldap/. I wouldn't mind 
if it was a prerequisite that the server was already running, with a 
base schema and users already in the directory. In this case we might 
make the LDAP module a separate Maven subproject so that it doesn't 
interfere with core's unit tests.

- Look at Apache Directory Server. Maybe it could be loaded in-memory 
during the test. I haven't looked into it, but this is attractive being 
an all-Java solution. http://incubator.apache.org/directory/

- Review Olivier Jolly's LDAP support classes at 
http://www.uportal.org/cgi-bin/viewcvs.cgi/cas3/adaptors/ldap/src/. I 
took a look and they seem interesting - probably worth using in our LDAP 
DAO interface anyway just for completeness. Perhaps we could mock one or 
two of the key interfaces and not use an LDAP server at all.

I'm quite keen on getting this LDAP issue sorted out, so any time you 
could invest in that would be greatly appreciated. Here is the remainder 
of my TODO list (not all of which will be done before 0.8.0 or even at 
all). I am working on the three items marked ***:

*** Digest authentication (for WebDAV compliance)
 http://www.ietf.org/rfc/rfc2069.txt
*** Anonymous user provider, so there's no need to exclude web URIs
 http://forum.springframework.org/viewtopic.php?t=1925
*** Remember me functionality
 http://sourceforge.net/mailarchive/forum.php?thread_id=5177499forum_id=40659
 http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice

Chain AuthenticationDao / AuthenticationProvider
 (regular forum question)
Eliminate hard-coded exceptions in AbstractProcessingFilter
 (replace with a pluggable resolver that is wired via a property editor)
Certificate integration
 (seems complicated as exchange happens in container-level SSL/TLS 
handshake)

Prevent concurrent logins via a session listener
 (committed new WebAuthenticationDetails which stores session ID in 
Authentication)

JMX of cache hits/misses, password failures, prevent user logins not 
holding certain role
 http://opensource.atlassian.com/confluence/spring/display/DOC/Exposing+your+Beans

Tiger annotations
 (or just wait for Spring to provide guidance on how it will approach this)
DB source ObjectDefinitionSource
 (or just let Spring do it at container level)
JOSSO Integration
 (good marketing benefit for software developers wanting pluggable SSO 
solutions)

SecureID Integration
Any help appreciated!
Ben


Re: [Acegisecurity-developer] Reducing the number of filters needed in web.xml

2005-02-20 Thread Ben Alex
Dmitriy Kopylenko wrote:
Ben,
how about  start using JIRA for Acegi release/issue management? I could create 
a project for JIRA in Spring JIRA installation. Would it be appropriate, taking 
into consideration that Acegi is not the official Spring subproject?
Dmitriy.
 


Thanks for the offer, but perhaps just hold off for the moment as I 
anticipate the subproject status will be sorted out in the very near 
future. :-)

Cheers
Ben


Re: [Acegisecurity-developer] LDAP PasswordDao

2005-02-21 Thread Ben Alex
Scott Battaglia wrote:
Robert,
There's an official JIRA issue in Spring for the LDAP support. Not 
sure what's going to happen with it though. I'd like to see it in 
Spring though ;-)

We have a duplicate of them in the CAS CVS tree only because they 
aren't in the Spring CVS tree anywhere and we made a few minor 
modifications.  I'd rather they weren't there though.

Scott, what license was the contributed LDAP code provided under?
I didn't realise there weren't unit tests for the LDAP support classes 
when I wrote my original email mentioning them. Making a copy of the 
classes into the Acegi Security CVS is unattractive without unit tests, 
as we need to keep coverage as close to 100% as practical. Whilst we 
could write unit tests for these classes, it seems a big scope blow-out 
when our original goal was to simply get coverage for our own LDAP DAO 
implementation.

It's up to you Robert how to approach this, as you've been good enough 
to donate your time. If you wish to put these LDAP support classes into 
CVS, do you have time to write some tests for them? If so we could 
easily make it a Maven subproject with its own JAR 
(acegi-security-ldap-0.8.0.jar) and that would probably give a nice 
solution for the wider Spring Community until the code was absorbed into 
Spring proper. Or would that same time be more effectively spent just 
focusing on our LDAP DAO, and maybe using some in-memory LDAP server (eg 
Apache DS) or mock?

Best regards
Ben



Re: [Acegisecurity-developer] ws-security filter

2005-02-21 Thread Ben Alex
Mason, Ross wrote:
 
Has anyone written a ws-security filter for acegi?
 

Not that I'm aware of.
Ben


[Acegisecurity-developer] Digest Authentication (more secure than Basic Auth) is now in CVS

2005-02-21 Thread Ben Alex
I think the subject line says it all.   :-)
Best regards
Ben



Re: [Acegisecurity-developer] Digest Authentication (more secure than Basic Auth) is now in CVS

2005-02-21 Thread Ben Alex
Ray Krueger wrote:
Hey! Where's the HttpInvokerRequestExecutor for it!
:P
I'm making jokes (and no, I'm not gonna write it ha!)
Although I may write the Basic Auth CommonsHttpInvokerRequestExecutor
 


Unfortunately I just ran out of time - the unit tests took as long to 
write as the actual implementation! Tomorrow I am working on anonymous 
user support, remember-me, and (if time permits) config attribute 
sensitive AuthenticationEntryPoints.

I did have developing additional user agents in mind when writing the 
server-side implementation. I put a static method in 
DigestProcessingFilter to correctly compute the digest from passed 
arguments. There are also useful header string parsing methods in 
net.sf.acegisecurity.util.StringSplitUtils. The primary challenge to 
writing a Digest-aware HttpInvokerRequestExecutor will be figuring out 
how to stop HttpInvoker aborting when a 401 is returned (a requirement 
of the protocol to receive the nonce, realm etc), and passing the 401 
response to the Digest implementation class so that it can prepare the 
header and store the nonce, realm etc for future requests.

Cheers
Ben
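The digest computation both sides of the exchange need, covering the RFC 2069 form and the RFC 2617 qop=auth form, as an added illustration (not Acegi's DigestProcessingFilter or its static helper). The sample values are the worked example published in RFC 2617 section 3.5; method names are invented.

```java
import java.security.MessageDigest;

/**
 * Digest access authentication:
 *   H(A1) = MD5(username:realm:password)     H(A2) = MD5(method:request-uri)
 *   response = MD5(H(A1):nonce:H(A2))                     RFC 2069 (no qop)
 *   response = MD5(H(A1):nonce:nc:cnonce:qop:H(A2))       RFC 2617 (qop=auth)
 */
public class DigestAuthExample {

    /** Lower-case hex MD5 of an ISO-8859-1 string, as the RFCs specify. */
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes("ISO-8859-1"));
            StringBuffer sb = new StringBuffer(32);
            for (int i = 0; i < d.length; i++) {
                if ((d[i] & 0xff) < 0x10) sb.append('0');
                sb.append(Integer.toHexString(d[i] & 0xff));
            }
            return sb.toString();
        } catch (Exception e) {
            throw new IllegalStateException("MD5 unavailable: " + e.getMessage());
        }
    }

    /** Computed identically by user agent and server; pass qop == null for RFC 2069. */
    static String digestResponse(String ha1, String nonce, String method, String uri,
                                 String qop, String nc, String cnonce) {
        String ha2 = md5Hex(method + ":" + uri);
        if (qop == null) {
            return md5Hex(ha1 + ":" + nonce + ":" + ha2);
        }
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2);
    }

    /** User-agent side: answer the 401 that carried realm, nonce and qop. Password never leaves. */
    static String authorizationHeader(String username, String realm, String password,
            String nonce, String method, String uri, String nc, String cnonce) {
        String ha1 = md5Hex(username + ":" + realm + ":" + password);
        String response = digestResponse(ha1, nonce, method, uri, "auth", nc, cnonce);
        return "Digest username=\"" + username + "\", realm=\"" + realm + "\", nonce=\"" + nonce
            + "\", uri=\"" + uri + "\", qop=auth, nc=" + nc + ", cnonce=\"" + cnonce
            + "\", response=\"" + response + "\"";
    }

    /**
     * Server side. It needs H(A1) or the clear-text password (so the user store cannot
     * hold a salted one-way hash), and it must additionally check that the nonce is one
     * it issued recently and that nc has not been seen before, or a captured header replays.
     */
    static boolean serverAccepts(String storedHa1, String nonce, String method, String uri,
            String qop, String nc, String cnonce, String presentedResponse) {
        String expected = digestResponse(storedHa1, nonce, method, uri, qop, nc, cnonce);
        return MessageDigest.isEqual(expected.getBytes(), presentedResponse.getBytes());
    }

    public static void main(String[] args) {
        // Sample input: the example exchange from RFC 2617 section 3.5.
        String nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093";
        String ha1 = md5Hex("Mufasa:testrealm@host.com:Circle Of Life");
        System.out.println(authorizationHeader("Mufasa", "testrealm@host.com", "Circle Of Life",
            nonce, "GET", "/dir/index.html", "00000001", "0a4f113b"));
        // The RFC's published response value for that exchange:
        System.out.println("server accepts: " + serverAccepts(ha1, nonce, "GET", "/dir/index.html",
            "auth", "00000001", "0a4f113b", "6629fae49393a05397450978507c4ef1"));
    }
}
```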

