Re: [Acegisecurity-developer] Showing session-timed-out message to the concerned user alone...
Hi Vikas,

I have used a Servlet Filter to detect if the session id is present, or if it has changed... to trigger a redirect to a session timeout page.

Cheers
Mark

On 3/21/07, Vikas Sasidharan [EMAIL PROTECTED] wrote:

Hi,

In our application, we have the (seemingly common) requirement that when the user is redirected to the login page as a result of session timing out, a helpful message should be displayed on the page explaining why he has to login again. Currently, we are using an HttpSessionListener to get notified about the time out but we are facing a challenge in this regard - how do we use the listener to indicate to the user (and that particular user alone) that the session has timed out? We currently use a ServletContext attribute for this, which is then used by the login page to decide whether to show the message or not. However, this obviously means that a different user trying to log in fresh to the app would also get to see this (misleading) message.

Any ideas are welcome. :-)

Thx Rgds,
Vikas

___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
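A filter of the kind Mark describes, added here as an illustration; it is not code from the thread or from Acegi. It uses the Servlet 2.3 Filter API that Acegi's own filters use; the timeout page /session-timeout.jsp, the init-param name and the class name are assumptions. The point it demonstrates is that the decision is made per request from that request's own session id, so no shared ServletContext state is needed and only the user whose session actually expired sees the message.

```java
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects a request whose session cookie refers to a session the container
 * no longer has to a "session timed out" page. A fresh visitor sends no
 * session id at all and is never redirected, which is what separates the
 * timed-out user from everyone else.
 */
public class SessionTimeoutFilter implements Filter {

    // Assumed default; override with the "timeoutUrl" init-param in web.xml.
    private String timeoutUrl = "/session-timeout.jsp";

    public void init(FilterConfig config) {
        String url = config.getInitParameter("timeoutUrl");
        if (url != null) {
            timeoutUrl = url;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The browser sends the stale cookie on the timeout page request as
        // well; skipping that URL avoids a redirect loop.
        String timeoutLocation = request.getContextPath() + timeoutUrl;
        boolean targetsTimeoutPage = timeoutLocation.equals(request.getRequestURI());

        if (!targetsTimeoutPage && isExpiredSession(request)) {
            // Create a new session before redirecting so the response carries a
            // fresh cookie and the stale id is replaced rather than re-sent.
            request.getSession(true);
            response.sendRedirect(response.encodeRedirectURL(timeoutLocation));
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the client presented a session id that the container does not
     * recognise: the session timed out (or was invalidated) and the browser is
     * still sending the old cookie. No session id at all means a new visitor,
     * not a timeout.
     */
    static boolean isExpiredSession(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    public void destroy() {
    }
}
```

Map the filter in web.xml ahead of the Acegi filter chain proxy (filters run in filter-mapping order). Two things to keep in mind: any stale cookie on any mapped URL triggers the redirect, so exclude public resources by URL pattern if that is unwanted; and a logout that invalidates the session without starting a new one leaves the same stale cookie behind, so the user's next click would be reported as a timeout unless the logout handler also calls getSession(true) or the logout success page is excluded.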
Re: [Acegisecurity-developer] Acegi Rebranding??
I asked the same question to Rod @ TSE, as well as talked with Ben, and there is no immediate intention to change the source code packaging; rather it's an explicit rebranding to reflect that it is a part of the Spring portfolio. Also this keys into the release train concept discussed at TSE... basically a coordinated release among the Spring projects proper.

Ben can chime in as well if he would like to add to this..

Cheers
Mark

On 1/21/07, Krystian [EMAIL PROTECTED] wrote:

Karl Moore wrote:
> Raised the question here also http://forum.springframework.org/showthread.php?t=33908

What about package names?, especially that it was changed not so long ago to org.acegisecurity.*. Touching package names again can be a notion of instability for some.

And what about non-Spring usage of Acegi? Some non-Spring projects (e.g. based on Eclipse RCP - OSS GIS uDIG) think about introducing Acegi, but not necessarily Spring. It will make them feel against Acegi, I suppose...

Kind regards,
Krystian Nowak
PSNC

--
Krystian Nowak [EMAIL PROTECTED]
===
Poznan Supercomputing and Networking Center
Poland, 60-814 Poznan, Zwierzyniecka 20
tel. (+48 61) 8582159 fax. (+48 61) 8582151
http://www.man.poznan.pl
===
Re: [Acegisecurity-developer] SwitchUserProcessingFilter that doesn't quite switch everything
Hi Jason,

Can you clarify what you mean by "I want to be able to impersonate another user (i.e. switch user) for a specific authority that I don't want to allow when impersonating."

Do you mean that once you switch to a user, you don't actually want to run with that target user's authorities?

User A (has) ROLE_ADMIN
User B (has) ROLE_CUSTOMER

User A switches to User B, what authorities should (he/she) have?

Cheers
Mark

On 10/10/06, Jason Yip [EMAIL PROTECTED] wrote:

I want to be able to impersonate another user (i.e. switch user) for a specific authority that I don't want to allow when impersonating. At this point it looks like I need to copy and modify SwitchUserProcessingFilter as it doesn't seem to have the extension points to easily support this. Am I missing something? Is there another way to implement this kind of partial impersonation?

NOTICE This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.
Re: [Acegisecurity-developer] SwitchUserProcessingFilter that doesn't quite switch everything
Hi Jason,

Thanks for the example... yes, for your case, the switch user filter does not filter the authorities... This would require an improvement to the current implementation to optionally filter target authorities.

I would suggest either creating a JIRA entry for this improvement, so we can schedule and plan it: http://opensource.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

Or extending the current Filter for your particular needs.

Also if you wanted to submit a patch to JIRA, that would also be more than welcome.

Cheers
Mark

On 10/10/06, Jason Yip [EMAIL PROTECTED] wrote:

Hi Mark,

Probably should have given an example... so I will now.

Alice: ROLE_ADMIN
Bob: ROLE_NORMAL_USER, ROLE_USER_ONLY

I want to allow Alice to impersonate Bob but not allow her to get specific types of authorities. So if Alice impersonates Bob...

Alice: ROLE_NORMAL_USER

I want to be able to apply an authority filter to a switch user operation such that an impersonator will run with all the target user's authorities except for any authority that matches a particular pattern. This is because those particular authorities are special, dangerous, etc.
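One way to take Mark's second option, extending the filter, written here as an added example for the Alice/Bob case in both messages above; it is not code from the thread or from Acegi. It assumes the Acegi 1.0.x class layout: that SwitchUserProcessingFilter.attemptSwitchUser(HttpServletRequest) is a protected method returning the target user's Authentication with the switch-back authority already attached, that the switch-back authority is a SwitchUserGrantedAuthority, and that authorities are exposed as GrantedAuthority[]. The class name and the default pattern are assumptions chosen to match the example.

```java
package example;

import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.switchuser.SwitchUserGrantedAuthority;
import org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter;

/**
 * Switch-user filter that drops any of the target user's authorities whose
 * name matches a configured pattern, so the impersonator never runs with the
 * "special, dangerous" ones. With the default pattern, switching to Bob
 * (ROLE_NORMAL_USER, ROLE_USER_ONLY) yields ROLE_NORMAL_USER plus the
 * switch-back authority.
 */
public class AuthorityFilteringSwitchUserFilter extends SwitchUserProcessingFilter {

    // Assumed default; set it from the bean definition in a real deployment.
    private Pattern excludedAuthorities = Pattern.compile("^ROLE_.*_ONLY$");

    public void setExcludedAuthorityPattern(String regex) {
        this.excludedAuthorities = Pattern.compile(regex);
    }

    /**
     * Let the superclass resolve the target user and build its token, then
     * return a copy of that token with the excluded authorities removed.
     */
    protected Authentication attemptSwitchUser(HttpServletRequest request)
            throws AuthenticationException {
        Authentication target = super.attemptSwitchUser(request);
        GrantedAuthority[] kept = filterAuthorities(target.getAuthorities(), excludedAuthorities);
        // The three-argument constructor marks the token as authenticated.
        UsernamePasswordAuthenticationToken filtered = new UsernamePasswordAuthenticationToken(
                target.getPrincipal(), target.getCredentials(), kept);
        filtered.setDetails(target.getDetails());
        return filtered;
    }

    /**
     * Keeps every authority that does not match the pattern. The
     * SwitchUserGrantedAuthority is always kept: it is what lets the
     * administrator exit impersonation, and stripping it would strand them
     * in the target account.
     */
    static GrantedAuthority[] filterAuthorities(GrantedAuthority[] authorities, Pattern excluded) {
        List<GrantedAuthority> kept = new ArrayList<GrantedAuthority>();
        for (GrantedAuthority authority : authorities) {
            boolean switchBack = authority instanceof SwitchUserGrantedAuthority;
            if (switchBack || !excluded.matcher(authority.getAuthority()).matches()) {
                kept.add(authority);
            }
        }
        return kept.toArray(new GrantedAuthority[kept.size()]);
    }
}
```

Exiting impersonation is unaffected, since the superclass restores the original Authentication from the SwitchUserGrantedAuthority that is kept. One caveat: the reduced set lives on the Authentication only. Acegi's voters and interceptors read Authentication.getAuthorities(), but application code that reads roles from the principal's UserDetails.getAuthorities() would still see ROLE_USER_ONLY, so keep authorization decisions on the Authentication. An impersonation session is still a privileged one; make sure the switch-user events the filter publishes end up in an audit log.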
Re: [Acegisecurity-developer] Failed to create FilterChainProxy
Yeah, it's definitely a Classloading problem. Basically a Commons class is being loaded, but the wrong version. Application servers / servlet containers sometimes bundle their own version of Commons... so depending on what Classloader picked it up.. that's the class it will use thereafter.

Cheers
Mark

On 8/8/06, Teemu Lehto [EMAIL PROTECTED] wrote:

Hi

You should have commons-lang-2.1.jar in your classpath. You should probably check all commons jar versions.

BR
-Teemu-

----- Original message -----
From: [EMAIL PROTECTED]
Date: 08.08.2006 2:13
To: acegisecurity-developer@lists.sourceforge.net
Subject: [Acegisecurity-developer] Failed to create FilterChainProxy

I suspect it is related to upgrading to version 1.0, but I find it very hard to gather anything from the exception output. Did I make an error in the configuration?

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'filterChainProxy' defined in class path resource [acegi-security.xml]: Initialization of bean failed; nested exception is java.lang.NoSuchMethodError: org.apache.commons.lang.StringUtils.substringBeforeLast(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
java.lang.NoSuchMethodError: org.apache.commons.lang.StringUtils.substringBeforeLast(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
    at org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor.setAsText(FilterInvocationDefinitionSourceEditor.java:132)
    at org.springframework.beans.BeanWrapperImpl.doTypeConversionIfNecessary(BeanWrapperImpl.java:881)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:692)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:572)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:737)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:764)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:753)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<!-- Application context definition for Trails Security Through Acegi. -->
<beans>

  <!-- Authentication. -->
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref bean="daoAuthenticationProvider"/>
        <ref local="anonymousAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService">
      <ref bean="trailsUserDAO"/>
      <!-- <ref bean="inMemoryUserDetailsService"/> -->
    </property>
  </bean>

  <bean id="trailsUserDAO" class="org.trails.security.TrailsUserDAO">
    <property name="persistenceService"><ref bean="persistenceService"/></property>
  </bean>

  <bean id="inMemoryUserDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        user=pwd,ROLE_USER
        admin=admin,ROLE_USER,ROLE_MANAGER
      </value>
    </property>
  </bean>

  <!-- FILTER CHAIN -->
  <!-- if you wish to use channel security, add channelProcessingFilter in front of httpSessionContextIntegrationFilter in the list below -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter, authenticationProcessingFilter,anonymousProcessingFilter, exceptionTranslationFilter
      </value>
    </property>
  </bean>

  <!-- HTTP REQUEST SECURITY -->
  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
  </bean>

  <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="authenticationFailureUrl"><value>/app?page=Login&amp;service=page</value></property>
    <property name="defaultTargetUrl"><value>/app</value></property>
    <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
    <!-- <property name="rememberMeServices"><ref local="rememberMeServices"/></property> -->
  </bean>

  <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl"><value>/app?page=Login&amp;service=page</value></property>
    <property name="forceHttps"><value>false</value></property>
  </bean>

  <bean id="anonymousProcessingFilter"
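A check for the class-loading problem Mark and Teemu describe, added here as an example; it is not code from the thread or from Acegi. It uses only the JDK and names commons-lang's StringUtils as a string, so it compiles whether or not commons-lang is on the build path. The class and method names it probes are the ones in the stack trace above; the class name ClassOriginCheck is an assumption.

```java
package example;

import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Diagnoses a NoSuchMethodError caused by a class loader picking up the wrong
 * version of a library: reports the jar a class was actually loaded from,
 * lists every other copy the same loader can see, and checks whether the
 * method the stack trace asked for exists on the copy that won.
 */
public class ClassOriginCheck {

    /** Jar or directory a loaded class came from, or null when it has no code source (bootstrap classes). */
    public static String locationOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation().toString();
    }

    /** Every copy of the class file the loader and its parents can see, in lookup order. */
    public static List<URL> allCopies(ClassLoader loader, String className) throws IOException {
        List<URL> found = new ArrayList<URL>();
        Enumeration<URL> urls = loader.getResources(className.replace('.', '/') + ".class");
        while (urls.hasMoreElements()) {
            found.add(urls.nextElement());
        }
        return found;
    }

    /** True if the class, as resolved by this loader, has a public method with the given signature. */
    public static boolean hasMethod(ClassLoader loader, String className, String method, Class<?>... params)
            throws ClassNotFoundException {
        Class<?> c = Class.forName(className, false, loader);
        try {
            c.getMethod(method, params);
            return true;
        } catch (NoSuchMethodException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The context loader is what the web application's code resolves against.
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        String cls = "org.apache.commons.lang.StringUtils";

        Class<?> c = Class.forName(cls, false, loader);
        System.out.println(cls + " loaded from " + locationOf(c) + " by " + c.getClassLoader());
        for (URL copy : allCopies(loader, cls)) {
            System.out.println("  visible copy: " + copy);
        }

        boolean present = hasMethod(loader, cls, "substringBeforeLast", String.class, String.class);
        System.out.println("substringBeforeLast(String,String): "
                + (present ? "present" : "MISSING - an older commons-lang is shadowing the one in WEB-INF/lib"));
    }
}
```

Run it from inside the web application (a throwaway servlet or JSP scriptlet), not from the command line: it is the container's loader hierarchy that decides which copy wins. If the reported location is under the server's own lib directory rather than WEB-INF/lib, either remove or upgrade the server's copy, or, where the container supports it, configure the web application's loader to prefer its own classes over the parent's.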
Re: [Acegisecurity-developer] Acegi Security 1.0.0 is released!
Great job Ben et gang

Just a note, Ben I will be updating the contacts-tiger sample project, I noticed it was not converted over. I will create a JIRA entry for myself and update this tomorrow.

Also with Spring 2.0, I noticed that a jira entry was created for namespace handlers, XSD support, etc.. If you have someone to do this fine... otherwise I can take it up... it's something that I would really like to get in... and reduce some of the XML verbosity.

Cheers all,
Mark

On 5/29/06, Ben Alex [EMAIL PROTECTED] wrote:

Dear Spring Community

After more than two and a half years of development, I am delighted to announce that Acegi Security 1.0.0 is now officially released.

In addition to more than 80 improvements and fixes since 1.0.0 RC2, this new release also includes several changes to help new users. This includes a significant restructure and expansion of the reference guide (now more than 90 pages) and a new bare bones tutorial sample application. Furthermore, many of the frequently-identified problems experienced by new users have been addressed, such as custom 403 messages (as opposed to using the Servlet Container's error handler), detecting corrupt property input following the reformatting of XML files, and a new logout filter. We've also refactored our LDAP services, made the SecurityContextHolder a pluggable strategy (especially useful for rich clients who wish to avoid ThreadLocal), and improved CAS support.

Please visit http://opensource.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040&styleName=Html&version=10360 for a detailed changelog. As always, detailed upgrade instructions are included in the release ZIP file.

The project's web site at http://acegisecurity.org provides additional information on Acegi Security's features, access to online documentation, and links to download the latest release.

I will also be providing a presentation on Acegi Security at SpringOne next month, so I hope to see you there.

We trust that you find this new release useful in your projects.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi Security 1.0.0 is released!
Hi Ben,

The configuration was referencing net.sf... some of the config was moved over to org. however not all, including the userdetails refactoring. Plus some of the JSPs were also referencing net.sf in page imports. I am running through and testing the app right now, currently failing on a call to getPrincipal from User object... I will fix it up, retest it, run the unit testing and check in the changes.

Re: the tutorial app... yeah I noticed that .. very nice... much more concise config.

I am using Spring 2.0 and I am really digging the schema-based config... I am also using MethodSecurityInterceptors using the new Aspect pointcuts. Not sure if we should also include examples of usage using Spring 2.0? I assume we need to wait for it to go final.

Uri is on it... Great, I'll keep my eyes posted for acegi:config :)

Cheers
Mark

On 5/30/06, Ben Alex [EMAIL PROTECTED] wrote:

Mark St.Godard wrote:
> Just a note, Ben I will be updating the contacts-tiger sample project, I noticed it was not converted over. I will create a JIRA entry for myself and update this tomorrow.

I just checked and it looked to me like it was built for 1.0.0. What specifically wasn't converted?

> Also with Spring 2.0, I noticed that a jira entry was created for namespace handlers, XSD support, etc..

http://opensource.atlassian.com/projects/spring/browse/SEC-271 for those interested.

> If you have someone to do this fine... otherwise I can take it up... it's something that I would really like to get in... and reduce some of the XML verbosity.

Uri Boness has volunteered, but I'm unsure whether work has commenced. I am happy for anyone to take a look at it who has sufficient time.

As for verbose XML, I'd encourage people to take a look at the new tutorial sample, which is just 148 lines of XML. This includes comments, whitespace and full support for form authentication, remember-me, anonymous and web request authorization. I think that's a pretty good base given the features, but nevertheless it will be even less with SEC-271 improvements.

Cheers
Ben
Re: [Acegisecurity-developer] Subversion?
+1

On 3/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

No concerns here.

Scott

-----Original Message-----
From: Ben Alex [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 25, 2006 5:43 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: [Acegisecurity-developer] Subversion?

Hi everyone

SourceForge have recently modified their offering so we can migrate to SVN (without losing revision history) - see http://sourceforge.net/docman/display_doc.php?docid=31070&group_id=1#import. I have also been using SVN recently and had good results. The Subclipse plugin at Update Manager URL http://subclipse.tigris.org/update_1.0.x works quite well.

Does anyone have any concerns with the project migrating from CVS to SVN? If there aren't any objections, I'll make the change in about a week.

Cheers
Ben
Re: [Acegisecurity-developer] account blocking?
You can write and register a custom ApplicationListener, then check for the authentication failure event... you can do something to update the failed logon attempts, then on subsequent logon attempts you will probably have to check the logon attempts count, something like that.

Acegi does not provide something out of the box, mainly because you will need to do something on failed logons... you need to update that user account details... so most of the time you will have a (transactional) service layer for user mgmt.

I did the above ... wrote a listener, and injected my user mgmt service into the listener so I could update the user's failed logon attempts... then in the logon process if it goes over the desired threshold I make sure the account disabled flag is set.

Cheers,
Mark

On 1/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Is it just me, or is there no way to set up acegi with an account blocker that is called after a specified number of consecutive failed authentication (not authorization) attempts for the same username?
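The listener Mark describes, written out as an added example; it is not code from the thread or from Acegi. It assumes the Acegi 1.0 event classes in org.acegisecurity.event.authentication (AbstractAuthenticationFailureEvent, AuthenticationSuccessEvent, AuthenticationFailureBadCredentialsEvent) and a hypothetical UserManagementService standing in for the application's own transactional user-management layer. The threshold, the class names and the in-memory service used by main() are all assumptions.

```java
package example;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.acegisecurity.Authentication;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.event.authentication.AbstractAuthenticationFailureEvent;
import org.acegisecurity.event.authentication.AuthenticationFailureBadCredentialsEvent;
import org.acegisecurity.event.authentication.AuthenticationSuccessEvent;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/**
 * Counts consecutive failed logins per username and asks the application's
 * user-management service to lock the account when the threshold is reached.
 * Nothing here rejects the current attempt: the lock is enforced on the next
 * attempt, when DaoAuthenticationProvider finds isAccountNonLocked() false on
 * the loaded UserDetails and throws LockedException.
 */
public class FailedLoginLockoutListener implements ApplicationListener {

    /** Hypothetical application service; in practice a transactional facade over the user table. */
    public interface UserManagementService {
        /** Records one more failure and returns the new consecutive-failure count. */
        int recordFailedLogin(String username);
        void resetFailedLogins(String username);
        void lockAccount(String username);
    }

    private final UserManagementService users;
    private final int maxFailures;

    public FailedLoginLockoutListener(UserManagementService users, int maxFailures) {
        this.users = users;
        this.maxFailures = maxFailures;
    }

    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AbstractAuthenticationFailureEvent) {
            // Bad credentials, disabled, expired, already locked: every failure counts.
            String username = ((AbstractAuthenticationFailureEvent) event).getAuthentication().getName();
            if (users.recordFailedLogin(username) >= maxFailures) {
                users.lockAccount(username);
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            // A successful login ends the streak; otherwise old failures accumulate forever.
            users.resetFailedLogins(((AuthenticationSuccessEvent) event).getAuthentication().getName());
        }
    }

    /** Minimal in-memory service so the listener can be exercised without a database. */
    public static class InMemoryUserManagementService implements UserManagementService {
        private final Map<String, Integer> failures = new HashMap<String, Integer>();
        private final Set<String> locked = new HashSet<String>();

        public int recordFailedLogin(String username) {
            Integer n = failures.get(username);
            int next = (n == null ? 0 : n) + 1;
            failures.put(username, next);
            return next;
        }
        public void resetFailedLogins(String username) { failures.remove(username); }
        public void lockAccount(String username) { locked.add(username); }
        public boolean isLocked(String username) { return locked.contains(username); }
    }

    public static void main(String[] args) {
        InMemoryUserManagementService service = new InMemoryUserManagementService();
        FailedLoginLockoutListener listener = new FailedLoginLockoutListener(service, 3);
        // Constructed sample: three bad-password attempts for "bob", as ProviderManager would publish them.
        Authentication bob = new UsernamePasswordAuthenticationToken("bob", "wrong-password");
        for (int i = 0; i < 3; i++) {
            listener.onApplicationEvent(new AuthenticationFailureBadCredentialsEvent(
                    bob, new BadCredentialsException("Bad credentials")));
        }
        System.out.println("bob locked after 3 failures: " + service.isLocked("bob"));
    }
}
```

Register the listener in the same application context as the ProviderManager that publishes the events; a listener in a child context does not see events published in the parent. Failures for unknown usernames arrive as bad-credentials events too (the provider hides user-not-found by default), which is harmless since there is nothing to lock. A permanent lock keyed on username is also a denial-of-service lever against any known account, so most deployments prefer a timed lock or a manual unlock path.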
Re: [Acegisecurity-developer] Where to submit doc edits?
Hi Justin,

I would open a JIRA item and attach the details. http://opensource2.atlassian.com/projects/spring/browse/SEC

Cheers,
Mark

On 12/29/05, Justin Garten [EMAIL PROTECTED] wrote:

Hi,

I haven't been able to find an area for submitting documentation edits. I'm just working through the docs for the first time and have found a couple of typos. By the way, thanks for all the work everyone has put into this!

Justin
Re: [Acegisecurity-developer] Annotations Question
Hi John,

The Acegi Java 5 Annotations approach is very similar to that of the Commons Attributes configuration (except instead of using doclet, it's using Java 5 annotations). Please see the Reference Guide (search for annotations) for example config, i.e.

    <bean id="attributes" class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/>

    <bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
        <property name="attributes"><ref local="attributes"/></property>
    </bean>

Also, if you download the Acegi distribution there are 2 examples using Annotations. One is a standalone @Secured example... (see samples.annotations.*) as well there is a port of the Contacts example using both Spring @Transactional and @Secured annotations. Please see the contacts-tiger example.

I will look at beefing up the Documentation on the Java 5 Annotations. There are examples and documentation, however please let me know if there is something in particular you were looking for that you needed. (i.e. example config, etc? )

Cheers,
Mark

On 12/4/05, John Gibson [EMAIL PROTECTED] wrote:

I'm not sure if this is the appropriate place to post a question, if there's an acegisecurity-user list that'd be more appropriate then please point me in the right direction.

Anyways, I've been experimenting with Acegi Security and I was interested in using the Java 5 Annotations, however documentation is sparse. In particular I'm not sure what to do besides placing @Secured annotations on methods that I want to protect. Is there an annotation processor that I need to run to generate XML, will Acegi Security create the MethodSecurityInterceptor for me automatically, or am I completely missing something here?

Thanks,
John Gibson
Re: [Acegisecurity-developer] possible contribution
Ben M - I would submit a JIRA entry and people could vote on it, plus it would also get more visibility. You found a need for it, and it could be useful to other Acegi users.

Cheers,
Mark

On 11/17/05, Scott McCrory [EMAIL PROTECTED] wrote:

Quoting Ben Munat [EMAIL PROTECTED]:
> So, should I take the silence to mean that no one is interested in this?

Hi Ben. Very interesting concept, but it doesn't scratch an itch here. Maybe others would be more into a pluggable PasswordDaoAuthenticationProvider implementation.

Scott
Re: [Acegisecurity-developer] Proposal: Rename AuthenticationDao interface
Hi Scott,

From my perspective, I always saw the AuthenticationDao as just that... a pluggable interface for authentication data access (i.e. in-memory, jdbc, ldap, etc.) I personally don't see this interface at a Service Layer level? The AuthenticationProvider err.. provides a layer on top of the actual authenticationDao, so maybe I am missing something.

I am all for refactoring / renaming, however I would be a little careful since 0.8.3 to 0.9 was a little API change for Acegi users... albeit minor changes. I would think that renaming the AuthenticationDao would be less of a change, compared to the ContextHolder changes. I think the API needs to stabilize... it's less shocking for users :)

I do kinda see what you mean Scott... having a service layer implement a DAO... normally doesn't sit well with developers ;) Although I am not sure if your situation is common (3 authentication dao's to build up the user's roles?) Just curious why?

So if it's a vote... mine would be 'no'

** Although I do like that we are all trying to keep the code clean and concise. Good stuff.

Cheers,
Mark

On 11/15/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi all,

I chatted with Ben briefly about this last night and he suggested I bring it up on the list for others to chime in...

I'd like to propose renaming the AuthenticationDao interface to AuthenticationService prior to 1.0.0.

Why? It's ultimately just a naming thing, but my feelings are that Acegi shouldn't delegate authentication to an interface that encourages developers to bypass the business service layer and go straight for the data access layer. And generally, an application's DAOs shouldn't be executing business logic (like role construction) or tapping multiple DB connections, web services and other potential authentication and authorization stores.

For example, the app I'm currently working on needs to reference three different DAOs during authentication to build the user's ultimate list of roles. Clearly this multiple-datasource operation needs to occur within the boundaries of a distributed transaction, so I did just that by building an AuthenticationServiceImpl that implements AuthenticationDao. This is all well and good, but when I first approached this problem I had to get over the fact that my *service* needed to implement a *dao* interface. This may not be so obvious to newcomers already in close combat with Acegi's sophisticated terminology and design.

The downside of changing AuthenticationDao to AuthenticationService (sorry, AuthenticationManager may be consistent with Spring's nomenclature but it's already taken) is that a lot of API code, documentation and example XML files will need to be changed. Users will also have to do the same.

Would it be worth it? I don't really know, but the argument could be made for making this change now, before 1.0.0 is out, since it's such a core part of Acegi's API. I also believe that it will make the class hierarchy easier to understand and explain, which I think is a challenge that Acegi already faces.

I'd be willing to make these changes - Eclipse can easily handle the renaming and dependency changes, and updating the JavaDoc, reference guide, XML files, etc. is mostly just search-and-replace and validation. But I want to know what everyone thinks first.

Thanks,

Scott
Re: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors
Ben, Scott,

Scott, what version of Websphere are you running? What JRE/JDK version?

Ben, the code looks fine... seems abnormal for InheritableThreadLocal to NPE...

Scott, try without the InheritableTL or, as Ben suggests, try a different servlet container / appserver if you can.

Cheers,
Mark

On 11/7/05, Ben Alex [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
[11/7/05 15:24:43:513 EST] 5a6d5a6d WebGroupE SRVE0026E: [Servlet Error]-[Filter [Acegi Filter Chain Proxy]: filter is unavailable.]: java.lang.NullPointerException
at java.lang.Throwable.<init>(Throwable.java)
at java.lang.Throwable.<init>(Throwable.java)
at java.lang.NullPointerException.<init>(NullPointerException.java:63)
at java.lang.InheritableThreadLocal.set(InheritableThreadLocal.java:95)
at net.sf.acegisecurity.context.SecurityContextHolder.setContext(SecurityContextHolder.java:58)
at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:207)

Very odd. If you look at the code for SecurityContextHolder:

private static InheritableThreadLocal contextHolder = new InheritableThreadLocal();

public static void setContext(SecurityContext context) {
    Assert.notNull(context, "Only non-null SecurityContext instances are permitted");
    contextHolder.set(context); // this line fails (line 58)
}

Can anyone see any issue with this? The main difference between 0.8.3 and 0.9.0 is the use of an InheritableThreadLocal instead of a ThreadLocal. If you revert to the latter, does it work? What version of WebSphere are you running? Does it work if you deploy the same WAR to, say, Tomcat?

Cheers
Ben
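An added illustration of the one difference Ben points at, ThreadLocal versus InheritableThreadLocal: a thread spawned by the request thread starts empty with the former and with the parent's value with the latter. This is not code from the thread or from Acegi; the class name and package are assumptions.

```java
// Added example (not from the thread, not Acegi's own code): shows what a child thread
// sees in a plain ThreadLocal versus an InheritableThreadLocal set by its parent.
package example;

public class ThreadLocalInheritance {

    private static final ThreadLocal PLAIN = new ThreadLocal();
    private static final InheritableThreadLocal INHERITED = new InheritableThreadLocal();

    /** Sets the same value in both holders on the calling thread. */
    public static void setContext(String value) {
        PLAIN.set(value);
        INHERITED.set(value);
    }

    /** Clears both holders on the calling thread; a pooled thread must not keep a stale value. */
    public static void clearContext() {
        PLAIN.set(null);
        INHERITED.set(null);
    }

    /**
     * Spawns a child thread from the calling thread and returns what the child reads from
     * the given holder (InheritableThreadLocal extends ThreadLocal, so both can be passed).
     */
    public static String seenByChild(final ThreadLocal holder) throws InterruptedException {
        final String[] seen = new String[1];
        Thread child = new Thread(new Runnable() {
            public void run() {
                seen[0] = (String) holder.get();
            }
        });
        child.start();
        child.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        setContext("alice");
        try {
            System.out.println("ThreadLocal seen by child: " + seenByChild(PLAIN));
            System.out.println("InheritableThreadLocal seen by child: " + seenByChild(INHERITED));
        } finally {
            clearContext();
        }
    }
}
```

With the plain holder the child reads null; with the inheritable one it reads the parent's value, and by default it gets the very same object reference, so a SecurityContext handed down this way is shared, not copied. That is why the 0.9.0 change matters beyond this NPE: any thread a request spawns now carries that request's user, and the context must be cleared on the thread that set it, as the finally block does, or a pooled thread will present the previous user on its next job.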
Re: [Acegisecurity-developer] Vote: Release 0.9.0
+1

On 11/6/05, Ben Alex [EMAIL PROTECTED] wrote:
Hi everyone

The JIRA changelog is now complete, and I've just updated the reference guide to reflect the latest changes: http://opensource2.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

I would like to propose we release 0.9.0 at this point. Please let me know if you agree.

Cheers
Ben
Re: [Acegisecurity-developer] Getting errors building v0.8.3
Hi Vijay,

I am pretty sure the commons attributes plugin was removed to accommodate the Java 5 annotations samples. Ben mentioned that using the Java 5 compiler and the commons-attributes plugin would cause errors. We discussed disabling that plugin so that we could properly build the Java 5 annotations samples. The commons attributes samples would have to be built by hand... see this thread: http://www.mail-archive.com/acegisecurity-developer@lists.sourceforge.net/msg01317.html

Cheers
Mark

On 10/21/05, Vijay Varadan [EMAIL PROTECTED] wrote:
The attributes tests worked after I installed the common-attributes plugin. Unfortunately, the command specified on the version of the Building with maven page incorrectly lists the groupId as common-attributes-plugin - the groupId should be common-attributes. The other arguments to maven are correct. Once I did that, the build went through perfectly.

To summarize, here are the changes I had to make to get 0.8.3 working:
1. In $ACEGISECURITY/project.xml change the version from 1.2-RC2 to 1.2 for the artifactId spring
2. In $ACEGISECURITY/samples/attributes/project.xml change the version from 1.0 to 1.0.2 for artifactId xjavadoc
3. Install the common-attributes-plugin using the following command:
   maven plugin:download -DgroupId=commons-attributes -DartifactId=commons-attributes-plugin -Dversion=2.1

This seems to have been fixed on the version of the page available on the site at http://acegisecurity.sourceforge.net/building.html

Hope this helps.
Vijay Varadan

On 10/20/05, Luke Taylor [EMAIL PROTECTED] wrote:
Vijay Varadan wrote:
Thanks for the info about the maven option and ibiblio - I was looking in the directory pointed to by Google search which seems to be the wrong place to look. I'm interested in building the last known good release. There is a small group of us that is looking to develop ACEGI for the .NET platform - so I figured we'd start from a LKG release.

Changing the xjavadoc version in the project.xml file to 1.0.2 allowed the build to proceed. The sample.attributes.Bank jUnit tests are failing. I'll post more details if I can't figure it out myself. Thanks once again for the valuable pointers.

You're welcome.

The attributes tests are failing in the main build too - I'm not sure what the situation is there.
http://acegisecurity.sourceforge.net/multiproject/acegi-security-sample-attributes/junit-report.html

--
Luke Taylor.
Monkey Machine Ltd.
PGP Key ID: 0x57E9523C
http://www.monkeymachine.ltd.uk
Re: [Acegisecurity-developer] Acegi .Net version
You'd have to ask Ben and Carlos (as Ben is the project admin and Carlos is all things build related), however I would assume it would have to be a new project on sourceforge... completely separate, along the same lines as Spring.NET, NHibernate, etc.

Cheers,
Mark

On 10/17/05, Bill Barr [EMAIL PROTECTED] wrote:
Mark,

Thanks for the pointer. I'll be sure to ask over there, too. If I can find some interested people, would it make sense to add a C# branch to the Acegi project?

Bill

--- Mark St.Godard [EMAIL PROTECTED] wrote:
You might want to check with the Spring .NET team to see if there is any related work on security. http://www.springframework.net
Re: [Acegisecurity-developer] Acegi .Net version
You might want to check with the Spring .NET team to see if there is any related work on security. http://www.springframework.net

Cheers,
Mark

On 10/17/05, Bill Barr [EMAIL PROTECTED] wrote:
Are there any plans for a .Net version of Acegi? Is there even any interest in such a beast?

Bill
[Acegisecurity-developer] custom Session Timeout page
Ben et al,

Has anyone implemented a custom session timeout page using Acegi yet? As we all know, the Authentication object is stored in HttpSession between web requests; logging out invalidates the session, and inactivity destroys the session. I am working on an app and they would like to have it redirected to a custom session timeout page rather than just back to the login page.

Has anyone done something similar?

Cheers,
Mark
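One way to do what Mark asks for, as an added example that is not part of the thread and not Acegi code: a servlet filter that spots a request carrying a session id the container no longer recognises and redirects that one request to a timeout page. The /session-timeout.jsp path and the timeoutPage init parameter are assumptions.

```java
// Added example (not from the thread, not Acegi's own code): redirect a request whose
// session has expired to a dedicated timeout page. The default page path is an assumption.
package example;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SessionTimeoutFilter implements Filter {

    private String timeoutPage = "/session-timeout.jsp";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("timeoutPage");
        if (configured != null) {
            timeoutPage = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isExpiredSession(request) && !isTimeoutPage(request)) {
            // The browser still sends a JSESSIONID but the container does not know it any
            // more: the session timed out or was invalidated. Only this request is affected,
            // so nothing about the event needs to be kept in ServletContext, which is shared
            // by every user of the application.
            response.sendRedirect(response.encodeRedirectURL(
                    request.getContextPath() + timeoutPage));
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when the client presented a session id that is no longer valid on this container. */
    static boolean isExpiredSession(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    /** Avoid redirecting the timeout page to itself in a loop. */
    private boolean isTimeoutPage(HttpServletRequest request) {
        return request.getRequestURI().endsWith(timeoutPage);
    }

    public void destroy() {
    }
}
```

Map it in web.xml ahead of the Acegi filter chain, otherwise the security filters will already have created a fresh session or redirected to the login page before this check runs. A first-time visitor sends no session id and passes straight through, so the message is only ever shown to the user whose session actually expired; one thing the check cannot tell apart is a session invalidated by an explicit logout, so have the logout handler redirect somewhere the filter does not treat as a timeout.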
Re: [Acegisecurity-developer] Presenting at the Java SIG in Oakland, CA
Hi Chris,

I really enjoy doing presentations / talks, however I am located up in Canada ;)

Cheers,
Mark

On 10/2/05, Chris Richardson [EMAIL PROTECTED] wrote:
Hello,

I organise the Java SIG that meets in Oakland (http://www.ebig.org/sig/sig.aspx?SIGid=21), which is in the San Francisco bay area. At a recent meeting, members expressed interest in learning more about ACEGI security. Ben Alex suggested that I post to this mailing list. I was wondering whether any of the Acegi security developers are based in the bay area and would be willing to present. Ben said he could supply a presentation if that would help. We meet on the 3rd Wednesday of the month.

Thanks.

Chris
--
Consulting - http://www.chrisrichardson.net
Author, POJOs in Action - http://www.manning.com/crichardson
Enterprise POJOs blog - http://chris-richardson.blog-city.com
[Acegisecurity-developer] Contacts (@Secured and @Transactional)
Hi Ben et al,

I have committed a Contacts example that uses the new @Secured and @Transactional annotations. I have added a /samples/contacts-tiger project that has a pre goal to also include the original Contacts source for compilation (so no need to duplicate code).

To try the new sample, just run maven multiwar:multiwar in the acegisecurity/samples/contacts-tiger dir, deploy, then http://localhost:8080/acegi-security-sample-contacts-tiger-filter/

Feel free to have a look, and let me know if you have any questions, comments, etc. Please let me know if the new samples project causes any issues, build-related, etc. Again, this is in its own project, so it should be more self-contained. If any of the Maven-ites had any more elegant suggestions to handling Java 5 source code and packaging related to this sample app, let me know.

Cheers,
Mark
Re: [Acegisecurity-developer] Disable Login.
When you capture a failed login attempt (like in your listener)... you will need to update (i.e. increment) your User's failed login attempts. You would need some sort of user management service in your application.. basically the application code that does the (update user set login_attempt = ? where username = ?). Again this will be application-specific; you will need a login attempts column on your schema.

Then on the login attempt side.. you will need to translate that: if the # of attempts is greater than some number... you will need to set the boolean value for account locked in the UserDetails implementation.

Basically capturing the event via the listener will be a way to UPDATE the user.. (i.e. the status or the number of login attempts)... then the regular login process will get the login attempts or status and use it to determine if it is a locked account.

Cheers,
Mark

On 9/23/05, mannobug [EMAIL PROTECTED] wrote:
Hi all

I read on the web site that it can be easy to lock an account when the user sets the password wrong n times. I define a listener that implements ApplicationListener and capture the event AuthenticationFailurePasswordEvent. Can someone give me good advice to implement a secure way to memorize the failure and attempted login and lock the user via DAO object? I just read http://forum.springframework.org/viewtopic.php?t=8525 but I cannot find a good implementation.

Thanks.

Kind regards
mannobug
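The two halves Mark describes, the listener that records each failure and the UserDetails whose locked flag is derived from the stored count, as an added example. It is not code from the thread or from Acegi; the event classes are taken from the net.sf.acegisecurity.providers.dao.event names that appear elsewhere in this archive (assumed to match 0.9), while LoginAttemptStore, LockableUser and the threshold of 5 are assumptions.

```java
// Added example (not from the thread, not Acegi's own code): count failed logins via an
// ApplicationListener and report the account as locked once a threshold is reached.
// Event package names are assumed for the 0.9-era API; LoginAttemptStore and MAX_ATTEMPTS
// are assumptions for the illustration.
package example;

import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.event.AuthenticationEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationFailurePasswordEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationSuccessEvent;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

public class LockoutListener implements ApplicationListener {

    /** Consecutive password failures after which the account reads as locked (assumed value). */
    public static final int MAX_ATTEMPTS = 5;

    /** Hypothetical persistence of the per-user counter, e.g. a login_attempts column. */
    public interface LoginAttemptStore {
        int increment(String username);   // returns the count after incrementing
        void reset(String username);
    }

    private final LoginAttemptStore store;

    public LockoutListener(LoginAttemptStore store) {
        this.store = store;
    }

    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationFailurePasswordEvent) {
            // Key the counter on the username the provider resolved, not on raw request input.
            store.increment(((AuthenticationEvent) event).getUser().getUsername());
        } else if (event instanceof AuthenticationSuccessEvent) {
            // A successful login ends the failure streak.
            store.reset(((AuthenticationEvent) event).getUser().getUsername());
        }
    }

    /**
     * What the AuthenticationDao hands back on the next attempt: the stored account with its
     * lock flag combined with the persisted counter. A false isAccountNonLocked() makes
     * DaoAuthenticationProvider reject the login with a LockedException.
     */
    public static class LockableUser implements UserDetails {
        private final UserDetails account;
        private final int failedAttempts;

        public LockableUser(UserDetails account, int failedAttempts) {
            this.account = account;
            this.failedAttempts = failedAttempts;
        }

        public boolean isAccountNonLocked() {
            return account.isAccountNonLocked() && failedAttempts < MAX_ATTEMPTS;
        }

        public GrantedAuthority[] getAuthorities() { return account.getAuthorities(); }
        public String getPassword() { return account.getPassword(); }
        public String getUsername() { return account.getUsername(); }
        public boolean isAccountNonExpired() { return account.isAccountNonExpired(); }
        public boolean isCredentialsNonExpired() { return account.isCredentialsNonExpired(); }
        public boolean isEnabled() { return account.isEnabled(); }
    }
}
```

Declare the listener as a bean and Spring delivers the events to it; the DAO then wraps each loaded account in a LockableUser with the current count. Two caveats for production use: if a UserCache is configured on DaoAuthenticationProvider, the cached UserDetails will keep answering until its entry is evicted, so the lock is not seen immediately; and an unconditional lock is a denial-of-service lever against any known username, so expire the lock after a cooling-off period (or back off progressively) rather than requiring an administrator to clear it.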
Re: [Acegisecurity-developer] Contacts sample app using Annotations
Hi Ben,

Yeah I agree.. let's keep the base build and Contacts sample JDK 1.3 compatible. I think I could create another sample subproject and just do some simple Ant build.xml stuff to reuse the actual source code in the (regular) contacts example. Ok, that's what I need to continue with this...

/contacts/ regular contacts JDK 1.3
/contacts-tiger/ Java 5 annotations version

How does that sound?

Regarding a new sample app.. I agree.. I think we need something easier to follow. To have something that uses some simple filters, config, etc... would ...(get ready for it)... the Spring petstore be too simple (or done to death :) ? Or one of the other Spring samples?... might be a natural progression to show security applied to it. Just a thought. Let me know if you need any help with it.

Cheers
Mark

On 9/24/05, Ben Alex [EMAIL PROTECTED] wrote:
Hi Mark

Mark St.Godard wrote:
I can exclude the samples/attributes project to get around the Java 5 compile issues we discussed before.

That is fine. The samples/annotations should also be excluded from the auto-build, as we don't want users to be forced to have Java 5 to do a basic build of core and the Contacts Sample.

Basically, we will require Java 5 to build from the /samples/contacts dir... To do a full build of Acegi, we require Java 5 (for domain and core-tiger).. just wanted to make sure that this is ok for the samples as well.

I believe we need to maintain Java 1.3 compatibility in the base/default build. I would therefore prefer if the base Contacts Sample did not use annotations.

or if this should be in a completely separate project ala..
acegisecurity/samples/contacts/
acegisecurity/samples/contacts-annotations/

Maybe a Maven expert (Carlos, Luke?) could have a look at how we could share the code between the Contacts 1.3 and Contacts 5 Java versions more elegantly. A few ideas come to mind, such as a new samples/contacts/src/main/webapp/tiger directory to hold the config, and the 1.5-compatible ContactManager named in a manner that excludes it from the compilation but a separate postGoal will compile it if 1.5 is detected.

One thing concerning me about the Contacts Sample more generally is how difficult it is for new users to follow. I think there is an argument to add a new sample that just uses filter security - without any method or ACL security. Such a sample might also double as a performance benchmark to compare Acegi Security performance with servlet spec managed constraints.

Cheers
Ben
[Acegisecurity-developer] Contacts sample app using Annotations
Hi Ben,

I have finished the Contacts sample application to use both Spring @Transactional and the new @Secured annotations. However, I currently have it under the same /samples/contacts build structure. I can exclude the samples/attributes project to get around the Java 5 compile issues we discussed before.

I just wanted to confirm (prior to committing) that this is ok... Basically, we will require Java 5 to build from the /samples/contacts dir... To do a full build of Acegi, we require Java 5 (for domain and core-tiger).. just wanted to make sure that this is ok for the samples as well.

I didn't want to create a whole new project and duplicate the code just to separate the Java 5 code (1 class really). I just created a different implementation of ContactManager.. one that uses Annotations.. the rest is just replacing the implementation in configuration, setting up some auto proxies, etc.. and it works great. Again, the original ContactManager using XML configuration for transaction mgmt and security is untouched. So I think it's a nice example of comparing and contrasting the two.

Right now I just created a new annotated class in the /samples/contacts source dir.. then I reuse the build.xml, etc.. and it just creates an acegi-security-sample-contacts-filter-annotation war file.

Anyway, just wanted to confirm if this sounds alright... or if this should be in a completely separate project ala..
acegisecurity/samples/contacts/
acegisecurity/samples/contacts-annotations/

Thoughts?

Cheers,
Mark
Re: [Acegisecurity-developer] SwitchUserProcessingFilter support for custom UserDetails for exitUser case
Hi Matt,

Thanks for the great user feedback. I did the initial Switch User implementation this summer, so I appreciate your feedback / experience when using your custom UserDetails.. I have changed the extracting of the original user to just check based on the interface (UserDetails), since User implements UserDetails. So this should address your scenario... let me know if it works ok for you. I have just committed the code to CVS.

Cheers,
Mark

On 9/19/05, Matt DeHoust [EMAIL PROTECTED] wrote:
Once again, thanks for the excellent product and the quick feedback. A big win in migrating my legacy application security infrastructure to Acegi Security is that the SwitchUser functionality offers more functionality out of the box than the legacy implementation. Whereas the legacy implementation did not remember who switched in the first place, I now have exitUser, which allows users to switch multiple times within a session. Very nice.

Once again I encountered an issue related to my custom UserDetails implementation. When performing the exitUser function, I experienced strange behavior. The application would log me out where I expected to receive the switch user prompt. Inspecting the logs I found the following runtime exception.

java.lang.IllegalArgumentException: User is required
at org.springframework.util.Assert.notNull(Assert.java:90)
at net.sf.acegisecurity.providers.dao.event.AuthenticationEvent.<init>(AuthenticationEvent.java:57)
at net.sf.acegisecurity.providers.dao.event.AuthenticationSwitchUserEvent.<init>(AuthenticationSwitchUserEvent.java:40)
at net.sf.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.attemptExitUser(SwitchUserProcessingFilter.java:272)
at net.sf.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.doFilter(SwitchUserProcessingFilter.java:213)

Upon investigation I learned that the SwitchUserProcessingFilter was passing a null parameter to the AuthenticationSwitchUserEvent constructor because my UserDetails was not a net.sf.acegisecurity.providers.dao.User. I updated my copy to check for UserDetails rather than User and it works great. All the tests pass as well without further modification.

I have included the patch below.

Regards,
Matt DeHoust

Index: SwitchUserProcessingFilter.java
===
RCS file: /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/ui/switchuser/SwitchUserProcessingFilter.java,v
retrieving revision 1.5
diff -u -r1.5 SwitchUserProcessingFilter.java
--- SwitchUserProcessingFilter.java 19 Sep 2005 02:22:43 -1.5
+++ SwitchUserProcessingFilter.java 20 Sep 2005 01:38:45 -
@@ -26,7 +26,6 @@import net.sf.acegisecurity.context.SecurityContextHolder;import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;import net.sf.acegisecurity.providers.dao.AuthenticationDao ;-import net.sf.acegisecurity.providers.dao.User;import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;import net.sf.acegisecurity.providers.dao.event.AuthenticationSwitchUserEvent;import net.sf.acegisecurity.ui.WebAuthenticationDetails ;@@ -263,8 +262,8 @@UserDetails originalUser = null;Object obj = original.getPrincipal();-if ((obj != null) obj instanceof User) {-originalUser = (User) obj; +if ((obj != null) obj instanceof UserDetails) {+originalUser = (UserDetails) obj;}// publish event
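Review bot: in the second hunk (@@ -263,8 +262,8 @@) the widened check still leaves originalUser null whenever the original Authentication's principal is not a UserDetails at all, for instance a plain String username as produced by a provider configured with forcePrincipalAsString, and the code that follows the "// publish event" context then hands that null to AuthenticationSwitchUserEvent, whose constructor fails with the very "User is required" assertion quoted in the report. Either resolve the UserDetails by username through the filter's authenticationDao in that branch, or guard the event publication and reject the exit with a clear error instead of an IllegalArgumentException. The `instanceof` test already implies non-null, so the explicit `(obj != null)` half of the condition can go. Minor, first hunk: the `import net.sf.acegisecurity.providers.dao.User;` line is removed but no import for UserDetails is added, so confirm it is already imported in this file (the `UserDetails originalUser = null;` declaration suggests it is).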
Re: [Acegisecurity-developer] Anyone experiencing core tests failing?
Thanks Ben,

Cheers,
Mark

On 9/18/05, Ben Alex [EMAIL PROTECTED] wrote:
Mark St.Godard wrote:
Anyone else having problems with the core project tests failing? Strange thing is all the tests run through, don't see any actual junit failures, however maven complains and says the BUILD FAILED... ? Thoughts?

To see which test fails, you need to look in the /core/target/test-reports directory. You'll notice one of the .txt files has a much larger size than the others. Look in it and you'll see the failure reasons.

The JCaptcha tests and BASIC authentication tests were failing. I have checked in fixes for both.

Marc-Antoine, would you please take a look at CaptchaChannelProcessorTests. I've disabled some of the tests for now, and provided comments in the code about how the tests may be improved.

Best regards
Ben
Re: [Acegisecurity-developer] SwitchUserProcessingFilter with custom UserDetails?
Thanks Matt, I have committed the changes to CVS.

Cheers,
Mark

On 9/18/05, Matt DeHoust [EMAIL PROTECTED] wrote:
I have been using Acegi Security for a few months now with much success. I am very pleased with the framework. Great job and thanks!

Last week I tried the SwitchUserProcessingFilter for the first time and have everything working with one exception. In order to facilitate migration of my legacy application I wrote an adapter UserDetails that wraps the legacy User class. There are some areas in the code that still rely on the legacy User object. The current implementation of SwitchUserProcessingFilter will not allow a custom UserDetails. The new Authentication's Principal will always be a String (username). It appears that a simple change would do the trick. I believe it is consistent with the framework to use a UserDetails by default unless the configuration specifically indicates String-only principals (for example DaoAuthenticationProvider.setForcePrincipalAsString).

I've included a patch below. It sets the new Authentication's Principal to the UserDetails returned by the configured AuthenticationDao instead of to the username. This allows applications to continue to leverage custom UserDetails implementations when using the switch user functionality.

Thanks,
Matt DeHoust

Index: SwitchUserProcessingFilter.java
===
RCS file: /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/ui/switchuser/SwitchUserProcessingFilter.java,v
retrieving revision 1.4
diff -u -r1.4 SwitchUserProcessingFilter.java
--- SwitchUserProcessingFilter.java3 Sep 2005 21:43:08 -1.4
+++ SwitchUserProcessingFilter.java19 Sep 2005 01:06:51 -
@@ -462,7 +462,7 @@authorities = (GrantedAuthority[]) newAuths.toArray (authorities);// create the new authentication token-targetUserRequest = new UsernamePasswordAuthenticationToken(username,+targetUserRequest = new UsernamePasswordAuthenticationToken(targetUser, targetUser.getPassword(), authorities);// set details
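Review bot: the hunk at @@ -462,7 +462,7 @@ changes the principal of the switched-in token from the username String to the UserDetails unconditionally, so any caller that did `(String) authentication.getPrincipal()` on a switched token will now get a ClassCastException; since the covering mail itself names DaoAuthenticationProvider.setForcePrincipalAsString as the precedent, the filter should offer the same switch (a forcePrincipalAsString property defaulting to false, so this patch's behaviour stays the default) and its javadoc should state which type the principal is in each case. Also, the token is still built with `targetUser.getPassword()` as credentials and now carries the whole UserDetails, password included, as its principal; that token lives in the HttpSession for the rest of the switched session, so check whether anything downstream actually needs the credentials on a token the filter already marks as authenticated, and pass null there if not.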
[Acegisecurity-developer] Samples / Annotation
Ben et al,

I have checked in the first Annotations sample... basically a straightforward port of the samples/attributes -- samples/annotations.

Note: This sample project requires the acegi-security-tiger-0.9.0-SNAPSHOT.jar, so please ensure it's built to your local maven repo. See core-tiger/

Ben, have a quick look, and let me know if you have any problems with your build, etc. Mine runs through fine, compiles, tests pass, etc..

Next I will look at the actual Contacts sample... I think the last we talked on this we were possibly going to deprecate the Commons Attributes / plugin, etc.? (i.e. let the commons-attributes folk build by hand?) I think you mentioned it causes problems with Java 5 sources and the attributes plugin.

Cheers,
Mark
Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java
Hi Ben, (welcome back :)

Great, the isAuthenticated() is the exact key we need to determine this particular event, irrespective of the cache. I also agree that it should not be in the AuthenticationProviders...

Ben, I created a JIRA entry for this (SEC-50), you can assign it to me if you want.

Cheers,
Mark

On 8/21/05, Ben Alex [EMAIL PROTECTED] wrote:
Mark St.Godard wrote:
The HttpSessionContextIntegrationFilter should be able to set some sort of indicator that this is the first logon attempt since it generates a new SecurityContext, however this wouldn't work for remote client authentication?

IMHO we should modify all event-aware AuthenticationProviders to publish an event on every occasion an authentication is processed, irrespective of the cache usage or not. There are three reasons for this:

1. The Authentication.getDetails() *should* provide some sort of identifier (typically a WebAuthenticationDetails, which offers the HttpSession ID in most cases) and this identifier can be used by the ApplicationListener to determine what and when to log.

2. Recent changes to Authentication and AbstractSecurityInterceptor have changed the semantics of Authentication.isAuthenticated():

/**
 * Used to indicate to <code>AbstractSecurityInterceptor</code> whether it
 * should present the authentication token to the
 * <code>AuthenticationManager</code>. Typically an
 * <code>AuthenticationManager</code> (or, more often, one of its
 * <code>AuthenticationProvider</code>s) will return an immutable
 * authentication token after successful authentication, in which case
 * that token can safely return <code>true</code> to this method.
 * Returning <code>true</code> will improve performance, as calling the
 * <code>AuthenticationManager</code> for every request will no longer be
 * necessary.
 *
 * <p>
 * For security reasons, implementations of this interface should be very
 * careful about returning <code>true</code> to this method unless they
 * are either immutable, or have some way of ensuring the properties have
 * not been changed since original creation.
 * </p>
 *
 * @return true if the token has been authenticated and the
 *         <code>AbstractSecurityInterceptor</code> does not need to
 *         represent the token for re-authentication to the
 *         <code>AuthenticationManager</code>
 */
public boolean isAuthenticated();

As such, a DaoAuthenticationProvider (or any other AuthenticationProvider for that matter) will only be called when a user is genuinely not authenticated - or the user has changed the AbstractSecurityInterceptor.alwaysReauthenticate property to false.

3. Most authentication processing filters (certainly those used for CAS, AuthenticationProcessingFilter/form-based, remember-me, X509) now publish an InteractiveAuthenticationSuccessEvent when a user logs in.

I would welcome other opinions on this, but it seems we now have a more comprehensive solution to application event messages than putting them into AuthenticationProviders.

Cheers
Ben
Re: [Acegisecurity-developer] Security Annotation support (initial)
Hey Ben,

Just wanted to mention, I have started converting the attributes sample apps over to a Java 5 annotations version. (Haven't checked in yet)

samples/attributes (Commons)
samples/annotations (Java 5)

Basically, I ported over the BankService code and created tests. Also, I did port over a Contacts sample using Java instead of XML configuration.

My questions (prior to checking anything in) are related to packaging. First off, we now have the core-tiger project... and this creates a jar for the Java 5 classes. I think we need to package these into a single acegisecurity jar file? I noticed that the Spring @Transactional annotations are packaged in the spring.jar (i.e. there is no JDK 5 vs JDK 1.4). So it looks to be ok to use JDK 1.4 (and lower) loading a jar file that contains Java 5 classes as long as they don't try to use them :)

Secondly - where should the new contacts sample using the annotations reside? Should I recreate a whole new sub-project (ala core-tiger)? Or can it be included in the existing /samples/contacts/? I just wanted to make sure I don't check in code that breaks JDK 1.4 users from building the CVS HEAD examples, etc.

Therefore to sum up:
- can we package the core-tiger classes into the single acegi security dist?
- where should the new samples (for java5) be located?

Thoughts?

Cheers,
Mark

On 8/21/05, Ben Alex [EMAIL PROTECTED] wrote:
Mark St.Godard wrote:
Ben et al, Just a note, I have checked in some initial Security annotation support and unit tests. Feedback is always welcome, and please let me know if anyone has any problems with the new subproject.

Great work Mark. Are there any users out there using Acegi Security's Commons Attributes support?

Cheers
Ben
[Acegisecurity-developer] Security Annotation support (initial)
Ben et al,

Just a note, I have checked in some initial Security annotation support and unit tests. (see http://opensource.atlassian.com/projects/spring/browse/SEC-4)

I will also be checking in a Contacts webapp example, however using Spring @Transaction annotations and the new @Secured annotation.

Important Note: Ben and I decided to create a new subproject core-tiger that contains Java 5 core security code. i.e.
core-tiger/src/main/java
core-tiger/src/test/java
etc.

I have also created the Maven project files, etc. Again, I am just finishing the Contacts webapp example... so more to follow.

Feedback is always welcome, and please let me know if anyone has any problems with the new subproject.

Cheers,
Mark
[Acegisecurity-developer] SEC-15 User security context switching
Ben,

Re: SEC-15

I have committed the initial draft of the Switch User ('su') functionality. I created a new filter (SwitchUserProcessingFilter) that handles the 'switch' and 'exit' url requests. This filter also uses the authenticationDao to allow access to load users.

A few initial assumptions in this version:
- will only 'su' one level deep
- switch url will need to be secured so that only the desired Administrator can do the 'su'. We can probably get more fancy here later, possibly doing more mapping of who can do this, and to which target users. Anyway, starting simple.

Example configuration:

<bean id="switchUserProcessingFilter" class="net.sf.acegisecurity.ui.switchuser.SwitchUserProcessingFilter">
  <property name="authenticationDao" ref="jdbcDaoImpl"/>
  <property name="switchUserUrl"><value>/j_acegi_switch_user</value></property>
  <property name="exitUserUrl"><value>/j_acegi_exit_user</value></property>
  <property name="targetUrl"><value>/acegi-security-sample-contacts-filter/secure/debug.jsp</value></property>
</bean>

Note: I have the 2 URLs (j_acegi_switch_user, j_acegi_exit_user) configurable and these are responsible for their respective requests.

j_acegi_switch_user - will handle a switch attempt and expects the username of the target user
j_acegi_exit_user - will handle the exit attempt and expects that a successful switch had taken place.

I used your recommendation of using a custom GrantedAuthority (PREVIOUS_ADMINISTRATOR) to capture the original user. This is interrogated in the exit attempt and used to switch the context back.

I did some local testing with the Contacts sample and did some simple tests of
- logging in (i.e. User 1)
- going to /secure/debug.jsp (view User 1 info)
- going to a jsp that handles the switch (i.e. switchUser.jsp)
- submit request to 'su' to another user (i.e. User 2)
- going to /secure/debug.jsp (view User 2 info)
- go to exit page (i.e. exitUser.jsp) - display current user logged in as, submit button to exit
- going to /secure/debug.jsp (shows User 1 info)

So initial simple tests seem to work, need to polish and do a lot more testing. I have also added applicable unit tests.

Again, feedback welcome.

Cheers,
Mark
Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java
Cameron, this does not sound like the desired semantics. I have also confirmed that this is happening on the contacts sample.

Ben, I can create a JIRA entry and fix, test and commit this today.

Cheers,
Mark

Re:
--
DaoAuthenticationProvider.java, around line 300, publishes an AuthenticationSuccessEvent when the user has logged in. However, it only does this if the cache wasn't used... This seems odd and incorrect to me, since this sequence of events misses the second event:
1) login as user A - event is fired
2) logout
3) login as user A - event isn't fired

It's a simple change - does someone mind doing it? I would make a patch - but CVS is failing.

Thanks
Cameron