Re: [Acegisecurity-developer] Showing session-timed-out message to the concerned user alone...

2007-03-21 Thread Mark St.Godard

Hi Vikas,

I have used a Servlet Filter to detect if the session id is present, or if
it has changed... to trigger a redirect to a session timeout page.

Cheers
Mark


On 3/21/07, Vikas Sasidharan [EMAIL PROTECTED] wrote:


 Hi,



In our application, we have the (seemingly common) requirement that when
the user is redirected to the login page as a result of session timing out,
a helpful message should be displayed on the page explaining why he has to
login again.



Currently, we are using an HttpSessionListener to get notified about the
time out but we are facing a challenge in this regard - how do we use the
listener to indicate to the user (and that particular user alone) that the
session has timed out? We currently use a ServletContext attribute for this,
which is then used by the login page to decide whether to show the message
or not. However, this obviously means that a different user trying to log in
fresh to the app would also get to see this (misleading) message.



Any ideas are welcome. :-)



Thx & Rgds,

Vikas

___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
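
A sketch of the servlet-filter approach from the reply above, as an added example that is not code from the thread or from Acegi. The login path, the `reason=timeout` parameter and the class name are assumptions; the filter would be mapped in web.xml ahead of the Acegi filter chain.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Detects an expired session per request, so the "session timed out" notice
 * reaches only the browser that presented the stale session id. Nothing is
 * stored in the ServletContext, so other users never see the message.
 */
public class SessionTimeoutFilter implements Filter {

    // Assumed names: adjust to the application's login page and parameter.
    private String loginUrl = "/login.jsp";
    private static final String TIMEOUT_QUERY = "reason=timeout";

    public void init(FilterConfig config) {
        String configured = config.getInitParameter("loginUrl");
        if (configured != null) {
            loginUrl = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isStaleSession(request) && !isLoginRequest(request)) {
            // Issue a fresh session id now, so the follow-up request to the
            // login page no longer carries the stale one (avoids a redirect loop).
            request.getSession(true);
            // The target is fixed on the server side; nothing from the request
            // is copied into the redirect URL.
            String target = request.getContextPath() + loginUrl + "?" + TIMEOUT_QUERY;
            response.sendRedirect(response.encodeRedirectURL(target));
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the client sent a session id that the container no longer
     * recognises. A first-time visitor sends no id at all and is not flagged.
     */
    static boolean isStaleSession(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    private boolean isLoginRequest(HttpServletRequest request) {
        return loginUrl.equals(request.getServletPath());
    }

    public void destroy() {
        // no resources to release
    }
}
```

The login page should show a fixed message when `reason=timeout` is present rather than echoing the parameter value. An explicit logout that invalidates the session leaves the same stale id behind, so the logout path needs to expire the cookie or be excluded if it should not show the timeout notice.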




Re: [Acegisecurity-developer] Acegi Rebranding??

2007-01-21 Thread Mark St.Godard
I asked the same question to Rod @ TSE, as well as talked with Ben,
and there is no immediate intention to change the source code
packaging; rather it's an explicit rebranding to reflect that it is a
part of the Spring portfolio.

Also this keys into the release train concept discussed at TSE...
basically a coordinated release among the Spring projects proper

Ben can chime in as well if he would like to add to this..

Cheers
Mark


On 1/21/07, Krystian [EMAIL PROTECTED] wrote:
 Karl Moore wrote:
  Raised the question here also
  http://forum.springframework.org/showthread.php?t=33908

 What about package names? Especially since they were changed not so long
 ago to org.acegisecurity.*. Touching package names again can be a
 notion of instability for some. And what about non-Spring usage of
 Acegi? Some non-Spring projects (e.g. based on Eclipse RCP - OSS GIS
 uDIG) think about introducing Acegi, but not necessarily Spring. It will
 make them feel against Acegi, I suppose...

 Kind regards,
 Krystian Nowak
 PSNC

 --
 Krystian Nowak
 [EMAIL PROTECTED]
 ===
 Poznan Supercomputing and Networking Center
 Poland, 60-814 Poznan, Zwierzyniecka 20
 tel. (+48 61) 8582159 fax. (+48 61) 8582151
 http://www.man.poznan.pl
 ===



Re: [Acegisecurity-developer] SwitchUserProcessingFilter that doesn't quite switch everything

2006-10-10 Thread Mark St.Godard
Hi Jason,

Can you clarify what you mean by

  I want to be able to impersonate another user (i.e. switch user) for a specific authority that I don't want to allow when impersonating.

Do you mean that once you switch to a user, you don't actually want to run with that target user's authorities?

User A (has) ROLE_ADMIN
User B (has) ROLE_CUSTOMER

User A switches to User B, what authorities should (he/she) have?

Cheers
Mark

On 10/10/06, Jason Yip [EMAIL PROTECTED] wrote:

I want to be able to impersonate another user (i.e. switch user) for a specific authority that I don't want to allow when impersonating.

At this point it looks like I need to copy and modify SwitchUserProcessingFilter as it doesn't seem to have the extension points to easily support this.

Am I missing something? Is there another way to implement this kind of partial impersonation?





Re: [Acegisecurity-developer] SwitchUserProcessingFilter that doesn't quite switch everything

2006-10-10 Thread Mark St.Godard
Hi Jason,

Thanks for the example... yes, for your case, the switch user filter does not filter the authorities... This would require an improvement to the current implementation to optionally filter target authorities.

I would suggest either creating a JIRA entry for this improvement, so we can schedule and plan it
http://opensource.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

Or extending the current Filter for your particular needs.

Also if you wanted to submit a patch to JIRA, that would also be more than welcome.

Cheers
Mark

On 10/10/06, Jason Yip [EMAIL PROTECTED] wrote:

 Hi Mark,

 Probably should have given an example... so I will now.

 Alice: ROLE_ADMIN
 Bob: ROLE_NORMAL_USER, ROLE_USER_ONLY

 I want to allow Alice to impersonate Bob but not allow her to get specific types of authorities.

 So if Alice impersonates Bob...

 Alice: ROLE_NORMAL_USER

 I want to be able to apply an authority filter to a switch user operation such that an impersonator will run with all the target user's authorities except for any authority that matches a particular pattern. This is because those particular authorities are special, dangerous, etc.

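
The authority filtering requested in this thread, as an added example that is not part of the original posts and not Acegi code. Authorities are modelled as plain strings, and the class name and the deny pattern `ROLE_.*_ONLY` are assumptions chosen to reproduce the Alice/Bob case; wiring it into a copy or subclass of the switch-user filter is left to the integration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Computes the authorities an impersonator runs with: the target user's
 * authorities minus every authority whose name matches a deny pattern.
 */
public class ImpersonationAuthorityFilter {

    /** Outcome of one switch: what was granted and what was withheld. */
    public static final class Result {
        public final List<String> granted;
        public final List<String> withheld;

        Result(List<String> granted, List<String> withheld) {
            this.granted = Collections.unmodifiableList(granted);
            this.withheld = Collections.unmodifiableList(withheld);
        }
    }

    private final Pattern denied;

    public ImpersonationAuthorityFilter(String deniedRegex) {
        this.denied = Pattern.compile(deniedRegex);
    }

    public Result apply(List<String> targetAuthorities) {
        List<String> granted = new ArrayList<String>();
        List<String> withheld = new ArrayList<String>();
        for (String authority : targetAuthorities) {
            if (authority == null) {
                continue; // never grant a malformed entry
            }
            // matches() tests the whole name, so the pattern cannot hit an
            // unrelated substring of a longer authority name.
            if (denied.matcher(authority).matches()) {
                withheld.add(authority);
            } else {
                granted.add(authority);
            }
        }
        return new Result(granted, withheld);
    }

    public static void main(String[] args) {
        // Constructed input: Bob's authorities from the example in the thread.
        ImpersonationAuthorityFilter filter =
                new ImpersonationAuthorityFilter("ROLE_.*_ONLY");
        Result r = filter.apply(Arrays.asList("ROLE_NORMAL_USER", "ROLE_USER_ONLY"));
        // Alice, impersonating Bob, runs with ROLE_NORMAL_USER only.
        System.out.println("granted=" + r.granted + " withheld=" + r.withheld);
    }
}
```

Returning the withheld list as well lets the switch be logged with exactly which authorities were dropped.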


Re: [Acegisecurity-developer] Failed to create FilterChainProxy

2006-08-08 Thread Mark St.Godard
Yeah, it's definitely a Classloading problem

Basically a Commons class is being loaded, but the wrong version

Application servers / servlet containers sometimes bundle their own
version of Commons... so depending on what Classloader picked it up..
that's the class it will use thereafter.

Cheers
Mark

On 8/8/06, Teemu Lehto [EMAIL PROTECTED] wrote:
 Hi

 You should have commons-lang-2.1.jar in your classpath. You should
 probably check all commons jar versions

 BR

 -Teemu-

 Original message
 From: [EMAIL PROTECTED]
 Date: 08.08.2006 2:13
 To: acegisecurity-developer@lists.sourceforge.net
 Subject: [Acegisecurity-developer] Failed to create FilterChainProxy
 
 
 I suspect it is related to upgrading to version 1.0, but I find it very hard
 to gather anything from the exception output.
 
 Did I make an error in the configuration?
 
 org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'filterChainProxy' defined in class path resource [acegi-security.xml]: Initialization of bean failed; nested exception is java.lang.NoSuchMethodError: org.apache.commons.lang.StringUtils.substringBeforeLast(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
 java.lang.NoSuchMethodError: org.apache.commons.lang.StringUtils.substringBeforeLast(Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
     at org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor.setAsText(FilterInvocationDefinitionSourceEditor.java:132)
     at org.springframework.beans.BeanWrapperImpl.doTypeConversionIfNecessary(BeanWrapperImpl.java:881)
     at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:692)
     at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:572)
     at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:737)
     at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:764)
     at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:753)

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
     "http://www.springframework.org/dtd/spring-beans.dtd">

 <!--
   - Application context definition for Trails Security Through Acegi.
   -->

 <beans>

   <!--
     - Authentication.
     -->
   <bean id="authenticationManager"
       class="org.acegisecurity.providers.ProviderManager">
     <property name="providers">
       <list>
         <ref bean="daoAuthenticationProvider" />
         <ref local="anonymousAuthenticationProvider" />
       </list>
     </property>
   </bean>

   <bean id="daoAuthenticationProvider"
       class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
     <property name="userDetailsService">
       <ref bean="trailsUserDAO" />
       <!-- <ref bean="inMemoryUserDetailsService" /> -->
     </property>
   </bean>

   <bean id="trailsUserDAO"
       class="org.trails.security.TrailsUserDAO">
     <property name="persistenceService">
       <ref bean="persistenceService"/>
     </property>
   </bean>

   <bean id="inMemoryUserDetailsService"
       class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
     <property name="userMap">
       <value>
         user=pwd,ROLE_USER
         admin=admin,ROLE_USER,ROLE_MANAGER
       </value>
     </property>
   </bean>

   <!-- === FILTER CHAIN === -->

   <!-- if you wish to use channel security, add channelProcessingFilter, in front
        of httpSessionContextIntegrationFilter in the list below -->
   <bean id="filterChainProxy"
       class="org.acegisecurity.util.FilterChainProxy">
     <property name="filterInvocationDefinitionSource">
       <value>
         CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
         PATTERN_TYPE_APACHE_ANT
         /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter
       </value>
     </property>
   </bean>

   <!-- === HTTP REQUEST SECURITY === -->

   <bean id="exceptionTranslationFilter"
       class="org.acegisecurity.ui.ExceptionTranslationFilter">
     <property name="authenticationEntryPoint">
       <ref local="authenticationProcessingFilterEntryPoint" />
     </property>
   </bean>

   <bean id="authenticationProcessingFilter"
       class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
     <property name="authenticationManager"><ref bean="authenticationManager"/></property>
     <property name="authenticationFailureUrl"><value>/app?page=Login&amp;service=page</value></property>
     <property name="defaultTargetUrl"><value>/app</value></property>
     <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
     <!-- <property name="rememberMeServices"><ref local="rememberMeServices"/></property> -->
   </bean>

   <bean id="authenticationProcessingFilterEntryPoint"
       class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
     <property name="loginFormUrl"><value>/app?page=Login&amp;service=page</value></property>
     <property name="forceHttps">
       <value>false</value>
     </property>
   </bean>

   <bean id="anonymousProcessingFilter"
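
A way to confirm the diagnosis given in the reply above, as an added example that is not part of the original messages: it reports which jar a class was actually loaded from, through which class loader chain, and whether the method named in the NoSuchMethodError exists in that copy. The class name `ClassOriginCheck` is an assumption.

```java
import java.net.URL;
import java.security.CodeSource;

/**
 * Reports where a class was loaded from and whether a given public method
 * is present in the loaded copy.
 */
public class ClassOriginCheck {

    public static String describe(String className, String methodName,
                                  Class<?>... paramTypes) {
        ClassLoader context = Thread.currentThread().getContextClassLoader();
        if (context == null) {
            context = ClassOriginCheck.class.getClassLoader();
        }
        Class<?> type;
        try {
            // initialize=false: locate the class without running its static code
            type = Class.forName(className, false, context);
        } catch (ClassNotFoundException e) {
            return className + ": not visible to " + context;
        }

        StringBuilder report = new StringBuilder(className).append('\n');

        // The code source is the jar or directory that supplied the class.
        CodeSource source = type.getProtectionDomain().getCodeSource();
        URL location = (source == null) ? null : source.getLocation();
        report.append("  loaded from : ")
              .append(location == null ? "(bootstrap or unknown)" : location.toString())
              .append('\n');

        // Walk from the defining loader up through its parents. A container
        // loader appearing here instead of the web application's loader means
        // the server's bundled copy won.
        report.append("  loader chain:");
        for (ClassLoader l = type.getClassLoader(); l != null; l = l.getParent()) {
            report.append("\n    ").append(l);
        }
        report.append('\n');

        try {
            type.getMethod(methodName, paramTypes);
            report.append("  ").append(methodName).append(": present");
        } catch (NoSuchMethodException e) {
            report.append("  ").append(methodName)
                  .append(": MISSING in this version of the class");
        }
        return report.toString();
    }

    public static void main(String[] args) {
        // The class and method signature named in the stack trace above.
        System.out.println(describe("org.apache.commons.lang.StringUtils",
                "substringBeforeLast", String.class, String.class));
    }
}
```

The result is only meaningful when `describe` is called from inside the deployed web application (for example from a temporary servlet or JSP), because that is where the container's class loader hierarchy applies.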
 
 

Re: [Acegisecurity-developer] Acegi Security 1.0.0 is released!

2006-05-30 Thread Mark St.Godard
Great job Ben et gang

Just a note, Ben I will be updating the contacts-tiger sample project,
I noticed it was not converted over.  I will create a JIRA entry for
myself and update this tomorrow.

Also with Spring 2.0, I noticed that a jira entry was created for
namespace handlers, XSD support, etc..

If you have someone to do this fine... otherwise I can take it up...
its something that I would really like to get in...  and reduce some
of the XML verbosity.

Cheers all,

Mark

On 5/29/06, Ben Alex [EMAIL PROTECTED] wrote:
 Dear Spring Community

 After more than two and a half years of development, I am delighted to
 announce that Acegi Security 1.0.0 is now officially released.

 In addition to more than 80 improvements and fixes since 1.0.0 RC2, this
 new release also includes several changes to help new users. This
 includes a significant restructure and expansion of the reference guide
 (now more than 90 pages) and a new bare bones tutorial sample
 application. Furthermore, many of the frequently-identified problems
 experienced by new users have been addressed, such as custom 403
 messages (as opposed to using the Servlet Container's error handler),
 detecting corrupt property input following the reformatting of XML
 files, and a new logout filter. We've also refactored our LDAP services,
 made the SecurityContextHolder a pluggable strategy (especially useful
 for rich clients who wish to avoid ThreadLocal), and improved CAS support.

 Please visit
 http://opensource.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040&styleName=Html&version=10360
 for a detailed changelog. As always, detailed upgrade instructions are
 included in the release ZIP file.

 The project's web site at http://acegisecurity.org provides additional
 information on Acegi Security's features, access to online
 documentation, and links to download the latest release. I will also be
 providing a presentation on Acegi Security at SpringOne next month, so I
 hope to see you there.

 We trust that you find this new release useful in your projects.

 Cheers
 Ben




Re: [Acegisecurity-developer] Acegi Security 1.0.0 is released!

2006-05-30 Thread Mark St.Godard
Hi Ben,

The configuration was referencing net.sf... some of the config was
moved over to org. however not all. Including the userdetails
refactoring. Plus some of the JSPs were also referencing net.sf in
page imports.

I am running through and testing the app right now, currently failing
on a call to getPrincipal from User object... I will fix it up, retest
it, run the unit testing and check in the changes.

Re: the tutorial app... yeah I noticed that .. very nice... much more
concise config.

I am using Spring 2.0 and I am really digging the schema-based config...

I am also using MethodSecurityInterceptors using the new Aspect pointcuts.
Not sure if we should also include examples of usage using Spring 2.0?
I assume we need to wait for it to go final.

Uri is on it...Great, I'll keep my eyes posted for acegi:config  :)

Cheers
Mark

On 5/30/06, Ben Alex [EMAIL PROTECTED] wrote:
 Mark St.Godard wrote:
  Just a note, Ben I will be updating the contacts-tiger sample project,
  I noticed it was not converted over.  I will create a JIRA entry for
  myself and update this tomorrow.
 
 I just checked and it looked to me like it was built for 1.0.0. What
 specifically wasn't converted?

  Also with Spring 2.0, I noticed that a jira entry was created for
  namespace handlers, XSD support, etc..
 
 http://opensource.atlassian.com/projects/spring/browse/SEC-271 for those
 interested.

  If you have someone to do this fine... otherwise I can take it up...
  its something that I would really like to get in...  and reduce some
  of the XML verbosity.
 
 
 Uri Boness has volunteered, but I'm unsure whether work has commenced. I
 am happy for anyone to take a look at it who has sufficient time.

 As for verbose XML, I'd encourage people to take a look at the new
 tutorial sample, which is just 148 lines of XML. This includes comments,
 whitespace and full support for form authentication, remember-me,
 anonymous and web request authorization. I think that's a pretty good
 base given the features, but nevertheless it will be even less with
 SEC-271 improvements.

 Cheers
 Ben




Re: [Acegisecurity-developer] Subversion?

2006-03-25 Thread Mark St.Godard
+1

On 3/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 No concerns here.
 Scott

  -Original Message-
  From: Ben Alex [mailto:[EMAIL PROTECTED]
  Sent: Saturday, March 25, 2006 5:43 AM
  To: acegisecurity-developer@lists.sourceforge.net
  Subject: [Acegisecurity-developer] Subversion?
 
  Hi everyone
 
  SourceForge have recently modified their offering so we can
  migrate to SVN (without losing revision history) - see
  http://sourceforge.net/docman/display_doc.php?docid=31070&group_id=1#import.
 
  I have also been using SVN recently and had good results. The
  Subclipse plugin at Update Manager URL
  http://subclipse.tigris.org/update_1.0.x
  works quite well.
 
  Does anyone have any concerns with the project migrating from
  CVS to SVN? If there aren't any objections, I'll make the
  change in about a week.
 
  Cheers
  Ben





Re: [Acegisecurity-developer] account blocking?

2006-01-19 Thread Mark St.Godard
You can write and register a custom ApplicationListener, then check for the authentication failure event... you can do something to update the failed logon attempts, then on subsequent logon attempts you will probably have to check the logon attempts count, something like that.


Acegi does not provide something out of the box, mainly because you will need to do something on failed logons... you need to update that user account details... so most of the time you will have a (transactional) service layer for user mgmt.


I did the above ... wrote a listener, and injected my user mgmt service into the listener so I could update the users failed logon attempts... then in the logon process if it goes over the desired threshold I make sure the account disabled flag is set.


Cheers,
Mark
On 1/19/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 It seems to me or there is no way to set up acegi with an account blocker that is called after a specified number of consecutive failed authentication (not authorization) attempts for the same username?
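
The listener approach described in the reply above, as an added example that is not the poster's code and not part of Acegi. The event classes are the ones in Acegi Security 1.0's `org.acegisecurity.event.authentication` package; `UserAccountService`, its methods and the threshold of 5 are hypothetical stand-ins for the application's own transactional user-management service.

```java
import org.acegisecurity.event.authentication.AuthenticationFailureBadCredentialsEvent;
import org.acegisecurity.event.authentication.AuthenticationSuccessEvent;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/**
 * Counts consecutive bad-credential failures per username and disables the
 * account once a threshold is reached. Register it as a bean in the same
 * application context as the authentication manager.
 */
public class FailedLogonListener implements ApplicationListener {

    /** Hypothetical user-management service; not an Acegi type. */
    public interface UserAccountService {
        /**
         * Increments and returns the persisted failure count. Must tolerate
         * usernames that do not exist, since attackers can submit any name.
         */
        int recordFailedLogon(String username);

        void resetFailedLogons(String username);

        /** Sets the flag that UserDetails.isEnabled() reports as false. */
        void disableAccount(String username);
    }

    private UserAccountService userAccountService;
    private int maxFailedLogons = 5; // assumed threshold

    public void setUserAccountService(UserAccountService service) {
        this.userAccountService = service;
    }

    public void setMaxFailedLogons(int maxFailedLogons) {
        this.maxFailedLogons = maxFailedLogons;
    }

    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            String username = ((AuthenticationFailureBadCredentialsEvent) event)
                    .getAuthentication().getName();
            if (username == null || username.length() == 0) {
                return;
            }
            // The count lives in the user store, so it survives restarts and
            // is shared by every node of a cluster.
            int failures = userAccountService.recordFailedLogon(username);
            if (failures >= maxFailedLogons) {
                userAccountService.disableAccount(username);
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            // Only consecutive failures count: a good logon clears the tally.
            String username = ((AuthenticationSuccessEvent) event)
                    .getAuthentication().getName();
            userAccountService.resetFailedLogons(username);
        }
    }
}
```

Because anyone who knows a username can trigger the lock, the service would normally pair the disabled flag with an unlock path (administrator action or a time limit) and log each lockout.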






Re: [Acegisecurity-developer] Where to submit doc edits?

2005-12-29 Thread Mark St.Godard
Hi Justin,

I would open a JIRA item and attach the details.

http://opensource2.atlassian.com/projects/spring/browse/SEC

Cheers,
Mark
On 12/29/05, Justin Garten [EMAIL PROTECTED] wrote:
 Hi,

 I haven't been able to find an area for submitting documentation edits. I'm just working through the docs for the first time and have found a couple of typos. By the way, thanks for all the work everyone has put into this!

 Justin



Re: [Acegisecurity-developer] Annotations Question

2005-12-04 Thread Mark St.Godard
Hi John,

The Acegi Java 5 Annotations approach is very similar to that of the
Commons Attributes configuration. (except instead of using doclet, it's
using Java 5 annotations)

Please see the Reference Guide (search for annotations) for example config.

i.e.
<bean id="attributes"
    class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/>
<bean id="objectDefinitionSource"
    class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
  <property name="attributes"><ref local="attributes"/></property>
</bean>

Also, if you download the Acegi distribution there are 2 examples
using Annotations.

One is a standalone @Secured example... (see samples.annotations.*)
as well there is a port of the Contacts example using both Spring @Transactional
and @Secured annotations.

Please see contacts-tiger example.   I will look at beefing up the
Documentation on the Java 5 Annotations.   There are examples and
documentation, however please let me know if there is something in
particular you were looking for that you needed. (i.e. example config,
etc? )

Cheers,
Mark


On 12/4/05, John Gibson [EMAIL PROTECTED] wrote:
 I'm not sure if this is the appropriate place to post a question, if
 there's a acegisecurity-user list that'd be more appropriate then please
 point me in the right direction.

 Anyways, I've been experimenting with Acegi Security and I was
 interested in using the Java 5 Annotations, however documentation is
 sparse.  In particular I'm not sure what to do besides placing @Secured
 annotations on methods that I want to protect.  Is there an annotation
 processor that I need to run to generate XML, will Acegi Security create
 the MethodSecurityInterceptor for me automatically, or am I completely
 missing something here?

 Thanks,

 John Gibson




Re: [Acegisecurity-developer] possible contribution

2005-11-17 Thread Mark St.Godard
Ben M - I would submit a JIRA entry and people could vote on it, plus it would also get more visibility.

You found a need for it could be useful to other Acegi users.

Cheers,
Mark
On 11/17/05, Scott McCrory [EMAIL PROTECTED] wrote:

 Quoting Ben Munat [EMAIL PROTECTED]:
  So, should I take the silence to mean that no one is interested in this?

Hi Ben. Very interesting concept, but it doesn't scratch an itch here. Maybe others would be more into a pluggable PasswordDaoAuthenticationProvider implementation.
Scott


Re: [Acegisecurity-developer] Proposal: Rename AuthenticationDao interface

2005-11-15 Thread Mark St.Godard
Hi Scott,

From my perspective, I always saw the AuthenticationDao as just that... a pluggable interface for authentication data access (i.e. in-memory, jdbc, ldap, etc.)

I personally don't see this interface at a Service Layer level?

The AuthenticationProvider err.. provides a layer on top of the actual authenticationDao, so maybe I am missing something.

I am all for refactoring / renaming, however I would be a little careful since 0.8.3 to 0.9 was a little API change for Acegi users... albeit minor changes.
I would think that renaming the AuthenticationDao would be less of a change, compared to the ContextHolder changes.

I think the API needs to stabilize... it's less shocking for users :)

I do kinda see what you mean Scott... having a service layer implement a DAO... normally doesn't sit well with developers ;)
Although I am not sure if your situation is common (3 authentication dao's to build up the user's roles?) Just curious why?

So if it's a vote... mine would be 'no'

** Although I do like that we are all trying to keep the code clean and concise. Good stuff.

Cheers,
Mark


On 11/15/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hi all,

 I chatted with Ben briefly about this last night and he suggested I bring it up on the list for others to chime in...

 I'd like to propose renaming the AuthenticationDao interface to AuthenticationService prior to 1.0.0. Why? It's ultimately just a naming thing, but my feelings are that Acegi shouldn't delegate authentication to an interface that encourages developers to bypass the business service layer and go straight for the data access layer. And generally, an application's DAOs shouldn't be executing business logic (like role construction) or tapping multiple DB connections, web services and other potential authentication & authorization stores.

 For example, the app I'm currently working on needs to reference three different DAOs during authentication to build the user's ultimate list of roles. Clearly this multiple-datasource operation needs to occur within the boundaries of a distributed transaction, so I did just that by building an AuthenticationServiceImpl that implements AuthenticationDao. This is all well and good, but when I first approached this problem I had to get over the fact that my *service* needed to implement a *dao* interface. This may not be so obvious to newcomers already in close combat with Acegi's sophisticated terminology and design.

 The downside of changing AuthenticationDao to AuthenticationService (sorry, AuthenticationManager may be consistent with Spring's nomenclature but it's already taken) is that a lot of API code, documentation and example XML files will need to be changed. Users will also have to do the same.

 Would it be worth it? I don't really know, but the argument could be made for making this change now, before 1.0.0 is out, since it's such a core part of Acegi's API. I also believe that it will make the class hierarchy easier to understand and explain, which I think is a challenge that Acegi already faces.

 I'd be willing to make these changes - Eclipse can easily handle the renaming and dependency changes, and updating the JavaDoc, reference guide, XML files, etc. is mostly just search-and-replace and validation. But I want to know what everyone thinks first.

 Thanks,
 Scott



Re: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors

2005-11-07 Thread Mark St.Godard
Ben, Scott,

Scott what version of Websphere are you running? What JRE/JDK version?

Ben the code looks fine... seems abnormal for InheritableThreadLocal to NPE...

Scott, try without the InheritableTL or as Ben suggests try a different servlet container / appserver if you can.

Cheers,
Mark
On 11/7/05, Ben Alex [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
 [11/7/05 15:24:43:513 EST] 5a6d5a6d WebGroupE SRVE0026E: [Servlet Error]-[Filter [Acegi Filter Chain Proxy]: filter is unavailable.]: java.lang.NullPointerException
     at java.lang.Throwable.init(Throwable.java)
     at java.lang.Throwable.init(Throwable.java)
     at java.lang.NullPointerException.init(NullPointerException.java:63)
     at java.lang.InheritableThreadLocal.set(InheritableThreadLocal.java:95)
     at net.sf.acegisecurity.context.SecurityContextHolder.setContext(SecurityContextHolder.java:58)
     at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:207)

Very odd. If you look at the code for SecurityContextHolder:

    private static InheritableThreadLocal contextHolder = new InheritableThreadLocal();

    public static void setContext(SecurityContext context) {
        Assert.notNull(context, "Only non-null SecurityContext instances are permitted");
        contextHolder.set(context); // this line fails (line 58)
    }

Can anyone see any issue with this? The main difference between 0.8.3 and 0.9.0 is the use of an InheritableThreadLocal instead of a ThreadLocal. If you revert to the latter, does it work? What version of WebSphere are you running? Does it work if you deploy the same WAR to say Tomcat?

Cheers
Ben


Re: [Acegisecurity-developer] Vote: Release 0.9.0

2005-11-06 Thread Mark St.Godard
+1
On 11/6/05, Ben Alex [EMAIL PROTECTED] wrote:
Hi everyone

The JIRA changelog is now complete, and I've just updated the reference guide to reflect the latest changes:
http://opensource2.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

I would like to propose we release 0.9.0 at this point. Please let me know if you agree.

Cheers
Ben



Re: [Acegisecurity-developer] Getting errors building v0.8.3

2005-10-21 Thread Mark St.Godard
Hi Vijay,

I am pretty sure the commons attribute plugin was removed to accommodate the Java 5 annotations samples.
Ben mentioned that using Java 5 compiler and the commons-attributes plugin would cause errors.
We discussed disabling that plugin so that we could properly build the Java 5 annotations samples.
The commons attributes samples would have to be built by hand...

see this thread:

http://www.mail-archive.com/acegisecurity-developer@lists.sourceforge.net/msg01317.html

Cheers
Mark
On 10/21/05, Vijay Varadan [EMAIL PROTECTED] wrote:

The attributes tests worked after I installed the common-attributes plugin. Unfortunately, the command specified on the version of the Building with maven page incorrectly lists the groupId as common-attributes-plugin - the groupId should be common-attributes. The other arguments to maven are correct. 


Once I did that, the build went through perfectly.

To summarize, here are the changes I had to make to get 0.8.3 working:
1. In $ACEGISECURITY/project.xml change the version from 1.2-RC2 to 1.2 for the artifactId spring
2. In $ACEGISECURITY/samples/attributes/project.xml changed the version from 1.0 to 1.0.2 for artifactId xjavadoc
3. Install the common-attributes-plugin using the following command:
maven plugin:download
-DgroupId=commons-attributes
-DartifactId=commons-attributes-plugin
-Dversion=2.1
This seems to have been fixed on the version of the page available on the site at http://acegisecurity.sourceforge.net/building.html



Hope this helps.
Vijay Varadan
On 10/20/05, Luke Taylor [EMAIL PROTECTED] wrote:

Vijay Varadan wrote:
 Thanks for the info about the maven option and ibiblio - I was looking in the directory pointed to by Google search which seems to be the wrong place to look. I'm interested in building the last known good release. There is a small group of us that is looking to develop ACEGI for the .NET platform - so I figured we'd start from a LKG release.
 Changing the xjavadoc version in the project.xml file to 1.0.2 allowed the build to proceed. The sample.attributes.Bank jUnit tests are failing. I'll post more details if I can't figure it out myself.
 Thanks once again for the valuable pointers.

You're welcome.

The attributes tests are failing in the main build too - I'm not sure what the situation is there.
http://acegisecurity.sourceforge.net/multiproject/acegi-security-sample-attributes/junit-report.html

--
Luke Taylor.
Monkey Machine Ltd.
PGP Key ID: 0x57E9523C
http://www.monkeymachine.ltd.uk



Re: [Acegisecurity-developer] Acegi .Net version

2005-10-18 Thread Mark St.Godard
You'd have to ask Ben and Carlos, (as Ben is the project admin and Carlos is all things build related)

however I would assume it would have to be a new project on sourceforge... completely separate, 
along the same lines as Spring.NET, NHibernate, etc.
Cheers,
Mark
On 10/17/05, Bill Barr [EMAIL PROTECTED] wrote:
Mark,

Thanks for the pointer. I'll be sure to ask over there, too. If I can find some interested people, would it make sense to add a C# branch to the Acegi project?

Bill

--- Mark St.Godard [EMAIL PROTECTED] wrote:
 You might want to check with the Spring .NET team to see if there is any related work on security.
 http://www.springframework.net


Re: [Acegisecurity-developer] Acegi .Net version

2005-10-17 Thread Mark St.Godard
You might want to check with the Spring .NET team to see if there is any related work on security.
http://www.springframework.net

Cheers,
Mark
On 10/17/05, Bill Barr [EMAIL PROTECTED] wrote:
Are there any plans for a .Net version of Acegi? Is there even any interest in such a beast?

Bill



[Acegisecurity-developer] custom Session Timeout page

2005-10-12 Thread Mark St.Godard
Ben et al,

Has anyone implemented a custom session timeout page using Acegi yet?
As we all know, the Authentication object is stored in HttpSession between web requests logging out invalidates the session..
and inactivity destroys the session..
I am working on an app and they would like to have it redirected to a custom session timeout page
rather than just back to the login page.

Has anyone done something similar?

Cheers,
Mark


Re: [Acegisecurity-developer] Presenting at the Java SIG in Oakland, CA

2005-10-02 Thread Mark St.Godard
Hi Chris,

I really enjoy doing presentations /talks, however I am located up in Canada ;)

Cheers,
Mark
On 10/2/05, Chris Richardson [EMAIL PROTECTED] wrote:
Hello,
I organise the Java SIG that meets in Oakland (http://www.ebig.org/sig/sig.aspx?SIGid=21), which is in the San Francisco bay area. At a recent meeting, members expressed interest in learning more about ACEGI security.
Ben Alex suggested that I post to this mailing list.
I was wondering whether any of the Acegi security developers are based in the bay area and would be willing to present. Ben said he could supply a presentation if that would help.
We meet on the 3rd Wednesday of the month.

Thanks.

Chris
--
Consulting - http://www.chrisrichardson.net
Author, POJOs in Action - http://www.manning.com/crichardson
Enterprise POJOs blog - http://chris-richardson.blog-city.com


[Acegisecurity-developer] Contacts (@Secured and @Transactional)

2005-09-25 Thread Mark St.Godard
Hi Ben et al,

I have committed a Contacts example that uses the new @Secured and @Transactional annotations.

I have added a /samples/contacts-tiger project that has a pre goal to also include the original Contacts source for compilation.
(so no need to duplicate code).

To try the new sample, just run maven multiwar:multiwar in the acegisecurity/samples/contacts-tiger dir.
deploy then

http://localhost:8080/acegi-security-sample-contacts-tiger-filter/

Feel free to have a look, and let me know if you have any questions, comments, etc.

Please let me know if the new samples project causes any issues, build-related, etc.

Again, this is in its own project, so it should be more self-contained.
If any of the Maven-ites, had any more elegant suggestions to handling Java 5 source code and packaging 
related to this sample app, let me know.

Cheers,
Mark


Re: [Acegisecurity-developer] Disable Login.

2005-09-24 Thread Mark St.Godard
When you capture a failed login attempt (like in your listener)... you will need to update (i.e. increment) your User's failed login attempts. 

You would need some sort of user management service in your application.. basically the application code that does the (update user set login_attempt = ? where username = ?)
Again this will be application-specific you will need a login attempts column on your schema.

Then on the login attempt side.. you will need to translate that if the # of attempts is greater than some number... you will need to set the boolean value for account locked in the UserDetails implementation.


Basically capturing the event via the listener will be a way to UPDATE the user.. (i.e. the status or the number of login attempts)... 
then the regular login process will get the login attempts or status and use it to determine if it is a locked account.

Cheers,
Mark


On 9/23/05, mannobug [EMAIL PROTECTED] wrote:
Hi all

I read on the web site that it can be easy to lock an account when the user set password wrong for n times. I define a listener that implements ApplicationListener and capture the event AuthenticationFailurePasswordEvent. Can someone give me a good advice to implement a secure way to memorize the failure and attempt login and lock the user via DAO object? I just read http://forum.springframework.org/viewtopic.php?t=8525 but i cannot find a good implementation.

Thanks.
Kind regards
mannobug
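The two halves described in Mark's reply above (the listener updates the failure count, the login process reads it to decide whether the account is locked), as an added example that is not part of the thread and does not use Acegi classes. LoginAttemptService, LoginProcess, the threshold of 3 and the sample user are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LoginLockoutExample {

    enum Result { SUCCESS, BAD_CREDENTIALS, LOCKED }

    /** Hypothetical stand-in for the application's user management service. */
    static final class LoginAttemptService {
        private final int maxAttempts;
        // In-memory stand-in for the login-attempts column on the user table.
        private final Map<String, Integer> failures = new ConcurrentHashMap<>();

        LoginAttemptService(int maxAttempts) {
            if (maxAttempts < 1) {
                throw new IllegalArgumentException("maxAttempts must be at least 1");
            }
            this.maxAttempts = maxAttempts;
        }

        /** Listener side: called once per failed-password event. */
        int recordFailure(String username) {
            // merge() increments atomically, so concurrent failures are not lost
            // the way a separate read followed by "set login_attempt = ?" can lose them.
            return failures.merge(username, 1, Integer::sum);
        }

        /** Called after a successful login, or by an administrator to unlock. */
        void reset(String username) {
            failures.remove(username);
        }

        /** Login side: the value the user-details object reports as "account non-locked". */
        boolean isAccountNonLocked(String username) {
            return failures.getOrDefault(username, 0) < maxAttempts;
        }
    }

    /** Hypothetical login process that consults the counter before checking the password. */
    static final class LoginProcess {
        private final Map<String, String> passwords; // constructed sample users
        private final LoginAttemptService attempts;

        LoginProcess(Map<String, String> passwords, LoginAttemptService attempts) {
            this.passwords = passwords;
            this.attempts = attempts;
        }

        Result login(String username, String password) {
            if (username == null || password == null) {
                return Result.BAD_CREDENTIALS;
            }
            String expected = passwords.get(username);
            if (expected == null) {
                return Result.BAD_CREDENTIALS; // unknown user: nothing to count or lock
            }
            if (!attempts.isAccountNonLocked(username)) {
                return Result.LOCKED; // rejected even when the password is right
            }
            boolean matches = MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    password.getBytes(StandardCharsets.UTF_8));
            if (!matches) {
                attempts.recordFailure(username); // in the thread's design the event listener does this
                return Result.BAD_CREDENTIALS;
            }
            attempts.reset(username); // a success clears earlier failures
            return Result.SUCCESS;
        }
    }

    public static void main(String[] args) {
        LoginAttemptService attempts = new LoginAttemptService(3);
        LoginProcess process = new LoginProcess(Map.of("alice", "correct-horse"), attempts);

        for (int i = 1; i <= 3; i++) {
            System.out.println("wrong password #" + i + ": " + process.login("alice", "guess" + i));
        }
        System.out.println("right password after 3 failures: "
                + process.login("alice", "correct-horse"));

        attempts.reset("alice"); // administrator unlock
        System.out.println("after reset: " + process.login("alice", "correct-horse"));
    }
}
```

The lock check runs before the password comparison, so a locked account stays locked until the counter is reset rather than being reopened by a later correct guess.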


Re: [Acegisecurity-developer] Contacts sample app using Annotations

2005-09-24 Thread Mark St.Godard
Hi Ben,

Yeah I agree.. lets keep the base build and Contacts sample JDK 1.3 compatible.

I think I could create another sample subproject and just do some simple Ant build.xml stuff to 
reuse the actual source code in the (regular) contacts example.

Ok thats I need to continue with this... 

/contacts/ regular contacts JDK 1.3
/contacts-tiger/ Java 5 annotations version

How does that sound?

Regarding a new sample app.. I agree.. I think we need something easier to follow.
To have something that uses some simple filters, config, etc... 
would ...(get ready for it)... the Spring petstore be too simple (or done to death :) ?
Or one of the other Spring samples?... might be a natural progression to show 
security applied to it. Just a thought.

Let me know if you need any help with it.

Cheers

Mark
On 9/24/05, Ben Alex [EMAIL PROTECTED] wrote:
Hi Mark

Mark St.Godard wrote:
 I can exclude the samples/attributes project to get around the Java 5 compile issues, we discussed before.

That is fine. The samples/annotations should also be excluded from the auto-build, as we don't want users to be forced to have Java 5 to do a basic build of core and the Contacts Sample.

 Basically, we will require Java 5 to build from the /samples/contacts dir...
 To do a full build of Acegi, we require Java 5 (for domain and core-tiger).. just wanted to make sure that this is ok for the samples as well.

I believe we need to maintain Java 1.3 compatibility in the base/default build. I would therefore prefer if the base Contacts Sample did not use annotations.

 or if this should be in a completely separate project ala..
 acegisecurity/samples/contacts/
 acegisecurity/samples/contacts-annotations/

Maybe a Maven expert (Carlos, Luke?) could have a look at how we could share the code between the Contacts 1.3 and Contacts 5 Java versions more elegantly. A few ideas come to mind, such as a new samples/contacts/src/main/webapp/tiger directory to hold the config, and the 1.5-compatible ContactManager named in a manner that excludes it from the compilation but a separate postGoal will compile it if 1.5 is detected.

One thing concerning me about the Contacts Sample more generally is how difficult it is for new users to follow. I think there is an argument to add a new sample that just uses filter security - without any method or ACL security. Such a sample might also double as a performance benchmark to compare Acegi Security performance with servlet spec managed constraints.

Cheers
Ben


[Acegisecurity-developer] Contacts sample app using Annotations

2005-09-22 Thread Mark St.Godard
Hi Ben,

I have finished the Contacts sample application to use both Spring @Transactional and the new @Secured annotations.
However, I currently have it under the same /samples/contacts build structure.

I can exclude the samples/attributes project to get around the Java 5 compile issues, we discussed before.

I just wanted to confirm (prior to committing) that this is ok... 

Basically, we will require Java 5 to build from the /samples/contacts dir... 

To do a full build of Acegi, we require Java 5 (for domain and core-tiger).. just wanted to make sure that this is ok
for the samples as well.

I didnt want to create a whole new project and duplicate the code just to separate the Java 5 code (1 class really).

I just created a different implementation of ContactManager.. one that uses Annotations.. the rest is just 
replace the implementation in configuration, setup some auto proxies, etc.. and it works great.

Again, the original ContactManager using XML configuration for transaction mgmt and security is untouched.

So I think it's a nice example of comparing and contrasting the two.



Right now I just created a new annotated class in the /samples/contacts source dir.. then I reuse
the build.xml, etc.. and it just creates an acegi-security-sample-contacts-filter-annotation war file.

Anyway, just wanted to confirm if this sounds alright... 

or if this should be in a completely separate project ala..

acegisecurity/samples/contacts/

acegisecurity/samples/contacts-annotations/

Thoughts?

Cheers,
Mark



Re: [Acegisecurity-developer] SwitchUserProcessingFilter support for custom UserDetails for exitUser case

2005-09-19 Thread Mark St.Godard
Hi Matt,

Thanks for the great user feedback. I did the initial Switch User implementation this summer,
so I appreciate your feedback / experience when using your custom UserDetails.. 

I have changed the extracting of the original user to just check based on the interface (UserDetails), since User implements UserDetails. 

So this should address your scenario... let me know if it works ok for you.

I have just committed the code to CVS.

Cheers,
Mark

On 9/19/05, Matt DeHoust [EMAIL PROTECTED] wrote:
Once again, thanks for the excellent product and the quick feedback. A big win in migrating my legacy application security infrastructure to Acegi Security is that the SwitchUser functionality offers more functionality out of the box than the legacy implementation. Whereas the legacy implementation did not remember who switched in the first place, I now have exitUser, which allows users to switch multiple times within a session. Very nice.

Once again I encountered an issue related to my custom UserDetails implementation. When performing the exitUser function, I experienced strange behavior. The application would log me out where I expected to receive the switch user prompt. Inspecting the logs I found the following runtime exception.

java.lang.IllegalArgumentException: User is required
 at org.springframework.util.Assert.notNull(Assert.java:90)
 at net.sf.acegisecurity.providers.dao.event.AuthenticationEvent.init(AuthenticationEvent.java:57)
 at net.sf.acegisecurity.providers.dao.event.AuthenticationSwitchUserEvent.init(AuthenticationSwitchUserEvent.java:40)
 at net.sf.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.attemptExitUser(SwitchUserProcessingFilter.java:272)
 at net.sf.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.doFilter(SwitchUserProcessingFilter.java:213)

Upon investigation I learned that the SwitchUserProcessingFilter was passing a null parameter to the AuthenticationSwitchUserEvent constructor because my UserDetails was not a net.sf.acegisecurity.providers.dao.User. I updated my copy to check for UserDetails rather than User and it works great. All the tests pass as well without further modification.

I have included the patch below.

Regards,
Matt DeHoust
Index: SwitchUserProcessingFilter.java===RCS file: /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/ui/switchuser/SwitchUserProcessingFilter.java,v
retrieving revision 1.5diff -u -r1.5 SwitchUserProcessingFilter.java--- SwitchUserProcessingFilter.java 19 Sep 2005 02:22:43 -1.5+++ SwitchUserProcessingFilter.java 20 Sep 2005 01:38:45 -
@@ -26,7 +26,6 @@import net.sf.acegisecurity.context.SecurityContextHolder;import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;import net.sf.acegisecurity.providers.dao.AuthenticationDao
;-import net.sf.acegisecurity.providers.dao.User;import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;import net.sf.acegisecurity.providers.dao.event.AuthenticationSwitchUserEvent;import net.sf.acegisecurity.ui.WebAuthenticationDetails
;@@ -263,8 +262,8 @@UserDetails originalUser = null;Object obj = original.getPrincipal();-if ((obj != null)  obj instanceof User) {-originalUser = (User) obj;
+if ((obj != null)  obj instanceof UserDetails) {+originalUser = (UserDetails) obj;}// publish event---
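Review bot: In the second hunk, at the `instanceof UserDetails` test, the case where the principal is still not a UserDetails (a String principal, for example) remains unhandled: originalUser stays null and is passed on to the code under `// publish event`, which is the path that produced the "User is required" IllegalArgumentException in the trace quoted above. Suggest skipping the event or guarding it when originalUser is null, and adding a test for a non-UserDetails principal. The `(obj != null)` operand is redundant, since instanceof is already false for null. In the first hunk, dropping the User import is only safe if no other reference to User remains in the file, which these lines do not show.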


Re: [Acegisecurity-developer] Anyone experiencing core tests failing?

2005-09-18 Thread Mark St.Godard
Thanks Ben,

Cheers,
Mark
On 9/18/05, Ben Alex [EMAIL PROTECTED] wrote:
Mark St.Godard wrote:
 Anyone else having problems with the core project tests failing?
 Strange thing is all the tests run through, dont see any actual junit failures, however maven complains and says the BUILD FAILED... ? Thoughts?

To see which test fails, you need to look in the /core/target/test-reports directory. You'll notice one of the .txt files has a much larger size than the others. Look in it and you'll see the failure reasons.

The JCaptcha tests and BASIC authentication tests were failing. I have checked in fixes for both.

Marc-Antoine, would you please take a look at CaptchaChannelProcessorTests. I've disabled some of the tests for now, and provided comments in the code about how the tests may be improved.

Best regards
Ben


Re: [Acegisecurity-developer] SwitchUserProcessingFilter with custom UserDetails?

2005-09-18 Thread Mark St.Godard
Thanks Matt,

I have committed the changes to CVS.

Cheers,
Mark
On 9/18/05, Matt DeHoust [EMAIL PROTECTED] wrote:
I have been using Acegi Security for a few months now with much success. I am very pleased with the framework. Great job and thanks!

Last week I tried the SwitchUserProcessingFilter for the first time and have everything working with one exception. In order to facilitate migration of my legacy application I wrote an adapter UserDetails that wraps the legacy User class. There are some areas in the code that still rely on the legacy User object. The current implementation of SwitchUserProcessingFilter will not allow a custom UserDetails. The new Authentication's Principal will always be a String (username).

It appears that a simple change would do the trick. I believe it is consistent with the framework to use a UserDetails by default unless the configuration specifically indicates String-only principals (for example DaoAuthenticationProvider.setForcePrincipalAsString).

I've included a patch below. It sets the new Authentication's Principal to the UserDetails returned by the configured AuthenticationDao instead of to the username. This allows applications to continue to leverage custom UserDetails implementations when using the switch user functionality.

Thanks,
Matt DeHoust
Index: SwitchUserProcessingFilter.java===
RCS file: /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/ui/switchuser/SwitchUserProcessingFilter.java,vretrieving revision 1.4diff -u -r1.4 SwitchUserProcessingFilter.java--- 
SwitchUserProcessingFilter.java3 Sep 2005 21:43:08 -1.4+++ SwitchUserProcessingFilter.java19 Sep 2005 01:06:51 -@@ -462,7 +462,7 @@authorities = (GrantedAuthority[]) newAuths.toArray
(authorities);// create the new authentication token-targetUserRequest = new UsernamePasswordAuthenticationToken(username,+targetUserRequest = new UsernamePasswordAuthenticationToken(targetUser,
targetUser.getPassword(), authorities);// set details
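Review bot: Passing targetUser instead of username as the first argument of the UsernamePasswordAuthenticationToken constructor changes the principal after a switch from a String to a UserDetails for every deployment, not only for those with a custom UserDetails, so any caller that treats the principal as a String will break. Suggest making this configurable in the way the message describes for DaoAuthenticationProvider.setForcePrincipalAsString, documenting the new principal type on the filter, and adding a test that asserts the principal type after a switch.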


[Acegisecurity-developer] Samples / Annotation

2005-09-04 Thread Mark St.Godard
Ben et al,

I have checked in the first Annotations sample... basically a straightforward port of the samples/attributes -- samples/annotations.
Note: This sample project requires the acegi-security-tiger-0.9.0-SNAPSHOT.jar, so please ensure its built to your local maven repo.
See core-tiger/

Ben have a quick look, and let me know if you have any problems with your build, etc.
Mine runs through fine, compiles, tests pass, etc..

Next I will look at the actual Contacts sample... I think the last we talked on this we were possibly going to deprecate the Commons Attributes / plugin, etc. ? (i.e. let the commons-attributes folk build by hand ?)


I think you mentioned it causes problems with Java 5 sources and the attributes plugin.

Cheers,
Mark




Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java

2005-08-21 Thread Mark St.Godard
Hi Ben,  (welcome back :)

Great, the isAuthenticated() is the exact key we need to determine
this particular event, irrespective of the cache.
I also agree that it should not be in the AuthenticationProviders...

Ben,  I created a JIRA entry for this (SEC-50), you can assign to me
if you want.

Cheers,
Mark

On 8/21/05, Ben Alex [EMAIL PROTECTED] wrote:
 Mark St.Godard wrote:
 
 The HttpSessionContextIntegrationFilter should be able to set some
 sort of indicator that this is the first logon attempt since it
 generates a new SecurityContext   however this wouldnt work for
 remote client authentication?
 
 IMHO we should modify all event-aware AuthenticationProviders to publish
 an event on every occasion an authentication is processed, irrespective
 of the cache usage or not. There are three reasons for this:
 
 1. The Authentication.getDetails() *should* provide some sort of
 identifier (typically a WebAuthenticationDetails, which offers the
 HttpSession ID in most cases) and this identifier can be used by the
 ApplicationListener to determine what and when to log.
 
 2. Recent changes to Authentication and AbstractSecurityInterceptor have
 changed the semantics of Authentication.isAuthenticated():
 
    /**
     * Used to indicate to <code>AbstractSecurityInterceptor</code> whether it
     * should present the authentication token to the
     * <code>AuthenticationManager</code>. Typically an
     * <code>AuthenticationManager</code> (or, more often, one of its
     * <code>AuthenticationProvider</code>s) will return an immutable
     * authentication token after successful authentication, in which case
     * that token can safely return <code>true</code> to this method.
     * Returning <code>true</code> will improve performance, as calling the
     * <code>AuthenticationManager</code> for every request will no longer be
     * necessary.
     *
     * <p>
     * For security reasons, implementations of this interface should be very
     * careful about returning <code>true</code> to this method unless they
     * are either immutable, or have some way of ensuring the properties have
     * not been changed since original creation.
     * </p>
     *
     * @return true if the token has been authenticated and the
     *         <code>AbstractSecurityInterceptor</code> does not need to
     *         represent the token for re-authentication to the
     *         <code>AuthenticationManager</code>
     */
    public boolean isAuthenticated();
 
 As such, a DaoAuthenticationProvider (or any other
 AuthenticationProvider for that matter) will only be called when a user
 is genuinely not authenticated - or the user has changed the
 AbstractSecurityInterceptor.alwaysReauthenticate property to false.
 
 3. Most authentication processing filters (certainly those used for CAS,
 AuthenticationProcessingFilter/form-based, remember-me, X509) now
 publish an InteractiveAuthenticationSuccessEvent when a user logs in.
 
 I would welcome other opinions on this, but it seems we now have a more
 comprehensive solution to application event messages than putting them
 into AuthenticationProviders.
 
 Cheers
 Ben
 
 
 


Re: [Acegisecurity-developer] Security Annotation support (initial)

2005-08-21 Thread Mark St.Godard
Hey Ben,

Just wanted to mention, I have started converting over the
attributes sample apps over to Java 5 annotations version.  (Havent
checked in yet)

samples/attributes (Commons)
samples/annotations (Java 5)

Basically, I ported over the BankService code and created tests.

Also, I did port over a Contacts sample using Java instead of XML configuration.

My questions (prior to checking anything in), are related to packaging.

First off, we now have the core-tiger project... and this creates a
jar for the java 5 classes.
I think we need to package these into a single acegisecurity jar file?
I noticed that the Spring @Transactional annotations are packaged in
the spring.jar (i.e. there is not JDK 5 vs JDK 1.4  )
So it looks to be ok to use JDK 1.4 (and lower) loading a jar file
that contains Java 5 classes as long as they dont try to use them
:)

2ndly - where should the new contacts sample using the annotations reside?
Should I recreate a whole new sub-project (ala core-tiger) ?  Or can
it be included in the existing /samples/contacts/   ?

I just wanted to make sure I dont check in code that breaks JDK 1.4
users from building the CVS HEAD examples, etc.

Therefore to sum up: 

- can we package the core-tiger classes into the single acegi security dist?
- where should the new samples (for java5) be located?

Thoughts?

Cheers,
Mark

Anyway 






On 8/21/05, Ben Alex [EMAIL PROTECTED] wrote:
 Mark St.Godard wrote:
 
 Ben et al,
 
 Just a note, I have checked in some initial Security annotation
 support and unit tests.
 
 Feedback is always welcome, and please let me know if anyone has
 any problems with the new subproject.
 
 
 
 Great work Mark.
 
 Are there any users out there using Acegi Security's Commons Attributes
 support?
 
 Cheers
 Ben
 
 
 


[Acegisecurity-developer] Security Annotation support (initial)

2005-08-11 Thread Mark St.Godard
Ben et al,

Just a note, I have checked in some initial Security annotation
support and unit tests.

(see http://opensource.atlassian.com/projects/spring/browse/SEC-4) 

I will also be checking in a Contacts webapp example, however using
Spring @Transaction annotations and the new @Secured annotation.


Important Note:  Ben and I decided to create a new subproject
core-tiger that contains Java 5 core security code.

i.e.
core-tiger/src/main/java
core-tiger/src/test/java
etc.

I have also created the Maven project files, etc.  

Again, I am just finishing the Contacts webapp example... so more to follow.

Feedback is always welcome, and please let me know if anyone has 
any problems with the new subproject.

Cheers,
Mark




[Acegisecurity-developer] SEC-15 User security context switching

2005-08-04 Thread Mark St.Godard
Ben,

Re: SEC-15 

I have committed the initial draft of the Switch User ('su')
functionality. I created a new filter (SwitchUserProcessingFilter)
that handles the 'switch' and 'exit' url requests.
This filter also uses the authenticationDao to allow access to load
users. A few initial assumptions in this version:
- will only 'su' one level deep
- switch url will need to be secured so that only the desired
Administrator can do the 'su'.  We can probably get more fancy here
later, possibly doing more mapping of who can do this, and to which
target users. Anyway, starting simple.

Example configuration:

<bean id="switchUserProcessingFilter"
      class="net.sf.acegisecurity.ui.switchuser.SwitchUserProcessingFilter">
   <property name="authenticationDao" ref="jdbcDaoImpl" />
   <property name="switchUserUrl">
      <value>/j_acegi_switch_user</value>
   </property>
   <property name="exitUserUrl">
      <value>/j_acegi_exit_user</value>
   </property>
   <property name="targetUrl">
      <value>/acegi-security-sample-contacts-filter/secure/debug.jsp</value>
   </property>
</bean>


Note: I have the 2 URLs (j_acegi_switch_user, j_acegi_exit_user)
configurable and these are responsible for their respective
requests.

j_acegi_switch_user - will handle a switch attempt and expects the
username of the target user
j_acegi_exit_user - will handle the exit attempt and expects that
a successful switch had taken place.

I used your recommendation of using a custom GrantedAuthority
(PREVIOUS_ADMINISTRATOR) to capture the original user. This is
interrogated in the exit attempt and used to switch the context back.

I did some local testing with the Contacts sample and did some simple tests of 
- logging in (i.e. User 1)
- going to /secure/debug.jsp  (view User 1 info)
- going to a jsp that handles the switch (i.e. switchUser.jsp)
- submit request to 'su' to another user (i.e. User 2)
- going to /secure/debug.jsp  (view User 2 info)
- go to exit page (i.e. exitUser.jsp)
- display current user logged in as, submit button to exit
- going to /secure/debug.jsp (shows User 1 info)

So initial simple tests seem to work, need to polish and do a lot more testing.

I have also added applicable unit tests.

Again, feedback welcome.

Cheers,
Mark
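
The switch and exit mechanics described in the message above, as an added example that is not part of the original post and not Acegi's code: plain Java (16+, for records) with hypothetical Auth and Authority types. Only the PREVIOUS_ADMINISTRATOR marker comes from the post; ROLE_SUPERVISOR is an assumed role standing in for whatever protects the switch URL.

```java
import java.util.*;

public class SwitchUserDemo {
    // Hypothetical stand-ins for the framework's types (assumptions, not Acegi classes).
    record Authority(String role, Auth source) {}   // source is set only on the marker authority
    record Auth(String username, List<Authority> authorities) {
        boolean has(String role) {
            return authorities.stream().anyMatch(a -> a.role().equals(role));
        }
    }

    static final String MARKER = "PREVIOUS_ADMINISTRATOR"; // name taken from the post
    static final String ADMIN = "ROLE_SUPERVISOR";         // assumed role allowed to switch

    static Auth switchUser(Auth current, Auth target) {
        // Only one level deep: a switched context must exit before switching again.
        if (current.has(MARKER))
            throw new IllegalStateException("already switched; exit first");
        // Stand-in for securing the switch URL so only an administrator reaches it.
        if (!current.has(ADMIN))
            throw new SecurityException(current.username() + " may not switch user");
        // The new context carries the target's authorities plus a marker that
        // remembers who really logged in, so the exit request can restore it.
        List<Authority> granted = new ArrayList<>(target.authorities());
        granted.add(new Authority(MARKER, current));
        return new Auth(target.username(), List.copyOf(granted));
    }

    static Auth exitUser(Auth current) {
        // Interrogate the marker authority and hand back the original context.
        return current.authorities().stream()
                .filter(a -> a.role().equals(MARKER))
                .map(Authority::source)
                .findFirst()
                .orElseThrow(() -> new IllegalStateException("no switch in progress"));
    }

    public static void main(String[] args) {
        Auth admin = new Auth("user1", List.of(new Authority(ADMIN, null)));     // constructed users
        Auth user2 = new Auth("user2", List.of(new Authority("ROLE_USER", null)));

        Auth switched = switchUser(admin, user2);
        System.out.println("acting as " + switched.username() + ", admin role held: " + switched.has(ADMIN));
        try { switchUser(switched, admin); }
        catch (IllegalStateException e) { System.out.println("nested switch refused: " + e.getMessage()); }
        System.out.println("after exit: " + exitUser(switched).username());
    }
}
```

The switched context holds none of the administrator's roles, so the only path back to them is the marker authority, which is why the exit request has to find one before it restores anything.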




Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java

2005-08-03 Thread Mark St.Godard
Cameron, this does not sound like the desired semantics.  I have also
confirmed that this is happening on the contacts sample.

Ben, I can create a JIRA entry and fix, test and commit this today.

Cheers,
Mark

Re:
--

DaoAuthenticationProvider.java around line 300, publishes an
AuthenticationSuccessEvent when the user has logged in.  However – it
only does this if the cache wasn't used… This seems odd and incorrect
to me.
 
Since this sequence of events misses the second event :
 
1)   login as user A – event is fired
2)   logout
3)   login as user A – event isn't fired
 
It's a simple change – does someone mind to do it ?
 
I would make a patch – but CVS is failing.
 
Thanks
 
Cameron
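
The login sequence from the quoted report, as an added model that is not DaoAuthenticationProvider's source: a hypothetical provider with a user cache, run once with the event published only on a cache miss and once on every successful login. The class names, credentials and event string are constructed for the example.

```java
import java.util.*;
import java.util.function.Consumer;

public class LoginEventDemo {
    // Hypothetical model of a DAO-backed provider with a user cache (not the project's code).
    static class Provider {
        final Map<String, String> store;              // constructed data; a real store holds hashes
        final Map<String, String> cache = new HashMap<>();
        final Consumer<String> publisher;             // receives one entry per published event
        final boolean publishOnCacheHit;

        Provider(Map<String, String> store, Consumer<String> publisher, boolean publishOnCacheHit) {
            this.store = store;
            this.publisher = publisher;
            this.publishOnCacheHit = publishOnCacheHit;
        }

        boolean authenticate(String user, String password) {
            boolean cacheUsed = true;
            String expected = cache.get(user);
            if (expected == null) {                   // cache miss: load from the backing store
                cacheUsed = false;
                expected = store.get(user);
                if (expected != null) cache.put(user, expected);
            }
            if (expected == null || !expected.equals(password)) return false;
            // The reported behaviour corresponds to publishOnCacheHit == false.
            if (!cacheUsed || publishOnCacheHit) publisher.accept("AuthenticationSuccessEvent user=" + user);
            return true;
        }
    }

    static List<String> loginLogoutLogin(boolean publishOnCacheHit) {
        List<String> audit = new ArrayList<>();
        Provider p = new Provider(Map.of("userA", "constructed-pw"), audit::add, publishOnCacheHit);
        p.authenticate("userA", "constructed-pw");    // 1) login, cache is cold
        // 2) logout ends the session but leaves the user cache populated
        p.authenticate("userA", "constructed-pw");    // 3) login again, served from the cache
        return audit;
    }

    public static void main(String[] args) {
        System.out.println("publish on cache miss only: " + loginLogoutLogin(false).size() + " event(s)");
        System.out.println("publish on every success:   " + loginLogoutLogin(true).size() + " event(s)");
    }
}
```

Any listener that builds a login audit trail from these events undercounts sign-ins in the first mode, because the second successful login leaves no record.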