On Mon, 2005-11-28 at 11:57, Matt Raible wrote:
> OK, I committed it - with Acegi 0.9.0 and Spring 1.2.6 (to support
> Acegi). As I see it, there's a few more things we need to work on to
> make this a polished integration:

I seem to be missing the web/WEB-INF/security.xml file.

> 1. Use the ports from roller.properties to configure SSL Switching.
>
> This should be configurable with a PortResolverImpl - here's an example:
>
> http://forum.springframework.org/showthread.php?t=19903

agreed.

> 2. Add the channelProcessFilter to the "filterChainProxy" bean if SSL
> should be used to secure certain pages.

can we do this programmatically? it would suck if users had to modify the xml file in the webapp just to enable secure logins.

> 3. Add support for switching to SSL based on a header value.

this one i have actually tackled in a different way which i think works better than what we have now. i have a solution which can be implemented outside of the application, so we don't need application specific modifications to support this. my guess is that Sun is the only ones using this feature, but maybe i'm wrong? anyone else using the custom header option for ssl switching?

> 4. Add a drop table (and indexes) statement for 2.1 for the user_cookie table.

sounds reasonable, however maybe we can leave this until 3.0? the reason being that if someone deploys 2.1 and decides they need to go back to 2.0 for some reason, then that's not possible if the table is gone. 3.0 seems like a good time to do a bunch of table cleanup because i know the old rollerconfig table is obsolete now as well.

-- Allen

> Is there anything else I'm missing? Should I enter bugs in JIRA for
> these so we don't forget? The nice thing about using Acegi is now
> everything is configured in
> RollerContext.initializeSecurityFeatures(), instead of LoginServlet
> and LoginFilter.
>
> Matt
>
> > -- Allen
