On 11/28/05, Allen Gilliland <[EMAIL PROTECTED]> wrote: > On Mon, 2005-11-28 at 11:57, Matt Raible wrote: > > OK, I committed it - with Acegi 0.9.0 and Spring 1.2.6 (to support > > Acegi). As I see it, there's a few more things we need to work on to > > make this a polished integration: > > I seem to be missing the web/WEB-INF/security.xml file.
Sorry, it should be there now. > > > > > > 1. Use the ports from roller.properties to configure SSL Switching. > > > > This should be configurable with a PortResolverImpl - here's an example: > > > > http://forum.springframework.org/showthread.php?t=19903 > > agreed. > > > > > 2. Add the channelProcessFilter to the "filterChainProxy" bean if SSL > > should be used to secure certain pages. > > can we do this programmatically? it would suck if users had to modify the > xml file in the webapp just to enable secure logins. We should be able to configure everything programmatically (after initial load). If you look at the new method I added to RollerContext, you'll see that many beans are manipulated after the fact. It should just be a matter of grabbing the existing property and manipulating it, then re-setting it. > > > > > 3. Add support for switching to SSL based on a header value. > > this one i have actually tackled in a different way which i think works > better than what we have now. i have a solution which can be implemented > outside of the application, so we don't need application specific > modifications to support this. > > my guess is that Sun is the only ones using this feature, but maybe i'm > wrong? anyone else using the custom header option for ssl switching? > > > > > 4. Add a drop table (and indexes) statement for 2.1 for the user_cookie > > table. > > sounds reasonable, however maybe we can leave this until 3.0? the reason > being that if someone deploys 2.1 and decides they need to go back to 2.0 for > some reason, then that's not possible if the table is gone. 3.0 seems like a > good time to do a bunch of table cleanup because i know the old rollerconfig > table is obsolete now as well. That's fine - leaving it in there shouldn't hurt anything. We should probably use "drop table if exists" just in case people do drop it. Matt > > -- Allen > > > > > > Is there anything else I'm missing? Should I enter bugs in JIRA for > > these so we don't forget? The nice thing about using Acegi is now > > everything is configured in > > RollerContext.initializeSecurityFeatures(), instead of LoginServlet > > and LoginFilter. > > > > Matt > > > > > > > > -- Allen > > > > > > > > > > > > > >
