Re: tapestry-spring-security: how to set ASO on successful login?

2008-12-08 Thread Robin Helgelin
On Mon, Dec 8, 2008 at 03:59, Jonathan Barker
[EMAIL PROTECTED] wrote:
 you will see where the AnonymousAuthenticationProcessingFilter is hooked in.

I've been following this thread, I've just not come up with any good
answers before other people :).

I was thinking of the AnonymousAuthenticationProcessingFilter, maybe
this should be made optional?

-- 
regards,
Robin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread Jonathan Barker
 

Responses inline

 -Original Message-
 From: rs1050 [mailto:[EMAIL PROTECTED]
 Sent: Saturday, December 06, 2008 15:27
 To: users@tapestry.apache.org
 Subject: RE: tapestry-spring-security: how to set ASO on successful login?

 Thank you.

 You could work with the ASO in the relevant onSuccess method. - I wish I
 could - my onSuccess method for my Login page is *not* being called b/c the
 tapestry-spring-security filter hijacks the request to that URL. Once
 spring-security's filter (and it is not a Tapestry filter) starts
 processing the request, I need to be able to do something with the ASO.

I'm using tapestry5-acegi, but I don't think it's changed with the update to
Spring Security. I AM using a Login page, and my onSuccess() method does get
called.  I haven't tried to configure any authentication processing filter
which may explain why what I do works - I don't get hijacked.

 Currently I am planning to subclass
 org.springframework.security.ui.webapp.AuthenticationProcessingFilter and
 override the onSuccessfulAuthentication method to create the ASO. In order to
 do that I need a reference to ApplicationStateManager. However, I can't figure
 out a way to get it except for a very ugly one:

 1. I create a TapestryExposer eager service, which on construction
 remembers the ApplicationStateManager passed to the constructor and sets
 itself into a Spring-defined bean called 'TapestryExposerHolder'
 2. in my custom spring-security filter's (non-tapestry filter)
 onSuccessfulAuthentication method I look up TapestryExposerHolder, and from
 it get TapestryExposer, and from that I get ApplicationStateManager.
 ugh.

I suggest you follow the link I gave earlier:

http://www.nabble.com/Accessing-ApplicationStateManager-from-within-a-Filter-td20274449.html#a20324607

My strategy was simple:

  You only get a page that uses the ASO if you have been authenticated.

  Therefore, on any page that asks for the ASO, you know that
authentication will already have occurred.

  You can put all your ASO-building code in a contribution to the
ApplicationStateManager, and get the authentication information from the
SecurityContext.  This also guarantees that any accidental ASO creation
will create a properly constructed ASO, and allows things like the
RememberMe service to be used (that would not be calling your onSuccess()
method) yet still get a properly constructed ASO at the end.

 If anyone can come up with a cleaner way of doing something with the ASO
 after successful authentication by spring security, it is really appreciated.

 R.
 --
 View this message in context: http://www.nabble.com/tapestry-spring-security%3A-how-to-set-ASO-on-successful-login--tp20865863p20874204.html
 Sent from the Tapestry - User mailing list archive at Nabble.com.


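The lazy-creation strategy Jonathan describes above, as an added example that is not code from the thread or from tapestry-spring-security: an ApplicationStateManager contribution whose creator builds MyState from the SecurityContext the first time a page asks for it, and fails closed when no authenticated principal is present. Spring Security 2.0.x and Tapestry 5.0.x API names are assumed, as are the package name, the AppModule class, and the fields of MyState (the original post only names the type).

```java
// Added example, not from the thread. Assumes Tapestry 5.0.x
// (ApplicationStateContribution/ApplicationStateCreator) and Spring
// Security 2.0.x (org.springframework.security.* package names).
// Package, module class and MyState's fields are illustrative.
package com.example.services;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.services.ApplicationStateContribution;
import org.apache.tapestry5.services.ApplicationStateCreator;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationCredentialsNotFoundException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

public class AppModule {

    /** The ASO type from the original post; this field set is an assumption. */
    public static class MyState {
        private final String username;
        private final Set<String> roles;

        public MyState(String username, Set<String> roles) {
            this.username = username;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }

        public String getUsername() { return username; }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /**
     * Snapshot the current Authentication into a MyState. Fails closed: a
     * missing, unauthenticated or anonymous Authentication is an error, never
     * a "guest" ASO, so a page outside the secured URL space that asks for
     * MyState by mistake cannot silently mint state for a caller who never
     * logged in.
     */
    static MyState stateFromSecurityContext() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new AuthenticationCredentialsNotFoundException(
                "MyState requested with no authenticated principal");
        }
        Set<String> roles = new HashSet<String>();
        // Spring Security 2.0 exposes authorities as a GrantedAuthority[]
        for (GrantedAuthority ga : auth.getAuthorities()) {
            roles.add(ga.getAuthority());
        }
        return new MyState(auth.getName(), roles);
    }

    public static void contributeApplicationStateManager(
            MappedConfiguration<Class, ApplicationStateContribution> configuration) {

        ApplicationStateCreator<MyState> creator = new ApplicationStateCreator<MyState>() {
            public MyState create() {
                return stateFromSecurityContext();
            }
        };
        // "session" keeps the ASO in the HttpSession. Creation runs on first
        // access, so it covers form login, RememberMe and any other path that
        // populates the SecurityContext, with no hook into the login page or
        // the Spring Security filter.
        configuration.add(MyState.class,
                new ApplicationStateContribution("session", creator));
    }
}
```

Pages that want the ASO declare it with the default `@ApplicationState` (create=true) so the creator fires on first read. The ASO is a snapshot taken at that moment: clear it with the session on logout and keep authorization decisions on the live SecurityContext, using the snapshot for display and convenience only. Because the creator throws rather than returning a guest object, an unsecured page that accidentally declares MyState shows up as an exception instead of quietly creating state for an anonymous caller.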



Re: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread Martijn Brinkers
Are you using Spring Security directly or are you using the
tapestry5-acegi library?

I use Spring Security without using tapestry5-acegi and my Login page is
a fully functional tapestry page (i.e. it allows you to set ASO's etc.).
The trick is to disable Spring security filtering for the login page (in
the spring config file). In my case:

<security:intercept-url pattern="/login/**" filters="none"/>

If you are using tapestry5-acegi you should somehow make the filter not
filter your login page.

Martijn Brinkers


On Fri, 2008-12-05 at 17:58 -0800, rs1050 wrote:
 Hi,
 
 I would like to create and set ASO on successful login. Without using
 tapestry-spring-security my Login page looked like this:
 
 public class Login {
 
     Object onSuccess() {
         // authenticate() is the page's own credential check (not shown)
         boolean authResult = authenticate();
         if (authResult) {
             // create and set ASO 'myState'
         }
         return null; // re-render the page; the sketch as posted had no return
     }
 
     @ApplicationState(create=false)
     private MyState myState;
 }
 
 after integrating with tapestry-spring-security, spring security intercepts
 submits from the login form, and my Index java page is never called. I was
 thinking about providing my own AuthenticationProcessingFilter and there
 setting a new instance of the ASO in the http session manually, but it is very
 ugly because I will have to invoke this method from
 SessionApplicationStatePersistenceStrategy (which is private, so I will need
 to use reflection tricks to overcome, and you get the picture - it becomes
 really ugly):
 
 private <T> String buildKey(Class<T> asoClass)
 {
     return PREFIX + asoClass.getName();
 }
 
 Any help is appreciated.
 R.


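What Martijn's `filters="none"` approach requires from the login page, as an added example that is not Martijn's code: that setting skips the entire Spring Security chain for /login/**, so HttpSessionContextIntegrationFilter never runs on the login request, nothing saves the SecurityContext for you, and nothing clears the SecurityContextHolder thread-local at the end of the request. The page therefore authenticates, rotates the session, and writes the context straight into the new session under the key the filter reads on the next secured request. Spring Security 2.0.x and Tapestry 5.0.x APIs are assumed; the package, the field and component names, the Index target page, and injection of the AuthenticationManager bean through tapestry-spring are assumptions.

```java
// Added example, not from the thread: a Tapestry 5 login page for the
//   <security:intercept-url pattern="/login/**" filters="none"/>
// setup. Assumes Spring Security 2.0.x and Tapestry 5.0.x; the package,
// field/component names and the Index page are illustrative, and the
// AuthenticationManager bean is assumed to be injectable via tapestry-spring.
package com.example.pages;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.tapestry5.annotations.Component;
import org.apache.tapestry5.annotations.Property;
import org.apache.tapestry5.corelib.components.Form;
import org.apache.tapestry5.corelib.components.PasswordField;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.services.RequestGlobals;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextImpl;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

public class Login {

    @Property private String username;
    @Property private String password;

    @Component private Form loginForm;
    @Component(id = "password") private PasswordField passwordField;

    @Inject private AuthenticationManager authenticationManager;
    @Inject private RequestGlobals requestGlobals;

    Object onSuccessFromLoginForm() {
        Authentication result;
        try {
            result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        } catch (AuthenticationException e) {
            // One message for every failure, so the response does not reveal
            // whether the username exists or the account is locked.
            loginForm.recordError(passwordField, "Invalid username or password");
            return null; // re-render the login page with the error
        }

        // Rotate the session on the privilege change: a session id planted
        // before login (session fixation) becomes worthless, and state left
        // by a previous user of this browser does not survive the re-login.
        HttpServletRequest req = requestGlobals.getHTTPServletRequest();
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);

        // The filter chain did not run for /login/**, so store the context
        // ourselves where HttpSessionContextIntegrationFilter will find it on
        // the next request that does pass through the chain.
        SecurityContext ctx = new SecurityContextImpl();
        ctx.setAuthentication(result);
        fresh.setAttribute(
            HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY, ctx);

        // Deliberately not calling SecurityContextHolder.setContext(ctx): with
        // no filter on this URL nothing would clear the thread-local at the end
        // of the request, and the redirect below re-enters the chain anyway.
        return Index.class;
    }
}
```

Keep the exempted pattern as narrow as the login page itself; `/login/**` must not also match anything that needs protection, and in the 2.0 namespace `intercept-url` entries are matched in declaration order with the first match winning, so the exemption has to come before any broader pattern such as `/**`. The ASO can then be assigned on this page after the `invalidate()`, or built lazily from the stored SecurityContext as Jonathan suggests elsewhere in the thread.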



Re: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread rs1050

I was using tapestry-spring-security. 
-- 
View this message in context: 
http://www.nabble.com/tapestry-spring-security%3A-how-to-set-ASO-on-successful-login--tp20865863p20885666.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread Jonathan Barker

My 'loginform.url' points to /login.  I've also looked at the source for
the new tapestry-spring-security and I don't see much for differences.

I noticed a post by Martijn asking how you configured Spring Security.  If
you are using tapestry-spring-security, you don't need to do the usual
Spring configuration so I could see you running into problems there if you
did that.

Yes, all un-authenticated requests go to my login page.  I also use the
SavedRequest from Acegi to continue on to the desired page with the correct
parameters, if possible.


Here's a chunk of my login page:


// Acegi-era imports implied by the class names used below
import java.net.MalformedURLException;
import java.net.URL;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.AbstractProcessingFilter;
import org.acegisecurity.ui.savedrequest.SavedRequest;
import org.apache.tapestry5.services.Session;

// _username, _password, _form, _passwordField, _authenticationManager,
// _requestGlobals, _request and logger are fields of the page class,
// declared elsewhere in it.
public Object onSuccessFromLoginForm() {

    UsernamePasswordAuthenticationToken authRequest =
        new UsernamePasswordAuthenticationToken(_username, _password);
    Authentication authResult;

    try {
        authResult = _authenticationManager.authenticate(authRequest);
        logger.info("successful login for: " + _username);
    } catch (BadCredentialsException failed) {
        // same user-visible message for every failure: the log, not the
        // response, distinguishes a bad password from other failures
        _form.recordError(_passwordField, "Invalid username or password");
        logger.info("bad password for: " + _username);
        return null;
    } catch (AuthenticationException failed) {
        _form.recordError(_passwordField, "Invalid username or password");
        logger.info("failed login for: " + _username);
        return null;
    }

    // get the saved request before we trash the session
    SavedRequest savedRequest = (SavedRequest) _requestGlobals
        .getHTTPServletRequest().getSession()
        .getAttribute(AbstractProcessingFilter.ACEGI_SAVED_REQUEST_KEY);

    // make sure the user state gets cleared
    // and problems with anonymous auth
    Session s = _request.getSession(false);
    if (s != null) {
        s.invalidate();
    }
    s = _request.getSession(true);

    SecurityContextHolder.getContext().setAuthentication(authResult);

    if (savedRequest != null) {
        // the saved request was recorded by the security filter from the
        // original, unauthenticated request for a protected page
        try {
            URL url = new URL(savedRequest.getRequestURL());
            return url; // Tapestry redirects to a returned URL
        } catch (MalformedURLException e) {
            logger.error("malformed url: " + savedRequest.getRequestURI());
            // fall through to the default landing page
        }
    }
    return Summary.class;
}




 -Original Message-
 From: rs1050 [mailto:[EMAIL PROTECTED]
 Sent: Sunday, December 07, 2008 15:14
 To: users@tapestry.apache.org
 Subject: RE: tapestry-spring-security: how to set ASO on successful login?
 
 
 Thank you Jonathan,
 
 My login page is 'user/login', and this is what i have in configuration of
 spring-security:
 
 configuration.add(spring-security.loginform.url, /user/login);
 configuration.add(spring-security.failure.url,
 /user/login/failed);
 
 Then spring-security hijacks all submits from login page. I did not do any
 custom filter creation in addition to that. In your application, what is
 the
 'loginform.url'? Does it point to the actual tapestry login page?
 
 Assuming that in your case spring-security does *not* hijack the submits
 from the login page, does it still redirect to the login page if a user tries
 to access some other secured page without being authenticated?
 
 Thank you.
 R.
 --
 View this message in context: http://www.nabble.com/tapestry-spring-
 security%3A-how-to-set-ASO-on-successful-login--tp20865863p20885230.html
 Sent from the Tapestry - User mailing list archive at Nabble.com.
 
 





RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread rs1050

Why do you expect that the session already exists so that you have to
invalidate it? Does spring-security create it automatically?

 Session s = _request.getSession(false);
 s.invalidate();
 s = _request.getSession(true);

-- 
View this message in context: 
http://www.nabble.com/tapestry-spring-security%3A-how-to-set-ASO-on-successful-login--tp20865863p20888463.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread Jonathan Barker
IIRC, the default configuration for tapestry-acegi resulted in
ROLE_ANONYMOUS being given to unauthenticated users.  That resulted in the
creation of the session.

Also, I hit issues in testing where I would go back to the login page and
log in as a different user.  Unfortunately, I still had page state left over
from the original login, so now I invalidate the session to clear any
user-specific state.

Jonathan

 -Original Message-
 From: rs1050 [mailto:[EMAIL PROTECTED]
 Sent: Sunday, December 07, 2008 20:58
 To: users@tapestry.apache.org
 Subject: RE: tapestry-spring-security: how to set ASO on successful login?
 
 
 Why do you expect that the session already exists so that you have to
 invalidate it? Does spring-security create it automatically?
 
  Session s = _request.getSession(false);
  s.invalidate();
  s = _request.getSession(true);
 
 --
 View this message in context: http://www.nabble.com/tapestry-spring-
 security%3A-how-to-set-ASO-on-successful-login--tp20865863p20888463.html
 Sent from the Tapestry - User mailing list archive at Nabble.com.
 
 





RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread rs1050

Off topic: is there a way of instructing spring-security not to create a
session before authentication (kind of 'no role at all' rather than
ROLE_ANONYMOUS)? I am thinking about a web site with big traffic - creation
of too many sessions for public pages will really slow it down...


Jonathan Barker wrote:
 
 IIRC, the default configuration for tapestry-acegi resulted in
 ROLE_ANONYMOUS being given to unauthenticated users.  That resulted in the
 creation of the session.
 

-- 
View this message in context: 
http://www.nabble.com/tapestry-spring-security%3A-how-to-set-ASO-on-successful-login--tp20865863p20888633.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-07 Thread Jonathan Barker
Short answer: I don't know.

I have, for various reasons, maintained a slightly modified version of the
tapestry5-acegi project.  I will likely do the same for
tapestry-spring-security.  If you look at the source for

 nu.localhost.tapestry5.springsecurity.services.SecurityModule

you will see where the AnonymousAuthenticationProcessingFilter is hooked in.
You could leave it out.

You should also know that the HttpSessionContextIntegrationFilter is
responsible for moving SecurityContext information back and forth to the
HttpSession.  I'm not sure under what circumstances you will cause a session
to be created - probably anything that puts something in the
SecurityContext.

OTOH, that won't solve the issue of Tapestry creating the session to store
the validation tracker for the Login form.  There have been various
conversations about session-less strategies on the list.

Jonathan


 -Original Message-
 From: rs1050 [mailto:[EMAIL PROTECTED]
 Sent: Sunday, December 07, 2008 21:23
 To: users@tapestry.apache.org
 Subject: RE: tapestry-spring-security: how to set ASO on successful login?
 
 
 Off topic: is there a way of instructing spring-security not to create a
 session before authentication (kind of 'no role at all' rather than
 ROLE_ANONYMOUS)? I am thinking about a web site with big traffic -
 creation
 of too many sessions for public pages will really slow it down...
 
 
 Jonathan Barker wrote:
 
  IIRC, the default configuration for tapestry-acegi resulted in
  ROLE_ANONYMOUS being given to unauthenticated users.  That resulted in
 the
  creation of the session.
 
 
 --
 View this message in context: http://www.nabble.com/tapestry-spring-
 security%3A-how-to-set-ASO-on-successful-login--tp20865863p20888633.html
 Sent from the Tapestry - User mailing list archive at Nabble.com.
 
 





RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-06 Thread rs1050

Thank you.

You could work with the ASO in the relevant onSuccess method. - I wish I
could - my onSuccess method for my Login page is *not* being called b/c the
tapestry-spring-security filter hijacks the request to that URL. Once
spring-security's filter (and it is not a Tapestry filter) starts
processing the request, I need to be able to do something with the ASO. 

Currently I am planning to subclass
org.springframework.security.ui.webapp.AuthenticationProcessingFilter and
override the onSuccessfulAuthentication method to create the ASO. In order to
do that I need a reference to ApplicationStateManager. However, I can't figure
out a way to get it except for a very ugly one:

1. I create a TapestryExposer eager service, which on construction
remembers the ApplicationStateManager passed to the constructor and sets
itself into a Spring-defined bean called 'TapestryExposerHolder'
2. in my custom spring-security filter's (non-tapestry filter)
onSuccessfulAuthentication method I look up TapestryExposerHolder, and from
it get TapestryExposer, and from that I get ApplicationStateManager.
ugh.

If anyone can come up with a cleaner way of doing something with the ASO after
successful authentication by spring security, it is really appreciated.

R.
-- 
View this message in context: 
http://www.nabble.com/tapestry-spring-security%3A-how-to-set-ASO-on-successful-login--tp20865863p20874204.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





Re: tapestry-spring-security: how to set ASO on successful login?

2008-12-05 Thread rs1050

sorry, instead of "and my Index java page in never called" I meant "and my
Login java page is never called".
-- 
View this message in context: 
http://www.nabble.com/tapestry-spring-security%3A-how-to-set-ASO-on-successful-login--tp20865863p20865881.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





RE: tapestry-spring-security: how to set ASO on successful login?

2008-12-05 Thread Jonathan Barker

It is possible to update your old code to bypass traditional Acegi
processing and use the authentication manager directly.

One relevant thread is here:

http://thread.gmane.org/gmane.comp.java.tapestry.user/59931/

(look for the post at 15:33 on Mar 28) with a critical missing bit here:

http://article.gmane.org/gmane.comp.java.tapestry.user/60045


You could work with the ASO in the relevant onSuccess method.

I should also point you to:

http://www.nabble.com/Accessing-ApplicationStateManager-from-within-a-Filter-td20274449.html#a20324607

Part of this thread flips things around and puts all the ASO creation work
into a contribution to the Application State Manager.


Jonathan



 -Original Message-
 From: rs1050 [mailto:[EMAIL PROTECTED]
 Sent: Friday, December 05, 2008 20:59
 To: users@tapestry.apache.org
 Subject: tapestry-spring-security: how to set ASO on successful login?
 
 
 Hi,
 
 I would like to create and set ASO on successful login. Without using
 tapestry-spring-security my Login page looked like this:
 
 public class Login {
 
     Object onSuccess() {
         // authenticate() is the page's own credential check (not shown)
         boolean authResult = authenticate();
         if (authResult) {
             // create and set ASO 'myState'
         }
         return null; // re-render the page; the sketch as posted had no return
     }
 
     @ApplicationState(create=false)
     private MyState myState;
 }
 
 after integrating with tapestry-spring-security, spring security
 intercepts
 submits from the login form, and my Index java page is never called. I was
 thinking about providing my own AuthenticationProcessingFilter and there
 setting a new instance of the ASO in the http session manually, but it is
 very ugly because I will have to invoke this method from
 SessionApplicationStatePersistenceStrategy (which is private, so I will
 need
 to use reflection tricks to overcome, and you get the picture - it becomes
 really ugly):
 
 private <T> String buildKey(Class<T> asoClass)
 {
     return PREFIX + asoClass.getName();
 }
 
 Any help is appreciated.
 R.
 --
 View this message in context: http://www.nabble.com/tapestry-spring-
 security%3A-how-to-set-ASO-on-successful-login--tp20865863p20865863.html
 Sent from the Tapestry - User mailing list archive at Nabble.com.
 
 

