[Acegisecurity-developer] response.sendRedirect and lack of response.encodeRedirectURL

2004-05-26 Thread Colin Sampaleanu
Ben,
I think we need to change the existing code which does something like:
 response.sendRedirect(x)
to
 response.sendRedirect(response.encodeRedirectURL(x))
The existing code is not going to work properly for people who have 
turned off cookies, or environments (like some mobile phones) which 
don't support cookies at all.

Without the encodeRedirectURL call, the servlet engine will not add the
   ';jsessionid='
it always needs to add in the initial response before a new session has 
been created (at that point it doesn't know if cookies are available), 
and which it also needs to add later in case cookies do in fact turn out 
to not be available.

I'm too busy right now to do this myself, but wanted to mention it here 
so we don't forget...

Colin

---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


RE: [Acegisecurity-developer] Standards-based Access Control (XACML, RBAC)

2004-05-26 Thread Ben Alex
> have you considered providing XACML and RBAC support in Acegi?

I did look at similar standards during the design phase of Acegi. Not all of
them, but certainly quite a few.

I ended up going with a solution that would fit our internal needs but be
reasonably extensible/pluggable. I'd certainly welcome code from the
community which illustrates these alternative approaches and how they might
plug into Acegi Security.

Best regards
Ben





RE: [Acegisecurity-developer] response.sendRedirect and lack of response.encodeRedirectURL

2004-05-26 Thread Ben Alex
Hi Colin

> I think we need to change the existing code which does something like:
>   response.sendRedirect(x)
> to
>   response.sendRedirect(response.encodeRedirectURL(x))

I just committed changes that do this. I left out the CAS entry point, as it
redirects to a different context or web server. If I've missed any others,
please feel free to add...

Best regards
Ben
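
Added example, not part of the original thread and not Acegi or container code: a simplified Java model of the decision a servlet container makes inside `encodeRedirectURL()`, covering both the cookie case Colin describes and the external-redirect case Ben left unencoded. The class name, `CONTEXT_BASE`, `SESSION_ID` and the URLs are constructed for illustration.

```java
import java.net.URI;

// Simplified model of HttpServletResponse.encodeRedirectURL(); illustrative only.
public class RedirectEncodingModel {

    // Constructed values standing in for container state.
    static final String CONTEXT_BASE = "http://app.example.test/myapp";
    static final String SESSION_ID = "A1B2C3";

    /** True when the redirect target lies inside this web application's context. */
    static boolean sameContext(String url) {
        URI base = URI.create(CONTEXT_BASE);
        URI target = URI.create(CONTEXT_BASE + "/").resolve(url);
        String path = target.getPath();
        return base.getHost().equals(target.getHost())
                && base.getPort() == target.getPort()
                && path != null
                && (path.equals(base.getPath()) || path.startsWith(base.getPath() + "/"));
    }

    static String encodeRedirectURL(String url, boolean hasSession, boolean idCameFromCookie) {
        // Nothing to add without a session, once the browser has returned the
        // session cookie, or when the target is outside this context.
        if (!hasSession || idCameFromCookie || !sameContext(url)) {
            return url;
        }
        // ";jsessionid=" is a path parameter, so it goes before any query or fragment.
        int cut = url.length();
        int q = url.indexOf('?');
        int f = url.indexOf('#');
        if (q >= 0) cut = Math.min(cut, q);
        if (f >= 0) cut = Math.min(cut, f);
        return url.substring(0, cut) + ";jsessionid=" + SESSION_ID + url.substring(cut);
    }

    public static void main(String[] args) {
        String internal = "/myapp/secure/index.jsp?tab=1";
        String external = "https://cas.example.test/cas/login";
        // First response after the session is created: cookie support unknown.
        System.out.println(encodeRedirectURL(internal, true, false));
        // Later request on which the session cookie came back.
        System.out.println(encodeRedirectURL(internal, true, true));
        // Redirect to a different server: left untouched.
        System.out.println(encodeRedirectURL(external, true, false));
    }
}
```

A rewritten URL carries the session identifier in the address itself, so it appears wherever URLs are recorded (access logs, browser history, `Referer` headers); leaving redirects to another server unencoded keeps the identifier from being handed to that server.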





Re: [Acegisecurity-developer] Standards-based Access Control (XACML, RBAC)

2004-05-26 Thread Luke Taylor
Does anyone actually use XACML in practice? It seemed pretty complicated 
when I looked at it and I couldn't see any benefits for our project. For 
example, the equivalent of

"if (action = 'read' )" expressed in XACML was

  
   http://www.w3.org/2001/XMLSchema#string)http://www.w3.org/2001/XMLSchema#string";>read 

  http://www.w3.org/2001/XMLSchema#string)http://www.w3.org/2001/XMLSchema#string"/> 

   

Luke.

Ben Alex wrote:
> > have you considered providing XACML and RBAC support in Acegi?
>
> I did look at similar standards during the design phase of Acegi. Not all of
> them, but certainly quite a few.
>
> I ended up going with a solution that would fit our internal needs but be
> reasonably extensible/pluggable. I'd certainly welcome code from the
> community which illustrates these alternative approaches and how they might
> plug into Acegi Security.
>
> Best regards
> Ben

--
 Luke Taylor.  Monkey Machine Ltd.
 PGP Key ID: 0x57E9523C    http://www.monkeymachine.ltd.uk



RE: [Acegisecurity-developer] Standards-based Access Control (XACML, RBAC)

2004-05-26 Thread Ben Alex

> Does anyone actually use XACML in practice? It seemed pretty 
> complicated when I looked at it and I couldn't see any 
> benefits for our project.

Exactly why I gave it a miss. :-)

It's a bit like comparing CAS and Project Liberty. The former is an elegant,
simple solution you can get your head around in about an hour, and it meets
most real-world needs.

Cheers
Ben


