Re: [Acegisecurity-developer] Preparing for 0.6 release

2004-08-04 Thread Ben Alex
March, Andres wrote:
> I am still wondering about the usage of the acl stuff.  I see in your
> test how the GrantedAuthorityEffectiveAclsResolver can be used directly
> but would it be worthwhile to provide a voter that can perform acl
> authorization?
>
> I will be writing one in about 3 weeks but I am sure 0.6 can't wait for
> that.

Hi Andres
The challenge is we'd really need to provide a sample application for 
the ACL integration to make any sense. An ACL voter without sample data 
and something people can try probably isn't going to help much more than 
what is already written up in the reference guide. The existing Contacts 
sample cannot be used without making it JDBC-backed (it's presently 
HashMap-backed).

I am writing a sample application that will take advantage of the ACL 
package, but as my time is limited and I'm also involved with the Spring 
RCP project, I'm killing two birds with the one stone by integrating the 
ACL sample into Petclinic RCP. This should be done very soon (we have 
some RCP lifecycle changes to make first).

Best regards
Ben

---
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] Best place to enforce password policies?

2004-08-04 Thread Ben Alex
Andy Depue wrote:
> I've implemented security in my web application using Acegi security.  I'm in
> the process now of implementing a very simple password policy (basically, the
> administrator has the ability to set a flag on the user to force them to
> change their password the next time they log in).  In the grand scheme of
> Acegi, where would be the best place to implement this?  I'm tempted to
> create my own filter that runs after Acegi's authentication processing filter
> that checks if the current user has this flag set and, if so, redirects them
> to the change password page.  Is there a better place to do this?
>
> Thanks,
>  Andy

Hi Andy
  
I'd do it the way you've suggested. There aren't any existing hooks for 
this behaviour. We could probably add one into AbstractProcessingFilter 
if you prefer.

Best regards
Ben



RE: [Acegisecurity-developer] Preparing for 0.6 release

2004-08-04 Thread March, Andres
I am still wondering about the usage of the acl stuff.  I see in your
test how the GrantedAuthorityEffectiveAclsResolver can be used directly
but would it be worthwhile to provide a voter that can perform acl
authorization?

I will be writing one in about 3 weeks but I am sure 0.6 can't wait for
that.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Ben Alex
> Sent: Tuesday, August 03, 2004 11:46 PM
> To: [EMAIL PROTECTED]
> Subject: [Acegisecurity-developer] Preparing for 0.6 release
> 
> Hi everyone
> 
> Today I upgraded Acegi Security CVS to Spring 1.1 RC 1 JARs and the
> integration tests system has shown no incompatibilities.
> 
> It's almost time to release version 0.6:
> 
> - Unit tests and container integration tests pass
> - The upgrade-05-06.txt file is complete
> - Unit test coverage is 97.7% (ant clover.html)
> - There is now a complete maven.xml, so we'll ask for inclusion in Ibiblio
> - There are no outstanding issues AFAIK
> - Bug reports have become very infrequent, suggesting any major issues
> have been fixed
> 
> Aside from increasing documentation (specifically covering the JAAS
> provider and EL taglib usage) I think we're pretty much ready to release
> 0.6.
> 
> Do people agree we're ready to release, or are there any other comments?
> 
> Best regards
> Ben






Re: [Acegisecurity-developer] Preparing for 0.6 release

2004-08-04 Thread ray . krueger

Unfortunately I've been pretty swamped at work as of late, and haven't had the opportunity to put together any external documentation on the Jaas provider.
The classes are pretty heavily javadoc'd, and are not that complex at all really. The only real complexity is Jaas itself, more so than knowing how to use the Acegi Jaas Provider.
If someone wanted to extract the javadoc information into the docbook that would be great, and much appreciated :)
-Ray Krueger
 
-- Original message --
> Hi everyone
>
> Today I upgraded Acegi Security CVS to Spring 1.1 RC 1 JARs and the
> integration tests system has shown no incompatibilities.
>
> It's almost time to release version 0.6:
>
> - Unit tests and container integration tests pass
> - The upgrade-05-06.txt file is complete
> - Unit test coverage is 97.7% (ant clover.html)
> - There is now a complete maven.xml, so we'll ask for inclusion in Ibiblio
> - There are no outstanding issues AFAIK
> - Bug reports have become very infrequent, suggesting any major issues
> have been fixed
>
> Aside from increasing documentation (specifically covering the JAAS
> provider and EL taglib usage) I think we're pretty much ready to release
> 0.6.
>
> Do people agree we're ready to release, or are there any other comments?
>
> Best regards
> Ben


[Acegisecurity-developer] Best place to enforce password policies?

2004-08-04 Thread Andy Depue
I've implemented security in my web application using Acegi security.  I'm in 
the process now of implementing a very simple password policy (basically, the 
administrator has the ability to set a flag on the user to force them to 
change their password the next time they log in).  In the grand scheme of 
Acegi, where would be the best place to implement this?  I'm tempted to 
create my own filter that runs after Acegi's authentication processing filter 
that checks if the current user has this flag set and, if so, redirects them 
to the change password page.  Is there a better place to do this?

Thanks,
  Andy
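The filter Andy describes (and that Ben endorses in his reply in this thread), written out as an added example; it is not code from the thread or from Acegi Security itself. It assumes Acegi 0.x package names (net.sf.acegisecurity.Authentication and net.sf.acegisecurity.context.Context, ContextHolder and SecureContext), a hypothetical PasswordPolicyUser interface that the application's principal implements to expose the administrator-set flag, and an assumed /changePassword.htm page:

```java
package example.passwordpolicy;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumption: Acegi Security 0.x package layout.
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.SecureContext;

/**
 * Hypothetical principal type (an assumption of this example): the
 * application's AuthenticationDao returns principals implementing it,
 * carrying the administrator-set "change password at next login" flag.
 */
interface PasswordPolicyUser {
    boolean isPasswordChangeRequired();
}

/**
 * Mapped in web.xml after Acegi's authentication processing filter, so the
 * ContextHolder is already populated. If the authenticated principal must
 * change its password, every request other than the change-password page
 * itself is redirected there.
 */
public class ForcePasswordChangeFilter implements Filter {

    /** Assumed location of the change-password page; overridable in web.xml. */
    private String changePasswordUrl = "/changePassword.htm";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("changePasswordUrl");
        if (configured != null) {
            changePasswordUrl = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (mustChangePassword(currentAuthentication())
                && !isChangePasswordRequest(request)) {
            // Redirect rather than forward: the browser's URL changes and the
            // change-password page's own request passes through the chain again.
            response.sendRedirect(request.getContextPath() + changePasswordUrl);
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }

    /** The Authentication Acegi stored for this thread, or null when there is none. */
    static Authentication currentAuthentication() {
        Context context = ContextHolder.getContext();
        if (!(context instanceof SecureContext)) {
            return null;
        }
        return ((SecureContext) context).getAuthentication();
    }

    /** Unauthenticated requests are left alone: the policy only applies once logged in. */
    static boolean mustChangePassword(Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        Object principal = authentication.getPrincipal();
        return principal instanceof PasswordPolicyUser
                && ((PasswordPolicyUser) principal).isPasswordChangeRequired();
    }

    /** The change-password page (GET and its POST) must be exempt, or the redirect loops. */
    boolean isChangePasswordRequest(HttpServletRequest request) {
        return request.getRequestURI().equals(
                request.getContextPath() + changePasswordUrl);
    }
}
```

Two things to check when wiring this in: any logout URL the application exposes needs the same exemption as the change-password page, otherwise a user who is forced to change a password cannot leave; and once the password has been changed, the flag on the principal held in the SecureContext must be cleared (or the user re-authenticated), or the redirect keeps firing on the next request.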




Re: [Acegisecurity-developer] Preparing for 0.6 release

2004-08-04 Thread Mark St Godard





+1  (I was waiting for the Websphere patch to the Authentication filter
from the HEAD :)

Good job Ben.



Ben Alex <[EMAIL PROTECTED]> wrote on 08/04/2004 01:46 AM
To: [EMAIL PROTECTED]
Subject: [Acegisecurity-developer] Preparing for 0.6 release

> Hi everyone
>
> Today I upgraded Acegi Security CVS to Spring 1.1 RC 1 JARs and the
> integration tests system has shown no incompatibilities.
>
> It's almost time to release version 0.6:
>
> - Unit tests and container integration tests pass
> - The upgrade-05-06.txt file is complete
> - Unit test coverage is 97.7% (ant clover.html)
> - There is now a complete maven.xml, so we'll ask for inclusion in Ibiblio
> - There are no outstanding issues AFAIK
> - Bug reports have become very infrequent, suggesting any major issues
> have been fixed
>
> Aside from increasing documentation (specifically covering the JAAS
> provider and EL taglib usage) I think we're pretty much ready to release
> 0.6.
>
> Do people agree we're ready to release, or are there any other comments?
>
> Best regards
> Ben









Re: [Acegisecurity-developer] Re: AccessDeniedException

2004-08-04 Thread Ben Alex
[EMAIL PROTECTED] wrote:
> Ben,
> *Still having trouble submitting to the forum / keeps bouncing back...*
> Thanks for your reply.  First, you were right about my HibernateDAO.  It
> was not using the same credentials as the in-memory representation.  In
> fact the user that I was pulling back did not have any roles associated
> with it that began with ROLE_.  As soon as I added a fake role (ROLE_NONE)
> I got the expected behavior that I was looking for with my HibernateDAO
> object.  An AccessDeniedException was thrown to the client which is what I
> wanted instead of a 403 error.  However, now I am a little confused about
> how I am using this framework.  Do I have to supply at least one role for
> each principal so that role voting can work and throw this exception?
> Also, I have the following configuration in my spring config file:
>

Hi Mark
The User object requires the GrantedAuthority[]s to be non-null. This is
just so we have a convenient place to ensure AuthenticationDaos are
creating valid objects.
The broader content of your email concerns the difference between
authentication and authorization. Basically a FilterSecurityInterceptor
or MethodSecurityInterceptor will check the ((SecureContext)
ContextHolder.getContext()).getAuthentication(), and if null, it will
consider a request unauthenticated and throw an AuthenticationException.
If an Authentication instance was returned, instead it will delegate to
an AccessDecisionManager, which typically iterates the
Authentication.getAuthority()s. If the Authentication does not have the
required GrantedAuthority, it will throw an AccessDeniedException.
Sitting at the filter level, the SecurityEnforcementFilter catches both
AccessDeniedException and AuthenticationException. If the latter, it
will delegate to an AuthenticationEntryPoint (which in BASIC
authentication will send a 401). If the former, it will call:
   protected void sendAccessDeniedError(ServletRequest request,
   ServletResponse response) throws IOException
The above method was added yesterday to assist fully controlling the
behaviour. The default implementation sends a SC_FORBIDDEN response (i.e.
code 403).
This approach is analogous to a typical web browser operating with BASIC
authentication. You visit a site, and hit a protected resource. You're
prompted to login. Then you move around the site and every access
decision is made based on that existing login. If you try to access a
resource for which you have no permissions, you get a 403 error message.
To resolve the 403, you'd need to logout (close your browser) and login
again with an appropriate account.
Not sure how all of this impacts you, but I hope this explanation of
behaviour helps.
Best regards
Ben
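The decision chain Ben lays out above, traced end to end as an added plain-JDK model. This is example code, not Acegi's own classes: the nested types reuse Acegi's names only so each step can be matched to the explanation, and the role check is a simplified, affirmative stand-in for a RoleVoter-backed AccessDecisionManager. The main method runs three constructed requests against a resource requiring ROLE_ADMIN: no Authentication at all, an Authentication holding only ROLE_NONE, and one holding ROLE_ADMIN.

```java
package example.enforcement;

/**
 * Added illustration (not Acegi code) of: interceptor -> AccessDecisionManager
 * -> AuthenticationException / AccessDeniedException -> SecurityEnforcementFilter
 * -> HTTP status. All types here are simplified stand-ins.
 */
public class EnforcementFlowDemo {

    /** Raised by the interceptor when no Authentication is held in the context. */
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String message) { super(message); }
    }

    /** Raised when an Authentication exists but lacks a required authority. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    /** Stand-in for Authentication: a principal plus its GrantedAuthority names. */
    static class Authentication {
        final String principal;
        final String[] authorities;

        Authentication(String principal, String[] authorities) {
            // Same rule as Acegi's User: GrantedAuthority[] must be non-null (it may be
            // empty), so an AuthenticationDao that builds bad objects fails early.
            if (authorities == null) {
                throw new IllegalArgumentException("GrantedAuthority[] must be non-null");
            }
            this.principal = principal;
            this.authorities = authorities;
        }

        boolean holds(String authority) {
            for (int i = 0; i < authorities.length; i++) {
                if (authorities[i].equals(authority)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Stand-in for an affirmative, role-based AccessDecisionManager. */
    static void decide(Authentication auth, String[] requiredRoles) {
        for (int i = 0; i < requiredRoles.length; i++) {
            if (auth.holds(requiredRoles[i])) {
                return; // one matching authority is enough to grant access
            }
        }
        throw new AccessDeniedException(auth.principal + " holds none of the required roles");
    }

    /** Stand-in for FilterSecurityInterceptor / MethodSecurityInterceptor. */
    static void intercept(Authentication auth, String[] requiredRoles) {
        if (auth == null) {
            throw new AuthenticationException("no Authentication in the SecureContext");
        }
        decide(auth, requiredRoles);
    }

    /**
     * Stand-in for SecurityEnforcementFilter: an AuthenticationException goes to the
     * AuthenticationEntryPoint (401 under BASIC), an AccessDeniedException to
     * sendAccessDeniedError (SC_FORBIDDEN, 403); otherwise the request proceeds (200).
     */
    static int enforce(Authentication auth, String[] requiredRoles) {
        try {
            intercept(auth, requiredRoles);
            return 200;
        } catch (AuthenticationException e) {
            return 401;
        } catch (AccessDeniedException e) {
            return 403;
        }
    }

    public static void main(String[] args) {
        String[] needsAdmin = { "ROLE_ADMIN" };
        // Constructed scenarios: unauthenticated, authenticated with the wrong role,
        // authenticated with the right role.
        report("anonymous", enforce(null, needsAdmin));
        report("mark/ROLE_NONE",
                enforce(new Authentication("mark", new String[] { "ROLE_NONE" }), needsAdmin));
        report("ben/ROLE_ADMIN",
                enforce(new Authentication("ben", new String[] { "ROLE_ADMIN" }), needsAdmin));
    }

    static void report(String who, int status) {
        System.out.println(who + " -> HTTP " + status);
    }
}
```

Compile and run it with javac and java. The point the model makes visible is the one in Ben's explanation: an Authentication with a non-null but non-matching authority array is still an authenticated user, so its failure is an authorization failure (AccessDeniedException, 403) rather than an authentication failure (AuthenticationException, handled by the entry point), and only a missing Authentication takes the 401 path.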
