[Acegisecurity-developer] acegi & Mysql

2005-05-20 Thread Marco Mistroni
hello all,
 i am trying to run acegi contacts sample with MySQL, and i am getting
errors during initialization due to dataSourcePopulator.
Looks like MySQL 4.1 does not accept the syntax used by populator.. 
i don't have source files for contacts, so best i can do is to disable
dataSourcePopulator and create tables myself..
anyone has sample sql of tables that need to be created?

thanx and regards
 marco


---
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] acegi & Mysql

2005-05-20 Thread Ben Alex
Marco Mistroni wrote:
> hello all,
> i am trying to run acegi contacts sample with MySQL, and i am getting
> errors during initialization due to dataSourcePopulator.
> Looks like MySQL 4.1 does not accept the syntax used by populator..
> i don't have source files for contacts, so best i can do is to disable
> dataSourcePopulator and create tables myself..
> anyone has sample sql of tables that need to be created?
>
> thanx and regards
> marco
 

Hi Marco
Try:
http://forum.springframework.org/viewtopic.php?t=1346
http://forum.springframework.org/viewtopic.php?t=3750
http://forum.springframework.org/viewtopic.php?t=1061
http://forum.springframework.org/viewtopic.php?t=4665
Cheers
Ben


Re: [Acegisecurity-developer] retrieving users from session after authentication with acegi

2005-05-20 Thread Ben Alex
Marco Mistroni wrote:
> hello all,
> i want to use acegi security framework in my webapp
> in my app, after user has logged in, i am storing it into HttpSession,
> since i need the username for other part of my app that insert data
> into db.
> If i let acegi do the authentication/authorization, how can i
> retrieve the user after a successful authentication?
> i can get the Authenticated object from ContextHolder, and from there
> with getPrincipal i will get the username
> but how can i get hold of ContextHOLDER? is it stored into HttpSession?
> i plan to use Filters for integrating acegi with my app
> anyone can help?
 

If you use ContextHolder.getContext().getAuthentication() you will 
obtain the Authentication generated by your AuthenticationProvider. If 
using DaoAuthenticationProvider, the Authentication will actually 
provide a getPrincipal() method that will return the UserDetails 
instance that is provided by your AuthenticationDao. As such, you have 
an easy way to obtain a customisable user object without resorting to 
the HttpSession. In general, interacting with the HttpSession directly 
is considered poor practice. The HttpSessionContextIntegrationFilter is 
responsible for managing interaction between the ContextHolder and 
HttpSession, so it shouldn't be necessary for most application 
developers to worry about the HttpSession.

Cheers
Ben



[Acegisecurity-developer] retrieving users from session after authentication with acegi

2005-05-20 Thread Marco Mistroni
hello all,
  i want to use acegi security framework in my webapp
in my app, after user has logged in, i am storing it into HttpSession,
since i need the username for other part of my app that insert data
into db.
If i let acegi do the  authentication/authorization, how can i
retrieve the user after a successful authentication?
i can get the Authenticated object from ContextHolder, and from there
with getPrincipal i will get the username
but how can i get hold of ContextHOLDER? is it stored into HttpSession?

i plan to use Filters for integrating acegi with my app

anyone can help?

regards
  marco




[Acegisecurity-developer] SecurityContextImpl not Serializable

2005-05-20 Thread Tobias Järlund
Hi!
I'm trying out the latest code from CVS, and came across what seems like 
a bug. The new SecurityContext (and SecurityContextImpl) doesn't extend 
Serializable the way the old Context interface did. This causes problems 
when the SecurityContext is saved to the http session.

You should either have SecurityContext extend Serializable (like before) 
or have SecurityContextImpl implement it.

/4
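
The failure described in this message, reproduced as an added example that is not part of the original post or of Acegi Security's code. The classes below are hypothetical stand-ins (they are not Acegi classes), and `passivateAndRestore` mimics what a servlet container does when it persists or replicates session attributes with Java serialization.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class SessionSerializationDemo {
    // Hypothetical stand-in for an authentication token held by the context.
    static class DemoAuthentication implements Serializable {
        private static final long serialVersionUID = 1L;
        final String principal;
        DemoAuthentication(String principal) { this.principal = principal; }
    }

    // Stand-in for a context class that does NOT implement Serializable.
    static class PlainContext {
        DemoAuthentication authentication = new DemoAuthentication("marco");
    }

    // Same content, but Serializable (the fix suggested in the message).
    static class SerializableContext implements Serializable {
        private static final long serialVersionUID = 1L;
        DemoAuthentication authentication = new DemoAuthentication("marco");
    }

    // Write all session attributes with Java serialization and read them back.
    @SuppressWarnings("unchecked")
    static Map<String, Object> passivateAndRestore(Map<String, Object> attrs)
            throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new HashMap<>(attrs));
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(buf.toByteArray()))) {
            return (Map<String, Object>) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>();
        session.put("DEMO_CONTEXT_KEY", new PlainContext()); // constructed key
        try {
            passivateAndRestore(session);
        } catch (NotSerializableException e) {
            // The whole attribute map fails, so the login state is lost.
            System.out.println("cannot persist session: " + e.getMessage());
        }
        session.put("DEMO_CONTEXT_KEY", new SerializableContext());
        SerializableContext restored = (SerializableContext)
                passivateAndRestore(session).get("DEMO_CONTEXT_KEY");
        System.out.println("restored principal: " + restored.authentication.principal);
    }
}
```
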


Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

2005-05-20 Thread Venkat Sonnathi
Hi Ben,

On 5/19/05, Ben Alex <[EMAIL PROTECTED]> wrote:
> Venkat Sonnathi wrote:
> 
> >I am also a bit puzzled as to why we should reset the flag at the
> >start of each request? In a typical web app, authentication is done
> >once per session.
> >
> >Any pointers to how SecurityContext is propagated for RMI calls?
> >
> >
> >
> I agree, it shouldn't be required. The net.sf.acegisecurity.context.rmi
> package propagates a SecurityContext from the client-side to the
> server-side. The HttpSessionContextIntegrationFilter should not be used in
> such deployments, and therefore HttpSessionContextIntegrationFilter will
> not need to reset the flag at the start of each request.

Would this change be in the next release? I would be glad to help if you want.

> 
> In relation to your other email, I don't see the value of
> ProviderManager setting the flag. Doing so would mean each
> AuthenticationProvider implementation cannot make its own decision as to
> whether or not the Authentication should be treated as valid for the
> remainder of the request. For consistency with caching, I believe the
> setting of the flag should occur at the AuthenticationProvider level as
> it improves the prospects of as yet unknown authentication systems
> working correctly with Acegi Security. Do you have a specific reason why
> you'd prefer the ProviderManager set the flag?
> 
This was commented by Mansoor. I agree with you - ProviderManager
is not the right place for this.

Regards,
--Venkat.




[Acegisecurity-developer] Re: HttpSessionContextIntegrationFilter using session ID to detect new HttpSessions

2005-05-20 Thread Ben Alex
Hi Erik
> I've tried to subscribe to the mailing list, but sourceforge doesn't like my ISP
> for some reason.. I'm looking into it, but in the meantime I thought I would
> just e-mail you.
 

I've subscribed you manually. SF recently changed their spam filtering 
rules. Last week I too was unable to post to this list because, when you 
post, their server appears to evaluate the From: address. It connects to 
the From: address' mail server and does a RCPT TO. In my case, my server 
rejected SF's mail server doing a RCPT TO because SF's mail server was 
in the Spamcop real time block list. To get around it, I had to add SF's 
mail server to my whitelist of allowed mail servers. Thus it could RCPT 
TO (despite being blacklisted in Spamcop) and I could send messages. SF 
really need to address the spam issue. Every day I need to manually 
delete at least four spam messages that people try to send to this list. 
Even their new RCPT TO of the From: address isn't a solution, because 
the offending From: addresses are probably valid (being customer service 
addresses from well-known companies like PayPal and eBay). A solution 
that would work is replying to all messages posted by non-members of a 
list, and requiring them to manually confirm via an obfuscated image. 
This would automate a validation step that currently has to be manually 
done by project admins.

> There was a local variable added to HttpSessionContextIntegrationFilter called
> httpSessionExistedAtStartOfRequest. This is a great idea, but it wasn't quite
> enough for us. In order to facilitate a proper logout, we found the need to
> actually verify the sessionIDs of the session at the start & end of the filter,
> to see if they had changed. When we invalidated the current session, there
> were things in place that would cause a new one to be created- then ACEGI would
> pick up the new session and store the user in it. I'm not sure if that's
> expected behavior or not, but for us it was undesirable. Here is a patch we
> made that catches this scenario and makes sure the user stays logged out. (diff
> is against v0.8.1)
 

Could you please explain in a little more detail why the existing 
approach doesn't work properly for you? I am not sure this is an Acegi 
Security issue. The "things in place that would cause a new one to be 
created" probably need addressing instead. If you are invalidating a 
session, and then something else is re-generating it, I don't think 
making Acegi Security detect this and respond in a special way is the 
optimal approach. You'll have superfluous sessions lying around at 
best, so I'd firstly encourage looking at whatever is re-creating the 
session.

Cheers
Ben


[Acegisecurity-developer] Velocity security toolbox.

2005-05-20 Thread Achmad Arif Rachim
Hi guys, is there any plan to integrate the Velocity toolbox into springMacroRequestContext, like the JSP authz tag? thanx