Re: [Acegisecurity-developer] LDAP instead of DBMS

2005-05-23 Thread Ben Alex

mannobug wrote:


Hello all,
I kindly wanted to submit a question to you. I have to decide whether my application
has to do the authentication using the classical method, via JDBC to a DBMS,
or whether, as I would lean more toward, to use an external component, an LDAP
server. Has any of you used this type of solution, maybe using the
implementation of LdapPasswordAuthenticationDao? I think that this solution
is safer and more versatile in a university context. I thought that
office staff (a department secretary, for example) can use LDAP more easily than a
DBMS; for example, to use the users' info to send mail or for some other
office operation, they just open their mail client (e.g.) and connect
to the LDAP server.
Do you think it can be a good idea?

thanks everybody.
Kind regards


 

It really depends on whether your users will be requiring access solely 
to webapps that you can integrate with Acegi Security and/or CAS, or 
whether you'd like those same users to be able to access Unix logins, 
mail servers etc via non-HTTP means. If you want the broadest possible 
use of the login information, LDAP is a good base. If you're only 
concerned with a campus-wide series of webapps, using Acegi Security 
with CAS is probably best. Or, if you just want a single application to 
be secured, Acegi Security on its own would be easiest. I'm not sure 
administering an LDAP server would be easier for administrative 
assistants than say using a custom webapp that manages the 
authentication information in a DBMS. Most universities use some form of 
LDAP server, and given it's the most flexible approach, you're probably 
best off putting the authentication data in there, and using Acegi 
Security with its CAS module to handle most or all of your webapps.


Best regards
Ben


---
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] acegi & Mysql

2005-05-23 Thread Ben Alex

Marco Mistroni wrote:


Hello Ben,
 thanks for your reply
so if I don't use saltSource or passwordEncoder then I don't need to
encrypt anything, is that correct?
because I want to be able to add my users programmatically via web
interface, and at the same time I want to encrypt their password in
the database..
what I am missing is how to get the encrypted value... sorry, maybe
it's a little off-topic but I am a little new to encryption & security..




Hi Marco

When you initially save the password to your database, you'll need to 
perform the one-way hash. Just use the public method provided by your 
chosen PasswordEncoder implementation to do this.


Best regards
Ben
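
The hash-on-save step from the reply above, as an added example (not Acegi Security's code and not from the thread): a JDK-only stand-in whose `encodePassword` and `isPasswordValid` mirror the method names of Acegi's `PasswordEncoder`. The `password{salt}` merge format, the in-memory user table and the sample credentials are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class PasswordHashDemo {
    // Stand-in for the users table: username -> {salt, hex hash}. Constructed data.
    static final Map<String, String[]> users = new HashMap<>();

    // One-way hash of password and salt, hex encoded. The "password{salt}" merge is an assumption.
    // SHA-1 is one of the digests named in the thread; new systems would use a slow KDF (PBKDF2, bcrypt) here.
    static String encodePassword(String rawPass, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] digest = md.digest((rawPass + "{" + salt + "}").getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Login check: re-hash the submitted password with the stored salt, compare in constant time.
    static boolean isPasswordValid(String encPass, String rawPass, String salt) throws NoSuchAlgorithmException {
        byte[] expected = encPass.getBytes(StandardCharsets.UTF_8);
        byte[] actual = encodePassword(rawPass, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    // What an "add user" web form would call: hash once, store only the salt and the hash.
    static void register(String username, String rawPass) throws NoSuchAlgorithmException {
        byte[] saltBytes = new byte[16];
        new SecureRandom().nextBytes(saltBytes);
        String salt = new BigInteger(1, saltBytes).toString(16); // hex, so it never contains braces
        users.put(username, new String[] { salt, encodePassword(rawPass, salt) });
    }

    static boolean login(String username, String rawPass) throws NoSuchAlgorithmException {
        String[] row = users.get(username);
        return row != null && isPasswordValid(row[1], rawPass, row[0]);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        register("alice", "s3cret-example"); // constructed credentials
        System.out.println("stored hash: " + users.get("alice")[1]);
        System.out.println("correct password accepted: " + login("alice", "s3cret-example"));
        System.out.println("wrong password accepted:   " + login("alice", "wrong-guess"));
    }
}
```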




Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

2005-05-23 Thread Venkat Sonnathi
Hi Ben,

Please find attached the patch for AbstractSecurityInterceptor.java.
Basically, it checks to see if the existing authentication is already
authenticated or not and then invokes
authenticationManager.authenticate.

I am submitting a patch for the first time (cvs diff -Nar HEAD
AbstractSecurityInterceptor.java > abstract.patch), so please let me
know if you want me to re-create it in any other specific way.

Thanks,
--Venkat.

On 5/21/05, Ben Alex <[EMAIL PROTECTED]> wrote:
> Venkat Sonnathi wrote:
> 
> >Would this change be in the next release? I would be glad to help if you 
> >want.
> >
> >
> >
> Yes, it will be in 0.9.0. I have added it to my TODO list. You're
> welcome to email me patches based on current CVS if you would like to.
> 
> >This was commented by Mansoor. I agree with you - ProviderManager
> >is not the right place for this.
> >
> >
> Thanks for the clarification - my apologies for the confusion.
> 
> Best regards
> Ben
> 
> 
> 


abstract.patch
Description: Binary data


Re: [Acegisecurity-developer] acegi & Mysql

2005-05-23 Thread Marco Mistroni
Hello Ben,
  thanks for your reply
so if I don't use saltSource or passwordEncoder then I don't need to
encrypt anything, is that correct?
because I want to be able to add my users programmatically via web
interface, and at the same time I want to encrypt their password in
the database..
what I am missing is how to get the encrypted value... sorry, maybe
it's a little off-topic but I am a little new to encryption & security..

thanks in advance and regards
  marco



On 5/22/05, Ben Alex <[EMAIL PROTECTED]> wrote:
> Marco Mistroni wrote:
> 
> >Hello Ben,
> >  thanks, following those links I was able to see the 'power' of
> >acegi!! it's simply great!
> >I have one question though..
> >in one of the sample sql files, passwords were encrypted... and I was
> >wondering how to deal with encryption in acegi
> >1 - which encryption mechanism is used?
> >2 - if I want to add a new user, how do I encrypt its password?
> >3 - how and when (and which parameter is used) for encrypting the
> >password provided via the web to acegi so that the validity can be
> >checked against the database?
> >
> >is it the saltSource parameter of authenticationManager?
> >
> >
> >
> Acegi Security doesn't have any encryption libraries. Encryption is two
> directional, as in you can take unencrypted input, encrypt it, then
> decrypt it back to the original. Acegi Security uses one-way hash
> algorithms such as MD5 and SHA1, which take unencrypted input and
> generate a hash code. A hash code cannot be used to regenerate the
> original unencrypted input. The DaoAuthenticationProvider offers a
> PasswordEncoder property that handles all of this. It's discussed
> further at
> http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-provider-dao
> and in the JavaDocs.
> 
> >where can i get the sources of the Contacts application?
> >
> >
> CVS. Take a look at http://acegisecurity.sourceforge.net/cvs-usage.html.
> 
> Best regards
> Ben
> 
> 