Re: [Acegisecurity-developer] LDAP instead of DBMS
mannobug wrote:

> Hello all,
>
> I kindly wanted to submit a question to you. I have to decide whether my application should authenticate using the classical method, via JDBC to a DBMS, or whether, as I am more inclined, to use an external component, an LDAP server. Has any of you used this type of solution, maybe using the implementation of LdapPasswordAuthenticationDao? I think that this solution is safer and more versatile in a university context. I thought that an office (the department secretary, for example) can use LDAP more easily than a DBMS; for example, to use the users' info to send mail or for something else regarding office operations, they just open their mail client (e.g.) and connect to the LDAP server. Do you think it can be a good idea?
>
> Thanks everybody.
> Kind regards

It really depends on whether your users will be requiring access solely to webapps that you can integrate with Acegi Security and/or CAS, or whether you'd like those same users to be able to access Unix logins, mail servers etc. via non-HTTP means. If you want the broadest possible use of the login information, LDAP is a good base. If you're only concerned with a campus-wide series of webapps, using Acegi Security with CAS is probably best. Or, if you just want a single application to be secured, Acegi Security on its own would be easiest.

I'm not sure administering an LDAP server would be easier for administrative assistants than, say, using a custom webapp that manages the authentication information in a DBMS.

Most universities use some form of LDAP server, and given it's the most flexible approach, you're probably best off putting the authentication data in there, and using Acegi Security with its CAS module to handle most or all of your webapps.

Best regards
Ben

---
This SF.Net email is sponsored by Oracle Space Sweepstakes
Want to be the first software developer in space?
Enter now for the Oracle Space Sweepstakes!
http://ads.osdn.com/?ad_id=7412&alloc_id=16344&op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] acegi & Mysql
Marco Mistroni wrote:

> Hello Ben,
>
> Thanks for your reply. So if I don't use saltSource or passwordEncoder then I don't need to encrypt anything, is that correct? Because I want to be able to add my users programmatically via a web interface, and at the same time I want to encrypt their passwords in the database. What I am missing is how to get the encrypted value. Sorry, maybe it's a little off-topic, but I am a little new to encryption & security.

Hi Marco

When you initially save the password to your database, you'll need to perform the one-way hash. Just use the public method provided by your chosen PasswordEncoder implementation to do this.

Best regards
Ben

Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Hi Ben,

Please find attached the patch for AbstractSecurityInterceptor.java. Basically, it checks to see if the existing authentication is already authenticated or not and then invokes authenticationManager.authenticate.

I am submitting a patch for the first time (cvs diff -Nar HEAD AbstractSecurityInterceptor.java > abstract.patch), so please let me know if you want me to re-create it in any other specific way.

Thanks,
--Venkat.

On 5/21/05, Ben Alex <[EMAIL PROTECTED]> wrote:
> Venkat Sonnathi wrote:
>
> >Would this change be in the next release? I would be glad to help if you
> >want.
>
> Yes, it will be in 0.9.0. I have added it to my TODO list. You're
> welcome to email me patches based on current CVS if you would like to.
>
> >This was commented by Mansoor. I agree with you - ProviderManager
> >is not the right place for this.
>
> Thanks for the clarification - my apologies for the confusion.
>
> Best regards
> Ben

abstract.patch
Description: Binary data

Re: [Acegisecurity-developer] acegi & Mysql
Hello Ben,

Thanks for your reply. So if I don't use saltSource or passwordEncoder then I don't need to encrypt anything, is that correct? Because I want to be able to add my users programmatically via a web interface, and at the same time I want to encrypt their passwords in the database. What I am missing is how to get the encrypted value. Sorry, maybe it's a little off-topic, but I am a little new to encryption & security.

Thanks in advance and regards
marco

On 5/22/05, Ben Alex <[EMAIL PROTECTED]> wrote:
> Marco Mistroni wrote:
>
> >Hello Ben,
> > thanks, following those links I was able to see the 'power' of
> >Acegi!! It's simply great!
> >I have one question though..
> >In one of the sample SQL files, passwords were encrypted... and I was
> >wondering how to deal with encryption in Acegi
> >1 - which encryption mechanism is used?
> >2 - if I want to add a new user, how do I encrypt its password?
> >3 - how and when (and which parameter is used) for encrypting the
> >password provided via the web to Acegi so that the validity can be
> >checked against the database?
> >
> >Is it the saltSource parameter of authenticationManager?
>
> Acegi Security doesn't have any encryption libraries. Encryption is two
> directional, as in you can take unencrypted input, encrypt it, then
> decrypt it back to the original. Acegi Security uses one-way hash
> algorithms such as MD5 and SHA1, which take unencrypted input and
> generate a hash code. A hash code cannot be used to regenerate the
> original unencrypted input. The DaoAuthenticationProvider offers a
> PasswordEncoder property that handles all of this. It's discussed
> further at
> http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-provider-dao
> and in the JavaDocs.
>
> >where can I get the sources of the Contacts application?
>
> CVS. Take a look at http://acegisecurity.sourceforge.net/cvs-usage.html.
>
> Best regards
> Ben