[Acegisecurity-developer] AuthenticationFailureEvent?

2005-06-20 Thread Mark St Godard

I would post to the Acegi user list... however this is a framework
implementation question :)

I am looking into a hook point for Acegi, whereby I can update a user's
failed logon attempts (on failure) as well as zero out the user's failed
logon attempts on successful authentication.

My first instinct is to register an AuthenticationEvent, as I see Acegi
will send notifications / events at those interesting points.

I do see an event for AuthenticationSuccess...
(AuthenticationSuccessEvent)...

http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/providers/dao/event/AuthenticationEvent.html


However, for failed logons there are numerous events, more fine-grained
(which is good): account expired, account disabled, account locked, can't
find username, bad credentials, etc.

My question is then... do I handle all of the "failed" events?
Because there doesn't seem to be a common superclass or interface
implemented...

Is this by design, or is there something else I can hook into?

It's not bad... however I would have to look at 7 different failed events.
Plus, my other concern is that if a "new" failure event is created in the
framework, I would then need to modify my code again to handle that auth
failure event...

I am curious if I am missing something... Is there a single event that I
can handle for all failed authentication events, or do I have to handle
all 7?

Does it make sense for this to be refactored to have a single
AuthenticationFailureEvent (class or interface) with the 7 subclasses or
implementors?

i.e.

AuthenticationEvent
  AuthenticationSuccessEvent extends AuthenticationEvent
  AuthenticationFailureEvent extends AuthenticationEvent
(all auth fail events subclass the above, OR make an interface
(marker perhaps) for AuthenticationFailureEvent?)


Any thoughts?

Cheers,
Mark



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
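An added example, not code from Mark's post or from the Acegi project: a Spring ApplicationListener that keeps the per-user failed-logon counter he describes without naming the individual failure classes. It assumes, as his sketch implies, that every failure event extends AuthenticationEvent and that AuthenticationEvent exposes getAuthentication(); the in-memory Map stands in for a column on the user record.

```java
import java.util.HashMap;
import java.util.Map;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.event.AuthenticationEvent;
import net.sf.acegisecurity.providers.dao.event.AuthenticationSuccessEvent;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/**
 * Counts failed logons per username. Any AuthenticationEvent that is not an
 * AuthenticationSuccessEvent is treated as a failure, so a failure event added
 * to the framework later is counted without touching this class.
 * Register it as a bean; Spring delivers events to every ApplicationListener.
 */
public class FailedLogonCounter implements ApplicationListener {

    // Assumed store: an in-memory map stands in for the user table column.
    private final Map failedAttempts = new HashMap();

    public synchronized void onApplicationEvent(ApplicationEvent event) {
        if (!(event instanceof AuthenticationEvent)) {
            return; // unrelated Spring event (context refresh etc.)
        }
        // Assumption for 0.8.x: AuthenticationEvent exposes getAuthentication().
        Authentication auth = ((AuthenticationEvent) event).getAuthentication();
        String username = auth == null ? null : usernameOf(auth);
        if (username == null) {
            return; // nothing to attribute the attempt to
        }
        if (event instanceof AuthenticationSuccessEvent) {
            failedAttempts.remove(username); // reset on success
        } else {
            int n = getFailedAttempts(username);
            failedAttempts.put(username, new Integer(n + 1));
        }
    }

    public synchronized int getFailedAttempts(String username) {
        Integer n = (Integer) failedAttempts.get(username);
        return n == null ? 0 : n.intValue();
    }

    // The principal is the typed username on a request token, or a UserDetails
    // once the provider has populated the result; handle both.
    private static String usernameOf(Authentication auth) {
        Object p = auth.getPrincipal();
        if (p instanceof UserDetails) {
            return ((UserDetails) p).getUsername();
        }
        return p == null ? null : p.toString();
    }
}
```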


Re: [Acegisecurity-developer] How to use Acegi in this situation?

2005-06-20 Thread Marco Mistroni
Hello,
  some time ago Mr Andy Depue replied to my message on how to use
Acegi in a situation where the user does not log in (for example in
the case in which a background process, cron-like, periodically
executes).
In this situation, how will I create a ContextHolder to associate it
with the call?
How will I create a 'default user' (from Java code) so that I can
safely call my code and be authorized by Acegi?

Any help?

Thanks in advance and regards,
 Marco

On 6/10/05, Andy Depue <[EMAIL PROTECTED]> wrote:
> I have a very similar situation in my own application where our workflow
> engine can invoke (Acegi protected) service methods from a background task.
> This also arises when you are using JMS - your message receiver will execute
> without any user context, and yet often you need to call into service methods
> to handle the JMS message.  I'm not sure if this is the best approach, but in
> the case of our workflow engine, we created a specific workflow user.  In the
> case of JMS messages we encrypt the user's credentials into each message.  In
> the message handler we authenticate against those credentials for the
> duration of the message handler (the user is automatically unauthenticated
> once the message handler exits).
> 
>  - Andy
> 
> On Friday 10 June 2005 01:31 am, Marco Mistroni wrote:
> > Hello all,
> >  I have a webapp (Spring-based) that is used to insert some entries in
> > a MySQL database via a PersistenceManager.
> > I recently came across Acegi and I want to use it in my application,
> > so the proper place in which to put permissions will be PersistenceManager.
> > There is however a small problem with that.
> > In my application, I am using the Quartz job scheduler, and some of the
> > jobs scheduled use PersistenceManager in order to update my database
> > (yes, I am lazy, I have my code update the database for me
> > automatically)..
> > Now, here is the challenge: normally, a user logs in and inserts
> > entries in the database via the web interface, and so Acegi can
> > authenticate and authorize the user.
> > But when Quartz launches the Job that updates the database, the user does
> > not need to log in since the job is fired automatically.
> > And in this case, I must skip authorization altogether, since if a job has
> > been scheduled, that means that the user that did it (via the web
> > interface) had the rights to do that.
> > The thing is that if I use the Acegi interceptor and apply it to
> > PersistenceManager, that interceptor will be invoked also from the
> > Quartz Job, since ultimately the Quartz Job calls PersistenceManager.
> > In my view I have two possible solutions:
> > 1 - since I can grab the user that scheduled the job, I can try to
> > 'authenticate' and authorize it via Acegi, since in my QuartzJob I can
> > get hold of the Spring context
> > 2 - make it so that when the Quartz Job invokes PersistenceManager, a
> > special user is used so that the operation on PersistenceManager is
> > allowed
> >
> > But I don't know the code to write for doing either 1 or 2.
> > Can anyone help and give me suggestions?
> >
> > Thanks in advance and regards,
> >   Marco




Re: [Acegisecurity-developer] How to use Acegi in this situation?

2005-06-20 Thread Andy Depue
As I originally mentioned, in one particular case we created a special user
just for our background task (because it made sense in this particular
context). So, assuming you have already created a user in your system for
the background task, I can share the code we use to "log in" as a user.
Note that this code works with Acegi v. 0.8.2, and I'm not sure if it has
changed for later versions.

First, you are going to need an AuthenticationManager, which is usually set up
in your Spring configuration. In our security facade, we keep a reference to
the AuthenticationManager:

-

  ...

  private AuthenticationManager authenticationManager;

  ...

  public AuthenticationManager getAuthenticationManager()
  {
    return this.authenticationManager;
  }

  public void setAuthenticationManager(final AuthenticationManager authenticationManager)
  {
    this.authenticationManager = authenticationManager;
  }

-

We then use Spring to inject a reference of the AuthenticationManager into our 
security facade bean.

We then have an "authenticateUser" method that goes something like this:

-
  public void authenticateUser(final String principal,
                               final String credentials)
  {
    final UsernamePasswordAuthenticationToken request =
        new UsernamePasswordAuthenticationToken(principal, credentials);
    final Authentication result =
        getAuthenticationManager().authenticate(request);

    // Setup a secure ContextHolder (if required)
    if(ContextHolder.getContext() == null
        || !(ContextHolder.getContext() instanceof SecureContext)) {
      try {
        ContextHolder.setContext(new SecureContextImpl());
      } catch(Exception e) {
        throw new RuntimeException(e);
      }
    }

    // Commit the successful Authentication object to the secure
    // ContextHolder
    final SecureContext sc = (SecureContext) ContextHolder.getContext();
    sc.setAuthentication(result);
    ContextHolder.setContext(sc);
  }
-


We then have a matching "unauthenticateUser()" method:

-
  public void unauthenticateUser()
  {
    // Make the Authentication object null if a SecureContext exists
    if(ContextHolder.getContext() != null
        && ContextHolder.getContext() instanceof SecureContext) {
      SecureContext sc = (SecureContext) ContextHolder.getContext();
      sc.setAuthentication(null);
      ContextHolder.setContext(sc);
    }
  }
-


Note that we wrote this code way back when Acegi was still young, so it might
be the case that Acegi now has utility methods somewhere that do this for
you. I haven't looked recently, so maybe someone can comment.

We also wrote some support interfaces to allow subsystems to authenticate
themselves in a safer manner, but it is a lot of code. So, for now, I will
show you what it all basically boils down to. In your background process,
you would do something like this:

-
  securityFacade.authenticateUser(subsystemUserName, subsystemCredentials);
  try {
    // Background process code goes here
    ...
  } finally {
    securityFacade.unauthenticateUser();
  }
-

  - Andy

On Monday 20 June 2005 09:26 am, Marco Mistroni wrote:
> Hello,
>   some time ago Mr Andy Depue replied to my message on how to use
> Acegi in a situation where the user does not log in (for example in
> the case in which a background process, cron-like, periodically
> executes).
> In this situation, how will I create a ContextHolder to associate it
> with the call?
> How will I create a 'default user' (from Java code) so that I can
> safely call my code and be authorized by Acegi?
>
> Any help?
>
> Thanks in advance and regards,
>  Marco


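An added illustration, not Andy's code: the same authenticate-in-try, clear-in-finally pattern packaged for a background task, with two changes a reviewer would ask for. It restores whatever Authentication the thread held before (null on a bare worker thread) instead of unconditionally nulling it, and a rejected service-account logon never touches the ContextHolder at all. The net.sf.acegisecurity package names are assumed from the 0.8.x API.

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.AuthenticationManager;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.security.SecureContext;
import net.sf.acegisecurity.context.security.SecureContextImpl;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/**
 * Runs a task (e.g. the body of a Quartz job) as a dedicated service account,
 * then puts the calling thread's previous Authentication back. Construct it as
 * a Spring bean and inject the same AuthenticationManager the web tier uses.
 */
public class RunAsServiceAccount {

    private final AuthenticationManager authenticationManager; // injected

    public RunAsServiceAccount(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void run(String serviceUser, String servicePassword, Runnable task) {
        // Authenticate first: a rejection must leave the thread's context as it was.
        Authentication serviceAuth;
        try {
            serviceAuth = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(serviceUser, servicePassword));
        } catch (AuthenticationException e) {
            throw new IllegalStateException("service account rejected: " + e.getMessage());
        }

        SecureContext sc = currentSecureContext();
        Authentication previous = sc.getAuthentication(); // null on a bare worker thread
        sc.setAuthentication(serviceAuth);
        ContextHolder.setContext(sc);
        try {
            task.run(); // interceptor-protected service calls go here
        } finally {
            sc.setAuthentication(previous); // never leave the service identity behind
            ContextHolder.setContext(sc);
        }
    }

    // Reuse an existing SecureContext on this thread, otherwise start a fresh one.
    private static SecureContext currentSecureContext() {
        Object ctx = ContextHolder.getContext();
        if (ctx instanceof SecureContext) {
            return (SecureContext) ctx;
        }
        return new SecureContextImpl();
    }
}
```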