Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Venkat Sonnathi wrote: Hi Ben, Please find attached the patch for AbstractSecurityInterceptor.java, Basically, it checks to see if the existing authentication is already autheticated or not and then invoke authenticationManager.authenticate. Hi Venkat I have just committed to CVS various changes to the Authentication.isAuthenticated() handling. Effective herein, AbstractSecurityInterceptor will only call the AuthenticationManager if the Authentication.isAuthenticated() == false. AbstractSecurityInterceptor does not call Authentication.setAuthenticated(true) - instead it leaves this choice to the AuthenticationProvider and/or Authentication concrete implementation to address. Most Authentication implementations now provide a mutable isAuthenticated() property. By mutable, setAuthenticated(false) is guaranteed by the Authentication interface contract to always be allowed. This is used by the RMI class to ensure a remotely presented Authentication is set to untrusted, ensuring the AbstractSecurityInterceptor will trigger authentication. Permitting setAuthenticated(true) (which would therefore bypass further checking at time of security interception) is an implementation choice. The main implementation used by Acegi Security, UsernamePasswordAuthenticationToken, disallows setAuthenticated(true) and instead relies upon the constructor to set the property. This means that AuthenticationProviders should be the only classes that use the UsernamePasswordAuthenticationToken(Object, Object, GrantedAuthority[]) constructor. On the other hand, any class can freely use the UsernamePasswordAuthenticationToken(Object, Object) constructor, as the resulting authentication token will not be trusted (ie isAuthenticated() will always return false). Unit tests pass. Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] jar versions not correct in project.xml
George Franciscus wrote: The build is failing because the following dependency versions are not correct in project.xml. In both cases it needs -20040521 in the version tag. dependency groupIdjspapi/groupId artifactIdjsp-api/artifactId version2.0-20040521/version typejar/type urlhttp://java.sun.com/products/jsp/url properties war.bundlefalse/war.bundle /properties /dependency dependency groupIdservletapi/groupId artifactIdservletapi/artifactId version2.4-20040521/version typejar/type urlhttp://java.sun.com/products/servlet/url /dependency Hi George Thanks, fixed in CVS. Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] JavaDocs for .8.x without building
Patrick Burleson wrote: Are the JavaDocs shipped with the binary download? I can't seem to find them. And the JavaDocs on the website are for the .9 release. I really don't want to have to generate them. Hi Patrick I think they're in there. I just downloaded acegi-security-0.8.2.zip from SourceForge and found the core subproject's JavaDocs in /acegi-security-0.8.2/docs/multiproject/acegi-security/apidocs/. Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] ldap LdapPasswordAuthenticationDao
Robert r. Sanders wrote: If you won't mind sending me you changes, I'll try to get them merged with the LDAP DAO stuff. Hi Robert and Joseph How did you end up going with the LDAP changes? What is the present status of LDAP and the Apache DS unit tests? LDAP is an important feature for a 1.0.0 release. Thanks Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Acegi population of database tables
Marco Mistroni wrote: for both contactManagerSecurity and TransactionInterceptor. I assume they have something to do with autohrization using MethodInterceptor, but i cannot figure out the meaning, for example, of sample.contact.Contact:1 for object_identity column in acl_object_identity, and i can't understand what is the purpose of the acl_permission table, in particular the mask column and acl_object identity Can anyone give me some explanation on how the acl_permission and acl_object_identity should be populated? Hi Marco Have you had a change to review the reference documentation at http://acegisecurity.sourceforge.net/docbook/acegi.html#acls? If we take the sample data: INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1); INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0); INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2); INSERT INTO acl_permission VALUES (null, 3, 'scott', 14); INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); What is basically happening is acl_object_identity represents a domain object instance. corp.DomainObject:1 is the Java classname + : + identifier of the domain object instance. So that inheritance works, the acl_object_identity table identifies the parent acl_object_identity record (or null if it has no parent). Accordingly, in the above example, DomainObject #2 and #3 and #4 all share the same parent, DomainObject #1. There is a one-to-many relationship between acl_object_identity and acl_permission. ie one acl_object_identity has many acl_permissions. In the example above, DomainObject #2 has two acl_permissions (for ROLE_SUPERVISOR and marissa). The acl_permission table specifies which acl_object_identity record it applies to, the recipient (usually a username or role name), and the integer mask that applies. So if we take the last acl_permission example above, it applies to acl_object_identity #6, and gives scott the permissions identified by integer mask 1. Hope this clears things up. Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] non-serializable stuff on the session
Joseph Dane wrote: [14:07:22.035] Failed storing persistent session attribute `ACEGI_SECURITY_LAST_EXCEPTION'. Persistent session values must extend java.io.Serializable. [14:07:22.035] java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx my own recommendation, fwiw, would be to just remove this bit. Hi Joseph Unfortunately a lot of people rely on the exception information to display diagnostic information to the user. I've taken the easy-way-out: try { request.getSession().setAttribute(ACEGI_SECURITY_LAST_EXCEPTION_KEY, failed); } catch (Exception ignored) {} Now in CVS. Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] RequestDispatcher forwards
Victor Tatai wrote: Hello, I posted this doubt to the forum but no one answered it: http://forum.springframework.org/viewtopic.php?t=5915 My solution was to implement a custom FilterSecurityInterceptor, but I think that perhaps a better solution would be to add this support to the FilterSecurityInterceptor itself. My apologies for the delay. I have been overseas consulting and only just getting on top of things again. I haven't yet read your post, but I think we can make the once-per-request optional to cater for forwards. I'll look into this change when I answer your forum message Best regards Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] JdbcDaoImpl overrides queries and mappings in initDao()
Durham David R Jr Ctr 805 CSPTS/SCE wrote: Am I correct that this will effectively override any property config that you might have done in Spring? Yes, it will. Most people tend to change the SQL strings or subclass JdbcDapImpl, though, as opposed to provide a new AuthoritiesByUsernameMapping via a bean property name=authoritiesByUsernameMappnig. To avoid confusion I have removed the getters and setters for the MappingSqlQuery, so that people are forced to either use the query strings or subclass and override the MappingSqlQuerys. Committed to CVS. Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] AuthenticationFailureEvent?
Mark St Godard wrote: Does it make sense for this to be refactored to have a single AuthenticationFailureEvent...(class or interface) with the 7 subclasses or implementors? i.e. AuthenticationEvent AuthenticationSuccessEvent extends AuthenticationEvent AuthenticationFailureEvent extends AuthenticationEvent (all auth fail events subclass above OR make an interface (marker perhaps) for AuthenticationFailureEvent ?) Hi Mark I went with a common abstract superclass, AuthenticationFailureEvent. Now in CVS. Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Support for HTTP request memento in Form Authenticator
Curtis Light wrote: Please let me clarify: the authentication information itself would never be stored--just the last attempted POST in the event of session expiration. I'm looking for a mechanism instead that will save a memento of the content of a regular HTML form if the user takes too long to complete and submit the form. If the user takes 16 minutes to fill out a form, but the session only lasts 15 minutes, then the posted form data would be lost. I've seen this implemented in a hand-rolled fashion before. The servlet would check to see if a session exists for each HTTP POST. If the session does exist and the user has been authenticated, then the servlet processes the transaction normally. However, if the session does not exist, the servlet would create a new session and store those parameters in the new session. The servlet would then display a login page and prompt for reauthentication. After reauthenticating, the servlet would pull the original POST parameters out of the session, and it would process them just as it would if the reauthentication was not required. I realize that this may cause a creation of a session that could open the door for a denial of service attack, so an alternative to this method would be encoding the HTTP POST content into a Base64-encoded string and passing it to the login screen in a hidden field. That gets around the need to create a new session upon the receipt of any post. Most people get around the session timeout issue via these common approaches: - Use the remember-me hooks provided by Acegi Security to send back a memento that is subsequently recognised by Acegi Security (see the existing remember-me implementation and code in 0.8.2 or CVS) - Use Digest authentication, so that HTTP sessions are not required - Use BASIC authentication, so that HTTP sessions are not required If you were concerned about the user seeing a login page and spending too long completing it, as you point out you could store the AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY in a request parameter that the original login.jsp (or equivalent view) rendered. A custom AuthenticationProcessingFilter would then reassociate the ACEGI_SECURITY_TARGET_URL_KEY with the HttpSession if it detected the HttpSession was new. In effect this moves the only Acegi Security related use of the HttpSession during authentication processing to a request parameter. Also recall that the AbstractProcessingFilter.defaultTargetUrl provides a reasonable solution to timeout during completion of login page. Or, am I misunderstanding your timeout concern? HTH Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Acegi population of database tables
Hello Ben, thanx!! in meantime i read more acegi docs and i managed to figure out how to populate tables, so things are more or less pretty clear now.. thanx and regards marco On 6/22/05, Ben Alex [EMAIL PROTECTED] wrote: Marco Mistroni wrote: for both contactManagerSecurity and TransactionInterceptor. I assume they have something to do with autohrization using MethodInterceptor, but i cannot figure out the meaning, for example, of sample.contact.Contact:1 for object_identity column in acl_object_identity, and i can't understand what is the purpose of the acl_permission table, in particular the mask column and acl_object identity Can anyone give me some explanation on how the acl_permission and acl_object_identity should be populated? Hi Marco Have you had a change to review the reference documentation at http://acegisecurity.sourceforge.net/docbook/acegi.html#acls? If we take the sample data: INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry'); INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1); INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0); INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2); INSERT INTO acl_permission VALUES (null, 3, 'scott', 14); INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); What is basically happening is acl_object_identity represents a domain object instance. corp.DomainObject:1 is the Java classname + : + identifier of the domain object instance. So that inheritance works, the acl_object_identity table identifies the parent acl_object_identity record (or null if it has no parent). Accordingly, in the above example, DomainObject #2 and #3 and #4 all share the same parent, DomainObject #1. There is a one-to-many relationship between acl_object_identity and acl_permission. ie one acl_object_identity has many acl_permissions. In the example above, DomainObject #2 has two acl_permissions (for ROLE_SUPERVISOR and marissa). The acl_permission table specifies which acl_object_identity record it applies to, the recipient (usually a username or role name), and the integer mask that applies. So if we take the last acl_permission example above, it applies to acl_object_identity #6, and gives scott the permissions identified by integer mask 1. Hope this clears things up. Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77alloc_id492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] JIRA Issue Tracking
Hi everyone Acegi Security is now listed in Spring's JIRA. It's called Spring Security in JIRA, and I've added all current known TODO list items. Please use JIRA for future issue tracking, features etc. http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040 Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Hi Ben, Thanks for the changes. I looked over the changes. Regards, --Venkat. On 6/22/05, Ben Alex [EMAIL PROTECTED] wrote: Venkat Sonnathi wrote: Hi Ben, Please find attached the patch for AbstractSecurityInterceptor.java, Basically, it checks to see if the existing authentication is already autheticated or not and then invoke authenticationManager.authenticate. Hi Venkat I have just committed to CVS various changes to the Authentication.isAuthenticated() handling. Effective herein, AbstractSecurityInterceptor will only call the AuthenticationManager if the Authentication.isAuthenticated() == false. AbstractSecurityInterceptor does not call Authentication.setAuthenticated(true) - instead it leaves this choice to the AuthenticationProvider and/or Authentication concrete implementation to address. Most Authentication implementations now provide a mutable isAuthenticated() property. By mutable, setAuthenticated(false) is guaranteed by the Authentication interface contract to always be allowed. This is used by the RMI class to ensure a remotely presented Authentication is set to untrusted, ensuring the AbstractSecurityInterceptor will trigger authentication. Permitting setAuthenticated(true) (which would therefore bypass further checking at time of security interception) is an implementation choice. The main implementation used by Acegi Security, UsernamePasswordAuthenticationToken, disallows setAuthenticated(true) and instead relies upon the constructor to set the property. This means that AuthenticationProviders should be the only classes that use the UsernamePasswordAuthenticationToken(Object, Object, GrantedAuthority[]) constructor. On the other hand, any class can freely use the UsernamePasswordAuthenticationToken(Object, Object) constructor, as the resulting authentication token will not be trusted (ie isAuthenticated() will always return false). Unit tests pass. Cheers Ben --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77alloc_id492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] ldap LdapPasswordAuthenticationDao
Go ahead and send me what you've got. With regards to your proposed changes: I have had a similar thought in the past, but put it aside, at least until I can finish the LDAP DAO stuff (and become more familiar with the internals of Acegi). If you want, I am willing to go along with you suggestion as an initial way of implementing this. Longer term (probably post 1.0) I would like to see a division between validating user credentials and retrieving user role/permissio information so that it could be a more generalized feature of Acegi, but I really haven't spent any time thinking about how to actually do this. Joseph Dane wrote: I can go ahead and send you the changes I made. but before I do that, I'd like to ask for some advice. what's needed here is something which will do authentication against LDAP first, but will also delegate to some other provider in case the LDAP authentication fails. my first attempt at this was to use two totally distinct providers, but it seems that Acegi will only use the first provider that claims to support a given Authentication. so that was out. since that didn't work, I decided to change loadByUsernameAndPassword to something like this: public UserDetails loadUserByUsernameAndPassword(String username, String pas sword) throws DataAccessException, BadCredentialsException { if ((password == null) || (password.length() == 0)) { throw new BadCredentialsException(Empty password); } UserDetails user = null; try { user = doLdapAuthentication(username, password); } catch (Exception e) { e.printStackTrace(); } if (user == null) { user = doLocalAuthentication(username, password); } return user; } protected UserDetails doLdapAuthentication(String username, String password) { // actual LDAP authentication ... ... } protected UserDetails doLocalAuthentication(String username, String password ) { return null; } the idea being that subclasses could override doLocalAuthentication to do whatever they need to do in that case. this works, but it means that your LDAP authentcation bean has to also know about the local authentication details, password encoder, salt source, etc., which seems less than ideal. anyhow, if anyone has any suggestions about this (which really has nothing to do with LDAP) then I can try incorporating them into my changes before sending them back to you. if I don't hear anything by tomorrow, I'll go ahead and send you what I've got. -- Robert r. Sanders Chief Technologist iPOV (334) 821-5412 www.ipov.net --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer