Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

2005-06-22 Thread Ben Alex

Venkat Sonnathi wrote:


Hi Ben,

Please find attached the patch for AbstractSecurityInterceptor.java.
Basically, it checks to see if the existing authentication is already
authenticated or not and then invokes
authenticationManager.authenticate.


Hi Venkat

I have just committed to CVS various changes to the 
Authentication.isAuthenticated() handling.


Effective herein, AbstractSecurityInterceptor will only call the 
AuthenticationManager if the Authentication.isAuthenticated() == false. 
AbstractSecurityInterceptor does not call 
Authentication.setAuthenticated(true) - instead it leaves this choice to 
the AuthenticationProvider and/or Authentication concrete implementation 
to address.


Most Authentication implementations now provide a mutable 
isAuthenticated() property. By mutable, setAuthenticated(false) is 
guaranteed by the Authentication interface contract to always be 
allowed. This is used by the RMI class to ensure a remotely presented 
Authentication is set to untrusted, ensuring the 
AbstractSecurityInterceptor will trigger authentication.


Permitting setAuthenticated(true) (which would therefore bypass further 
checking at time of security interception) is an implementation choice. 
The main implementation used by Acegi Security, 
UsernamePasswordAuthenticationToken, disallows setAuthenticated(true) 
and instead relies upon the constructor to set the property. This means 
that AuthenticationProviders should be the only classes that use the 
UsernamePasswordAuthenticationToken(Object, Object, GrantedAuthority[]) 
constructor. On the other hand, any class can freely use the 
UsernamePasswordAuthenticationToken(Object, Object) constructor, as the 
resulting authentication token will not be trusted (ie isAuthenticated() 
will always return false).


Unit tests pass.

Cheers
Ben
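
The trust contract Ben describes above, as an added example that is not Acegi Security's own code: Auth, PasswordToken, Provider and Interceptor are hypothetical stand-ins for Authentication, UsernamePasswordAuthenticationToken, AuthenticationManager and AbstractSecurityInterceptor, and the single user record is constructed for the demo.

```java
import java.util.Collections;
import java.util.List;

// Added example, not Acegi Security's own code. Auth, PasswordToken, Provider and
// Interceptor are hypothetical stand-ins for Authentication,
// UsernamePasswordAuthenticationToken, AuthenticationManager and
// AbstractSecurityInterceptor; the user record (marissa/koala) is constructed.
interface Auth {
    Object getPrincipal();
    Object getCredentials();
    List<String> getAuthorities();
    boolean isAuthenticated();
    // Contract: setAuthenticated(false) is always honoured; setAuthenticated(true) may be refused.
    void setAuthenticated(boolean trusted);
}

final class PasswordToken implements Auth {
    private final Object principal, credentials;
    private final List<String> authorities;
    private boolean authenticated;

    // Any class may build an untrusted token: isAuthenticated() is false.
    PasswordToken(Object principal, Object credentials) {
        this(principal, credentials, Collections.<String>emptyList(), false);
    }

    // Meant only for an AuthenticationProvider: the token is born trusted.
    PasswordToken(Object principal, Object credentials, List<String> authorities) {
        this(principal, credentials, authorities, true);
    }

    private PasswordToken(Object p, Object c, List<String> a, boolean trusted) {
        principal = p; credentials = c; authorities = a; authenticated = trusted;
    }

    public Object getPrincipal() { return principal; }
    public Object getCredentials() { return credentials; }
    public List<String> getAuthorities() { return authorities; }
    public boolean isAuthenticated() { return authenticated; }

    public void setAuthenticated(boolean trusted) {
        if (trusted) {
            throw new IllegalArgumentException("use the authorities constructor to create a trusted token");
        }
        authenticated = false; // demotion is always allowed; the RMI path relies on this
    }
}

// Stand-in provider with one constructed user (a real provider compares encoded passwords).
final class Provider {
    Auth authenticate(Auth request) {
        if (!"marissa".equals(request.getPrincipal()) || !"koala".equals(request.getCredentials())) {
            throw new SecurityException("bad credentials");
        }
        // Only here, inside the provider, is the trusted constructor used.
        return new PasswordToken("marissa", request.getCredentials(),
                Collections.singletonList("ROLE_SUPERVISOR"));
    }
}

// The interceptor's rule from the post: consult the provider only for untrusted tokens.
final class Interceptor {
    private final Provider provider = new Provider();
    Auth beforeInvocation(Auth current) {
        return current.isAuthenticated() ? current : provider.authenticate(current);
    }
}

public class TrustDemo {
    public static void main(String[] args) {
        Interceptor interceptor = new Interceptor();
        Auth untrusted = new PasswordToken("marissa", "koala");
        Auth trusted = interceptor.beforeInvocation(untrusted);          // provider ran
        System.out.println(trusted.isAuthenticated() + " " + trusted.getAuthorities());
        System.out.println(interceptor.beforeInvocation(trusted) == trusted); // no round trip
        trusted.setAuthenticated(false);                                   // e.g. token received over RMI
        System.out.println(interceptor.beforeInvocation(trusted) != trusted); // re-authenticated
        try {
            untrusted.setAuthenticated(true);
        } catch (IllegalArgumentException refused) {
            System.out.println("promotion refused: " + refused.getMessage());
        }
    }
}
```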


---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477alloc_id=16492op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] jar versions not correct in project.xml

2005-06-22 Thread Ben Alex

George Franciscus wrote:

The build is failing because the following dependency versions are not 
correct in project.xml. In both cases it needs -20040521 in the 
version tag.
<dependency>
  <groupId>jspapi</groupId>
  <artifactId>jsp-api</artifactId>
  <version>2.0-20040521</version>
  <type>jar</type>
  <url>http://java.sun.com/products/jsp</url>
  <properties>
    <war.bundle>false</war.bundle>
  </properties>
</dependency>

<dependency>
  <groupId>servletapi</groupId>
  <artifactId>servletapi</artifactId>
  <version>2.4-20040521</version>
  <type>jar</type>
  <url>http://java.sun.com/products/servlet</url>
</dependency>



Hi George

Thanks, fixed in CVS.

Cheers
Ben




Re: [Acegisecurity-developer] JavaDocs for .8.x without building

2005-06-22 Thread Ben Alex

Patrick Burleson wrote:


Are the JavaDocs shipped with the binary download? I can't seem to
find them. And the JavaDocs on the website are for the .9 release. I
really don't want to have to generate them.

 


Hi Patrick

I think they're in there. I just downloaded acegi-security-0.8.2.zip 
from SourceForge and found the core subproject's JavaDocs in 
/acegi-security-0.8.2/docs/multiproject/acegi-security/apidocs/.


Cheers
Ben




Re: [Acegisecurity-developer] ldap LdapPasswordAuthenticationDao

2005-06-22 Thread Ben Alex

Robert r. Sanders wrote:

If you won't mind sending me your changes, I'll try to get them merged 
with the LDAP DAO stuff. 


Hi Robert and Joseph

How did you end up going with the LDAP changes? What is the present 
status of LDAP and the Apache DS unit tests? LDAP is an important 
feature for a 1.0.0 release.


Thanks
Ben




Re: [Acegisecurity-developer] Acegi population of database tables

2005-06-22 Thread Ben Alex

Marco Mistroni wrote:


for both contactManagerSecurity and TransactionInterceptor.
I assume they have something to do with authorization using
MethodInterceptor, but I cannot figure out the meaning, for example,
of sample.contact.Contact:1 for the object_identity column in
acl_object_identity, and I can't understand what the purpose of the
acl_permission table is, in particular the mask column and acl_object_identity.

Can anyone give me some explanation on how the acl_permission and
acl_object_identity tables should be populated?



Hi Marco

Have you had a chance to review the reference documentation at 
http://acegisecurity.sourceforge.net/docbook/acegi.html#acls?


If we take the sample data:

INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');

INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1);
INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0);
INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2);
INSERT INTO acl_permission VALUES (null, 3, 'scott', 14);
INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);


What is basically happening is acl_object_identity represents a domain 
object instance. corp.DomainObject:1 is the Java classname + : + 
identifier of the domain object instance. So that inheritance works, the 
acl_object_identity table identifies the parent acl_object_identity 
record (or null if it has no parent). Accordingly, in the above example, 
DomainObject #2 and #3 and #4 all share the same parent, DomainObject #1.


There is a one-to-many relationship between acl_object_identity and 
acl_permission. ie one acl_object_identity has many acl_permissions. In 
the example above, DomainObject #2 has two acl_permissions (for 
ROLE_SUPERVISOR and marissa).


The acl_permission table specifies which acl_object_identity record it 
applies to, the recipient (usually a username or role name), and the 
integer mask that applies. So if we take the last acl_permission example 
above, it applies to acl_object_identity #6, and gives scott the 
permissions identified by integer mask 1.


Hope this clears things up.

Ben
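
The sample rows and the parent/recipient/mask relationships Ben walks through above, as an added example that is not Acegi Security's own code: the two tables are held in memory and a resolver walks the parent chain to find the mask that applies to a recipient. The mask bit values are those of SimpleAclEntry; the inheritance rule used (the nearest object in the chain that names the recipient wins, so a child row with mask 0 revokes a parent grant) is an assumption about BasicAclProvider's behaviour, not something the post states.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not Acegi Security's own code. Holds the sample rows from the post
// and resolves the effective mask for a recipient by walking the parent chain.
// Assumption: the nearest object in the chain naming the recipient wins, so a child
// row with mask 0 revokes what the parent granted (BasicAclProvider is not consulted here).
public class AclResolver {
    // Mask bits as defined by net.sf.acegisecurity.acl.basic.SimpleAclEntry.
    static final int NOTHING = 0, ADMINISTRATION = 1, READ = 2, WRITE = 4, CREATE = 8, DELETE = 16;

    // acl_object_identity: id -> object_identity string, and id -> parent id (null for a root)
    static final Map<Integer, String> IDENTITY = new HashMap<>();
    static final Map<Integer, Integer> PARENT = new HashMap<>();
    // acl_permission rows as {acl_object_identity id, recipient, mask}
    static final List<Object[]> PERMISSIONS = new ArrayList<>();

    static {
        object(1, "corp.DomainObject:1", null);
        object(2, "corp.DomainObject:2", 1);
        object(3, "corp.DomainObject:3", 1);
        object(4, "corp.DomainObject:4", 1);
        object(5, "corp.DomainObject:5", 3);
        object(6, "corp.DomainObject:6", 3);
        permission(1, "ROLE_SUPERVISOR", ADMINISTRATION);
        permission(2, "ROLE_SUPERVISOR", NOTHING);        // explicit revoke on #2
        permission(2, "marissa", READ);
        permission(3, "scott", READ | WRITE | CREATE);    // the mask 14 from the post
        permission(6, "scott", ADMINISTRATION);
    }

    static void object(int id, String objectIdentity, Integer parentId) {
        IDENTITY.put(id, objectIdentity);
        PARENT.put(id, parentId);
    }

    static void permission(int objectId, String recipient, int mask) {
        PERMISSIONS.add(new Object[] {objectId, recipient, mask});
    }

    /** Finds the acl_object_identity id for "classname:instanceId", or null if absent. */
    static Integer lookup(String objectIdentity) {
        for (Map.Entry<Integer, String> e : IDENTITY.entrySet()) {
            if (e.getValue().equals(objectIdentity)) return e.getKey();
        }
        return null;
    }

    /** Effective mask for a recipient (username or role name) on an object, following parents. */
    static int effectiveMask(String objectIdentity, String recipient) {
        Integer current = lookup(objectIdentity);
        while (current != null) {
            for (Object[] row : PERMISSIONS) {
                if (row[0].equals(current) && row[1].equals(recipient)) return (Integer) row[2];
            }
            current = PARENT.get(current);   // null once the root has been checked
        }
        return NOTHING;  // unknown object, or no row for this recipient anywhere in the chain
    }

    /** True when every bit of required is present, the test SimpleAclEntry applies. */
    static boolean isGranted(String objectIdentity, String recipient, int required) {
        return (effectiveMask(objectIdentity, recipient) & required) == required;
    }

    public static void main(String[] args) {
        // #5 has no rows of its own, so scott's mask comes from parent #3 (READ|WRITE|CREATE).
        System.out.println(isGranted("corp.DomainObject:5", "scott", READ | WRITE));
        System.out.println(isGranted("corp.DomainObject:5", "scott", DELETE));
        // #2 names ROLE_SUPERVISOR with mask 0, which overrides the ADMINISTRATION grant on #1;
        // #4 has no row for the role, so the grant on #1 applies.
        System.out.println(isGranted("corp.DomainObject:2", "ROLE_SUPERVISOR", ADMINISTRATION));
        System.out.println(isGranted("corp.DomainObject:4", "ROLE_SUPERVISOR", ADMINISTRATION));
        // A recipient with no row anywhere in the chain gets NOTHING.
        System.out.println(isGranted("corp.DomainObject:6", "marissa", READ));
    }
}
```

In the real provider the recipient column is matched against the caller's username and each of its granted authorities, so a user who holds ROLE_SUPERVISOR is checked under both names.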




Re: [Acegisecurity-developer] non-serializable stuff on the session

2005-06-22 Thread Ben Alex

Joseph Dane wrote:


[14:07:22.035] Failed storing persistent session attribute 
`ACEGI_SECURITY_LAST_EXCEPTION'.  Persistent session values must extend 
java.io.Serializable.
[14:07:22.035] java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx

my own recommendation, fwiw, would be to just remove this bit.

 


Hi Joseph

Unfortunately a lot of people rely on the exception information to 
display diagnostic information to the user. I've taken the easy-way-out:


    try {
        request.getSession().setAttribute(ACEGI_SECURITY_LAST_EXCEPTION_KEY, failed);
    } catch (Exception ignored) {}

Now in CVS.

Cheers
Ben




Re: [Acegisecurity-developer] RequestDispatcher forwards

2005-06-22 Thread Ben Alex

Victor Tatai wrote:


Hello,

I posted this doubt to the forum but no one answered it:

http://forum.springframework.org/viewtopic.php?t=5915

My solution was to implement a custom FilterSecurityInterceptor, but I
think that perhaps a better solution would be to add this support to
the FilterSecurityInterceptor itself.

 

My apologies for the delay. I have been overseas consulting and only 
just getting on top of things again.


I haven't yet read your post, but I think we can make the 
once-per-request optional to cater for forwards. I'll look into this 
change when I answer your forum message.


Best regards
Ben




Re: [Acegisecurity-developer] JdbcDaoImpl overrides queries and mappings in initDao()

2005-06-22 Thread Ben Alex

Durham David R Jr Ctr 805 CSPTS/SCE wrote:


Am I correct that this will effectively override any property config
that you might have done in Spring?

 

Yes, it will. Most people tend to change the SQL strings or subclass 
JdbcDaoImpl, though, as opposed to providing a new 
AuthoritiesByUsernameMapping via a bean property named 
authoritiesByUsernameMapping. To avoid confusion I have removed 
the getters and setters for the MappingSqlQuery, so that people are 
forced to either use the query strings or subclass and override the 
MappingSqlQuerys. Committed to CVS.


Cheers
Ben




Re: [Acegisecurity-developer] AuthenticationFailureEvent?

2005-06-22 Thread Ben Alex

Mark St Godard wrote:


Does it make sense for this to be refactored to have a single
AuthenticationFailureEvent...(class or interface) with the 7 subclasses or
implementors?

i.e.

AuthenticationEvent
 AuthenticationSuccessEvent extends AuthenticationEvent
 AuthenticationFailureEvent extends AuthenticationEvent
   (all auth fail events subclass above  OR make an interface
(marker perhaps) for AuthenticationFailureEvent ?)

 


Hi Mark

I went with a common abstract superclass, AuthenticationFailureEvent. 
Now in CVS.


Cheers
Ben




[Acegisecurity-developer] Support for HTTP request memento in Form Authenticator

2005-06-22 Thread Ben Alex

Curtis Light wrote:


Please let me clarify: the authentication information itself would
never be stored--just the last attempted POST in the event of session
expiration.  I'm looking for a mechanism instead that will save a
memento of the content of a regular HTML form if the user takes too
long to complete and submit the form.  If the user takes 16 minutes to
fill out a form, but the session only lasts 15 minutes, then the
posted form data would be lost.

I've seen this implemented in a hand-rolled fashion before.  The
servlet would check to see if a session exists for each HTTP POST.  If
the session does exist and the user has been authenticated, then the
servlet processes the transaction normally.  However, if the session
does not exist, the servlet would create a new session and store those
parameters in the new session.  The servlet would then display a login
page and prompt for reauthentication.  After reauthenticating, the
servlet would pull the original POST parameters out of the session,
and it would process them just as it would if the reauthentication was
not required.

I realize that this may cause a creation of a session that could open
the door for a denial of service attack, so an alternative to this
method would be encoding the HTTP POST content into a Base64-encoded
string and passing it to the login screen in a hidden field.  That
gets around the need to create a new session upon the receipt of any
post.

 

Most people get around the session timeout issue via these common 
approaches:


- Use the remember-me hooks provided by Acegi Security to send back a 
memento that is subsequently recognised by Acegi Security (see the 
existing remember-me implementation and code in 0.8.2 or CVS)

- Use Digest authentication, so that HTTP sessions are not required
- Use BASIC authentication, so that HTTP sessions are not required

If you were concerned about the user seeing a login page and spending 
too long completing it, as you point out you could store the 
AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY in a request 
parameter that the original login.jsp (or equivalent view) rendered. A 
custom AuthenticationProcessingFilter would then reassociate the 
ACEGI_SECURITY_TARGET_URL_KEY with the HttpSession if it detected the 
HttpSession was new. In effect this moves the only Acegi Security 
related use of the HttpSession during authentication processing to a 
request parameter. Also recall that the 
AbstractProcessingFilter.defaultTargetUrl provides a reasonable solution 
to timeout during completion of login page. Or, am I misunderstanding 
your timeout concern?


HTH
Ben




Re: [Acegisecurity-developer] Acegi population of database tables

2005-06-22 Thread Marco Mistroni
Hello Ben,
  thanx!! In the meantime I read more Acegi docs and I managed to figure
out how to populate the tables, so things are more or less pretty clear
now..
thanx and regards
 marco






[Acegisecurity-developer] JIRA Issue Tracking

2005-06-22 Thread Ben Alex

Hi everyone

Acegi Security is now listed in Spring's JIRA. It's called Spring 
Security in JIRA, and I've added all current known TODO list items. 
Please use JIRA for future issue tracking, features etc.


http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040

Cheers
Ben




Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor

2005-06-22 Thread Venkat Sonnathi
Hi Ben,

Thanks for the changes. I looked over the changes.

Regards,
--Venkat.






Re: [Acegisecurity-developer] ldap LdapPasswordAuthenticationDao

2005-06-22 Thread Robert r. Sanders

Go ahead and send me what you've got.

With regards to your proposed changes: I have had a similar thought in 
the past, but put it aside, at least until I can finish the LDAP DAO 
stuff (and become more familiar with the internals of Acegi).  If you 
want, I am willing to go along with your suggestion as an initial way of 
implementing this.  Longer term (probably post 1.0) I would like to see 
a division between validating user credentials and retrieving user 
role/permission information so that it could be a more generalized 
feature of Acegi, but I really haven't spent any time thinking about how 
to actually do this.



Joseph Dane wrote:


I can go ahead and send you the changes I made.  but before I do that,
I'd like to ask for some advice.

what's needed here is something which will do authentication against
LDAP first, but will also delegate to some other provider in case the
LDAP authentication fails.   my first attempt at this was to use two
totally distinct providers, but it seems that Acegi will only use the
first provider that claims to support a given Authentication.  so that
was out.

since that didn't work, I decided to change loadByUsernameAndPassword
to something like this:

  public UserDetails loadUserByUsernameAndPassword(String username, String password)
          throws DataAccessException, BadCredentialsException {

      // Reject an empty password up front rather than attempting an LDAP bind with it
      if ((password == null) || (password.length() == 0)) {
          throw new BadCredentialsException("Empty password");
      }

      UserDetails user = null;

      // Try LDAP first; any failure (bad credentials, directory unreachable) falls through
      try {
          user = doLdapAuthentication(username, password);
      } catch (Exception e) {
          e.printStackTrace();
      }

      // No LDAP result: delegate to whatever the subclass provides
      if (user == null) {
          user = doLocalAuthentication(username, password);
      }

      return user;
  }

  protected UserDetails doLdapAuthentication(String username, String password) {
      // actual LDAP authentication ...
      ...
  }

  // Default: no local fallback; subclasses override this
  protected UserDetails doLocalAuthentication(String username, String password) {
      return null;
  }


the idea being that subclasses could override doLocalAuthentication to
do whatever they need to do in that case.

this works, but it means that your LDAP authentication bean has to also
know about the local authentication details, password encoder, salt
source, etc., which seems less than ideal.

anyhow, if anyone has any suggestions about this (which really has
nothing to do with LDAP) then I can try incorporating them into my
changes before sending them back to you.  if I don't hear anything by
tomorrow, I'll go ahead and send you what I've got.



--
   Robert r. Sanders
   Chief Technologist
   iPOV
   (334) 821-5412
   www.ipov.net


