RE: [Acegisecurity-developer] ACL interfaces

2005-07-05 Thread March, Andres
Attached patch to
http://opensource.atlassian.com/projects/spring/browse/SEC-32 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> March, Andres
> Sent: Tuesday, July 05, 2005 10:05 AM
> To: acegisecurity-developer@lists.sourceforge.net
> Subject: RE: [Acegisecurity-developer] ACL interfaces
> 
> Will do.
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Ben Alex
> > Sent: Friday, July 01, 2005 6:24 PM
> > To: acegisecurity-developer@lists.sourceforge.net
> > Subject: Re: [Acegisecurity-developer] ACL interfaces
> >
> > March, Andres wrote:
> >
> > > Thanks to the acegi team, my ACL implementation is relatively simple.
> > > But I have been struggling a little finding the proper extension
> > > points.  The basic implementations are great but I have them hard to
> > > extend.  In particular, the BasicAclEntryAfterInvocationProvider
> > > requires the use of the AbstractBasicAclEntry, so it can call
> > > isPermitted().  I am wondering why this method cannot be part of an
> > > interface (maybe BasicAclEntry).  For various reasons, some of them
> > > hibernate-related, I need to have my own implementation of
> > > BasicAclEntry.   Does this make sense?
> > >
> > >
> >
> > I can't see any problem with this at first glance, but would need to
> > take a closer look. Could you please add it to JIRA?
> >
> > Thanks
> > Ben
> >
> >
> > ---
> > SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> > from IBM. Find simple to follow Roadmaps, straightforward articles,
> > informative Webcasts and more! Get everything you need to get up to
> > speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> > ___
> > Home: http://acegisecurity.sourceforge.net
> > Acegisecurity-developer mailing list
> > Acegisecurity-developer@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
> 
> 




RE: [Acegisecurity-developer] why require an ADM

2005-07-05 Thread March, Andres
I'm sure the overhead would barely register in an app of our size but it
just feels wrong.  Our authorities cannot be represented by a string
that is why we don't have the ROLE_X concept.  It is more of a PITA than
anything else but it seems kind of illogical to have a
NoOperationAccessDecisionManager.  Still it may be just a unique
situation, so we'll deal with the extra config.  Thanks for the tip.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Ben Alex
> Sent: Friday, July 01, 2005 6:20 PM
> To: acegisecurity-developer@lists.sourceforge.net
> Subject: Re: [Acegisecurity-developer] why require an ADM
> 
> March, Andres wrote:
> 
> > When using an afterInvocationManager it may not always be necessary or
> > possible to provide before invocation security, so why require an
> > ADM?  I just use one that allows everyone and abstentions to pass
> > but it seems like a bit of overhead when all I really care about is
> > filtering the response data.  Am I missing something?
> >
> You could always write (assuming you haven't already, as it sounds like
> from your email) a NoOperationAccessDecisionManager which implements
> AccessDecisionManager and just immediately returns from each method.
> Most people check the user has a ROLE_USER or similar in the
> AccessDecisionManager, to ensure the user is logged in before they
> invoke the method. I can't see that invocation adding much overhead to
> be honest - it's not being dynamically proxied or anything, it's just
> calling a method that immediately returns. Do you have some profiling
> that shows it's adding a lot of overhead to your app? If so we could
> possibly make it a switchable parameter on the
> AbstractSecurityInterceptor.
> 
> Cheers
> Ben
> 
> 




RE: [Acegisecurity-developer] ACL interfaces

2005-07-05 Thread March, Andres
Will do.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Ben Alex
> Sent: Friday, July 01, 2005 6:24 PM
> To: acegisecurity-developer@lists.sourceforge.net
> Subject: Re: [Acegisecurity-developer] ACL interfaces
> 
> March, Andres wrote:
> 
> > Thanks to the acegi team, my ACL implementation is relatively simple.
> > But I have been struggling a little finding the proper extension
> > points.  The basic implementations are great but I have them hard to
> > extend.  In particular, the BasicAclEntryAfterInvocationProvider
> > requires the use of the AbstractBasicAclEntry, so it can call
> > isPermitted().  I am wondering why this method cannot be part of an
> > interface (maybe BasicAclEntry).  For various reasons, some of them
> > hibernate-related, I need to have my own implementation of
> > BasicAclEntry.   Does this make sense?
> >
> >
> 
> I can't see any problem with this at first glance, but would need to
> take a closer look. Could you please add it to JIRA?
> 
> Thanks
> Ben
> 
> 




Re: [Acegisecurity-developer] How about enable checking username in JdbcDaoImpl?

2005-07-05 Thread Ben Alex
Parker Wong wrote:

> If there is a property in JdbcDaoImpl that can hold a regular expression,
> JdbcDaoImpl would be able to check the username before inserting it to the
> sql template.
Hi Parker

No, there is no property that does this.

Whilst it would be easy to add, I'm not sure the regular expression
processing would in aggregate save that much CPU time compared with the
RDBMS simply returning no rows. Or was there some other scenario where
the regular expression would help? Don't forget people can write their
own AuthenticationDao that wraps JdbcDaoImpl and performs the regular
expression check prior to delegation to the JdbcDaoImpl if such
performance was required.

Cheers
Ben
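
The wrapper approach from the reply above, as an added example that is not code from the original post or from Acegi. The nested `AuthenticationDao` interface is a simplified stand-in (it returns a `String` rather than Acegi's user object), and `ValidatingAuthenticationDao`, the pattern and the sample data are hypothetical names and values chosen for illustration.

```java
import java.util.Map;
import java.util.regex.Pattern;

public class ValidatingDaoExample {
    // Simplified stand-in for the DAO contract (assumption: the real Acegi
    // interface returns a user-details object, not a String).
    interface AuthenticationDao {
        String loadUserByUsername(String username);
    }
    static class UsernameNotFoundException extends RuntimeException {
        UsernameNotFoundException(String msg) { super(msg); }
    }

    // Hypothetical wrapper: validates the username, then delegates to the wrapped DAO.
    static class ValidatingAuthenticationDao implements AuthenticationDao {
        private final AuthenticationDao delegate;
        private final Pattern allowed;

        ValidatingAuthenticationDao(AuthenticationDao delegate, String regex) {
            this.delegate = delegate;
            this.allowed = Pattern.compile(regex);
        }

        public String loadUserByUsername(String username) {
            // matches() tests the whole input; find() would accept a valid-looking
            // substring embedded in a longer, unwanted string.
            if (username == null || !allowed.matcher(username).matches()) {
                // Same exception and message as an unknown user, so the caller
                // cannot distinguish "malformed" from "not in the database".
                throw new UsernameNotFoundException("User not found");
            }
            return delegate.loadUserByUsername(username);
        }
    }

    public static void main(String[] args) {
        Map<String, String> table = Map.of("marissa", "ROLE_USER"); // constructed sample data
        AuthenticationDao jdbcStandIn = name -> {                   // plays the role of JdbcDaoImpl
            String roles = table.get(name);
            if (roles == null) throw new UsernameNotFoundException("User not found");
            return name + ":" + roles;
        };
        // The {1,32} bound also caps the length that ever reaches the database.
        AuthenticationDao dao = new ValidatingAuthenticationDao(jdbcStandIn, "[A-Za-z0-9._-]{1,32}");
        for (String candidate : new String[] {"marissa", "nobody", "mar issa", "x".repeat(500)}) {
            try {
                System.out.println("accepted: " + dao.loadUserByUsername(candidate));
            } catch (UsernameNotFoundException e) {
                System.out.println("rejected (" + candidate.length() + " chars): " + e.getMessage());
            }
        }
    }
}
```

Only `marissa` is accepted; `nobody` is rejected by the stand-in lookup, and the other two never reach it.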




Re: [Acegisecurity-developer] Adding User/permissions programmatically

2005-07-05 Thread Ben Alex

Marco Mistroni wrote:


> Hello all,
>  i am currently using Acegi for security purposes in my application.
> Currently, i have populated database tables via SQL, but i was curious
> if Acegi provides APIs for populating database programmatically..
> i plan to use Hibernate to do that...i was curious to know if acegi
> has already its own API for doing that..
>
> thanks in advance and regards
>  marco
 


Hi Marco

No, there are no APIs for populating the DB tables with authentication 
or authorization data. The one exception is the ACL services do have a 
mutable DAO, JdbcExtendedDaoImpl: 
http://acegisecurity.sourceforge.net/multiproject/acegi-security/clover/net/sf/acegisecurity/acl/basic/jdbc/JdbcExtendedDaoImpl.html


Cheers
Ben






[Acegisecurity-developer] Adding User/permissions programmatically

2005-07-05 Thread Marco Mistroni
Hello all,
  i am currently using Acegi for security purposes in my application.
Currently, i have populated database tables via SQL, but i was curious
if Acegi provides APIs for populating database programmatically..
i plan to use Hibernate to do that...i was curious to know if acegi
has already its own API for doing that..

thanks in advance and regards
  marco




Re: [Acegisecurity-developer] Captcha

2005-07-05 Thread Ben Alex

marc antoine garrigue wrote:


> -I can commit my adapter code, under your  license and copyright, as soon as
> you give me the access to your  VSC.

 


Hi Marc

I've given you CVS access to the project. Welcome aboard.

Cheers
Ben




RE: [Acegisecurity-developer] Captcha

2005-07-05 Thread marc antoine garrigue
Hello,
> Could you have a look at the code I attached to
> http://opensource.atlassian.com/projects/spring/browse/SEC-2 a little
> while
> ago.

I saw your code Georges, it is great, but it is very tied to JCaptcha and to
the specific use case you implemented (captcha-ize the login page).


> I really don't know too much about JCaptcha, other than the fact that I
> have
> it working with Acegi, but I'm wondering how "Spring friendly" it is - or
> could be. For example, can it be configured by setting JavaBean
> properties?

JCaptcha is fully designed according to IOC principle. We do not use
JavaBean properties injection but constructor injection (IOC type 3). 


> If so, it could be plugged into a Spring context file. This would
> eliminate
> the need to create a JCaptcha singleton, since Spring could manage its
> 'singleton-ness".

You are so right!
As a consequence it is possible to use Spring to instantiate the service
singleton and much more: using spring configuration file allows simple
captcha test configuration. It is also possible to use the Spring JMX handler
to register the JCaptcha MBeans (for statistics collection and monitoring)
and we are working on a new CapthcaEngine that uses the Spring/Quartz handler
to schedule asynchronous captcha generation.

Here is a sample spring config file for JCaptcha (contains reference to
unpublished code): 






testBuffered

0.9

0.1

3000
1
500
1

captchas
true

true

true

feedPersistentBuffer
false

swapCaptchasFromPersistentToVolatileMemory
false

0 0 * * * ?

0/5 * * * * ?






> All of this is not directly related to an Acegi adapter
> to
> JCaptcha, since Acegi can be used in non-spring applications. However, I
> expect that people who use Acegi would also be using Spring - so it would
> be
> nice if JCaptcha could be managed from a Spring context file. DWR took
> that
> approach with their AJAX framework (well, sort of) and I think it opens it
> up to a whole new set of people.

I agree.

Best regards.

MAG

> 
> 
> 
> - Original Message -
> From: "marc antoine garrigue" <[EMAIL PROTECTED]>
> To: 
> Sent: Sunday, July 03, 2005 9:59 AM
> Subject: RE: [Acegisecurity-developer] Captcha
> 
> 
> > Hi guys,
> > It took me some time to answer, because I had to talk with my project
> team
> > in order to make a decision, and I also wanted to let people here
> comment
> on
> > this subject.
> >
> > We though the current discussion could be  split