Re: [Acegisecurity-developer] Blog entry acegi. Need review.
Pascal Gehl wrote: I've made an entry in my blog on acegi. Hi Pascal I've added your blog entry to the Acegi Security "articles" page. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Webwork2+Acegi j_acegi_security_check redirection problems
Jared Odulio wrote: Hi Mark, Thanks, I've registered already. So while waiting for the activation email to arrive. I am going to post a few more info. I am using Acegi Security version 0.9.0 Snapshot that I build myself. I am running the Contact Sample and my application in Sun Java System Application Server Platform Edition 8.1 Q2 2005 Release, my JDK is 1.5.0_04, my web framework is Webwork 2.1.7 using Velocity, all of which are running on Slackware 10.1 with Linux kernel version 2.4.X. Hi Jared Did you get this sorted out, or did you move it to the forums? If not, please post it over on the forum along with logs and I'll take a look (also Matthew Porter uses WW2 w/ Acegi Security so he might be able to offer some suggestions). Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Webwork2+Acegi j_acegi_security_check redirection problems
Hi Ben, Yes, I managed to fix it. I have taken some notes too: http://jaredtech.blogspot.com/2005/08/webworkvelocityacegi-config.html I am if this is case works for others but it worked for me. Ben Alex wrote: Jared Odulio wrote: Hi Mark, Thanks, I've registered already. So while waiting for the activation email to arrive. I am going to post a few more info. I am using Acegi Security version 0.9.0 Snapshot that I build myself. I am running the Contact Sample and my application in Sun Java System Application Server Platform Edition 8.1 Q2 2005 Release, my JDK is 1.5.0_04, my web framework is Webwork 2.1.7 using Velocity, all of which are running on Slackware 10.1 with Linux kernel version 2.4.X. Hi Jared Did you get this sorted out, or did you move it to the forums? If not, please post it over on the forum along with logs and I'll take a look (also Matthew Porter uses WW2 w/ Acegi Security so he might be able to offer some suggestions). Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer -- http://jaredtech.blogspot.com --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] LDAP Dao Status
Robert r. Sanders wrote: After a couple false starts which in retrospect I shouldn't have checked into the CVS HEAD, I have finally cleaned up the code and gotten an updated version of the LDAPPasswordAuthenticationDao, along with a unit test, into the CVS HEAD. I will post a similar message to the forums, but if anyone is interested in trying out the code and providing feedback, please do; in particular I haven't figured out how to test Active Directory style logins (when the login name is [EMAIL PROTECTED]). After struggling to complete this code I have come to the sad realization that I simply don't have enough time in the day for everything I'd like to do. When I initially began working on the LDAP integration for Acegi, I was anticipating using it in an upcoming project; however that project has continued to be pushed off onto the back burner, and I find the time I am able to work on Acegi severely limited. I am still willing to help out; but I am simply unable to put in any more time than I already am, meaning that if LDAP is to be completed in a reasonable time frame someone else is going to have to work on it. I will help out as much as possible; however those of you monitoring the rate of progress on the LDAP code in recent months can see that that is not much. Hi Robert Thanks for your efforts so far on the LDAP integration. I see that you've implemented Apache DS integration, meaning we now have a fully JUnit (pure Java) testable solution. Is anyone interested in taking over the LDAP effort? Failing volunteers, I will probably take this on when I next do a major batch of changes and hope Robert can give some review/advice as he has collected most of the requirements in recent months. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java
Mark St.Godard wrote: The HttpSessionContextIntegrationFilter should be able to set some sort of indicator that this is the first logon attempt since it generates a new SecurityContext however this wouldnt work for remote client authentication? IMHO we should modify all event-aware AuthenticationProviders to publish an event on every occasion an authentication is processed, irrespective of the cache usage or not. There are three reasons for this: 1. The Authentication.getDetails() *should* provide some sort of identifier (typically a WebAuthenticationDetails, which offers the HttpSession ID in most cases) and this identifier can be used by the ApplicationListener to determine what and when to log. 2. Recent changes to Authentication and AbstractSecurityInterceptor have changed the semantics of Authentication.isAuthenticated(): /** * Used to indicate to AbstractSecurityInterceptor whether it * should present the authentication token to the * AuthenticationManager. Typically an * AuthenticationManager (or, more often, one of its * AuthenticationProviders) will return an immutable * authentication token after successful authentication, in which case * that token can safely return true to this method. * Returning true will improve performance, as calling the * AuthenticationManager for every request will no longer be * necessary. * * * For security reasons, implementations of this interface should be very * careful about returning true to this method unless they * are either immutable, or have some way of ensuring the properties have * not been changed since original creation. * * * @return true if the token has been authenticated and the * AbstractSecurityInterceptor does not need to * represent the token for re-authentication to the * AuthenticationManager */ public boolean isAuthenticated(); As such, a DaoAuthenticationProvider (or any other AuthenticationProvider for that matter) will only be called when a user is genuinely not authenticated - or the use has changed the AbstractSecurityInterceptor.alwaysReauthenticate property to false. 3. Most authentication processing filters (certainly those use for CAS, AuthenticationProcessingFilter/form-based, remember-me, X509) now publish an InteractiveAuthenticationSuccessEvent when a user logs in. I would welcome other opinions on this, but it seems we now have a more comprehensive solution to application event messages than putting then into AuthenticationProviders. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] SEC-15 User security context switching
Mark St.Godard wrote: I did some local testing with the Contacts sample and did some simple tests of - logging in (i.e. User 1) - going to /secure/debug.jsp (view User 1 info) - going to a jsp that handles the switch (i.e. switchUser.jsp) - submit request to 'su' to another user (i.e. User 2) - going to /secure/debug.jsp (view User 2 info) - go to exit page (i.e. exitUser.jsp) - display current user logged in as, submit button to exit - going to /secure/debug.jsp (shows User 1 info) So initial simple tests seem to work, need to polish and do alot more testing. I have also added applicable unit tests. Again, feedback welcome. Hi Mark Thanks for taking care of this. It's a good initial implementation. A few ideas/suggestions: - We should publish an event when the administrator performs a "su", such that audit logs and the like are complete. - Make the exitUserUrl and switchUserUrl default to the normal values, and remove the getDefaultXX() getters. - The SWITCH_USER_GRANTED_AUTHORITY probably should be "ROLE_PREVIOUS_ADMINISTRATOR" so it works with the default RoleVoter. - Use Assert.isTrue(boolean) where possible, instead of the if (!request instanceof HttpServletRequest) etc - it will reduce the unit test size. - Let's add the "su" capability to the Contacts Filter Sample, as it is a pretty nice feature to show is available. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] missing voting facilities?
Andy Depue wrote: I wonder, though, if the ACL functionality would be a better solution for this sort of thing? The Voter we created below was just a quick hack, really. The BasicAclVoter is designed to locate the first domain object argument in a method invocation, and then lookup the ACLs from AclManager. You then specify which bit masks are acceptable and these are searched for in the resulting ACLs. I am interested whether this approach would be sufficient to meet Andy and Fernando's needs. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Security Annotation support (initial)
Mark St.Godard wrote: Ben et al, Just a note, I have checked in some initial Security annotation support and unit tests. Feedback is always welcome, and please let me know if anyone has any problems with the new subproject. Great work Mark. Are there any users out there using Acegi Security's Commons Attributes support? Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Odd authentication behaviors
Sergio Bossa wrote: Moreover, have you considered my first point? Why does Acegi try to re-authenticate the user, even if it is already authenticated? And why does this happen only sometimes? Hi Sergio Would you please advise if you are using CVS HEAD, as it contains a number of improvements to re-authentication. Would you also please post your filters so I can see what they're doing, and any DEBUG-level logs? Thanks Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] synchronization bug in FilterToBeanProxy: Not yet fixed
Malzahn Volker , Köln wrote: So I would suggest to choose solution 2.). Hi Volker Well spotted, I've fixed in CVS (using solution 2). Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] using long for acegi acl id parameters
Tim Kettering wrote: I’m wondering if there was a reason that most of Acegi’s standard ACL classes use int when dealing with object id values. We usually default to using ‘long’ instead of ‘int’ – and I believe that other places do as well, so it seems to me that it might be simpler to use ‘long’ in the acegi classes, since the java compiler can automatically cast int to long anyway. Hi Tim Which ACL classes are you referring to? AbstractBasicAclEntry uses int because it performs bit masking which shouldn't need the full size of a long. If you mean AclDetailsHolder (protected class within JdbcDaoImpl) I see your point and we should change it. Please feel free to submit a patch or issue to JIRA and I'll get it done. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] cannot access cvs
Tim Kettering wrote: Same here – cannot access CVS since yesterday. I guess SF is messed up… again. SF have been upgrading CVS - again. I had problems last week as well, but it's fine now. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Webwork2+Acegi j_acegi_security_check redirection problems
Jared Odulio wrote: Hi Ben, Yes, I managed to fix it. I have taken some notes too: http://jaredtech.blogspot.com/2005/08/webworkvelocityacegi-config.html I am if this is case works for others but it worked for me. Hi Jared I added your blog entry to our "articles" page to help others find it. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Acegi error on Sun Java Enterprise Server 8.1
Clarence Ho wrote: java.lang.ClassCastException: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken Most ClassCastExceptions are caused because there's an extra acegi-security-*.jar on your classpath. It should only be inside your WAR's WEB-INF/lib directory. Cheers Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] SEC-6 Spring Rich integration with Acegi Security
For some time Spring Rich has been using an old version of Acegi Security. I have just updated Spring Rich CVS HEAD to work with Acegi Security 0.9.0-SNAPSHOT. The Petclinic sample demonstrates this. The JIRA issue has been closed: http://opensource.atlassian.com/projects/spring/browse/SEC-6 Best regards Ben --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] SEC-15 User security context switching
Ben, Sure thing, thanks for the feedback, will do. Cheers, Mark On 8/21/05, Ben Alex <[EMAIL PROTECTED]> wrote: > Mark St.Godard wrote: > > >I did some local testing with the Contacts sample and did some simple tests > >of > >- logging in (i.e. User 1) > >- going to /secure/debug.jsp (view User 1 info) > >- going to a jsp that handles the switch (i.e. switchUser.jsp) > >- submit request to 'su' to another user (i.e. User 2) > >- going to /secure/debug.jsp (view User 2 info) > >- go to exit page (i.e. exitUser.jsp) > >- display current user logged in as, submit button to exit > >- going to /secure/debug.jsp (shows User 1 info) > > > >So initial simple tests seem to work, need to polish and do alot more > >testing. > > > >I have also added applicable unit tests. > > > >Again, feedback welcome. > > > > > > > Hi Mark > > Thanks for taking care of this. It's a good initial implementation. A > few ideas/suggestions: > > - We should publish an event when the administrator performs a "su", > such that audit logs and the like are complete. > - Make the exitUserUrl and switchUserUrl default to the normal values, > and remove the getDefaultXX() getters. > - The SWITCH_USER_GRANTED_AUTHORITY probably should be > "ROLE_PREVIOUS_ADMINISTRATOR" so it works with the default RoleVoter. > - Use Assert.isTrue(boolean) where possible, instead of the if (!request > instanceof HttpServletRequest) etc - it will reduce the unit test size. > - Let's add the "su" capability to the Contacts Filter Sample, as it is > a pretty nice feature to show is available. > > Cheers > Ben > > > --- > SF.Net email is Sponsored by the Better Software Conference & EXPO > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf > ___ > Home: http://acegisecurity.sourceforge.net > Acegisecurity-developer mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java
Hi Ben, (welcome back :) Great, the isAuthenticated() is the exact key we need to determine this particular even, irrespective of the cache. I also agree that it should not be in the AuthenticationProviders... Ben, I created a JIRA entry for this (SEC-50), you can assign to me if you want. Cheers, Mark On 8/21/05, Ben Alex <[EMAIL PROTECTED]> wrote: > Mark St.Godard wrote: > > >The HttpSessionContextIntegrationFilter should be able to set some > >sort of indicator that this is the first logon attempt since it > >generates a new SecurityContext however this wouldnt work for > >remote client authentication? > > > IMHO we should modify all event-aware AuthenticationProviders to publish > an event on every occasion an authentication is processed, irrespective > of the cache usage or not. There are three reasons for this: > > 1. The Authentication.getDetails() *should* provide some sort of > identifier (typically a WebAuthenticationDetails, which offers the > HttpSession ID in most cases) and this identifier can be used by the > ApplicationListener to determine what and when to log. > > 2. Recent changes to Authentication and AbstractSecurityInterceptor have > changed the semantics of Authentication.isAuthenticated(): > >/** > * Used to indicate to AbstractSecurityInterceptor > whether it > * should present the authentication token to the > * AuthenticationManager. Typically an > * AuthenticationManager (or, more often, one of its > * AuthenticationProviders) will return an immutable > * authentication token after successful authentication, in which case > * that token can safely return true to this method. > * Returning true will improve performance, as calling the > * AuthenticationManager for every request will no > longer be > * necessary. > * > * > * For security reasons, implementations of this interface should be > very > * careful about returning true to this method unless they > * are either immutable, or have some way of ensuring the properties > have > * not been changed since original creation. > * > * > * @return true if the token has been authenticated and the > * AbstractSecurityInterceptor does not need to > * represent the token for re-authentication to the > * AuthenticationManager > */ >public boolean isAuthenticated(); > > As such, a DaoAuthenticationProvider (or any other > AuthenticationProvider for that matter) will only be called when a user > is genuinely not authenticated - or the use has changed the > AbstractSecurityInterceptor.alwaysReauthenticate property to false. > > 3. Most authentication processing filters (certainly those use for CAS, > AuthenticationProcessingFilter/form-based, remember-me, X509) now > publish an InteractiveAuthenticationSuccessEvent when a user logs in. > > I would welcome other opinions on this, but it seems we now have a more > comprehensive solution to application event messages than putting then > into AuthenticationProviders. > > Cheers > Ben > > > > --- > SF.Net email is Sponsored by the Better Software Conference & EXPO > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf > ___ > Home: http://acegisecurity.sourceforge.net > Acegisecurity-developer mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Security Annotation support (initial)
Hey Ben, Just wanted to mention, I have started converting over the "attributes" sample apps over to Java 5 annotations version. (Havent checked in yet) samples/attributes (Commons) samples/annotations (Java 5) Basically, I ported over the BankService code and created tests. Also, I did port over a Contacts sample using Java instead of XML configuration. My questions (prior to checking anything in), are related to packaging. First off, we now have the core-tiger project... and this creates a jar for the java 5 classes. I think we need to package these into a single acegisecurity jar file? I noticed that the Spring @Transactional annotations are packaged in the spring.jar (i.e. there is not JDK 5 vs JDK 1.4 < ) So it looks to be ok to use JDK 1.4 (and lower) loading a jar file that contains Java 5 classes as long as they dont try to use them :) 2ndly - where should the new contacts sample using the annotations reside? Should I recreate a whole new sub-project (ala core-tiger) ? Or can it be included in the existing /samples/contacts/ ? I just wanted to make sure I dont check in code that breaks JDK 1.4 users from building the CVS HEAD examples, etc. Therefore to sum up: - can we package the core-tiger classes into the single acegi security dist? - where should the new samples (for java5) be located? Thoughts? Cheers, Mark Anyway On 8/21/05, Ben Alex <[EMAIL PROTECTED]> wrote: > Mark St.Godard wrote: > > >Ben et al, > > > >Just a note, I have checked in some initial Security annotation > >support and unit tests. > > > >Feedback is always welcome, and please let me know if anyone has > >any problems with the new subproject. > > > > > > > Great work Mark. > > Are there any users out there using Acegi Security's Commons Attributes > support? > > Cheers > Ben > > > > --- > SF.Net email is Sponsored by the Better Software Conference & EXPO > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf > ___ > Home: http://acegisecurity.sourceforge.net > Acegisecurity-developer mailing list > [EMAIL PROTECTED] > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Security Annotation support (initial)
Mark St.Godard wrote:
I just wanted to make sure I dont check in code that breaks JDK 1.4
users from building the CVS HEAD examples, etc.
Therefore to sum up:
- can we package the core-tiger classes into the single acegi security dist?
- where should the new samples (for java5) be located?
Thoughts?
Yesterday I asked whether anyone was using the Commons Attributes
support. The reason is that when you install commons-attributes-plugin,
you in effect add a plugin to Maven that will throw exceptions if you
are using any Java 1.5 features such as annotations and enums.
http://jakarta.apache.org/commons/attributes/maven_demo.html indicates
that 2.1 is the latest version of the Commons Attributes plugin, so you
install using:
maven plugin:download -DgroupId=commons-attributes-plugin
-DartifactId=commons-attributes-plugin -Dversion=2.1
However, if you install the plugin and then use Java 1.5-specific
features in your build, this is what the Maven build will give you:
(What happens for an enum):
Error parsing File .\CounterEnum.java:Encountered "enum" at line 9,
column 8.
Was expecting one of:
"abstract" ...
"interface" ...
"public" ...
"strictfp" ...
"final" ...
"class" ...
(What happens for a generics declaration):
Error parsing File \RoleDaoHibernate.java:Encountered "<" at line
21, column 51.
Was expecting one of:
"implements" ...
"{" ...
"." ...
According to http://jakarta.apache.org/commons/attributes/faq.html:
*Q: What are the future plans for Commons-Attributes?**
A:* As indicated above, C-A isn't expected to live beyond widespread
adoption of Java 5.0. But until then, the main area of concern is ease
of use
The above issue is therefore only a concern for people wishing to build
the /samples/attributes sample, as then the plugin is required. I think
we should therefore disable the /samples/attributes as part of the /docs
multiproject build, leaving it to users of Commons Attributes to
manually build (and install the problematic plugin) if they so wish.
Does anyone have a concern with that?
Assuming we do the above, I think that having a new sample specifically
for annotations would be appropriate. We can use the same classes as
used in the attributes sample, so that people can compare the two
approaches. Of course, the attributes sample would have in its
project.properties the 1.5-specific source and compile properties.
I have no issue with having the 1.5-specific classes in the
acegi-security-xxx.jar. Achieving that will need some /core/maven.xml
jar:jar pre-goal customisation. Two approaches would be to run the
/core-tiger build if 1.5 is detected and then copy the files across to
/core/target/classes. Alternatively, just copy the
/core-tiger/target/classes if they exist to /core/target/classes and
expect users to first build core-tiger (such that the
/core-tiger/target/classes exists). The latter approach is easier, but
I'm sure the former is achievable with Maven as well.
Cheers
Ben
---
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
