[Acegisecurity-developer] RememberMe and Cookies

2006-05-09 Thread Aleksei Valikov

Hi there.

I've recently struggled with a problem with the "remember me" service. I use 
TokenBasedRememberMeService to enable autologin. However, I've found out that I 
can't log out even when invalidating the HttpSession and sending the terminate 
cookie.


Here's the code (approximately).

  public String logout() {
    final FacesContext context = FacesContext.getCurrentInstance();
    SecurityContextHolder.clearContext();
    if (context != null) {
      final Object responseDraft = context.getExternalContext().getResponse();
      if (responseDraft instanceof HttpServletResponse) {
        final HttpServletResponse response = (HttpServletResponse) responseDraft;
        // Terminate cookie: empty value, max age 0, no path set
        final Cookie terminate = new Cookie(ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE_KEY, "");
        terminate.setMaxAge(0);
        response.addCookie(terminate);
      }
      // Invalidate the HTTP session if one exists
      final Object sessionDraft = context.getExternalContext().getSession(false);
      if (sessionDraft instanceof HttpSession) {
        final HttpSession session = (HttpSession) sessionDraft;
        session.invalidate();
      }
    }
    return Navigations.START;
  }

The cookie could not be reset. When I tried simply setting a different value 
and a valid max age, the browser (Mozilla) sent back _two_ 
ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookies, one with the old value, one 
with the new.


Finally, it appeared that the browser also considers the path when 
storing/managing cookies. And, when the path is not set, it takes the "actual" 
path. So I finally got two cookies with the same name and different paths (say, 
/login set from /login/login.html and / set from /login/logout.html).


I've implemented a subclass of TokenBasedRememberMeService to set a default path 
("/") and used the same path when logging out. This works fine, but I think 
that all is a bit strange. I don't assume it's a bug in ACEGI, but maybe I'm 
doing something wrong?


Bye.
/lexi



___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
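
The cookie behaviour described in the first message above, as an added example that is not part of the original post or of Acegi: a simplified model of a browser cookie jar that keys cookies by name and path and applies the RFC 6265 default-path rule. The request path /logout.html is constructed for the illustration, and domain matching is left out.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration: simplified browser cookie store (domain handling omitted).
public class CookieJarModel {
    // A stored cookie is identified by name AND path, not by name alone.
    private final Map<String, String> jar = new LinkedHashMap<>();

    // Path used when Set-Cookie carries no Path attribute: the "directory" of the request path.
    static String defaultPath(String requestPath) {
        int lastSlash = requestPath.lastIndexOf('/');
        return lastSlash <= 0 ? "/" : requestPath.substring(0, lastSlash);
    }

    // Apply a Set-Cookie received in the response for requestPath; path == null means no Path attribute.
    void setCookie(String requestPath, String name, String value, String path, int maxAge) {
        String key = name + ";" + (path != null ? path : defaultPath(requestPath));
        if (maxAge == 0) {
            jar.remove(key); // deletes only the entry with exactly this name and path
        } else {
            jar.put(key, value);
        }
    }

    // Values of every cookie called name that would be sent with a request to requestPath.
    List<String> sentWith(String requestPath, String name) {
        List<String> values = new ArrayList<>();
        for (Map.Entry<String, String> e : jar.entrySet()) {
            String[] nameAndPath = e.getKey().split(";", 2);
            String path = nameAndPath[1];
            boolean matches = requestPath.equals(path)
                    || requestPath.startsWith(path.endsWith("/") ? path : path + "/");
            if (nameAndPath[0].equals(name) && matches) values.add(e.getValue());
        }
        return values;
    }

    public static void main(String[] args) {
        String name = "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE";
        CookieJarModel browser = new CookieJarModel();
        browser.setCookie("/login/login.html", name, "token-1", null, 3600); // stored under /login
        browser.setCookie("/logout.html", name, "", null, 0);      // targets "/", removes nothing
        System.out.println(browser.sentWith("/login/page.html", name));
        browser.setCookie("/logout.html", name, "token-2", null, 3600); // second cookie, under "/"
        System.out.println(browser.sentWith("/login/page.html", name));
        browser.setCookie("/logout.html", name, "", "/login", 0);  // explicit matching path deletes it
        System.out.println(browser.sentWith("/login/page.html", name));
    }
}
```

Setting the same explicit path on both the remember-me cookie and the terminate cookie, as the post's subclass does with "/", makes the two operations address the same jar entry regardless of which URL issues them.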


[Acegisecurity-developer] InvalidateSessionLogoutHandler

2006-09-08 Thread Aleksei Valikov
Hi folks.

When logging out, I would like the HTTP session to be invalidated as well. I've 
written a trivial logout handler:

    public void logout(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication) {
        final HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }


This functionality seems quite basic to me - should this maybe be included into 
ACEGI?

Bye.
/lexi



Re: [Acegisecurity-developer] InvalidateSessionLogoutHandler

2006-09-08 Thread Aleksei Valikov
Hi.

> There's a LogoutFilter in 1.0+
> 
> http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/ui/logout/LogoutFilter.html

Of course it is there, but it does not invalidate the session on logout by 
default. Doing something on logout is the task of the LogoutHandlers invoked by 
the filter.

What I'm proposing is just an implementation of the LogoutHandler that 
invalidates the session. I think this is basic functionality and should be 
included into ACEGI.

Bye.
/lexi



Re: [Acegisecurity-developer] maven2 dependencies

2006-09-11 Thread Aleksei Valikov
Hi.


> i have a project that uses maven2 and i have some dependencies on acegi 
> security framework
> 
> can anyone tell me what is the correct dependency to list in my pom.xml?

Below are my dependencies.
I generally exclude everything since my project already depends on the right 
artifacts and versions.
I also don't use a couple of features like ds, so I exclude them as well.


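    <dependency>
      <groupId>org.acegisecurity</groupId>
      <artifactId>acegi-security</artifactId>
      <version>1.0.1</version>
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-remoting</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-jdbc</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-support</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-mock</artifactId>
        </exclusion>
        <exclusion>
          <groupId>cas</groupId>
          <artifactId>casclient</artifactId>
        </exclusion>
        <exclusion>
          <groupId>aspectj</groupId>
          <artifactId>aspectjrt</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.apache.directory.server</groupId>
          <artifactId>apacheds-core</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.slf4j</groupId>
          <artifactId>slf4j-log4j12</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
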

Bye.
/lexi



Re: [Acegisecurity-developer] Maven 2 Build, Site etc.

2006-10-30 Thread Aleksei Valikov
Hi.

> What's the docbook plugin support like in Maven 2, Carlos?
> 
> I can probably set something up to generate the docs separately if it's
> not available yet.

This is what I use:

http://www.agilejava.com/docbkx/

Here's an example:


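    <plugin>
      <groupId>com.agilejava.docbkx</groupId>
      <artifactId>docbkx-maven-plugin</artifactId>
      <version>1.69.1.7</version>
      <executions>
        <execution>
          <goals>
            <goal>generate-html</goal>
            <goal>generate-pdf</goal>
          </goals>
          <phase>pre-site</phase>
        </execution>
      </executions>
      <dependencies>
        <dependency>
          <groupId>org.docbook</groupId>
          <artifactId>docbook-xml</artifactId>
          <version>4.4</version>
          <scope>runtime</scope>
        </dependency>
      </dependencies>
      <configuration>
        <sourceDirectory>${basedir}/src/reference</sourceDirectory>
        <targetDirectory>${basedir}/target/site/reference</targetDirectory>
      </configuration>
    </plugin>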


Bye.
/lexi.




Re: [Acegisecurity-developer] Spring Security and Java Persistence API

2007-08-24 Thread Aleksei Valikov
Hi.

> I am a newbie to Spring Security.
>
> I am interested to know if anyone has used Spring Security with Java
> Persistence API to provide authentication, access control /
> authorization to database transactions where db access is via Java
> Persistence API.
>
> My search in the archives did not yield any thing like that so I would
> appreciate some guidance.

What exactly are you up to?

The simplest entry point I can imagine is implementing a JPA-based
UserDetailsService. This service returns a user (UserDetails) with his
rights (GrantedAuthority[]).

But I guess you have something more complex in mind. Could you maybe
describe a usage scenario?

Bye.
/lexi
