[Acegisecurity-developer] RainbowCrack service and Acegi

2005-11-10 Thread Andy Depue
Just found an interesting article over on the Register:
http://www.theregister.co.uk/2005/11/10/password_hashes/page2.html
It's about a new online service that has built huge rainbow tables 
containing hashes and the associated passwords that generate those hashes for 
the most popular hashing algorithms.  They talk about how most security 
systems were not implemented carefully enough, and so become easy to crack 
with rainbow tables.  Now, someone correct me if I'm wrong, and this was even 
briefly mentioned in the article, but doesn't a good salt algorithm foil 
this?  Acegi has the ability to salt hashes, so I guess the next question is, 
is Acegi's implementation good enough to thwart such easy cracking?

  - Andy


---
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42 plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
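
The question raised in this post, as an added Java example (not part of the original message and not Acegi code): a table of precomputed unsalted digests finds a common password at once, but misses as soon as each account has its own random salt. The word list, class and method names are constructed, and a plain lookup map stands in for a real rainbow table's chains.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class SaltVersusPrecomputedTable {

    // Constructed word list standing in for the coverage of a precomputed table.
    private static final String[] COMMON_PASSWORDS = {"password", "letmein", "qwerty", "dragon"};

    private static final SecureRandom RANDOM = new SecureRandom();

    /** SHA-256 over the concatenation of the given byte arrays. */
    static byte[] sha256(byte[]... parts) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (byte[] part : parts) {
                md.update(part);
            }
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    /** Digest -> password map computed once, reusable against every unsalted credential store. */
    static Map<String, String> precomputeUnsalted() {
        Map<String, String> table = new HashMap<>();
        for (String pw : COMMON_PASSWORDS) {
            table.put(Base64.getEncoder().encodeToString(sha256(utf8(pw))), pw);
        }
        return table;
    }

    /** Looks a stored digest up in the table; null means the table does not cover it. */
    static String lookup(Map<String, String> table, byte[] storedDigest) {
        return table.get(Base64.getEncoder().encodeToString(storedDigest));
    }

    /** Fresh 16-byte random salt, generated per account and stored next to the digest. */
    static byte[] newSalt() {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        return salt;
    }

    static byte[] hashSalted(byte[] salt, String password) {
        return sha256(salt, utf8(password));
    }

    /** Login check: recompute with the account's own salt and compare in constant time. */
    static boolean verify(byte[] salt, byte[] storedDigest, String candidate) {
        return MessageDigest.isEqual(storedDigest, hashSalted(salt, candidate));
    }

    public static void main(String[] args) {
        Map<String, String> table = precomputeUnsalted();

        // Unsalted store: the digest of a common password is a direct table hit.
        byte[] unsalted = sha256(utf8("letmein"));
        System.out.println("unsalted digest found in table: " + lookup(table, unsalted));

        // Salted store: two accounts with the same password get unrelated digests,
        // and neither appears in a table that was built without their salts.
        byte[] saltA = newSalt();
        byte[] saltB = newSalt();
        byte[] storedA = hashSalted(saltA, "letmein");
        byte[] storedB = hashSalted(saltB, "letmein");
        System.out.println("salted digest found in table:   " + lookup(table, storedA));
        System.out.println("accounts share a digest:        " + MessageDigest.isEqual(storedA, storedB));
        System.out.println("legitimate login still works:   " + verify(saltA, storedA, "letmein"));
        System.out.println("wrong password rejected:        " + !verify(saltA, storedA, "qwerty"));
    }
}
```

A salt only removes the precomputation advantage; making each individual guess expensive takes an iterated hashing scheme on top of it.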


[Acegisecurity-developer] Acegi integration with ActiveMQ

2005-09-16 Thread Andy Depue
I need to integrate ActiveMQ's JMS security with Acegi.  Before I do this, I 
just want to make sure I'm not solving a problem that has already been 
solved.  Has anyone else integrated ActiveMQ's security with Acegi?  It 
should be fairly straightforward as ActiveMQ provides a single simple adapter 
interface to implement.

Thanks,
  Andy




Re: [Acegisecurity-developer] Quartz acegi problems

2005-09-16 Thread Andy Depue
On Friday 16 September 2005 04:17 am, Achmad Arif Rachim wrote:
 I was thinking like that before, but how do I intercept Quartz? This is
 because I'm using MethodSecurityInterceptor; every time targetMethod is invoked
 by localhost it throws AuthenticationException.

 I'm using MethodDefinitionAttributes with commons-attributes. The idea was
 to make every method invocation pass through the security concern.

 Unfortunately, a method that is invoked by the local machine will throw
 AuthenticationCredentialsNotFoundException :(. I was wondering how to
 intercept Quartz before it invokes targetMethod, so I can put the
 AuthenticationObject into ThreadLocal... but I don't seem to have a clue. :(

You will need to authenticate a user in your quartz job before it actually 
calls your secured method.  See this thread: 
http://article.gmane.org/gmane.comp.java.springframework.acegisecurity.devel/984
In particular, take a look at this message: 
http://article.gmane.org/gmane.comp.java.springframework.acegisecurity.devel/1000
I'm not yet familiar with Quartz, so it's up to you (or someone else on this 
list) to figure out how to accomplish this in relation to Quartz, but it 
should be simple enough to pull off.

  - Andy




Re: [Acegisecurity-developer] Acegi integration with ActiveMQ

2005-09-16 Thread Andy Depue
On Friday 16 September 2005 11:07 am, Andy Depue wrote:
 I need to integrate ActiveMQ's JMS security with Acegi.  Before I do this,
 I just want to make sure I'm not solving a problem that has already been
 solved.  Has anyone else integrated ActiveMQ's security with Acegi?  It
 should be fairly straightforward as ActiveMQ provides a single simple
 adapter interface to implement.

OK, I'm going to go ahead with this.  I've made a snap decision to continue 
conversation on the ActiveMQ user list.  Unless someone tells me otherwise, I 
plan on contributing the adapter to the ActiveMQ project rather than the 
Acegi project.  I've placed some initial thoughts in the ActiveMQ user list 
already.  As soon as it shows up in gmane, I'll post a link to the thread (as 
a response to this message).

  - Andy




Re: [Acegisecurity-developer] Quartz acegi problems

2005-09-16 Thread Andy Depue
On Friday 16 September 2005 01:26 pm, Achmad Arif Rachim wrote:
 Hi Andy,

 I'm using your suggestion to use SecurityFacade. I found a very interesting
 result: yes, it's working, but not 100% well. Among the successful invocations
 there's a period where AuthenticationCredentialsNotFoundException is thrown. I
 found that every 16 successful invocations always have one failure :(

 I think the problem is that we can only invoke
 securityFacade.authenticateUser inside targetMethod. I'm using
 methodSecurityInterceptor with commons-attributes, so it will intercept any
 kind of method before it is called. The issue will be how to
 intercept the Quartz targetMethod before it is invoked so I can call
 securityFacade.authenticateUser.

 Wish Ben can help me on this.


As I said, I'm not yet familiar with Quartz, but it sounds like it is calling 
a target method on some object.  If I understand your problem correctly, then 
you are asking Quartz to invoke a target method that happens to be secured 
(MethodSecurityInterceptor?) by Acegi.  So, by the time you get inside your 
target method, Acegi has already tried to authenticate the user.  If this is 
all true, then why not have Quartz call some other object that then calls 
your target method?  For example:



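public class SomeOtherObject
{
  private ActualObject actualSecuredObject;
  private SecurityFacade securityFacade;
  // Credentials of the dedicated subsystem user; inject these from configuration.
  private String subsystemUserName;
  private String subsystemCredentials;

  // Quartz calls this unsecured method; it authenticates, delegates, then cleans up.
  public void targetMethod(Object... args) {
    securityFacade.authenticateUser(subsystemUserName, subsystemCredentials);
    try {
      actualSecuredObject.actualTargetMethod(args);
    } finally {
      // Clear the thread's Authentication even if the target method throws.
      securityFacade.unauthenticateUser();
    }
  }

  public void setActualSecuredObject(ActualObject ao) { this.actualSecuredObject = ao; }
  public ActualObject getActualSecuredObject() { return actualSecuredObject; }
  public void setSecurityFacade(SecurityFacade sf) { this.securityFacade = sf; }
  public SecurityFacade getSecurityFacade() { return securityFacade; }
  public void setSubsystemUserName(String name) { this.subsystemUserName = name; }
  public void setSubsystemCredentials(String credentials) { this.subsystemCredentials = credentials; }
}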



You could instantiate this in Spring:


<bean id="quartzObject" class="...SomeOtherObject">
  <property name="actualSecuredObject" ref="someSecuredObject"/>
  <property name="securityFacade" ref="securityFacade"/>
</bean>
---

Now, just pass a reference to quartzObject to Quartz instead of 
someSecuredObject.

This is, of course, a very concrete example, but it could easily be made 
generic by employing interfaces, JDK Proxy, or even Spring's AOP.

  - Andy
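
The generic variant mentioned at the end of this message, sketched with a JDK dynamic proxy; this is an added example, not code from the post or from Acegi. `SecurityFacade` here is a hypothetical two-method interface backed by a ThreadLocal stand-in rather than Acegi's ContextHolder, and the user name and credential are constructed values.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class RunAsProxyExample {

    /** Hypothetical facade with the two operations used in the thread. */
    interface SecurityFacade {
        void authenticateUser(String principal, String credentials);
        void unauthenticateUser();
    }

    /** Stand-in for a thread-bound security context (assumption: not Acegi's ContextHolder). */
    static final class ThreadLocalFacade implements SecurityFacade {
        static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

        @Override
        public void authenticateUser(String principal, String credentials) {
            // Constructed credential check; a real facade delegates to the AuthenticationManager.
            if (!"constructed-job-secret".equals(credentials)) {
                throw new SecurityException("bad credentials for " + principal);
            }
            CURRENT_USER.set(principal);
        }

        @Override
        public void unauthenticateUser() {
            CURRENT_USER.remove();
        }
    }

    interface CustomerReport {
        String generatePerformance();
    }

    /** Stand-in for the secured bean: refuses to run when the thread carries no authentication. */
    static final class SecuredCustomerReport implements CustomerReport {
        @Override
        public String generatePerformance() {
            String user = ThreadLocalFacade.CURRENT_USER.get();
            if (user == null) {
                throw new SecurityException("no authentication bound to this thread");
            }
            return "performance report generated as " + user;
        }
    }

    /** Authenticates before every interface call and always clears the context afterwards. */
    static final class RunAsHandler implements InvocationHandler {
        private final Object target;
        private final SecurityFacade facade;
        private final String user;
        private final String credentials;

        RunAsHandler(Object target, SecurityFacade facade, String user, String credentials) {
            this.target = target;
            this.facade = facade;
            this.user = user;
            this.credentials = credentials;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // toString/hashCode/equals go straight to the target without logging in.
            boolean businessCall = method.getDeclaringClass() != Object.class;
            if (businessCall) {
                facade.authenticateUser(user, credentials);
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                // Rethrow the target's own exception instead of the reflection wrapper.
                throw e.getCause();
            } finally {
                if (businessCall) {
                    // Scheduler worker threads are pooled: never leave a login behind for the next job.
                    facade.unauthenticateUser();
                }
            }
        }
    }

    /** Wraps any interface-typed bean so that each call runs as the given subsystem user. */
    static <T> T runAs(Class<T> iface, T target, SecurityFacade facade, String user, String credentials) {
        Object proxy = Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface},
                new RunAsHandler(target, facade, user, credentials));
        return iface.cast(proxy);
    }

    public static void main(String[] args) {
        CustomerReport secured = new SecuredCustomerReport();
        CustomerReport forScheduler = runAs(CustomerReport.class, secured,
                new ThreadLocalFacade(), "quartz-subsystem", "constructed-job-secret");

        System.out.println(forScheduler.generatePerformance());
        System.out.println("user left on thread after call: " + ThreadLocalFacade.CURRENT_USER.get());
        try {
            secured.generatePerformance(); // direct call, no wrapper
        } catch (SecurityException e) {
            System.out.println("direct call rejected: " + e.getMessage());
        }
    }
}
```

The scheduler is handed the proxy, while every other caller keeps using the secured bean directly and still has to authenticate on its own.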




Re: [Acegisecurity-developer] Quartz acegi problems

2005-09-16 Thread Andy Depue
OK, so my example might look like this for you (again, I'm going to use 
concrete code here).  First, define the class that will wrap the call to 
your actual target method:


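public class CustomerReportQuartzAuthenticator
{
  private CustomerReport customerReport;
  private SecurityFacade securityFacade;
  // Credentials of the background-task user; inject these from configuration.
  private String subsystemUserName;
  private String subsystemCredentials;

  public void authenticatedGeneratePerformance() {
    securityFacade.authenticateUser(subsystemUserName, subsystemCredentials);
    try {
      customerReport.generatePerformance();
    } finally {
      // Always clear the thread's Authentication, even if the report fails.
      securityFacade.unauthenticateUser();
    }
  }

  public CustomerReport getCustomerReport() {
    return customerReport;
  }
  public void setCustomerReport(CustomerReport cr) {
    customerReport = cr;
  }
  public SecurityFacade getSecurityFacade() {
    return securityFacade;
  }
  public void setSecurityFacade(SecurityFacade sf) {
    securityFacade = sf;
  }
  public void setSubsystemUserName(String name) {
    subsystemUserName = name;
  }
  public void setSubsystemCredentials(String credentials) {
    subsystemCredentials = credentials;
  }
}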


Declare it in your spring config (note, I'm not familiar with commons 
attributes, so I'm showing you what this would look like in XML):



<bean id="quartzAuthenticatedCustomerReport"
      class="...CustomerReportQuartzAuthenticator">
  <property name="customerReport" ref="customerReport"/>
  <property name="securityFacade" ref="securityFacade"/>
</bean>



Note that it references your customerReport bean, which I'm assuming you've 
already declared in your Spring config (along with securityFacade) - in other 
words, you shouldn't need to change your current configuration of 
customerReport at all.  In fact, you should now remove any authentication 
code you may have put into customerReport.  Now, change your 
MethodInvokingJobDetailFactoryBean to call 
quartzAuthenticatedCustomerReport instead.  Something like this:


<bean id="quartzCustomerReportJob"
      class="org.springframework.scheduling.quartz.MethodInvokingJobDetailFactoryBean">
  <property name="targetObject" ref="quartzAuthenticatedCustomerReport"/>
  <property name="targetMethod" value="authenticatedGeneratePerformance"/>
</bean>


  - Andy

On Friday 16 September 2005 02:17 pm, Achmad Arif Rachim wrote:
 Actually the architecture was like this:

 First I create a target class called CostumerReport which has a method named
 generatePerformance. So generatePerformance will be called as
 targetMethod by Acegi, because it's the method that will be invoked daily.
 Then I declare CostumerReport as the costumerReport bean in
 applicationContext.xml and I also inject SecurityFacade and other Service
 objects.

 Then costumerReport is wrapped inside MethodInvokingJobDetailFactoryBean by
 declaring the targetMethod that will be invoked (obviously it is
 costumerReport.generateSalesPerformance); basically this is the easiest way
 to declare a Quartz job detail bean.

 My last step is creating the Quartz trigger using a simple trigger bean, and
 setting the interval period.

 I'm using commons-attributes for easy configuration (rather than
 editing the XML). I believe this attributeSource (commons-attributes) causes
 inspection every time a method is called, for any kind of method which is
 registered in applicationContext.xml.

 That's why every time the Quartz MethodInvokingJobDetailFactoryBean is executed,
 the security concern will check if there's any Authentication in SecureContext.

 So the case was like this: CostumerReport automatically becomes a secured
 object because MethodInvocationInterceptor is using attributes from
 commons-attributes. Even if I don't declare

 @@net.sf.acegisecurity.SecurityConfig("ROLE_USER")

 Acegi still checks if there's any AuthenticationObject on every method
 invocation in every bean that's registered in applicationContext.xml




Re: [Acegisecurity-developer] missing voting facilities?

2005-08-05 Thread Andy Depue
We did something very similar, only chose a more verbose route.  We created a 
SuperiorVoter that can inspect a parameter, determine the owner of that 
parameter (object), and then only allow the owner or the owner's superior 
through.  We chose this syntax: OWNER_OR_SUPERIOR_OF(PARAM_IDX=#) - Here is 
an example:
  
com.marathon.workflow.Workflow.getWorkItemsForUser=OWNER_OR_SUPERIOR_OF(PARAM_IDX=0)

  - Andy

On Thursday 04 August 2005 05:56 am, [EMAIL PROTECTED] wrote:
 Hello,

   I would have liked to secure all methods in an object by implementing
 a voter that does: if the USERID parameter is present, and the principal
 does not have the superuser role, then USERID must be equal to the principal.

   However, because the Method class only reifies the parameter types and
 not their names, one is forced to go by argument position, and it would be
 really bad to do the check for every method on argument #n blindly.

   So, one needs to go for the more verbose way of specifying a method
 definition source with entries for each method in the target class.

   Now, ideally one could have some more complex configuration attributes
 than just a token string specifying some access, to allow for some
 comparisons to be specified just in XML without having to write custom voters.

   In my case, I could live with some more basic framework which does
 some basic parsing of the tokens with a determined pattern, much in the same
 style as the RoleVoter, for example, tokens that start with ARGUMENT_ and a
 number, e.g.: ARGUMENT_1_IS_PRINCIPAL.

   Then one could subclass such an abstract class and just implement the
 specific check that you want for the argument.



 Fernando Mato Mira
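
One way a config attribute of the form `OWNER_OR_SUPERIOR_OF(PARAM_IDX=#)` could be parsed and evaluated, as an added example (not the poster's SuperiorVoter and not Acegi code). It assumes the indexed argument is the owner's user id and uses a constructed reporting chain; the class, enum and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OwnerOrSuperiorCheck {

    /** Three-way outcome in the style of an access decision voter. */
    enum Vote { GRANTED, ABSTAIN, DENIED }

    private static final String PREFIX = "OWNER_OR_SUPERIOR_OF(";
    private static final Pattern ATTRIBUTE =
            Pattern.compile("OWNER_OR_SUPERIOR_OF\\(PARAM_IDX=(\\d{1,3})\\)");

    // Constructed reporting chain: user id -> direct superior's user id.
    private final Map<String, String> superiorOf = new HashMap<>();

    OwnerOrSuperiorCheck() {
        superiorOf.put("alice", "bob");
        superiorOf.put("bob", "carol");
        superiorOf.put("dave", "carol");
    }

    /** True if caller is the owner or appears anywhere above the owner in the chain. */
    boolean isOwnerOrSuperior(String caller, String owner) {
        Set<String> visited = new HashSet<>();
        // visited.add() returns false on a repeat, so a cyclic chain cannot loop forever.
        for (String user = owner; user != null && visited.add(user); user = superiorOf.get(user)) {
            if (user.equals(caller)) {
                return true;
            }
        }
        return false;
    }

    /** Evaluates one config attribute against the arguments of the intercepted call. */
    Vote vote(String caller, String configAttribute, Object[] methodArgs) {
        if (configAttribute == null || !configAttribute.startsWith(PREFIX)) {
            return Vote.ABSTAIN; // not this voter's attribute
        }
        Matcher m = ATTRIBUTE.matcher(configAttribute);
        if (!m.matches()) {
            return Vote.DENIED; // ours but malformed: fail closed instead of abstaining
        }
        int idx = Integer.parseInt(m.group(1));
        // Positional checks are fragile, so an index that does not fit the signature denies.
        if (caller == null || methodArgs == null || idx >= methodArgs.length
                || !(methodArgs[idx] instanceof String)) {
            return Vote.DENIED;
        }
        return isOwnerOrSuperior(caller, (String) methodArgs[idx]) ? Vote.GRANTED : Vote.DENIED;
    }

    public static void main(String[] args) {
        OwnerOrSuperiorCheck check = new OwnerOrSuperiorCheck();
        String attr = "OWNER_OR_SUPERIOR_OF(PARAM_IDX=0)";

        System.out.println("owner:             " + check.vote("alice", attr, new Object[] {"alice"}));
        System.out.println("indirect superior: " + check.vote("carol", attr, new Object[] {"alice"}));
        System.out.println("peer:              " + check.vote("dave", attr, new Object[] {"alice"}));
        System.out.println("subordinate:       " + check.vote("alice", attr, new Object[] {"bob"}));
        System.out.println("index out of range: "
                + check.vote("carol", "OWNER_OR_SUPERIOR_OF(PARAM_IDX=3)", new Object[] {"alice"}));
        System.out.println("malformed:         "
                + check.vote("carol", "OWNER_OR_SUPERIOR_OF(PARAM_IDX=x)", new Object[] {"alice"}));
        System.out.println("other attribute:   " + check.vote("carol", "ROLE_USER", new Object[] {"alice"}));
    }
}
```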




Re: [Acegisecurity-developer] How to use Acegi in this situation?

2005-06-20 Thread Andy Depue
As I originally mentioned, in one particular case we created a special user 
just for our background task (because it made sense in this particular 
context).  So, assuming you have already created a user in your system for 
the background task, I can share the code we use to log in as a user.  
Note that this code works with Acegi v. 0.8.2, and I'm not sure if it has 
changed for later versions.
First, you are going to need an AuthenticationManager, which is usually set up 
in your Spring configuration.  In our security facade, we keep a reference to 
the AuthenticationManager:

-

  ...

  private AuthenticationManager authenticationManager;

  ...

  public AuthenticationManager getAuthenticationManager()
  {
    return this.authenticationManager;
  }

  public void setAuthenticationManager(final AuthenticationManager authenticationManager)
  {
    this.authenticationManager = authenticationManager;
  }

-

We then use Spring to inject a reference of the AuthenticationManager into our 
security facade bean.

We then have an authenticateUser method that goes something like this:


-
  public void authenticateUser(final String principal,
                               final String credentials)
  {
    final UsernamePasswordAuthenticationToken request =
        new UsernamePasswordAuthenticationToken(principal, credentials);
    final Authentication result =
        getAuthenticationManager().authenticate(request);

    // Setup a secure ContextHolder (if required)
    if(ContextHolder.getContext() == null
        || !(ContextHolder.getContext() instanceof SecureContext)) {
      try {
        ContextHolder.setContext(new SecureContextImpl());
      } catch(Exception e) {
        throw new RuntimeException(e);
      }
    }

    // Commit the successful Authentication object to the secure
    // ContextHolder
    final SecureContext sc = (SecureContext) ContextHolder.getContext();
    sc.setAuthentication(result);
    ContextHolder.setContext(sc);
  }
-


We then have a matching unauthenticateUser() method:

-
  public void unauthenticateUser()
  {
    // Make the Authentication object null if a SecureContext exists
    if(ContextHolder.getContext() != null
        && ContextHolder.getContext() instanceof SecureContext) {
      SecureContext sc = (SecureContext) ContextHolder.getContext();
      sc.setAuthentication(null);
      ContextHolder.setContext(sc);
    }
  }
-


Note that we wrote this code way back when Acegi was still young, so it might 
be the case that Acegi now has utility methods somewhere that do this for 
you.  I haven't looked recently, so maybe someone can comment.
We also wrote some support interfaces to allow subsystems to authenticate 
themselves in a safer manner, but it is a lot of code.  So, for now, I will 
show you what it all basically boils down to.  In your background process, 
you would do something like this:

-
  securityFacade.authenticateUser(subsystemUserName, subsystemCredentials);
  try {
    // Background process code goes here
    ...
  } finally {
    securityFacade.unauthenticateUser();
  }
-

  - Andy

On Monday 20 June 2005 09:26 am, Marco Mistroni wrote:
 Hello,
   some time ago Mr Andy Depue replied to my message on how to use
 Acegi in a situation where the user does not log in (for example in
 the case in which a background process - cron like - periodically
 executes).
 In this situation, how will I create a ContextHolder to associate it
 with the call?
 How will I create a 'default user' (from Java code) so that I can
 safely call my code and be authorized by Acegi?

 Any help?

 Thanks in advance and regards
  marco




Re: [Acegisecurity-developer] How to use Acegi in this situation?

2005-06-10 Thread Andy Depue
I have a very similar situation in my own application where our workflow 
engine can invoke (Acegi protected) service methods from a background task.  
This also arises when you are using JMS - your message receiver will execute 
without any user context, and yet often you need to call into service methods 
to handle the JMS message.  I'm not sure if this is the best approach, but in 
the case of our workflow engine, we created a specific workflow user.  In the 
case of JMS messages we encrypt the user's credentials into each message.  In 
the message handler we authenticate against those credentials for the 
duration of the message handler (the user is automatically unauthenticated 
once the message handler exits).

  - Andy

On Friday 10 June 2005 01:31 am, Marco Mistroni wrote:
 Hello all,
  I have a webapp (Spring-based) that is used to insert some entries in
 a MySQL database via a PersistenceManager.
 I recently came across Acegi and I want to use it in my application,
 so the proper place in which to put permissions will be PersistenceManager.
 There is however a small problem with that.
 In my application, I am using the Quartz job scheduler, and some of the
 jobs scheduled use PersistenceManager in order to update my database
 (yes, I am lazy, I have my code update the database for me
 automatically).
 Now, here is the challenge: normally, a user logs in and inserts
 entries in the database via the web interface, and so Acegi can
 authenticate and authorize the user.
 But when Quartz launches the job that updates the database, the user does
 not need to log in since the job is fired automatically.
 And in this case, I must skip authorization altogether, since if a job has
 been scheduled, that means that the user that did it (via the web
 interface) had the rights to do that.
 The thing is that if I use the Acegi interceptor and apply it to
 PersistenceManager, that interceptor will be invoked also from the
 Quartz job, since ultimately the Quartz job calls PersistenceManager.
 In my view I have two possible solutions:
 1 - since I can grab the user that scheduled the job, I can try to
 'authenticate' and authorize it via Acegi, since in my Quartz job I can
 get hold of the Spring context
 2 - make it so that when the Quartz job invokes PersistenceManager, a
 special user is used so that the operation on PersistenceManager is
 allowed

 But I don't know the code to write for doing either 1 or 2.
 Can anyone help and give me suggestions?

 Thanks in advance and regards
   marco




[Acegisecurity-developer] Acegi not working with latest (cvs) version of Spring

2005-04-08 Thread Andy Depue
Just so you know, Acegi is not working with the latest cvs version of Spring.  
I'm not sure yet how many problems there are, but I'm currently running into 
the fact that Acegi expects org.springframework.util.PathMatcher to contain a 
static boolean match(String, String) but PathMatcher is now an interface.  
I'm currently trying to patch my version of Acegi to use an implementation of 
PathMatcher (AntPathMatcher).  This problem is happening in 
PathBasedFilterInvocationDefinitionMap.

  - Andy




Re: [Acegisecurity-developer] Acegi not working with latest (cvs) version of Spring

2005-04-08 Thread Andy Depue
Well, I will post the quick and dirty patch I made.  Everything compiles and 
tests seem to pass.  However, this patch will work only with the very latest 
version of Spring, and so breaks backward compatibility.  I'll leave it to 
the powers-that-be to determine how they want to approach this situation.  In 
the meantime, this patch should allow anyone on the bleeding edge of Spring 
to continue using Acegi...

  - Andy

On Friday 08 April 2005 04:22 pm, Andy Depue wrote:
 Just so you know, Acegi is not working with the latest cvs version of
 Spring. I'm not sure yet how many problems there are, but I'm currently
 running into the fact that Acegi expects
 org.springframework.util.PathMatcher to contain a static boolean
 match(String, String) but PathMatcher is now an interface. I'm currently
 trying to patch my version of Acegi to use an implementation of PathMatcher
 (AntPathMatcher).  This problem is happening in
 PathBasedFilterInvocationDefinitionMap.

   - Andy

Index: PathBasedFilterInvocationDefinitionMap.java
===
RCS file: /cvsroot/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/intercept/web/PathBasedFilterInvocationDefinitionMap.java,v
retrieving revision 1.3
diff -u -r1.3 PathBasedFilterInvocationDefinitionMap.java
--- PathBasedFilterInvocationDefinitionMap.java	28 Feb 2005 22:06:53 -	1.3
+++ PathBasedFilterInvocationDefinitionMap.java	8 Apr 2005 23:38:13 -
@@ -21,6 +21,7 @@
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.util.PathMatcher;
+import org.springframework.util.AntPathMatcher;
 
 import java.util.HashSet;
 import java.util.Iterator;
@@ -62,6 +63,7 @@
 
 private List requestMap = new Vector();
 private boolean convertUrlToLowercaseBeforeComparison = false;
+private PathMatcher pathMatcher = new AntPathMatcher();
 
 //~ Methods 
 
@@ -77,6 +79,16 @@
 return set.iterator();
 }
 
+public PathMatcher getPathMatcher()
+{
+  return this.pathMatcher;
+}
+  
+public void setPathMatcher(final PathMatcher pathMatcher)
+{
+  this.pathMatcher = pathMatcher;
+}
+
 public void setConvertUrlToLowercaseBeforeComparison(
 boolean convertUrlToLowercaseBeforeComparison) {
 this.convertUrlToLowercaseBeforeComparison = convertUrlToLowercaseBeforeComparison;
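Review bot: setPathMatcher() stores whatever it is given, so a null injected through configuration only surfaces later as a NullPointerException when the matcher is used for a request-map lookup; reject null in the setter (for example by throwing IllegalArgumentException) so a misconfigured security map fails at startup instead of at request time. The two new methods also carry no Javadoc and put the opening brace on its own line, while the neighbouring setConvertUrlToLowercaseBeforeComparison( keeps it on the signature line; matching that style and documenting that the default is AntPathMatcher would help.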
@@ -113,7 +125,7 @@
 while (iter.hasNext()) {
 EntryHolder entryHolder = (EntryHolder) iter.next();
 
-boolean matched = PathMatcher.match(entryHolder.getAntPath(), url);
+boolean matched = getPathMatcher().match(entryHolder.getAntPath(), url);
 
 if (logger.isDebugEnabled()) {
 logger.debug(Candidate is: ' + url + '; pattern is 
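Review bot: in the changed line the pattern still comes from entryHolder.getAntPath() but is now interpreted by whatever PathMatcher was injected, so a matcher with non-Ant semantics would silently change which URLs map to which security attributes. Either document on setPathMatcher() that the matcher must understand Ant-style patterns, or include the matcher's class in the debug message that follows so a mismatch shows up in the logs.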


Re: [Acegisecurity-developer] PostInvocation and Hibernate Sessions

2005-02-10 Thread Andy Depue
We utilized a Hibernate interceptor in our solution, though that is only a 
part of the solution (the interceptor didn't give us everything we needed).

  - Andy

On Wednesday 09 February 2005 09:40 pm, Ben Alex wrote:
 Gavin Terrill wrote:
 We recently adopted Acegi Security for one of our enterprise products
 security requirement, and we will be facing the same issues, so this
 thread is very useful and timely.
 
 Thought out of the blue: instead of mutating the domain objects, would
 it be possible to wrap them up in a dynamic 'secure' proxy? The proxy
 would essentially act in the role of a 'caretaker'
 (http://c2.com/cgi/wiki?CaretakerPattern), preventing access to the
 secured properties. I guess the downside would be that a dynamic proxy
 would require your domain objects implementing an interface, which may
 be cumbersome. Ok, what about utilizing CGLIB to extend the class then
 (MethodInterceptor)?

 I have previously played with CGLIBing domain object instances, but that
 caused some complications with Hibernate. In the end that's what
 motivated me to write the AspectJ integration, but I was disappointed by
 the poor incremental compilation reliability in the Eclipse IDE. That's
 going back probably six months, so it might have improved and using
 AspectJ is a realistic/viable option for a caretaker-style solution to
 method invocation.

 Alternatively, I am just wondering if a Hibernate Interceptor
 (http://www.hibernate.org/hib_docs/api/net/sf/hibernate/Interceptor.html)
 might be able to help in this case? It seems to offer the necessary
 hooks to introspect the object.

 Ben




Re: [Acegisecurity-developer] PostInvocation and Hibernate Sessions

2005-02-10 Thread Andy Depue
In our model, the lazy approach wouldn't have bought us too much since we have 
rich clients, meaning that all service invocations happen remotely.  One of 
our goals was to prevent sensitive information from even being transmitted to 
the client.  This means that we would have had to apply the lazy ACL before 
transmitting the objects to the client anyway.  We considered the caretaker 
approach at first, and I think it is a very good idea.  The downside is that 
it would require you to either define a different access strategy for your 
domain objects (instead of plain POJO get/set methods) or proxy/AOP your 
domain objects.  This is perfectly acceptable in many cases, and again, is a 
good solution.  In our case it would not have interacted well with other 
requirements.


  - Andy

On Thursday 10 February 2005 07:58 am, Tim Kettering wrote:
 I am quite relieved to find that I'm not the only person facing this issue.

 The discussion so far is quite invaluable and I hope we can continue this
 thread.  I have tried looking at Hibernate Interceptor, but I don't think
 it is the ideal solution because not all of my objects are obtained by
 Hibernate (most of them are, but not all).  So I need whatever solution
 that I ultimately go with to work outside of Hibernate.

 To me, it seems the following conditions are important if we are looking at
 scrubbing the object instance.

 1. ability to apply specific security to variable, or method level
 granularity.

 2. persistence strategy independent.

 3. ideally participate in the same transaction as the data load itself to
 guarantee a consistent version of the data.

 For the last option - however, if a caretaker pattern is applied, then
 caretaker implementation itself might choose to take a more lazy-load
 approach, not actually checking ACL permissions until the method is
 actually invoked.  Is that a feasible option?  This particular approach
 would happen outside the transaction though, so there could be a mismatch
 in the database object graph and the instanced object.

 -tim





 I have previously played with CGLIBing domain object instances, but that
 caused some complications with Hibernate. In the end that's what
 motivated me to write the AspectJ integration, but I was disappointed by
 the poor incremental compilation reliability in the Eclipse IDE. That's
 going back probably six months, so it might have improved and using
 AspectJ is a realistic/viable option for a caretaker-style solution to
 method invocation.

 Alternatively, I am just wondering if a Hibernate Interceptor
 (http://www.hibernate.org/hib_docs/api/net/sf/hibernate/Interceptor.html)
 might be able to help in this case? It seems to offer the necessary
 hooks to introspect the object.







Re: [Acegisecurity-developer] PostInvocation and Hibernate Sessions

2005-02-09 Thread Andy Depue
How would that solve this flow:
1. Get object from service call (the object has been modified by ACL 
security).
2. Change object.  Something like obj.setProperty(newValue) or 
obj.addSomething(something) or obj.getSomeSet().add(something)
3. Pass changed object to service method for processing (persisting).

At step #3 you want to persist the changes that were made by the client but 
not the changes made by ACL filtering.

  - Andy

On Wednesday 09 February 2005 03:39 pm, March, Andres wrote:
 Can't all the ACL filtering be done when initially loading the object
 from the Session/Cache/DB but before the object is part of a
 transaction?

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Andy Depue
  Sent: Wednesday, February 09, 2005 3:23 PM
  To: acegisecurity-developer@lists.sourceforge.net
  Subject: Re: [Acegisecurity-developer] PostInvocation and Hibernate
  Sessions

  We developed our current ACL type system before Acegi had its ACL system,
  and planned for this behavior from the beginning (we work with Hibernate
  as well).  Our system has these abilities:
  1. Property level ACLs.  If the user does not have read access for a
  property, then somehow blank it out so that sensitive data is not
  transmitted on the wire.  If the user does not have write access to a
  property and the client attempts to change a value on the property, then
  throw a security exception when they attempt to persist the object.
  2. Instance level ACLs.  If the user does not have read access to an
  instance, then filter that instance out:
    a. If the instance is the return value of a service method, throw access
    denied exception.
    b. If the instance appears in a collection, remove it from the
    collection.
    c. If the instance appears as the value of a property, secure the
    property (via the same process used in #1).

  Apply these semantics to all returned objects wherever they appear in an
  object graph, which, of course, implies recursion.  Now consider the
  typical usage pattern for our rich client application:
  1. Rich client makes remote invocation to server side service via service
  interface.  The interface is a proxy that calls the remote service via
  HttpInvoker.
  2. Enter server side:
    a. We first encounter the general security proxy that does basic role
    based security checks against the service method itself.
    b. Next, we encounter the transaction proxy which establishes a
    transaction context for the remainder of the method invocation.
    c. Invoke the actual service method.
    d. Service method returns object graph.
    e. Leave transaction proxy, meaning the transaction is committed (or
    rolled back in case of error/exception).
    f. If there was no error or exception, then we return back to the
    security proxy which now performs ACL security on the returned graph
    (note that this is outside of the transaction).  The object graph may be
    mutated during this securing phase.

  As you can imagine, this gets real complicated when using POJOs and
  Hibernate (and your Hibernate model doubles as your DTOs), which is
  exactly what we use.  If you retrieve an object graph from one service
  method, make modifications, and then persist those changes via another
  service method invocation you are dealing with two totally separate
  transactions and Hibernate Sessions.  The ACL mechanism performs actual
  modifications to the POJOs in order to secure them, but you do not want
  these modifications persisted back to the DB as they were temporary and
  specific to the purpose of securing transmission of data.  This is about
  when you start longing for the more dynamic nature of some other
  languages - it would be so much easier if I could set dynamic metadata
  against a property (a property property), or remove a property
  altogether.  Anyway, you somehow have to merge the allowable mutations
  made by the client with the original object state before persisting to
  Hibernate.  The version of Hibernate we use ( 3.0) does not make this any
  easier, though it is possible.  There are a lot of various interactions
  that can bite you if you aren't very careful with your implementation.  I
  don't have time now to elaborate on how we solved these various issues.
  For now, I'll say that we used a combination of AOP, Hibernate
  Interceptor, and special secured placeholders for objects.  The solution
  is not optimal at the moment.  Our version of Hibernate just does not
  provide any easy way to optimize things, so we end up reading each and
  every object from the DB before updating it.  This means at the time of
  update we have two copies of each object: the one passed in from the
  client (which is mutilated, so to speak, because of the ACL mods), and one
  we just reloaded from the DB via Hibernate.  We end up applying

Re: [Acegisecurity-developer] MSc Thesis on middle tier security

2004-12-30 Thread Andy Depue
The new model object filtering is a fascinating area in my mind.  One thing 
we've implemented (before Acegi had its own filtering) is the ability to 
filter down to the property level on an object.  In other words, you can 
secure a specific property and if someone doesn't have clearance then the 
property will be cleared.  This introduces all sorts of interesting problems 
in some scenarios.  For example, in our case the value objects passed back 
and forth between clients and server side services double as our Hibernate 
data object model.  In other words, we don't have separate value objects but 
instead use a single data object model for both data access and service 
invocation.  This gets quite tricky when you combine it with property level 
filtering.  Imagine a service method that returns a model object with several 
properties filtered out.  The user then makes some changes to the object and 
sends it back in another service call to be updated.  What the user sends 
back to the server is a partial object in that some of the properties are 
blank since they were secured from the client to begin with.  If you 
persisted the object as-is, then Hibernate would blindly write those cleared 
property values back to the DB - very bad.  Oh, and don't forget that some 
properties could be secured for a particular client so that they are 
read-only or even write-only.  And don't forget to throw a security exception 
if the client tries to pass a value in a non-writeable field.  And then 
there's recursive data structures to contend with... property values that are 
themselves collections of securable objects... and if you filtered a 
collection of securable objects from a property, and the client returns that 
object to the server to be updated, how do you determine if the client 
legitimately removed an object from the collection, or if the object was 
filtered due to security?  You wouldn't want to have hibernate persist the 
collection as-is, or it would remove from the DB objects that were only 
filtered for security reasons.  Fun stuff, eh?

  - Andy


On Thursday 30 December 2004 01:49 pm, Vladimir Horev wrote:
 Hello list!

 I'm planning to write a MSc thesis on the subject of business tier
 security. My idea was to take part of some open source project (acegi)
 and develop some component that I could use in my thesis. Could you
 recommend me something on that?

 regards, Vladimir
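
The update-side merge this message (and the 2005-02-09 message above it) describes, as an added example that is not part of the original posts and is not Acegi or Hibernate code. It assumes object state is held in plain maps, that a cleared (unreadable) property arrives as null, and that collection members are tracked by id; all class, method and field names are hypothetical.

```java
import java.util.*;

// Added illustration: every name is hypothetical, not Acegi or Hibernate API (needs Java 9+).
public class SecuredMerge {
    enum Op { READ, WRITE }

    /** Scalar properties: null in an unreadable property is taken to mean "cleared by the filter". */
    static Map<String, Object> mergeProperties(Map<String, Object> fromDb,
            Map<String, Object> fromClient, Map<String, EnumSet<Op>> acl) {
        Map<String, Object> merged = new HashMap<>(fromDb);
        for (String name : fromDb.keySet()) {
            EnumSet<Op> ops = acl.getOrDefault(name, EnumSet.noneOf(Op.class)); // deny by default
            Object sent = fromClient.get(name);
            if (!ops.contains(Op.READ) && sent == null) continue;   // never seen: keep DB value
            if (Objects.equals(sent, fromDb.get(name))) continue;   // unchanged
            if (!ops.contains(Op.WRITE))
                throw new SecurityException("write denied on property: " + name);
            merged.put(name, sent);                                  // permitted client change
        }
        return merged;
    }

    /** Child ids: hidden ids survive, visible ids missing from the client's copy are real removals. */
    static Set<Long> mergeCollection(Set<Long> dbIds, Set<Long> hiddenIds, Set<Long> clientIds) {
        for (Long id : clientIds)
            if (hiddenIds.contains(id))
                throw new SecurityException("client referenced an unreadable instance: " + id);
        Set<Long> merged = new TreeSet<>(clientIds);       // kept or added by the client
        for (Long id : dbIds)
            if (hiddenIds.contains(id)) merged.add(id);     // filtered for security, not removed
        return merged;
    }

    public static void main(String[] args) {
        // Constructed sample data: salary is unreadable, title is read-only.
        Map<String, Object> db = Map.of("name", "Ann", "title", "Engineer", "salary", 90000);
        Map<String, EnumSet<Op>> acl = Map.of("name", EnumSet.of(Op.READ, Op.WRITE),
                "title", EnumSet.of(Op.READ), "salary", EnumSet.noneOf(Op.class));
        Map<String, Object> client = new HashMap<>();
        client.put("name", "Ann B.");
        client.put("title", "Engineer");                    // salary absent: cleared on the way out
        System.out.println(mergeProperties(db, client, acl));
        System.out.println(mergeCollection(Set.of(1L, 2L, 3L), Set.of(3L), Set.of(1L)));
        client.put("title", "CEO");                         // change to a read-only property
        try { mergeProperties(db, client, acl); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The merge needs the set of ids that were hidden from this caller at read time, which is why the filter's decisions have to be recomputed or remembered when the object comes back.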




[Acegisecurity-developer] Custom login form

2004-09-16 Thread Andy Depue
I'm looking at the spring rich client security package 
(org.springframework.richclient.security).  I would like to customize the 
login form to include an additional field, but it looks like the form fields are 
hardcoded.  I guess at the moment I have to create my own LoginForm and 
LoginCommand.  Not that there is a lot of code in these two classes, but I 
hate duplicating any amount of code.  Even if I could just supply my own 
LoginForm to LoginCommand that would save a lot of duplication as I could 
then extend LoginForm.

  - Andy





[Acegisecurity-developer] Instance based security

2004-07-22 Thread Andy Depue
Has any thought been given to adding instance based security support to Acegi?  
This seems to be a common requirement.  Basically, what I mean by this is 
that you can apply security constraints (hopefully in a declarative fashion) 
to an object class with rules that are capable of discriminating on instance 
data.  As an example, say you have an Employee object with a salary property.  
Only some roles should be allowed to view the salary.  And only some roles 
should be able to view any information related to a CEO Employee.
As an implementation example, I have recently had to implement something 
similar to this, and I did so by applying aspects to my service instances.  
As DTOs enter and leave a service, my aspect would inspect the various object 
instances and apply the declarative security constraints.  In our case, it 
was even more involved, as we needed the ability to actually modify the DTO: 
if a property was off limits, then its value would be replaced with a 
secured value.  This way, when the DTO is transmitted to a client (via a web 
service), the sensitive information will not be sent across the wire.  Such 
security constraints also had the ability to enforce data operations: create, 
read, update, delete.  So, for example, I could say that a role can read the 
salary field, but not be allowed to change the salary field.  We also 
provided a mechanism whereby a client can ask for a security map of an 
instance (or a class, for more general cases), so that it can know what 
security constraints are in effect for a particular object.  This is useful 
to dynamically alter a UI based on what is allowed on an instance.

Thoughts, comments?

  - Andy
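
The outbound side of the Employee example in this message, as an added example that is not part of the original post and is not Acegi code. It shows declarative, deny-by-default rules that discriminate on instance data, the filtering of a DTO as it leaves a service, and the security map a client could request; the role names, the policy and every identifier are hypothetical.

```java
import java.util.*;
import java.util.function.BiPredicate;

// Added illustration: hypothetical names and a constructed policy, not Acegi API (needs Java 16+).
public class InstanceSecurity {
    enum Op { READ, UPDATE }
    record Employee(String name, String title, Integer salary) {}
    record Rule(String property, Op op, BiPredicate<Set<String>, Employee> allows) {}

    // Declarative constraints; "*" is the instance-level rule, anything without a rule is denied.
    static final List<Rule> RULES = List.of(
        new Rule("*", Op.READ, (roles, e) -> !"CEO".equals(e.title()) || roles.contains("BOARD")),
        new Rule("name", Op.READ, (roles, e) -> true),
        new Rule("title", Op.READ, (roles, e) -> true),
        new Rule("salary", Op.READ, (roles, e) -> roles.contains("HR") || roles.contains("PAYROLL")),
        new Rule("salary", Op.UPDATE, (roles, e) -> roles.contains("HR")));

    static boolean allowed(String property, Op op, Set<String> roles, Employee e) {
        return RULES.stream().anyMatch(r -> r.property().equals(property) && r.op() == op
                                            && r.allows().test(roles, e));
    }

    /** What a client may request to adapt its UI: permitted operations per property. */
    static Map<String, Set<Op>> securityMap(Set<String> roles, Employee e) {
        Map<String, Set<Op>> map = new TreeMap<>();
        for (String p : List.of("name", "title", "salary")) {
            Set<Op> ops = EnumSet.noneOf(Op.class);
            if (allowed("*", Op.READ, roles, e))
                for (Op op : Op.values()) if (allowed(p, op, roles, e)) ops.add(op);
            map.put(p, ops);
        }
        return map;
    }

    /** Run as the DTO leaves the service: refuse the instance or blank what the caller may not read. */
    static Employee secure(Set<String> roles, Employee e) {
        if (!allowed("*", Op.READ, roles, e)) throw new SecurityException("instance not readable");
        Map<String, Set<Op>> m = securityMap(roles, e);
        return new Employee(m.get("name").contains(Op.READ) ? e.name() : null,
                            m.get("title").contains(Op.READ) ? e.title() : null,
                            m.get("salary").contains(Op.READ) ? e.salary() : null);
    }

    public static void main(String[] args) {
        Employee ann = new Employee("Ann", "Engineer", 90000);   // constructed sample
        System.out.println(secure(Set.of("STAFF"), ann));
        System.out.println(securityMap(Set.of("HR"), ann));
        try { secure(Set.of("HR"), new Employee("Bo", "CEO", 1)); }
        catch (SecurityException ex) { System.out.println(ex.getMessage()); }
    }
}
```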

