Re: [Acegisecurity-developer] Final preparation for 1.0.0 final
this is not fixed: http://opensource.atlassian.com/projects/spring/browse/SEC-99

It isn't fixed for the reasons I provided in the comment, being:

I wish there was a simple way of resolving this issue, but whatever we do would inevitably break backward compatibility and represent a risk as we try to get 1.0.0 out. A more substantial refactoring of MethodDefinitionMap might be in order, particularly if it also allowed arguments to be declared.

Heh, I thought that looked familiar. I wish I'd had time to have a proper go at it, as I think it's definitely worth doing, but to do it properly will be a non-trivial amount of work. At least there are workarounds, annoying as they are.

Cheers
Tom

___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
RE: [Acegisecurity-developer] small patch for LDAP
Hi Brandon

Even with these changes, acegi's LDAP support still feels like a hack. I'm not real familiar with JNDI, so I'm going to spend some time learning that and hopefully I'll be able to contribute more in this area in the near future. But I definitely think this piece needs a little more attention.

In my project we're actually using a rather older version of the LdapPasswordAuthenticationDao, from before Robert 'reverted' his changes. It requires a few tweaks to compile against current CVS (probably even more since I last synced, actually), but I found it a far more featureful version than what's there now. E.g. it can find the groups for a user when the user's name is stored as an attribute of the group, not just when the group is stored as an attribute of the user.

The more featureful version is version 1.6, which you can see here: http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/sandbox/src/main/java/org/acegisecurity/providers/dao/ldap/LdapPasswordAuthenticationDao.java

If you're interested I can send my copy of version 1.6 that I hacked up here. It shouldn't require much tweakage to compile against CVS. I think package renames are all that's happened since I got it working.

Cheers
Tom
[Acegisecurity-developer] SecurityContext appears to be bound to thread after it's finished
Hi Ben and all

I've occasionally seen some odd behaviour with access to an anonymous client being allowed with one request and disallowed with the next, but today I managed to track down what's happening.

Running CVS HEAD from a couple of days ago, I can log in to our application as one user, make a number of requests, then log off and log in as a different one. If I manage to get the right thread from the thread pool (tomcat), it will still have a SecureContext bound to the thread for the first user, and the request will execute with that context. Eek.

This is all using basic authentication, with the acegi filters ordered thusly (in the filterChainProxy): basicProcessingFilter, anonymousProcessingFilter, securityEnforcementFilter.

Is this by design? I would have thought that somewhere in maybe the FilterChainProxy there'd be a finally clause that cleared the SecureContext from the thread.

Cheers
Tom
RE: [Acegisecurity-developer] SecurityContext appears to be bound to thread after it's finished
Hi Ben

HttpSessionContextIntegrationFilter has a finally clause that should clear the SecurityContextHolder. It should appear in your FilterChainProxy before BasicProcessingFilter.

Uh, I'm not using HttpSessionContextIntegrationFilter. Is it necessary to use it even if you're using basic authentication and never store anything in the http session? If so, the name is somewhat misleading.

Thanks
Tom
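
The behaviour discussed in this thread, as an added example that is not part of the original messages and not Acegi's own code: a context bound to a pooled thread survives into the next request unless the outermost wrapper clears it in a finally block. `CONTEXT`, `handle` and `handleWithCleanup` are hypothetical stand-ins for the thread-bound holder and the filter chain, and a single-thread executor stands in for the Tomcat thread pool.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextLeakDemo {
    // Hypothetical stand-in for a thread-bound security context holder.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    // Models a chain that authenticates only when credentials are present
    // and otherwise trusts whatever is already bound to the thread.
    static String handle(String credentials) {
        if (credentials != null) {
            CONTEXT.set(credentials);
        }
        String principal = CONTEXT.get();
        return principal == null ? "anonymous" : principal;
    }

    // Same handling, wrapped the way an outermost filter would wrap the
    // chain: the context is always cleared before the thread is returned
    // to the pool, even if the request throws.
    static String handleWithCleanup(String credentials) {
        try {
            return handle(credentials);
        } finally {
            CONTEXT.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so consecutive requests are guaranteed to share it.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            // No cleanup: the second request carries no credentials but
            // inherits the context left behind by the first.
            String first = pool.submit(() -> handle("alice")).get();
            String second = pool.submit(() -> handle(null)).get();
            System.out.println("no cleanup:   " + first + ", then " + second);

            // Cleanup in finally: the second request sees an empty context.
            first = pool.submit(() -> handleWithCleanup("alice")).get();
            second = pool.submit(() -> handleWithCleanup(null)).get();
            System.out.println("with cleanup: " + first + ", then " + second);
        } finally {
            pool.shutdown();
        }
    }
}
```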