Re: [Acegisecurity-developer] Final preparation for 1.0.0 final

2006-05-25 Thread Dunstan Tom
 
 this is not fixed: 
 http://opensource.atlassian.com/projects/spring/browse/SEC-99
It isn't fixed for the reasons I provided in the comment, being:

I wish there was a simple way of resolving this issue, but 
whatever we do would inevitably break backward compatibility 
and represent a risk as we try to get 1.0.0 out. A more 
substantial refactoring of MethodDefinitionMap might be in 
order, particularly if it also allowed arguments to be declared.

Heh, I thought that looked familiar. I wish I'd had time to have a
proper go at it, as I think it's definitely worth doing, but to do it
properly will be a non-trivial amount of work. At least there are
workarounds, annoying as they are.

Cheers

Tom



The information in this e-mail together with any attachments is
intended only for the person or entity to which it is addressed
and may contain confidential and/or privileged material.
Any form of review, disclosure, modification, distribution
and/or publication of this e-mail message is prohibited.  
If you have received this message in error, you are asked to
inform the sender as quickly as possible and delete this message
and any copies of this message from your computer and/or your
computer system network.  




___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


RE: [Acegisecurity-developer] small patch for LDAP

2005-12-07 Thread Dunstan Tom
Hi Brandon

Even with these changes, acegi's LDAP support still feels like a hack.
 I'm not real familiar with JNDI, so I'm going to spend some 
time learning that and hopefully I'll be able to contribute 
more in this area in the near future.  But I definitely think 
this piece needs a little more attention.

In my project we're actually using a rather older version of the
LdapPasswordAuthenticationDao, from before Robert 'reverted' his
changes. It requires a few tweaks to compile against current CVS
(probably even more since I last synced, actually), but I found it a far
more featureful version than what's there now. E.g. it can find the
groups for a user when the user's name is stored as an attribute of the
group, not just when the group is stored as an attribute of the user.

The more featureful version is version 1.6, which you can see here:
http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/sandbox/src/main/java/org/acegisecurity/providers/dao/ldap/LdapPasswordAuthenticationDao.java

If you're interested I can send my copy of version 1.6 that I hacked up
here. It shouldn't require much tweakage to compile against CVS. I think
package renames are all that's happened since I got it working.

Cheers

Tom






[Acegisecurity-developer] SecurityContext appears to be bound to thread after it's finished

2005-11-10 Thread Dunstan Tom



Hi Ben and all

I've occasionally seen some odd behaviour with access to an anonymous client being allowed with one request and disallowed with the next, but today I managed to track down what's happening.

Running CVS HEAD from a couple of days ago, I can log in to our application as one user, make a number of requests, then log off and log in as a different one. If I manage to get the right thread from the thread pool (tomcat), it will still have a SecureContext bound to the thread for the first user, and the request will execute with that context. Eek.

This is all using basic authentication, with the acegi filters ordered thusly (in the filterChainProxy): basicProcessingFilter, anonymousProcessingFilter, securityEnforcementFilter.

Is this by design? I would have thought that somewhere in maybe the FilterChainProxy there'd be a finally clause that cleared the SecureContext from the thread.

Cheers

Tom








RE: [Acegisecurity-developer] SecurityContext appears to be bound to thread after it's finished

2005-11-10 Thread Dunstan Tom
Hi Ben

HttpSessionContextIntegrationFilter has a finally clause that 
should clear the SecurityContextHolder. It should appear in 
your FilterChainProxy before BasicProcessingFilter.

Uh, I'm not using HttpSessionContextIntegrationFilter. Is it necessary
to use it even if you're using basic authentication and never store
anything in the http session? If so, the name is somewhat misleading.

Thanks

Tom
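
The behaviour discussed in this thread, as an added example that is not part of the original messages or of Acegi's code: a context bound to a pooled thread during one request is still visible to the next request served by that thread unless an outermost wrapper clears it in a finally block. `CONTEXT`, `handleLeaky` and `handleCleared` are hypothetical names standing in for the thread-bound security context and the filter chain; the single-thread executor stands in for the container's thread pool.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadBoundContextDemo {
    // Hypothetical stand-in for a thread-bound security context holder.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    // Models a filter chain that binds the authenticated user but never unbinds it.
    static String handleLeaky(String credentials) {
        if (credentials != null) {
            CONTEXT.set(credentials);   // authentication step binds the user
        }
        return describe();              // protected resource reads the context
    }

    // Same chain wrapped by an outermost step that clears the context in finally.
    static String handleCleared(String credentials) {
        try {
            if (credentials != null) {
                CONTEXT.set(credentials);
            }
            return describe();
        } finally {
            CONTEXT.remove();           // runs even if the chain throws
        }
    }

    // What the request believes its identity to be.
    static String describe() {
        String user = CONTEXT.get();
        return user == null ? "anonymous" : user;
    }

    public static void main(String[] args) throws Exception {
        // One worker thread guarantees each request reuses the previous request's thread.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            System.out.println("leaky, with credentials:    " + pool.submit(() -> handleLeaky("alice")).get());
            System.out.println("leaky, no credentials:      " + pool.submit(() -> handleLeaky(null)).get());
            System.out.println("cleared, with credentials:  " + pool.submit(() -> handleCleared("bob")).get());
            System.out.println("cleared, no credentials:    " + pool.submit(() -> handleCleared(null)).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

On the leaky path the request without credentials reports the previous user's identity; on the cleared path it reports anonymous.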



