Re: [Acegisecurity-developer] Acegisecurity-developer Digest, Vol 24, Issue 2
In theory an IP address can be faked or the attacker and victim might be behind the same NAT address, so it is not completely reliable. Spring Security's SessionFixationProtectionFilter invalidates the session and creates a new one when the it detects that an authentication has taken place: http://www.owasp.org/index.php/Session_Fixation_in_Java On 24 May 2008, at 21:36, Axel Mendoza Pupo wrote: > What is doing session-fixation-protection??? > I resolved session fixation problem saving the ip address of > authenticated users, and a filter that always check if ipaddress of > the > request Is the same that I was save when the user succefully > authenticate. > Is this method insecure?? > I do this because I still use Acegi 1.0.4 and I never heard about > acegi > session-fixation-protection > > -- SpringSource http://www.springsource.com Registered in England and Wales: No. 5187766 Registered Office: A2 Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ. - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] How to import acegi source to eclipse?
Please read the documentation on the maven eclipse plugin http://maven.apache.org/plugins/maven-eclipse-plugin/ which discusses its use with multi-module projects. On 25 May 2008, at 15:42, Oliver.Lee wrote: > hi,olivier > thank you for your kindly reply,as you said: > > "Eclipe cannot handle project containing another eclipse project.So > you should not import parent project." > > but i wonder how can each modules knows their parent in eclipse? > M2eclipse handle this or they just can know the parent by themselves? > > if there is no parent exist in eclipse. > > thank you again! > > > -- SpringSource http://www.springsource.com Registered in England and Wales: No. 5187766 Registered Office: A2 Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ. - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Form-based login does not work when disabling cookie?
Hi, That is definitely an issue. Thanks for reporting it. I've opened an issue here: http://jira.springframework.org/browse/SEC-834 Luke. 高田 賢 wrote: > Hi all, > > I've just started to learn spring security to migrate from acegi and > faced some url rewriting problem. > My sample tutorial won't let me log in when I disable cookie. > > I changed applicationContext-security.xml like this: > > > access="ROLE_SUPERVISOR"/> > access="IS_AUTHENTICATED_REMEMBERED" /> > > > > session-fixation-protection defaults to 'migrateSession'. > > I also changed some links in index.jsp in order to get jsessionid > appended. > > ">Secure > page > %>">Extremely secure page > > > What happend is that every time I succeeded in authentication, the app > redirected to the login page with a new > session id. > > If you change session-fixation-protection attribute value to 'none', > you can log in as normally. > > Below are the HTTP response headers. Look at 'Set-Cookie' and > 'Location'. The application tries to set a new id to > cookie, whereas the redirection url still holds an old one. > > > Is there a missing configuration point or should I raise a JIRA issue > as a bug? > > Satoshi > > > -- SpringSource http://www.springsource.com Registered in England and Wales: No. 5187766 Registered Office: A2 Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ. - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Several additions to Spring Security 2.0-RC1
Hi, I will take a look t them (probably next week). Did you forget the zip attachment to SEC-716 ? Thanks, Luke. On 14 Mar 2008, at 11:20, Ruud Senden wrote: > Hello, > > I've just updated/created three JIRA issues for Spring Security to > add some new features. Any chance that these will be included in > RC1? Code is included and is based on today's SVN, so it should > only be a matter of review and commit into SVN. > > The code includes a map-based Attributes2GrantedAuthoritiesMapper > (SEC-715), non-webspecific AuthenticationDetails, > AuthenticationDetailsSourceImpl and > PreAuthenticatedAuthoritiesAuthenticationDetails classes (SEC-716), > and an IBM WebSphere integration filter based on the pre- > authenticated authentication provider (SEC-477). > > Also, is there any planning on when Spring Security 2.0-RC1 will be > released? We're currently using the M2 release for our (pre- > release) application, but especially with the above mentioned > changes included it would make sense to start using RC1 as soon as > its available and if it fits our own deadlines. > > Kind regards, > Ruud Senden. -- SpringSource http://www.springsource.com Registered in England and Wales: No. 5187766 Registered Office: A2 Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ. - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Session Fixation and Default Behaviour
Hi, Thanks a lot for your feedback. That's great that you're thinking of using Acegi/Spring Security in your course. I believe the issue of session fixation attacks has been addressed (at least as far as logins through AbstractProcessingFilter go) by the introduction of the "invalidateSessionOnSuccessfulAuthentication" property (the issue was raised some time ago, and there is a related Jira issue, SEC-399). Admittedly, this was only included in 2.0-m1 code and the default value is "false" to avoid breaking existing code. We should consider making it default to "true" and perhaps backport it to the 1.0.7 release. It may also be a better idea to move the behaviour out of AbstractProcessingFilter in order to offer the same protection to all authentication methods. As you say, HttpSessionContextIntegrationFilter is an obvious place as it has full information on whether a session existed at the start of a request and whether a security context has been created during the request. Thanks again for your comments. We welcome any further suggestions you might have. All the best, Luke. Rohit Lists wrote: > Hello, > > First of all I wanted to thank you all for putting together this > wonderful framework. My name is Rohit Sethi and I work for a company > called Security Compass that specializes in application security. My > field of research is on Java EE web application security, and I'm > currently leading development of a class for the SANS institute that > focuses on how to create secure applications. > > I'm currently developing the "authentication" section of this course > and I am pushing for users to use Acegi over container-based auth, > JAAS, and proprietary protocols. There is one design decision, > however, that I'm having a tough time understanding the rationale > behind with respect to session management. Currently, the default > behavior (i.e. out of the tutorial) is for the session ID to be the > same before and after authentication. This was brought up earlier in > this mailing list in September 2006 under the thread "Changing the > session identifier after a successful login". The response at that > point was from Ben Alex saying "JSESSIONID is only ever sent over > HTTPS, thus avoiding the need to modify the session ID". > > Unfortunately, SSL alone does not protect against "session fixation > attacks". Mitja Kolšek has written an excellent paper outlining > dangers and attack vectors of session fixation[1]. Both Cross-site > Scripting (XSS) and Meta-tag injection are ways to fix another user's > cookie-based session ID regardless of whether or not it's transported > over SSL. Over 84% of websites are vulnerable to XSS [2][3] so this is > a very real threat. > > I ask you to consider having different session IDs before and after > authentication. Right now I am asking my students to use Acegi, and > then telling them to avoid session fixation attacks. While it is > possible to achieve the desired effect with some manual work, I think > everyone who uses Acegi should not have to worry about session > fixation - and I don't imagine it would be a very difficult change to > make (i.e. invalidate the existing JSESSIONID and retrieve a new one > transparently within the httpSessionContextIntegrationFilter). > > Regards, > > -Rohit > > [1] http://www.acros.si/papers/session_fixation.pdf > [2] http://www.webappsec.org/projects/statistics/ > [3] http://www.xssed.com/ > > - > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2008. > http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ > ___ > Home: http://acegisecurity.org > Acegisecurity-developer mailing list > Acegisecurity-developer@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > -- SpringSource http://www.springsource.com Registered in England and Wales: No. 5187766 Registered Office: A2 Yeoman Gate, Yeoman Way, Worthing, West Sussex. BN13 3QZ. - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] build failed
I think these should problems should be easy to fix. One seems to be because a test is checking the message from an exception (which is obviously a bad idea, given that we now support different languages). The other is to do with the equality of two different UserDetails objects - they aren't matching if the authorities are in a different order. I will try and fix things up tonight to prevent this happening. Luke. Candide Kemmler wrote: > Hi Ray, > > I have wiped everything in my working copy directory, then re-co'd > everything and run "mvn install", and still got the same errors. > > Attached is a patch containing the 3 tiny hacks I had to write for the > project to compile. Maybe you have more insight than me to understand what > was going wrong (except for the language issue). > > I'm still stuck with Eclipse. What IDE do you guys use, if any? Any hints > about IDE usage would be very welcomed (.project .classpath anyone?) > > On Jan 12, 2008 9:51 PM, Ray Krueger <[EMAIL PROTECTED]> wrote: > >> I had a bad file or two that was causing trouble. I blew those out and >> got fresh code from SVN and all is well. >> Candide be sure to run "mvn install" first and foremost. >> -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] build failed
Do you have the actual errors for the failing tests and can you post some more information on your environment? Everything seems to be OK here and I haven't noticed any of the automated builds complaining so I'm not sure what could be causing this. Candide Kemmler wrote: > Hi All, > > My name is Candide Kemmler (http://www.palacehotel.org) and I'm very > interested in using OpenID for authenticating users. The code is still in > the sandbox and hence I need to build the code to test it. I told Ray > Krueger about the following error, and he told me to share it with you. > > Thanks for your help > > > I just co'd the code and tried to build it using maven. Got the following > error... It's about ehcache configuration which causes tests to fail. > > Can you please help me to fix these? > > > Failed tests: > testLookupFailsIfUserHasNoGrantedAuthorities(org.s > pringframework.security.user > details.jdbc.JdbcDaoImplTests) > createUserInsertsCorrectData(org.springframework.s > ecurity.userdetails.jdbc.Jdb > cUserDetailsManagerTests) > updateUserChangesDataCorrectlyAndClearsCache(org.s > pringframework.security.user > details.jdbc.JdbcUserDetailsManagerTests) > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] build failed
Hi, The ehcache errors shouldn't be a problem be ignored. They are due to multiple VM shutdown hooks which cause things to mess up when the VM exits. We need to make sure all the tests close application contexts properly to stop these messages but they won't cause the tests to fail. cheers, Luke. Candide Kemmler wrote: > Hi All, > > My name is Candide Kemmler (http://www.palacehotel.org) and I'm very > interested in using OpenID for authenticating users. The code is still in > the sandbox and hence I need to build the code to test it. I told Ray > Krueger about the following error, and he told me to share it with you. > > Thanks for your help > > > I just co'd the code and tried to build it using maven. Got the following > error... It's about ehcache configuration which causes tests to fail. > > Can you please help me to fix these? > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Check out the new SourceForge.net Marketplace. It's the best place to buy or sell services for just about anything Open Source. http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Acegi Security 1.0.6 and Spring Security 2.0-M1 Released
Hi all, These releases are now available from sourceforge and springframework.org respectively: Acegi Security 1.0.6 Release 1.0.6 is now available from Sourceforge: http://sourceforge.net/project/showfiles.php?group_id=104215 This is a minor bugfix and maintenance release - the changelog can be viewed here: http://jira.springframework.org/secure/ReleaseNote.jspa?version=10671&styleName=Text&projectId=10040 The jar files should also be available from the central maven repository. Spring Security 2.0-M1 -- This is the first milestone release of Spring Security 2.0. You can download it from: http://static.springframework.org/downloads/nightly/milestone-download.php?project=SEC The changelog can be found here: http://jira.springframework.org/secure/ReleaseNote.jspa?projectId=10040&styleName=Html&version=10451 For maven users, the jars are available from the Spring milestone repository. For details on how to add this to your project, read Ben Hale's article here: http://blog.interface21.com/main/2007/09/18/maven-artifacts-2/ Please note that this is very much a preview release and is primarily intended to get feedback and ideas from our users. It isn't suitable for beginners. Many parts of the reference manual will still be relevant but it has not yet been updated to include changes which have occurred for the version 2.0 track, so documentation is limited to the contacts and tutorial sample apps, javadoc, the issue tracker link above and, of course, the code. Feel free to post any questions or issues for discussion here. Feedback is particularly welcome on the new namespace-based configuration syntax which will greatly simplify configuration for simple use cases and for new users. We would like this to be as flexible as possible while keeping it simple and the experiences of end users applying it in different contexts is invaluable in achieving the best balance. Both the tutorial and contacts sample applications have been altered to use namespace configuration where possible. cheers, Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Trunk tests take 30 minutes and then fail.
Great. Thanks for working this out, Ray. I've added support for setting the port via the namespace, but we'll still need a default port value, so I've switched it to 33389. The tests now use 53389 (by setting the port attribute) which is in the dynamic port range (http://www.iana.org/assignments/port-numbers). Ray Krueger wrote: > I found the problem! > > In the LdapBeanDefinitionParser I see this... > > //TODO: Allow port configuration > configuration.setLdapPort(3389); > > The TODO says it all :), the problem is that 3389 is the port that > Windows runs the Remote Desktop service on. I figured this out because > I saw "port already in use" errors in the tests. > > As a test I changed the 3389 (and the ldap urls in the tests and such) > to 3399 and everything passes in 2 minutes. We should definitely make > this a configurable property somehow. > > Can I change this port for now? > > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] how to get online users list from acegi ???? (Ray Krueger)
Please use the support forums for user questions http://forum.springframework.org/showthread.php?t=45907 Mohammad Shamsi wrote: > Thanks Axel, this is exactly what i looking for. > > sorry for bothering you, but another question : > > SessionRegistry is an interface, in it have an implementation > SessionRegistryImpl, this calss is an ApplicationListener, > > I don't know how to access to the instantiated object of this class > from my code. > this object was instantiated during application startup. > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Trunk tests take 30 minutes and then fail.
What tests are failing? And what platform are you running on, JVM, Maven version etc? The stuff about ehcache is something to do with the shutdown hooks in all the application contexts being executed when the VM exits so that's not the problem, though we should be aiming to make sure that existing tests call close() on any created app contexts to avoid this. Both my automated build and the ones on build.springframework.org seem to be running without any problems and I just built on my desktop machine (1min 29s for a "mvn clean test"): Maven version: 2.0.7 Java version: 1.5.0_07 OS name: "mac os x" version: "10.4.10" arch: "i386" Ray Krueger wrote: > I just pulled the latest code from Trunk this morning. I ran the unit > tests in ./core and had the following result... > > 2007-11-03 21:11:26,437 INFO net.sf.ehcache.CacheManager - VM shutting > down with the CacheManager st > ill active. Calling shutdown. > Exception in thread "Thread-77" java.lang.IllegalStateException: The > aclCache Cache is not alive. > at net.sf.ehcache.Cache.checkStatus(Cache.java:1201) > at net.sf.ehcache.Cache.dispose(Cache.java:1081) > at net.sf.ehcache.CacheManager.shutdown(CacheManager.java:702) > at net.sf.ehcache.CacheManager$1.run(CacheManager.java:505) > [INFO] > > [ERROR] BUILD FAILURE > [INFO] > > [INFO] There are test failures. > [INFO] > > [INFO] For more information, run Maven with the -e switch > [INFO] > > [INFO] Total time: 30 minutes 11 seconds > [INFO] Finished at: Sat Nov 03 21:11:26 CDT 2007 > [INFO] Final Memory: 15M/27M > [INFO] > -------- > > > Not cool, I'm not sure what's going on, but it appeared to be spending > all it's time in ldap tests. > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] SEC-516 Issue
It was probably assigned because we saw the mention of Cas in there somewhere. Feel free to mark it as unassigned :). Scott Battaglia wrote: > Luke, > > You've assigned JIRA issue SEC-516 to me (maybe believing that it was > specifically CAS-related). Its not CAS related so its not clear to me > whether I should be handling it or not. > > -Scott > > - > This SF.net email is sponsored by: Microsoft > Defy all challenges. Microsoft(R) Visual Studio 2005. > http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ > ___ > Home: http://acegisecurity.org > Acegisecurity-developer mailing list > Acegisecurity-developer@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] .classpath file in Subversion
I've been using Intellij 7's maven support to generate the project files then switching back to Intellij 6 to actually use them (still too many bugs in 7). Don't mind what happens with the eclipse files as I'm barely aware they exist :). On the commons logging front, we should probably stick with whatever the main Spring dependency is. I doubt if it matters that much though. Personally I'd scrap it and switch to slf4j to reduce the number of sections in my pom files :). Does anyone know if you can set global exclusions with maven 2? Scott Battaglia wrote: > Ray Krueger wrote: >> Ooh, here's an idea! >> Have Maven generate a new .classpath file and check that in. >> > The plugin nicely doesn't generate one for the parent POM. Otherwise we > wouldn't still be having this discussion ;-) > The way to handle the flat structure is extremely kludgy: > http://maven.apache.org/plugins/maven-eclipse-plugin/reactor.html (its > on the bottom). > > The easiest thing for me to do now is just update the .classpath file > locally and not check it in. I'll let the more core team figure out the > whole Eclipse project issue and then just update to whatever you guys > decide ;-) > > On a completely different side note, in updating the .classpath file, > we're depending on commons-logging 1.0.4. Should we upgrade to 1.1? > > -Scott -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] [ANN] Acegi Security 1.0.5 Released
Thanks Ray. I thought SF would send a release announcement (they have a box for it), but obviously not :). -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse012070mrt/direct/01/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Ldap Person example using OpenLDAP
Please use the Acegi forum on the Spring web site. You will find discussions on using LDAP there if you search the forum. PLK Albert wrote: > I am trying to use acegisecurity with OpenLDAP authenication. I feel trouble > on configure of applicationContext-acegi-security.xml and setup_data.ldif. > Do you have any sample source? > > Albert > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Our build is a mess...
Ben Alex wrote: > Hi all > > Carlos and Luke, what's the latest status of the Maven 2 build? Does the > reference documentation build successfully with Maven 2 as-is? I see > acegisecurity.org hasn't built and uploaded since 18 December 2006. > Luke, is that running the Maven 2 build? > No. The Maven 2 build is here: http://monkeymachine.co.uk/acegisecurity/ Maven 2 has different a different approach to documentation and so on - it doesn't like html files for one thing, so the existing site docs would have to be converted. I already started doing this a while back. > We're shooting at releasing 1.0.4 in the next couple of weeks. Vishal > Puri is busily working away on it. In terms of introductions, Vishal > works for Interface21 (the company behind Spring) as a Senior Consultant > and is based here in Sydney with me. So you'll see more of Vishal on > this list, in JIRA and SVN. We're aiming at releasing 1.1.0 final in June. > > For 1.0.4 we will stick with the Maven 1.0.x build. For 1.1.0 we will > refactor the Contacts XML and build (as this is desirable anyway due to > the new namespaces support which will be present in 1.1.0) and switch > entirely to Maven 2. > > I'd be happy to switch to Maven 2 immediately (ie for 1.0.4) if it is > ready, thus the question above for Luke and Carlos. > I think you should stick to things as they are for 1.0.4. Support for docbook seems pretty flaky too, for example. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Problem with md5 passwords
Please use the forum at http://forum.springframework.org/forumdisplay.php?f=33 for user questions. You should also supply debug log output. ranieri.oliveira wrote: > Hello, > > I'm a user of Pentaho, a BI Solution Open Source. It use Acegi to do > authentication, and I'm having problems > with authentication with passwords encoded with MD5. > My problem is that when I try to log in with a user that is password encoded > with md5, it returns "Bad > Credentials", but when I try to log in with a user that is password as clear > text I can log in. I modified my > file application-acegi-security-ldap.xml to use encode md5, but doesn't work. > > My acegi file is attached. > > I appreciate any help. > > Thanks > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Our build is a mess...
Luke Taylor wrote: > I suggested a while back that we refactor the sample app into a simple s/simple/single > webapp which uses the standard authentication filter and leave the other > context files commented out in web.xml so that it's possible to switch > to another version and build it just by changing file. I think we agreed > that was a good idea. That would make the code layout easier to follow > and the build simpler. I got part of the way through doing this but > didn't have time to test all the different versions of the app. > > I dunno what's wrong with the later maven versions. > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Our build is a mess...
I suggested a while back that we refactor the sample app into a simple webapp which uses the standard authentication filter and leave the other context files commented out in web.xml so that it's possible to switch to another version and build it just by changing file. I think we agreed that was a good idea. That would make the code layout easier to follow and the build simpler. I got part of the way through doing this but didn't have time to test all the different versions of the app. I dunno what's wrong with the later maven versions. Ray Krueger wrote: > * Maven 2.0.5 and 2.0.6 both cause the > AuthorizeTagExpressionLanguageTests to fail, whereas 2.0.4 builds it > fine. > > * The contacts sample cannot be built with maven2 from the > instructions on our website, the multiwar plugin doesn't exist. > > * Using 'mvn war' in samples/contacts produces an invalid application. > It doesn't copy in the common and filter directories. > > * We have maven1 instructions up for everything, yet we only seem to > support maven2. We need to update our instructions. I'd gladly do it > if someone can tell me how to build the sample apps with maven2. > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Jalopy?
Last time I looked, I couldn't work out how to configure it. But if you can stop it messing with comments and so on that would be very useful. Ray Krueger wrote: > It might be worthwhile to consider pruning Jalopy down to where it > only fixes those nagging things that Checkstyle finds (spaces around > brackets and such). > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Jalopy?
Ray Krueger wrote: > Yeah, I totally agree. > Applying Jalopy on the new code works well because it adds all the > file header stuff. After that though, checkstyle is much more > effective. Unfortunately we haven't been adhering to the Checkstyle > requirements from the start. That will take some effort to bring the > errors down as you've said. > Hey, I spent ages bringing the errors down a while back :). There are only 34 at the moment in "core" and 12 are due to spaces around brackets. If we can get someone to nail the file down to what we want the code to look like (e.g. our benevolent dictator, Ben?), then we can run from there. At the moment it's just an approximation based on my best guesses. cheers, Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Jalopy?
Hi Ray, I'm against using Jalopy - it's messed up far too much stuff in the past and really chews up comments and makes it hard to follow the commit log properly. I think we should use something like checkstyle to monitor the adherence to code standards and just change stuff that doesn't fit manually. Checkstyle can also be integrated quite easily with IntelliJ and seems to work pretty well. It's very configurable. I put a file into the project a while back, so we just need to make sure it contains the right constraints (which I'm a bit hazy on :) ). The maven report also flags stuff up that doesn't match http://monkeymachine.co.uk/acegisecurity/acegi-security/checkstyle.html It's a gentler approach than Jalopy. If there's concern that nobody will bother then (once we get the list of errors down to zero) I can get the build to mail out a warning when someone commits code that breaks the standards. cheers, Luke. Ray Krueger wrote: > I'm putting the finishing touches on Robin's OpenID contribution. I've > run Jalopy of the code using some busted old IntelliJ plugin a few > times. It complains about all sorts of stuff at this point, and I was > wondering... > > Is Jalopy dead? It sure looks like it at: http://jalopy.sourceforge.net > > Are there other options out there? > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Unresolved dependency problems
Ray Krueger wrote: > This test only fails in Maven 2.0.5 > Executing "mvn clean test" with Maven 2.0.4 passes fine. This test > also passes fine when run directly in the IDE (IntelliJ for me). > > Maven really does not handle test failures well. There is no clue as > to what test failed, you only get "[INFO] There are test failures." > There should be some clue as to what test failed. Can the html report > be generated directly to get a summary? Can I run the > maven-surefire-report-plugin direclty? > Ray, Here's the line from the automated build script (on linux) I use to find test failures: TESTFAILURES=`find -wholename ./*/surefire-reports/*.txt | xargs grep --context=6 -h FAILURE` Brad, Why do you need to build Acegi so desperately? It seems you are ending up getting sidetracked into dealing with maven issues rather than learning to use the framework. Why not just use the distribution or one of the nightly builds and work through the tutorial example? Luke -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Multiple applications and different roles
Sounds more like a storage issue, assuming you are configuring the different applications separately. If the roles are stored in a database, add an extra column for the application or if you're using Ldap, store them under a different context. Then modify the SQL or Ldap search criteria for each application accordingly. This would be more suitably discussed in the user forum, rather than the dev list. Stephane Bailliez wrote: > Hi all, > > I'm trying to see whether there is an easy way to implement roles > (authorities) for several applications. Each application having its own > set of authorities (ie: john being registered as ROLE_SUPERVISOR only > for application A, does not apply to application B and C for example). > > Seems there is no support for this out of the box and the model is > rather flat. > > A potential workaround I was thinking to avoid too much initial code > would be to have a convention such such as: ROLE_A_SUPERVISOR, > ROLE_B_SUPERVISOR respectively for application A and B which will be an > acceptable workaround for half a dozen applications in the short term > even though not extremely elegant. > > Does any one have solve this type of issue differently or any opinion on > the above ? > > Thanks, > > -- stephane > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Switching completely to Maven 2
The web site files that are plain html need to be converted. The site files are stored in PROJECT_DIR/src/site I'm running an automated maven 2 build at the moment which is building the site here http://monkeymachine.co.uk/acegisecurity/ until we get it into shape. Scott McCrory wrote: > Carlos Sanchez wrote: >> Hi, >> >> I'd like to remove the Maven 1 build completely because now we are >> half way. Samples for instance don't build with maven 2. >> >> AFAIK there's still some things that need work in Maven 2, like the >> docbook generation, please raise any concerns, and things that still >> don't work under Maven 2 so I can look into it. >> > Is there corresponding documentation that should change (both within the > project and any posted on the web site)? > Scott > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Switching completely to Maven 2
I suggested to Ben that we refactor the contacts sample to make it a single app, rather than having so many different versions. We could default to having a standard form login app and leave additional context files commented out in the web.xml file. That way people could add them and rebuild if they wanted. At the moment I think it's hard to understand how it fits together anyway because there are so many different parts to it. Carlos Sanchez wrote: > Hi, > > I'd like to remove the Maven 1 build completely because now we are > half way. Samples for instance don't build with maven 2. > > AFAIK there's still some things that need work in Maven 2, like the > docbook generation, please raise any concerns, and things that still > don't work under Maven 2 so I can look into it. > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Jalopy formatting
Hi all,
I have a couple of suggestions for our Jalopy policy. Generally, I'm not
too fussed about the details of code formatting standards but there are
a couple of things about our current Jalopy formatting that I find annoying.
The main one is comments. I usually read comments directly in the source
code rather than as Javadoc, but Jalopy seems happy to throw away any
extra spacing and layout in comments in the assumption that they'll end
up as HTML anyway, making them a lot harder to read in the source. It
also seems happy to trash the contents of tags as illustrated in
the following before and after versions:
http://acegisecurity.svn.sourceforge.net/viewvc/acegisecurity/trunk/acegisecurity/core/src/test/java/org/acegisecurity/providers/x509/X509TestUtils.java?revision=679&view=markup
http://acegisecurity.svn.sourceforge.net/viewvc/acegisecurity/trunk/acegisecurity/core/src/test/java/org/acegisecurity/providers/x509/X509TestUtils.java?view=markup
I'd like to suggest that we disable formatting of comments, or rein it
in a bit.
The other (more minor) thing is that the indentation of the "throws"
clause which I often find makes it hard to immediately pick out the
start of a method body.
public static X509AuthenticationToken createToken()
throws Exception {
return new X509AuthenticationToken(buildTestCertificate());
}
(Ok, not that hard :). I think this would be clearer if it used a
different indentation or a blank line at the start of the method.
What do you guys think (especially on the comment formatting bit) ?
Luke.
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] ACL sanfbox status
"branches/ldap_refactor_08_2006/" is for ldap stuff I was messing about with earlier this year and plan to revisit for 1.1. Why did you want to build this rather than the trunk? Stone, Robert W wrote: > > > Hi, > > I'm lookng into implementing ACL-based security into Liferay-based > portlet. I'm just wondering if code in sandbox mature enough or I better > of using stable packages and wait for release. When I build code from > branches/ldap_refactor_08_2006/ (Windows XP, Java(TM) 2 Runtime > Environment, Standard Edition (build 1.5.0_07-b03) I can compile > springbox project fine, but all but 1 test are failing. > > Thanks, -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Acegi combined with jetty and cocoon: classloader error: root cause ??
The class name is wrong: "acegisecuirty". Please post user questions in the forum: http://forum.springframework.org/forumdisplay.php?f=33 bart remmerie wrote: > Dear all, > > I'm using Cocoon, Hibernate & Spring together with Acegi-security and I > have a problem for which I cannot find the root-cause: > > When starting up jetty, I get the following error message & I cannot > figure out whether it is related to jetty, cocoon, spring or acegi. > Anyone with similar experience / expert knowledge ? > > Previously (other versions), everything worked fine. > > My configuration > cocoon 2.1.9 > hibernate 3.2 > spring-framework 2.0 > acegi-security 1.0.3 > > the output > > Listening for transport dt_socket at address: 8000 > Loading > Processing repository: F:\tools\cocoon-2.1.9\tools\jetty\lib > Adding jar: F:\tools\cocoon- 2.1.9\tools\jetty\lib\acegi > -security-jetty-1.0.3.jar > > Adding jar: F:\tools\cocoon-2.1.9\tools\jetty\lib\jetty-4.2.23.jar > Adding jar: F:\tools\cocoon-2.1.9\tools\jetty\lib\servlet-2.3.jar > Processing repository: F:\tools\cocoon- 2.1.9\lib\endorsed > Adding jar: F:\tools\cocoon-2.1.9\lib\endorsed\jakarta-bcel-20040329.jar > Adding jar: F:\tools\cocoon-2.1.9\lib\endorsed\jakarta-regexp-1.4.jar > Adding jar: F:\tools\cocoon-2.1.9\lib\endorsed\xalan-2.7.0.jar > Adding jar: F:\tools\cocoon-2.1.9\lib\endorsed\xercesImpl-2.8.0.jar > Adding jar: F:\tools\cocoon-2.1.9\lib\endorsed\xml-apis-1.3.03.jar > Executing - > Main Class: org.mortbay.jetty.Server > 11:08:31.103 EVENT Checking Resource aliases > 11:08:31.588 EVENT Starting Jetty/4.2.23 > 11:08:33.525 EVENT Started > WebApplicationContext[/,F:\projects\hrplan\tools\coc > oon\webapp] > 11:08:33.572 EVENT Loading Spring root WebApplicationContext > 11:08:40.228 WARN!! Delete existing temp dir > C:\DOCUME~1\bremmer\LOCALS~1\Temp\J > etty____ for > WebApplicationContext[/,F:\projects\hrplan\tools\cocoon\webapp] > > 11:08:42.838 EVENT Started SocketListener on 0.0.0.0: > <http://0.0.0.0:/> > 11:08:42.838 WARN!! > org.mortbay.util.MultiException[javax.servlet.ServletException: Class of > type or > g.acegisecuirty.intercept.web.FilterSecurityInterceptor not found in > classloader > ] > at org.mortbay.http.HttpServer.start(HttpServer.java:640) > at org.mortbay.jetty.Server.main(Server.java:429) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl. > java:39) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces > sorImpl.java:25) > at java.lang.reflect.Method.invoke (Method.java:585) > at Loader.invokeMain(Unknown Source) > at Loader.run(Unknown Source) > at Loader.main(Unknown Source) > [0]=javax.servlet.ServletException: Class of type > org.acegisecuirty.intercept.we > b.FilterSecurityInterceptor not found in classloader > at > org.acegisecurity.util.FilterToBeanProxy.doInit(FilterToBeanProxy.jav > a:139) > at > org.acegisecurity.util.FilterToBeanProxy.init(FilterToBeanProxy.java : > 189) > at > org.mortbay.jetty.servlet.FilterHolder.start(FilterHolder.java:162) > at > org.mortbay.jetty.servlet.WebApplicationHandler.initializeServlets(We > bApplicationHandler.java:145) > at > org.mortbay.jetty.servlet.WebApplicationContext.start(WebApplicationC > ontext.java:458) > at org.mortbay.http.HttpServer.start(HttpServer.java:663) > at org.mortbay.jetty.Server.main(Server.java:429) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl. > java:39) > at sun.reflect.DelegatingMethodAccessorImpl.invoke > (DelegatingMethodAcces > sorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:585) > at Loader.invokeMain(Unknown Source) > at Loader.run(Unknown Source) > at Loader.main (Unknown Source) > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Maven 2 Build, Site etc.
What's the docbook plugin support like in Maven 2, Carlos? I can probably set something up to generate the docs separately if it's not available yet. Carlos Sanchez wrote: > +1 to m2 > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Maven 2 Build, Site etc.
Hi all, I've set up a new automated build using maven 2 which is temporarily generating a site at http://monkeymachine.eu/acegisecurity/ until I have time to get it licked into shape properly (n.b. I'm not looking for any feedback on issues with site generation). I think the maven 2 build is likely to be a better bet for users who want to build acegi themselves and we should ditch the Maven 1 build files asap, leaving the 1.0.2 site in place for reference. What do you think? Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] How to prevent brute force attack
You should still be required to authenticate first to change your password (or at the same time as the change request is submitted), so you should be able to lock the account after 3 failures here too. How is the data stored for password expiry times etc? [EMAIL PROTECTED] wrote: > Hi Gurus! > > How can I prevent a brute force attack on my password change jsp page? > > Background: > I've successfully secured a jsp/perl web application. > Thanks to all acegi developers for this fine piece of software! > > The login jsp page is protected against brute force by leveraging the > application event publishing features so the account is locked for 30 > minutes after three failed logins. > BTW I can't find any documentation for application event publishing in > the 1.0.0 manual. > > My question is how I can do something similar to prevent the password > change page? > > The password change page is open to role anonymous because when a new > user is entered in the system; password expired is set to a past date to > force the user to change the password the first time. > > Are there any best practices to handle changes of passwords? > > Regards > Gunnar > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Releasing 1.0.2 - final 3 issues
SEC-346 is just definitely not urgent - I think it was originally raised because of a misunderstanding - so I've assigned it to 1.1. Ben Alex wrote: > Hi everyone > > 23 issues are now resolved, with 3 more still outstanding. > > The outstanding issues are SEC-304, SEC-348 and SEC-346, assigned to > Marc Antoine, Scott and Luke respectively. > > Would Marc Antoine, Scott and Luke please comment on these tasks, close > them, or assign them to a later release (if you judge them to be > non-urgent, lacking information or non-backward compatible)? > > We need to get 1.0.2 out so that people can benefit from the bug fixes. > > Thanks > Ben > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Spring LDAP
Hi Ray, We weren't using it previously, but I plan to migrate our implementation to use Spring LDAP at some point. I've been looking at it recently. Cheers, Luke. - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] About The Following Acegi Releases
On the branching front, it seems like we could be making more use of branches with subversion. I've just been reading this: http://svnbook.red-bean.com/en/1.0/ch04s07.html and this http://www.onlamp.com/pub/a/onlamp/2004/08/19/subversiontips.html?page=1 and having a look at other repositories like the apacheds one: http://svn.apache.org/repos/asf/directory/ It seems like if I needed to do some work that was intended for a future release I could quite easily create a branch, e.g svn copy -m "Creating branch for ldap template integration" https://svn.sourceforge.net/svnroot/acegisecurity/trunk/acegisecurity https://svn.sourceforge.net/svnroot/acegisecurity/branch/mytempbranch then at some time in the future, merge the changes into the trunk and remove the branch using "svn delete". The apacheds guys maintain a readme.txt file to keep a record of previous "dead code" to allow them to locate it if needed, without having to rad through log files. http://svn.apache.org/repos/asf/directory/sandbox/readme.txt This seems like quite a practical way of working as it allows developers to experiment with changes to the main codebase in isolation from everyone else without cluttering up the repository for future development. Presumably it is also easy to create branches "retrospectively"? i.e. we can create a 1.0.x release "branch/copy" from a previous revision number. I'll try and look at the site generation stuff when I get some time (probably after mid-September). Converting the html files will be a bit of a pain if it has to be done. We could get a trial site up and running before a final move (on a branch, for example :). I think we should ditch the jar signing and use PGP instead. If we sign each other's keys when we get a chance and publish them on the web site then that should be adequate. cheers, Luke. Ben Alex wrote: > Luke Taylor wrote: >> That's good. You'll be an expert on branching with subversion then :-). >> >> I'd like to get the automatic build upgraded to Maven 2 as well (and >> running again). There are a couple of issues I've come across so far: > > I am a BIG fan of moving to Maven 2 ASAP. Acegi Security is the only > application I still have which requires Maven 1.0.2, and every time we > release it requires a slightly different workaround (typically > MAVEN_OPTS parameters for JVM memory/stack allocation). I'd much prefer > the improved robustness of Maven 2, even if it means most of the reports > are lost. The only essential use cases are compile, JAR, test, DocBook, > unit test coverage report, and site build. > >> 1. The new site generation doesn't seem to support html files. Do you >> know if they all have to converted to xdoc, apt or whatever to be part >> of the main site (with the menu etc). >> >> 2. The contacts app is too complicated - I thought about refactoring >> this into a single web-app where people can comment select which >> contexts are included in the web.xml file. > > As discussed on Skype, I am happy for this to proceed. It is more > user-friendly in any event that people wanting to try X509 certificates, > CAS or container adapters be able to do so without the inconvenience of > building from source. > >> There was also some guy in the forum complaining about the fact that the >> jar wasn't signed. We should probably formalize the use of PGP keys, add >> them to the website and arrange to do some key signing when possible. >> The readme file also needs to be changed. > > I have a PGP key these days (ID 0x9BBCD24D) and know that both Luke and > Carlos do, so it's pretty easy to go with ZIP-level signing - plus > there's a lot of precedence for this approach courtesy of Apache. Do > people feel we should continue to sign the JAR using keytool, though, as > well? Does anyone actually rely upon JAR signing? Carlos, has Maven got > any smarts in terms of automatic verification of JARs downloaded from > repositories against the public keys in the repository or similar? I > don't see a lot of value in maintaining two signing approaches, as it > would make life harder for someone else to perform releases. In any > event, I'm a little tired of annually renewing keytool certificates when > PGP keys can be configured to never expire (yet still provide a > revocation approach). > > Cheers > Ben > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Downlo
Re: [Acegisecurity-developer] About The Following Acegi Releases
That's good. You'll be an expert on branching with subversion then :-). I'd like to get the automatic build upgraded to Maven 2 as well (and running again). There are a couple of issues I've come across so far: 1. The new site generation doesn't seem to support html files. Do you know if they all have to converted to xdoc, apt or whatever to be part of the main site (with the menu etc). 2. The contacts app is too complicated - I thought about refactoring this into a single web-app where people can comment select which contexts are included in the web.xml file. There was also some guy in the forum complaining about the fact that the jar wasn't signed. We should probably formalize the use of PGP keys, add them to the website and arrange to do some key signing when possible. The readme file also needs to be changed. Carlos Sanchez wrote: > we've been using this approach in maven. All development goes into > trunk and things that we want in .x releases are merged into a branch. > > On 8/25/06, Luke Taylor <[EMAIL PROTECTED]> wrote: >> Hi Ben, >> >> As I mentioned on skype, I'd be for branching the code in the near >> future, so we can start working on some of the more major changes that >> might be in 1.1 but still allowing for bugfixes and minor additions to >> the 1.0.x releases. >> >> What does everyone think? >> >> Luke. >> >> >> >> Ben Alex wrote: >>> Luo Shifei wrote: >>>> Dear All, >>>> >>>>When about Acegi 1.0.2 will be released? And When >>>> about Acegi 1.1 will be released? The New Domain >>>> Support will be included in Acegi 1.1? >>> Both will be released over the next three months. >>> I'd estimate 1.0.2 in about a month, and 1.1.0 in late November, but >>> make no promises. >>> >>> There won't be any domain support added to the project, and indeed the >>> current domain code in SVN is likely to be removed. I am currently >>> working on improvements to the domain object coding approaches, and will >>> be presenting work (and code) on this at The Spring Experience in December. >>> >>> Cheers >>> Ben >>> >>> - >>> Using Tomcat but need to do more? Need to support web services, security? >>> Get stuff done quickly with pre-integrated technology to make your job >>> easier >>> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo >>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 >>> ___ >>> Home: http://acegisecurity.org >>> Acegisecurity-developer mailing list >>> Acegisecurity-developer@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer >>> >> -- >> Luke Taylor. Monkey Machine Ltd. >> PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk >> >> >> - >> Using Tomcat but need to do more? Need to support web services, security? >> Get stuff done quickly with pre-integrated technology to make your job easier >> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 >> ___ >> Home: http://acegisecurity.org >> Acegisecurity-developer mailing list >> Acegisecurity-developer@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer >> > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] About The Following Acegi Releases
Hi Ben, As I mentioned on skype, I'd be for branching the code in the near future, so we can start working on some of the more major changes that might be in 1.1 but still allowing for bugfixes and minor additions to the 1.0.x releases. What does everyone think? Luke. Ben Alex wrote: > Luo Shifei wrote: >> Dear All, >> >>When about Acegi 1.0.2 will be released? And When >> about Acegi 1.1 will be released? The New Domain >> Support will be included in Acegi 1.1? > > Both will be released over the next three months. > I'd estimate 1.0.2 in about a month, and 1.1.0 in late November, but > make no promises. > > There won't be any domain support added to the project, and indeed the > current domain code in SVN is likely to be removed. I am currently > working on improvements to the domain object coding approaches, and will > be presenting work (and code) on this at The Spring Experience in December. > > Cheers > Ben > > - > Using Tomcat but need to do more? Need to support web services, security? > Get stuff done quickly with pre-integrated technology to make your job easier > Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 > ___ > Home: http://acegisecurity.org > Acegisecurity-developer mailing list > Acegisecurity-developer@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Bean initialization, constructor injection etc.
I agree that reusability is important but I'm not convinced that these changes are justified on this basis, or that is just about balancing reusability and ease of use. The use of constructor arguments is about guaranteeing that objects can only be created with a specific state (the dependencies required by their design) and providing a single point for checking that state (the constructor). This is a design issue based on the requirements as determined by the developer at the time they write the class. As time goes on and different requirements become apparent from forum posts and so on, compromises are made, access is provided to state that was previously immutable or unreadable etc etc. The most reusable code may provide no-arg constructors and getters and setters for everything, but it is also the least stable. To summarise, there may be situations where we *do* want to open things up in this way for some classes, to provide extra extensibility, but I don't think accommodating the inadequacies of plexus is sufficient justification for a cross-the-board change. Could it not be argued that the changes should be made to plexus rather than Acegi? The plexus web site also says on the main page that it supports "Various dependency injection techniques including constructor injection, setter injection, and private field injection." so I find that a bit confusing... Is the web site just plain wrong? Also, is plexus actually used in practice by anyone other than Maven? As I said before, we have deliberately moved towards the use of constructor injection for required dependencies, actually to avoid having to use Spring-specific constructs like the InitializingBean interface and to facilitate use outside of a Spring application context. Removing this will allow users to deploy misconfigured apps which will fail when first used rather than at deploy time, which I don't see as an improvement. What do other people think? I'm always interested in discussions about guaranteeing the state and integrity of objects and have come to see it as more of an important issue as time has passed. Luke Taylor wrote: > Opening this up to the list for discussion > > >> no problem >> I don't think it's just a plexus problem, in general it allows >> extensibility and reuse. For instance you may want to subclass it with >> a different behaviour and the constructor arguments approach is >> limiting. At the end it's a matter of balancing ease of use and >> reusability >> >> On 7/12/06, Luke Taylor wrote: >>> I think these kind of changes should be discussed on the list >>> beforehand. Ben and I talked about this kind of thing a while back and >>> agreed that enforcing initialization of objects with a particular state >>> and being able to guarantee their integrity isn't something to be given >>> up lightly. >>> >>> Do you mind if I forward your reply to the list. If we are going change >>> this approach to accommodate plexus then it should probably be discussed >>> there. >>> >>> Carlos Sanchez wrote: >>>> I'm adding Acegi to Continuum and it uses Plexus as IoC (it wasn't me) >>>> with the small problem that it doesn't accept constructor arguments. >>>> Default constructor+setters are still good to allow extension. I added >>>> javadocs to make clear the need of calling the setters later and >>>> checks to ensure the object is properly initilized. >>>> >>>> On 7/10/06, Luke Taylor wrote: >>>>> What's with adding all these default constructors? There was some >>>>> discussion a while back about using constructor injection for >>>>> initialization where possible for required dependencies and avoiding the >>>>> use of InitializingBean, setter injection etc... >>>>> >>>>> >>>>> > > > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Bean initialization, constructor injection etc.
Opening this up to the list for discussion > no problem > I don't think it's just a plexus problem, in general it allows > extensibility and reuse. For instance you may want to subclass it with > a different behaviour and the constructor arguments approach is > limiting. At the end it's a matter of balancing ease of use and > reusability > > On 7/12/06, Luke Taylor wrote: >> I think these kind of changes should be discussed on the list >> beforehand. Ben and I talked about this kind of thing a while back and >> agreed that enforcing initialization of objects with a particular state >> and being able to guarantee their integrity isn't something to be given >> up lightly. >> >> Do you mind if I forward your reply to the list. If we are going change >> this approach to accommodate plexus then it should probably be discussed >> there. >> >> Carlos Sanchez wrote: >> > I'm adding Acegi to Continuum and it uses Plexus as IoC (it wasn't me) >> > with the small problem that it doesn't accept constructor arguments. >> > Default constructor+setters are still good to allow extension. I added >> > javadocs to make clear the need of calling the setters later and >> > checks to ensure the object is properly initilized. >> > >> > On 7/10/06, Luke Taylor wrote: >> >> What's with adding all these default constructors? There was some >> >> discussion a while back about using constructor injection for >> >> initialization where possible for required dependencies and avoiding the >> >> use of InitializingBean, setter injection etc... >> >> >> >> >> >> -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk - Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Java Appliaction + Spring httpinvoker authentication
Please post user questions in the forum, not the dev mailing list. Luke. P.S. Whatever your opinion, if you are asking for help in using an OS project, you are much more likely to get it if you steer clear of terms like "CRAP!" and "rubbish" when describing it. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] CAS w/ LDAP authorities?
There are posts on this in the user forum - it should be simple to write an LdapUserDetailsService class which just uses the combination of a search bean and authorities populator. Jason Patterson wrote: > We currently have acegi in place on numerous applications using an > LdapAuthenticationProvider from both authentication and authorization. > We're looking into providing sso via CAS, our acegi filter is wired up > to use CAS, which in turn is wired to use the > LdapAuthenticationProvider, but once authentication passed back we're > stuck with jdbc or in memory dao options to implement the > UserDetailsService for the CasAuthoritiesPopulator even though we > already have all this role information in our ldap store. I'd prefer to > continue pulling it from there. It seems like it could be an elegant > solution allowing all our user data to reside in one store and provide > SSO at the cost of having numerous connection pools open to the ldap > store. Is that more costly than I perceive or is there a better way to > do this? Is an ldap userDetailsService planned? > > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] 1.0.1 patch release?
I'm not sure a release will be possible until Ben gets back from Europe. There are always the nightly builds until then, if people need a quick fix. Ray Krueger wrote: > OK so, 1.0.0 did not release well. The LDAP/Spring compatability > issue, and the NotSerializableException issue both warrant getting a > patch out asap I would think. > > Unfortunately there hasn't been any talk about that. What's the plan here? > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] ldap blowing up after upgrade to 1.0 final
That's pretty much the fix that I put in earlier today - the same issue was raised in the forums yesterday http://forum.springframework.org/showthread.php?t=25430 and in Jira as SEC-281. Sorry it wasn't spotted earlier. Perhaps we should change the Spring maven dependency back to 1.2.8 to detect this kind of thing? Luke. Ben Munat wrote: > Thanks for entering the jira issue for me! I pulled from svn and built my own > jar with only two changes and I think it's > working now (the client hasn't called to complain yet :-) ). > > All I did was change two places that use EmptyResultDataAccessException to > use the next superclass up, which is > IncorrectResultSizeDataAccessException. The two classes that I changed were > FilterBasedLdapUserSearch (imports and line > 126) and LdapTemplate (imports and line 248). > > I don't know if this would be a suitable fix for the general population, but > it seems pretty self contained. The > LdapTemplate throws and the FilterBasedLdapUserSearch catches it and rethrows > as a UsernameNotFoundException. I think > this change would be fine for general release, but the author of the code > should definitely make that call. > > Thanks for the quick response. > > Ben > > PS: I just heard from the client and they're back in business with my patched > jar. > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Junit error with Acegi Security
If the test is running in maven, is there some way I can get hold of the
path to the target directory - a system property that maven sets for
example? I remember there was a "maven.build.dir" property. Is that
still available in maven 2 and is it set as a system property?
Carlos Sanchez wrote:
> Right now it seems to work for me. it'd be a good idea if you can, to
> change that temp directory to target/something, so it's deleted during
> clean
>
> On 5/28/06, Luke Taylor <[EMAIL PROTECTED]> wrote:
>> Are you both seeing this error?
>>
>> If not, it may be that the working directory is corrupt. The Ldap server
>> tries to write to {java.io.tmpdir}/apacheds-work. Ideally it should
>> delete the contents of this every time it starts up, or the maven script
>> would, but it doesn't at the moment.
>>
>> Try removing that directory and see if it works.
>>
>> I'll try rebuilding on a couple of different machines too.
>>
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Junit error with Acegi Security
Are you both seeing this error?
If not, it may be that the working directory is corrupt. The Ldap server
tries to write to {java.io.tmpdir}/apacheds-work. Ideally it should
delete the contents of this every time it starts up, or the maven script
would, but it doesn't at the moment.
Try removing that directory and see if it works.
I'll try rebuilding on a couple of different machines too.
Carlos Sanchez wrote:
> I suggest to Luke to wipe out his local repo and try.
> I think it's best to have the initialization in the constructor or
> errors wil lbe hard to debug.
>
>
> On 5/27/06, Ben Alex <[EMAIL PROTECTED]> wrote:
>> Luke Taylor wrote:
>>> I'm not seeing any problems with the latest code... I just rebuilt the
>>> web site and all the tests seems to be passing.
>>>
>>> There's quite a serious overhead in starting up the Ldap server which is
>>> why I made it a static field. Maven 1 seems to reload the class each
>>> time it runs a test so it doesn't an you ke much difference but it's a lot
>>> faster running in IntelliJ or Maven 2.
>>>
>>> Moving it to the constructor would probably be OK, but putting it in the
>>> setUp would slow things down a lot.
>>>
>> Hi Luke
>>
>> Whether I use Maven 1, Maven 2 or Eclipse, running the unit tests is
>> always reporting:
>>
>> jdbm.helper.WrappedRuntimeException:
>> org.apache.ldap.server.partition.impl.btree.jdbm.JdbmMasterTable$1
>> at jdbm.helper.DefaultSerializer.deserialize(DefaultSerializer.java:99) etc
>>
>> Whilst researching this, I noticed someone else on the forum reported
>> exactly the same exception.
>>
>> Given the public site is building fine with Maven 1 - including the LDAP
>> tests
>> (http://acegisecurity.org/multiproject/acegi-security/junit-report.html#org_acegisecurity_providers_ldap)
>> - I am wondering if there is a version issue with one of the Apache
>> Directory JARs at http://acegisecurity.sourceforge.net/maven. I've tried
>> deleting all of my local JARs so they refresh from the public repo, but
>> it still fails. By some chance are you running a different version of
>> the JARs, even though their filenames suggest you are not (perhaps try
>> an md5sum on your local JARs and compare them with an md5sum executed on
>> the SourceForge shell server)?
>>
>> We cannot release 1.0.0 whilst this issue remains. Also, I am also going
>> to Brisbane this afternoon until Thursday night, and on Friday morning I
>> am going to Europe. So we really need this resolved ASAP if there is to
>> be any chance at all of getting 1.0.0 out before I return to Australia
>> in July.
>>
>> Cheers
>> Ben
>>
>>
>> ___
>> Home: http://acegisecurity.org
>> Acegisecurity-developer mailing list
>> Acegisecurity-developer@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>>
>
>
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Junit error with Acegi Security
I'm not seeing any problems with the latest code... I just rebuilt the web site and all the tests seems to be passing. There's quite a serious overhead in starting up the Ldap server which is why I made it a static field. Maven 1 seems to reload the class each time it runs a test so it doesn't make much difference but it's a lot faster running in IntelliJ or Maven 2. Moving it to the constructor would probably be OK, but putting it in the setUp would slow things down a lot. Carlos Sanchez wrote: > The problem is in > > org.acegisecurity.ldap.AbstractLdapServerTestCase > > private static final LdapTestServer SERVER = new LdapTestServer(); > > This call causes an exception. As it's a static field it happens at > the time the class is loaded, so the class can't be loaded. Static and > junit ant tasks don't play well together. > > The "new LdapTestServer()" should be moved to a setUp() method or the > constructor to see the error. > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Ldap changes
Thanks for the feedback guys. I've already made most of the changes, but haven't checked them in. It'll be rather short notice - Ben is talking about possibly releasing on the 19th. I'll probably make the changes in the next day or so and post something to the forum to warn people about potential issues. Luke. Ray Krueger wrote: The project I work on right now is fast approaching the security phase. We are about 90% sure of LDAP right now. So I'm all for making the LDAP support as solid as possible. The approaches you've described would definitely allow the most flexibility. What Robert mentioned about the diversity of LDAP implementations is definitely the biggest hurdle. I don't know what sort of schedule Ben has put forth for a 1.0 release, but the community is anxious for one. So if the LDAP refactoring can happen without much delay to a release, have at it I say. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] Ldap changes
Hi all, I've got some changes I want to make to the LDAP code to address some shortcomings which have come to light. I thought I'd run them past the list so that those who are interested in LDAP in Acegi have a chance to comment. I've moved the main content of this mail into a JIRA issue http://opensource.atlassian.com/projects/spring/browse/SEC-264 Comments, questions or better suggestions are welcome there or here on the list. Luke. P.S. No comments about RC versions please. That boat's already sailed :). I'd like to get the best working API we can come up with in place pre-1.0 rather than have to make changes in future versions. Bugs are another matter and can be fixed in 1.0.1. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Subversion? (Change completed)
Great, that works. I wasn't aware that you can just use the maven2 style names in maven 1. Thanks Carlos. Carlos Sanchez wrote: Have you tried org.apache.directory.server apacheds-core 1.0-RC1 test -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Subversion? (Change completed)
OK, but that's the maven2 build. You said that anything that's available for maven 2 is also available for maven 1, but I don't see any way of adding it to the project.xml... Carlos Sanchez wrote: it's already in the core/pom.xml org.apache.directory.server apacheds-core 1.0-RC1 test which means it's here http://www.ibiblio.org/maven2/org/apache/directory/server/apacheds-core/1.0-RC1/ -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Subversion? (Change completed)
[EMAIL PROTECTED] wrote: I could be wrong, but I suspect that most Acegi developers already have these Maven resources in their repositories from other projects (or populate them manually). This is currently the only OSS project I'm involved with, so I'm depending on Maven to fill my repository with all the things it needs. Is it possible that the Acegi Maven config file could be missing one or more dependancies? It shouldn't be missing dependencies, or the automated build wouldn't have been working. You may have to populate some jars manually though, if they aren't freely available (e.g. because of licensing restrictions). The jta jar is a case in point. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Subversion? (Change completed)
There seem to be a few classes that have moved to different packages in RC1, and I'm also getting an exception starting an embedded server which wasn't there before. I'll have to look at it over the weekend. Luke Taylor wrote: I would like to, but they don't seem to be visible in the maven 1 repository. If we are upgrading to maven 2 then there shouldn't be a problem with apacheds RC1. Carlos Sanchez wrote: I have committed some changes, now the problems are with ldap dependencies, can somebody check if we can upgrade to a non snapshot dependency? there's alreaddy RC1 of apache directory in ibiblio. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Subversion? (Change completed)
So what artifact/groupid do we use in the project.xml to get hold of it? Carlos Sanchez wrote: www.ibiblio.org/maven is no longer used. Requests for files are converted to the maven2 repo, if it's in www.ibiblio.org/maven2 then is available for maven1 On 4/26/06, Luke Taylor <[EMAIL PROTECTED]> wrote: I would like to, but they don't seem to be visible in the maven 1 repository. If we are upgrading to maven 2 then there shouldn't be a problem with apacheds RC1. Carlos Sanchez wrote: I have committed some changes, now the problems are with ldap dependencies, can somebody check if we can upgrade to a non snapshot dependency? there's alreaddy RC1 of apache directory in ibiblio. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Subversion? (Change completed)
The jdbm stuff should be pulled from ibiblio: http://www.ibiblio.org/maven/jdbm/jars/ Can you check you have a copy of it in your repository? [EMAIL PROTECTED] wrote: I'm still getting these errors in the unit tests as well: BUILD FAILED File.. C:\Documents and Settings\smccrory\.maven\cache\maven-multiproject-plugin-1.3.1\plugin.jelly Element... maven:reactor Line.. 217 Column 9 Unable to obtain goal [multiproject:install-callback] -- C:\Documents and Settings\smccrory\.maven\cache\maven-test-plugin-1.6.2\plu gin.jelly:133:41: javax/servlet/ServletRequest Total time: 1 minutes 34 seconds Finished at: Tue Apr 25 21:24:03 EDT 2006 Exception in thread "ApacheDS Shutdown Hook (default)" Exception in thread "ApacheDS Shutdown Hook (default)" Exception in thread "A pacheDS Shutdown Hook (default)" Exception in thread "ApacheDS Shutdown Hook (default)" Exception in thread "ApacheDS Shutdown Hook (default)" Exception in thread "ApacheDS Shutdown Hook (default)" java.lang.NoClassDefFoundError: jdbm/helper/MRUEnumeration java.lang.NoClassDefFoundError: jdbm/helper/MRUEnumeration java.lang.NoClassDefFoundError: jdbm/helper/MRUEnumeration java.lang.NoClassDefFoundError: jdbm/helper/MRUEnumeration java.lang.NoClassDefFoundError: jdbm/helper/MRUEnumeration java.lang.NoClassDefFoundError: jdbm/helper/MRUEnumeration C:\java\eclipse\workspace\acegisecurity\doc> Scott -Original Message- From: Carlos Sanchez [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 25, 2006 3:10 PM To: acegisecurity-developer@lists.sourceforge.net Subject: Re: [Acegisecurity-developer] Subversion? (Change completed) I have committed some changes, now the problems are with ldap dependencies, can somebody check if we can upgrade to a non snapshot dependency? there's alreaddy RC1 of apache directory in ibiblio. --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Subversion? (Change completed)
I would like to, but they don't seem to be visible in the maven 1 repository. If we are upgrading to maven 2 then there shouldn't be a problem with apacheds RC1. Carlos Sanchez wrote: I have committed some changes, now the problems are with ldap dependencies, can somebody check if we can upgrade to a non snapshot dependency? there's alreaddy RC1 of apache directory in ibiblio. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Quest question about using LDAP
Hi Ray, Not sure about that I guess if the roles are based on some sort of organization structure (departments, job titles etc.) then the directory would be an obvious place for that information. If it's more app-specific then it's less obvious. Depends on what access you have to the system too - you can store just about anything in LDAP, so I don't see anything philosophically wrong with putting app-specific info in there. On the other hand, if the app is using a separate database then that may be the obvious place to store the roles, while still allowing centralized management of user accounts and login info for multiple uses. I don't think there's a definite answer either way... By the way, we're planning to move the non-security specific LDAP stuff out of provider package, and using an org.acegisecurity.ldap package instead. Just to let you know :) cheers, Luke. Ray Krueger wrote: > When using LDAP as an authentication source, where do you guys feel > the ROLEs belong? Should they be managed in LDAP by whatever LDAP > admin is in charge, or should the ROLEs be stored in the application > database and associated to some user table based on the LDAP username? > > I thinki it is a design question that could go either way. I just > wanted to get some expert opinions. > -Ray > > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] RE: SecurityContext keeps losing the Authentication
It's part of the language specification that finally blocks are always
executed, so this shouldn't be possible, barring a JVM bug.
Sprangemeijer, Ruben wrote:
> Hi,
>
> I'm experiencing similar behavior on Sun Application Server 7.
> I think it is caused by the finally block in the
> HttpSessionContextIntegrationFilter.doFilter method NOT being executed
> when the CasProcessingFilter (AbstractProcessingFilter) does a
> sendRedirect to my targetUrl in its successfulAuthentication method.
>
> In this finally block the SecurityContextHolder.getContext() is set on
> the HttpSession as the ACEGI_SECURITY_CONTEXT_KEY.
> In this particular case the finally block is not executed and after the
> redirect I do not have a valid context...
>
> I have worked around this by subclassing the CasProcessingFilter and
> implemented the onSuccessfulAuthentication method. There I do a simple
> request.getSession().setAttribute("ACEGI_SECURITY_CONTEXT",
> SecurityContextHolder.getContext());
>
> This works for me, but I am not sure whether I actually analyzed the
> problem correct...
>
> Kind regards,
> Ruben Sprangemeijer
>
>
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] SecurityContext keeps losing the Authentication Object
See my reply in the forum. Lucas Opara wrote: > Hello, > > I have an issue with a web app (let's call it A) protected by acegi ( > 1.0.0-RC2) ans CAS authentication manager. > > This web app A is accessed through a proxy web application (let's call it > B). > B transmit a proxy ticket to A which validates this ticket against CAS > server, put the authentication object in SecureContext, then redirect to an > URL transmitted from B. This URL is the starting URL of application A. But > in between, when the redirection happens, the authentication object is lost! > > Any suggestions please? > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] LdapAuthenticationProvider and empty password
Hi, I agree it shouldn't be a hasLength check. Probably changing it to an Assert.notNull would do the trick as a null password should indicate a coding error. I've created a couple of Jira issues for these points: http://opensource.atlassian.com/projects/spring/browse/SEC-201 http://opensource.atlassian.com/projects/spring/browse/SEC-202 Thanks for the report, Luke. Teppo Jalava wrote: > Hello > > While migrating our system to use the new LdapAuthenticationProvider, > I noticed that when user tries to login with an empty password, the > provider throws IllegalArgumentException, due to the > Assert.hasLength-check. Is this the right kind of behaviour for the > provider? I mean, I would rather see a BadCredentialsException or some > other AuthenticationException instead so the > AuthenticationProcessingFilter would redirect the user to the > authentication failure page. > > Or is there some other mechanism besides subclassing the provider to > achieve this that I've missed? > > Thank you in advance, > Teppo > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Extending the Default LdapAuthoritiesPopulator
Sorry, I forgot to reply to this. I'll add an accessor method for the context factory. [EMAIL PROTECTED] wrote: > I'd like to extend the Default LdapAuthoritiesPopulator is it possible to > make the: > > private InitialDirContextFactory initialDirContextFactory = null; > > protected? > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Didn't find Ldap Package
I'm afraid it didn't make it into the RC1 release. RC2 should be released pretty soon. Failing that you can try building from source. That should be working OK at the moment. atef kabani wrote: > Hi All > I just want to use LdapAuthenticationProvider, I downloaded the official > release but i didn't fint the whole ldap package.Is there any bugs in Ldap > so the release didn't include ldap or what ? > > Thank You > Eng: Atef Kabani > Nounsware Co. > > > - > Yahoo! Mail - Helps protect you from nasty viruses. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] im fed up -- pls help
Please don't post to the developer list complaining about a lack of good documentation - at least not without first giving some indication that you have made an attempt to find out what already exists and explaining what you don't understand about it. There is a whole page of links to external articles, tutorials and other reference sources about Acegi on the project website. If you want to understand more about Spring then there are excellent books available, and doubtlessly countless articles too. I've only just finished writing the LDAP code and committed the first draft of the docs to the reference manual a couple of days ago. It's taken up a lot of my time, so I don't find this kind of comment very helpful at all. I don't think you should be trying to get LDAP authentication working unless you have managed to use and understand some of the simpler examples first. If you have concrete questions to ask, please post them to the user forum. We're more than happy to help with specific problems where the user can make a clear statement about what they're trying to do and what's going wrong. Karthik V wrote: > > ... > > Please please give me some clue or point me to some document that helps me > accomplish what I want. I've spent too much time on this due to lack of good > docs that give end to end explanation for beginners. > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Re: Problem with Acegi Maven 2 build
I worked out how to get rid of the problem using Maven 2's "exclusions" tag. That let's me prevent the transitive dependency on nlog4j from being added to the build. I can then replace it manually with slf4j-log4j12 which is log4j compatible. I'll test things and then check in a version of the pom.xml that works with maven 2. Then I'll copy some working versions of the apache-ds jars to our repo so we can use them for the maven 1 build. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] CVS build failing due to test failures.
Ray Krueger wrote: > hehe yeah that I knwew :P > I was hoping Maven could be a little clearer on what class. I think > it's the last one it's trying to "Find" NameComponentNormalizer. Would > that be correct? > That's the problem with the apacheds stuff... It's probably best to disable/ignore the LDAP tests for the time being. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Re: Problem with Acegi Maven 2 build
Hi Carlos, Thanks for getting back to me. The problem happens when I run "maven -X install" from the acegi core directory. log4j definitely appears directly after spring-core in my test classpath, though I don't know exactly how it gets there: [INFO] [surefire:test] [INFO] Setting reports dir: /Users/luke/Work/OpenSrc/acegisecurity/core/target/surefire-reports [DEBUG] Test Classpath : [DEBUG] /Users/luke/Work/OpenSrc/acegisecurity/core/target/test-classes [DEBUG] /Users/luke/Work/OpenSrc/acegisecurity/core/target/classes [DEBUG] /Users/luke/Work/OpenSrc/acegisecurity/core/target/classes [DEBUG] /Users/luke/Work/OpenSrc/acegisecurity/core/target/test-classes [DEBUG] /Users/luke/.m2/repository/org/springframework/spring-mock/1.2.6/spring-mock-1.2.6.jar [DEBUG] /Users/luke/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar [DEBUG] /Users/luke/.m2/repository/javax/transaction/jta/1.0.1B/jta-1.0.1B.jar [DEBUG] /Users/luke/.m2/repository/junit/junit/3.8.1/junit-3.8.1.jar [DEBUG] /Users/luke/.m2/repository/jmock/jmock/1.0.1/jmock-1.0.1.jar [DEBUG] /Users/luke/.m2/repository/javax/servlet/jsp-api/2.0/jsp-api-2.0.jar [DEBUG] /Users/luke/.m2/repository/javax/servlet/servlet-api/2.4/servlet-api-2.4.jar [DEBUG] /Users/luke/.m2/repository/commons-logging/commons-logging/1.0.4/commons-logging-1.0.4.jar [DEBUG] /Users/luke/.m2/repository/org/apache/directory/server/org.apache.ldap.server.core/0.9.4-SNAPSHOT/org.apache.ldap.server.core-0.9.4-SNAPSHOT.jar [DEBUG] /Users/luke/.m2/repository/com/servlets/cos/05Nov2002/cos-05Nov2002.jar [DEBUG] /Users/luke/.m2/repository/logkit/logkit/1.0.1/logkit-1.0.1.jar [DEBUG] /Users/luke/.m2/repository/jdbm/jdbm/1.0/jdbm-1.0.jar [DEBUG] /Users/luke/.m2/repository/commons-collections/commons-collections/3.1/commons-collections-3.1.jar [DEBUG] /Users/luke/.m2/repository/avalon-framework/avalon-framework/4.1.3/avalon-framework-4.1.3.jar [DEBUG] /Users/luke/.m2/repository/org/springframework/spring-remoting/1.2.6/spring-remoting-1.2.6.jar [DEBUG] /Users/luke/.m2/repository/javax/resource/connector/1.0/connector-1.0.jar [DEBUG] /Users/luke/.m2/repository/javax/servlet/jstl/1.0/jstl-1.0.jar [DEBUG] /Users/luke/.m2/repository/quartz/quartz/1.5.1/quartz-1.5.1.jar [DEBUG] /Users/luke/.m2/repository/org/springframework/spring-core/1.2.6/spring-core-1.2.6.jar [DEBUG] /Users/luke/.m2/repository/log4j/log4j/1.2.6/log4j-1.2.6.jar [DEBUG] /Users/luke/.m2/repository/taglibs/standard/1.0.6/standard-1.0.6.jar [DEBUG] /Users/luke/.m2/repository/oro/oro/2.0.8/oro-2.0.8.jar [DEBUG] /Users/luke/.m2/repository/hsqldb/hsqldb/1.7.3.0/hsqldb-1.7.3.0.jar [DEBUG] /Users/luke/.m2/repository/org/apache/directory/server/org.apache.ldap.server.shared/0.9.4-SNAPSHOT/org.apache.ldap.server.shared-0.9.4-SNAPSHOT.jar I'm not sure what you mean by "any other application" - I'm just running the acegi core build. I've attached my "core/pom.xml". I've also added the apache repo in the main pom.xml so that it can pull down the apacheDS jars: acegi-snapshot Acegi snapshot repository http://acegisecurity.sourceforge.net/repository/snapshots default apache-maven-snapshots Apache snapshot repository http://svn.apache.org/maven-snapshot-repository/ default cheers, Luke. Carlos Sanchez wrote: > Sorry for the late response. > > First core was not compiling with m2. I tried now and had to change > the scope of spring-mock to make classes compile. > > Second, if you run mvn -X you can see how transitive dependencies are > obtained, and there's no reference at all to log4j. Are you talking > about any other application that uses other stuff besides acegi? If so > you can run mvn -X, check who is using log4j and add a exclusion to > that dependency. > > Also note that apacheds dependecies in pom.xml are not the snaphots as > they are not available in ibiblio. I added this ones in the meantime. > i imagine tests don't fail because that classes are not tested at all > (http://www.acegisecurity.org/multiproject/acegi-security/clover/index.html). > > The fact that order of dependencies worked in m1 was a coincidence and > was not intended at all, and thus that behaviour can change. > > Regards -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk http://maven.apache.org/POM/4.0.0"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd";> 4.0.0 org.acegisecurity acegi-security-parent 1.0.0-SNAPSHOT acegi-security Acegi Security System for Spring org.slf4j nlog4j 1.2.19 compile org.springframework spring-remoting 1
Re: [Acegisecurity-developer] Apacheds 0.9.4-SNAPSHOT
Hi, The are available from the apache repository at http://svn.apache.org/repository This should be included in the maven.repo.remote property in the project.properties file. Have you set this property locally somewhere that might be overriding this, e.g. in a build.properties file? There are also some problems with those snapshots for running the tests, but you should be able to build anyway (e.g. by setting maven.test.failure.ignore=true). I'm waiting for the apacheds team to fix some bugs I've reported and make a stable release which we can work with. The earlier versions are too different and have too many issues. If there's a delay on that front, we'll look at building our own versions for the 1.0-RC2 release and making them available from our own repository. Luke. Kelly, Brendon (SAPOL) wrote: > Hi all, > > I'm trying to get started with the new LDAP stuff by building Acegi with > Maven but I get unsatisfied dependecies. > > The build cannot continue because of the following unsatisfied dependencies: > > apacheds-core-0.9.4-SNAPSHOT.jar > apacheds-shared-0.9.4-SNAPSHOT.jar > apacheds-server-0.9.4-SNAPSHOT.jar > asn1-codec-0.3.4-SNAPSHOT.jar > ldap-common-0.9.4-SNAPSHOT.jar > > I can't find how to download or build these jars and the Apache site only > lists 0.9.3 jars and the ApacheDS subproject page seems to be missing. Can > anyone help? > > > Regards > > Brendon Kelly > --- > Application Programmer > Information Systems & Technology Service > South Australia Police > > > > --- > This SF.net email is sponsored by: Splunk Inc. Do you grep through log files > for problems? Stop! Download the new AJAX search engine that makes > searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 > ___ > Home: http://acegisecurity.org > Acegisecurity-developer mailing list > Acegisecurity-developer@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] New LDAP stuff
Hi,
I haven't actually used AD in anger and don't have a system to test
against (other than the free ADAM, which I think is a bit different).
However, I don't think you can bind with "sAMAccountName={0},CN=Users"
as this doesn't actually match a DN (as AD sees it).
I've heard of two "alternative" pseudo-DN syntaxes supported by AD. One
is "[EMAIL PROTECTED]" and the other is "domain\username".
I think you can try binding with either of these using the existing
BindAuthenticator. If the user types in the entire name, you could have:
{0}
or if they only type in the username part, you could use something like
[EMAIL PROTECTED]
domain\{0}
The "\" in the domain version may need to be escaped, or you might be
able to use a "/".
Disclaimer: everything I wrote above could be wrong. But I'd be grateful
if you could try it out and let us know if it works.
cheers,
Luke.
Bram Bruneel wrote:
> Hi,
>
> ...
>
> I noticed that, when using MS Active Directoy that setting the userDnPatterns
> property in the ldapAuthenticationProvider had no real effect in
> authenticating
> users. I could only authenticate against their CN and not the sAMAccountName,
> which is the real account name in Active Directory.
>
> ...
>
> And this is what did not work with MS Active Directory
>
> class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
>
>
>
>
>
> sAMAccountName={0},CN=Users
>
>
>
>
>
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] New LDAP stuff
Ray Krueger wrote: > Awesome. > Brandon please have a look at Luke's docs as soon as they are up if > you can, that would be a huge help. > > I have several people from different teams at my company asking me > about Acegi and LDAP right now. They're pretty excited, but > unfortunately I'm stuck yammering and hand-waiving about the LDAP > support hehe. > Tell them my rates are very reasonable ... Could be some time before those docs are available :). -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] CVS build failing due to test failures.
Hi, The LDAP tests are failing because of changes in the ApacheDS snaphots which the provider uses as an embedded server for testing. I've been discussing their planned release with them, which should be out this week. Once it appears I'll modify the build to use it so that we have something stable to test against. You can skip the tests by running with "maven -Dmaven.test.skip". Alternatively, you can set up the tests to point to an external server by uncommenting the appropriate lines in the base class for the Ldap tests (AbstractLdapServerTestCase, or whatever). I've attached a copy of the test data. It also expects to have an admin user with username "manager" and password "acegisecurity" available. cheers, Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk version: 1 dn: dc=acegisecurity,dc=org objectClass: dcObject objectClass: organization dc: acegisecurity description: Acegi Security (Test LDAP DIT) o: Monkey Machine Ltd. dn: ou=people,dc=acegisecurity,dc=org objectClass: organizationalUnit description: All people in organisation ou: people dn: cn=Ben Alex,ou=people,dc=acegisecurity,dc=org objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top cn: Ben Alex ou:: 5a6J5YWo sn: Alex uid: Ben userPassword:: e1NIQX1uRkNlYldqeGZhTGJISEcxUWs1VVU0dHJidlE9 dn: uid=bob,ou=people,dc=acegisecurity,dc=org objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top cn: Bob Hamilton sn: Hamilton uid: bob userPassword:: Ym9ic3Bhc3N3b3Jk dn: ou=groups,dc=acegisecurity,dc=org objectClass: top objectClass: organizationalUnit ou: groups dn: cn=developers,ou=groups,dc=acegisecurity,dc=org objectClass: groupOfNames objectClass: top cn: developers description: Acegi Security Developers member: uid=bob,ou=people,dc=acegisecurity,dc=org member: cn=ben alex,ou=people,dc=acegisecurity,dc=org o: Acegi Security System for Spring ou: developer dn: cn=managers,ou=groups,dc=acegisecurity,dc=org objectClass: groupOfNames objectClass: top cn: managers member: cn=ben alex,ou=people,dc=acegisecurity,dc=org ou: manager
Re: [Acegisecurity-developer] New LDAP stuff
Hi, I already have quite a bit of documentation written. I'll let you know when it's in CVS for review and you could perhaps make some suggestions then. it should also appear on the web site via the automated build (easier to read than the XML :) ). Luke. Brandon Keepers wrote: > I would be willing to do this if you wanted some help. I've been using > the new LDAP code extensively in the last month. If anyone else is > already working on this, just let me know. Otherwise I'll get started > on it in the next day or so. > > Brandon > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] New LDAP stuff
Ray Krueger wrote: > Hey guys, where can I point someone to if they wanted to read about > LDAP support? > > I see the org.acegisecurity.providers.ldap package in the javadocs in > the site; but that is the old stuff isn't it? > > Hi Ray, No, the non-sandbox stuff is up-to-date. There's also an example in the contacts directory and quite a bit of information in recent forum posts. cheers, Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] compile error LdapUtils with Sun JDK 1.4.2_04
Thanks, that sounds like a better option. I've changed it accordingly.
cheers,
Luke.
Scott Battaglia wrote:
You can also do:
catch (Exception e) {
final IllegalArgumentException iae = new
IllegalArgumentException(MESSAGE);
iae.initCause(e);
throw iae;
}
If you want I can change them in CVS to reflect that. Its the
equivalent (as far as I know) of new IllegalArgumentException (message,
e) in Tiger.
-Scott
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] help - I need LdapPasswordAuthenticationDao
Hmm. I thought they were in there 'cos they're listed under the RC1 label in CVS http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/core/src/main/java/org/acegisecurity/providers/ldap/?only_with_tag=release_1_0_0_RC1 But it appears that they're not there. Have you tried building from a recent nightly source archive? Karthik V wrote: "RC1 does contain the new LDAP provider. You should use these classes in preference to the ones in the sandbox which will not be supported in future releases. " Gladly. This is the one I was talking about: http://sourceforge.net/project/showfiles.php?group_id=104215 Are we talking about the same thing?? Coz I dont see the ldap package inside providers, in this one. Wondering whats going wrong ... -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] compile error LdapUtils with Sun JDK 1.4.2_04
Ok, I've replaced it with a combination of a log message and an
IllegalArgumentException.
Thanks for reporting it. It's probably worth raising this kind of bug
report in Jira so that it doesn't get missed by accident.
cheers,
Luke.
Sprangemeijer, Ruben wrote:
Hi,
I get a compile error when compiling the HEAD version with Sun JDK 1.4.2_04. On line 63 "throw new IllegalArgumentException("Unable to parse url: " + url, e);" it is using a constructor for IllegalArgumentException that is only available in Java 5. Since I am using this on Sun Application Server 7, I am not able to use Java 5. Can someone change this line to use the jdk 1.4. compatible construct?
I am able to compile when I change it to something like:
throw new IllegalArgumentException("Unable to parse url: " + url + ", e: " + e.getMessage());
kind regards,
Ruben Sprangemeijer
This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an intended
recipient then please promptly delete this e-mail and any attachment and all
copies and inform the sender. Thank you.
--
Luke Taylor. Monkey Machine Ltd.
PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk
---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] help - I need LdapPasswordAuthenticationDao
Karthik V wrote: It works once in 10 times or so. But after logging in, I tried cvs co acegisecurity, and its not being recognized. Could you tell me whats wrong? It sounds like a sourceforge cvs problem. What do you mean by "not being recognized". An anonymous checkout works for me too. "Why can't you use the RC1 distro?" As I said in my prev mail, I tried it, but it doesnt contain the ldap package. If it does, it'll be great coz I dont want the pain of building the source with maven. While using the framework seems to be easy, I end up spending too much time sorting out the build issues :( ... RC1 does contain the new LDAP provider. You should use these classes in preference to the ones in the sandbox which will not be supported in future releases. There are some discussions in the forums which may prove helpful. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] help - I need LdapPasswordAuthenticationDao
Karthik V wrote: Running cvs -d :pserver:[EMAIL PROTECTED]:/cvsroot/acegisecurity login I get the error: cvs [login aborted]: Error reading from server cvs.sourceforge.net: 0: No such file or directory Please help. This works for me. You can also download nightly source archives from http://acegisecurity.sourceforge.net/nightly/ Why can't you use the RC1 distro? http://sourceforge.net/project/showfiles.php?group_id=104215 -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] help - I need LdapPasswordAuthenticationDao
Hi, Can you use the new LDAP provider instead, which supersedes the sandbox code? If not, can you please outline your requirements so that we can look at how they can be accommodated in the new provider. Luke. Karthik V wrote: Hi, I'm brand new to acegi and spring, and fairly new to maven. I'm badly in need of LdapPasswordAuthenticationDao. I understand that it needs to be "pulled out of the sandbox and built" but I'm having great trouble doing this. After sorting out the one hundred issues maven listed, I got to the point of building the other folders from a nightly cvs export. But the sandbox folder still complains of errors and never gets built. To give u a sample, here are the last few errors. C:\Documents and Settings\user\Desktop\acegisecurity-2006-01-25_145747\acegi security\sandbox\src\main\java\org\acegisecurity\providers\smb\SmbBasicAuthentic ationProvider.java:[66,12] cannot find symbol symbol : class UniAddress location: class org.acegisecurity.providers.smb.SmbBasicAuthenticationProvider C:\Documents and Settings\user\Desktop\acegisecurity-2006-01-25_145747\acegi security\sandbox\src\main\java\org\acegisecurity\providers\smb\SmbBasicAuthentic ationProvider.java:[66,28] cannot find symbol symbol : variable UniAddress location: class org.acegisecurity.providers.smb.SmbBasicAuthenticationProvider C:\Documents and Settings\user\Desktop\acegisecurity-2006-01-25_145747\acegi security\sandbox\src\main\java\org\acegisecurity\providers\smb\SmbBasicAuthentic ationProvider.java:[92,8] cannot find symbol symbol : class NtlmPasswordAuthentication location: class org.acegisecurity.providers.smb.SmbBasicAuthenticationProvider C:\Documents and Settings\user\Desktop\acegisecurity-2006-01-25_145747\acegi security\sandbox\src\main\java\org\acegisecurity\providers\smb\SmbBasicAuthentic ationProvider.java:[92,46] cannot find symbol symbol : class NtlmPasswordAuthentication location: class org.acegisecurity.providers.smb.SmbBasicAuthenticationProvider C:\Documents and Settings\user\Desktop\acegisecurity-2006-01-25_145747\acegi security\sandbox\src\main\java\org\acegisecurity\providers\smb\SmbNtlmAuthentica tionProvider.java:[47,8] cannot find symbol symbol : class UniAddress location: class org.acegisecurity.providers.smb.SmbNtlmAuthenticationProvider C:\Documents and Settings\user\Desktop\acegisecurity-2006-01-25_145747\acegi security\sandbox\src\main\java\org\acegisecurity\providers\smb\SmbNtlmAuthentica tionProvider.java:[55,8] cannot find symbol symbol : class NtlmPasswordAuthentication location: class org.acegisecurity.providers.smb.SmbNtlmAuthenticationProvider All I need is a jar file with ldap auth classes present. Can someone tell me if I can get a download? Karthik. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] LDAP Provider
Amad Fida wrote: Luke - In our case we use the role information from our own database repository and only LDAP server for authenticatin. How do you recomment we do that? Provide a implementation for LdapAuthoritiesPopulator? Amad Yes. That would be the best option. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] LDAP Provider
Brandon Keepers wrote: Luke, One feature that the sandbox LDAP provider had that was extremely useful was the ability to set a default role. In some of my apps, I don't care what groups a user is in. If they're in the directory, then I want them to be in ROLE_USER. Could that be added to the DefaultLdapAuthoritiesPopulator? Brandon Sure. Though it may be something that's not LDAP specific. I'll look into it. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] LDAP Provider
Thanks a lot for your comments, Brandon. Especially since they are largely positive :). I'm keen to get as much feedback as possible so that we can make the release as stable as possible. Brandon Keepers wrote: ... There isn't an easy way to override which UserDetails implementation is returned. As it is now, I have to extend LdapAuthenticationProvider and override createUserDetails. But since the authenticator and authoritiesPopulator objects are private, I have to call super.createUserDetails() to get a User object with the authorities populated, then create whatever object I wish to return. I don't have a good suggestion for overcomming this. I tried moving createUserDetails (and authoritiesPopulator) into the LdapAuthenticator implementation, then just having authenticate() return a instance of UserDetails, but that didn't feel right either. Would applying the strategy pattern to create the user details be overkill? ... This was pretty much what I intended. It doesn't seem to onerous to have to call super.createUserDetails() and then manipulate the returned data as required to create your new object. One minor comment on the DefaultInitialDirContext: there is no way to enable the useConnectionPool property, that I could see anyway. ... This property was in the previous implementation, and I can't really think of a good reason why anyone would set it to false. At the moment, the implementation uses connection pooling for anonymous connections or for those with the "manager" user's identity, but not when binding as a specific user, so connection pooling isn't actually on or off for everyone - it depends on the user. Most of the Sun provider's connection pooling options are set on a "connection identity" basis so it doesn't seem like a good idea to use pooling for individual users who are only likely to bind once to log in to the system. I'll add a setter method to allow disabling all connection pooling. I guess it might be useful in some cases. Thanks again for the feedback, Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] LDAP Provider
I agree that it might have been preferable to have had different names, and version numbers would ideally be as rigorously enforced as you say. I think we generally do pretty well on the stability front though compared with a lot of projects. I'm not particularly bothered about what version it is released in. The original plan was to get the support in for 1.0, so it depends on whether people are prepared to allow a slip in naming conventions or not. An RC2 will supersede the previous one in any case. I'll leave it up to Ben's pragmatic mind to decide what's best :). I'm not so sure about a separate module though. All of the new LDAP-related dependencies are only required to get ApacheDS running for testing. None of them are needed at runtime, so there's no reason why they should be required to use Acegi. I'm not familiar enough with Maven 2 to know whether it can discern between runtime and build dependencies, but presumably it can? Carlos Sanchez wrote: Then 1.0.0 should have been called M1 or alpha, when you call something release candidate means that if there no bugs the final jar will be exactly the same (but the version name in the manifest). Is not that i don't like the ldap support, but this will be confusing and a potential problem. It could be released with 1.0.0 as a different acegi-security-ldap module, or you can do the next day a 1.1 M1 if you want. In fact I'd like to see it in a different module because it will facilitate use of transitive dependencies in your build (not only in maven2, in any system), because ldap support introduces a considerable amount of dependencies that are not required for the other parts of the application. just my 2 cents On 12/22/05, Luke Taylor <[EMAIL PROTECTED]> wrote: Hi Carlos, I think the intention is to have LDAP support in 1.0, and since it is an extra feature, largely independent of the rest of the codebase it shouldn't really have any impact on the code in RC1. Luke. Carlos Sanchez wrote: Hi, I've notice that this change was included after the RC1. This goes against the version naming policy, 1.0.0 must be the same as 1.0.0-RC1 except for critical bug fixes. It'd be better to create a branch for 1.0.0 from the 1.0.0-RC1 tag and set HEAD to 1.1, where you could keep development. Regards -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] LDAP Provider
Hi Carlos, I think the intention is to have LDAP support in 1.0, and since it is an extra feature, largely independent of the rest of the codebase it shouldn't really have any impact on the code in RC1. Luke. Carlos Sanchez wrote: Hi, I've notice that this change was included after the RC1. This goes against the version naming policy, 1.0.0 must be the same as 1.0.0-RC1 except for critical bug fixes. It'd be better to create a branch for 1.0.0 from the 1.0.0-RC1 tag and set HEAD to 1.1, where you could keep development. Regards -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] LDAP Provider
Hi all, Just a short note to say that the new incarnation of the LDAP provider is now available if you want to take a look at it. It's still a work in progress but I'm keen to get feedback and suggestions so that any changes can be nailed down before the 1.0 release. The code is in org.apache.providers.ldap. I haven't written anything for the reference guide yet, but will get round to it soon. The tests are a good place to start and there is quite a bit of Javadoc and a simple LDAP version of the contacts sample app (though you'll need a server with the appropriate data for this to work at the moment). I'll include an embedded apache DS instance in the app later. cheers, Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] First step in Suggested Steps fails -- wasting bucket loads of time
Jaxen is used in the acegifier sample app, though it is currently using version 1.1-beta-8. Check the project.xml file samples/acegifier and see what version is listed in the dependencies there. Also, the jaxen version you mention appears to be available in the ibiblio repository http://www.ibiblio.org/maven/jaxen/jars/ So it ought to be downloadable assuming there are no network problems. What version of Maven are you using (1.0.2 is the most common)? You can also run with "maven -X" to obtain more information on what Maven is doing at the time. Luke. Paul Furbacher wrote: First step 0.5 - 2 hours: hmmm, I'm way passed that just setting up Maven and trying to check out the project from CVS. Here's the problem when I execute the command line maven scm:checkout-project shown on the "Building Acegi Security System" Web page, I get this failure: snipped from the "DOS" console window Directory C:\Documents and Settings\xxx\.maven\repository does not exist. Attempting to create. ... [successful downloads omitted for brevity] ... Attempting to download jaxen-1.0-FCS-full.jar. WARNING: Failed to download jaxen-1.0-FCS-full.jar. The build cannot continue because of the following unsatisfied dependency: jaxen-1.0-FCS-full.jar Total time : 3 seconds Finished at : Sunday, December 11, 2005 1:54:12 AM EST end snip I have no idea why, where, or how maven is looking for such an old version of jaxen, or even why it's looking for *any* version. (I've Googled this to death and found nothing relevant except that the FCS version dates back to 2002. But nothing about what to do when Maven fails like this.) Thanks for any help you can give. Paul Furbacher -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] small patch for LDAP
Hi, I've been working on an updated LDAP authentication provider which is intended to be included in 1.0 RC2. It should be fully extensible - for authentication, searching for users and also for populating roles. At the moment I've got support for direct authentication and password comparison (either locally by retrieving the password or by performing a remote "compare" operation. I hope to have something checked in soon 'cos I'd like to get some decent feedback and comments to get things as stable as possible before the 1.0 release. A major problem is testing, though. My tests run fine so far against an OpenLDAP setup but I've run into what appears to be a bug in apache-ds which causes the password comparison to fail: http://issues.apache.org/jira/browse/DIRLDAP-77 Hopefully it will be fixed soon and a version of apacheds will be available that we can include in the build and successfully run against. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] CVS update fails
Matthew E. Porter wrote: Same here Brandon. Not sure what SF.net is doing about it. Ben mentioned that a ticket was filed with them. http://sourceforge.net/tracker/index.php?func=detail&aid=1361819&group_id=1&atid=21 Maybe someone else could add a comment to try to push it along... -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Building Acegi from CVS HEAD
I've added a comment to the previous SF issue on CVS lock is it looks like the same problem that occurred a week or so ago. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Building Acegi from CVS HEAD
t org.apache.commons.jelly.impl.TagScript.run(TagScript.java:247) at org.apache.commons.jelly.impl.ScriptBlock.run(ScriptBlock.java:95) at org.apache.maven.jelly.tags.werkz.MavenGoalTag.runBodyTag(MavenGoalTag.java:78) at org.apache.maven.jelly.tags.werkz.MavenGoalTag$MavenGoalAction.performAction(MavenGoalTag.java:109) at org.apache.maven.werkz.Goal.fire(Goal.java:656) at org.apache.maven.werkz.Goal.attain(Goal.java:592) at org.apache.maven.plugin.PluginManager.attainGoals(PluginManager.java:693) at org.apache.maven.MavenSession.attainGoals(MavenSession.java:263) at org.apache.maven.cli.App.doMain(App.java:511) at org.apache.maven.cli.App.main(App.java:1258) at com.werken.forehead.Forehead.run(Forehead.java:551) at com.werken.forehead.Forehead.main(Forehead.java:581) -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] locked CVS?
Yes. It's working again. Luke. Ben Alex wrote: Jettro Coenradie wrote: I am having problems as well. tried it with maven and eclipse, both the same result. The SF job is now reported as corrected - can someone who was experiencing the issue please confirm? Thanks Ben -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Quick Build fails on clean sources (full set from nightly snapshots)
I've submitted a request to SF to have things checked out: http://sourceforge.net/tracker/index.php?func=detail&aid=1361819&group_id=1&atid=200001 Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Quick Build fails on clean sources (full set from nightly snapshots)
Yes, CVS seems to have a lock problem at the moment. I've deleted the invalid snapshots and disabled the cron job until things are up and running again. cheers, Luke. Richard Clark wrote: True, I tried the snapshot from the 15th. Going earlier and pulling down the last 700K+ snapshot worked (just now), so it looks like there's one real problem here (the CVS breakage.) I'm glad I could get it to work -- this looks very promising. :) Richard On Nov 19, 2005, at 13:22, Luke Taylor wrote: Do you mean the snapshot from the 15th? That also looks dubious, as the normal archive is over 700k. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Quick Build fails on clean sources (full set from nightly snapshots)
Do you mean the snapshot from the 15th? That also looks dubious, as the normal archive is over 700k. Luke. Richard Clark wrote: Following the "Quick Build" instructions, right after getting the last full nightly snapshot, compilation fails in the "multiwar" step: build:start: multiwar:multiwar: acegisecurity:war: war:init: war:war-resources: [mkdir] Created dir: /Users/rdclark/acegisecurity/samples/contacts/target/acegi-security-sample-contacts [mkdir] Created dir: /Users/rdclark/acegisecurity/samples/contacts/target/acegi-security-sample-contacts/WEB-INF [copy] Copying 16 files to /Users/rdclark/acegisecurity/samples/contacts/target/acegi-security-sample-contacts [copy] Copying 33 files to /Users/rdclark/acegisecurity/samples/contacts/target/acegi-security-sample-contacts java:prepare-filesystem: [mkdir] Created dir: /Users/rdclark/acegisecurity/samples/contacts/target/classes java:compile: [echo] Compiling to /Users/rdclark/acegisecurity/samples/contacts/target/classes [javac] Compiling 18 source files to /Users/rdclark/acegisecurity/samples/contacts/target/classes /Users/rdclark/acegisecurity/samples/contacts/src/main/java/sample/contact/AddPermission.java:18: package net.sf.acegisecurity.acl.basic does not exist import net.sf.acegisecurity.acl.basic.SimpleAclEntry; ^ /Users/rdclark/acegisecurity/samples/contacts/src/main/java/sample/contact/AddPermissionController.java:18: package net.sf.acegisecurity.acl.basic does not exist import net.sf.acegisecurity.acl.basic.SimpleAclEntry; ... and so on, for a total of 52 errors. ...Richard -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by the JBoss Inc. Get Certified Today Register for a JBoss Training Course. Free Certification Exam for All Training Attendees Through End of 2005. For more info visit: http://ads.osdn.com/?ad_id=7628&alloc_id=16845&op=click ___ Home: http://acegisecurity.org Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Vote: Release 0.9.0
Hola Carlos, When I try the build with Maven 2.0 (with a view to switching the automated build to M2 eventually), I'm getting a problem with tools.jar as a dependency, both running on linux and on OS X (I would have expected it on the latter, 'cos it doesn't have one). When building the CAS adapter module, I get: [INFO] Failed to resolve artifact. GroupId: java ArtifactId: tools Version: 1.4 Reason: Unable to download the artifact from any repository java:tools:1.4:jar from the specified remote repositories: central (http://repo1.maven.org/maven2) Have you any idea where this is coming from? Are there still problems with Maven 2 itself, or are they specific to our Acegi stuff. I'm keen to start using it. cheers, Luke. P.S. +1 I'm all for doing the release if no one has any reported problems. Carlos Sanchez wrote: I'm working on that. You'll have news soon. On 11/7/05, Andreas Brenk <[EMAIL PROTECTED]> wrote: It seems to me the Maven 2 build (SEC-62) is not up-to-date and should be marked as unresolved. Regards, Andreas On 11/7/05, Ben Alex <[EMAIL PROTECTED]> wrote: The JIRA changelog is now complete, and I've just updated the reference guide to reflect the latest changes: http://opensource2.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel I would like to propose we release 0.9.0 at this point. Please let me know if you agree. --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Getting errors building v0.8.3
Vijay Varadan wrote: > Thanks for the info about the maven option and ibiblio - I was looking in > the directory pointed to by Google search which seems to be the wrong place > to look. > > I'm intertested in building the last known good release. There is a small > group of us that is looking to develop ACEGI for the .NET platform - so I > figured we'd start from a LKG release. > > Changing the xjavadoc version in the project.xml file to 1.0.2 allowed the > build to proceed. The sample.attributes.Bank jUnit tests are failing. I'll > post more details if I can't figure it out myself. > > Thanks once again for the valuable pointers. > You're welcome. The attributes tests are failing in the main build too - I'm not sure what the situation is there. http://acegisecurity.sourceforge.net/multiproject/acegi-security-sample-attributes/junit-report.html -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Getting errors building v0.8.3
The CVS head version has the dependency set to version of 1.0.2 for xjavadoc, so you would be better building the latest version. Is there a particular reason why you want version 0.8.3? And are you specifically interested in the attributes example? 1.0 isn't on ibiblio - you can just browse to the directory and check (http://www.ibiblio.org/maven/xjavadoc/jars/). So you can either change the version in samples/attributes/project.xml to 1.0.2, or download a copy of 1.0 manually and put it in your local maven repository. If you want more information on what Maven is doing, run it with the "-X" argument. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Nightly snapshots
Hi Ben, I hadn't set up the cron job. It seems to be running OK now. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- SF.Net email is sponsored by: Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Nightly snapshots
I think I probably forgot to set the cron job to kick off the script on SF when I reinstalled my server. If someone could remind me where the script is again that would be useful :). Mark St.Godard wrote: > Ben et al > Just noticed the link on the downloads page: > http://acegisecurity.sourceforge.net/downloads.html > to the nightly snapshots: http://acegisecurity.sourceforge.net/nightly/ > Looks like the latest nightly snapshot tarball is July 26th ? > Anyway, just seemed a little odd.. I assumed it would have July, Aug, up to > Sept, etc. ? > Cheers, > Mark > -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java
At this level (i.e. at the Dao provider level), I'm not sure you can differentiate between a "login" with an existing cache entry and the authentication that takes part as part of each invocation. How would you define a "logout" in the scenario defined above (assuming it didn't involve removing credentials from the cache). The usage might not be tied to an HTTP session, for example, it could be a remote client. Mark St.Godard wrote: Yes definitely, its not as simple as moving the publish event outside of the cache check, as this would trigger it when we really dont want to. Ben et al, (as per your comments) is this the expected behavior of the event model? I would think we need to uniquely identify the 2nd logon and publish accordingly. Cheers, Mark -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Problem when executing the contacts sample
It appears that their is an out of date spring.tld in the common/WEB-INF directory. Removing this before building the war solves the problem. Marco Mistroni wrote: Hello, have you tried NOT to use tags and check programmatically (in the code) for permission and see if that work? i had acegi contact sample working fine (though it was with acegi version 0.8.2), and indeed i had integrated it in my application using StrutsMenu, running on jboss 3.2.5. Since you specify this <%@ taglib prefix="spring" uri="http://www.springframework.org/tags"; %> i don't think you need to declare anything in your web.xml.. HTH marco -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523Chttp://www.monkeymachine.ltd.uk --- SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click ___ Home: http://acegisecurity.sourceforge.net Acegisecurity-developer mailing list Acegisecurity-developer@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
