Re: [Acegisecurity-developer] Subversion?
+1

On Mar 25, 2006, at 7:46 AM, Mark St.Godard wrote:

+1

On 3/25/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

No concerns here.

Scott

-Original Message-
From: Ben Alex [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 25, 2006 5:43 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: [Acegisecurity-developer] Subversion?

Hi everyone

SourceForge have recently modified their offering so we can migrate to SVN (without losing revision history) - see http://sourceforge.net/docman/display_doc.php?docid=31070&group_id=1#import.

I have also been using SVN recently and had good results. The Subclipse plugin at Update Manager URL http://subclipse.tigris.org/update_1.0.x works quite well.

Does anyone have any concerns with the project migrating from CVS to SVN? If there aren't any objections, I'll make the change in about a week.

Cheers
Ben

---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] knowledge of valid username but incorrect password
One small piece of advice - Set something up to prevent users from entering their username as passwords. The sad fact is that the industry has billions of lines of code and the weakest element is Susie in HR who writes her password down on a Post-It note attached to her monitor.

Cheers,
Matthew

On Dec 7, 2005, at 11:46 AM, Trent wrote:

Thanks Ray,

I've looked into the code and this looks like the place to start...I'm just a developer; orders take precedence over the evil-doers.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ray Krueger
Sent: Wednesday, December 07, 2005 9:58 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] knowledge of valid username but incorrect password

You can set the hideUserNotFoundExceptions property on the AuthenticationDaoProvider to false. Keep in mind that you are giving hackers a hint by doing that though. You are telling any potential evil-doers "Well, you guessed correctly on a username, now just guess the password".

On 12/7/05, Trent <[EMAIL PROTECTED]> wrote:

Currently we have ACEGI authenticating a web app. However I need to change some current behavior. Right now if a user enters a correct username but incorrect password the error is the same as a user passing an incorrect username. I need to find out how Acegi can notify the application that the username is correct but the password isn't. Could someone point me in the right direction on how to do this?

Trent

---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
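
The trade-off behind the hideUserNotFoundExceptions setting discussed in this thread, as an added example that is not part of any post and is not Acegi code: a plain-Java model in which the client receives one message for both failure kinds when the flag is on, while a server-side audit log still records which failure occurred. The class, method and message names are hypothetical and the user store is constructed sample data.

```java
import java.util.*;

// Added illustration: plain Java modelling the behaviour discussed above.
// It does not use Acegi's classes; every name here is hypothetical.
public class LoginFailureDemo {
    static class BadCredentials extends RuntimeException { BadCredentials() { super("Bad credentials"); } }
    static class UserNotFound extends RuntimeException { UserNotFound() { super("User not found"); } }

    private final Map<String, String> users = new HashMap<>(); // constructed sample store
    private final boolean hideUserNotFound;
    final List<String> auditLog = new ArrayList<>();            // server-side only

    LoginFailureDemo(boolean hideUserNotFound) {
        this.hideUserNotFound = hideUserNotFound;
        users.put("susie", "correct-horse"); // stands in for a stored password hash
    }

    void authenticate(String username, String password) {
        String stored = users.get(username);
        if (stored == null) {
            auditLog.add("FAIL unknown-user " + username);
            if (hideUserNotFound) throw new BadCredentials(); // same signal as a bad password
            throw new UserNotFound();                         // reveals that the name is unused
        }
        if (!stored.equals(password)) {
            auditLog.add("FAIL bad-password " + username);
            throw new BadCredentials();
        }
    }

    // What a login page would display: the exception message and nothing else.
    String clientMessage(String username, String password) {
        try {
            authenticate(username, password);
            return "OK";
        } catch (RuntimeException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        for (boolean hide : new boolean[] {true, false}) {
            LoginFailureDemo d = new LoginFailureDemo(hide);
            System.out.println("hide=" + hide + " unknown user -> " + d.clientMessage("nobody", "x")
                + "; wrong password -> " + d.clientMessage("susie", "x") + "; audit=" + d.auditLog);
        }
    }
}
```

With the flag on, the two client messages are identical and only the audit log tells the cases apart; with it off, the differing messages confirm which usernames exist.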
Re: [Acegisecurity-developer] CVS update fails
Same here Brandon. Not sure what SF.net is doing about it. Ben mentioned that a ticket was filed with them.

Cheers,
Matthew

On Dec 6, 2005, at 12:05 PM, Brandon Keepers wrote:

I've been trying to update my CVS checkout of acegi all morning and keep getting the same error:

cvs update: failed to create lock directory for `/cvsroot/acegisecurity/acegisecurity/core/src/main/java/org/acegisecurity/userdetails' (/cvsroot/acegisecurity/acegisecurity/core/src/main/java/org/acegisecurity/userdetails/#cvs.lock): Permission denied
cvs update: failed to obtain dir lock in repository `/cvsroot/acegisecurity/acegisecurity/core/src/main/java/org/acegisecurity/userdetails'
cvs [update aborted]: read lock failed - giving up

Brandon

---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] pseudo roles?
FWIW, we are handling something similar by using groups. They tend to be easier for users to conceptualize.

Cheers,
Matthew

On Apr 22, 2005, at 12:58 PM, [EMAIL PROTECTED] wrote:

I have a situation in which it would be convenient to be able to define pseudo roles in my application. By this I mean a role that exists only in the Acegi Security configuration and not in the back-end datastore. A pseudo role would be defined based on existing real roles.

Say the following roles are explicitly defined in the datastore behind a DAO provider:

ROLE_A
ROLE_B
ROLE_C
ROLE_D
ROLE_E

I would like to be able to define a role within Acegi Security that aggregates multiple roles into one. For example:

ROLE_X=ROLE_A,ROLE_B,ROLE_C
ROLE_Y=ROLE_D,ROLE_E

Where ROLE_X means any of the roles on the right hand side. In other words, ROLE_X is equivalent to ROLE_A, ROLE_B or ROLE_C. In my application I only care about whether the user has ROLE_X or ROLE_Y.

I understand that this can be accomplished a few different ways in Acegi Security. I am looking for suggestions as to what might be the best approach. Here are a couple possibilities I can think of.

1. Implement an AuthenticationProvider that wraps other providers and adds pseudo roles based on its configuration.
2. Implement a custom RoleVoter that knows about role equivalence.

I lean toward the first option. Is there already something out there that does what I need? Is there a better way than what I have suggested above?

Thanks,
Matt DeHoust
Dollar Tree Stores, Inc.
757.321.5668

---
SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
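
The role expansion behind the first option in the question above, as an added example that is not from the thread and does not use Acegi's API: plain Java that parses the ROLE_X=... mappings and adds a pseudo role whenever any of its member roles is granted. The class and method names are hypothetical; rejecting nested pseudo roles and discarding pseudo role names that arrive from the datastore are design choices of this example.

```java
import java.util.*;

// Added illustration in plain Java, not Acegi code; all names are hypothetical.
public class PseudoRoles {
    private final Map<String, Set<String>> members = new LinkedHashMap<>();

    // Each line has the form PSEUDO=REAL1,REAL2,... as in the question above.
    PseudoRoles(List<String> configLines) {
        for (String line : configLines) {
            String[] kv = line.split("=", 2);
            if (kv.length != 2 || kv[0].trim().isEmpty()) {
                throw new IllegalArgumentException("Malformed mapping: " + line);
            }
            Set<String> reals = new LinkedHashSet<>();
            for (String r : kv[1].split(",")) {
                if (!r.trim().isEmpty()) reals.add(r.trim());
            }
            members.put(kv[0].trim(), reals);
        }
        // A pseudo role listed as a member would make expansion order-dependent.
        for (Set<String> reals : members.values()) {
            if (!Collections.disjoint(reals, members.keySet())) {
                throw new IllegalArgumentException("Nested pseudo role in: " + reals);
            }
        }
    }

    // Granted real roles plus every pseudo role with at least one member granted.
    Set<String> expand(Set<String> granted) {
        Set<String> out = new LinkedHashSet<>(granted);
        // Pseudo roles exist only in configuration: drop any that came from the datastore.
        out.removeAll(members.keySet());
        for (Map.Entry<String, Set<String>> e : members.entrySet()) {
            if (!Collections.disjoint(out, e.getValue())) out.add(e.getKey());
        }
        return out;
    }

    public static void main(String[] args) {
        PseudoRoles p = new PseudoRoles(Arrays.asList(   // mappings from the question
            "ROLE_X=ROLE_A,ROLE_B,ROLE_C", "ROLE_Y=ROLE_D,ROLE_E"));
        System.out.println(p.expand(new LinkedHashSet<>(Arrays.asList("ROLE_B"))));
        System.out.println(p.expand(new LinkedHashSet<>(Arrays.asList("ROLE_E", "ROLE_X"))));
    }
}
```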
Re: [Acegisecurity-developer] Any thought given to donating FilterToBeanProxy ?
I thought this was discussed before on the Spring-dev mailing list. Anybody remember what happened?

Cheers,
Matthew

On Jan 29, 2005, at 2:53 PM, Scott Battaglia wrote:

+1

I'd like to see it as part of the Spring Framework. Luckily so far whenever we've used filters for something we've also been using Acegi for security so we haven't run into any problems of needing it and not using Acegi. :-)

Scott Battaglia
Application Developer, Architecture and Engineering Team
Enterprise Systems and Services, Rutgers University
v: 732.445.0097 | f: 732.445.5493 | [EMAIL PROTECTED]

François Beausoleil wrote:

Hi !

Just wondering if any thought had been given to moving FilterToBeanProxy to the Spring Framework project ? Seems like it would be a good idea, given that it's a general item, and other people would like it ?

Bye !
François

---
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] How to implement the following 2 cases in webapp?
+1 for remember me functionality
+2 for anonymous user functionality

Cheers,
Matthew

On Jan 8, 2005, at 5:34 PM, Ben Alex wrote:

YH Cheng wrote:

Anyway, I have a suggestion on this issue: I think the 'remember me' feature is so application-dependent, that it shouldn't be included in the acegi core. I think maybe we can develop a sub-project of acegi, which is intended to give some sort of special features (like 'remember me'). E.g. the current acegi library would be acegi-core, extensions would be acegi-ext, and app-features would be acegi-reference. So that more higher application-level developers can contribute to those subprojects without affecting the core. And more usages/references would be out there.

Just wondering why you feel remember-me is application dependent? We can easily provide an implementation that automatically identifies the user from a cookie. People can elect not to use it, simply by not adding the relevant filter to web.xml.

In relation to the modularisation of the project, we already use Maven and subprojects extensively. As shown in CVS, there's no difficulty in adding more subprojects as the need arises.

Best regards
Ben

---
The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek. It's fun and FREE -- well, almost http://www.thinkgeek.com/sfshirt
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] ACL Assistance and Questions
Greetings.

I am looking for some guidance on the ACL system and how to integrate it into our application. Furthermore, I plan to get the second article out for Javalobby within the next week or two. Any help is appreciated.

In our application, we define domains (i.e. companies). Objects of different types belong to each domain. For example, each domain has a set of servers assigned to it. In addition, there is a set of users assigned to the domain. For example, the "Contegix" domain contains Server1, Server2, and Server17. Each domain has one or more administrators which should have unrestricted access to any object tied to the domain. Furthermore, domains can be nested.

As I am trying to get my head wrapped around the ACL system in Acegi, I am having difficulties finding the best way to apply permissions and restrictions.

Cheers,
Matthew

---
SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
___
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] Security Guidelines?
Mark:

Are you looking for a reference guide or tutorial? If it's the former, they are available from the website. The current version can be generated from the cvs source.

If it's the tutorial, I wrote an article for Javalobby on Acegi a few weeks ago. There will be a second part coming soon.

http://www.javalobby.org/articles/acegisecurity/part1.jsp

Cheers,
Matthew

On Dec 1, 2004, at 11:34 PM, mark bernard wrote:

Hello,

I was wondering if anyone has a high level security guideline for Acegi? Any sort of pdf or whitepaper will do. I scoured on google for a while and didn't find much.

Mark Bernard
Webmaster
http://www.pet2002.org/ethical_hacking.html
http://www.certifiedethicalhacker.com/

---
SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer