[Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Ben Alex

Dear Spring Community

A potentially serious bug has been identified in existing releases of 
Acegi Security 
(http://opensource.atlassian.com/projects/spring/browse/SEC-20). New and 
supported releases (0.7.1 and 0.8.3) are now available that correct this 
issue. We urge all users to upgrade as soon as possible:


* Users of CVS HEAD should rebuild from the current CVS HEAD
* Users of releases 0.8.0, 0.8.1 or 0.8.2 should upgrade to release 0.8.3
* Users of release 0.7.0 should upgrade to release 0.7.1, or preferably 
release 0.8.3
* Users of releases prior to 0.7.0 should upgrade to 0.7.1, or 
preferably release 0.8.3


You can download these releases directly from 
https://sourceforge.net/project/showfiles.php?group_id=104215.


If anyone has any questions, please email the acegisecurity-developer 
mailing list.


Cheers
Ben



---
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening
July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual
core and dual graphics technology at this free one hour event hosted by HP, 
AMD, and NVIDIA.  To register visit http://www.hp.com/go/dualwebinar

___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Scott McCrory
Ben,
   Thanks for the quick attention to a security fix release, but I'm getting 
an error with the upgrade from 0.8.1:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'filterChainProxy' defined in class path resource [passport/resources/security/securityApplicationContext.xml]: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: org/springframework/util/AntPathMatcher
java.lang.NoClassDefFoundError: org/springframework/util/AntPathMatcher
    at net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor.setAsText(FilterInvocationDefinitionSourceEditor.java:70)
    at org.springframework.beans.BeanWrapperImpl.doTypeConversionIfNecessary(BeanWrapperImpl.java:963)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:779)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:685)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:826)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:853)
    at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:842)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:870)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:688)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:325)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:260)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:221)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:145)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:291)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:317)
    at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:80)
    at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:65)
    at passport.framework.test.AbstractSpringEnabledTestCase.loadContextLocations(AbstractSpringEnabledTestCase.java:48)
    at org.springframework.test.AbstractSpringContextTests.getContext(AbstractSpringContextTests.java:95)
    at org.springframework.test.AbstractDependencyInjectionSpringContextTests.setUp(AbstractDependencyInjectionSpringContextTests.java:114)

Does 0.8.3 (or more accurately 0.8.2) require something newer than Spring 
1.1.5?

Scott




Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Mark St Godard




Wasn't the AntPathMatcher refactored and added to the Spring 1.2 RC2?

If so, what version of Spring are you using?

Mark

Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Ray Krueger
Yes, unfortunately it does. Acegi 0.8.2 requires Spring 1.2.
-Ray

On 7/12/05, Scott McCrory <[EMAIL PROTECTED]> wrote:
> Does 0.8.3 (or more accurately 0.8.2) require something newer than Spring
> 1.1.5?
> 
> Scott


Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Scott McCrory
On Tue, 12 Jul 2005 09:18:33 -0500, Ray Krueger wrote
> Yes, unfortunately it does. Acegi 0.8.2 requires Spring 1.2.
> -Ray

Ahh, thought so.  No joy for those of us still running in JDK 1.3 containers 
like Websphere 5.

Just a general statement, but there are a LOT of companies running lots of 
Websphere instances, and switching to Tomcat/JBoss/Weblogic/etc. isn't an 
easy option by any means.

Scott




Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Seth Ladd

Scott McCrory wrote:
> On Tue, 12 Jul 2005 09:18:33 -0500, Ray Krueger wrote
> > Yes, unfortunately it does. Acegi 0.8.2 requires Spring 1.2.
> > -Ray
>
> Ahh, thought so.  No joy for those of us still running in JDK 1.3 containers 
> like Websphere 5.
>
> Just a general statement, but there are a LOT of companies running lots of 
> Websphere instances, and switching to Tomcat/JBoss/Weblogic/etc. isn't an 
> easy option by any means.

Luckily the security fix is available for Acegi 0.7.x.  That's still 
compatible with Spring 1.1.x.


Seth




Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Scott McCrory
On Tue, 12 Jul 2005 08:13:09 -1000, Seth Ladd wrote
> Luckily the security fix is available for Acegi 0.7.x.  That's still 
> compatible with Spring 1.1.x.

True, but that's a stiff downgrade from 0.8.1, especially considering the 
filter changes.

Scott




Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Ben Alex

Scott McCrory wrote:
> On Tue, 12 Jul 2005 09:18:33 -0500, Ray Krueger wrote
> > Yes, unfortunately it does. Acegi 0.8.2 requires Spring 1.2.
> > -Ray
>
> Ahh, thought so.  No joy for those of us still running in JDK 1.3 containers 
> like Websphere 5.
>
> Just a general statement, but there are a LOT of companies running lots of 
> Websphere instances, and switching to Tomcat/JBoss/Weblogic/etc. isn't an 
> easy option by any means.


 

Just for the record, 0.8.2 was motivated as many people were happily on 
0.8.1 but then Spring 1.2 came out and this broke Acegi Security 0.8.1. 
The majority of the community wanted 0.8.2 to be released ASAP which 
supports Spring 1.2.


I will get started on an 0.8.1.1 release to accommodate the 0.8.1 users.

Scott does raise an interesting point in that what version of Spring are 
people actually using? I'd hate to think people are stuck on 0.8.1 with 
all the goodies (and fixes) added to 0.8.2 and now 0.9.0 and planned for 
1.0.0.


Cheers
Ben





Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Scott McCrory
On Wed, 13 Jul 2005 08:28:18 +1000, Ben Alex wrote
> Just for the record, 0.8.2 was motivated as many people were happily 
> on 0.8.1 but then Spring 1.2 came out and this broke Acegi Security 
> 0.8.1. The majority of the community wanted 0.8.2 to be released 
> ASAP which supports Spring 1.2.

That's fair and if I were able to use a *modern* servlet container instead 
of Websphere 5 (pejorative intended), I'd be right beside folks asking for 
Spring 1.2 support, but alas Websphere 5 is my company's preferred product.
 
> I will get started on an 0.8.1.1 release to accommodate the 0.8.1 users.

Thank you very much Ben!
 
> Scott does raise an interesting point in that what version of Spring 
> are people actually using? I'd hate to think people are stuck on 
> 0.8.1 with all the goodies (and fixes) added to 0.8.2 and now 0.9.0 
> and planned for 
> 1.0.0.

I really appreciate the consideration, because if history is any indication, 
it'll be at least 6 months after Websphere 6 is released before most 
existing 5.x users will be able to utilize Spring 1.2 & Acegi 0.8.2+.  
Websphere has a solid footing in the banking and insurance industries (it's 
the IBM roots that do it), and that's where a heck of a lot of sophisticated 
J2EE is.  Yes, I know this is IBM's fault for being so behind, but it is 
what it is.  When hundreds of millions of dollars are invested in 
infrastructure, upgrades come more conservatively anyway.

In short, I'd be just a tiny voice asking for Spring 1.2+ to maintain JDK 
1.3 compatibility, but is it too late to decouple Acegi from Spring 1.2+?

Scott




Re: [Acegisecurity-developer] Security advisory for all Acegi Security users

2005-07-12 Thread Ben Alex

Ben Alex wrote:
> I will get started on an 0.8.1.1 release to accommodate the 0.8.1 users.

I am having difficulty deploying 0.8.1.1 to SourceForge at present. I'll 
have another go tomorrow. In the meantime, signed 0.8.1.1 JARs can be 
downloaded from 
http://acegisecurity.sourceforge.net/maven/acegisecurity/jars.


Those wishing to build the JARs themselves can check out from CVS with 
the tag "release_0_8_1_1".


Cheers
Ben



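An added example, not part of the original thread or the Acegi project's code: a Python check that picks the fixed release a deployment can move to, combining the upgrade list in the advisory with the Spring dependency the replies establish (the AntPathMatcher class from the stack trace stands in for "Spring 1.2 is on the classpath"). The jar naming pattern, the helper names, the stub jars and treating 0.8.0 like 0.8.1 for the 0.8.1.1 backport are assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class whose absence caused the NoClassDefFoundError quoted in the thread.
MARKER = "org/springframework/util/AntPathMatcher.class"
# Releases the thread names as carrying the fix.
FIXED = {(0, 7, 1), (0, 8, 1, 1), (0, 8, 3)}
# Assumption: the jar is named acegi-security-<version>.jar.
JAR_RE = re.compile(r"^acegi-security-(\d+(?:\.\d+)+)\.jar$")


def acegi_version(lib_dir):
    """Return the bundled Acegi version as a tuple of ints, or None."""
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        match = JAR_RE.match(jar.name)
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def has_ant_path_matcher(lib_dir):
    """True if any readable jar in lib_dir contains AntPathMatcher."""
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as archive:
                if MARKER in archive.namelist():
                    return True
        except zipfile.BadZipFile:
            continue  # skip files that are not valid zip archives
    return False


def recommend(lib_dir):
    """Return the release to move to, or None if no move is indicated."""
    version = acegi_version(lib_dir)
    if version is None or version in FIXED or version > (0, 8, 3):
        return None
    if version == (0, 8, 2) or has_ant_path_matcher(lib_dir):
        return "0.8.3"      # needs the Spring 1.2 classes
    if version >= (0, 8, 0):
        return "0.8.1.1"    # backport; applying it to 0.8.0 is an assumption
    return "0.7.1"          # stated in the thread to work with Spring 1.1.x


def make_lib(acegi, spring_has_matcher):
    """Build a constructed lib directory with stub jars for the demo."""
    lib = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(lib / f"acegi-security-{acegi}.jar", "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(lib / "spring.jar", "w") as jar:
        jar.writestr("org/springframework/util/StringUtils.class", b"")
        if spring_has_matcher:
            jar.writestr(MARKER, b"")
    return lib


if __name__ == "__main__":
    for acegi, matcher in [("0.8.1", False), ("0.8.1", True), ("0.7.0", False)]:
        print(acegi, matcher, "->", recommend(make_lib(acegi, matcher)))
```

Pointing `recommend` at a real WEB-INF/lib directory before swapping jars shows whether the 0.8.3 upgrade would hit the same NoClassDefFoundError reported in the thread.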