Re: [Acegisecurity-developer] Anonymous principal support now in CVS
Matt Raible wrote:
> Is ROLE_ANONYMOUS a special key so that you don't have to add it to your user data store? If it has to be added, do all registered users have to have this role assigned to them? I'm sure it works how I'd expect it to work, just want to clarify.
> It would be nice if this was possible:

The actual GrantedAuthority[]s assigned to the anonymous principal are defined by the filter:

<bean id="anonymousProcessingFilter" class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key"><value>foobar</value></property>
  <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
</bean>

The first parameter is the username, the rest are by default converted into GrantedAuthorityImpl()s. Because an AnonymousAuthenticationToken is generated by the AnonymousProcessingFilter, it is handled at an AuthenticationProvider level by AnonymousAuthenticationProvider. As such the username and GrantedAuthority[]s are not defined in any database at all.

> <property name="objectDefinitionSource">
>   <value>
>     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>     PATTERN_TYPE_APACHE_ANT
>     /*.jsp=ROLE_ANONYMOUS
>     /*.html*=ROLE_USER
>   </value>
> </property>
>
> Where anyone could browse *.jsp - whether they're logged in or not. And ROLE_ANONYMOUS doesn't have to exist in my authorities table.

That FilterInvocationDefinitionSource would work just fine. As mentioned above, ROLE_ANONYMOUS (or whatever you chose to call it) is not defined in any database. This approach allows the creation of a ROLE_ANONYMOUS as well as a separate ROLE_EVERYONE that might be assigned to both anonymous and authenticated users. Also, if people don't like this particular model, the AuthenticationTrustResolver interface allows them to make anonymous authentication work in some other way - but still retain compatibility with FilterSecurityInterceptor's special handling of AccessDeniedExceptions when an anonymous user is present.

Best regards
Ben

---
SF email is sponsored by - The IT Product Guide
Read honest candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595alloc_id=14396op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
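The following is an added, self-contained Java model of the mechanism Ben describes in the message above; it is not code from the thread and not Acegi Security's own implementation. It shows why ROLE_ANONYMOUS never needs to exist in the authorities table: the filter builds the anonymous principal and its authorities from the userAttribute string, the provider only trusts tokens carrying its own key, and the objectDefinitionSource maps URL patterns to the role required. The class and method names (AnonymousToken, buildToken, providerAccepts, requiredRole) are assumed stand-ins for the Acegi classes named in the message; the key "foobar", the userAttribute value and the two URL patterns are taken from the quoted configuration. The Ant-style matcher is deliberately simplified: its "*" also crosses directory separators, which real Ant patterns do not.

```java
import java.util.*;
import java.util.regex.Pattern;

public class AnonymousAuthDemo {

    /** Stand-in for AnonymousAuthenticationToken: a key hash, a principal name and its authorities. */
    static final class AnonymousToken {
        final int keyHash;
        final String principal;
        final List<String> authorities;
        AnonymousToken(String key, String principal, List<String> authorities) {
            this.keyHash = key.hashCode();
            this.principal = principal;
            this.authorities = Collections.unmodifiableList(new ArrayList<>(authorities));
        }
    }

    /** Stand-in for AnonymousProcessingFilter: first userAttribute part is the username, the rest are authorities. */
    static AnonymousToken buildToken(String key, String userAttribute) {
        String[] parts = userAttribute.split(",");
        if (parts.length < 2) {
            throw new IllegalArgumentException("userAttribute needs a username and at least one authority");
        }
        List<String> authorities = new ArrayList<>();
        for (int i = 1; i < parts.length; i++) {
            authorities.add(parts[i].trim());   // each of these becomes a GrantedAuthorityImpl in Acegi
        }
        return new AnonymousToken(key, parts[0].trim(), authorities);
    }

    /** Stand-in for AnonymousAuthenticationProvider: only tokens created with the provider's own key are trusted. */
    static boolean providerAccepts(String providerKey, AnonymousToken token) {
        return providerKey.hashCode() == token.keyHash;
    }

    /**
     * Stand-in for the objectDefinitionSource: ordered pattern -> required role, first match wins.
     * The URL is lower-cased first, mirroring CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON.
     */
    static String requiredRole(LinkedHashMap<String, String> source, String url) {
        String lowered = url.toLowerCase(Locale.ROOT);
        for (Map.Entry<String, String> e : source.entrySet()) {
            if (antLikeMatch(e.getKey(), lowered)) return e.getValue();
        }
        return null;   // no pattern matched: the URL is not protected
    }

    /** Simplified Ant-style matcher (assumption): '*' matches any run of characters, including '/'. */
    static boolean antLikeMatch(String pattern, String path) {
        String[] parts = pattern.split("\\*", -1);
        StringBuilder regex = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) regex.append(".*");
            if (!parts[i].isEmpty()) regex.append(Pattern.quote(parts[i]));
        }
        return path.matches(regex.toString());
    }

    /** A null required role means the URL is open; otherwise the token must hold that role. */
    static boolean isGranted(AnonymousToken token, String role) {
        return role == null || token.authorities.contains(role);
    }

    public static void main(String[] args) {
        // Values from the filter configuration quoted in the message.
        AnonymousToken anon = buildToken("foobar", "anonymousUser,ROLE_ANONYMOUS");
        System.out.println("provider accepts the filter's token: " + providerAccepts("foobar", anon));

        // A token built with some other key is rejected by the provider, whatever roles it claims.
        AnonymousToken otherKey = buildToken("different-key", "anonymousUser,ROLE_USER");
        System.out.println("provider accepts a token with another key: " + providerAccepts("foobar", otherKey));

        // The objectDefinitionSource quoted in the message.
        LinkedHashMap<String, String> source = new LinkedHashMap<>();
        source.put("/*.jsp", "ROLE_ANONYMOUS");
        source.put("/*.html*", "ROLE_USER");

        System.out.println("/INDEX.JSP as anonymous: " + isGranted(anon, requiredRole(source, "/INDEX.JSP")));
        System.out.println("/secure.html as anonymous: " + isGranted(anon, requiredRole(source, "/secure.html")));
    }
}
```

The key check is the part worth noticing from a hardening perspective: the provider's decision depends on the token having been minted by a filter configured with the same key, so the value should be unique per deployment rather than the sample "foobar". The role names themselves are just strings compared against the configuration, which is why no database row is involved.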
Re: [Acegisecurity-developer] Turn On Subscribe Request Verification?
On Saturday 26 February 2005 05:49, Seth Ladd wrote:
> Hello, Ben, is it possible to turn on the Subscribe Request Verification for this mailing list? It would stop the spam we see to this list. It's a mailman parameter, I believe. Thanks! Seth

I've switched on member_posting_only, which is the only spam-related parameter I could find which was not already on. Hope this helps.

Ben
Re: [Acegisecurity-developer] Patch to fix NPE
On Monday 28 February 2005 20:43, Konstantin Shaposhnikov wrote:
> Hello all, I am not sure where I should send my patch (I haven't found any bug-tracking system for acegi), so I'll send it to the mailing list. If you enable DEBUG log level and define, for example, in FilterChainProxy a filterInvocationDefinitionSource pattern without any filter (something like /**/*.css=), then an NPE is thrown. The following patch fixes the exception.

Thanks, committed to CVS.

Ben
[Acegisecurity-developer] Remember-me and releasing 0.8.0
Hi everyone

I've just added pluggable remember-me services to CVS. You will also find corresponding tests, reference documentation, JavaDocs and a demonstration in the Contacts sample.

I believe we've accumulated sufficient additional features, improvements and fixes to warrant a new release. I had hoped to include configuration attribute aware AuthenticationEntryPoints, but I haven't got time to do so at present. In any event, this feature doesn't pose any backward compatibility constraint.

I'd be grateful if people tried out the latest code from CVS (if they get a chance) and reported any issues. Assuming there aren't any show-stoppers or other concerns, I'll release 0.8.0 in the next day or two.

Thanks
Ben
[Acegisecurity-developer] Re: Stable LDAP authentication DAO
On Tuesday 01 March 2005 09:36, Baldwin, Richard wrote:
> Hello, My company's project requires an LDAP connection for access to company credentials. I'd like to test the alpha version of the DAO, but I'm unable to cut through our firewall to CVS using pserver. I wonder if there's a secondary way to access CVS to pick up the files I'd need? (I know I can pick up this stuff from home, but I'd like to fetch these artifacts when I need them.) Thanks. Richard

Sorry Richard, LDAP is only in CVS due to it being of sandbox status. Did you try CVSGrab, as per http://acegisecurity.sourceforge.net/cvs-usage.html?

Best regards
Ben
Re: [Acegisecurity-developer] Re: Stable LDAP authentication DAO
Ben Alex wrote:
> Did you try CVSGrab, as per http://acegisecurity.sourceforge.net/cvs-usage.html?

I've put a nightly build up at http://acegisecurity.sourceforge.net/nightly/

Best regards
Ben
Re: AW: [Acegisecurity-developer] Using Acegi in distributed environment
On Saturday 05 March 2005 00:47, Andreas Prohaska wrote:
> But even without trusting my client, assume that I have the secured Account instance in the servlet tier. Now imagine a wizard that allows the current user to edit the Account, perhaps in multiple steps. Everyone would agree that it's a common practice to put the Account instance into the HttpSession until it's finally saved. But since this is an online banking application, we have to use fail-over, load-balancing superwebservers that use HttpSession replication (by serializing sessions between servers) and BANG!

I'm unclear _why_ exactly you need Acegi Security (or anything else for that matter) to secure methods and properties on Account domain object instances. As previously mentioned, domain object instances in the UI tier (be they webapp or rich client) are essentially throw-away instances that either (a) get accepted as valid on their return to the services layer and persisted or otherwise operated on, or (b) are rejected as the principal has insufficient permissions to pass the mutated Account instance to the relevant services layer method.

AOP allows you to advise domain object instances, but it's something of a new field and issues such as serialization of advisors from one web container to another are a grey area (I doubt it's done very often or easily). Does the advice look for a local collaborator, or does the container serialize unadvised instances which have advisors re-applied on the target container? It's an area of AOP best practice which seems grey to me; most people are experiencing enough of a paradigm shift getting used to AOP on their services layer.

For that reason, if you're keen on using AOP on domain instances, at the very least you should consider which AOP framework you're going to use, which persistence framework, compatibilities between them, and the advice (pardon the pun) of the project team responsible for the AOP framework when it comes to serialization of advisors across containers - particularly in a fail-over-support cluster.

For my two cents, I'd focus my energies on using the Acegi Security ACL capabilities properly in this sort of application, enforcing at the services layer boundary. At least you know it's simple, it works, there exists a body of design patterns and samples and people who can critique your architecture, and it is performant.

HTH
Ben
[Acegisecurity-developer] Re: JAAS support
Hi David

David Nuescheler wrote:
> > 4. Often alternative OSS security frameworks and home-grown approaches cannot easily be made to integrate into a JAAS LoginModule
> With respect to authentication in Jackrabbit I am not creative enough to come up with a use case that cannot easily be wrapped into a JAAS LoginModule. Do you have any examples in mind? Authorization is certainly a more complicated issue.

I was referring to the fact some OSS security frameworks take a fairly sophisticated approach to authentication management, and dropping them into a LoginModule isn't consistent with their design and architecture.

For example, Acegi Security uses a ThreadLocal to store authentication details. It offers a range of ways to populate that ThreadLocal, such as form, basic, digest, anonymous and remember-me authentication. It authenticates the contents of the ThreadLocal at various times, such as when an authentication request is first presented and then each time a secure object is called. Integration with HttpSession to store the ThreadLocal contents between HTTP requests is also provided, along with run-as replacement and automatic propagation of the ThreadLocal contents from one JVM to another. The entire framework is interface-driven and wired from a Spring IoC container, so it actively encourages customisation and extension (something I'd love to see in Jackrabbit).

This type of authentication architecture can be hammered to work within a JAAS LoginModule, with the sacrifice of some functionality, loss of authentication customisation support, introduction of extra container-specific configuration (which equals loss of container portability), and provided that the container collects the credentials over the appropriate authentication mechanism (basic, digest, form etc) and presents them to the LoginModule. These trade-offs are actually why, despite Acegi Security offering this type of integration hook, it is neither recommended nor do many people rush to use it.

Indeed the only users I've encountered who actually use this integration are EJB users who are using EJB declarative security. The rest of the community seems to value the 100% container portability, and richer customisable services available by not using JAAS.

Despite this, the comparative merit of using Security Framework A over Security Framework B is not really that important. What matters is that not all security frameworks in use today are 100% compatible with LoginModules. Also, Jackrabbit only needs a _minimal_ interface to integrate with _any_ underlying security system. I can't see any harm in offering such an interface, as it is both OO-friendly and helps develop a stronger Jackrabbit community by encouraging integration into existing applications and developer preferences.

Best regards
Ben
Re: [Acegisecurity-developer] FilterChainProxy and ContextHolderAwareRequestFilter
Matt Raible wrote:
> I changed both of the places where fi.getRequest() was called. Changing the first one didn't affect anything, but changing the second seems to have solved the problem. Here's the modified file:

Checked into CVS.

Cheers
Ben
Re: [Acegisecurity-developer] session.invalidate() vs. ContextHolder.setContext(null)
Matt Raible wrote:
> Ben Alex wrote:
> > It seems to work OK for me in Tomcat 5.5 with the Contacts Sample application's logout.jsp.
> I tried building/deploying the contacts WAR with maven (according to the Building with Maven instructions) - there is no web.xml included in the WAR file. Matt

You need to use multiwar:multiwar from samples/contacts to build the Contacts sample. Or from docs using multiproject:artifact. I just checked the 0.8.0 official release ZIP (built with multiproject:artifact from docs) and it includes acegi-security-sample-contacts-filter.war which does include web.xml.

Ben
Re: [Acegisecurity-developer] Case insensitive User Cache
Stefaan Destoop wrote:
> Hi, In the class EhCacheBasedUserCache, one gets the user from the cache by cache.get(username). However, as LDAP is case insensitive, putUserInCache() can put the user in the cache with a different key. I would suggest adding a boolean property caseSensitive, defaulting to true, for other people experiencing the same problem. If you guys agree with this, I can send a modified EhCacheBasedUserCache implementation. Cheers, Stefaan.

I'd prefer to see the LDAP provider use the cache in a consistent way, rather than basically making the cache accommodate it. The issue is that other people may have written cache implementations, and every such implementation would have to accommodate case insensitive usernames. It is easier if the providers always use the cache in a consistent way instead.

Cheers
Ben
[Acegisecurity-developer] Release 0.8.1?
Hi everyone

There's a series of bug fixes now in CVS, plus Luke's new X509 (certificate-based) authentication module. I'd like to propose we finalise documentation and release 0.8.1 within the next day or two. Any comments, test reports etc are welcome.

Cheers
Ben
Re: [Acegisecurity-developer] session.invalidate() vs. ContextHolder.setContext(null)
Matt Raible wrote:
> I updated from CVS and tried the new JAR on AppFuse and the security chapter's sample application. The behavior continues to happen. I'll try it on the Contacts sample app in a few days. Maybe anonymous CVS is not in synch.

Perhaps... The latest version of HttpSessionContextIntegrationFilter is 1.4. Please let me know how it goes.

Cheers
Ben
[Acegisecurity-developer] Acegi Security - new release 0.8.1
Dear Spring Community

I'm pleased to announce that Acegi Security release 0.8.1 is now available. This release fixes a number of non-critical bugs, updates JAR dependencies to match Spring 1.1.5, and introduces X509 (certificate-based) authentication support.

As per the Apache APR project versioning guidelines, this is a minor release. Users of release 0.8.0 should be able to simply drop the new 0.8.1 JARs into their applications.

For Maven users, Acegi Security's latest JARs are now available from http://acegisecurity.sourceforge.net/maven/acegisecurity/jars. Release 0.8.0 will be added to iBiblio shortly.

Please visit http://acegisecurity.sourceforge.net to learn more about Acegi Security's features, browse online documentation, or download the latest release.

We hope you find this new release useful in your projects.

Cheers
Ben
Re: [Acegisecurity-developer] AuthenticationTag setting scoped variable?
Brian Moseley wrote:
> Has there been any discussion of having AuthenticationTag set a scoped variable rather than writing the principal's username to the output stream? If folks think it's a good idea to offer both usages, and nobody's implemented it somewhere already, I'd be happy to work up a patch. Thanks!

Extra flexibility can't hurt, so feel free.

Ben
Re: [Acegisecurity-developer] Using MySql database for Contacts Sample
Mike wrote:
> My questions:
> - Can we make DataSourcePopulator a generic Populator, in order to support multiple databases for testing?

The goal of Contacts is to give people a non-trivial (in terms of security) and self-contained (ie no external database server required) application. My only concern with offering a generic Populator is people would expect the project to maintain compatibility with multiple databases. It's also not really part of the scope of the application, in that we're not trying to offer a stand-alone product people can deploy and use in their target environment. If you have a way of addressing these concerns, I am happy to offer the extra flexibility. It might be as simple as modifying the SQL to be more portable.

> - Does anybody know the equivalent of ID INTEGER GENERATED BY DEFAULT AS IDENTITY(START WITH 100) in the MySQL world?

Sorry, I use Postgres mostly.

Best regards
Ben
Re: [Acegisecurity-developer] No setter for AbstractProcessingFilter.credentialsExpiredFailureUrl
Alex Burgel wrote:
> Hi, in 0.8.1, there's no setter for credentialsExpiredFailureUrl in AbstractProcessingFilter. --Alex

Fixed in CVS.

Ben
Re: [Acegisecurity-developer] Humanity concerns
magarrigue wrote:
> Hi, I will post some code here soon concerning the acegi/www.jcaptcha.net (http://www.jcaptcha.net/) integration. The whole story is here: http://forum.springframework.org/viewtopic.php?p=17030#17030 Have you some requests concerning the design? Do you agree with the plan? Thanks again for this great framework. MAG

No concerns at all. Having used a channel processing approach, I think you've got the right idea. The only area to consider is how to store state that indicates a human was processed. An extended SecureContext is the most logical way, but equally it might be preferable to not store it at all. Do MethodSecurityInterceptor or FilterSecurityInterceptor really need to know a human user was authenticated? Surely it's more a concern of the channel processing filter configuration, and they shouldn't need to be separately advised of it. I guess we could offer a protected method so applications that need this information can use a custom SecureContext or some other mechanism.

Thanks for your offer to share the code. I'll be only too happy to add it.

Cheers
Ben
Re: [Acegisecurity-developer] Just starting
Greg Akins wrote:
> Thanks for responding. I was missing some parts of the config files.. I got everything cleared up so my web application starts (Yay!!). Now, the problem is.. I get an infinite redirect on the web application. I'd imagine I screwed something up in the Controller setup (I'm not familiar with Spring MVC and am trying to incorporate this in a Struts app) and that is causing my problem.

Sounds like your login URL is being protected by FilterSecurityInterceptor, which throws an AccessDeniedException/AuthenticationException and the wrapping SecurityEnforcementFilter re-directs you once more to the login URL. Try checking the debug-level log. Also check your login page URL is set to ROLE_ANONYMOUS (if using anonymous authentication) or it is excluded from the Ant/regular expression paths defined against FilterSecurityInterceptor.

Ben
Re: [Acegisecurity-developer] LdapPasswordAuthenticationDao.getGrantedAuthority
[EMAIL PROTECTED] wrote:
> If you change line 445 (from the 2005-04-13_070009 snapshot) from
>
> String roleName = rolePrefix + ldapRole.toUpperCase() + roleSuffix;
>
> to
>
> String roleName = rolePrefix + ldapRole.toUpperCase().replaceAll("[,= ]", "_") + roleSuffix;
>
> then that should do it.

Hi Matt

Robert Sanders looks after the LDAP capabilities, so I'll leave it with him to make the change or get back to you if there's a problem.

Cheers
Ben
Re: [Acegisecurity-developer] remember me
negge wrote:
> There is something fishy going on with the RememberMe authentication provider. When I log in as a certain user, there are two cookies that are dropped: a RememberMe token cookie, and a JSESSION cookie. If I delete the JSESSION cookie and try to access a page that requires authentication, the RememberMe authentication provider works just fine and I am re-authenticated (in the process a new JSESSION cookie is dropped). However, if I delete the RememberMe token cookie and try to access a page that requires authentication, ACEGI will pull the existing SecureContext out of the session based on the JSESSION token and claim I am authenticated. This behavior is fine except that no new RememberMe token cookie was dropped. What gives?

Which version of Acegi Security? What exactly is the problem? I don't really understand your last paragraph.

Thanks
Ben
[Acegisecurity-developer] Re: [Springframework-developer] Spring 1.2 RC2 and Acegi Security
Juergen Hoeller wrote:
> I've also taken the two convenience methods in Acegi's StringSplitUtils class and moved them over to Spring's StringUtils. In the course of this, I've transformed the splitEachArrayElementAndCreateMap method into splitArrayElementsIntoProperties, essentially returning a Properties instance instead of a Map (since all we ever get back is String-String pairs). My goal for Spring 1.2 final is that the Acegi util package should only contain Acegi-specific utilities, no general utility stuff anymore. With the addition of DelegatingFilterProxy and the String split methods to core Spring, we should be pretty much there... An Acegi release 0.9 alongside Spring 1.2 final would be appropriate, I guess. Opinions welcome, of course :-)
>
> Ben, when do you plan to go to 1.0 RC with Acegi? Maybe alongside Spring 1.3 RC, which is currently scheduled for right before JavaOne? I think that would be a great message, to show that Acegi is fully active and supported.
>
> (BTW, FilterChainProxy in net.sf.acegisecurity.util has dependencies on the net.sf.acegisecurity and net.sf.acegisecurity.intercept.web packages, so arguably doesn't belong in the low-level util package...)

Hi Juergen

All of this sounds great. Our general release plan at this stage is:

- Release 0.8.2. To release ASAP. It will require Spring 1.2-RC2, and fix the current 0.8.1 to 1.2-RC2 incompatibility.
- Release 0.9.0. Refactor to use a dedicated SecurityContext ThreadLocal and also Spring 1.2-Final util package migration.
- Release 1.0.0-RC1. A Spring 1.3 pre-JavaOne release sounds like a good target.

In terms of your other email's suggestion to use a SecurityContext ThreadLocal instead of ContextHolder, I've given this some more thought and we can do this and still offer a clean migration path for 99% of existing ContextHolder users. Whilst I know some people (myself included) have found ContextHolder's general-purpose approach useful, it seems more important overall to achieve standardization with Spring Core in the ThreadLocal approach, and as such it seems worthwhile refactoring to SecurityContext. Any comments from the community are welcome.

Cheers
Ben
[Acegisecurity-developer] Acegi Security - new release 0.8.2
Dear Spring Community

I'm pleased to announce that Acegi Security release 0.8.2 is now available. This release fixes a number of non-critical bugs, resolves an incompatibility with Spring 1.2-RC2 refactorings, updates JAR dependencies to match Spring 1.2-RC2, and refactors AbstractProcessingFilter exception mappings.

As per the Apache APR project versioning guidelines, this is a minor release. Users of release 0.8.0 or 0.8.1 should be able to simply drop the new 0.8.2 JARs into their applications, although please be aware:

1. Spring 1.2-RC2 (or above, such as a CVS snapshot) is the minimum requirement for Acegi Security 0.8.2
2. Users of AbstractProcessingFilter (typically AuthenticationProcessingFilter) must modify their exception setters as per http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/ui/AbstractProcessingFilter.html

Please note that Acegi Security releases prior to 0.8.2 will not operate with Spring 1.2-RC2. You will need to use the latest Acegi Security release (0.8.2) if you wish to operate with Spring 1.2-RC2.

For Maven users, Acegi Security's latest JARs are now available from http://acegisecurity.sourceforge.net/maven/acegisecurity/jars. Release 0.8.2 will be added to iBiblio shortly.

Please visit http://acegisecurity.sourceforge.net to learn more about Acegi Security's features, browse online documentation, or download the latest release.

We hope you find this new release useful in your projects.

Cheers
Ben
[Acegisecurity-developer] Acegi Security's ContextHolder replaced by SecurityContext
Pursuant to Juergen's recommendation (http://article.gmane.org/gmane.comp.java.springframework.devel/8290), Acegi Security CVS has now had its ContextHolder and related classes removed. This functionality has been replaced by SecurityContext, which is an InheritableThreadLocal that provides a single getter/setter pair for Authentication.

This is a significant change for end users, but offers a number of benefits:

- Consistency with Spring core's use of a concrete ThreadLocal per functional area
- SecurityContext is strictly typed (which eliminates the need for casting)
- Simplified configuration as no need to specify a Context implementation for HttpSessionContextIntegrationFilter
- InheritableThreadLocal used instead of ThreadLocal to simplify rich client usage (see http://forum.springframework.org/viewtopic.php?t=5004)
- Elimination of handling the extra Context layer means less end user code is required

Unit tests pass and I've updated the upgrade-080-090.txt in some detail. The reference guide has also been updated.

It would be appreciated if developers could try the latest CVS with their applications and report any difficulties. General feedback on this change is also welcome.

Cheers
Ben
Re: [Springframework-developer] Re: [Acegisecurity-developer] Acegi Security's ContextHolder replaced by SecurityContext
Colin Sampaleanu wrote:
> As a follow-up, from memory (it's been about a year) I believe I used a custom SecureContext to also pass along some EJB related security information (principal name, or the EJB run-as user) between different layers along with the Acegi specific info. The app in question was a mixed EJB and Spring app, using the EJB version of OSWorkflow.

Thanks for the feedback Colin. I've just checked into CVS refactorings which adopt the following design:

SecurityContextHolder:InheritableThreadLocal
  - SecurityContext:Interface
    - Authentication:Interface

SecurityContextHolder guarantees to never return a null SecurityContext, so this refactoring delivers extensibility for cases such as Colin mentioned whilst not requiring casting or null checking as had been the case with the old ContextHolder / SecureContext approach.

Cheers
Ben
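The holder design Ben sketches above (a strictly typed context behind an InheritableThreadLocal that is never null), written out as an added example in modern Java. This is not code from the Acegi project: the class names mirror the ones in the thread, but the bodies, the sample principal "marissa" and the role name are my own stand-ins.

```java
import java.util.concurrent.atomic.AtomicReference;

/** Stand-in for Acegi's Authentication interface: a principal name plus granted role names (constructed). */
final class Authentication {
    private final String principal;
    private final String[] authorities;

    Authentication(String principal, String... authorities) {
        this.principal = principal;
        this.authorities = authorities.clone();
    }

    String getPrincipal() { return principal; }
    String[] getAuthorities() { return authorities.clone(); }
}

/** The strictly typed per-thread context: one getter/setter pair, no casting for callers. */
final class SecurityContext {
    private Authentication authentication; // null only while nobody is authenticated on this thread

    Authentication getAuthentication() { return authentication; }
    void setAuthentication(Authentication authentication) { this.authentication = authentication; }
}

/** Holder that never hands out a null SecurityContext and inherits it into threads the caller spawns. */
final class SecurityContextHolder {
    private static final InheritableThreadLocal<SecurityContext> CONTEXT =
        new InheritableThreadLocal<SecurityContext>() {
            @Override
            protected SecurityContext initialValue() {
                return new SecurityContext(); // getContext() is therefore never null: no null checks for callers
            }
        };

    private SecurityContextHolder() {}

    static SecurityContext getContext() { return CONTEXT.get(); }

    /** Drops this thread's context; the next getContext() starts from an empty one. */
    static void clearContext() { CONTEXT.remove(); }
}

public class HolderDemo {
    /** Authenticates on the calling thread, then reads the principal from a freshly started child thread. */
    static String principalSeenByChildThread() throws InterruptedException {
        SecurityContextHolder.getContext().setAuthentication(new Authentication("marissa", "ROLE_USER"));
        AtomicReference<String> seen = new AtomicReference<>();
        Thread child = new Thread(() -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            seen.set(auth == null ? null : auth.getPrincipal());
        });
        child.start();
        child.join();
        // What the web integration filter must do at the end of every request: a servlet container
        // reuses threads, so a context left behind would be visible to the next request on that thread.
        SecurityContextHolder.clearContext();
        return seen.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("child thread saw principal: " + principalSeenByChildThread());
        System.out.println("after clearContext(), authentication is "
            + SecurityContextHolder.getContext().getAuthentication());
    }
}
```

Two properties of InheritableThreadLocal matter for the rich-client case the thread mentions: the child receives the parent's value at the moment the Thread object is constructed (not when it starts), and by default it receives the same SecurityContext object rather than a copy, so both threads observe each other's setAuthentication() calls. Threads taken from a pool were constructed long before the request and inherit nothing, which is why the per-request clear at the end is the holder's safety net rather than an optimisation.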
[Acegisecurity-developer] Java 1.5 Compatibility
I've just updated CVS so the Eclipse project is Java 1.5 compatible. This was done because the new domain subproject will use 1.5-specific features. It is also expected a new tiger (or similar) subproject will be added for Acegi Security's 1.5-specific features (ie annotations). This will culminate in an acegi-security-tiger.jar binary, providing access to the 1.5 specific features without affecting the main JARs that will remain 1.3 compatible.

Developers: please do not add 1.5-specific features outside the domain (and eventually tiger) subproject. Maven build compatibility has been kept at 1.3 for all subprojects except domain.

I've also made some minor improvements to eliminate all warnings shown under Eclipse's 1.5 compiler compatibility level. Unfortunately the generics-related type safety warnings cannot be removed without introducing 1.5-specific code to subprojects that need to remain 1.3 compatible. Therefore, it's recommended that Eclipse users modify their Problems view filter so "Description does not contain" "Type safety:". This will clear up your Problems view to show only warnings that can actually be fixed whilst remaining 1.3 compatible.

Any questions, comments etc, please feel free.

Cheers
Ben
Re: [Acegisecurity-developer] Protecting part of a JSP
Greg Akins wrote:
> 3. I don't know Acegi that well, but would be willing to add this if some folks can give me a little handholding (that is, if the to #1 is No.

That would be excellent. If you had time to make a similar change to the other taglibs and unit tests (so they maintain some consistency in capability) it would be even better. :-)

Cheers
Ben
Re: [Acegisecurity-developer] DaoAuthenticationProvider: Ordering of exceptions...
Wesley Hall wrote:
> Hello, I hope everyone is well.
>
> I wanted to query the ordering of the exceptions thrown by the DaoAuthenticationProvider class. It seems that the authenticate method will first check that the user (with the specified username) can be loaded, next it will check the status of this user, such as whether the account is disabled, locked etc. Then it will check the password.
>
> I would propose that maybe the disabled/locked checks should come AFTER the password check. I am currently able to determine the status of an account without knowing the password and I would rather that the system only informs a user that their account is disabled/locked if they provided the correct credentials. "Need to know" basis.
>
> I was going to submit a patch for this but I am getting some compile errors with the latest CVS head. It seems net.sf.acegisecurity.util.MockFilterChain is missing.
>
> Ben, Colin et al... any objections to such a change? Would you like me to issue the patch?
>
> Thanks chaps.

Hi Wesley

The reason the locked checks occur BEFORE the password comparison is because the main purpose in locking an account is to stop brute force password attacks. If say 5 invalid passwords are received, an ApplicationListener can set that user's account to locked. Then the sixth password attempt will be responded to with LockedException instead of BadCredentialsException.

The pairing of disabled checking alongside the locked checking was done because initially we only recognised disabled accounts (not locked accounts). Locking was added to make the exception reporting more granular.

Cheers
Ben
Re: [Acegisecurity-developer] runas without authentication
Brian Moseley wrote:
> it seems like the runas facilities might be able to give me what i want. is there a way to set up acegi security so that the http request itself is not authenticated but runas is used specifically only for the repository login?

Hi Brian

Run-as replacement is more often used to change the active principal - or their GrantedAuthority[]s - so that methods can invoke remote methods that might require a different security realm. So if your SignUpManager needed to create a DNS domain, and the DnsManager was on a shared system for which the ASP was given an ASP-wide login, run-as replacement would be used so that during execution of SignUpManager the active principal could change to that of the ASP (ready for the remote invocation).

I think your use case would be better suited to the anonymous authentication capability. It is especially designed for giving an unauthenticated request an Authentication, and the SecurityEnforcementFilter recognises the fact it is an anonymous Authentication and will redirect to the AuthenticationEntryPoint in the event of an AccessDeniedException (as opposed to returning a 403 / SC_FORBIDDEN).

Best regards
Ben
Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Venkat Sonnathi wrote:
> Hi, I am exploring AcegiSecurity by following the contacts sample application. I observed that in AbstractSecurityInterceptor.beforeInvocation method authenticationManager.authenticate is being called for every request. Why is it? Can it be optimized to check if authentication is already done and skip this step? For every click the above method is called twice: once as part of FilterSecurityInterceptor and once as part of MethodSecurityInterceptor and if we optimize/check for authentication then the call to authenticationManager.authenticate can be avoided.
> Thanks,
> --Venkat.

Yes, it could be optimised using a range of strategies such as putting a flag into the ContextHolder (SecurityContextHolder in CVS and from 0.9.0). The trouble is then causing that flag to reset at the start of each request so that only the first AbstractSecurityInterceptor invocation causes delegation to the AuthenticationManager. Indeed if the request was actually authenticated during the request by an authentication mechanism (eg BASIC/Digest/form post) we should accept that AuthenticationManager invocation and not require any AbstractSecurityInterceptor to repeat it.

We could refresh the SecurityContextHolder flag in the HttpSessionContextIntegrationFilter, but then we're reducing its focus on simply storing the SecurityContext between HTTP requests. Better yet, we could have startRequest() and finishRequest() methods in the SecurityContext to encapsulate this sort of logic and have the HttpSessionContextIntegrationFilter call them. Indeed that might prove beneficial for Captcha integration, which also needs to set a once-per-request style flag.

What do others think?

I have not performed any benchmarks, but given that caching is performed in AuthenticationProvider implementations I would not suspect the double-up of AuthenticationManager invocations would represent an urgent performance constraint at this time.

Best regards
Ben
Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Mansoor, Ghazenfer (EDS) wrote:
> How about adding this check at one central place, AuthenticationManager? I am doing this and I do not see any problem. I set the authenticate to true after successful authentication, and check for isAuthentication() before every call.

What sets your Authentication.isAuthenticated() back to false at the start of each request?

I would propose the following:

- SecurityContext to provide a startRequest() and finishRequest() method that is called by HttpSessionContextIntegrationFilter.
- The startRequest() and finishRequest() set Authentication.isAuthenticated() to false. Do it twice in case the Authentication is being presented from a remote system (eg via RMI) which has set the isAuthenticated() to true.
- An AuthenticationProvider may, but is not required to, set Authentication.isAuthenticated() to true. If it does set it to true, it means it does not require further callback and the Authentication can safely be used for the remainder of the request. AuthenticationProviders should provide a property setting so this can be switched off (ie they never set the flag to true) as in special situations (like chained AuthenticationProviders or a cache-aware ProviderManager) it might be undesirable.
- AbstractSecurityInterceptor honours the Authentication.isAuthenticated() property by not calling AuthenticationManager if not required. AbstractSecurityInterceptor never sets Authentication.isAuthenticated() (it does at present).

This means there are only two actors changing the Authentication.isAuthenticated() flag: HttpSessionContextIntegrationFilter to clear it, and an AuthenticationProvider to set it.

> You are only considering DAO authentication provider here, how about the other providers that do not have caching?

Most AuthenticationProvider implementations use caching. At least the CAS, X.509 and DAO providers do, and they're the main ones people use.

Besides, I was supporting that we should address this issue, just noting it isn't a critical performance issue at present. The benefit of these changes is mainly going to be avoiding unnecessary interaction with collections in ProviderManager and the various caches, plus providing a request-specific hook for future expansion. That should improve performance, although today's collection implementations are fairly well-optimised.

Best regards
Ben
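The four-point proposal above, modelled as an added Java example so the division of responsibility is concrete: only the request boundary clears the flag, only a provider sets it, and the interceptor merely honours it. This is not Acegi code; the class names (CountingProvider, Interceptor, RequestBoundary), the ThreadLocal standing in for the holder and the sample credentials are my own constructions.

```java
import java.util.concurrent.atomic.AtomicInteger;

/** Token carrying the once-per-request flag; per the proposal only a provider sets it, only the filter clears it. */
final class Authentication {
    final String principal;
    final String credentials;
    private boolean authenticated;

    Authentication(String principal, String credentials) {
        this.principal = principal;
        this.credentials = credentials;
    }

    boolean isAuthenticated() { return authenticated; }
    void setAuthenticated(boolean authenticated) { this.authenticated = authenticated; }
}

/** Per-request holder; a plain ThreadLocal stands in for SecurityContextHolder. */
final class Holder {
    static final ThreadLocal<Authentication> CURRENT = new ThreadLocal<>();
}

/** Provider that validates credentials and counts how often it is actually consulted. */
final class CountingProvider {
    final AtomicInteger calls = new AtomicInteger();
    private final boolean markAuthenticated; // the opt-out property the proposal asks providers to expose

    CountingProvider(boolean markAuthenticated) { this.markAuthenticated = markAuthenticated; }

    Authentication authenticate(Authentication request) {
        calls.incrementAndGet();
        // Constructed credential check: a single fixed user/password pair.
        if (!"marissa".equals(request.principal) || !"koala".equals(request.credentials)) {
            throw new SecurityException("bad credentials");
        }
        if (markAuthenticated) request.setAuthenticated(true); // safe to reuse for the rest of this request
        return request;
    }
}

/** Stand-in for AbstractSecurityInterceptor.beforeInvocation(): re-authenticate only when required. */
final class Interceptor {
    private final CountingProvider provider;

    Interceptor(CountingProvider provider) { this.provider = provider; }

    void beforeInvocation() {
        Authentication auth = Holder.CURRENT.get();
        if (auth == null) throw new SecurityException("no authentication present");
        if (auth.isAuthenticated()) return; // a provider vouched for it earlier in this request
        Holder.CURRENT.set(provider.authenticate(auth)); // the interceptor itself never sets the flag
    }
}

/** Stand-in for HttpSessionContextIntegrationFilter: clears the flag at both request boundaries. */
final class RequestBoundary {
    static void startRequest(Authentication fromSession) {
        fromSession.setAuthenticated(false); // never trust a flag that arrived from the session or a remote caller
        Holder.CURRENT.set(fromSession);
    }

    static void finishRequest() {
        Authentication auth = Holder.CURRENT.get();
        if (auth != null) auth.setAuthenticated(false); // cleared again before it is stored back into the session
        Holder.CURRENT.remove();
    }
}

public class FlagDemo {
    /** Simulates one request passing the filter interceptor and then the method interceptor. */
    static int providerCallsForOneRequest(boolean providerMarksAuthenticated) {
        CountingProvider provider = new CountingProvider(providerMarksAuthenticated);
        Interceptor filterInterceptor = new Interceptor(provider);
        Interceptor methodInterceptor = new Interceptor(provider);
        Authentication fromSession = new Authentication("marissa", "koala");
        fromSession.setAuthenticated(true); // stale flag, e.g. deserialised from an HttpSession
        RequestBoundary.startRequest(fromSession);
        filterInterceptor.beforeInvocation();
        methodInterceptor.beforeInvocation();
        RequestBoundary.finishRequest();
        return provider.calls.get();
    }

    public static void main(String[] args) {
        System.out.println("provider sets the flag: " + providerCallsForOneRequest(true) + " provider call(s)");
        System.out.println("provider opts out:      " + providerCallsForOneRequest(false) + " provider call(s)");
    }
}
```

With the provider marking the token, the method interceptor finds isAuthenticated() already true and the provider is consulted once per request; with the opt-out property set, both interceptors delegate and it is consulted twice, which is the behaviour the thread starts from. The stale flag set before startRequest() shows why the boundary clear matters: without it, a token that arrived with isAuthenticated() already true would bypass both interceptors entirely.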
Re: [Acegisecurity-developer] DaoAuthenticationProvider: Ordering of exceptions...
Wesley Hall wrote:
> So in conclusion, I am suggesting a change of order to...
>
> username valid?
> account locked?
> password correct?
> account enabled?
> account expired?
> password expired?
>
> Does this make sense? Am I missing anything else?

I agree, that makes sense. I have made the change in CVS.

Thanks
Ben
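The agreed order above, together with Ben's earlier explanation of why the locked check sits before the password comparison, as an added Java example. This is not the DaoAuthenticationProvider source: the provider, the exception classes, the in-memory DAO and the sample user "marissa"/"koala" are stand-ins of my own, and the failure counter that locks the account is folded into the provider here where Acegi leaves it to an ApplicationListener. Treating an unknown username exactly like a wrong password is also a choice of this example, not something the thread states.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/** Constructed user record carrying the status fields the agreed check order refers to. */
final class UserDetails {
    final String username;
    final String password;      // in clear only so the example is self-contained; real code stores a hash
    boolean accountLocked;
    boolean enabled = true;
    boolean accountExpired;
    boolean credentialsExpired;
    int failedAttempts;

    UserDetails(String username, String password) {
        this.username = username;
        this.password = password;
    }
}

class AuthenticationException extends RuntimeException {
    AuthenticationException(String message) { super(message); }
}
class BadCredentialsException extends AuthenticationException { BadCredentialsException() { super("Bad credentials"); } }
class LockedException extends AuthenticationException { LockedException() { super("Account is locked"); } }
class DisabledException extends AuthenticationException { DisabledException() { super("Account is disabled"); } }
class AccountExpiredException extends AuthenticationException { AccountExpiredException() { super("Account has expired"); } }
class CredentialsExpiredException extends AuthenticationException { CredentialsExpiredException() { super("Password has expired"); } }

/** Provider applying the order agreed in the thread, with the lockout listener folded in as a counter. */
final class OrderedDaoProvider {
    private final Map<String, UserDetails> dao = new HashMap<>(); // stand-in for an AuthenticationDao
    private final int lockAfterFailures;

    OrderedDaoProvider(int lockAfterFailures) { this.lockAfterFailures = lockAfterFailures; }

    void addUser(UserDetails user) { dao.put(user.username, user); }

    UserDetails authenticate(String username, String password) {
        // 1. username valid? An unknown name is reported like a wrong password so the response
        //    does not reveal which usernames exist (a choice of this example).
        UserDetails user = dao.get(username);
        if (user == null) throw new BadCredentialsException();
        // 2. account locked? Checked BEFORE the password so a locked account stops absorbing guesses:
        //    once locked, an attempt learns nothing about whether its password was right.
        if (user.accountLocked) throw new LockedException();
        // 3. password correct? MessageDigest.isEqual avoids stopping at the first differing byte.
        if (!constantTimeEquals(user.password, password)) {
            if (++user.failedAttempts >= lockAfterFailures) {
                user.accountLocked = true; // in Acegi an ApplicationListener would do this on the Nth failure
            }
            throw new BadCredentialsException();
        }
        user.failedAttempts = 0;
        // 4-6. Only now, with the password proven, are the remaining status details revealed.
        if (!user.enabled) throw new DisabledException();
        if (user.accountExpired) throw new AccountExpiredException();
        if (user.credentialsExpired) throw new CredentialsExpiredException();
        return user;
    }

    private static boolean constantTimeEquals(String expected, String presented) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}

public class OrderDemo {
    /** Makes `limit` wrong guesses, then tries the correct password and reports what the caller sees. */
    static String outcomeAfterBruteForce(int limit) {
        OrderedDaoProvider provider = new OrderedDaoProvider(limit);
        provider.addUser(new UserDetails("marissa", "koala")); // constructed sample credentials
        for (int i = 0; i < limit; i++) {
            try {
                provider.authenticate("marissa", "guess" + i);
            } catch (BadCredentialsException expected) {
                // each wrong guess is counted; the account locks on the limit-th failure
            }
        }
        try {
            provider.authenticate("marissa", "koala");
            return "authenticated";
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("after 5 wrong guesses the correct password yields: " + outcomeAfterBruteForce(5));
    }
}
```

Running main() reproduces Ben's scenario: after the fifth failure the account is locked and the sixth attempt, even with the right password, gets LockedException rather than BadCredentialsException. Disabled, expired and credentials-expired are reported only past the password check, which is Wesley's "need to know" point.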
Re: [Acegisecurity-developer] Suggestion to optimize BasicAclEntryAfterInvocationCollectionFilteringProvider
Paulo Neves wrote:
> My suggestion is, if we optimize time to remove domain objects we optimize a lot all process.

Hi Paulo

To make it easier to discuss and reproduce scalability related issues with the ACL packages, I've modified the Contacts sample to automatically create 1,000 extra Contacts and associated ACL records at startup. The DataSourcePopulator also has a createEntities parameter which can be changed to a larger number. This is now checked into CVS.

I had DataSourcePopulator create 10,000 entities, and then I did the following:

- maven multiwar:multiwar
- deploy acegi-security-sample-contacts-filter.war to Tomcat 5.5
- visit the Contacts home page, then login as Marissa to view her contacts
- maven -Dusername=marissa -Dpassword=koala -DnrOfCalls=3 run
- maven -Dusername=dianne -Dpassword=emu -DnrOfCalls=3 run

Then I repeated the above, but using your change to CollectionFilterer (of course I had to jar:install from /core firstly). Only HttpInvoker was used (this is now the default for Contacts).

Initially it took 12,000 ms for Dianne and 12,047 for Marissa. With your changes it took 10,610 for Dianne and 10,687 for Marissa. A good improvement, but the similarity of the original execution times between Dianne and Marissa has me confused as to why your results reported a major difference in execution time between them. Would you please see if you can reproduce my results and perhaps re-check the original time difference between Dianne and Marissa.

As an aside, I wouldn't generally be encouraging people to return 10,000 elements inside a Collection and then expect the ACL package to filter out all but 4 or 5 items. That sort of thing is an abuse of an RDBMS platform's inbuilt capabilities! :-) Still, we should aim to optimise the Java code as greatly as possible, so I am happy to explore this benchmarking and squeeze better performance out of it.

Cheers
Ben
Re: [Acegisecurity-developer] Suggestion to optimize BasicAclEntryAfterInvocationCollectionFilteringProvider
Paulo Neves wrote:
> Hi, Attachments are being removed by mailing list?

Hi Paulo

I received the PDF attachment with your last message.

For the benefit of those who might not have seen it, Paulo's changes resulted in significant optimisation for ACL Collection filtering where the principal has access to a small number of Collection elements relative to the overall Collection size. eg a principal having access to 4 elements whilst there are 10,000 elements in the unfiltered Collection resulted in a significant (better than double) performance improvement. The optimisations provide little improvement when a principal has access to most of the elements in the unfiltered Collection.

It's clear these optimisations are desirable and I've committed them to CVS. It's good to see some empirical support for changes of this nature. Further optimisations are most welcome.

Best regards
Ben
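The cost pattern behind both Contacts benchmarks above (a 10,000-element Collection of which the principal may see 4), shown as an added Java example. This is not Paulo's patch or Acegi's CollectionFilterer; it contrasts the two ways a filterer can drop denied elements, with a constructed Contact type and a predicate standing in for the ACL lookup. Why the gain is large only when most elements are denied follows directly from the two loops.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

/** Stand-in for an ACL-protected domain object (constructed). */
final class Contact {
    final int id;
    Contact(int id) { this.id = id; }
}

/** Two ways to strip the elements a principal may not see from a returned Collection. */
final class CollectionFilterer {
    /** Removes denied elements from the live ArrayList one by one. Each remove() shifts the tail,
     *  so with n elements and almost all of them denied this is O(n^2). */
    static List<Contact> filterByRemoval(List<Contact> unfiltered, Predicate<Contact> permitted) {
        List<Contact> result = new ArrayList<>(unfiltered);
        int i = 0;
        while (i < result.size()) {
            if (permitted.test(result.get(i))) {
                i++;
            } else {
                result.remove(i); // O(n) shift for every denied element
            }
        }
        return result;
    }

    /** Single pass that copies only the permitted elements: O(n) however many are denied. */
    static List<Contact> filterByRetention(List<Contact> unfiltered, Predicate<Contact> permitted) {
        List<Contact> result = new ArrayList<>();
        for (Contact contact : unfiltered) {
            if (permitted.test(contact)) result.add(contact);
        }
        return result;
    }
}

public class FilterBenchmark {
    /** Builds the scenario from the thread: many objects, a handful of which the principal may read. */
    static List<Contact> constructedContacts(int total) {
        List<Contact> contacts = new ArrayList<>(total);
        for (int id = 1; id <= total; id++) contacts.add(new Contact(id));
        return contacts;
    }

    /** Stand-in for the ACL lookup: the principal may read exactly the listed ids. */
    static Predicate<Contact> permittedIds(Integer... ids) {
        Set<Integer> allowed = new HashSet<>(Arrays.asList(ids));
        return contact -> allowed.contains(contact.id);
    }

    static long millis(Runnable work) {
        long start = System.nanoTime();
        work.run();
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        List<Contact> all = constructedContacts(10_000);
        Predicate<Contact> acl = permittedIds(3, 17, 4_242, 9_999);
        List<Contact> byRemoval = CollectionFilterer.filterByRemoval(all, acl);
        List<Contact> byRetention = CollectionFilterer.filterByRetention(all, acl);
        System.out.println("both strategies keep " + byRemoval.size() + " of " + all.size()
            + " elements (same result: " + byRemoval.equals(byRetention) + ")");
        System.out.println("removal:   " + millis(() -> CollectionFilterer.filterByRemoval(all, acl)) + " ms");
        System.out.println("retention: " + millis(() -> CollectionFilterer.filterByRetention(all, acl)) + " ms");
    }
}
```

Swap the predicate for one that permits almost everything and the two timings converge, which matches Ben's observation that the optimisation helps little when the principal can see most of the Collection. His aside stands regardless: fetching 10,000 rows to discard 9,996 of them in the application tier is work the database should be asked to do, and the filterer is a backstop, not the primary access control.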
Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Venkat Sonnathi wrote:
> I am also a bit puzzled as to why we should reset the flag at the start of each request? In a typical web app, authentication is done once per session. Any pointers to how SecurityContext is propagated for RMI calls?

I agree, it shouldn't be required. The net.sf.acegisecurity.context.rmi package propagates a SecurityContext from the client-side to the server-side. The HttpSessionContextIntegrationFilter should not be used in such deployments, and therefore HttpSessionContextIntegrationFilter will not need to reset the flag at the start of each request.

In relation to your other email, I don't see the value of ProviderManager setting the flag. Doing so would mean each AuthenticationProvider implementation cannot make its own decision as to whether or not the Authentication should be treated as valid for the remainder of the request. For consistency with caching, I believe the setting of the flag should occur at the AuthenticationProvider level as it improves the prospects of as yet unknown authentication systems working correctly with Acegi Security. Do you have a specific reason why you'd prefer the ProviderManager set the flag?

Best regards
Ben
Re: [Acegisecurity-developer] runas without authentication
Brian Moseley wrote:
> Brian Moseley wrote:
>> that sounds right. i don't have any need for access control on this operation, so it looks like i can simply use anonymous authen and then have my jackrabbit access manager use an AuthenticationTrustResolver to see if the Authentication is anonymous. i think that will work. thanks!
>
> following up on this... i enabled both anonymous authentication and run-as for my user account signup operation (i need run-as because my jcr repository access manager requires a user account with the root role to perform this particular operation). this setup works fine, but as soon as the user has signed up for his account, he has to explicitly log in to that account.

I would probably try to avoid doing the run-as replacement, as it is a little challenging to overcome the issue you've described without creating the user an entirely different way or exposing an internal token used by AbstractSecurityInterceptor (which I would rather not do, as it could pose a lot of problematic behavior if misunderstood/misused).

Have you considered using a different FilterChainProxy for the sign-up URL? That different chain could use a different AnonymousProcessingFilter bean that grants the necessary root role that the JCR requires. This would avoid the need to perform run-as replacement and overcome the central problem of modifying the SecurityContextHolder so that it is stored in the HttpSession at the end of the request.

Incidentally, I thought you were doing WebDAV stuff with JCR. If so, WebDAV clients are meant to use digest authentication which is nice and convenient as there's no HttpSession required.

Best regards
Ben
Re: [Acegisecurity-developer] acegi Mysql
Marco Mistroni wrote:
> hello all,
> i am trying to run acegi contacts sample with MySQL, and i am getting errors during initialization due to dataSourcePopulator. Looks like MySQL 4.1 does not accept the syntax used by populator.. i don't have source files for contacts, so best i can do is to disable dataSourcePopulator and create tables myself.. anyone has sample sql of tables that need to be created?
> thanx and regards
> marco

Hi Marco

Try:
http://forum.springframework.org/viewtopic.php?t=1346
http://forum.springframework.org/viewtopic.php?t=3750
http://forum.springframework.org/viewtopic.php?t=1061
http://forum.springframework.org/viewtopic.php?t=4665

Cheers
Ben
Re: [Acegisecurity-developer] retrieving users from session after authentication with acegi
Marco Mistroni wrote:
> hello all,
> i want to use acegi security framework in my webapp. in my app, after user has logged in, i am storing it into HttpSession, since i need the username for other part of my app that insert data into db. If i let acegi do the authentication/authorization, how can i retrieve the user after a successful authentication? i can get the Authenticated object from ContextHolder, and from there with getPrincipal i will get the username, but how can i get hold of ContextHOLDER? is it stored into HttpSession? i plan to use Filters for integrating acegi with my app.
> anyone can help?

If you use ContextHolder.getContext().getAuthentication() you will obtain the Authentication generated by your AuthenticationProvider. If using DaoAuthenticationProvider, the Authentication will actually provide a getPrincipal() method that will return the UserDetails instance that is provided by your AuthenticationDao. As such, you have an easy way to obtain a customisable user object without resorting to the HttpSession.

In general, interacting with the HttpSession directly is considered poor practice. The HttpSessionContextIntegrationFilter is responsible for managing interaction between the ContextHolder and HttpSession, so it shouldn't be necessary for most application developers to worry about the HttpSession.

Cheers
Ben
[Acegisecurity-developer] Re: HttpSessionContextIntegrationFilter using session ID to detect new HttpSessions
Hi Erik

> I've tried to subscribe to the mailing list, but sourceforge doesn't like my ISP for some reason.. I'm looking into it, but in the meantime I thought I would just e-mail you.

I've subscribed you manually. SF recently changed their spam filtering rules. Last week I too was unable to post to this list because, when you post, their server appears to evaluate the From: address. It connects to the From: address' mail server and does a RCPT TO. In my case, my server rejected SF's mail server doing a RCPT TO because SF's mail server was in the Spamcop real time block list. To get around it, I had to add SF's mail server to my whitelist of allowed mail servers. Thus it could RCPT TO (despite being blacklisted in Spamcop) and I could send messages.

SF really need to address the spam issue. Every day I need to manually delete at least four spam messages that people try to send to this list. Even their new RCPT TO of the From: address isn't a solution, because the offending From: addresses are probably valid (being customer service addresses from well-known companies like PayPal and eBay). A solution that would work is replying to all messages posted by non-members of a list, and requiring them to manually confirm via an obfuscated image. This would automate a validation step that currently has to be manually done by project admins.

> There was a local variable added to HttpSessionContextIntegrationFilter called httpSessionExistedAtStartOfRequest. This is a great idea, but it wasn't quite enough for us. In order to facilitate a proper logout, we found the need to actually verify the sessionIDs of the session at the start and end of the filter, to see if they had changed. When we invalidated the current session, there were things in place that would cause a new one to be created - then ACEGI would pick up the new session and store the user in it. I'm not sure if that's expected behavior or not, but for us it was undesirable.
>
> Here is a patch we made that catches this scenario and makes sure the user stays logged out. (diff is against v0.8.1)

Could you please explain in a little more detail why the existing approach doesn't work properly for you? I am not sure this is an Acegi Security issue. The "things in place that would cause a new one to be created" probably need addressing instead. If you are invalidating a session, and then something else is re-generating it, I don't think making Acegi Security detect this and respond in a special way is the optimal approach. You'll have superfluous sessions laying around at best, so I'd firstly encourage looking at whatever is re-creating the session.

Cheers
Ben
Re: [Acegisecurity-developer] Velocity security toolbox.
Achmad Arif Rachim wrote:
> Hi guys, is there any plan integrating velocity toolbox into springMacroRequestContext? like jsp authz tag? thanx

Hi Achmad

There is no plan to do this, as I use FreeMarker (and JSP when unavoidable). FreeMarker can use the existing JSP taglibs.

As usual, I welcome people to contribute extensions if there are unit tests and DocBook notes, and/or the person is happy to maintain and support it going forward.

Cheers
Ben
Re: [Acegisecurity-developer] just to say hello....
mannobug wrote:
> hi all, i'm manuel from the Tor Vergata University. i wish to say hello to everybody in this list. I chose Acegi to develop my thesis, it's a web portal (i study computer science) based on the Spring, Struts and Hibernate frameworks. For my work i decided to study and implement all the things regarding security and users' privacy. I started to read the reference documentation of acegi two days ago and i think it's too early to ask or respond, but i'll come into speech quickly i hope :-)
> well thanks for your time
> see ya
> manuel

Welcome Manuel. What portal framework are you using? It will be interesting to hear your experiences using the Struts + Spring + Acegi Security combination in a portal.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi J2ME client
Marco Mistroni wrote:
> hello all,
> i plan to use acegi as security framework for my webapplication... however i want to have also J2ME clients which will communicate using SOAP API.. will i have any problems for that? i want to avoid J2ME client to login all the time. has anyone any idea on how can i achieve that?

Hi Marco

Sorry, I haven't done any work with J2ME, so I'm not in a position to answer your questions. I am actually a little curious about this myself, especially as I had read SOAP was too heavy-weight to use in small footprint devices like J2ME platforms...

Does anyone else on this list have any J2ME experience?

Cheers
Ben
Re: [Acegisecurity-developer] SecurityContextImpl not Serializable
Tobias Järlund wrote: You should either have SecurityContext extend Serializable (like before) or have SecurityContextImpl implement it.

Fixed in CVS. I made the interface extend Serializable, as all implementations should be serializable into the HttpSession at least. Best regards Ben
Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Venkat Sonnathi wrote: Would this change be in the next release? I would be glad to help if you want.

Yes, it will be in 0.9.0. I have added it to my TODO list. You're welcome to email me patches based on current CVS if you would like to.

This was commented by Mansoor. I agree with you - ProviderManager is not the right place for this.

Thanks for the clarification - my apologies for the confusion. Best regards Ben
Re: [Acegisecurity-developer] Acegi J2ME client
Marco Mistroni wrote: Is there a link between Acegi and HttpSession?

Hi Marco Yes, there is. Internally Acegi Security uses a ContextHolder (SecurityContextHolder from 0.9.0 and current CVS) for all of its interactions. It's just a ThreadLocal. So the various authentication mechanisms (BASIC, Digest, CAS, form etc) put an Authentication object into the ContextHolder, and Acegi Security retrieves it from there whenever required. HttpSessionContextIntegrationFilter is responsible for copying the contents between the ContextHolder and the HttpSession at the start and end of each web request. As such, if your J2ME system is able to maintain the standard jsessionid or cookie-based session identifier, you shouldn't have any problems. HTH Ben
Re: [Acegisecurity-developer] acegi Mysql
Marco Mistroni wrote: Hello Ben, thanks. Following those links I was able to see the 'power' of Acegi!! It's simply great! I have one question though. In one of the sample SQL files, passwords were encrypted, and I was wondering how to deal with encryption in Acegi: 1 - which encryption mechanism is used? 2 - if I want to add a new user, how do I encrypt its password? 3 - how and when (and which parameter is used) for encrypting the password provided via the web to Acegi so that the validity can be checked against the database? Is it the saltSource parameter of authenticationManager?

Acegi Security doesn't have any encryption libraries. Encryption is two directional, as in you can take unencrypted input, encrypt it, then decrypt it back to the original. Acegi Security uses one-way hash algorithms such as MD5 and SHA1, which take unencrypted input and generate a hash code. A hash code cannot be used to regenerate the original unencrypted input. The DaoAuthenticationProvider offers a PasswordEncoder property that handles all of this. It's discussed further at http://acegisecurity.sourceforge.net/docbook/acegi.html#security-authentication-provider-dao and in the JavaDocs.

Where can I get the sources of the Contacts application?

CVS. Take a look at http://acegisecurity.sourceforge.net/cvs-usage.html. Best regards Ben
Re: [Acegisecurity-developer] acegi Mysql
Marco Mistroni wrote: Hello Ben, thanks for your reply. So if I don't use saltSource or passwordEncoder then I don't need to encrypt anything, is that correct? Because I want to be able to add my users programmatically via a web interface, and at the same time I want to encrypt their passwords in the database. What I am missing is how to get the encrypted value. Sorry, maybe it's a little off-topic, but I am a little new to encryption security.

Hi Marco When you initially save the password to your database, you'll need to perform the one-way hash. Just use the public method provided by your chosen PasswordEncoder implementation to do this. Best regards Ben
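An added example (not code from the thread or from Acegi Security itself) that puts the two replies above together: the registration code hashes with the same PasswordEncoder that DaoAuthenticationProvider is wired with, and the login path compares the presented password against the stored hash. It assumes acegi-security 0.8/0.9 on the classpath (net.sf.acegisecurity.providers.encoding) and a hypothetical system-wide salt string; in the Spring configuration the same encoder and a SystemWideSaltSource carrying that salt would be set on the provider's passwordEncoder and saltSource properties, otherwise the hashes produced at registration and at login will never match.

```java
import net.sf.acegisecurity.providers.encoding.PasswordEncoder;
import net.sf.acegisecurity.providers.encoding.ShaPasswordEncoder;

/**
 * Added example, not from the mailing list thread or the Acegi code base.
 * Demonstrates the one-way hashing split Ben describes: hash once when the
 * user record is written, verify at login through the same PasswordEncoder.
 */
public class PasswordHashingExample {

    // The same PasswordEncoder bean that DaoAuthenticationProvider.passwordEncoder points at.
    private static final PasswordEncoder ENCODER = new ShaPasswordEncoder();

    // Hypothetical system-wide salt; must equal the value given to the
    // SystemWideSaltSource configured as DaoAuthenticationProvider.saltSource.
    private static final String SALT = "example-system-wide-salt";

    /** Registration path: store the returned hash in the users table, never the raw password. */
    public static String hashForStorage(String rawPassword) {
        return ENCODER.encodePassword(rawPassword, SALT);
    }

    /** Login path: what DaoAuthenticationProvider does with the stored hash and the submitted password. */
    public static boolean matches(String storedHash, String presentedPassword) {
        return ENCODER.isPasswordValid(storedHash, presentedPassword, SALT);
    }

    public static void main(String[] args) {
        // Constructed sample input.
        String stored = hashForStorage("s3cret");
        System.out.println("value for the password column: " + stored);
        System.out.println("correct password accepted:     " + matches(stored, "s3cret"));
        System.out.println("wrong password rejected:       " + !matches(stored, "guess"));
    }
}
```

One caveat a practitioner would add here: a fast digest such as SHA-1 combined with a single system-wide salt produces identical hashes for identical passwords across users and is cheap to brute-force offline if the table leaks. Within the API discussed in this thread, a per-user salt (ReflectionSaltSource reading a property of the UserDetails, for example the username) is the stronger choice, and the salt value then has to be available to both the registration code and the provider.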
Re: [Acegisecurity-developer] LDAP instead of DBMS
mannobug wrote: Hello all, I kindly wanted to submit a question to you. I have to decide if my application has to do the authentication using the classical method, via JDBC to a DBMS, or whether I would be better directed toward the use of an external component, an LDAP server. Has someone of you used this type of solution, maybe using the implementation of LdapPasswordAuthenticationDao? I think that this solution is safer and more versatile in a university context. I thought that offices (the secretary of a department, for example) can use LDAP more easily than a DBMS; for example, using the info of users to send mail or something else regarding office operation, they just open their mail client (e.g.) and connect to the LDAP server. Do you think it can be a good idea? Thanks everybody. Kind regards

It really depends on whether your users will be requiring access solely to webapps that you can integrate with Acegi Security and/or CAS, or whether you'd like those same users to be able to access Unix logins, mail servers etc via non-HTTP means. If you want the broadest possible use of the login information, LDAP is a good base. If you're only concerned with a campus-wide series of webapps, using Acegi Security with CAS is probably best. Or, if you just want a single application to be secured, Acegi Security on its own would be easiest. I'm not sure administering an LDAP server would be easier for administrative assistants than say using a custom webapp that manages the authentication information in a DBMS. Most universities use some form of LDAP server, and given it's the most flexible approach, you're probably best off putting the authentication data in there, and using Acegi Security with its CAS module to handle most or all of your webapps. Best regards Ben
Re: [Acegisecurity-developer] Bug in FilterToBeanProxy?
George Franciscus wrote: Hmmm. That wasn't too clear. What I'm trying to say is to synch the method AND check for initialized at the top of doInit().

Thanks for the bug report. It's now fixed in CVS as suggested above. Cheers Ben
Re: [Acegisecurity-developer] Question about AbstractSecurityInterceptor
Venkat Sonnathi wrote: Hi Ben, please find attached the patch for AbstractSecurityInterceptor.java. Basically, it checks to see if the existing authentication is already authenticated or not and then invokes authenticationManager.authenticate.

Hi Venkat I have just committed to CVS various changes to the Authentication.isAuthenticated() handling. Effective herein, AbstractSecurityInterceptor will only call the AuthenticationManager if Authentication.isAuthenticated() == false. AbstractSecurityInterceptor does not call Authentication.setAuthenticated(true) - instead it leaves this choice to the AuthenticationProvider and/or Authentication concrete implementation to address.

Most Authentication implementations now provide a mutable isAuthenticated() property. By mutable I mean that setAuthenticated(false) is guaranteed by the Authentication interface contract to always be allowed. This is used by the RMI class to ensure a remotely presented Authentication is set to untrusted, ensuring the AbstractSecurityInterceptor will trigger authentication. Permitting setAuthenticated(true) (which would therefore bypass further checking at time of security interception) is an implementation choice. The main implementation used by Acegi Security, UsernamePasswordAuthenticationToken, disallows setAuthenticated(true) and instead relies upon the constructor to set the property. This means that AuthenticationProviders should be the only classes that use the UsernamePasswordAuthenticationToken(Object, Object, GrantedAuthority[]) constructor. On the other hand, any class can freely use the UsernamePasswordAuthenticationToken(Object, Object) constructor, as the resulting authentication token will not be trusted (ie isAuthenticated() will always return false). Unit tests pass. Cheers Ben
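The trust contract Ben describes, as an added example (not code from the thread or from Acegi Security itself): a request token built with the two-argument constructor is never trusted and cannot be upgraded, while a provider-built token carrying GrantedAuthority[]s is trusted from construction and can only be downgraded. It assumes acegi-security from the CVS state described above on the classpath, and that the token rejects setAuthenticated(true) with an IllegalArgumentException, which is the exception the Authentication interface declares for that case.

```java
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.GrantedAuthorityImpl;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/**
 * Added example, not from the thread or the Acegi code base. Shows which
 * constructor yields a trusted token and why AbstractSecurityInterceptor can
 * rely on isAuthenticated() to decide whether to call the AuthenticationManager.
 */
public class TrustedTokenExample {

    /** What a web filter or an RMI client builds from submitted credentials: untrusted. */
    public static Authentication untrustedRequest(String username, String password) {
        return new UsernamePasswordAuthenticationToken(username, password);
    }

    /** What only an AuthenticationProvider should build, after verifying the credentials. */
    public static Authentication trustedResult(String username, String password, String[] roles) {
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(roles[i]);
        }
        return new UsernamePasswordAuthenticationToken(username, password, authorities);
    }

    /** Attempting to mark a token trusted after construction must be refused. */
    public static boolean canUpgradeTrust(Authentication auth) {
        try {
            auth.setAuthenticated(true);
            return true;
        } catch (IllegalArgumentException refused) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample credentials.
        Authentication request = untrustedRequest("marissa", "koala");
        System.out.println("request token trusted?      " + request.isAuthenticated());
        System.out.println("request token upgradable?   " + canUpgradeTrust(request));

        Authentication result = trustedResult("marissa", "koala", new String[] {"ROLE_SUPERVISOR"});
        System.out.println("provider result trusted?    " + result.isAuthenticated());
        System.out.println("provider result upgradable? " + canUpgradeTrust(result));

        // Downgrading is always permitted: this is what the RMI side does to a
        // remotely presented token so the interceptor re-authenticates it.
        result.setAuthenticated(false);
        System.out.println("after setAuthenticated(false): " + result.isAuthenticated());
    }
}
```

The practical consequence: code outside an AuthenticationProvider should never reach for the three-argument constructor, because any caller that can mint a trusted token can bypass the AuthenticationManager entirely.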
Re: [Acegisecurity-developer] jar versions not correct in project.xml
George Franciscus wrote: The build is failing because the following dependency versions are not correct in project.xml. In both cases it needs -20040521 in the version tag.

    <dependency>
      <groupId>jspapi</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.0-20040521</version>
      <type>jar</type>
      <url>http://java.sun.com/products/jsp</url>
      <properties>
        <war.bundle>false</war.bundle>
      </properties>
    </dependency>
    <dependency>
      <groupId>servletapi</groupId>
      <artifactId>servletapi</artifactId>
      <version>2.4-20040521</version>
      <type>jar</type>
      <url>http://java.sun.com/products/servlet</url>
    </dependency>

Hi George Thanks, fixed in CVS. Cheers Ben
Re: [Acegisecurity-developer] JavaDocs for .8.x without building
Patrick Burleson wrote: Are the JavaDocs shipped with the binary download? I can't seem to find them. And the JavaDocs on the website are for the .9 release. I really don't want to have to generate them.

Hi Patrick I think they're in there. I just downloaded acegi-security-0.8.2.zip from SourceForge and found the core subproject's JavaDocs in /acegi-security-0.8.2/docs/multiproject/acegi-security/apidocs/. Cheers Ben
Re: [Acegisecurity-developer] ldap LdapPasswordAuthenticationDao
Robert r. Sanders wrote: If you won't mind sending me your changes, I'll try to get them merged with the LDAP DAO stuff.

Hi Robert and Joseph How did you end up going with the LDAP changes? What is the present status of LDAP and the Apache DS unit tests? LDAP is an important feature for a 1.0.0 release. Thanks Ben
Re: [Acegisecurity-developer] Acegi population of database tables
Marco Mistroni wrote: for both contactManagerSecurity and TransactionInterceptor. I assume they have something to do with authorization using MethodInterceptor, but I cannot figure out the meaning, for example, of sample.contact.Contact:1 for the object_identity column in acl_object_identity, and I can't understand what the purpose of the acl_permission table is, in particular the mask column and acl_object_identity. Can anyone give me some explanation on how acl_permission and acl_object_identity should be populated?

Hi Marco Have you had a chance to review the reference documentation at http://acegisecurity.sourceforge.net/docbook/acegi.html#acls? If we take the sample data:

    INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'net.sf.acegisecurity.acl.basic.SimpleAclEntry');
    INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1);
    INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0);
    INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2);
    INSERT INTO acl_permission VALUES (null, 3, 'scott', 14);
    INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);

What is basically happening is acl_object_identity represents a domain object instance. corp.DomainObject:1 is the Java classname + : + identifier of the domain object instance. So that inheritance works, the acl_object_identity table identifies the parent acl_object_identity record (or null if it has no parent). Accordingly, in the above example, DomainObject #2 and #3 and #4 all share the same parent, DomainObject #1. There is a one-to-many relationship between acl_object_identity and acl_permission, i.e. one acl_object_identity has many acl_permissions. In the example above, DomainObject #2 has two acl_permissions (for ROLE_SUPERVISOR and marissa). The acl_permission table specifies which acl_object_identity record it applies to, the recipient (usually a username or role name), and the integer mask that applies. So if we take the last acl_permission example above, it applies to acl_object_identity #6, and gives scott the permissions identified by integer mask 1. Hope this clears things up. Ben
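An added example (not code from the thread or from Acegi Security itself) that replays the sample rows above in memory, so the two things the question was about become visible: what the integer mask means bit by bit, and how the parent column lets a child object inherit an entry. The bit values are those of net.sf.acegisecurity.acl.basic.SimpleAclEntry (ADMINISTRATION=1, READ=2, WRITE=4, CREATE=8, DELETE=16), so the sample mask 14 is READ+WRITE+CREATE. The resolution rule used here, the nearest object in the parent chain that has a row for the recipient wins, is an assumption made for illustration and should be checked against the BasicAclProvider and DAO actually deployed; the example needs no Acegi classes on the classpath.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not from the thread or the Acegi code base. Models the
 * acl_object_identity / acl_permission sample rows and decodes masks.
 */
public class AclMaskExample {

    // Bit values as in net.sf.acegisecurity.acl.basic.SimpleAclEntry.
    static final int NOTHING = 0, ADMINISTRATION = 1, READ = 2, WRITE = 4, CREATE = 8, DELETE = 16;

    /** acl_object_identity: id -> parent id (null for a root object). */
    static final Map<Integer, Integer> PARENT = new HashMap<Integer, Integer>();
    /** acl_permission: "objectId:recipient" -> mask. */
    static final Map<String, Integer> MASK = new HashMap<String, Integer>();

    static {
        // Constructed from the sample INSERT statements above.
        PARENT.put(1, null);
        PARENT.put(2, 1);
        PARENT.put(3, 1);
        PARENT.put(4, 1);
        PARENT.put(5, 3);
        PARENT.put(6, 3);
        MASK.put("1:ROLE_SUPERVISOR", 1);
        MASK.put("2:ROLE_SUPERVISOR", 0);
        MASK.put("2:marissa", 2);
        MASK.put("3:scott", 14);
        MASK.put("6:scott", 1);
    }

    /** Human-readable decoding of a mask column value. */
    static String describe(int mask) {
        if (mask == NOTHING) return "NOTHING";
        List<String> names = new ArrayList<String>();
        if ((mask & ADMINISTRATION) != 0) names.add("ADMINISTRATION");
        if ((mask & READ) != 0) names.add("READ");
        if ((mask & WRITE) != 0) names.add("WRITE");
        if ((mask & CREATE) != 0) names.add("CREATE");
        if ((mask & DELETE) != 0) names.add("DELETE");
        return names.toString();
    }

    /**
     * Effective mask for a recipient on an object: the object's own row if it
     * has one, otherwise the nearest ancestor's row (assumed rule). Returns
     * null when nothing in the chain mentions the recipient, i.e. denied.
     */
    static Integer effectiveMask(int objectId, String recipient) {
        Integer current = objectId;
        while (current != null) {
            Integer mask = MASK.get(current + ":" + recipient);
            if (mask != null) return mask;
            current = PARENT.get(current);
        }
        return null;
    }

    /** Every bit in 'required' must be present in the effective mask. */
    static boolean isPermitted(int objectId, String recipient, int required) {
        Integer mask = effectiveMask(objectId, recipient);
        return mask != null && (mask & required) == required;
    }

    public static void main(String[] args) {
        System.out.println("scott on #3 (own row, 14):            " + describe(effectiveMask(3, "scott")));
        System.out.println("scott on #5 (no row, inherits #3):    " + describe(effectiveMask(5, "scott")));
        System.out.println("scott on #6 (own row 1 overrides #3): " + describe(effectiveMask(6, "scott")));
        System.out.println("ROLE_SUPERVISOR on #2 (explicit 0):   " + describe(effectiveMask(2, "ROLE_SUPERVISOR")));
        System.out.println("marissa may WRITE #2?                 " + isPermitted(2, "marissa", WRITE));
        System.out.println("scott may READ and WRITE #5?          " + isPermitted(5, "scott", READ | WRITE));
        System.out.println("unknown recipient on #4?              " + isPermitted(4, "nobody", READ));
    }
}
```

Two points worth noticing in the output: an explicit row with mask 0 (ROLE_SUPERVISOR on #2) is not "no entry", it is a deliberate revocation that stops the walk up to #1; and a recipient with no row anywhere in the chain gets null rather than 0, so a caller must treat both as denied.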
Re: [Acegisecurity-developer] non-serializable stuff on the session
Joseph Dane wrote: [14:07:22.035] Failed storing persistent session attribute `ACEGI_SECURITY_LAST_EXCEPTION'. Persistent session values must extend java.io.Serializable. [14:07:22.035] java.io.NotSerializableException: com.sun.jndi.ldap.LdapCtx my own recommendation, fwiw, would be to just remove this bit.

Hi Joseph Unfortunately a lot of people rely on the exception information to display diagnostic information to the user. I've taken the easy-way-out:

    try {
        request.getSession().setAttribute(ACEGI_SECURITY_LAST_EXCEPTION_KEY, failed);
    } catch (Exception ignored) {}

Now in CVS. Cheers Ben
Re: [Acegisecurity-developer] RequestDispatcher forwards
Victor Tatai wrote: Hello, I posted this doubt to the forum but no one answered it: http://forum.springframework.org/viewtopic.php?t=5915 My solution was to implement a custom FilterSecurityInterceptor, but I think that perhaps a better solution would be to add this support to the FilterSecurityInterceptor itself.

My apologies for the delay. I have been overseas consulting and am only just getting on top of things again. I haven't yet read your post, but I think we can make the once-per-request optional to cater for forwards. I'll look into this change when I answer your forum message. Best regards Ben
Re: [Acegisecurity-developer] JdbcDaoImpl overrides queries and mappings in initDao()
Durham David R Jr Ctr 805 CSPTS/SCE wrote: Am I correct that this will effectively override any property config that you might have done in Spring?

Yes, it will. Most people tend to change the SQL strings or subclass JdbcDaoImpl, though, as opposed to providing a new AuthoritiesByUsernameMapping via a bean property name=authoritiesByUsernameMapping. To avoid confusion I have removed the getters and setters for the MappingSqlQuery, so that people are forced to either use the query strings or subclass and override the MappingSqlQuerys. Committed to CVS. Cheers Ben
Re: [Acegisecurity-developer] AuthenticationFailureEvent?
Mark St Godard wrote: Does it make sense for this to be refactored to have a single AuthenticationFailureEvent (class or interface) with the 7 subclasses or implementors? i.e.

    AuthenticationEvent
    AuthenticationSuccessEvent extends AuthenticationEvent
    AuthenticationFailureEvent extends AuthenticationEvent

(all auth fail events subclass the above OR make an interface (marker perhaps) for AuthenticationFailureEvent?)

Hi Mark I went with a common abstract superclass, AuthenticationFailureEvent. Now in CVS. Cheers Ben
[Acegisecurity-developer] Support for HTTP request memento in Form Authenticator
Curtis Light wrote: Please let me clarify: the authentication information itself would never be stored--just the last attempted POST in the event of session expiration. I'm looking for a mechanism instead that will save a memento of the content of a regular HTML form if the user takes too long to complete and submit the form. If the user takes 16 minutes to fill out a form, but the session only lasts 15 minutes, then the posted form data would be lost. I've seen this implemented in a hand-rolled fashion before. The servlet would check to see if a session exists for each HTTP POST. If the session does exist and the user has been authenticated, then the servlet processes the transaction normally. However, if the session does not exist, the servlet would create a new session and store those parameters in the new session. The servlet would then display a login page and prompt for reauthentication. After reauthenticating, the servlet would pull the original POST parameters out of the session, and it would process them just as it would if the reauthentication was not required. I realize that this may cause a creation of a session that could open the door for a denial of service attack, so an alternative to this method would be encoding the HTTP POST content into a Base64-encoded string and passing it to the login screen in a hidden field. That gets around the need to create a new session upon the receipt of any post. 
Most people get around the session timeout issue via these common approaches:

- Use the remember-me hooks provided by Acegi Security to send back a memento that is subsequently recognised by Acegi Security (see the existing remember-me implementation and code in 0.8.2 or CVS)
- Use Digest authentication, so that HTTP sessions are not required
- Use BASIC authentication, so that HTTP sessions are not required

If you were concerned about the user seeing a login page and spending too long completing it, as you point out you could store the AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY in a request parameter that the original login.jsp (or equivalent view) rendered. A custom AuthenticationProcessingFilter would then reassociate the ACEGI_SECURITY_TARGET_URL_KEY with the HttpSession if it detected the HttpSession was new. In effect this moves the only Acegi Security related use of the HttpSession during authentication processing to a request parameter. Also recall that the AbstractProcessingFilter.defaultTargetUrl provides a reasonable solution to timeout during completion of the login page. Or, am I misunderstanding your timeout concern? HTH Ben
[Acegisecurity-developer] JIRA Issue Tracking
Hi everyone Acegi Security is now listed in Spring's JIRA. It's called Spring Security in JIRA, and I've added all current known TODO list items. Please use JIRA for future issue tracking, features etc. http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040 Cheers Ben
Re: [Acegisecurity-developer] Captcha
Marc-Antoine Garrigue wrote: Ben Alex told me recently that the API is now stabilized and thus we planned to share our code within two weeks and release it this summer. What is your opinion about the plan?

Hi George and Marc-Antoine George, if you post your code against the JIRA task I would be pleased to take a look and explore integration. Marc-Antoine, I believe the Acegi Security-JCaptcha integration would be better maintained within the Acegi Security project, for a few reasons:

* I would like to give Acegi Security users the benefits of JCaptcha without having to download it separately. People will like seeing JCaptcha demonstrated in the Contacts sample application included with Acegi Security. Many people cut 'n' copy the sample code into their own application, so many will keep the JCaptcha integration. In reverse, I cannot imagine JCaptcha having a sample application that demonstrates Acegi Security features.

* The specific approach to JCaptcha integration with Acegi Security configuration attributes, filter security interceptor, the ThreadLocal and Authentication object is likely to develop over time. As decisions about when to invoke JCaptcha and record the outcome are more concerns of Acegi Security, it seems more desirable the integration be managed in the latter's source code.

* Luke is well-progressed on a web.xml to Acegi Security migration tool (http://opensource.atlassian.com/projects/spring/browse/SEC-1). In a later version we will include as part of the wizard process a question, "would you like JCaptcha services?" or similar. This will allow people addressing their webapp security to adopt JCaptcha. We can only ask this question if JCaptcha is included with Acegi Security.

* In terms of exposure by where to bundle, many Spring users who download Acegi Security would be unaware of JCaptcha. So bundling JCaptcha with Acegi Security will increase exposure of JCaptcha. On the other hand, Spring users who download JCaptcha will probably already be aware of Acegi Security (due to the forum, reference documentation, subproject status, several books on it etc). I cannot therefore see Acegi Security increasing its user base by being bundled with JCaptcha, whereas I can see an exposure benefit to JCaptcha by being bundled with Acegi Security.

* Acegi Security already bundles the CAS client, so a precedent has been set of placing third party project integration within Acegi Security. The CAS integration demonstrates what I was referring to earlier about the integration being more tightly coupled with Acegi Security than CAS, with the latter offering well-defined protocol standards.

* JCaptcha has currently had 4,498 downloads (http://sourceforge.net/project/stats/index.php?group_id=97877&ugn=jcaptcha&type=&mode=alltime) whilst Acegi Security has currently had 21,468 (http://sourceforge.net/project/stats/index.php?group_id=104215&ugn=acegisecurity&type=&mode=alltime). Both projects have been around for a similar length of time. Given this, it seems reasonable to have greater confidence in my earlier point that JCaptcha exposure would increase through being bundled with Acegi Security, as opposed to the other way around.

It would be good to work with you on this. If you wanted to maintain the JCaptcha integration within Acegi Security, I would be pleased to give you CVS access to ensure ongoing integration compatibility. I welcome other people's comments on this. I am just trying to achieve maximum awareness and exposure for both projects, as JCaptcha is a good solution which I know people will use if it's easy for them to do so. Cheers Ben
Re: [Acegisecurity-developer] Struts menu with Acegi
Marco Mistroni wrote: Hello all, has anyone ever used Struts Menu together with Acegi? Following what's explained in this link http://struts-menu.sourceforge.net/security.html I would like to implement my own PermissionAdapter that uses Acegi in order to load menu items dynamically for my application.

Hi Marco I just read http://struts-menu.sourceforge.net/apidocs/net/sf/navigator/menu/RolesPermissionsAdapter.html and looked at its source at http://struts-menu.sourceforge.net/xref/net/sf/navigator/menu/RolesPermissionsAdapter.html, and it simply uses HttpServletRequest.isUserInRole(String) internally. Thus, you can use the ContextHolderAwareRequestFilter to interface this tool with Acegi Security. It's discussed more at http://acegisecurity.sourceforge.net/docbook/acegi.html#security-container-adapters-overview. Best regards Ben
Re: [Acegisecurity-developer] Fwd: Adding roles without editing the configuration
Kjetil Paulsen wrote: Thanks for the response. I see what you are saying; however, since we don't have roles in the system today and isUserInRole is based on the group the user belongs to, I'm not sure how to handle this... Could it be a quick fix to add a 'known' role like 'USERS' to all users in the system in the custom AuthenticationDAO? Or am I still missing something?

HttpServletRequest.isUserInRole(String), when used with Acegi Security, uses Authentication.getAuthorities(). In other words, it uses the GrantedAuthority[]s assigned to the Authentication. Your DaoAuthenticationProvider will use an AuthenticationDao to look up a UserDetails for a given username. The UserDetails your AuthenticationDao generates will be used within the Authentication object, and thus the GrantedAuthority[]s returned by the AuthenticationDao are important as these in turn get used by HttpServletRequest.isUserInRole(String). How your AuthenticationDao reconciles your application's concept of groups and permissions is up to you. There is absolutely no reason to need to express the groups in XML. Your permissions, on the other hand, will need to be referred to by FilterSecurityInterceptor.objectDefinitionSource. So, your earlier example would be modified to:

    /userlogin/*=ROLE_Admin,ROLE_SuperAdmin
    /admin/**=ROLE_Admin,ROLE_SuperAdmin
    /secure.jsp=ROLE_Admin,ROLE_SuperAdmin
    /**=ROLE_ANONYMOUS,ROLE_Admin,ROLE_SuperAdmin

Your AuthenticationDao would deal with returning a UserDetails with GrantedAuthority[]s that contain ROLE_SuperAdmin, and/or ROLE_Admin, for a given username. I have really just gone over what Ray mentioned and is discussed on the forums. If you need further clarification, would you please give some more detail on your question/concern. Thanks Ben
Re: [Acegisecurity-developer] why require an ADM
March, Andres wrote:
> When using an afterInvocationManager it may not always be necessary or possible to provide before invocation security, so why require an ADM? I just use one that allows everyone and abstentions to pass but it seems like a bit of overhead when all I really care about is filtering the response data. Am I missing something?

You could always write (assuming you haven't already, as it sounds like from your email) a NoOperationAccessDecisionManager which implements AccessDecisionManager and just immediately returns from each method. Most people check the user has a ROLE_USER or similar in the AccessDecisionManager, to ensure the user is logged in before they invoke the method.

I can't see that invocation adding much overhead to be honest - it's not being dynamically proxied or anything, it's just calling a method that immediately returns. Do you have some profiling that shows it's adding a lot of overhead to your app? If so we could possibly make it a switchable parameter on the AbstractSecurityInterceptor.

Cheers
Ben
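The "check for ROLE_USER" variant Ben mentions, as an added example (written for this page, not part of Acegi Security): an AccessDecisionManager that ignores the ConfigAttributeDefinition entirely and only insists the caller holds one baseline role, leaving all real filtering to the AfterInvocationManager. The class name and the requiredRole property are constructed; the three AccessDecisionManager methods are those of the 0.x interface.

```java
import net.sf.acegisecurity.AccessDecisionManager;
import net.sf.acegisecurity.AccessDeniedException;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.GrantedAuthority;

/**
 * Hypothetical AccessDecisionManager: a cheap before-invocation check that the
 * caller is a logged-in user, used where the response filtering happens in the
 * AfterInvocationManager. It never looks at the ConfigAttributeDefinition.
 */
public class RequireRoleAccessDecisionManager implements AccessDecisionManager {

    private String requiredRole = "ROLE_USER";

    public void setRequiredRole(String requiredRole) {
        this.requiredRole = requiredRole;
    }

    public void decide(Authentication authentication, Object object,
            ConfigAttributeDefinition config) throws AccessDeniedException {
        if (authentication == null) {
            throw new AccessDeniedException("No Authentication present");
        }
        GrantedAuthority[] granted = authentication.getAuthorities();
        for (int i = 0; granted != null && i < granted.length; i++) {
            if (requiredRole.equals(granted[i].getAuthority())) {
                return; // caller holds the baseline role: let the invocation proceed
            }
        }
        // Anonymous callers and callers without the role are stopped here, before
        // the method runs and before any after-invocation filtering.
        throw new AccessDeniedException("Caller lacks " + requiredRole);
    }

    /** Any attribute is acceptable because decide() never consults them. */
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    public boolean supports(Class clazz) {
        return true;
    }
}
```

The cost is one array scan per invocation, which is the "method that immediately returns" overhead the reply describes; a pure no-op would drop the scan but also let an anonymous caller reach the method body.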
Re: [Acegisecurity-developer] ACL interfaces
March, Andres wrote:
> Thanks to the acegi team, my ACL implementation is relatively simple. But I have been struggling a little finding the proper extension points. The basic implementations are great but I have found them hard to extend. In particular, the BasicAclEntryAfterInvocationProvider requires the use of the AbstractBasicAclEntry, so it can call isPermitted(). I am wondering why this method cannot be part of an interface (maybe BasicAclEntry). For various reasons, some of them hibernate-related, I need to have my own implementation of BasicAclEntry. Does this make sense?

I can't see any problem with this at first glance, but would need to take a closer look. Could you please add it to JIRA?

Thanks
Ben
Re: [Acegisecurity-developer] Captcha
marc antoine garrigue wrote:
> - I can commit my adapter code, under your license and copyright, as soon as you give me the access to your VCS.

Hi Marc

I've given you CVS access to the project. Welcome aboard.

Cheers
Ben
Re: [Acegisecurity-developer] Adding User/permissions programmatically
Marco Mistroni wrote:
> Hello all, I am currently using Acegi for security purposes in my application. Currently, I have populated database tables via SQL, but I was curious if Acegi provides APIs for populating the database programmatically. I plan to use Hibernate to do that. I was curious to know if Acegi already has its own API for doing that. Thanks in advance and regards, marco

Hi Marco

No, there are no APIs for populating the DB tables with authentication or authorization data. The one exception is the ACL services do have a mutable DAO, JdbcExtendedDaoImpl: http://acegisecurity.sourceforge.net/multiproject/acegi-security/clover/net/sf/acegisecurity/acl/basic/jdbc/JdbcExtendedDaoImpl.html

Cheers
Ben
Re: [Acegisecurity-developer] How about enable checking username in JdbcDaoImpl?
Parker Wong wrote:
> If there is a property in JdbcDaoImpl that can hold a regular expression, JdbcDaoImpl would be able to check the username before inserting it into the SQL template.

Hi Parker

No, there is no property that does this. Whilst it would be easy to add, I'm not sure the regular expression processing would in aggregate save that much CPU time compared with the RDBMS simply returning no rows. Or was there some other scenario where the regular expression would help?

Don't forget people can write their own AuthenticationDao that wraps JdbcDaoImpl and performs the regular expression check prior to delegation to the JdbcDaoImpl if such performance was required.

Cheers
Ben
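The wrapping AuthenticationDao Ben describes, as an added example (written for this page, not Acegi Security's own code): a decorator that applies the pattern check and only then delegates to the real DAO, so JdbcDaoImpl itself stays untouched. The class name and constructor are constructed, and java.util.regex means it needs JDK 1.4 or later.

```java
import java.util.regex.Pattern;

import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.providers.dao.AuthenticationDao;
import net.sf.acegisecurity.providers.dao.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;

/**
 * Hypothetical decorator: usernames that do not match an allowed pattern are
 * rejected before the wrapped AuthenticationDao (for instance JdbcDaoImpl) is
 * ever asked, so no database round trip happens for malformed input.
 */
public class PatternCheckingAuthenticationDao implements AuthenticationDao {

    private final AuthenticationDao delegate;
    private final Pattern allowed;

    /**
     * @param delegate the real lookup, e.g. a configured JdbcDaoImpl
     * @param regex    pattern the whole username must match, e.g. "[A-Za-z0-9_.@-]{1,64}"
     */
    public PatternCheckingAuthenticationDao(AuthenticationDao delegate, String regex) {
        if (delegate == null) {
            throw new IllegalArgumentException("delegate is required");
        }
        this.delegate = delegate;
        this.allowed = Pattern.compile(regex);
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        if (username == null || !allowed.matcher(username).matches()) {
            // Raise the same exception an unknown user would, so a caller cannot
            // tell "malformed" apart from "not found".
            throw new UsernameNotFoundException("Username rejected");
        }
        return delegate.loadUserByUsername(username);
    }
}
```

In Spring XML this class becomes the authenticationDao of DaoAuthenticationProvider with the existing JdbcDaoImpl bean passed as its first constructor argument; the provider's usual handling of UsernameNotFoundException then applies to rejected names as well.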
Re: [Acegisecurity-developer] Acegi from CVS has failing test
Paulo Neves wrote:
> testFileConversion(net.sf.acegisecurity.util.WebXmlToAcegiSecurityConverterTests):

That test case is associated with work Luke's doing on the web.xml converter tool. Luke, would you please take a look?

Thanks
Ben
Re: [Acegisecurity-developer] Captcha
marc antoine garrigue wrote:
> Hi all, I have some questions regarding the development rules:
> - Where to commit my code? In the sandbox or directly in the core?
> - Should I add a new package for captcha related stuff (context, channel, filter etc.) or should I commit it in the existing packages?

Hi Marc

Yes, just create new packages under core as appropriate for the Captcha design you're implementing.

Cheers
Ben
Re: [Acegisecurity-developer] Any support for multiple login pages ?
Pascal Gehl wrote:
> Hi guys, Sorry to send to the developer mailing list but I can't get answers from the spring mailing list. I have a requirement to have different login pages depending on which resource is accessed. I checked the acegi API and found nothing. Is there a hidden way to do that? thanks Pascal Gehl

You'd need your AuthenticationEntryPoint to be customised:

    public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException) throws IOException, ServletException;

You can check the ServletRequest to determine the URL being requested, and then redirect accordingly. Base it on AuthenticationProcessingFilterEntryPoint.

Cheers
Ben
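A custom AuthenticationEntryPoint of the kind Ben suggests, as an added example (written for this page, not Acegi Security's code): it maps context-relative path prefixes to login forms and redirects to the first match, falling back to a default form. The class name, the addMapping/setDefaultLoginForm properties and the sample paths are constructed; the AuthenticationEntryPoint interface is assumed to live in net.sf.acegisecurity.intercept.web as in the 0.x tree.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.intercept.web.AuthenticationEntryPoint;

/**
 * Hypothetical entry point: chooses the login form from the path that was
 * requested. Mappings are checked in insertion order, so register the most
 * specific prefix first.
 */
public class UrlDependentLoginEntryPoint implements AuthenticationEntryPoint {

    /** context-relative path prefix -> context-relative login form */
    private final Map loginFormsByPrefix = new LinkedHashMap();
    private String defaultLoginForm = "/login.jsp";

    public void addMapping(String pathPrefix, String loginForm) {
        loginFormsByPrefix.put(pathPrefix, loginForm);
    }

    public void setDefaultLoginForm(String loginForm) {
        this.defaultLoginForm = loginForm;
    }

    /** Picks the login form for a context-relative path; package-visible for unit tests. */
    String loginFormFor(String path) {
        for (Iterator it = loginFormsByPrefix.entrySet().iterator(); it.hasNext();) {
            Map.Entry entry = (Map.Entry) it.next();
            if (path.startsWith((String) entry.getKey())) {
                return (String) entry.getValue();
            }
        }
        return defaultLoginForm;
    }

    public void commence(ServletRequest request, ServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // servletPath plus pathInfo is the path relative to the web application
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        // Only configured, context-relative targets ever reach the Location header;
        // nothing taken from the request is echoed into the redirect.
        String target = req.getContextPath() + loginFormFor(path);
        resp.sendRedirect(resp.encodeRedirectURL(target));
    }
}
```

With addMapping("/admin/", "/admin/login.jsp") and addMapping("/partner/", "/partner/login.jsp"), a request for /admin/users is sent to /admin/login.jsp and anything else to /login.jsp. Because the lookup is done in loginFormFor(), the choice can be unit tested without a servlet container.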
Re: [Acegisecurity-developer] Struts menu with Acegi
Marco Mistroni wrote:
> will this be a correct declaration in web.xml?
>
>     <filter>
>       <filter-name>ContextHolderAware Filter</filter-name>
>       <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
>       <init-param>
>         <param-name>targetClass</param-name>
>         <param-value>net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter</param-value>
>       </init-param>
>     </filter>
>
>     <filter-mapping>
>       <filter-name>ContextHolderAware Filter</filter-name>
>       <url-pattern>/*</url-pattern>
>     </filter-mapping>

This looks correct to me. Are your filter orders correct? See http://acegisecurity.sourceforge.net/docbook/acegi.html#security-filters-order.

Best regards
Ben
Re: [Acegisecurity-developer] Contexts left in ThreadLocal, leading to user switching?
March, Andres wrote:
> We've used acegi in production now for 6 months and have not experienced this behavior. AFAIK the filter correctly clears the thread local upon exit. Filter order could affect this if somehow the filter chain exits before completion and skips this filter. Are you using filter to bean proxy? Can you post your filter order?

0.7.0 used the old well-known-request model, which was dependent on AbstractIntegrationFilter: http://cvs.sourceforge.net/viewcvs.py/acegisecurity/acegisecurity/core/src/main/java/net/sf/acegisecurity/ui/Attic/AbstractIntegrationFilter.java?rev=1.7&view=auto

Reading the code shows no cleanup handling of IOExceptions or ServletExceptions. Thus, there is a bug, but it is corrected in the current CVS HEAD as others mentioned.

Cheers
Ben
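To make the bug class concrete, an added example (constructed for this page; it is not the 0.7.0 AbstractIntegrationFilter source and does not use Acegi's holder class): a ThreadLocal holder stands in for the context holder, a leaky filter clears it only on the normal path, and the fixed filter clears it in a finally block. With a servlet container's thread pool, the leaky version leaves the previous request's principal on the thread whenever the chain throws, which is exactly how one user can appear with another's credentials. Class names are constructed and getUserPrincipal() is only a convenient source of something to store.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Stand-in for a ThreadLocal context holder (constructed for this example). */
class RequestPrincipalHolder {
    private static final ThreadLocal HOLDER = new ThreadLocal();

    static void set(Object principal) { HOLDER.set(principal); }

    static Object get() { return HOLDER.get(); }

    static void clear() { HOLDER.set(null); }
}

/** BROKEN: an IOException or ServletException from the chain skips the clear(). */
class LeakyIntegrationFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        RequestPrincipalHolder.set(((HttpServletRequest) req).getUserPrincipal());
        chain.doFilter(req, res);
        RequestPrincipalHolder.clear(); // not reached when doFilter throws
    }

    public void init(FilterConfig config) {}

    public void destroy() {}
}

/** FIXED: the holder is cleared on every exit path, so the pooled thread starts the next request empty. */
class SafeIntegrationFilter implements Filter {
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        RequestPrincipalHolder.set(((HttpServletRequest) req).getUserPrincipal());
        try {
            chain.doFilter(req, res);
        } finally {
            RequestPrincipalHolder.clear();
        }
    }

    public void init(FilterConfig config) {}

    public void destroy() {}
}
```

A unit test for either filter would run doFilter with a chain that throws ServletException and then assert that RequestPrincipalHolder.get() is null on the calling thread; only the finally-based filter passes.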
Re: [Acegisecurity-developer] Contexts left in ThreadLocal, leading to user switching?
Seth Ladd wrote:
> Thanks Ben. How stable is the HEAD? This is a big deal for us, as we're experiencing users having the wrong credentials. We need to upgrade ASAP or take out Acegi (which I'd hate to do).

HEAD is stable, I am using it on projects without hesitation. I would encourage you to upgrade.

I could check out the snapshot and do a release for the 0.7.0 series to correct the bug, but it would be a bit of time that seems better applied to getting 0.9.0 formally released. Do others agree?

Sorry for the inconvenience.

Cheers
Ben
Re: [Acegisecurity-developer] maven build from cvs failing
Seth Ladd wrote:
>     [junit] Running net.sf.acegisecurity.util.WebXmlToAcegiSecurityConverterTests
>     [junit] Tests run: 1, Failures: 0, Errors: 1, Time elapsed: 0.032 sec
>     [junit] [ERROR] TEST net.sf.acegisecurity.util.WebXmlToAcegiSecurityConverterTests FAILED

Hi Seth

Please try to check out again, as that test is passing on the web site generated Maven report, so I think CVS HEAD is now OK: http://acegisecurity.sourceforge.net/multiproject/acegi-security/junit-report.html

Cheers
Ben
Re: [Acegisecurity-developer] Any support for multiple login pages ?
Joseph Dane wrote:
> A somewhat related issue that I'm going to need to address soon is multiple default targets. That is, say you've got three classes of users, and you want to provide a different home URL for each. Each might hit the same login page (or not) but after the successful login we need to redirect to a different URL for each class.

A good example of an extension to AuthenticationProcessingFilter. Again, if you come up with something general-purpose and useful - probably an interface will do in this case, like public String getRedirect(Authentication, HttpServletRequest) - I'd be happy to add it to CVS. If you add a JIRA task with your requirements, I can add this feature to 0.9.0 even if you don't get around to doing an implementation.

Cheers
Ben
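One shape the proposed getRedirect(Authentication, HttpServletRequest) interface could take, as an added example (written for this page; the interface and class names are constructed and nothing here was added to Acegi Security): roles are checked in a configured precedence order and the first one the user holds decides the home URL, with a fallback for users holding none of them.

```java
import javax.servlet.http.HttpServletRequest;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;

/** Hypothetical strategy interface, following the signature proposed in the thread. */
interface AuthenticationSuccessRedirectResolver {
    String getRedirect(Authentication authentication, HttpServletRequest request);
}

/**
 * Hypothetical implementation: roles[i] maps to targets[i]; the first role in
 * configuration order that the user holds wins, so an administrator who also
 * has ROLE_USER still lands on the administration page.
 */
public class RoleBasedRedirectResolver implements AuthenticationSuccessRedirectResolver {

    private final String[] roles;
    private final String[] targets;
    private final String fallback;

    public RoleBasedRedirectResolver(String[] roles, String[] targets, String fallback) {
        if (roles == null || targets == null || roles.length != targets.length) {
            throw new IllegalArgumentException("roles and targets must pair up");
        }
        this.roles = roles;
        this.targets = targets;
        this.fallback = fallback;
    }

    public String getRedirect(Authentication authentication, HttpServletRequest request) {
        GrantedAuthority[] granted = authentication.getAuthorities();
        for (int i = 0; i < roles.length; i++) {
            for (int j = 0; granted != null && j < granted.length; j++) {
                if (roles[i].equals(granted[j].getAuthority())) {
                    return request.getContextPath() + targets[i];
                }
            }
        }
        // Targets are configured, context-relative paths only, never request-supplied values.
        return request.getContextPath() + fallback;
    }
}
```

A subclass of AuthenticationProcessingFilter would consult this resolver after a successful authentication instead of its single configured target URL; constructing it with {"ROLE_SuperAdmin", "ROLE_Admin"}, {"/super/home.jsp", "/admin/home.jsp"} and "/home.jsp" gives the three-class behaviour described in the question.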
Re: [Acegisecurity-developer] Security advisory for all Acegi Security users
Scott McCrory wrote:
> On Tue, 12 Jul 2005 09:18:33 -0500, Ray Krueger wrote
> > Yes, unfortunately it does. Acegi 0.8.2 requires Spring 1.2.
> > -Ray
>
> Ahh, thought so. No joy for those of us still running in JDK 1.3 containers like Websphere 5. Just a general statement, but there are a LOT of companies running lots of Websphere instances, and switching to Tomcat/JBoss/Weblogic/etc. isn't an easy option by any means.

Just for the record, 0.8.2 was motivated as many people were happily on 0.8.1 but then Spring 1.2 came out and this broke Acegi Security 0.8.1. The majority of the community wanted 0.8.2 to be released ASAP which supports Spring 1.2.

I will get started on an 0.8.1.1 release to accommodate the 0.8.1 users.

Scott does raise an interesting point in that what version of Spring are people actually using? I'd hate to think people are stuck on 0.8.1 with all the goodies (and fixes) added to 0.8.2 and now 0.9.0 and planned for 1.0.0.

Cheers
Ben
[Acegisecurity-developer] Spring 1.2 Support for JDK 1.3
Scott McCrory wrote:
> In short, I'd be just a tiny voice asking for Spring 1.2+ to maintain JDK 1.3 compatibility, but is it too late to decouple Acegi from Spring 1.2+?

I'll move this to the Spring Developers mailing list, as it's more related to Spring than Acegi Security. Juergen posted an email in April that gave me the impression Spring's JDK 1.3 support was pretty good: http://thread.gmane.org/gmane.comp.java.springframework.devel/8208. Is this no longer the case?

We would have a difficult time maintaining support for multiple Spring versions in Acegi Security. I would prefer to know that Spring 1.2 definitely could not support JDK 1.3 before going down that path.

Cheers
Ben
Re: [Acegisecurity-developer] FW: Sun moves its secure ID to open source
Colin Sampaleanu wrote:
> Interesting... Good to see this SSO and identity management code will be available as open source: http://www.techworld.com/security/news/index.cfm?NewsID=4030&Page=1&pagePos=11

Very good! Shame about the timetable. Quoting https://opensso.dev.java.net/: Complete Open Source availability for all sources - April 2006.

We should make a list of SSO implementations we want to provide pluggable interoperability for. JOSSO, CAS, OpenSSO - are there any others we can get access to that people need?

Cheers
Ben
Re: [Acegisecurity-developer] FW: Sun moves its secure ID to open source
Joe Shomphe wrote:
> I second that.
>
> On 7/15/05, Amad Fida [EMAIL PROTECTED] wrote:
> > I think SiteMinder integration would be really beneficial
> >
> > --- Scott McCrory [EMAIL PROTECTED] wrote:
> > > I can provide help with Siteminder integration if desired.

I followed this up off-list with Scott, who now has CVS access to Acegi Security and has kindly offered to work on this feature. Also, SiteMinder integration now has a new JIRA task so that interested people can keep track: http://opensource.atlassian.com/projects/spring/browse/SEC-35

Welcome aboard, Scott.

Cheers
Ben
[Acegisecurity-developer] New Developer
Hi all

Mark St Godard has just joined the development team, initially to work on switchable user profiles at runtime - a bit like the su command in Unix, but suitable for webapps (http://opensource.atlassian.com/projects/spring/browse/SEC-15).

Welcome Mark.

Cheers
Ben
Re: [Acegisecurity-developer] Captcha
marc antoine garrigue wrote:
> Hi, I've finished coding and testing the first version of the acegi captcha adapter. It is all under a new captcha package. I wish to commit it. Do you have any objection? Regards MAG

Hi Marc

Feel free to commit.

Cheers
Ben
Re: [Acegisecurity-developer] [PATCH] Prevent AnonymousProcessingFilter from creating HttpSessions
mike perham wrote:
> Thanks for a great subsystem, guys. The documentation is fantastic, the build as simple as 1-2-3 and the API well designed. This patch is against the latest CVS snapshot. Note also that I removed a huge block of javadoc that doesn't seem to apply - I assume it was a cut and paste error.

Hi Mike

I have now committed this to CVS, along with a suitable unit test. Please note I made the default true, because I can't see any real reason why people would not desire the new behaviour. There's a comment in the upgrade-080-090.html file so that people are aware of this.

Thanks for the contribution.

Ben
Re: [Acegisecurity-developer] Question about AuthenticationProcessingFilterEntryPoint..
Pascal Gehl wrote:
> In our project we don't have easy access to the apache config files (politics...) and by switching to acegi we have an infinite loop because
> 1. client is accessing a protected resource
> 2. acegi tells him to go to login page
> 3. apache tells him to go to protected resource
> 4. go back to 2.
> We had to subclass the entry point to do a forward instead of a sendRedirect.

I don't understand what in Apache is doing step 3. Is this a standard Tomcat feature? If using Acegi Security, the recommended approach is to not use any container security at all - just let Acegi Security do the lot for you.

It would be good if you could explain your configuration a little more.

Cheers
Ben
Re: [Acegisecurity-developer] Volunteering for multiple login pages
Pascal Gehl wrote:
> Hi, I have spare time right now, I would like to volunteer to develop the multiple login pages feature. I'm new to developing in the open source world. Can you point me to a link/text/place where your process is explained? thanks Pascal gehl

Hi Pascal

We always welcome new contributors. Generally the best approach is to volunteer to work on a particular feature and submit a patch to the relevant JIRA task (or create one if there isn't one already). The patch should be based on the latest CVS HEAD, and contain unit tests that exercise your contribution. After a series of accepted patches, supporting the community members who use them, and reasonable understanding of the project's architecture, I'll generally grant CVS commit rights to avoid the JIRA step.

The Acegi Security web site has a Building with Maven page that discusses checking out CVS HEAD and building using Maven. I can also help you get compiling if needed - just email this list.

The JIRA database is at http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040. Please feel free to work on anything in JIRA. All the tasks assigned to me, for instance, are up for grabs.

Look forward to your involvement.

Best regards
Ben
Re: [Acegisecurity-developer] MethodSecurityInterceptor and objectDefinitionSource property
Maxim Gordienko wrote:
> Hello, why is there no way to define a method with argument parameters via the property editor for the property MethodSecurityInterceptor.objectDefinitionSource? This should be pretty simple to parse argument types along with the wildcard (which is currently implemented). Thank you. -Maxim

Hi Maxim

The relevant Property Editor was initially based on Spring's transaction support, which did not offer this feature. I would welcome you to log a JIRA task for this feature so that it doesn't get forgotten. Better still, attach a patch and unit test and we'll get it into CVS quickly. :-)

Best regards
Ben
Re: [Acegisecurity-developer] UsernamePasswordAuthenticationToken.getName() invokes returns toString() of AbstractAuthenticationToken
Lawrence Blanchette wrote:
> I see I could use getRemoteUser on the request to get the login name and that is what I want. The Principal interface does not seem clear on behavior. Just thought I'd point this out.

Hi Larry

Thanks for the info. Good that you've got a solution.

Cheers
Ben
Re: [Acegisecurity-developer] [multiple login form] : code attached to the issue in JIRA.
Pascal Gehl wrote:
> Hi, I have attached the code and the unit tests for the multiple login forms entry point to the following jira task: http://opensource.atlassian.com/projects/spring/browse/SEC-33 I'm about to write the doc on how to use it. Remarks, improvements highly welcome.

Hi Pascal

Thanks for the contrib - I'll take a look and get back to you.

Cheers
Ben
Re: [Acegisecurity-developer] IMPORTANT: Project management procedures
Scott McCrory wrote:
> On Mon, 25 Jul 2005 12:17:29 +1000, Ben Alex wrote
> > Hi everyone
> >
> > Now that we've got 14 developers with CVS rights, and we've recently introduced JIRA, I wish to propose some project management {...}
>
> These are good and I'd recommend converting it into a new developer's guide or orientation artifact that can be referenced on the Acegi site.

Thanks Scott. Did anyone else have any feedback? I received some off-list support for the proposals, but I'd like to encourage some more discussion before we standardise on anything. Even a +1 if you're in agreement would be good (non-developers are invited to vote or provide feedback as well).

Cheers
Ben
Re: [Acegisecurity-developer] FilterToBeanProxy and FilterChainProxy
Pascal Gehl wrote:
> Same thing for net.sf.acegisecurity.util.FilterChainProxy. I really like the net.sf.acegisecurity.util.FilterToBeanProxy, I think it should be promoted to Spring Web because it can be useful for all kinds of filters.

I have no problem with Spring Core adopting either class, or any other Acegi Security general-purpose class for that matter.

org.springframework.web.filter.DelegatingFilterProxy has been added to Spring Core, providing similar functionality to FilterToBeanProxy. There is no Spring Core equivalent class for FilterChainProxy. Because most Acegi Security configuration now uses this latter class - and we only use FilterToBeanProxy from web.xml to actually delegate to a FilterChainProxy - I haven't changed Acegi Security's samples etc to use DelegatingFilterProxy.

Cheers
Ben
Re: [Acegisecurity-developer] debug.jsp bug
Jared Odulio wrote:
> There's no such thing as SecurityContextHolder.getAuthentication();

Hi Jared

Thanks, fixed in CVS.

Ben
Re: [Acegisecurity-developer] Webwork2+Acegi j_acegi_security_check redirection problems
Jared Odulio wrote:

> Hi Mark, Thanks, I've registered already. So while waiting for the activation email to arrive, I am going to post some more info. I am using Acegi Security version 0.9.0 Snapshot that I built myself. I am running the Contact Sample and my application in Sun Java System Application Server Platform Edition 8.1 Q2 2005 Release, my JDK is 1.5.0_04, my web framework is Webwork 2.1.7 using Velocity, all of which are running on Slackware 10.1 with Linux kernel version 2.4.X.

Hi Jared

Did you get this sorted out, or did you move it to the forums? If not, please post it over on the forum along with logs and I'll take a look (also Matthew Porter uses WW2 w/ Acegi Security so he might be able to offer some suggestions).

Cheers
Ben
Re: [Acegisecurity-developer] LDAP Dao Status
Robert r. Sanders wrote:

> After a couple of false starts which in retrospect I shouldn't have checked into the CVS HEAD, I have finally cleaned up the code and gotten an updated version of the LDAPPasswordAuthenticationDao, along with a unit test, into the CVS HEAD. I will post a similar message to the forums, but if anyone is interested in trying out the code and providing feedback, please do; in particular I haven't figured out how to test Active Directory style logins (when the login name is [EMAIL PROTECTED]).
>
> After struggling to complete this code I have come to the sad realization that I simply don't have enough time in the day for everything I'd like to do. When I initially began working on the LDAP integration for Acegi, I was anticipating using it in an upcoming project; however that project has continued to be pushed off onto the back burner, and I find the time I am able to work on Acegi severely limited. I am still willing to help out; but I am simply unable to put in any more time than I already am, meaning that if LDAP is to be completed in a reasonable time frame someone else is going to have to work on it. I will help out as much as possible; however those of you monitoring the rate of progress on the LDAP code in recent months can see that that is not much.

Hi Robert

Thanks for your efforts so far on the LDAP integration. I see that you've implemented Apache DS integration, meaning we now have a fully JUnit (pure Java) testable solution.

Is anyone interested in taking over the LDAP effort? Failing volunteers, I will probably take this on when I next do a major batch of changes and hope Robert can give some review/advice as he has collected most of the requirements in recent months.

Cheers
Ben
Re: [Acegisecurity-developer] Event not firing from DaoAuthenticationProvider.java
Mark St.Godard wrote:

> The HttpSessionContextIntegrationFilter should be able to set some sort of indicator that this is the first logon attempt since it generates a new SecurityContext, however this wouldn't work for remote client authentication?
>
> IMHO we should modify all event-aware AuthenticationProviders to publish an event on every occasion an authentication is processed, irrespective of the cache usage or not.

There are three reasons for this:

1. The Authentication.getDetails() *should* provide some sort of identifier (typically a WebAuthenticationDetails, which offers the HttpSession ID in most cases) and this identifier can be used by the ApplicationListener to determine what and when to log.

2. Recent changes to Authentication and AbstractSecurityInterceptor have changed the semantics of Authentication.isAuthenticated():

    /**
     * Used to indicate to <code>AbstractSecurityInterceptor</code> whether it
     * should present the authentication token to the
     * <code>AuthenticationManager</code>. Typically an
     * <code>AuthenticationManager</code> (or, more often, one of its
     * <code>AuthenticationProvider</code>s) will return an immutable
     * authentication token after successful authentication, in which case
     * that token can safely return <code>true</code> to this method.
     * Returning <code>true</code> will improve performance, as calling the
     * <code>AuthenticationManager</code> for every request will no longer be
     * necessary.
     *
     * <p>
     * For security reasons, implementations of this interface should be very
     * careful about returning <code>true</code> to this method unless they
     * are either immutable, or have some way of ensuring the properties have
     * not been changed since original creation.
     * </p>
     *
     * @return true if the token has been authenticated and the
     *         <code>AbstractSecurityInterceptor</code> does not need to
     *         represent the token for re-authentication to the
     *         <code>AuthenticationManager</code>
     */
    public boolean isAuthenticated();

As such, a DaoAuthenticationProvider (or any other AuthenticationProvider for that matter) will only be called when a user is genuinely not authenticated - or the user has changed the AbstractSecurityInterceptor.alwaysReauthenticate property to false.

3. Most authentication processing filters (certainly those used for CAS, AuthenticationProcessingFilter/form-based, remember-me, X509) now publish an InteractiveAuthenticationSuccessEvent when a user logs in.

I would welcome other opinions on this, but it seems we now have a more comprehensive solution to application event messages than putting them into AuthenticationProviders.

Cheers
Ben
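The logging approach Ben's first and third points describe, as an added example that is not Acegi's own code: an ApplicationListener that audits each interactive login from the InteractiveAuthenticationSuccessEvent the processing filters publish, using the session ID carried in WebAuthenticationDetails to decide what to log and to log it only once, instead of depending on the AuthenticationProvider being invoked per request. The package and class name are this example's own; the Acegi types are the 0.9 net.sf.acegisecurity classes referred to in the thread, and the code is written JDK 1.4 style because the list still builds for 1.4 users.

```java
// Added example, not Acegi's own code. Package name is an assumption.
package example.audit;

import java.util.HashSet;
import java.util.Set;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.event.authentication.AbstractAuthenticationEvent;
import net.sf.acegisecurity.event.authentication.InteractiveAuthenticationSuccessEvent;
import net.sf.acegisecurity.ui.WebAuthenticationDetails;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;

/**
 * Audits interactive logins. Registered as an ordinary bean in the application
 * context, it receives every ApplicationEvent the context publishes.
 */
public class LoginAuditListener implements ApplicationListener {

    // Session IDs already audited, so a login reported twice for the same session
    // (e.g. by two filters) produces one audit line. Illustration only: a production
    // sink would evict entries when the HttpSession is destroyed.
    private final Set loggedSessions = new HashSet();

    public void onApplicationEvent(ApplicationEvent event) {
        if (!(event instanceof InteractiveAuthenticationSuccessEvent)) {
            return; // not an interactive login; nothing to audit here
        }
        Authentication auth = ((AbstractAuthenticationEvent) event).getAuthentication();

        // Point 1 in the thread: getDetails() is the identifier the listener keys on.
        String sessionId = null;
        String remoteAddr = "unknown";
        if (auth.getDetails() instanceof WebAuthenticationDetails) {
            WebAuthenticationDetails details = (WebAuthenticationDetails) auth.getDetails();
            sessionId = details.getSessionId();
            remoteAddr = details.getRemoteAddress();
        }

        if (sessionId != null) {
            synchronized (loggedSessions) {
                if (!loggedSessions.add(sessionId)) {
                    return; // this session's login was already written
                }
            }
        }

        // Point 3: the event names the filter that performed the login.
        Class generatedBy = ((InteractiveAuthenticationSuccessEvent) event).getGeneratedBy();
        audit("LOGIN principal=" + auth.getName()
              + " session=" + sessionId
              + " from=" + remoteAddr
              + " via=" + (generatedBy == null ? "unknown" : generatedBy.getName()));
    }

    /** Audit sink; replaced with the real logger in a deployment. */
    protected void audit(String line) {
        System.out.println(line);
    }
}
```

Wiring is one bean definition in the same context as the filters, for example `<bean id="loginAuditListener" class="example.audit.LoginAuditListener"/>` (bean id assumed). Remote-client logins that carry no WebAuthenticationDetails still produce an audit line, just without a session to de-duplicate on, which is the case Mark's first paragraph raises.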
Re: [Acegisecurity-developer] SEC-15 User security context switching
Mark St.Godard wrote:

> I did some local testing with the Contacts sample and did some simple tests of
> - logging in (i.e. User 1)
> - going to /secure/debug.jsp (view User 1 info)
> - going to a jsp that handles the switch (i.e. switchUser.jsp)
> - submit request to 'su' to another user (i.e. User 2)
> - going to /secure/debug.jsp (view User 2 info)
> - go to exit page (i.e. exitUser.jsp) - display current user logged in as, submit button to exit
> - going to /secure/debug.jsp (shows User 1 info)
>
> So initial simple tests seem to work, need to polish and do a lot more testing. I have also added applicable unit tests. Again, feedback welcome.

Hi Mark

Thanks for taking care of this. It's a good initial implementation. A few ideas/suggestions:

- We should publish an event when the administrator performs a su, such that audit logs and the like are complete.
- Make the exitUserUrl and switchUserUrl default to the normal values, and remove the getDefaultXX() getters.
- The SWITCH_USER_GRANTED_AUTHORITY probably should be ROLE_PREVIOUS_ADMINISTRATOR so it works with the default RoleVoter.
- Use Assert.isTrue(boolean) where possible, instead of the if (!request instanceof HttpServletRequest) etc. - it will reduce the unit test size.
- Let's add the su capability to the Contacts Filter Sample, as it is a pretty nice feature to show is available.

Cheers
Ben
Re: [Acegisecurity-developer] missing voting facilities?
Andy Depue wrote:

> I wonder, though, if the ACL functionality would be a better solution for this sort of thing? The Voter we created below was just a quick hack, really.

The BasicAclVoter is designed to locate the first domain object argument in a method invocation, and then look up the ACLs from AclManager. You then specify which bit masks are acceptable and these are searched for in the resulting ACLs.

I am interested whether this approach would be sufficient to meet Andy and Fernando's needs.

Cheers
Ben
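The voter set-up Ben outlines, as an added configuration example rather than the project's own sample: the voter watches for one config attribute, finds the first method argument of the given domain class, asks the AclManager for that object's ACLs and grants access if the caller holds any one of the listed permission masks. The voter class is assumed to be net.sf.acegisecurity.vote.BasicAclEntryVoter (the class the thread refers to as BasicAclVoter); the config attribute name, domain class, bean names and the method being protected are this example's own assumptions, and the permission values 1 and 2 are assumed to be the ADMINISTRATION and READ masks of SimpleAclEntry.

```xml
<!-- Added example, not the Contacts sample's configuration. Bean names, the
     ACL_CONTACT_READ attribute, sample.contact.Contact and ContactManager are assumptions. -->

<!-- Grants if the caller has ADMINISTRATION (1) or READ (2) on the first
     sample.contact.Contact argument of the invocation. Any one listed mask suffices;
     to demand several rights at once, list a single combined mask instead. -->
<bean id="aclContactReadVoter" class="net.sf.acegisecurity.vote.BasicAclEntryVoter">
    <property name="processConfigAttribute"><value>ACL_CONTACT_READ</value></property>
    <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property>
    <property name="aclManager"><ref bean="aclManager"/></property>
    <property name="requirePermission">
        <list>
            <value>1</value>
            <value>2</value>
        </list>
    </property>
</bean>

<!-- The decision manager consults the role voter and the ACL voter; with
     allowIfAllAbstainDecisions=false a method that no voter understands is denied. -->
<bean id="businessAccessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions"><value>false</value></property>
    <property name="decisionVoters">
        <list>
            <ref bean="roleVoter"/>
            <ref bean="aclContactReadVoter"/>
        </list>
    </property>
</bean>

<!-- Method security: the user must be authenticated (role) AND hold an ACL on the
     Contact passed to update(). The ACL voter abstains on methods without a Contact
     argument, so pair each ACL attribute with a method that actually takes one. -->
<bean id="contactManagerSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref bean="businessAccessDecisionManager"/></property>
    <property name="objectDefinitionSource">
        <value>
            sample.contact.ContactManager.update=ROLE_USER,ACL_CONTACT_READ
        </value>
    </property>
</bean>
```

The caveat a reviewer would raise: AffirmativeBased grants as soon as one voter says yes, so with ROLE_USER and ACL_CONTACT_READ on the same method any ROLE_USER passes regardless of the ACL. If the intent is "role and ACL", either drop the role attribute from that line or use a decision manager that requires both votes.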
Re: [Acegisecurity-developer] using long for acegi acl id parameters
Tim Kettering wrote:

> I'm wondering if there was a reason that most of Acegi's standard ACL classes use int when dealing with object id values. We usually default to using 'long' instead of 'int' - and I believe that other places do as well, so it seems to me that it might be simpler to use 'long' in the acegi classes, since the java compiler can automatically cast int to long anyway.

Hi Tim

Which ACL classes are you referring to? AbstractBasicAclEntry uses int because it performs bit masking which shouldn't need the full size of a long. If you mean AclDetailsHolder (protected class within JdbcDaoImpl) I see your point and we should change it. Please feel free to submit a patch or issue to JIRA and I'll get it done.

Cheers
Ben
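Ben's distinction, as an added illustration that is not Acegi's code: the permission mask is a set of single-bit flags, for which an int's 32 bits are ample, whereas an object identifier is a database key and is the only place a long is at stake. The example also shows the check that a mask-based entry has to make: all required bits present, not any of them, since the "any" form silently grants WRITE to a read-only entry. Constant names follow SimpleAclEntry's permission names; the numeric values and the class are this example's own assumptions.

```java
// Added example, not Acegi's own code. Constant values are assumptions.
public final class PermissionMask {

    public static final int NOTHING        = 0;
    public static final int ADMINISTRATION = 1;   // bit 0
    public static final int READ           = 2;   // bit 1
    public static final int WRITE          = 4;   // bit 2
    public static final int CREATE         = 8;   // bit 3
    public static final int DELETE         = 16;  // bit 4
    // 27 bits of the int remain unused; a long would buy nothing here.

    private PermissionMask() {}

    /** Correct check: every bit of 'required' must be set in 'granted'. */
    public static boolean isPermitted(int granted, int required) {
        return (granted & required) == required;
    }

    /** The usual mistake: passes if ANY bit of 'required' is set in 'granted'. */
    public static boolean isAnyPermitted(int granted, int required) {
        return (granted & required) != 0;
    }

    public static int grant(int mask, int permission) {
        return mask | permission;
    }

    public static int revoke(int mask, int permission) {
        return mask & ~permission;
    }

    /** Human-readable form, useful in audit output. */
    public static String describe(int mask) {
        StringBuffer sb = new StringBuffer();
        if ((mask & ADMINISTRATION) != 0) sb.append("A");
        if ((mask & READ) != 0)           sb.append("R");
        if ((mask & WRITE) != 0)          sb.append("W");
        if ((mask & CREATE) != 0)         sb.append("C");
        if ((mask & DELETE) != 0)         sb.append("D");
        return sb.length() == 0 ? "-" : sb.toString();
    }

    public static void main(String[] args) {
        int reader = grant(NOTHING, READ);
        // A read-only entry asked for READ|WRITE: the strict check denies,
        // the "any bit" check grants, which is the bug to avoid.
        System.out.println(describe(reader) + " strict READ|WRITE: " + isPermitted(reader, READ | WRITE));
        System.out.println(describe(reader) + " loose  READ|WRITE: " + isAnyPermitted(reader, READ | WRITE));

        int editor = grant(reader, WRITE);
        System.out.println(describe(editor) + " strict READ|WRITE: " + isPermitted(editor, READ | WRITE));

        int demoted = revoke(editor, WRITE);
        System.out.println(describe(demoted) + " strict WRITE: " + isPermitted(demoted, WRITE));

        // The object identifier is a separate value and is where long vs int matters.
        long objectIdentity = 4294967296L; // does not fit an int; the mask is unaffected
        System.out.println("object " + objectIdentity + " mask " + describe(editor));
    }
}
```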
Re: [Acegisecurity-developer] Webwork2+Acegi j_acegi_security_check redirection problems
Jared Odulio wrote:

> Hi Ben, Yes, I managed to fix it. I have taken some notes too: http://jaredtech.blogspot.com/2005/08/webworkvelocityacegi-config.html I am not sure if this case works for others but it worked for me.

Hi Jared

I added your blog entry to our articles page to help others find it.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi error on Sun Java Enterprise Server 8.1
Clarence Ho wrote:

> java.lang.ClassCastException: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken

Most ClassCastExceptions are caused because there's an extra acegi-security-*.jar on your classpath. It should only be inside your WAR's WEB-INF/lib directory.

Cheers
Ben
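A way to confirm Ben's diagnosis before hunting for the stray jar, as an added example that is not Acegi's code: a ClassCastException naming the very class being cast to means two ClassLoaders each defined a class of that name, so the object's class and the class the web application links against are different Class objects. The helper prints which loader and which jar defined each, and its main() reproduces the container situation by loading one jar through two separate loaders. The class name, the jar path and the choice of class to load are this example's own assumptions.

```java
// Added example, not Acegi's own code. Class name is an assumption.
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;

public final class ClassOrigin {

    private ClassOrigin() {}

    /** Where a class came from: the defining loader plus the jar or directory URL. */
    public static String describe(Class c) {
        ClassLoader loader = c.getClassLoader();
        CodeSource src = c.getProtectionDomain().getCodeSource();
        String where = (src == null || src.getLocation() == null)
            ? "unknown" : src.getLocation().toString();
        return c.getName()
            + " loader=" + (loader == null ? "bootstrap" : loader.toString())
            + " source=" + where;
    }

    /**
     * True if a value of class 'actual' can be cast to 'expected'. Two classes with
     * the same name but different defining loaders are unrelated types, which is
     * exactly the case that throws ClassCastException at the cast.
     */
    public static boolean castable(Class actual, Class expected) {
        return expected.isAssignableFrom(actual);
    }

    /** Diagnostic text; suitable for a debug JSP or a log line. */
    public static String explain(Class actual, Class expected) {
        if (castable(actual, expected)) {
            return "OK: " + describe(actual);
        }
        return "MISMATCH\n  object class   -> " + describe(actual)
             + "\n  expected class -> " + describe(expected)
             + "\n  same name, different loader: remove the copy outside WEB-INF/lib";
    }

    public static void main(String[] args) throws Exception {
        // Simulates the container problem: the same jar visible to two loaders, as
        // when one copy sits in the server's shared lib and one in WEB-INF/lib.
        // Usage (paths assumed): java ClassOrigin file:/opt/app/acegi-security.jar \
        //     net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken
        URL jar = new URL(args[0]);
        ClassLoader sharedLib = new URLClassLoader(new URL[] { jar }, null);
        ClassLoader webappLib = new URLClassLoader(new URL[] { jar }, null);

        // initialize=false: load without running static initialisers.
        Class fromShared = Class.forName(args[1], false, sharedLib);
        Class fromWebapp = Class.forName(args[1], false, webappLib);

        System.out.println(explain(fromShared, fromWebapp));
    }
}
```

Pick a class whose superclasses and interfaces all live in the same jar, since the loaders above have no parent other than the bootstrap loader. In a real deployment the fix is the one Ben gives: keep the single copy in WEB-INF/lib and delete the one on the server's shared classpath.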
Re: [Acegisecurity-developer] Security Annotation support (initial)
Mark St.Godard wrote:

> I just wanted to make sure I don't check in code that breaks JDK 1.4 users from building the CVS HEAD examples, etc. Therefore to sum up:
> - can we package the core-tiger classes into the single acegi security dist?
> - where should the new samples (for java5) be located?
> Thoughts?

Yesterday I asked whether anyone was using the Commons Attributes support. The reason is that when you install commons-attributes-plugin, you in effect add a plugin to Maven that will throw exceptions if you are using any Java 1.5 features such as annotations and enums.

http://jakarta.apache.org/commons/attributes/maven_demo.html indicates that 2.1 is the latest version of the Commons Attributes plugin, so you install using:

    maven plugin:download -DgroupId=commons-attributes-plugin -DartifactId=commons-attributes-plugin -Dversion=2.1

However, if you install the plugin and then use Java 1.5-specific features in your build, this is what the Maven build will give you:

(What happens for an enum):

    Error parsing File .\CounterEnum.java:Encountered enum at line 9, column 8. Was expecting one of: abstract ... interface ... public ... strictfp ... final ... class ...

(What happens for a generics declaration):

    Error parsing File \RoleDaoHibernate.java:Encountered at line 21, column 51. Was expecting one of: implements ... { ... . ...

According to http://jakarta.apache.org/commons/attributes/faq.html:

    Q: What are the future plans for Commons-Attributes?
    A: As indicated above, C-A isn't expected to live beyond widespread adoption of Java 5.0. But until then, the main area of concern is ease of use

The above issue is therefore only a concern for people wishing to build the /samples/attributes sample, as then the plugin is required. I think we should therefore disable the /samples/attributes as part of the /docs multiproject build, leaving it to users of Commons Attributes to manually build (and install the problematic plugin) if they so wish.

Does anyone have a concern with that?

Assuming we do the above, I think that having a new sample specifically for annotations would be appropriate. We can use the same classes as used in the attributes sample, so that people can compare the two approaches. Of course, the attributes sample would have in its project.properties the 1.5-specific source and compile properties.

I have no issue with having the 1.5-specific classes in the acegi-security-xxx.jar. Achieving that will need some /core/maven.xml jar:jar pre-goal customisation. Two approaches would be to run the /core-tiger build if 1.5 is detected and then copy the files across to /core/target/classes. Alternatively, just copy the /core-tiger/target/classes if they exist to /core/target/classes and expect users to first build core-tiger (such that the /core-tiger/target/classes exists). The latter approach is easier, but I'm sure the former is achievable with Maven as well.

Cheers
Ben