Re: [Acegisecurity-developer] avoiding reauthentication?

2005-08-23 Thread Ben Alex

[EMAIL PROTECTED] wrote:


Hello,

I was told that the CVS distribution now avoided reauthentication if 
a SecurityContextHolder was found by the HttpSessionContextIntegration 
filter, but this is not the case, it is still calling the 
authentication dao.

Could this feature be integrated into acegi? I cannot cache the user 
records because they are modified in the backend without notification. 
I also would like the user to be able to continue the session without 
having to reauthenticate if he changes his password (via another 
system) while he has the application open.

Thanks

Fernando Mato Mira


Is Authentication.isAuthenticated() returning true for your 
Authentication object? This is a requirement to avoid reauthentication 
by AbstractSecurityInterceptor. It doesn't have anything to do with 
HttpSessionContextIntegrationFilter. If you think everything is correct, 
please post a DEBUG log and your configuration XML to a forum support 
post and I'll take a closer look.


Cheers
Ben


---
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer


Re: [Acegisecurity-developer] avoiding reauthentication?

2005-08-23 Thread Ben Alex

[EMAIL PROTECTED] wrote:


It is not the AbstractSecurityInterceptor that is reauthenticating, it
is the ProviderManager


The only two places in Acegi Security that call AuthenticationManager 
(of which ProviderManager is the only concrete implementation) are 
AbstractSecurityInterceptor and the authentication mechanisms (the 
latter being classes like AuthenticationProcessingFilter). So what is 
calling ProviderManager repeatedly? AbstractSecurityInterceptor will not 
call ProviderManager if 
SecurityContextHolder.getContext().getAuthentication().isAuthenticated() 
= true and AbstractSecurityInterceptor.alwaysReauthenticate = false (the 
default).


Cheers
Ben




Re: [Acegisecurity-developer] avoiding reauthentication?

2005-08-24 Thread Ben Alex

[EMAIL PROTECTED] wrote:


Hello,
 Doing an authentication against my database takes about half a second,
and we can have dozens of requests for one user operation (eg., getting
each document from a set of XML documents, this is done like this
because it's easier than having one huge XML result that is cut up by
the application into individual documents).
 If we cache, the user cannot login immediately with a new password
after changing it. Also, when the cache is invalidated, the provider
will try to authenticate with the old password in the middle of a
session when the password is changed (always from another application).
 What's the problem with always checking if there's an HttpSession with
a valid Authentication, and only calling the manager if there's none?
That should be super fast. 
 

I don't have a problem with making BASIC and Digest check the 
SecurityContextHolder so people who want to use HttpSession can benefit 
from it. Please add a task to JIRA and I'll get the various 
authentication mechanisms updated.


Best regards
Ben




Re: [Acegisecurity-developer] thread-local security context access

2005-08-26 Thread Ben Alex

Peter Kharchenko wrote:

We're working on a large web application, which among other things, 
relies on thread pools shared across multiple servlet sessions. This 
appears to present a problem since the same thread may be used to 
serve different users.


At the start of each HTTP request, HttpSessionContextIntegrationFilter 
will retrieve the SecurityContext from the HttpSession, and then put it 
into the SecurityContextHolder. At the end of the HTTP request, 
HttpSessionContextIntegrationFilter will copy the changed 
SecurityContext from the SecurityContextHolder and put it back into the 
HttpSession ready for next request. It will also set the 
SecurityContextHolder to null, so it is safe and ready for next request.


Because the same thread is used for the duration of the HTTP request, 
and the thread has security information removed from it at the end of 
each request, there should not be any problem in a large web 
application. You may like to confirm this yourself by using a stress 
testing tool such as Grinder.


Best regards
Ben
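
Added example, not part of the original thread and not Acegi code: a self-contained Java model of the request lifecycle described above (load the context from the session, bind it to the thread, store it back, clear the thread). `ContextHolder`, `Session` and `handleRequest` are hypothetical stand-ins; a single-thread pool forces two users' requests onto the same worker so the effect of the final clear is visible.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Illustrative model only: none of these types are Acegi Security classes. */
public class ContextIntegrationDemo {

    /** Stand-in for a thread-bound holder: one slot per worker thread. */
    static final class ContextHolder {
        private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
        static String get() { return CURRENT.get(); }
        static void set(String user) { CURRENT.set(user); }
        static void clear() { CURRENT.remove(); }
    }

    /** Stand-in for an HttpSession: keeps the stored context between requests. */
    static final class Session {
        final Map<String, String> attributes = new HashMap<>();
    }

    static final String KEY = "SECURITY_CONTEXT"; // hypothetical attribute name

    /**
     * Runs one request on the current thread and returns whatever identity
     * was already bound to that thread when the request arrived.
     */
    static String handleRequest(Session session, boolean clearAtEnd) {
        String foundOnEntry = ContextHolder.get();
        ContextHolder.set(session.attributes.get(KEY));   // session -> thread
        try {
            // Application code would run here and read ContextHolder.get().
            return foundOnEntry;
        } finally {
            session.attributes.put(KEY, ContextHolder.get()); // thread -> session
            if (clearAtEnd) {
                ContextHolder.clear();                        // leave the thread clean
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so consecutive requests are guaranteed to share it.
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            for (boolean clear : new boolean[] {true, false}) {
                Session alice = new Session();
                alice.attributes.put(KEY, "alice");
                Session bob = new Session();
                bob.attributes.put(KEY, "bob");

                pool.submit(() -> handleRequest(alice, clear)).get();
                String seenByBob = pool.submit(() -> handleRequest(bob, clear)).get();

                System.out.println("clearAtEnd=" + clear
                        + " -> identity found on thread at start of bob's request: " + seenByBob);
            }
        } finally {
            pool.shutdown();
        }
    }
}
```

With the clear step in place the second request starts on a thread that carries no identity; without it, the previous user's identity is still bound when the next request begins.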




Re: [Acegisecurity-developer] Authentication.getPrincipal()

2005-09-01 Thread Ben Alex

Peter Kharchenko wrote:


Hello,
Another small question. I am using both anonymous and dao 
authentication providers. I am using Authentication.getPrincipal() 
method to obtain user name. In the case of anonymous authentication, 
the method returns a String, but DAO authentication returns a User 
object. So to get the user name, I have to check what is being 
returned, and have special clauses for the DAO authentication. I was 
hoping that getName() method would return user name, but it returns a 
serialized version of the User object.
I am wondering if there's another way of getting user name, or if this 
is a bug.


If you'd always like a String to be returned, use 
DaoAuthenticationProvider.setForcePrincipalAsString(true). It defaults 
to false.


Cheers
Ben




Re: [Acegisecurity-developer] Samples / Annotation

2005-09-08 Thread Ben Alex

Mark St.Godard wrote:


Ben et al,
 
I have checked in the first Annotations sample... basically a 
straightforward port of the samples/attributes -- 
samples/annotations.
Note: This sample project requires the 
acegi-security-tiger-0.9.0-SNAPSHOT.jar, so please ensure it's built to 
your local maven repo.

See core-tiger/
 
Ben have a quick look, and let me know if you have any problems with 
your build, etc.
Mine runs through fine, compiles, tests pass, etc..  
 


Good work Mark.  I would suggest that we move MethodDefinitionAttributes 
to the net.sf.acegisecurity.annotation package, and rename the class to 
SecurityCommonsAtributes.


Next I will look at the actual Contacts sample... I think the last we 
talked on this we were possibly going to deprecate the Commons 
Attributes / plugin, etc. ?  (i.e. let the commons-attributes folk 
build by hand ?)
 
I think you mentioned it causes problems with Java 5 sources and the 
attributes plugin.
  


Yes, the commons-attributes-plugin in Maven does not work if you're 
running Java 5 source compatibility. This only impacts the ability to 
run the /samples/attributes/project.xml. I would suggest we remove this 
subproject from the /project.properties' maven.multiproject.includes.


Cheers
Ben




Re: [Acegisecurity-developer] Container Adapter for Sun Java App Server 8.1

2005-09-18 Thread Ben Alex

Clarence Ho wrote:


Hi all,

I want to deploy Acegi Security System to Sun Java Application Server 8.1 UR
2, but after I deployed the application, I got a class cast exception for
the authentication token. It seems that I should use a Container Adapter for
Sun Java App Server 8.1. Is there any one out there, or any plan to develop
one?

Kindly advise
Clarence
 


Hi Clarence

There are no plans to expand the range of container adapters. If you are 
getting a ClassCastException, something is incorrectly configured. Does 
the Contacts Sample (Filters edition) work OK for you? If so, try 
reconfiguring your application using Contacts as a guide.


Best regards
Ben




Re: [Acegisecurity-developer] Acegi integration with ActiveMQ

2005-09-18 Thread Ben Alex

Andy Depue wrote:


On Friday 16 September 2005 12:07 pm, Andy Depue wrote:
 


... As soon as it shows up in gmane, I'll post a link to the thread
(as a response to this message).
   



Here is the head of the ActiveMQ thread: 
http://thread.gmane.org/gmane.comp.java.activemq.user/2927


 


Hi Andy

I'm not aware of anyone having done this, but I certainly think it a 
good project to integrate with (I am particularly fond of ActiveMQ's 
non-XA transaction support as per 
http://activemq.codehaus.org/Should+I+use+XA).


Please let us know how your implementation goes. I don't mind which 
project the integration ships with, but hope whichever it is there is a 
maintainer for the code.


Cheers
Ben




Re: [Acegisecurity-developer] Anyone experiencing core tests failing?

2005-09-18 Thread Ben Alex

Mark St.Godard wrote:


Anyone else having problems with the core project tests failing?

Strange thing is all the tests run through, don't see any actual junit 
failures, however maven complains and says the BUILD FAILED... ?

Thoughts?



To see which test fails, you need to look in the 
/core/target/test-reports directory. You'll notice one of the .txt files 
has a much larger size than the others. Look in it and you'll see the 
failure reasons.


The JCaptcha tests and BASIC authentication tests were failing. I have 
checked in fixes for both.


Marc-Antoine, would you please take a look at 
CaptchaChannelProcessorTests. I've disabled some of the tests for now, 
and provided comments in the code about how the tests may be improved.


Best regards
Ben




Re: [Acegisecurity-developer] Acegi JSR-168 Portlet Integration

2005-09-18 Thread Ben Alex

John Lewis wrote:

I'm very interested in your feedback.  When you get a chance to take a 
look at it all, let me know what you think.


Hi John

Thanks for contributing this code. I just had a quick look, and have a 
couple of questions and comments:


- Could you make it compatible with 0.9.0 snapshot? I notice you're 
using the = 0.8.3 context management code, which has been refactored.


- PortletSecurityEnforcementInterceptor and the 
PortletSessionContextIntegrationInterceptor do not appear to be in the 
ZIP file.


- Am I correct in reading the code that the portlet container performs 
the authentication, which yields a String-based username, and your 
classes implement a PortletAuthoritiesPopulator (like CAS and X509)? If 
so, is there scope to plug in Acegi Security so that the portlet 
container can use our AuthenticationManager? Also, is there a default 
implementation of PortletAuthoritiesPopulator?


- Are there any unit tests available?

Cheers
Ben




Re: [Acegisecurity-developer] Upgrading problem

2005-09-19 Thread Ben Alex

mannobug


/j_security_check*=channelProcessingFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter
/**/*.*=channelProcessingFilter,httpSessionContextIntegrationFilter,securityEnforcementFilter

 


Should be:

/**/*=channelProcessingFilter,httpSessionContextIntegrationFilter,securityEnforcementFilter


If this doesn't work, please post your full web.xml, security 
configuration XML and DEBUG-level log in a forum post at 
http://forum.springframework.org and I'll be pleased to take a closer look.


Best regards
Ben
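
Added example, not from the thread or the Acegi code base: a check of which request paths each of the two patterns above covers. It uses Spring's `AntPathMatcher` (spring-core on the classpath) and assumes the first matching pattern decides the filter chain; the sample paths are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.util.AntPathMatcher;

public class FilterChainCoverage {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    private static final String LOGIN_LINE =
        "/j_security_check*=channelProcessingFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter\n";

    // The definition as posted, and the same definition with the suggested second pattern.
    static final String POSTED = LOGIN_LINE
        + "/**/*.*=channelProcessingFilter,httpSessionContextIntegrationFilter,securityEnforcementFilter\n";
    static final String SUGGESTED = LOGIN_LINE
        + "/**/*=channelProcessingFilter,httpSessionContextIntegrationFilter,securityEnforcementFilter\n";

    // Constructed sample request paths (assumptions, not taken from the thread).
    static final String[] SAMPLE_PATHS = {
        "/index.jsp", "/secure/report.htm", "/secure/admin", "/secure/reports/2005", "/j_security_check"
    };

    /** Parses "pattern=filterA,filterB" lines, keeping declaration order. */
    static Map<String, List<String>> parse(String definition) {
        Map<String, List<String>> chains = new LinkedHashMap<>();
        for (String line : definition.split("\n")) {
            line = line.trim();
            int eq = line.indexOf('=');
            if (line.isEmpty() || eq < 0) {
                continue;
            }
            chains.put(line.substring(0, eq), Arrays.asList(line.substring(eq + 1).split(",")));
        }
        return chains;
    }

    /** Returns the filters of the first pattern that matches the path, or an empty list. */
    static List<String> filtersFor(Map<String, List<String>> chains, String path) {
        for (Map.Entry<String, List<String>> entry : chains.entrySet()) {
            if (MATCHER.match(entry.getKey(), path)) {
                return entry.getValue();
            }
        }
        return Collections.emptyList();
    }

    /** One-line summary of how a path is handled under a given definition. */
    static String describe(Map<String, List<String>> chains, String path) {
        List<String> filters = filtersFor(chains, path);
        if (filters.isEmpty()) {
            return "NO FILTER CHAIN";
        }
        return filters.contains("securityEnforcementFilter")
                ? "enforced"
                : "filtered, no securityEnforcementFilter";
    }

    public static void main(String[] args) {
        Map<String, List<String>> posted = parse(POSTED);
        Map<String, List<String>> suggested = parse(SUGGESTED);
        for (String path : SAMPLE_PATHS) {
            System.out.printf("%-24s posted: %-40s suggested: %s%n",
                    path, describe(posted, path), describe(suggested, path));
        }
    }
}
```

The `*.*` form only matches a final path segment that contains a dot, so paths without an extension fall outside every chain in the posted definition.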




Re: [Acegisecurity-developer] regadring Spring + JAAS Problem

2005-09-20 Thread Ben Alex

Matt DeHoust wrote:

I have found the process outlined in Suggested Steps to be sound 
(http://acegisecurity.sourceforge.net/suggested.html). Also, the 
reference guide is quite good 
(http://acegisecurity.sourceforge.net/reference.html). I'm sure you'll 
find what you need if you read it. Also, you may mine the example 
contacts application for details on how to configure Acegi Security in 
a real application. When/if you run into trouble with a specific use 
case, the folks on this list are quite helpful.


Another thought, you might like to try Luke's Acegifier web site, which 
can convert an existing web.xml into a baseline Acegi Security config. 
The best part is that it doesn't have all the ACLs etc shown in the 
Contacts Sample, and is thus easier to follow. The URL is:


http://monkeymachine.co.uk/acegifier/convert.htm

Best regards
Ben





Re: [Acegisecurity-developer] Anyone experiencing core tests failing?

2005-09-20 Thread Ben Alex

marc antoine garrigue wrote:


Hi Ben, All,

I’ve replaced the Thread.sleep(xxx) by a while routine in the test 
instead of breaking the captcha security context api.


I’m not proud of this :(, but it should solve the problem.

I can’t reproduce the build break on my system, is it possible for 
anyone to send a failed test report?


Best Regards

MAG


Hi Marc-Antoine

I have updated from CVS and can now run the revised unit tests without a 
problem.


Thanks
Ben





Re: [Acegisecurity-developer] Nightly snapshots

2005-09-21 Thread Ben Alex

Ben Alex wrote:


Luke Taylor wrote:


I think I probably forgot to set the cron job to kick off the script on
SF when I reinstalled my server. If someone could remind me where the
script is again that would be useful :).
 




shell.sourceforge.net:/home/groups/a/ac/acegisecurity/daily.sh


Hi Luke

Did you get a chance to add this? I manually ran the job yesterday to 
get a snapshot built.


Cheers
Ben





Re: [Acegisecurity-developer] Re: Acegi JSR-168 Portlet Integration

2005-09-21 Thread Ben Alex

John Lewis wrote:

- You are correct that the portlet container performs the 
authentication and then provides a String username to portlets running 
within the portlet container.  It is very similar to CAS and X509 and 
I modeled the code after those two quite a bit.  Unfortunately, the 
JSR-168 spec completely delegates the authentication to the 
portlet-container and does not provide a standard way to plug an 
authentication mechanism into it.  Of course, a portlet container 
implementation could use Acegi directly (I believe that the Gridsphere 
team is considering this in the near future).  I have not created a 
default implementation of PortletAuthoritiesPopulator at this point.  
The only authorities mechanism in JSR-168 is the same isUserInRole 
method as in the Servlet spec.  I suppose we could create a default 
PortletAuthoritiesPopulator that could be configured with a list of 
roles to check.


It seems a very common requirement for a separate system to authenticate 
a user and provide only a String-based username to an application. This 
is seen with CAS, X509, Portlets and a range of external authentication 
services. Therefore, it would seem desirable to offer a generic 
equivalent to CasAuthoritiesPopulator/X509AuthoritiesPopulator.


Cheers
Ben




Re: [Acegisecurity-developer] Contacts sample app using Annotations

2005-09-24 Thread Ben Alex

Hi Mark

Mark St.Godard wrote:

I can exclude the samples/attributes project to get around the Java 5 
compile issues, we discussed before.


That is fine. The samples/annotations should also be excluded from the 
auto-build, as we don't want users to be forced to have Java 5 to do a 
basic build of core and the Contacts Sample.


Basically, we will require Java 5 to build from the /samples/contacts 
dir...

To do a full build of Acegi, we require Java 5 (for domain and 
core-tiger).. just wanted to make sure that this is ok for the samples 
as well.


I believe we need to maintain Java 1.3 compatibility in the base/default 
build. I would therefore prefer if the base Contacts Sample did not use 
annotations.


 
or if this should be in a completely separate project ala..
 
acegisecurity/samples/contacts/

acegisecurity/samples/contacts-annotations/
 


Maybe a Maven expert (Carlos, Luke?) could have a look at how we could 
share the code between the Contacts 1.3 and Contacts 5 Java versions 
more elegantly. A few ideas come to mind, such as a new 
samples/contacts/src/main/webapp/tiger directory to hold the config, and 
the 1.5-compatible ContactManager named in a manner that excludes it 
from the compilation but a separate postGoal will compile it if 1.5 is 
detected.


One thing concerning me about the Contacts Sample more generally is how 
difficult it is for new users to follow. I think there is an argument to 
add a new sample that just uses filter security - without any method or 
ACL security. Such a sample might also double as a performance benchmark 
to compare Acegi Security performance with servlet spec managed constraints.


Cheers
Ben





Re: [Acegisecurity-developer] JaasAuthenticationProvider problems with multiple webapps

2005-09-24 Thread Ben Alex

Eric Hedström wrote:

So is there ever a reason to set the system property, rather than 
allowing each webapp to add a login.config.url? Am I doing something 
horribly wrong, or shall I open a Jira ticket or two?


Hi Eric

Ray wrote the JAAS provider, so he's probably best to answer. Would you 
please log a JIRA ticket so we ensure this gets looked at...


Thanks
Ben




Re: [Acegisecurity-developer] Cobertura reports

2005-10-03 Thread Ben Alex

Hi Carlos

Carlos Sanchez wrote:


Hi,

I've uploaded the results of the cobertura report for acegi core

 


Thanks for adding Cobertura.



The second one requires maven 1.1, which I plan to support asap
http://opensource2.atlassian.com/projects/spring/browse/SEC-57.


 

Please let the list know when you make the upgrade, as I had some 
difficulty with 1.1 Beta 1 (though note it's now Beta 2).


Any timeline on Maven 2 RC? Is Maven 2 Beta 1 sufficiently stable yet? I 
am really wanting to give it a try. At a stability level, is it even 
worth upgrading Acegi Security to 1.1 Beta 2, or waiting for either a 
newer 2.0 Beta or 1.1 RC? Can they (1.1 and 2) be run side-by-side easily?


Cheers
Ben




Re: [Acegisecurity-developer] Cobertura reports

2005-10-03 Thread Ben Alex

Carlos Sanchez wrote:


m2 is absolutely faster, but
it still lacks the functionality of all those maven 1 plugins out
there. m2 is absolutely worth for compiling and running the tests.
 

I am really looking forward to Maven 2, mainly for its speed and native 
plugins. I don't use many non-standard plugins. Indeed I just compile, 
JAR, WAR, test, Clover/Cobertura and build a project web site. If I can 
do that with Maven 2, it certainly meets my needs (and I suggest that of 
80% of all projects).


Will Maven 2 provide some sort of POM migration tool (from 1.x) or is 
the POM sufficiently generalised that it need not receive major changes?


Please let me know when any sort of newer version is available and 
working with Acegi Security, and I'll be sure to give it a try ASAP.


Cheers
Ben




Re: [Acegisecurity-developer] How do i create private objects with the ACEGI api?

2005-10-10 Thread Ben Alex

David Medinets wrote:


I'm trying to use ACEGI to do some method-level access control. I seem
to have everything connected but when I create an object I see a
message saying that the object is public so the access control is not
used.

How do I create a private object?

I can provide the Spring XML configuration file and Java code if
anyone is interested.

-david

 

Acegi Security provides authorization via AOP. So you need a way of 
introducing security advice to the object you create. Generally people 
do this declaratively via the application context. Alternatively, you 
can create an AOP proxy programmatically using Spring's standard classes. 
Another approach is to use AspectJ, which will compile the advice in at 
development time and thus you can simply use the Java new operator to 
receive in effect a proxy object.


If you're happy to live with authorization only during services layer 
invocations, you can weave some AOP into those services layer methods 
and then use either a custom AccessDecisionVoter or Acegi Security's 
domain ACL services to achieve security.


Best regards
Ben




Re: [Acegisecurity-developer] How do i create private objects with the ACEGI api?

2005-10-16 Thread Ben Alex

David Medinets wrote:


So the obvious question is: How can a private object be created? I see
no Spring or ACEGI documentation regarding private vs public objects.

If you can help, I'd be grateful.

 

I see no problem with your configuration. You are obtaining an AOP proxy 
object from the IoC container, which should have the 
MethodSecurityInterceptor weaved into the proxy object. What method are 
you calling on the proxy object? You'll need to call a method that is 
defined as secured, such as getValue(). Simply doing a 
System.out.println() will internally call toString(), which is not secured.


Best regards
Ben
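
Added example, not from the thread or from Acegi: a JDK dynamic proxy standing in for the AOP proxy, showing that only methods listed as secured are checked while `toString()` passes straight through. `Holder`, `HolderImpl`, `SecurityHandler` and the `authorized` flag are hypothetical.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Set;

public class SecuredProxyDemo {

    /** Hypothetical business interface; getValue() is the method declared as secured. */
    interface Holder {
        String getValue();
    }

    static final class HolderImpl implements Holder {
        @Override public String getValue() { return "secret"; }
        @Override public String toString() { return "HolderImpl[value=secret]"; }
    }

    /** Stand-in for the security advice: only method names in the secured set are checked. */
    static final class SecurityHandler implements InvocationHandler {
        private final Object target;
        private final Set<String> securedMethods;
        private final boolean authorized; // stands in for the caller's access decision

        SecurityHandler(Object target, Set<String> securedMethods, boolean authorized) {
            this.target = target;
            this.securedMethods = securedMethods;
            this.authorized = authorized;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            if (securedMethods.contains(method.getName()) && !authorized) {
                throw new SecurityException("Access denied: " + method.getName());
            }
            try {
                // Methods with no security definition reach the target unchecked.
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();
            }
        }
    }

    /** Wraps the target so that calls to getValue() go through the access check. */
    static Holder secure(Holder target, boolean authorized) {
        return (Holder) Proxy.newProxyInstance(
                Holder.class.getClassLoader(),
                new Class<?>[] {Holder.class},
                new SecurityHandler(target, Collections.singleton("getValue"), authorized));
    }

    /** Calls the secured method and reports whether the advice let it through. */
    static String tryGetValue(Holder holder) {
        try {
            return "allowed: " + holder.getValue();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Holder unauthorized = secure(new HolderImpl(), false);
        System.out.println(unauthorized);              // println calls toString(), which is not secured
        System.out.println(tryGetValue(unauthorized)); // the secured method is checked
        System.out.println(tryGetValue(secure(new HolderImpl(), true)));
    }
}
```

Because `toString()` is not advised, anything it prints is outside the access check, so it should not expose data that the secured methods protect.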




Re: [Acegisecurity-developer] custom Session Timeout page

2005-10-16 Thread Ben Alex

Mark St.Godard wrote:



Has anyone done something similar?


Not that I'm aware of.

Ben




Re: [Acegisecurity-developer] anonymous authentication

2005-10-18 Thread Ben Alex

Marco Mistroni wrote:



however, when I go through login page and I enter blank username and 
blank contact, I receive an error 'invalid username or password'.



Hi Marco

If you attempt to login with a blank username or password, 
AuthenticationProcessingFilter will (quite rightly) throw an exception 
as it can't find a username. If this was a problem, you could easily 
override AuthenticationProcessingFilter.obtainUsername, detect a blank 
String from super.obtainUsername(), and then use a default username. But 
I do wonder whether it's necessary. Generally if a user is hitting the 
j_acegi_security_check they wish to try to authenticate - not fall back 
to some default. If they abandon the authentication attempt (as they 
realise they don't have a username etc), they can return to the rest of 
the application and continue as an anonymous user. No special handling 
should be required for this.


Best regards
Ben




Re: [Acegisecurity-developer] Acegi .Net version

2005-10-18 Thread Ben Alex

Bill Barr wrote:


I would certainly like to have that conversation.


--- Mark St.Godard [EMAIL PROTECTED] wrote:

 


You'd have to ask Ben and Carlos, (as Ben is the project admin and
Carlos is all things build related)
however I would assume it would have to be a new project on
sourceforge... completely separate,
along the same lines as Spring.NET, NHibernate, etc.




As suggested, it would probably need to be a separate project with its 
own build infrastructure.


We're working towards getting 1.0.0 out around the time of the Spring 
Experience conference in early December. Any C# effort would probably be 
well-served to wait until 1.0.0 is released, so there is a concrete 
baseline for a port. It probably would also make sense to talk to the 
Spring.NET team to see what they're already doing in terms of security.


Cheers
Ben




Re: [Acegisecurity-developer] Acegi .Net version

2005-10-19 Thread Ben Alex

Bill Barr wrote:


Thanks for replying, Ben. In a separate thread with the spring.net team,
they would like a .net version of acegi but, they don't have the time for
it so, it's not a high priority for them.

Do you need some help on the Java edition?


 


Hi Bill

There's something like 50 tasks in JIRA, so feel free to take a pick of 
anything that you like the look of and submit some patches.


I hope to go through JIRA later today and determine what will make 
0.9.0, 1.0.0 and post-1.0.0. Then release 0.9.0 in about a fortnight, 
and 1.0.0 in early December. The objective is not to add new features, 
but implement any final changes that will impact backward compatibility 
so that 1.0.0 represents a reasonably stable base.


Best regards
Ben




Re: [Acegisecurity-developer] Preparing for 0.9.0

2005-11-04 Thread Ben Alex

Patrick Huber wrote:


Works for me, yet my application is pretty small.

I've had to change a call in the authentication tag.
I'm using pretty much every component except for instance-based
security. I use them as described in the docs/tutorials.
 


Hi Patrick

Thanks for the feedback. I've added a note about that step to the 
upgrade instructions.


Anyone else had success with 0.9.0 in CVS?

Ben




Re: [Acegisecurity-developer] Concurrent session check and username primary key issue

2005-11-04 Thread Ben Alex

Herryanto Siatono wrote:

Yep Ben, I'm using yesterday's check out. 


Thx for the fast reply.
 



I've checked in a change that I believe will correct it by moving the 
sessionController.checkAuthenticationAllowed(Authentication) to after 
the ProviderManager authenticates successfully, and using the resultant 
Authentication object. This was not done before as ProviderManagers 
published events, but this is no longer the case so the change in 
location has no adverse implications. Please give ProviderManager v 1.9 
a try.


Cheers
Ben




Re: [Acegisecurity-developer] Concurrent session check and username primary key issue

2005-11-04 Thread Ben Alex

Herryanto Siatono wrote:


Btw, is v1.9 really checked in? coz I'm still seeing 1.8 in the cvs. :)
 


It's just the SF CVS sync delay. It'll show up in a few hours.




Re: [Acegisecurity-developer] AuthenticationFailurePasswordEvent - now it's gone, new issue props up

2005-11-05 Thread Ben Alex

Herryanto Siatono wrote:


Seems like the exceptionMappings does not contain UsernameNotFoundException.
 




Yes, you're correct. I just added it. ProviderManager v 1.10 is in CVS now.




Re: [Acegisecurity-developer] Proposal: Resolving Eclipse IDE warnings

2005-11-06 Thread Ben Alex

[EMAIL PROTECTED] wrote:


When using Eclipse 3.1 there are quite a few (520) source code warnings
displayed in the Problems view.

At some point I'd like to resolve as many of these as makes sense (like
unused imports) and then to update the .settings/org.eclipse.jdt.core.prefs
file to ignore acceptable issues (perhaps like unused local variables) so
that this view isn't cluttered with noise.
 


+1, after 0.9.0.




[Acegisecurity-developer] Vote: Release 0.9.0

2005-11-06 Thread Ben Alex

Hi everyone

The JIRA changelog is now complete, and I've just updated the reference 
guide to reflect the latest changes: 
http://opensource2.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel


I would like to propose we release 0.9.0 at this point. Please let me 
know if you agree.


Cheers
Ben




Re: [Acegisecurity-developer] AuthenticationException - UserDetails

2005-11-06 Thread Ben Alex

Herryanto Siatono wrote:


Just a point to ponder, for AuthenticationException thrown after user has
been checked against the database, (e.g. BadCredentialsException), should it
contain the UserDetails generated by the authentication provider?

Reason behind, for cases where the username is converted to user Id by the
authentication provider, when capturing AuthenticationFailureException,
system will have to re-query the database to retrieve the User Id to audit.
 

I have just modified BadCredentialsException to accept an additional 
Object in its constructor, and this is available from 
BadCredentialsException.getExtraInformation(). Further, 
DaoAuthenticationProvider populates this with the UserDetails so you'll 
have access to it via both the exception and the event. Logged as SEC-94.


Cheers
Ben




Re: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors

2005-11-07 Thread Ben Alex

[EMAIL PROTECTED] wrote:

[11/7/05 15:24:43:513 EST] 5a6d5a6d WebGroup  E SRVE0026E: [Servlet Error]-[Filter [Acegi Filter Chain Proxy]: filter is unavailable.]: java.lang.NullPointerException
    at java.lang.Throwable.<init>(Throwable.java)
    at java.lang.Throwable.<init>(Throwable.java)
    at java.lang.NullPointerException.<init>(NullPointerException.java:63)
    at java.lang.InheritableThreadLocal.set(InheritableThreadLocal.java:95)
    at net.sf.acegisecurity.context.SecurityContextHolder.setContext(SecurityContextHolder.java:58)
    at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:207)




Very odd. If you look at the code for SecurityContextHolder:

   private static InheritableThreadLocal contextHolder = new InheritableThreadLocal();

   public static void setContext(SecurityContext context) {
       Assert.notNull(context,
           "Only non-null SecurityContext instances are permitted");
       contextHolder.set(context); // this line fails (line 58)
   }

Can anyone see any issue with this? The main difference between 0.8.3 
and 0.9.0 is the use of an InheritableThreadLocal instead of a 
ThreadLocal. If you revert to the latter, does it work? What version of 
WebSphere are you running? Does it work if you deploy the same WAR to 
say Tomcat?


Cheers
Ben




Re: [Acegisecurity-developer] Logic bug with AnonymousProcessingFilter

2005-11-07 Thread Ben Alex

Tim Kettering wrote:


My gut says this is a bug, but since this code was committed back in
July, I find it strange that nobody else has encountered this by
now... is there something I'm missing?

 

I've modified the AnonymousProcessingFilter to now only clear the 
SecurityContextHolder if the Authentication contained therein has not 
changed from that of a fresh anonymous authentication token. This relies 
on the AnonymousAuthenticationToken.equals(Object) method to work, but 
should be sufficient and accommodate people using MVC Controllers to 
populate the SecurityContextHolder.


The reason nobody else probably encountered this so far is because most 
use the filters for authentication. The filter chain ordering is that 
AnonymousProcessingFilter should appear after the authentication 
filters, so this issue would not ordinarily arise.


Cheers
Ben
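
The "clear only if unchanged" rule described above, as an added example that is not part of the original message and is not Acegi Security's own code. Token, HOLDER, Chain and the key and principal strings are constructed stand-ins, and the unconditional variant is an assumed model of the earlier behaviour:

```java
import java.util.Objects;

public class AnonymousFilterDemo {

    /** Minimal stand-in for an Authentication token, compared by value. */
    static final class Token {
        final String key;
        final String principal;

        Token(String key, String principal) {
            this.key = key;
            this.principal = principal;
        }

        @Override
        public boolean equals(Object o) {
            if (!(o instanceof Token)) {
                return false;
            }
            Token other = (Token) o;
            return key.equals(other.key) && principal.equals(other.principal);
        }

        @Override
        public int hashCode() {
            return Objects.hash(key, principal);
        }

        @Override
        public String toString() {
            return principal;
        }
    }

    /** Stand-in for the thread-bound holder. */
    static final ThreadLocal<Token> HOLDER = new ThreadLocal<>();

    /** Whatever runs after the filter: later filters, a servlet, an MVC controller. */
    interface Chain {
        void proceed();
    }

    /**
     * Simplified anonymous filter. If nothing is authenticated it installs an
     * anonymous token, runs the chain, then removes the token again.
     * clearOnlyIfUnchanged=false models unconditional clearing (assumed);
     * clearOnlyIfUnchanged=true models the rule described in the message.
     */
    static void anonymousFilter(Chain chain, boolean clearOnlyIfUnchanged) {
        Token installed = null;
        if (HOLDER.get() == null) {
            installed = new Token("constructedKey", "anonymousUser");
            HOLDER.set(installed);
        }
        chain.proceed();
        if (installed == null) {
            return; // an earlier filter authenticated the request; nothing to undo
        }
        // The comparison relies on Token.equals, as the real filter relies on
        // AnonymousAuthenticationToken.equals(Object).
        if (!clearOnlyIfUnchanged || installed.equals(HOLDER.get())) {
            HOLDER.remove();
        }
    }

    /** Runs one request through the filter and reports what is left in the holder. */
    static Token run(Chain chain, boolean clearOnlyIfUnchanged) {
        HOLDER.remove();
        anonymousFilter(chain, clearOnlyIfUnchanged);
        Token left = HOLDER.get();
        HOLDER.remove();
        return left;
    }

    public static void main(String[] args) {
        // A controller that authenticates the user itself, after the filter ran.
        Chain controllerLogin = () -> HOLDER.set(new Token("constructedKey", "alice"));
        // A page that never touches the holder.
        Chain plainPage = () -> { };

        System.out.println("unconditional clear, controller login: " + run(controllerLogin, false));
        System.out.println("clear if unchanged,  controller login: " + run(controllerLogin, true));
        System.out.println("clear if unchanged,  anonymous page:   " + run(plainPage, true));
    }
}
```

With unconditional clearing the controller's login is wiped before anything downstream of the filter can persist it; with the equality check it survives, while a request that stayed anonymous is still cleaned up.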




Re: [Acegisecurity-developer] Preparing for 0.9.0

2005-11-08 Thread Ben Alex

Matt Raible wrote:


   // log user in automatically
   Authentication auth = new UsernamePasswordAuthenticationToken(
           user.getUsername(), user.getConfirmPassword());
   auth.setAuthenticated(true);
   try {
       ProviderManager authenticationManager =
               (ProviderManager) getBean("authenticationManager");
       SecurityContext ctx = SecurityContextHolder.getContext();
       ctx.setAuthentication(authenticationManager.doAuthentication(auth));
   } catch (NoSuchBeanDefinitionException n) {
       // ignore, should only happen when testing
   }

You can continue to use the constructor shown above, but don't call 
setAuthenticated(true). This will be performed by the 
UsernamePasswordAuthenticationToken when the AuthenticationProvider 
creates a new Authentication object to return. You don't want to be 
setting it earlier, as the GrantedAuthority[]s haven't been populated.


Whilst not Acegi Security related, you might like to consider dependency 
injecting that authenticationManager rather than performing a lookup.


Maybe try:

Authentication auth = new UsernamePasswordAuthenticationToken(
        user.getUsername(), user.getConfirmPassword());

Authentication response = authenticationManager.authenticate(auth);
SecurityContextHolder.getContext().setAuthentication(response);

If this still doesn't work, try following the debug logs. It might be 
something to do with filters changing the SecurityContextHolder, 
particularly if you're going from an anonymous user. Did you see the 
"Logic bug with AnonymousProcessingFilter" thread yesterday?


Cheers
Ben




Re: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors

2005-11-08 Thread Ben Alex

Ben Alex wrote:

I'd prefer to avoid multiple releases floating around. We should 
revert back to a standard ThreadLocal and not an 
InheritableThreadLocal and release 0.9.0. Does anyone really require 
InheritableThreadLocal behaviour?


I've checked in the change to use ThreadLocal. This is consistent with 
Spring's TransactionSynchronizationManager and AopContext (but 
interestingly not with LocaleContextHolder).


Cheers
Ben




Re: [Acegisecurity-developer] authentication exception events

2005-11-09 Thread Ben Alex

Brian Moseley wrote:

in upgrading from 0.8.2 to 0.9.0-SNAPSHOT, i see that the mechanism 
for handling authentication exceptions has changed. specifically, an 
authentication event is now required. what is the justification for 
requiring an event rather than making it optional?


I've just changed CVS HEAD. It'll now log a debug message instead if 
there is no exception to event mapping found.


Ben




Re: [Acegisecurity-developer] SecurityContext appears to be bound to thread after it's finished

2005-11-10 Thread Ben Alex

Dunstan Tom wrote:

This is all using basic authentication, with the acegi filters ordered 
thusly (in the filterChainProxy): basicProcessingFilter, 
anonymousProcessingFilter, securityEnforcementFilter.


Hi Tom

HttpSessionContextIntegrationFilter has a finally clause that should 
clear the SecurityContextHolder. It should appear in your 
FilterChainProxy before BasicProcessingFilter.


Cheers
Ben




[Acegisecurity-developer] SF CVS

2005-11-14 Thread Ben Alex

Hi everyone

As some of you have noticed, the CVS is currently broken.

A few days back I logged a job, 
https://sourceforge.net/tracker/?func=detailatid=21aid=1355843group_id=1, 
to have directories moved around to meet the new package top level 
naming convention. For unclear reasons (although I suspect 
permissioning), something went wrong and CVS no longer shows the Java 
source files.


Today I've logged another job to get this looked at, 
https://sourceforge.net/tracker/?func=detailaid=1356891group_id=1atid=21. 
In the meantime, please do not update from CVS.


I'll send an update to this list when it's corrected.

Cheers
Ben




[Acegisecurity-developer] Are you using Acegi Security?

2005-11-14 Thread Ben Alex

Hi everyone

http://acegisecurity.org/powering.html now lists projects (open source 
and commercial/internal) that are using Acegi Security. If you're using 
Acegi Security within your application, it'd be great if you emailed me 
off-list a sentence that we can include on this page. No commercial or 
sensitive details are required - we're just trying to give a feel for 
the sort of applications it's being used in.


Thanks!
Ben




Re: [Acegisecurity-developer] CVS is broken again

2005-11-19 Thread Ben Alex

Richard Clark wrote:
I'm trying to check out and try ACEGI for the first time, but CVS is 
broken and I can't complete the checkout. Following the instructions 
for checking out via maven, or using the instructions for an anonymous 
CVS checkout (cutting and pasting the commands to be safe), CVS fails:



Works fine for me. I just did an update fine, and a fresh checkout fine. 
I'm using the developer CVS servers, though. I think Luke is logging a 
job with SF about it.


Cheers
Ben




Re: [Acegisecurity-developer] locked CVS?

2005-11-23 Thread Ben Alex

Jettro Coenradie wrote:
I am having problems as well. tried it with maven and eclipse, both 
the same result.


The SF job is now reported as corrected - can someone who was 
experiencing the issue please confirm?


Thanks
Ben




[Acegisecurity-developer] 1.0.0 Progress

2005-11-24 Thread Ben Alex

Hi everyone

We're making good progress towards releasing 1.0.0 RC 1, the target date 
of which is 4 December 2005 (to coincide with The Spring Experience).


*** Would the community please report any outstanding bugs in JIRA ASAP 
so they are tracked and fixed. Thanks. ***


The outstanding 1.0.0 tasks are in JIRA at 
http://opensource2.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040. 
Would developers please take a look and update the status of their 
respective tasks. Please modify the fix version of your tasks to 
unknown if you won't get time to complete your task before RC 1.


Also regarding SEC-97, is anyone aware of a replacement for Jalopy 
source code formatter? Jalopy fails with Java 1.5 generics, which is an 
issue. We should take advantage of this task to update to a tool that 
supports Java 5.


Best regards
Ben




Re: [Acegisecurity-developer] 1.0.0 Progress

2005-11-25 Thread Ben Alex

Carlos Sanchez wrote:

I believe this can be solved upgrading the jalopy version
http://jalopy.sourceforge.net/
Let me take a look.
  


I should have done more digging before my post.

http://jalopy.sourceforge.net/jalopy/changes-report.html indicates that 
release 1.5b1+ supports Java 5. I just downloaded the 0.2-1.5b5 Eclipse 
plugin and it successfully formatted classes with both generics and 
annotations.

Thanks
Ben




Re: [Acegisecurity-developer] 1.0.0 Progress

2005-11-26 Thread Ben Alex

Mark St.Godard wrote:

Hey Ben,
 
Have you had any luck getting the latest Jalopy plugin ?
 
When I go to:
 
http://jalopy.sourceforge.net/jalopy/download.html
 
I get 404s will try again.. could be SF
 
I used http://jalopy.sourceforge.net/jalopy-eclipse/downloads.html. 
Alternatively, you could just go to 
http://sourceforge.net/project/showfiles.php?group_id=45216 and access 
them via the SF File Release System.


Cheers
Ben




Re: [Acegisecurity-developer] Building Acegi from CVS HEAD

2005-11-29 Thread Ben Alex

Samuel Le Berrigaud wrote:

1) the class doesn't compile correctly with maven
org.acegisecurity.intercept.method
MethodDefinitionSourceEditorTigerTests, the cause being that the main
method references the MethodDefinitionSourceEditorTests class (Tiger
is missing). I think it is simply a copy paste error, so I corrected
my local version (adding the Tiger)

  

Thanks for reporting this, Samuel. I have fixed it in CVS.

Cheers
Ben




Re: [Acegisecurity-developer] Acegi w/ JSF

2005-12-12 Thread Ben Alex

Trent wrote:

I’m seeing some odd behaviour using Acegi with JSF. Does anyone know 
what causes Acegi to render the page in the “AuthenticationFailureUrl” 
property from the class “AuthenticationProcessingFilter” when an 
authenticated user navigates back to the login page? Also this page 
doesn’t fully complete the response either.


Any insight would be appreciated

trent

Is this a problem with Acegi Security only with JSF (ie can you see a 
problem when using it natively with JSPs)? Also, which version of Acegi 
Security are you using?


Thanks
Ben




Re: [Acegisecurity-developer] LDAP Provider

2005-12-27 Thread Ben Alex

Brandon Keepers wrote:

Is there a good reason for requiring constructor args instead of
setter methods for properties?  I don't intend to start a flame war
about constructor vs. setter injection, but I do think the setters
should at least be an option, especially to be consistent with the
rest of the acegi configuration.
  
In the future more and more of Acegi Security will use constructor 
injection for mandatory properties, and setter injection for optional 
properties (optional meaning null is acceptable, or the class provides 
an acceptable default). We are moving away from having invalid objects 
and requiring InitializingBean to detect missing properties.


Best regards
Ben




Re: [Acegisecurity-developer] JSF Components for Acegi

2006-01-21 Thread Ben Alex

Cagatay Civici wrote:


 http://www.jroller.com/page/cagataycivici

Thanks for publishing this. I've added a link to it on the Acegi 
Security articles page.


Best regards
Ben




Re: [Acegisecurity-developer] ACL for massive databases

2006-01-21 Thread Ben Alex

David Medinets wrote:

I did some developmental work with ACL and large tables at a previous
company. However, I did not use ACEGI. I didn't know about ACEGI at
the time. Instead I used GUID values as keys with various entities
having various permissions to access specific GUIDs. I used
materialized views in Oracle to keep the query response time
manageable.
  
I've also used views at a RDBMS level instead of relying on Acegi 
Security to ACL filter very large tables. However, the underlying 
tables which the views used were structured so that I could also use 
them with an Acegi Security BasicAclDao implementation. This let me use 
the RDBMS where appropriate (large tables) and Acegi Security/Java for 
the rest (including managing the ACL entries in the table).


Cheers
Ben




Re: [Acegisecurity-developer] ACL for massive databases

2006-01-22 Thread Ben Alex

David Berkowicz wrote:

 A more probable and manageable alternative, I think, will be to
use a better database schema.
  


I agree. The basic schema expected by JdbcDaoImpl is not intended for 
large applications. For large applications we expect people will use a 
schema optimised for their needs, or an existing domain object which 
offers a business-centric view of permissioning data. Either can be 
accessed via an implementation of BasicAclDao.


Best regards
Ben




Re: [Acegisecurity-developer] InheritableThreadLocal in SecurityContextHolder

2006-01-25 Thread Ben Alex

Hi Tom

Dunstan Tom wrote:

 the existing upgrade notes for 0.9.0 are
plain wrong).

  
I have corrected this in CVS, so at the least the public web site 
(acegisecurity.org) will display the correct upgrade instructions for 
those moving to 0.9.0.



 - I see that Oliver Hutchison sent a proposal after the code was
reverted suggesting a strategy interface which didn't get any replies; I
think that idea is also good and would allow configuration using spring
but default to InheritableThreadLocal. It needn't even be as heavy as
Oliver's solution: Simply having a static setThreadLocalImpl(ThreadLocal
tl) would do the trick, and would be reasonably guaranteed to be called
before any user interaction if done inside a spring config file.

  
I have re-read Oliver's strategy proposal and believe it is probably the 
most elegant at this stage. We have a feature freeze on before we get 
1.0.0 out, though, so we can't change it just yet. Nevertheless, I have 
added it to JIRA as SEC-152. In the meantime you'll need to copy the 
contents of the SecurityContext to new threads as suggested.


On a related note, I spoke with Juergen about this at The Spring 
Experience and we felt it needed more consideration as a standardised 
context duplication approach also needs to consider (a) other 
ThreadLocals within Spring and (b) the interaction with task executor 
implementations (such as included in Spring 2).


Best regards
Ben
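
The trade-off discussed above (ThreadLocal versus InheritableThreadLocal, and copying the context to new threads by hand), as an added example that is not part of the original message and is not Acegi Security's own code. PLAIN, INHERITED, seenByWorker and withContext are hypothetical stand-ins, with a String playing the role of the SecurityContext and constructed user names:

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextPropagationDemo {

    // Stand-ins for the holder: one backed by a plain ThreadLocal,
    // one backed by an InheritableThreadLocal.
    static final ThreadLocal<String> PLAIN = new ThreadLocal<>();
    static final ThreadLocal<String> INHERITED = new InheritableThreadLocal<>();

    /** Runs a read of the given holder on the pool and returns what the worker saw. */
    static String seenByWorker(ExecutorService pool, ThreadLocal<String> holder)
            throws Exception {
        Callable<String> read = holder::get;
        return pool.submit(read).get();
    }

    /**
     * Manual propagation: capture the submitter's context, bind it on the
     * worker for the duration of one task, and always clear it afterwards.
     */
    static Callable<String> withContext(Callable<String> task) {
        final String captured = PLAIN.get(); // read on the submitting thread
        return () -> {
            PLAIN.set(captured);
            try {
                return task.call();
            } finally {
                PLAIN.remove(); // pooled workers outlive the request
            }
        };
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(1);
        try {
            // "Request" 1 runs as alice. The pool creates its only worker on the
            // first submit, so that worker inherits from this thread right now.
            PLAIN.set("alice");
            INHERITED.set("alice");
            System.out.println("req1 plain     -> " + seenByWorker(pool, PLAIN));
            System.out.println("req1 inherited -> " + seenByWorker(pool, INHERITED));

            // "Request" 2 runs as bob and reuses the same worker thread.
            PLAIN.set("bob");
            INHERITED.set("bob");
            System.out.println("req2 plain     -> " + seenByWorker(pool, PLAIN));
            System.out.println("req2 inherited -> " + seenByWorker(pool, INHERITED));

            // Explicit copy: the worker sees the submitter's context for this
            // task only, and is clean again for whatever runs next.
            Callable<String> read = PLAIN::get;
            System.out.println("req2 copied    -> " + pool.submit(withContext(read)).get());
            System.out.println("after copy     -> " + seenByWorker(pool, PLAIN));
        } finally {
            PLAIN.remove();
            INHERITED.remove();
            pool.shutdown();
        }
    }
}
```

Inheritance happens once, when the worker thread is created, so a pooled worker keeps the identity of whichever request caused its creation; the explicit copy with a finally block avoids both the missing context and the stale one.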




Re: [Acegisecurity-developer] LdapAuthenticationProvider and Chaining Providers

2006-02-05 Thread Ben Alex

Tyler Nelson wrote:

The provider manager seems to only need one provider to authenticate, 
not all. What would be the suggested way to handle this situation, 
besides extending ProviderManager?

Could you subclass LdapAuthenticationProvider and override 
additionalAuthenticationChecks?


For the benefit of the archives, chaining usually means trying one 
AuthenticationProvider and then another if the first fails to 
authenticate. ProviderManager can do this out-of-the-box. What Tyler is 
trying to do involves a single AuthenticationProvider requiring 
information stored in two different places (LDAP and RDBMS), so it needs 
a subclass.


Cheers
Ben




Re: [Acegisecurity-developer] how to use AnonymousProcessingFilter.applyAnonymousForThisRequest() to filter subnet

2006-02-06 Thread Ben Alex

Hongbo HE wrote:

My config is like following:

  
The configuration is incorrect. In your case you will require not one 
but two AnonymousProcessingFilters. The first will be the standard 
AnonymousProcessingFilter which will always set up the 
SecurityContextHolder with ROLE_ANONYMOUS. The second will be your 
subclassed AnonymousProcessingFilter which applies IP-specific anonymous 
authentication and has its UserAttribute property set to contain a 
different GrantedAuthority (such as ROLE_PRIVATE_SUBNET_ANONYMOUS as 
well as ROLE_ANONYMOUS). You must ensure the subclassed 
AnonymousProcessingFilter appears before the fallback 
AnonymousProcessingFilter in your FilterChainProxy. You can then use 
ROLE_ANONYMOUS for the login page, and ROLE_PRIVATE_SUBNET_ANONYMOUS 
when only an anonymous user from your restricted subnet is allowed.


Cheers
Ben




Re: [Acegisecurity-developer] Creating the first admin: the chicken and the egg

2006-02-06 Thread Ben Alex

Patrick Huber wrote:

Hi Mark

I've only used acegi in a relatively small private project where I
have full control over the server. For that project, I added that
first user after creating the database through another sql script.

  

That's one way. Other ways might be to use an InitializingBean that 
detects an empty database and adds a new administrative user. Or, use 
InMemoryDaoImpl in conjunction with your RDBMS-backed 
AuthenticationProvider, as ProviderManager can try the RDBMS provider 
and then fallback to your in-memory implementation to lookup the 
administrative user. The InMemoryDaoImpl can even source the 
administrative user from an external properties file, so it might be 
worth investigating.


Cheers
Ben




Re: [Acegisecurity-developer] AbstractProcessingFilter and multiple home pages support

2006-02-07 Thread Ben Alex

Sergio Bossa wrote:

One implementation could be to add a call to a template method into 
AbstractProcessingFilter.successfulAuthentication(HttpServletRequest 
request, HttpServletResponse response, Authentication authResult) 
method, something like:


You could also write your own custom AuthenticationEntryPoint, which is 
probably preferable to subclassing.


Cheers
Ben




Re: [Acegisecurity-developer] Re: AbstractProcessingFilter and multiple home pages support

2006-02-08 Thread Ben Alex

Sergio Bossa wrote:

I don't see how implementing a custom AuthenticationEntryPoint would 
solve my problem, which is not related to the login page, but rather 
to the page displayed after successful login.

It could be done by using the AuthenticationEntryPoint to modify the 
target URL defined by 
AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY. That way, 
irrespective of which authentication entry point you might ultimately 
switch to (CAS, form etc), your AuthenticationEntryPoint will be 
compatible with all of them. You could even store the original target 
URL in a different session attribute, and thus after your post-login 
page is displayed, you could still offer a pass-through to the 
originally requested page.


Best regards
Ben





Re: [Acegisecurity-developer] Re: Getting a unit test failure error with the latest sync of CVS files...

2006-02-08 Thread Ben Alex

Vijay Varadan wrote:
Reducing the size of the build output and reattaching so it doesn't 
require moderator approval.


The test failure is occurring as follows:
[junit] Running 
org.acegisecurity.providers.anonymous.AnonymousProcessingFilterTests

[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 0.265 sec

This class was recently changed. Unit tests are currently all passing, 
so checkout again and you should be fine.


Best regards
Ben




Re: [Acegisecurity-developer] making BasicAuthenticationFilter not authenticate

2006-02-08 Thread Ben Alex

Brian Moseley wrote:

where i'm stumbling is that BasicProcessingFilter immediately
authenticates the credentials it finds in the Authorization header,
and upon failure it commences its configured authentication entry
point. why does it do this? why doesn't it simply set up an
authentication token and let the SecurityEnforcementFilter handle the
authentication? that's what my TicketProcessingFilter does, and it
works fine (when the request contains only ticket credentials).


  

Hi Brian

BasicProcessingFilter proactively attempts authentication (via 
AuthenticationManager) whenever it sees a BASIC authentication header, 
which is consistent with the contract for an authentication mechanism 
and the others included with Acegi Security. The reason they all attempt 
authentication is to give the user early advice there is a problem with 
presented credentials, even in the case the user isn't actually 
requesting a secure object. For example, someone may present a BASIC 
header but request a public home page. In that situation the 
authentication mechanism would notify the user agent as early as 
possible there has been an issue.


In your case we do have a few options:

- Provide a failedAuthentication method in BasicProcessingFilter so 
you could subclass and override the default behavior. You'd probably 
like to leave the SecurityContextHolder null and allow the FilterChain 
to proceed. Your ticket filter would then have a chance to process the 
request.


- Provide an ignoreFailure property, which essentially does the same 
FilterChain continuation as the aforementioned option.


- Write your own authentication mechanism that reflects your particular 
needs. You don't need to use the BasicProcessingFilter.


- Use BASIC authentication as a transport for your tickets. I'd probably 
see this as the most elegant approach, if it were possible. Rather than 
use a dedicated HTTP header, use a specific username to denote a ticket, 
eg TICKET. The password would be the actual ticket itself, 
Base64-encoded as per standard BASIC authentication headers. Then you're 
going to only need to deal with all of this in your UserDetailsService 
implementation. So you've also avoided needing to write an 
AuthenticationProvider (and probably an Authentication implementation 
and authentication mechanism as well). Plus you've picked up the benefit 
of allowing migration (one day, if you like) to a form-based 
authentication interface (debugging?), digest or similar authentication 
that can also be carried in a simple username + : + password formatted 
payload.


Thoughts?

Ben
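
The last option above (BASIC authentication as the transport for tickets, with a reserved username), as an added example that is not Acegi Security's code or code from this thread. It deliberately avoids Acegi classes: `decodeBasic`, `authenticate` and the two in-memory stores are hypothetical names with constructed sample data, and only the reserved username TICKET comes from the message.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class TicketOverBasicExample {

    /** Reserved username that marks the password field as a ticket. */
    static final String TICKET_USERNAME = "TICKET";

    /** Constructed sample stores; a real application would query its own back ends. */
    static final Map<String, String> TICKET_OWNERS = new HashMap<>();
    static final Map<String, String> PASSWORDS = new HashMap<>();
    static {
        TICKET_OWNERS.put("t-7f3a:2006", "brian"); // the ticket value contains ':' on purpose
        PASSWORDS.put("carol", "correct horse");
        // Account creation must refuse the name "TICKET", or that account is unreachable.
    }

    /** Decodes "Basic base64(username:password)" into {username, password}. */
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a BASIC Authorization header");
        }
        // Base64.Decoder.decode throws IllegalArgumentException on malformed input.
        byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
        String token = new String(raw, StandardCharsets.UTF_8);
        int colon = token.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' between username and password");
        }
        // Split on the first colon only, so the ticket itself may contain colons.
        return new String[] { token.substring(0, colon), token.substring(colon + 1) };
    }

    /** Returns the authenticated principal name, or null when the credentials are rejected. */
    static String authenticate(String header) {
        String[] parts;
        try {
            parts = decodeBasic(header);
        } catch (IllegalArgumentException e) {
            return null; // malformed header: reject, do not guess
        }
        String username = parts[0];
        String secret = parts[1];
        if (TICKET_USERNAME.equals(username)) {
            // Ticket path: the principal is whoever the ticket was issued to, never "TICKET".
            return TICKET_OWNERS.get(secret);
        }
        String expected = PASSWORDS.get(username);
        if (expected == null) {
            return null;
        }
        // Constant-time comparison of the presented and stored password bytes.
        boolean matches = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                secret.getBytes(StandardCharsets.UTF_8));
        return matches ? username : null;
    }

    /** Builds the header a client would send (used here to construct sample input). */
    static String basicHeader(String username, String password) {
        byte[] raw = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        check("brian".equals(authenticate(basicHeader("TICKET", "t-7f3a:2006"))), "valid ticket");
        check(authenticate(basicHeader("TICKET", "t-unknown")) == null, "unknown ticket");
        check("carol".equals(authenticate(basicHeader("carol", "correct horse"))), "password login");
        check(authenticate(basicHeader("carol", "wrong")) == null, "wrong password");
        check(authenticate("Basic !!!not-base64!!!") == null, "malformed header");
        System.out.println("all checks passed");
    }
}
```

A ticket carried this way ends up wherever BASIC credentials end up (proxy logs, debug output of the Authorization header), so it needs the same handling as a password.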




Re: [Acegisecurity-developer] making BasicAuthenticationFilter not authenticate

2006-02-08 Thread Ben Alex

Brian Moseley wrote:

so, i'll work up a patch tomorrow that adds an ignoreFailure
property to BasicAuthenticationFilter (or to its superclass, if
appropriate) and send it in. thanks for the suggestion!
  
I've logged it as 
http://opensource2.atlassian.com/projects/spring/browse/SEC-180 and just 
checked the change and tests into CVS.


Cheers
Ben




[Acegisecurity-developer] Acegi Security - new release 1.0.0 RC2

2006-02-09 Thread Ben Alex

Dear Spring Community

I'm pleased to announce that Acegi Security release 1.0.0 Release 
Candidate 2 is now available. This release includes over 50 improvements 
and fixes since 1.0.0 RC1, including comprehensive new LDAP 
capabilities. We recommend that users upgrade to 1.0.0 RC2 in order to 
take advantage of these improvements. Upgrading to 1.0.0 will also 
assist us in identifying any issues as we move towards our final 1.0.0 
release.


Please visit 
http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040&styleName=Html&version=10361 
for a detailed changelog. As always, detailed upgrade instructions are 
included in the release ZIP file.


The project's web site at http://acegisecurity.org provides additional 
information on Acegi Security's features, access to online 
documentation, and links to download the latest release.


We hope you find this new release useful in your projects.

Cheers
Ben




Re: [Acegisecurity-developer] accept both basic and digest authentication?

2006-02-09 Thread Ben Alex

[EMAIL PROTECTED] wrote:


How can one set up acegi to accept either one of basic or digest 
authentication?


 

Just add them both to the filter chain, and specify your preferred 
default (for unauthenticated requests which attempt to access a secure 
resource) as the ExceptionTranslationFilter.authenticationEntryPoint.


Best regards
Ben




Re: [Acegisecurity-developer] security filters not executing for custom error page

2006-02-09 Thread Ben Alex

Brian Moseley wrote:

i've configured a custom error page for 403 responses in my web.xml. i
want that page to use the authz taglib to render itself differently
depending on whether the authentication for the request is anonymous
or represents a known user of my application.


  
This is discussed a few times on the forums. Essentially there is 
nothing we can do about it. Some people have modified the 
ExceptionTranslationFilter (RC2 rename of SecurityEnforcementFilter) 
method sendAccessDenied(ServletRequest, ServletResponse, FilterChain, 
AccessDeniedException) to store additional information in HttpSession 
given it's not available from the normal SecurityContextHolder. 
Alternatively, use a JSP-based 403 page and access the HttpSession 
attribute keyed on 
HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY to 
retrieve the user's details. This won't help you with the authz taglib, 
though, as it uses SecurityContextHolder. I suppose it's worth 
considering making it (and other taglibs) revert to checking the 
HttpSession directly if SecurityContextHolder doesn't contain an 
Authentication (such a check could be put into a static utility method 
for use by any taglib or templating system macro).


Cheers
Ben




Re: [Acegisecurity-developer] Basic Auth and Form-Based Auth

2006-02-10 Thread Ben Alex

Jeoff Wilks wrote:

It's not immediately obvious to me how you'd do this, since Basic Auth 
normally prompts with a 401 response. However, I could require that 
machine clients proactively send the basic auth info (not waiting for 
a 401), so the server just attempts to process basic auth, and failing 
that, does form auth.

That's exactly how it's done. Please see the Contacts Sample (Filters) 
application, as it demonstrates BASIC + Form authentication being used 
in the same application for different clients.


Cheers
Ben




Re: [Acegisecurity-developer] SecurityContextHolder javadoc error

2006-02-11 Thread Ben Alex

Andrey Moiseenko wrote:

Javadoc for org.acegisecurity.context.SecurityContextHolder: Associates a
given SecurityContext with the current execution thread and any new threads
the current execution thread may spawn.
  

Logged as SEC-188 and fixed in CVS.

Ben




Re: [Acegisecurity-developer] CasPasswordHandler bean setup woes

2006-02-21 Thread Ben Alex

Scott Battaglia wrote:


If there's interest I can write an AuthenticationHandler that 
delegates to an Acegi AuthenticationManager similar to what the 
current CAS adapter does.



Hi Scott

I think it would be good to have a 3.x-series compatible 
AuthenticationHandler, so that people wanting to try out CAS who already 
have an Acegi Security authentication environment configured can do so 
without trying to configure one of the CAS-included handlers. It just 
makes the testing requirements a little easier on people, so they're 
more likely to try out CAS. Also, I am presuming that given CAS 3.0.4 is 
now stable we could probably move the old CAS 2.x PasswordHandler to the 
sandbox and change our project JAR dependency to 3.x. Any thoughts?


Cheers
Ben




Re: [Acegisecurity-developer] CasPasswordHandler bean setup woes

2006-02-21 Thread Ben Alex

Scott Battaglia wrote:

Ben,

I'll work on a CAS3/Acegi AuthenticationHandler this week.  It 
shouldn't be too difficult.  Do you think having both the 
PasswordHandler and an AuthenticationHandler will cause problems? We 
are in RC, so I'm not sure we want to remove the handler.

After reading your and Andrew's mails, I think it best to keep CAS 2 
compatibility in Acegi Security's CAS adapter subproject for a while 
longer. I am guessing 2.x and 3.x exist in different package namespaces, 
so having both JARs as dependencies shouldn't represent an issue.


I will also add an option to CAS to create an api jar file to place in 
a Maven repository so that we can include it in Acegi (we don't have 
one yet).


Excellent. In the meantime you are welcome to place them in the 
http://acegisecurity.sourceforge.net/maven repository. FYI you have 
access to 
shell.sourceforge.net:/home/groups/a/ac/acegisecurity/htdocs/maven by 
virtue of your CVS privileges.


Finally, we should update the references to CAS in the project to 
JA-SIG CAS with the URL http://www.ja-sig.org/products/cas/ [we just 
created this site].  Do you want me to do that?


Yes, please. If you could update the reference manual with an 
explanation of CAS 3.x-specific processes and some commentary about 
which version to use, it would be appreciated. If you don't have time to 
do this, would you please add it as a JIRA task so that it's tracked?


Cheers
Ben




Re: [Acegisecurity-developer] Acegi, JSF and Spring

2006-03-02 Thread Ben Alex

Konstantin Shaposhnikov wrote:

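I would recommend you to write a simple bean with a getter method that
returns the currently logged-in user from the SecurityContext:

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;

class CurrentUser {
  // Returns the principal of the logged-in user, or null if there is none.
  Object getPrincipal() {
    SecurityContext ctx = SecurityContextHolder.getContext();
    if (ctx == null)
      return null;
    Authentication auth = ctx.getAuthentication();
    // The context holds no Authentication until a user has been authenticated.
    return (auth == null) ? null : auth.getPrincipal();
  }
}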
  
SecurityContextHolder.getContext() is guaranteed to never return null, 
so you can skip that check. Also consider if the getPrincipal() returns 
a UserDetails object, as in that case you'll probably want to cast the 
getPrincipal() Object to UserDetails and use one of its getters instead 
(eg getUsername()).


Cheers
Ben




Re: [Acegisecurity-developer] ACL for massive databases

2006-03-02 Thread Ben Alex

Jeoff Wilks wrote:
Ben, can you elaborate a bit on how you structured your DB schema for 
ACLs? I'm facing this problem right now (need ACLs at both app level 
and database level), and I would appreciate understanding a little 
more about the intent of the Acegi design in that respect.  (Apologies 
for resurrecting an old thread).


Unfortunately I cannot provide a generally-useful schema, as it was very 
specific to the application I was working on. However, I would encourage 
you to consider the most efficient way to model, update (via triggers, 
stored procedures etc) and use (via views etc) your data at a DB level - 
don't worry too much about Acegi Security's ACL requirements. This is 
because DBs have specific optimisation considerations, not only in terms 
of normalisation but also in terms of efficient operation of views and 
triggers. Acegi Security can hook into whatever you end up developing 
for the DB via its general-purpose BasicAclDao interface. If needed you 
can always provide a DB view for use by your BasicAclDao implementation.


Best regards
Ben




Re: [Acegisecurity-developer] Scoped Role

2006-03-02 Thread Ben Alex

Hao Chen wrote:

I thing I can
think of is to change the GrantedAuthorities
dynamically for every request based on which workspace
the user is trying to access. Will this work?
  
That will work, but it means you will be using AuthenticationManager 
again for every request and you will need to be careful not to use the 
normal caching.


It is far simpler in your case to write a custom AccessDecisionVoter 
that can read the current workspace (either from an argument to the 
secure method invocation or from a ThreadLocal) and then only consider 
the GrantedAuthority[]s that are applicable for that workspace. It's 
quite easy to do it, and you can use the existing RoleVoter as a guide.


Best regards
Ben
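
The voting logic suggested above (a RoleVoter-style voter that only considers the authorities belonging to the current workspace), as an added example that is not Acegi Security's code or code from this thread. It is a plain-Java model rather than an AccessDecisionVoter implementation: the `workspace:ROLE_X` authority naming, the `CURRENT_WORKSPACE` ThreadLocal and the method names are assumptions, and the three result constants use the same values as Acegi's voter constants.

```java
import java.util.Arrays;
import java.util.List;

public class WorkspaceRoleVoterExample {

    static final int ACCESS_GRANTED = 1;
    static final int ACCESS_ABSTAIN = 0;
    static final int ACCESS_DENIED = -1;

    /** Hypothetical per-request holder for the workspace being accessed. */
    static final ThreadLocal<String> CURRENT_WORKSPACE = new ThreadLocal<>();

    /**
     * @param grantedAuthorities authorities of the user, scoped as "workspace:ROLE_X" (assumed convention)
     * @param requiredAttributes configuration attributes of the secure object, e.g. "ROLE_EDITOR"
     */
    static int vote(List<String> grantedAuthorities, List<String> requiredAttributes) {
        String workspace = CURRENT_WORKSPACE.get();
        int result = ACCESS_ABSTAIN;
        for (String attribute : requiredAttributes) {
            if (!attribute.startsWith("ROLE_")) {
                continue; // not ours to judge: leave it to other voters
            }
            // From here on at least one attribute is ours, so the default is deny.
            result = ACCESS_DENIED;
            if (workspace == null) {
                continue; // no workspace bound to this request: fail closed
            }
            // Only an authority granted in THIS workspace satisfies the attribute.
            if (grantedAuthorities.contains(workspace + ":" + attribute)) {
                return ACCESS_GRANTED;
            }
        }
        return result;
    }

    /** Runs one vote with the given workspace bound, always unbinding afterwards. */
    static int voteIn(String workspace, List<String> granted, List<String> required) {
        CURRENT_WORKSPACE.set(workspace);
        try {
            return vote(granted, required);
        } finally {
            CURRENT_WORKSPACE.remove(); // request threads are pooled
        }
    }

    static void check(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        // Constructed sample user: editor in workspace "alpha", viewer in "beta".
        List<String> granted = Arrays.asList("alpha:ROLE_EDITOR", "beta:ROLE_VIEWER");
        List<String> needsEditor = Arrays.asList("ROLE_EDITOR");

        check(voteIn("alpha", granted, needsEditor) == ACCESS_GRANTED, "editor in alpha");
        check(voteIn("beta", granted, needsEditor) == ACCESS_DENIED, "only viewer in beta");
        check(voteIn(null, granted, needsEditor) == ACCESS_DENIED, "no workspace bound");
        check(voteIn("alpha", granted, Arrays.asList("IS_OTHER")) == ACCESS_ABSTAIN,
                "attribute not handled by this voter");
        System.out.println("all checks passed");
    }
}
```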




Re: [Acegisecurity-developer] setting attributes for remember-me cookie

2006-03-02 Thread Ben Alex

Tim Kettering wrote:

I scoured the forums and mailing list and did not find anyone bringing
up this issue.   I suspect it's because everyone (?) so far might have
been using the filter based login.  Which we are not, so this would
not be a problem for them.

  

Hi Tim

If you are able to provide a JIRA patch that will provide this 
flexibility, I would be happy to apply it for you.


Cheers
Ben





Re: [Acegisecurity-developer] Building with maven or maven2

2006-03-07 Thread Ben Alex

Carlos Sanchez wrote:

- What is the preferred maven version? I think maven2 is easier to tame

1.0.2 is the one I used a few weeks back to successfully build Acegi 
Security 1.0.0 RC2.



- Which repos are to be used?

They are defined in project.properties and you shouldn't need to modify 
them.



- Could I expect the build from CVS to fail or am I doing something wrong

It should build from CVS. Please try again with Maven 1.0.2 from CVS 
HEAD and report any problems on this list.


Thanks
Ben





Re: [Acegisecurity-developer] change to Authentication object

2006-03-22 Thread Ben Alex

Scott Battaglia wrote:
Would it make sense to change the Object getPrincipal() method to 
UserDetails getPrincipal() such that users can swap the providers 
without having to worry whether the Authentication object from one 
provider returns a different Principal from the other Authentication 
objects (or should people always just call UserDetails)?



Hi Scott

I am inclined to leave it as-is, as detecting the type returned by 
getPrincipal() is rather easy to do, and can be encapsulated into a 
static utility method in any event. Also, as we're in the 1.0.0 RC 
phase, changing a relatively central interface like Authentication 
should be viewed with caution.


Cheers
Ben




Re: [Acegisecurity-developer] checking for invalid user accounts in AuthenticationProvider implementations

2006-03-25 Thread Ben Alex

Tim Kettering wrote:

Maybe it'd be useful if those checks found in
DaoAuthenticationProvider be made available as a pluggable component
that other AuthenticationProviders can utilize?


  

Hi Tim

If you please add it to JIRA, I'll make a static method that accepts a 
UserDetails and throws an appropriate AuthenticationException based on 
its state.


Best regards
Ben




Re: [Acegisecurity-developer] Is it possible to secure CGI scripts?

2006-03-25 Thread Ben Alex

[EMAIL PROTECTED] wrote:

Is it possible to secure perl scripts that are invoked as CGI programs?

  
FilterSecurityInterceptor works at the filter level, so if the filter 
will be called, it should be able to authorize based on URI.


Best regards
Ben





[Acegisecurity-developer] Subversion?

2006-03-25 Thread Ben Alex

Hi everyone

SourceForge have recently modified their offering so we can migrate to 
SVN (without losing revision history) - see 
http://sourceforge.net/docman/display_doc.php?docid=31070&group_id=1#import.


I have also been using SVN recently and had good results. The Subclipse 
plugin at Update Manager URL http://subclipse.tigris.org/update_1.0.x 
works quite well.


Does anyone have any concerns with the project migrating from CVS to 
SVN? If there aren't any objections, I'll make the change in about a week.


Cheers
Ben




Re: [Acegisecurity-developer] Subversion?

2006-04-07 Thread Ben Alex

Ben Alex wrote:
Does anyone have any concerns with the project migrating from CVS to 
SVN? If there aren't any objections, I'll make the change in about a 
week.


Last weekend SF had some CVS issues, so I didn't make the switch as 
intended.


I'm now going to hold off doing this until early May, because I'm 
largely on the road until then and don't want to change things and be 
unavailable if anything goes wrong. Just wanted to let everyone know 
what's happening with the change.


Cheers
Ben




[Acegisecurity-developer] Conferences and Polish article

2006-04-08 Thread Ben Alex

Hi everyone

Just wanted to let you all know that I'll be attending two conferences in 
Europe this June:


* The Second International Conference on Open Source Systems on 8-10 
June in Como, Italy. See http://oss2006.dti.unimi.it/.


* SpringOne on 15-16 June in Antwerp, Belgium. I'll be presenting a 
session on Acegi Security. See http://www.springone.com.


Look forward to meeting some of you there.

On another issue, is there any member of the community interested in 
writing a high-level article on Acegi Security for a Polish computer 
magazine? I've been invited to write one in English (which the magazine 
will translate), but thought I'd extend the offer to anyone who may 
speak Polish natively, or has time to write an article in English with a 
view to translation. If interested, please ping me off-list.


Cheers
Ben




Re: [Acegisecurity-developer] Issue with FilterChainProxy when upgrading from 0.9.0 to 1.0.0-RC2

2006-04-14 Thread Ben Alex

Konstantin Shaposhnikov wrote:

I think that functionality provided in acegi 0.9.0 was quite useful,
because ant patterns are much more flexible than those provided by
servlet-api, so it would be good to restore this behavior - when value
is empty then no filters will be applied to request.
  
Please add this to JIRA as an enhancement request. I think some sort of 
express value would be in order - such as #NONE# - rather than 
allowing the right hand side of the equals to be entirely empty. The 
alternative is to use a NullFilter, but this increases invocation time 
unnecessarily.


Best regards
Ben




Re: [Acegisecurity-developer] Re: CAS configuration

2006-04-21 Thread Ben Alex

Marc-Antoine Garrigue wrote:

I see 3 solutions :
  
I will refer this one to Scott, as he maintains the CAS integration 
these days. Scott, your thoughts?


Cheers
Ben




Re: [Acegisecurity-developer] Is it possible to secure CGI scripts?

2006-04-21 Thread Ben Alex

[EMAIL PROTECTED] wrote:

I've managed to authorize my perl scripts now as expected.
Now I need to send some data from my java filters i.e. roles possessed by the 
user to the CGI perl script but I don't know how to do this.

Any suggestion?
  

What exact approach are you using to run your Perl scripts?

Cheers
Ben




Re: [Acegisecurity-developer] Subversion? (Change completed)

2006-04-24 Thread Ben Alex

Ben Alex wrote:
Last weekend SF had some CVS issues, so I didn't make the switch as 
intended.


I'm now going to hold off doing this until early May, because I'm 
largely on the road until then and don't want to change things and be 
unavailable if anything goes wrong. Just wanted to let everyone know 
what's happening with the change.


I have now completed the migration from CVS to SVN. This includes:

- CVS is no longer visible on the SF project page
- SVN is now visible on the SF project page
- All developers have had their CVS permissions revoked (in case they 
don't see this email)

- All developers now have SVN permissions granted
- The Maven POMs have been modified accordingly
- SVN commit messages are now emailed to acegisecurity-cvs, just as CVS 
used to
- The daily script now builds checkouts from SVN only (see 
http://acegisecurity.sourceforge.net/nightly)


As an aside, I had to complete the migration manually (use a SF CVS 
tarball, run cvs2svn on a local Linux box, SSH the resulting dump file, 
then import). The SF process didn't work, and cvs2svn failed locally 
with keyword failure errors. If anyone else has similar difficulties, 
the --use-cvs option on cvs2svn sorted it out.


Would one of our resident Maven experts (Luke, Carlos?) please check 
that the checkout instructions in /docs/xdocs/cvs-usage.html are 
correct, as are the various POM files.


Cheers
Ben




[Acegisecurity-developer] Roadmap for 1.0.0 final

2006-04-24 Thread Ben Alex

Hi everyone

Last night I went through all open JIRA tasks. Most are now assigned to 
a target release and a specific developer. I would like to release 1.0.0 
final in around two weeks, and I have set aside some days to work 
exclusively on Acegi Security in this period.


Would developers therefore please take a look at their assigned tasks 
and comment on their present status within the next couple of days. If 
you do not believe you will have time to resolve assigned tasks over the 
next fortnight, please reassign them back to me so that I can either 
action it or defer it until a future release.


Thanks in advance.

BTW, I'll ensure 1.0.0 final includes some extra samples, tutorials, and 
revised reference documentation to help new users. We need to improve 
the quality of support resources for new users, such that forum time can 
be diminished in favor of more development time.


Cheers
Ben




Re: [Acegisecurity-developer] Subversion? (Change completed)

2006-04-25 Thread Ben Alex

Carlos Sanchez wrote:

Looks right, only that
https://svn.sourceforge.net/svnroot/acegisecurity/trunk/CVSROOT should
be deleted
  

Thanks for the feedback, Carlos.

Re CVSROOT, that's an artifact of the cvs2svn process. Even 
automatically migrated SF repositories (eg Spring Rich Client) have this 
come across.


On a related issue, what is stopping us using Maven 2 for Acegi Security 
now? I would ideally like to release 1.0.0 final with Maven 2, and 
remove all the old project.xml files. I don't mind if it means we have 
to lose some plugins, just as long as we can do some form of JAR 
creation, unit test execution, code coverage measurement and building a 
PDF and HTML-based DocBook. Are these functions working at present?


Cheers
Ben




Re: [Acegisecurity-developer] CAS support in Acegi

2006-04-25 Thread Ben Alex

Scott Battaglia wrote:


I'm looking at re-working the CAS (some of it based on the new CAS 
client code). Would you prefer I wait until after the Acegi 1.0.0 
Final release (i.e. target 1.1) and just focus on the current open CAS 
issues?


Hi Scott

I am trying to get 1.0.0 final out within a fortnight, and expect 1.0.1 
will follow fairly quickly after that (ie within two or three weeks). It 
would probably be best if you could make any structural changes to be 
included in 1.0.0 final, otherwise 1.0.1 may not be backward compatible.


Cheers
Ben




[Acegisecurity-developer] SVN Commit Messages

2006-04-27 Thread Ben Alex

Hi everyone

For the sake of consistency and ease of reviewing history logs, would 
developers please always format SVN commit messages to begin with the 
JIRA issue number, followed by a colon, then a brief description of the 
check-in. More detailed messages can be placed in the JIRA task. eg:


SEC-123: Constructor no longer requires null.

Thanks very much.

Ben




Re: [Acegisecurity-developer] Hit roadblock while securing Method AfterInvocation ...

2006-05-10 Thread Ben Alex

Vikas Sasidharan wrote:
 
I am not so enthusiastic about setting the flag to true. Could anybody 
suggest some other possible alternatives? My last option is to have a 
custom MethodSecurityInterceptor that enables separation of 
before-invocation and after-invocation interception.
The problem is that I have set /allowIfAllAbstain/ to false. 
Consequently, when the method call gets intercepted (before 
invocation) the Role Voter would return ABSTAIN and because of the 
flag not being set, Acegi would deny access to the user.


I'd suggest you investigate the different AccessDecisionManager 
implementations provided out-of-the-box and if needed provide your own. 
You could always use the AuthenticatedVoter so that there is a 
before-invocation authorization decision made for each secure object 
invocation.


Cheers
Ben
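
The before-invocation behaviour discussed in this thread, as an added example (not code from the original messages or from Acegi Security): a plain-Java model of affirmative voting showing why an all-abstain vote is refused, what enabling the flag admits, and what an authentication-based voter changes. The class names, the `Caller` stand-in and the sample attributes `AFTER_ACL_READ` and `IS_AUTHENTICATED_REMEMBERED` are assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.List;

/** Simplified model of affirmative voting. These are NOT Acegi Security's own classes. */
public class BeforeInvocationVotingModel {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    /** How strongly the caller is authenticated, weakest first. */
    enum Level { ANONYMOUS, REMEMBERED, FULL }

    /** Stand-in for an Authentication object: login strength plus granted authorities. */
    static final class Caller {
        final Level level;
        final List<String> authorities;
        Caller(Level level, String... authorities) {
            this.level = level;
            this.authorities = Arrays.asList(authorities);
        }
    }

    interface Voter { int vote(Caller caller, List<String> attributes); }

    /** Votes only on ROLE_ attributes; with none present it abstains. */
    static final Voter ROLE_VOTER = (caller, attributes) -> {
        int result = ABSTAIN;
        for (String attr : attributes) {
            if (!attr.startsWith("ROLE_")) continue;
            if (caller.authorities.contains(attr)) return GRANTED;
            result = DENIED;
        }
        return result;
    };

    /** Maps an IS_AUTHENTICATED_ attribute to the login strength it demands, or null. */
    static Level requiredLevel(String attr) {
        switch (attr) {
            case "IS_AUTHENTICATED_FULLY": return Level.FULL;
            case "IS_AUTHENTICATED_REMEMBERED": return Level.REMEMBERED;
            case "IS_AUTHENTICATED_ANONYMOUSLY": return Level.ANONYMOUS;
            default: return null;
        }
    }

    /** Votes only on IS_AUTHENTICATED_ attributes, so it can decide where the role voter cannot. */
    static final Voter AUTHENTICATED_VOTER = (caller, attributes) -> {
        int result = ABSTAIN;
        for (String attr : attributes) {
            Level required = requiredLevel(attr);
            if (required == null) continue;
            if (caller.level.compareTo(required) >= 0) return GRANTED;
            result = DENIED;
        }
        return result;
    };

    /** One grant wins; a deny with no grant loses; if every voter abstains the flag decides. */
    static boolean decide(List<Voter> voters, boolean allowIfAllAbstain,
                          Caller caller, List<String> attributes) {
        int denies = 0;
        for (Voter voter : voters) {
            int vote = voter.vote(caller, attributes);
            if (vote == GRANTED) return true;
            if (vote == DENIED) denies++;
        }
        return denies == 0 && allowIfAllAbstain;
    }

    public static void main(String[] args) {
        Caller user = new Caller(Level.FULL, "ROLE_USER");
        Caller anonymous = new Caller(Level.ANONYMOUS);

        // Constructed sample: a method secured only by an after-invocation attribute.
        List<String> afterOnly = Arrays.asList("AFTER_ACL_READ");
        // Same method with an attribute the authenticated voter understands.
        List<String> withAuthCheck = Arrays.asList("IS_AUTHENTICATED_REMEMBERED", "AFTER_ACL_READ");

        List<Voter> roleOnly = Arrays.asList(ROLE_VOTER);
        List<Voter> roleAndAuth = Arrays.asList(ROLE_VOTER, AUTHENTICATED_VOTER);

        // Every voter abstains and the flag is false: even a logged-in user is refused.
        System.out.println("role voter only, flag=false, user:      " + decide(roleOnly, false, user, afterOnly));
        // Flipping the flag admits the user, but admits the anonymous caller as well.
        System.out.println("role voter only, flag=true,  user:      " + decide(roleOnly, true, user, afterOnly));
        System.out.println("role voter only, flag=true,  anonymous: " + decide(roleOnly, true, anonymous, afterOnly));
        // With the extra voter the flag stays false and a real decision is made.
        System.out.println("both voters,     flag=false, user:      " + decide(roleAndAuth, false, user, withAuthCheck));
        System.out.println("both voters,     flag=false, anonymous: " + decide(roleAndAuth, false, anonymous, withAuthCheck));
    }
}
```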




Re: [Acegisecurity-developer] tentative 1.0 final date

2006-05-10 Thread Ben Alex

Ben Munat wrote:
I'm using RC-2 and I think I'm having trouble with the 
IllegalStateException problem as detailed in SEC-211. It appears that 
this issue is fixed in CVS, but won't be in a release until 1.0 final. 
Wondering if you guys are close on final (like in the next week or 
so), or if I should use a nightly build? Or maybe I should fall back 
to RC-1 since that didn't have the problem?



We will try to release it on 19 May, although it might slip to 26 May.

Cheers
Ben




Re: [Acegisecurity-developer] how to customize roles

2006-05-10 Thread Ben Alex

Richard Han wrote:

My question probably is more suitable to user-list, but we don't have one.
Anyway, I am new to acegi, my question is, how do you customize role names,
for instance, if I want to use ROLE_STUDENT, ROLE_PROFESSOR, how would I let
acegi recognize them?

  

In two places:

1. These would be your configuration attributes against 
AbstractSecurityInterceptor.objectDefinitionSource.


2. They would be returned in your UserDetails object from the 
UserDetailsService used by your AuthenticationProvider.


Cheers
Ben




[Acegisecurity-developer] Final preparation for 1.0.0 final

2006-05-23 Thread Ben Alex

Hi everyone

I would like to release 1.0.0 final on Friday 26 May. All JIRA issues 
assigned to me are now either completed or marked for a future release.


Please note that source code reformatting with Jalopy has been completed 
(SEC-97) and the /jalopy.xml file revised. One of the changes included 
going from 80 character to 120 character word wrapping (we all have wide 
screens by now, right?). Committers, please re-import this file into 
your IDE Jalopy plugin and ensure that all source code is formatted 
prior to committing.


There are presently eight JIRA issues outstanding for 1.0.0 final, as 
listed in the roadmap:


http://opensource.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

Would Luke, Scott and Marc Antoine please check these eight issues and 
either close them or assign them to a future release ASAP. None of them 
look critical except for SEC-270.


A number of desired major feature improvements have been deferred to 
1.0.1 or 1.1.0. These most notably include the refactored ACL services 
(SEC-239) and configuration simplification (SEC-271). These are two 
items I would have liked to see in 1.0.0, but we simply ran out of time. 
The sandbox contains some code for the ACL refactoring, so I'd like to 
invite existing ACL users to take a look and provide feedback.


Cheers
Ben




Re: [Acegisecurity-developer] Final preparation for 1.0.0 final

2006-05-25 Thread Ben Alex
Joern Huxhorn wrote:
 It's possible that I'm missing something but I think it should be 
 removed from the jar.
   

It has already been taken care of. See SEC-240.




Re: [Acegisecurity-developer] Final preparation for 1.0.0 final

2006-05-25 Thread Ben Alex
Angelo Luis wrote:
 this is not fixed: 
 http://opensource.atlassian.com/projects/spring/browse/SEC-99

It isn't fixed for the reasons I provided in the comment, being:

I wish there was a simple way of resolving this issue, but whatever we 
do would inevitably break backward compatibility and represent a risk as 
we try to get 1.0.0 out. A more substantial refactoring of 
MethodDefinitionMap might be in order, particularly if it also allowed 
arguments to be declared.

Best regards
Ben




[Acegisecurity-developer] Acegi Security 1.0.0 is released!

2006-05-29 Thread Ben Alex
Dear Spring Community

After more than two and a half years of development, I am delighted to 
announce that Acegi Security 1.0.0 is now officially released.

In addition to more than 80 improvements and fixes since 1.0.0 RC2, this 
new release also includes several changes to help new users. This 
includes a significant restructure and expansion of the reference guide 
(now more than 90 pages) and a new bare bones tutorial sample 
application. Furthermore, many of the frequently-identified problems 
experienced by new users have been addressed, such as custom 403 
messages (as opposed to using the Servlet Container's error handler), 
detecting corrupt property input following the reformatting of XML 
files, and a new logout filter. We've also refactored our LDAP services, 
made the SecurityContextHolder a pluggable strategy (especially useful 
for rich clients who wish to avoid ThreadLocal), and improved CAS support.

Please visit 
http://opensource.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040&styleName=Html&version=10360
 
for a detailed changelog. As always, detailed upgrade instructions are 
included in the release ZIP file.

The project's web site at http://acegisecurity.org provides additional 
information on Acegi Security's features, access to online 
documentation, and links to download the latest release. I will also be 
providing a presentation on Acegi Security at SpringOne next month, so I 
hope to see you there.

We trust that you find this new release useful in your projects.

Cheers
Ben




Re: [Acegisecurity-developer] SSO - Cookie, etc

2006-07-01 Thread Ben Alex
Matthew Holt wrote:
 1. Read SSO cookie username.
 2. Check username against LDAP.

   
You need to write an authentication mechanism that can setup the 
SecurityContextHolder with an Authentication object representing the 
username derived from your SSO cookie. Usually this will be implemented 
as a Servlet Filter, as discussed more fully in the reference guide that 
ships in the release ZIPs or can be accessed from www.acegisecurity.org.

Best regards
Ben




Re: [Acegisecurity-developer] Can't find some class for migration

2006-07-01 Thread Ben Alex
Andrew Perepelytsya wrote:
 1. Where is
 net.sf.acegisecurity.context.ContextInvalidException
 now? What is the replacement for it?
 2. The SecureContext class had the validate() method, but I can't find it in
 SecurityContext now, neither does SecurityContextImpl contain it.
   

The SecurityContextHolder classes were quite extensively refactored over 
these releases, going from a general-purpose ThreadLocal store to a 
security-specific store. Did you need the above exception and method for 
something in particular? If you provide the usage scenario we can 
perhaps offer some suggestions.

Best regards
Ben



Re: [Acegisecurity-developer] Enhancements to Siteminder integration for 1.1.0

2006-07-11 Thread Ben Alex
[EMAIL PROTECTED] wrote:
 Hi All,
 In the Docbook, at the end of Chapter 9: Siteminder  
 Authentication Mechanism, someone added a TODO suggesting that a  
 dedicated AuthenticationProvider be created instead of users having to  
 modify their DaoAuthenticationProvider.  They don't actually, but it  
 does make sense to have a dedicated provider to keep things clean, and  
 I'll go ahead and write this for 1.1.0.
 I'm unclear about the additional line though, Also review the  
 mixed use of SiteminderAuthenticationProcessingFilter, as it's  
 inconsistent with the rest of Acegi Security's authentication  
 mechanisms which are high cohesion.  Could the person who added this  
 Docbook TODO help me understand what is being suggested?
 Thanks,
 Scott
   
Hi Scott

I added the comment to the reference guide, after reading the following 
in the Siteminder section of the Reference Guide:

Normally a |DaoAuthenticationProvider| expects the password property to 
match what it retrieves from the |UserDetailsSource|. In this case, 
authentication has already been handled by Siteminder and you've 
specified the same HTTP header for both username and password. As such, 
you must modify the code of |DaoAuthenticationProvider| to simply make 
sure the username and password values match.

If we don't need users to modify DaoAuthenticationProvider, we should 
modify the Reference Guide accordingly. The second sentence of my 
comment really just reflected taking a closer look at the design, 
primarily because of the DaoAuthenticationProvider handling.

Thanks for volunteering to look at this for 1.1.0 BTW.

Cheers
Ben




Re: [Acegisecurity-developer] AJAX support follow up

2006-07-11 Thread Ben Alex
Brian Pontarelli wrote:
 Hello everyone. I'd like to try one last time to get some backing from 
 the Acegi developers for a patch to include AJAX login support into 
 Acegi. I have written all of the code and just need to finish test 
 cases, but I'd like to commit this back into the main line rather than 
 supporting a fork locally. I think there are enough companies doing AJAX 
 work and using a session (or that would like to use an AJAX style login 
 form) that this is really a valuable patch.

   
Hi Brian

As Ray mentioned, if you could kindly attach your patch to a JIRA issue 
one of us will be able to review and hopefully incorporate it into the 
code base (if you've already put it into JIRA, please let me know the 
issue number).

Best regards
Ben




Re: [Acegisecurity-developer] Bean initialization, constructor injection etc.

2006-07-16 Thread Ben Alex
Luke Taylor wrote:
 I agree that reusability is important but I'm not convinced that these
 changes are justified on this basis, or that is just about balancing
 reusability and ease of use. The use of constructor arguments is about
 guaranteeing that objects can only be created with a specific state (the
 dependencies required by their design) and providing a single point for
 checking that state (the constructor). This is a design issue based on
 the requirements as determined by the developer at the time they write
 the class. As time goes on and different requirements become apparent
 from forum posts and so on, compromises are made, access is provided to
 state that was previously immutable or unreadable etc etc. The most
 reusable code may provide no-arg constructors and getters and setters
 for everything, but it is also the least stable.
   
+1

 To summarise, there may be situations where we *do* want to open things
 up in this way for some classes, to provide extra extensibility, but I
 don't think accommodating the inadequacies of plexus is sufficient
 justification for a cross-the-board change. Could it not be argued that
 the changes should be made to plexus rather than Acegi?
   
Acegi Security should not be changed to accommodate limitations in IoC 
containers. If Plexus cannot be modified to support the required 
behaviour, I would encourage the addition of wrapper objects within a 
third party project (whatever is needing to use Acegi Security with 
Plexus) to achieve the required integration. I would hope that 
ultimately the wrapper objects could be removed, when Plexus supports 
constructor injection.

The other issue is that not using Spring for IoC will become a more 
pronounced issue as we move towards 1.1.0, because the namespaces 
feature in Spring 2.0 will be leveraged. As part of this most (if not 
all) classes will be refactored to use [full] constructor injection and 
end users will be encouraged to wire things up with Acegi Security XML 
rather than beans XML. This is partly to make things easier on users 
(XML verbosity and auto-completion), partly to give XML validation, but 
also to provide a level of indirection between the OO implementation 
approach and user configuration approach (thus giving us more 
flexibility to refactor the former without breaking the latter). 
Therefore, perhaps the easiest thing to do would be look at using Spring 
as an internal configuration subsystem for Acegi Security and simply 
wrapping the Spring IoC container inside a bean that is in turn 
registered with Plexus or any other IoC container for that matter.

On another issue, could I ask: was there a technical reason Plexus was 
selected instead of Spring? Perhaps you could use namespaces with Spring 
in your project, as they do give you a lot of genuine benefits aside 
from simpler Acegi Security integration (as summarized above).

Best regards
Ben




Re: [Acegisecurity-developer] advanced feature

2006-07-18 Thread Ben Alex
Kirin Eugene wrote:
 I want to show this link not to all users with the user permission,
 but only to the user with a concrete ID. In other words, if the user has the user role and 
 id = 5,
 then show the link. Do you know the best way to implement this?


   
The taglib is designed only to work with roles. You'll need to customize 
it, or perhaps explore using the ACL taglib or approaching your problem 
a different way.

Cheers
Ben



Re: [Acegisecurity-developer] Unsigned ACEGI jars

2006-07-22 Thread Ben Alex
Kujat, Aaron wrote:
 I have downloaded the acegi-security-1.0.1 release from a number of
 mirrors now and I have not been able to find a properly signed jar file.

   
Hi Aaron

The JARs were not signed in 1.0.1 and this is not a problem. You can 
read more at 
http://www.mail-archive.com/acegisecurity-developer@lists.sourceforge.net/msg02009.html.

Cheers
Ben


