Re: [Acegisecurity-developer] avoiding reauthentication?
[EMAIL PROTECTED] wrote:

> Hello,
>
> I was told that the CVS distribution now avoided reauthentication if a SecurityContextHolder was found by the HttpSessionContextIntegration filter, but this is not the case, it is still calling the authentication dao. Could this feature be integrated into acegi? I cannot cache the user records because they are modified in the backend without notification. I also would like the user to be able to continue the session without having to reauthenticate if he changes his password (via another system) while he has the application open.
>
> Thanks
> Fernando Mato Mira

Is Authentication.isAuthenticated() returning true for your Authentication object? This is a requirement to avoid reauthentication by AbstractSecurityInterceptor. It doesn't have anything to do with HttpSessionContextIntegrationFilter.

If you think everything is correct, please post a DEBUG log and your configuration XML to a forum support post and I'll take a closer look.

Cheers
Ben

---
SF.Net email is Sponsored by the Better Software Conference EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile Plan-Driven Development * Managing Projects Teams * Testing QA Security * Process Improvement Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
Re: [Acegisecurity-developer] avoiding reauthentication?
[EMAIL PROTECTED] wrote:

> It is not the AbstractSecurityInterceptor that is reauthenticating, it is the ProviderManager

The only two places in Acegi Security that call AuthenticationManager (of which ProviderManager is the only concrete implementation) are AbstractSecurityInterceptor and the authentication mechanisms (the latter being classes like AuthenticationProcessingFilter). So what is calling ProviderManager repeatedly?

AbstractSecurityInterceptor will not call ProviderManager if SecurityContextHolder.getContext().getAuthentication().isAuthenticated() = true and AbstractSecurityInterceptor.alwaysReauthenticate = false (the default).

Cheers
Ben
Re: [Acegisecurity-developer] avoiding reauthentication?
[EMAIL PROTECTED] wrote:

> Hello,
>
> Doing an authentication against my database takes about half a second, and we can have dozens of requests for one user operation (eg., getting each document from a set of XML documents, this is done like this because it's easier than having one huge XML result that is cut up by the application into individual documents). If we cache, the user cannot login immediately with a new password after changing it. Also, when the cache is invalidated, the provider will try to authenticate with the old password in the middle of a session when the password is changed (always from another application).
>
> What's the problem with always checking if there's an HttpSession with a valid Authentication, and only calling the manager if there's none? That should be super fast.

I don't have a problem with making BASIC and Digest check the SecurityContextHolder so people who want to use HttpSession can benefit from it. Please add a task to JIRA and I'll get the various authentication mechanisms updated.

Best regards
Ben
Re: [Acegisecurity-developer] thread-local security context access
Peter Kharchenko wrote:

> We're working on a large web application, which among other things, relies on thread pools shared across multiple servlet sessions. This appears to present a problem since the same thread may be used to serve different users.

At the start of each HTTP request, HttpSessionContextIntegrationFilter will retrieve the SecurityContext from the HttpSession, and then put it into the SecurityContextHolder. At the end of the HTTP request, HttpSessionContextIntegrationFilter will copy the changed SecurityContext from the SecurityContextHolder and put it back into the HttpSession ready for next request. It will also set the SecurityContextHolder to null, so it is safe and ready for next request.

Because the same thread is used for the duration of the HTTP request, and the thread has security information removed from it at the end of each request, there should not be any problem in a large web application. You may like to confirm this yourself by using a stress testing tool such as Grinder.

Best regards
Ben
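The request lifecycle described in the reply above, as an added example that is not part of the original message and is not Acegi Security code. ContextHolder, SESSIONS and handleRequest are hypothetical stand-ins for SecurityContextHolder, the HttpSession store and the filter; the session ids are constructed sample data. It runs two requests on the same pooled thread, once without and once with the end-of-request clearing step.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added illustration: every name below is a hypothetical stand-in, not an Acegi Security class.
public class ContextIntegrationDemo {

    /** Stand-in for SecurityContextHolder: one principal per thread. */
    static final class ContextHolder {
        private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
        static void set(String principal) { CURRENT.set(principal); }
        static String get() { return CURRENT.get(); }
        static void clear() { CURRENT.remove(); }
    }

    /** Stand-in for the HttpSession store: session id -> stored principal. */
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    /**
     * Models the filter around one request: load the context from the session,
     * run the request, copy the context back, then clear the thread.
     * clearAfterRequest=false models a filter that forgets the last step.
     */
    static String handleRequest(String sessionId, boolean clearAfterRequest) {
        String stored = SESSIONS.get(sessionId);
        if (stored != null) {
            ContextHolder.set(stored);
        }
        try {
            // "Application code": reads the caller's identity from the thread.
            String seen = ContextHolder.get();
            return seen == null ? "anonymous" : seen;
        } finally {
            String after = ContextHolder.get();
            if (after != null) {
                SESSIONS.put(sessionId, after);
            }
            if (clearAfterRequest) {
                ContextHolder.clear();
            }
        }
    }

    /** Runs one request on the pool and waits for the identity it observed. */
    static String runOnPool(ExecutorService pool, String sessionId, boolean clear)
            throws Exception {
        return pool.submit(() -> handleRequest(sessionId, clear)).get();
    }

    public static void main(String[] args) throws Exception {
        SESSIONS.put("session-alice", "alice"); // constructed sample session

        for (boolean clear : new boolean[] {false, true}) {
            // A pool of one thread guarantees both requests reuse the same thread.
            ExecutorService pool = Executors.newFixedThreadPool(1);
            try {
                String first = runOnPool(pool, "session-alice", clear);
                String second = runOnPool(pool, "session-unauthenticated", clear);
                System.out.printf("clear=%b first=%s second=%s%n", clear, first, second);
            } finally {
                pool.shutdown();
            }
            // Drop whatever the second request wrote back before the next run.
            SESSIONS.remove("session-unauthenticated");
        }
    }
}
```

Without the clearing step the second, unauthenticated request observes the first user's identity and even writes it back into its own session; with it, the second request is anonymous.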
Re: [Acegisecurity-developer] Authentication.getPrincipal()
Peter Kharchenko wrote:

> Hello,
>
> Another small question. I am using both anonymous and dao authentication providers. I am using Authentication.getPrincipal() method to obtain user name. In the case of anonymous authentication, the method returns a String, but DAO authentication returns a User object. So to get the user name, I have to check what is being returned, and have special clauses for the DAO authentication. I was hoping that getName() method would return user name, but it returns a serialized version of the User object. I am wondering if there's another way of getting user name, or if this is a bug.

If you'd always like a String to be returned, use DaoAuthenticationProvider.setForcePrincipalAsString(true). It defaults to false.

Cheers
Ben
Re: [Acegisecurity-developer] Samples / Annotation
Mark St.Godard wrote:

> Ben et al,
>
> I have checked in the first Annotations sample... basically a straightforward port of the samples/attributes -- samples/annotations.
>
> Note: This sample project requires the acegi-security-tiger-0.9.0-SNAPSHOT.jar, so please ensure it's built to your local maven repo. See core-tiger/
>
> Ben have a quick look, and let me know if you have any problems with your build, etc. Mine runs through fine, compiles, tests pass, etc..

Good work Mark. I would suggest that we move MethodDefinitionAttributes to the net.sf.acegisecurity.annotation package, and rename the class to SecurityCommonsAtributes.

> Next I will look at the actual Contacts sample... I think the last we talked on this we were possibly going to deprecate the Commons Attributes / plugin, etc. ? (i.e. let the commons-attributes folk build by hand ?) I think you mentioned it causes problems with Java 5 sources and the attributes plugin.

Yes, the commons-attributes-plugin in Maven does not work if you're running Java 5 source compatibility. This only impacts the ability to run the /samples/attributes/project.xml. I would suggest we remove this subproject from the /project.properties' maven.multiproject.includes.

Cheers
Ben
Re: [Acegisecurity-developer] Container Adapter for Sun Java App Server 8.1
Clarence Ho wrote:

> Hi all,
>
> I want to deploy Acegi Security System to Sun Java Application Server 8.1 UR 2, but after I deployed the application, I got a class cast exception for the authentication token. It seems that I should use a Container Adapter for Sun Java App Server 8.1. Is there any one out there, or any plan to develop one?
>
> Kindly advise
> Clarence

Hi Clarence

There are no plans to expand the range of container adapters. If you are getting a ClassCastException, something is incorrectly configured. Does the Contacts Sample (Filters edition) work OK for you? If so, try reconfiguring your application using Contacts as a guide.

Best regards
Ben
Re: [Acegisecurity-developer] Acegi integration with ActiveMQ
Andy Depue wrote:

> On Friday 16 September 2005 12:07 pm, Andy Depue wrote:
> > ... As soon as it shows up in gmane, I'll post a link to the thread (as a response to this message).
>
> Here is the head of the ActiveMQ thread: http://thread.gmane.org/gmane.comp.java.activemq.user/2927

Hi Andy

I'm not aware of anyone having done this, but I certainly think it a good project to integrate with (I am particularly fond of ActiveMQ's non-XA transaction support as per http://activemq.codehaus.org/Should+I+use+XA).

Please let us know how your implementation goes. I don't mind which project the integration ships with, but hope whichever it is there is a maintainer for the code.

Cheers
Ben
Re: [Acegisecurity-developer] Anyone experiencing core tests failing?
Mark St.Godard wrote:

> Anyone else having problems with the core project tests failing? Strange thing is all the tests run through, don't see any actual junit failures, however maven complains and says the BUILD FAILED... ? Thoughts?

To see which test fails, you need to look in the /core/target/test-reports directory. You'll notice one of the .txt files has a much larger size than the others. Look in it and you'll see the failure reasons.

The JCaptcha tests and BASIC authentication tests were failing. I have checked in fixes for both.

Marc-Antoine, would you please take a look at CaptchaChannelProcessorTests. I've disabled some of the tests for now, and provided comments in the code about how the tests may be improved.

Best regards
Ben
Re: [Acegisecurity-developer] Acegi JSR-168 Portlet Integration
John Lewis wrote:

> I'm very interested in your feedback. When you get a chance to take a look at it all, let me know what you think.

Hi John

Thanks for contributing this code. I just had a quick look, and have a couple of questions and comments:

- Could you make it compatible with 0.9.0 snapshot? I notice you're using the = 0.8.3 context management code, which has been refactored.
- PortletSecurityEnforcementInterceptor and the PortletSessionContextIntegrationInterceptor do not appear to be in the ZIP file.
- Am I correct in reading the code that the portlet container performs the authentication, which yields a String-based username, and your classes implement a PortletAuthoritiesPopulator (like CAS and X509)? If so, is there scope to plug in Acegi Security so that the portlet container can use our AuthenticationManager? Also, is there a default implementation of PortletAuthoritiesPopulator?
- Are there any unit tests available?

Cheers
Ben
Re: [Acegisecurity-developer] Upgrading problem
mannobug

> /j_security_check*=channelProcessingFilter,httpSessionContextIntegrationFilter,authenticationProcessingFilter
> /**/*.*=channelProcessingFilter,httpSessionContextIntegrationFilter,securityEnforcementFilter

Should be:

/**/*=channelProcessingFilter,httpSessionContextIntegrationFilter,securityEnforcementFilter

If this doesn't work, please post your full web.xml, security configuration XML and DEBUG-level log in a forum post at http://forum.springframework.org and I'll be pleased to take a closer look.

Best regards
Ben
Re: [Acegisecurity-developer] regadring Spring + JAAS Problem
Matt DeHoust wrote:

> I have found the process outlined in Suggested Steps to be sound (http://acegisecurity.sourceforge.net/suggested.html). Also, the reference guide is quite good (http://acegisecurity.sourceforge.net/reference.html). I'm sure you'll find what you need if you read it. Also, you may mine the example contacts application for details on how to configure Acegi Security in a real application. When/if you run into trouble with a specific use case, the folks on this list are quite helpful.

Another thought, you might like to try Luke's Acegifier web site, which can convert an existing web.xml into a baseline Acegi Security config. The best part is that it doesn't have all the ACLs etc shown in the Contacts Sample, and is thus easier to follow. The URL is: http://monkeymachine.co.uk/acegifier/convert.htm

Best regards
Ben
Re: [Acegisecurity-developer] Anyone experiencing core tests failing?
marc antoine garrigue wrote:

> Hi Ben, All,
>
> I’ve replaced the Thread.sleep(xxx) by a while routine in the test instead of breaking the captcha security context api. I’m not proud of this :(, but it should solve the problem. I can’t reproduce the build break on my system, is it possible for anyone to send a failed test report?
>
> Best Regards
> MAG

Hi Marc-Antoine

I have updated from CVS and can now run the revised unit tests without a problem.

Thanks
Ben
Re: [Acegisecurity-developer] Nightly snapshots
Ben Alex wrote:

> Luke Taylor wrote:
> > I think I probably forgot to set the cron job to kick off the script on SF when I reinstalled my server. If someone could remind me where the script is again that would be useful :).
>
> shell.sourceforge.net:/home/groups/a/ac/acegisecurity/daily.sh

Hi Luke

Did you get a chance to add this? I manually ran the job yesterday to get a snapshot built.

Cheers
Ben
Re: [Acegisecurity-developer] Re: Acegi JSR-168 Portlet Integration
John Lewis wrote:

> - You are correct that the portlet container performs the authentication and then provides a String username to portlets running within the portlet container. It is very similar to CAS and X509 and I modeled the code after those two quite a bit. Unfortunately, the JSR-168 spec completely delegates the authentication to the portlet-container and does not provide a standard way to plug an authentication mechanism into it. Of course, a portlet container implementation could use Acegi directly (I believe that the Gridsphere team is considering this in the near future).
>
> I have not created a default implementation of PortletAuthoritiesPopulator at this point. The only authorities mechanism in JSR-168 is the same isUserInRole method as in the Servlet spec. I suppose we could create a default PortletAuthoritiesPopulator that could be configured with a list of roles to check.

It seems a very common requirement for a separate system to authenticate a user and provide only a String-based username to an application. This is seen with CAS, X509, Portlets and a range of external authentication services. Therefore, it would seem desirable to offer a generic equivalent to CasAuthoritiesPopulator/X509AuthoritiesPopulator.

Cheers
Ben
Re: [Acegisecurity-developer] Contacts sample app using Annotations
Hi Mark

Mark St.Godard wrote:

> I can exclude the samples/attributes project to get around the Java 5 compile issues, we discussed before.

That is fine. The samples/annotations should also be excluded from the auto-build, as we don't want users to be forced to have Java 5 to do a basic build of core and the Contacts Sample.

> Basically, we will require Java 5 to build from the /samples/contacts dir... To do a full build of Acegi, we require Java 5 (for domain and core-tiger).. just wanted to make sure that this is ok for the samples as well.

I believe we need to maintain Java 1.3 compatibility in the base/default build. I would therefore prefer if the base Contacts Sample did not use annotations.

> or if this should be in a completely separate project ala..
>
> acegisecurity/samples/contacts/
> acegisecurity/samples/contacts-annotations/

Maybe a Maven expert (Carlos, Luke?) could have a look at how we could share the code between the Contacts 1.3 and Contacts 5 Java versions more elegantly. A few ideas come to mind, such as a new samples/contacts/src/main/webapp/tiger directory to hold the config, and the 1.5-compatible ContactManager named in a manner that excludes it from the compilation but a separate postGoal will compile it if 1.5 is detected.

One thing concerning me about the Contacts Sample more generally is how difficult it is for new users to follow. I think there is an argument to add a new sample that just uses filter security - without any method or ACL security. Such a sample might also double as a performance benchmark to compare Acegi Security performance with servlet spec managed constraints.

Cheers
Ben
Re: [Acegisecurity-developer] JaasAuthenticationProvider problems with multiple webapps
Eric Hedström wrote:

> So is there ever a reason to set the system property, rather than allowing each webapp to add a login.config.url? Am I doing something horribly wrong, or shall I open a Jira ticket or two?

Hi Eric

Ray wrote the JAAS provider, so he's probably best to answer. Would you please log a JIRA ticket so we ensure this gets looked at...

Thanks
Ben
Re: [Acegisecurity-developer] Cobertura reports
Hi Carlos

Carlos Sanchez wrote:

> Hi,
>
> I've uploaded the results of the cobertura report for acegi core

Thanks for adding Cobertura.

> The second one requires maven 1.1, which I plan to support asap http://opensource2.atlassian.com/projects/spring/browse/SEC-57.

Please let the list know when you make the upgrade, as I had some difficulty with 1.1 Beta 1 (though note it's now Beta 2).

Any timeline on Maven 2 RC? Is Maven 2 Beta 1 sufficiently stable yet? I am really wanting to give it a try. At a stability level, is it even worth upgrading Acegi Security to 1.1 Beta 2, or waiting for either a newer 2.0 Beta or 1.1 RC? Can they (1.1 and 2) be run side-by-side easily?

Cheers
Ben
Re: [Acegisecurity-developer] Cobertura reports
Carlos Sanchez wrote:

> m2 is absolutely faster, but it still lacks the functionality of all those maven 1 plugins out there. m2 is absolutely worth for compiling and running the tests.

I am really looking forward to Maven 2, mainly for its speed and native plugins. I don't use many non-standard plugins. Indeed I just compile, JAR, WAR, test, Clover/Cobertura and build a project web site. If I can do that with Maven 2, it certainly meets my needs (and I suggest that of 80% of all projects).

Will Maven 2 provide some sort of POM migration tool (from 1.x) or is the POM sufficiently generalised that it need not receive major changes?

Please let me know when any sort of newer version is available and working with Acegi Security, and I'll be sure to give it a try ASAP.

Cheers
Ben
Re: [Acegisecurity-developer] How do i create private objects with the ACEGI api?
David Medinets wrote:

> I'm trying to use ACEGI to do some method-level access control. I seem to have everything connected but when I create an object I see a message saying that the object is public so the access control is not used. How do I create a private object? I can provide the Spring XML configuration file and Java code if anyone is interested.
>
> -david

Acegi Security provides authorization via AOP. So you need a way of introducing security advice to the object you create. Generally people do this declaratively via the application context. Alternatively, you can create an AOP proxy programmatically using Spring's standard classes. Another approach is to use AspectJ, which will compile the advice in at development time and thus you can simply use the Java new operator to receive in effect a proxy object.

If you're happy to live with authorization only during services layer invocations, you can weave some AOP into those services layer methods and then use either a custom AccessDecisionVoter or Acegi Security's domain ACL services to achieve security.

Best regards
Ben
Re: [Acegisecurity-developer] How do i create private objects with the ACEGI api?
David Medinets wrote:

> So the obvious question is: How can a private object be created? I see no Spring or ACEGI documentation regarding private vs public objects. If you can help, I'd be grateful.

I see no problem with your configuration. You are obtaining an AOP proxy object from the IoC container, which should have the MethodSecurityInterceptor weaved into the proxy object.

What method are you calling on the proxy object? You'll need to call a method that is defined as secured, such as getValue(). Simply doing a System.out.println() will internally call toString(), which is not secured.

Best regards
Ben
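The behaviour described in the reply above, as an added example that is not part of the original message and does not use Acegi Security or Spring classes. It uses a plain JDK dynamic proxy; ValueHolder, SimpleValueHolder and SecurityHandler are hypothetical names, and the "secured" set stands in for the method security configuration. Only methods named in that set are checked, so printing the proxy goes through toString() with no check at all.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Set;

// Added illustration: every type below is a hypothetical stand-in, not an Acegi Security class.
public class SecuredProxyDemo {

    /** Business interface with one method that is configured as secured. */
    public interface ValueHolder {
        String getValue();
    }

    /** Target object; note that toString() exposes the same data as getValue(). */
    static final class SimpleValueHolder implements ValueHolder {
        @Override public String getValue() { return "confidential value"; }
        @Override public String toString() { return "SimpleValueHolder[confidential value]"; }
    }

    /** Stand-in for a method security interceptor woven into the proxy. */
    static final class SecurityHandler implements InvocationHandler {
        private final Object target;
        private final Set<String> securedMethods;
        private final boolean callerAuthorized;

        SecurityHandler(Object target, Set<String> securedMethods, boolean callerAuthorized) {
            this.target = target;
            this.securedMethods = securedMethods;
            this.callerAuthorized = callerAuthorized;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // Only methods listed as secured are checked; everything else
            // (toString, hashCode, equals, unlisted methods) passes straight through.
            if (securedMethods.contains(method.getName()) && !callerAuthorized) {
                throw new SecurityException("Access denied to " + method.getName() + "()");
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the target's own exception
            }
        }
    }

    /** Wraps the target in a proxy that enforces the secured-method set. */
    static ValueHolder secure(ValueHolder target, Set<String> secured, boolean authorized) {
        return (ValueHolder) Proxy.newProxyInstance(
                ValueHolder.class.getClassLoader(),
                new Class<?>[] {ValueHolder.class},
                new SecurityHandler(target, secured, authorized));
    }

    public static void main(String[] args) {
        // Caller is NOT authorized; only getValue() is configured as secured.
        ValueHolder proxy = secure(new SimpleValueHolder(),
                Collections.singleton("getValue"), false);

        // String concatenation calls proxy.toString(): no security check runs.
        System.out.println("toString(): " + proxy);

        try {
            proxy.getValue();
            System.out.println("getValue(): allowed");
        } catch (SecurityException e) {
            System.out.println("getValue(): " + e.getMessage());
        }
    }
}
```

A test of method security therefore has to call a secured method such as getValue(); and if toString() on the target renders protected state, it needs the same protection or a redacted implementation.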
Re: [Acegisecurity-developer] custom Session Timeout page
Mark St.Godard wrote:

> Has anyone done something similar?

Not that I'm aware of.

Ben
Re: [Acegisecurity-developer] anonymous authentication
Marco Mistroni wrote:

> however, when i go thru login page and i enter blank username and blank contact, i receive an error 'invalid username or password'.

Hi Marco

If you attempt to login with a blank username or password, AuthenticationProcessingFilter will (quite rightly) throw an exception as it can't find a username. If this was a problem, you could easily override AuthenticationProcessingFilter.obtainUsername, detect a blank String from super.obtainUsername(), and then use a default username.

But I do wonder whether it's necessary. Generally if a user is hitting the j_acegi_security_check they wish to try to authenticate - not fallback to some default. If they abandon the authentication attempt (as they realise they don't have a username etc), they can return to the rest of the application and continue as an anonymous user. No special handling should be required for this.

Best regards
Ben
Re: [Acegisecurity-developer] Acegi .Net version
Bill Barr wrote:

> I would certainly like to have that conversation.
>
> --- Mark St.Godard [EMAIL PROTECTED] wrote:
> > You'd have to ask Ben and Carlos, (as Ben is the project admin and Carlos is all things build related) however I would assume it would have to be a new project on sourceforge... completely separate, along the same lines as Spring.NET, NHibernate, etc.

As suggested, it would probably need to be a separate project with its own build infrastructure.

We're working towards getting 1.0.0 out around the time of the Spring Experience conference in early December. Any C# effort would probably be well-served to wait until 1.0.0 is released, so there is a concrete baseline for a port. It probably would also make sense to talk to the Spring.NET team to see what they're already doing in terms of security.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi .Net version
Bill Barr wrote:

> Thanks for replying, Ben. In a separate thread with the spring.net team, they would like a .net version of acegi but, they don't have the time for it so, it's not a high priority for them. Do you need some help on the Java edition?

Hi Bill

There's something like 50 tasks in JIRA, so feel free to take a pick of anything that you like the look of and submit some patches.

I hope to go through JIRA later today and determine what will make 0.9.0, 1.0.0 and post-1.0.0. Then release 0.9.0 in about a fortnight, and 1.0.0 in early December. The objective is not to add new features, but implement any final changes that will impact backward compatibility so that 1.0.0 represents a reasonably stable base.

Best regards
Ben
Re: [Acegisecurity-developer] Preparing for 0.9.0
Patrick Huber wrote:
> Works for me, yet my application is pretty small. I've had to change a call in the authentication tag. I'm using pretty much every component except for instance-based security. I use them as described in the docs/tutorials.

Hi Patrick

Thanks for the feedback. I've added a note about that step to the upgrade instructions.

Anyone else had success with 0.9.0 in CVS?

Ben
Re: [Acegisecurity-developer] Concurrent session check and username primary key issue
Herryanto Siatono wrote:
> Yep Ben, I'm using yesterday's check out. Thx for the fast reply.

I've checked in a change that I believe will correct it by moving the sessionController.checkAuthenticationAllowed(Authentication) to after the ProviderManager authenticates successfully, and using the resultant Authentication object. This was not done before as ProviderManagers published events, but this is no longer the case so the change in location has no adverse implications.

Please give ProviderManager v 1.9 a try.

Cheers
Ben
Re: [Acegisecurity-developer] Concurrent session check and username primary key issue
Herryanto Siatono wrote:
> Btw, is v1.9 really checked in? coz I'm still seeing 1.8 in the cvs. :)

It's just the SF CVS sync delay. It'll show up in a few hours.
Re: [Acegisecurity-developer] AuthenticationFailurePasswordEvent - now it's gone, new issue props up
Herryanto Siatono wrote:
> Seems like the exceptionMappings does not contain UsernameNotFoundException.

Yes, you're correct. I just added it. ProviderManager v 1.10 is in CVS now.
Re: [Acegisecurity-developer] Proposal: Resolving Eclipse IDE warnings
[EMAIL PROTECTED] wrote:
> When using Eclipse 3.1 there are quite a few (520) source code warnings displayed in the Problems view. At some point I'd like to resolve as many of these as makes sense (like unused imports) and then to update the .settings/org.eclipse.jdt.core.prefs file to ignore acceptable issues (perhaps like unused local variables) so that this view isn't cluttered with noise.

+1, after 0.9.0.
[Acegisecurity-developer] Vote: Release 0.9.0
Hi everyone

The JIRA changelog is now complete, and I've just updated the reference guide to reflect the latest changes:

http://opensource2.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

I would like to propose we release 0.9.0 at this point. Please let me know if you agree.

Cheers
Ben
Re: [Acegisecurity-developer] AuthenticationException - UserDetails
Herryanto Siatono wrote:
> Just a point to ponder, for AuthenticationException thrown after user has been checked against the database, (e.g. BadCredentialsException), should it contain the UserDetails generated by the authentication provider? Reason behind, for cases where the username is converted to user Id by the authentication provider, when capturing AuthenticationFailureException, system will have to re-query the database to retrieve the User Id to audit.

I have just modified BadCredentialsException to accept an additional Object in its constructor, and this is available from BadCredentialsException.getExtraInformation(). Further, DaoAuthenticationProvider populates this with the UserDetails so you'll have access to it via both the exception and the event. Logged as SEC-94.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors
[EMAIL PROTECTED] wrote:
> [11/7/05 15:24:43:513 EST] 5a6d5a6d WebGroup E SRVE0026E: [Servlet Error]-[Filter [Acegi Filter Chain Proxy]: filter is unavailable.]: java.lang.NullPointerException
>     at java.lang.Throwable.init(Throwable.java)
>     at java.lang.Throwable.init(Throwable.java)
>     at java.lang.NullPointerException.init(NullPointerException.java:63)
>     at java.lang.InheritableThreadLocal.set(InheritableThreadLocal.java:95)
>     at net.sf.acegisecurity.context.SecurityContextHolder.setContext(SecurityContextHolder.java:58)
>     at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:207)

Very odd. If you look at the code for SecurityContextHolder:

    private static InheritableThreadLocal contextHolder = new InheritableThreadLocal();

    public static void setContext(SecurityContext context) {
        Assert.notNull(context, "Only non-null SecurityContext instances are permitted");
        contextHolder.set(context); // this line fails (line 58)
    }

Can anyone see any issue with this? The main difference between 0.8.3 and 0.9.0 is the use of an InheritableThreadLocal instead of a ThreadLocal. If you revert to the latter, does it work?

What version of WebSphere are you running? Does it work if you deploy the same WAR to say Tomcat?

Cheers
Ben
Re: [Acegisecurity-developer] Logic bug with AnonymousProcessingFilter
Tim Kettering wrote:
> My gut says this is a bug, but since this code was committed back in July, I find it strange that nobody else has encountered this by now... is there something I'm missing?

I've modified the AnonymousProcessingFilter to now only clear the SecurityContextHolder if the Authentication contained therein has not changed from that of a fresh anonymous authentication token. This relies on the AnonymousAuthenticationToken.equals(Object) method to work, but should be sufficient and accommodate people using MVC Controllers to populate the SecurityContextHolder.

The reason nobody else probably encountered this so far is because most use the filters for authentication. The filter chain ordering is that AnonymousProcessingFilter should appear after the authentication filters, so this issue would not ordinarily arise.

Cheers
Ben
Re: [Acegisecurity-developer] Preparing for 0.9.0
Matt Raible wrote:
>     // log user in automatically
>     Authentication auth = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getConfirmPassword());
>     auth.setAuthenticated(true);
>     try {
>         ProviderManager authenticationManager = (ProviderManager) getBean("authenticationManager");
>         SecurityContext ctx = SecurityContextHolder.getContext();
>         ctx.setAuthentication(authenticationManager.doAuthentication(auth));
>     } catch (NoSuchBeanDefinitionException n) {
>         // ignore, should only happen when testing
>     }

You can continue to use the constructor shown above, but don't call setAuthenticated(true). This will be performed by the UsernamePasswordAuthenticationToken when the AuthenticationProvider creates a new Authentication object to return. You don't want to be setting it earlier, as the GrantedAuthority[]s haven't been populated.

Whilst not Acegi Security related, you might like to consider dependency injecting that authenticationManager rather than performing a lookup.

Maybe try:

    Authentication auth = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getConfirmPassword());
    Authentication response = authenticationManager.authenticate(auth);
    SecurityContextHolder.getContext().setAuthentication(response);

If this still doesn't work, try following the debug logs. It might be something to do with filters changing the SecurityContextHolder, particularly if you're going from an anonymous user. Did you see the "Logic bug with AnonymousProcessingFilter" thread yesterday?

Cheers
Ben
Re: [Acegisecurity-developer] Acegi 0.8.3 to 0.9.0 errors
Ben Alex wrote:
> I'd prefer to avoid multiple releases floating around. We should revert back to a standard ThreadLocal and not an InheritableThreadLocal and release 0.9.0. Does anyone really require InheritableThreadLocal behaviour?

I've checked in the change to use ThreadLocal. This is consistent with Spring's TransactionSynchronizationManager and AopContext (but interestingly not with LocaleContextHolder).

Cheers
Ben
Re: [Acegisecurity-developer] authentication exception events
Brian Moseley wrote:
> in upgrading from 0.8.2 to 0.9.0-SNAPSHOT, i see that the mechanism for handling authentication exceptions has changed. specifically, an authentication event is now required. what is the justification for requiring an event rather than making it optional?

I've just changed CVS HEAD. It'll now log a debug message instead if there is no exception to event mapping found.

Ben
Re: [Acegisecurity-developer] SecurityContext appears to be bound to thread after it's finished
Dunstan Tom wrote:
> This is all using basic authentication, with the acegi filters ordered thusly (in the filterChainProxy): basicProcessingFilter, anonymousProcessingFilter, securityEnforcementFilter.

Hi Tom

HttpSessionContextIntegrationFilter has a finally clause that should clear the SecurityContextHolder. It should appear in your FilterChainProxy before BasicProcessingFilter.

Cheers
Ben
[Acegisecurity-developer] SF CVS
Hi everyone

As some of you have noticed, the CVS is currently broken.

A few days back I logged a job, https://sourceforge.net/tracker/?func=detailatid=21aid=1355843group_id=1, to have directories moved around to meet the new package top level naming convention. For unclear reasons (although I suspect permissioning), something went wrong and CVS no longer shows the Java source files. Today I've logged another job to get this looked at, https://sourceforge.net/tracker/?func=detailaid=1356891group_id=1atid=21.

In the meantime, please do not update from CVS. I'll send an update to this list when it's corrected.

Cheers
Ben
[Acegisecurity-developer] Are you using Acegi Security?
Hi everyone

http://acegisecurity.org/powering.html now lists projects (open source and commercial/internal) that are using Acegi Security.

If you're using Acegi Security within your application, it'd be great if you emailed me off-list a sentence that we can include on this page. No commercial or sensitive details are required - we're just trying to give a feel for the sort of applications it's being used in.

Thanks!
Ben
Re: [Acegisecurity-developer] CVS is broken again
Richard Clark wrote:
> I'm trying to check out and try ACEGI for the first time, but CVS is broken and I can't complete the checkout. Following the instructions for checking out via maven, or using the instructions for an anonymous CVS checkout (cutting and pasting the commands to be safe), CVS fails:

Works fine for me. I just did an update fine, and a fresh checkout fine. I'm using the developer CVS servers, though. I think Luke is logging a job with SF about it.

Cheers
Ben
Re: [Acegisecurity-developer] locked CVS?
Jettro Coenradie wrote:
> I am having problems as well. tried it with maven and eclipse, both the same result.

The SF job is now reported as corrected - can someone who was experiencing the issue please confirm?

Thanks
Ben
[Acegisecurity-developer] 1.0.0 Progress
Hi everyone

We're making good progress towards releasing 1.0.0 RC 1, the target date of which is 4 December 2005 (to coincide with The Spring Experience).

*** Would the community please report any outstanding bugs in JIRA ASAP so they are tracked and fixed. Thanks. ***

The outstanding 1.0.0 tasks are in JIRA at http://opensource2.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040. Would developers please take a look and update the status of their respective tasks. Please modify the fix version of your tasks to unknown if you won't get time to complete your task before RC 1.

Also regarding SEC-97, is anyone aware of a replacement for Jalopy source code formatter? Jalopy fails with Java 1.5 generics, which is an issue. We should take advantage of this task to update to a tool that supports Java 5.

Best regards
Ben
Re: [Acegisecurity-developer] 1.0.0 Progress
Carlos Sanchez wrote:
> I believe this can be solved upgrading the jalopy version http://jalopy.sourceforge.net/ Let me take a look.

I should have done more digging before my post. http://jalopy.sourceforge.net/jalopy/changes-report.html indicates that release 1.5b1+ supports Java 5. I just downloaded the 0.2-1.5b5 Eclipse plugin and it successfully formatted classes with both generics and annotations.

Thanks
Ben
Re: [Acegisecurity-developer] 1.0.0 Progress
Mark St.Godard wrote:
> Hey Ben, Have you had any luck getting the latest Jalopy plugin ? When I go to: http://jalopy.sourceforge.net/jalopy/download.html I get 404s will try again.. could be SF

I used http://jalopy.sourceforge.net/jalopy-eclipse/downloads.html. Alternatively, you could just go to http://sourceforge.net/project/showfiles.php?group_id=45216 and access them via the SF File Release System.

Cheers
Ben
Re: [Acegisecurity-developer] Building Acegi from CVS HEAD
Samuel Le Berrigaud wrote:
> 1) the class doesn't compile correctly with maven org.acegisecurity.intercept.method MethodDefinitionSourceEditorTigerTests, the cause being that the main method references the MethodDefinitionSourceEditorTests class (Tiger is missing). I think it is simply a copy paste error, so I corrected my local version (adding the Tiger)

Thanks for reporting this, Samuel. I have fixed it in CVS.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi w/ JSF
Trent wrote:
> I’m seeing some odd behaviour using Acegi with JSF. Does anyone know what causes Acegi to render the page in the “AuthenticationFailureUrl” property from the class “AuthenticationProcessingFilter” when an authenticated user navigates back to the login page? Also this page doesn’t fully complete the response either. Any insight would be appreciated
> trent

Is this a problem with Acegi Security only with JSF (ie can you see a problem when using it natively with JSPs)? Also, which version of Acegi Security are you using?

Thanks
Ben
Re: [Acegisecurity-developer] LDAP Provider
Brandon Keepers wrote:
> Is there a good reason for requiring constructor args instead of setter methods for properties? I don't intend to start a flame war about constructor vs. setter injection, but I do think the setters should at least be an option, especially to be consistent with the rest of the acegi configuration.

In the future more and more of Acegi Security will use constructor injection for mandatory properties, and setter injection for optional properties (optional meaning null is acceptable, or the class provides an acceptable default). We are moving away from having invalid objects and requiring InitializingBean to detect missing properties.

Best regards
Ben
Re: [Acegisecurity-developer] JSF Components for Acegi
Cagatay Civici wrote:
> http://www.jroller.com/page/cagataycivici

Thanks for publishing this. I've added a link to it on the Acegi Security articles page.

Best regards
Ben
Re: [Acegisecurity-developer] ACL for massive databases
David Medinets wrote:
> I did some developmental work with ACL and large tables at a previous company. However, I did not use ACEGI. I didn't know about ACEGI at the time. Instead I used GUID values as keys with various entities having various permissions to access specific GUIDs. I used materialized views in Oracle to keep the query response time manageable.

I've also used views at a RDBMS level instead of relying on Acegi Security to ACL filter very large tables. However, the underlying tables which the views used were structured so that I could also use them with an Acegi Security BasicAclDao implementation. This let me use the RDBMS where appropriate (large tables) and Acegi Security/Java for the rest (including managing the ACL entries in the table).

Cheers
Ben
Re: [Acegisecurity-developer] ACL for massive databases
David Berkowicz wrote:
> A more probable and manageable alternative, I think, will be to use a better database schema.

I agree. The basic schema expected by JdbcDaoImpl is not intended for large applications. For large applications we expect people will use a schema optimised for their needs, or an existing domain object which offers a business-centric view of permissioning data. Either can be accessed via an implementation of BasicAclDao.

Best regards
Ben
Re: [Acegisecurity-developer] InheritableThreadLocal in SecurityContextHolder
Hi Tom

Dunstan Tom wrote:
> the existing upgrade notes for 0.9.0 are plain wrong).

I have corrected this in CVS, so at the least the public web site (acegisecurity.org) will display the correct upgrade instructions for those moving to 0.9.0.

> - I see that Oliver Hutchison sent a proposal after the code was reverted suggesting a strategy interface which didn't get any replies; I think that idea is also good and would allow configuration using spring but default to InheritableThreadLocal. It needn't even be as heavy as Oliver's solution: Simply having a static setThreadLocalImpl(ThreadLocal tl) would do the trick, and would be reasonably guaranteed to be called before any user interaction if done inside a spring config file.

I have re-read Oliver's strategy proposal and believe it is probably the most elegant at this stage. We have a feature freeze on before we get 1.0.0 out, though, so we can't change it just yet. Nevertheless, I have added it to JIRA as SEC-152. In the meantime you'll need to copy the contents of the SecurityContext to new threads as suggested.

On a related note, I spoke with Juergen about this at The Spring Experience and we felt it needed more consideration as a standardised context duplication approach needs to also consider (a) other ThreadLocals within Spring and (b) the interaction with task executor implementations (such as included in Spring 2).

Best regards
Ben
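The advice in the message above to copy the SecurityContext to new threads, and the earlier revert from InheritableThreadLocal to ThreadLocal, illustrated as an added example that is not part of the original thread or the Acegi code base. ContextHolder and ContextCopyingRunnable are hypothetical stand-ins built on the JDK only, and the context is a plain string rather than an Authentication.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextPropagationDemo {

    /** Hypothetical stand-in for a ThreadLocal-backed holder; one value per thread, not inherited. */
    static final class ContextHolder {
        private static final ThreadLocal<String> HOLDER = new ThreadLocal<>();

        private ContextHolder() { }

        static void set(String principal) {
            if (principal == null) {
                throw new IllegalArgumentException("Only non-null contexts are permitted");
            }
            HOLDER.set(principal);
        }

        static String get() { return HOLDER.get(); }

        static void clear() { HOLDER.remove(); }
    }

    /**
     * Captures the submitting thread's context at construction time and installs it
     * on the worker only while the task runs. The finally block restores whatever the
     * worker held before, so a pooled thread never keeps a previous caller's identity.
     */
    static final class ContextCopyingRunnable implements Runnable {
        private final Runnable delegate;
        private final String captured;

        ContextCopyingRunnable(Runnable delegate) {
            this.delegate = delegate;
            this.captured = ContextHolder.get(); // read on the caller's thread
        }

        @Override
        public void run() {
            String previous = ContextHolder.get();
            try {
                if (captured != null) {
                    ContextHolder.set(captured);
                } else {
                    ContextHolder.clear();
                }
                delegate.run();
            } finally {
                if (previous != null) {
                    ContextHolder.set(previous);
                } else {
                    ContextHolder.clear();
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Callable<String> readContext = ContextHolder::get;
        try {
            ContextHolder.set("alice"); // constructed sample principal

            // Plain ThreadLocal: the worker thread does not see the caller's context.
            String withoutCopy = pool.submit(readContext).get();

            // Explicit copy: the task sees the caller's context while it runs.
            String[] seen = new String[1];
            pool.submit(new ContextCopyingRunnable(() -> seen[0] = ContextHolder.get())).get();

            // Same pooled thread afterwards: the context was cleared in finally.
            String afterTask = pool.submit(readContext).get();

            if (withoutCopy != null || !"alice".equals(seen[0]) || afterTask != null) {
                throw new IllegalStateException("unexpected context propagation");
            }
            System.out.println("without copy: " + withoutCopy);
            System.out.println("with copy:    " + seen[0]);
            System.out.println("after task:   " + afterTask);
        } finally {
            ContextHolder.clear();
            pool.shutdown();
        }
    }
}
```

With an InheritableThreadLocal the value is copied only when a thread is created, so a pooled worker would keep the identity of whichever caller first caused it to start; copying per task and clearing in finally avoids that.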
Re: [Acegisecurity-developer] LdapAuthenticationProvider and Chaining Providers
Tyler Nelson wrote:
> The provider manager seems to only need one provider to authenticate, not all . What would be the suggested way to handle this situation. besides extending ProviderManager?

Could you subclass LdapAuthenticationProvider and override additionalAuthenticationChecks?

For the benefit of the archives, chaining usually means trying one AuthenticationProvider and then another if the first fails to authenticate. ProviderManager can do this out-of-the-box. What Tyler is trying to do involves a single AuthenticationProvider requiring information stored in two different places (LDAP and RDBMS), so it needs a subclass.

Cheers
Ben
Re: [Acegisecurity-developer] how to use AnonymousProcessingFilter.applyAnonymousForThisRequest() to filter subnet
Hongbo HE wrote:
> My config is like following:

The configuration is incorrect. In your case you will require not one but two AnonymousProcessingFilters. The first will be the standard AnonymousProcessingFilter which will always setup the SecurityContextHolder with ROLE_ANONYMOUS. The second will be your subclassed AnonymousProcessingFilter which applies IP-specific anonymous authentication and has its UserAttribute property set to contain a different GrantedAuthority (such as ROLE_PRIVATE_SUBNET_ANONYMOUS as well as ROLE_ANONYMOUS). You must ensure the subclassed AnonymousProcessingFilter appears before the fallback AnonymousProcessingFilter in your FilterChainProxy. You can then use ROLE_ANONYMOUS for the login page, and ROLE_PRIVATE_SUBNET_ANONYMOUS when only an anonymous user from your restricted subnet is allowed.

Cheers
Ben
Re: [Acegisecurity-developer] Creating the first admin: the chicken and the egg
Patrick Huber wrote: Hi Mark I've only used acegi in a relatively small private project where I have full control over the server. For that project, I added that first user after creating the database through another sql script.
That's one way. Other ways might be to use an InitializingBean that detects an empty database and adds a new administrative user. Or, use InMemoryDaoImpl in conjunction with your RDBMS-backed AuthenticationProvider, as ProviderManager can try the RDBMS provider and then fall back to your in-memory implementation to look up the administrative user. The InMemoryDaoImpl can even source the administrative user from an external properties file, so it might be worth investigating.
Cheers Ben
Re: [Acegisecurity-developer] AbstractProcessingFilter and multiple home pages support
Sergio Bossa wrote: One implementation could be to add a call to a template method into AbstractProcessingFilter.successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) method, something like:
You could also write your own custom AuthenticationEntryPoint, which is probably preferable to subclassing.
Cheers Ben
Re: [Acegisecurity-developer] Re: AbstractProcessingFilter and multiple home pages support
Sergio Bossa wrote: I don't see how implementing a custom AuthenticationEntryPoint would solve my problem, which is not related to the login page, but rather to the page displayed after successful login.
It could be done by using the AuthenticationEntryPoint to modify the target URL defined by AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY. That way, irrespective of which authentication entry point you might ultimately switch to (CAS, form etc), your AuthenticationEntryPoint will be compatible with all of them. You could even store the original target URL in a different session attribute, and thus after your post-login page is displayed, you could still offer a pass-through to the originally requested page.
Best regards Ben
Re: [Acegisecurity-developer] Re: Getting a unit test failure error with the latest sync of CVS files...
Vijay Varadan wrote: Reducing the size of the build output and reattaching so it doesn't require moderator approval. The test failure is occurring as follows:
[junit] Running org.acegisecurity.providers.anonymous.AnonymousProcessingFilterTests
[junit] Tests run: 5, Failures: 1, Errors: 0, Time elapsed: 0.265 sec
This class was recently changed. Unit tests are currently all passing, so checkout again and you should be fine.
Best regards Ben
Re: [Acegisecurity-developer] making BasicAuthenticationFilter not authenticate
Brian Moseley wrote: where i'm stumbling is that BasicProcessingFilter immediately authenticates the credentials it finds in the Authorization header, and upon failure it commences its configured authentication entry point. why does it do this? why doesn't it simply set up an authentication token and let the SecurityEnforcementFilter handle the authentication? that's what my TicketProcessingFilter does, and it works fine (when the request contains only ticket credentials).
Hi Brian
BasicProcessingFilter proactively attempts authentication (via AuthenticationManager) whenever it sees a BASIC authentication header, which is consistent with the contract for an authentication mechanism and the others included with Acegi Security. The reason they all attempt authentication is to give the user early advice there is a problem with presented credentials, even in the case the user isn't actually requesting a secure object. For example, someone may present a BASIC header but request a public home page. In that situation the authentication mechanism would notify the user agent as early as possible there has been an issue.
In your case we do have a few options:
- Provide a failedAuthentication method in BasicProcessingFilter so you could subclass and override the default behavior. You'd probably like to leave the SecurityContextHolder null and allow the FilterChain to proceed. Your ticket filter would then have a chance to process the request.
- Provide an ignoreFailure property, which essentially does the same FilterChain continuation as the aforementioned option.
- Write your own authentication mechanism that reflects your particular needs. You don't need to use the BasicProcessingFilter.
- Use BASIC authentication as a transport for your tickets. I'd probably see this as the most elegant approach, if it were possible. Rather than use a dedicated HTTP header, use a specific username to denote a ticket, eg TICKET. The password would be the actual ticket itself, Base64-encoded as per standard BASIC authentication headers. Then you're going to only need deal with all of this in your UserDetailsService implementation. So you've also avoided needing to write an AuthenticationProvider (and probably an Authentication implementation and authentication mechanism as well). Plus you've picked up the benefit of allowing migration (one day, if you like) to a form-based authentication interface (debugging?), digest or similar authentication that can also be carried in a simple username + : + password formatted payload.
Thoughts?
Ben
Re: [Acegisecurity-developer] making BasicAuthenticationFilter not authenticate
Brian Moseley wrote: so, i'll work up a patch tomorrow that adds an ignoreFailure property to BasicAuthenticationFilter (or to its superclass, if appropriate) and send it in. thanks for the suggestion!
I've logged it as http://opensource2.atlassian.com/projects/spring/browse/SEC-180 and just checked the change and tests into CVS.
Cheers Ben
[Acegisecurity-developer] Acegi Security - new release 1.0.0 RC2
Dear Spring Community
I'm pleased to announce that Acegi Security release 1.0.0 Release Candidate 2 is now available. This release includes over 50 improvements and fixes since 1.0.0 RC1, including comprehensive new LDAP capabilities. We recommend that users upgrade to 1.0.0 RC2 in order to take advantage of these improvements. Upgrading to 1.0.0 will also assist us in identifying any issues as we move towards our final 1.0.0 release.
Please visit http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040styleName=Htmlversion=10361 for a detailed changelog. As always, detailed upgrade instructions are included in the release ZIP file.
The project's web site at http://acegisecurity.org provides additional information on Acegi Security's features, access to online documentation, and links to download the latest release.
We hope you find this new release useful in your projects.
Cheers Ben
Re: [Acegisecurity-developer] accept both basic and digest authentication?
[EMAIL PROTECTED] wrote: How can one set up acegi to accept either one of basic or digest authentication?
Just add them both to the filter chain, and specify your preferred default (for unauthenticated requests which attempt to access a secure resource) as the ExceptionTranslationFilter.authenticationEntryPoint.
Best regards Ben
Re: [Acegisecurity-developer] security filters not executing for custom error page
Brian Moseley wrote: i've configured a custom error page for 403 responses in my web.xml. i want that page to use the authz taglib to render itself differently depending on whether the authentication for the request is anonymous or represents a known user of my application.
This is discussed a few times on the forums. Essentially there is nothing we can do about it. Some people have modified the ExceptionTranslationFilter (RC2 rename of SecurityEnforcementFilter) method sendAccessDenied(ServletRequest, ServletResponse, FilterChain, AccessDeniedException) to store additional information in HttpSession given it's not available from the normal SecurityContextHolder. Alternatively, use a JSP-based 403 page and access the HttpSession attribute keyed on HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY to retrieve the user's details. This won't help you with the authz taglib, though, as it uses SecurityContextHolder. I suppose it's worth considering making it (and other taglibs) revert to checking the HttpSession directly if SecurityContextHolder doesn't contain an Authentication (such a check could be put into a static utility method for use by any taglib or templating system macro).
Cheers Ben
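One way such a static utility could look, added here as an example and not code from the thread or from Acegi Security. The class and method names are hypothetical; the session key is the constant named in the reply above, and treating a missing Authentication as anonymous is an assumption of this example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.HttpSessionContextIntegrationFilter;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;

/**
 * Added example (hypothetical class): looks up the Authentication for pages
 * that the container renders outside the security filter chain, such as a
 * web.xml error page for 403 responses.
 */
public final class SecurityContextLookup {

    private SecurityContextLookup() {
        // static utility, not instantiable
    }

    /**
     * Returns the Authentication from SecurityContextHolder, or, if none is
     * bound to the current thread, the one stored in the HttpSession.
     * Returns null when neither location holds one.
     */
    public static Authentication currentAuthentication(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            return auth;
        }
        // Do not create a session just to discover that it is empty.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(
                HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY);
        if (stored instanceof SecurityContext) {
            return ((SecurityContext) stored).getAuthentication();
        }
        return null;
    }

    /**
     * True only when an Authentication was found and it is not an anonymous
     * token; a missing Authentication is treated as anonymous so the page
     * shows the less privileged rendering by default.
     */
    public static boolean isKnownUser(HttpServletRequest request) {
        Authentication auth = currentAuthentication(request);
        return auth != null && !(auth instanceof AnonymousAuthenticationToken);
    }
}
```

The session copy is a display aid for the error page only; access decisions stay with the security interceptors, which work from SecurityContextHolder.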
Re: [Acegisecurity-developer] Basic Auth and Form-Based Auth
Jeoff Wilks wrote: It's not immediately obvious to me how you'd do this, since Basic Auth normally prompts with a 401 response. However, I could require that machine clients proactively send the basic auth info (not waiting for a 401), so the server just attempts to process basic auth, and failing that, does form auth.
That's exactly how it's done. Please see the Contacts Sample (Filters) application, as it demonstrates BASIC + Form authentication being used in the same application for different clients.
Cheers Ben
Re: [Acegisecurity-developer] SecurityContextHolder javadoc error
Andrey Moiseenko wrote: Javadoc for org.acegisecurity.context.SecurityContextHolder: Associates a given SecurityContext with the current execution thread and any new threads the current execution thread may spawn.
Logged as SEC-188 and fixed in CVS.
Ben
Re: [Acegisecurity-developer] CasPasswordHandler bean setup woes
Scott Battaglia wrote: If there's interest I can write an AuthenticationHandler that delegates to an Acegi AuthenticationManager similar to what the current CAS adapter does.
Hi Scott
I think it would be good to have a 3.x-series compatible AuthenticationHandler, so that people wanting to try out CAS who already have an Acegi Security authentication environment configured can do so without trying to configure one of the CAS-included handlers. It just makes the testing requirements a little easier on people, so they're more likely to try out CAS. Also, I am presuming that given CAS 3.0.4 is now stable we could probably move the old CAS 2.x PasswordHandler to the sandbox and change our project JAR dependency to 3.x. Any thoughts?
Cheers Ben
Re: [Acegisecurity-developer] CasPasswordHandler bean setup woes
Scott Battaglia wrote: Ben, I'll work on a CAS3/Acegi AuthenticationHandler this week. It shouldn't be too difficult. Do you think having both the PasswordHandler and an AuthenticationHandler will cause problems? We are in RC, so I'm not sure we want to remove the handler.
After reading your and Andrew's mails, I think it best to keep CAS 2 compatibility in Acegi Security's CAS adapter subproject for a while longer. I am guessing 2.x and 3.x exist in different package namespaces, so having both JARs as dependencies shouldn't represent an issue.
I will also add an option to CAS to create an api jar file to place in a Maven repository so that we can include it in Acegi (we don't have one yet).
Excellent. In the meantime you are welcome to place them in the http://acegisecurity.sourceforge.net/maven repository. FYI you have access to shell.sourceforge.net:/home/groups/a/ac/acegisecurity/htdocs/maven by virtue of your CVS privileges.
Finally, we should update the references to CAS in the project to JA-SIG CAS with the URL http://www.ja-sig.org/products/cas/ [we just created this site]. Do you want me to do that?
Yes, please. If you could update the reference manual with an explanation of CAS 3.x-specific processes and some commentary about which version to use, it would be appreciated. If you don't have time to do this, would you please add it as a JIRA task so that it's tracked?
Cheers Ben
Re: [Acegisecurity-developer] Acegi, JSF and Spring
Konstantin Shaposhnikov wrote: I would recommend you to write simple bean with getter method that returns current logged in user from SecurityContext:
    import org.acegisecurity.Authentication;
    import org.acegisecurity.context.SecurityContext;
    import org.acegisecurity.context.SecurityContextHolder;

    class CurrentUser {
        Object getPrincipal() {
            SecurityContext ctx = SecurityContextHolder.getContext();
            if (ctx == null) return null;
            // No Authentication is present before login; avoid a NullPointerException.
            Authentication auth = ctx.getAuthentication();
            return (auth == null) ? null : auth.getPrincipal();
        }
    }
SecurityContextHolder.getContext() is guaranteed to never return null, so you can skip that check. Also consider if the getPrincipal() returns a UserDetails object, as in that case you'll probably want to cast the getPrincipal() Object to UserDetails and use one of its getters instead (eg getUsername()).
Cheers Ben
Re: [Acegisecurity-developer] ACL for massive databases
Jeoff Wilks wrote: Ben, can you elaborate a bit on how you structured your DB schema for ACLs? I'm facing this problem right now (need ACLs at both app level and database level), and I would appreciate understanding a little more about the intent of the Acegi design in that respect. (Apologies for resurrecting an old thread).
Unfortunately I cannot provide a generally-useful schema, as it was very specific to the application I was working on. However, I would encourage you to consider the most efficient way to model, update (via triggers, stored procedures etc) and use (via views etc) your data at a DB level - don't worry too much about Acegi Security's ACL requirements. This is because DBs have specific optimisation considerations, not only in terms of normalisation but also in terms of efficient operation of views and triggers. Acegi Security can hook into whatever you end up developing for the DB via its general-purpose BasicAclDao interface. If needed you can always provide a DB view for use by your BasicAclDao implementation.
Best regards Ben
Re: [Acegisecurity-developer] Scoped Role
Hao Chen wrote: I thing I can think of is to change the GrantedAuthorities dynamically for every request based on which workspace the user is trying to access. Will this work?
That will work, but it means you will be using AuthenticationManager again for every request and you will need to be careful not to use the normal caching. It is far simpler in your case to write a custom AccessDecisionVoter that can read the current workspace (either from an argument to the secure method invocation or from a ThreadLocal) and then only consider the GrantedAuthority[]s that are applicable for that workspace. It's quite easy to do it, and you can use the existing RoleVoter as a guide.
Best regards Ben
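A sketch of the workspace-aware voter suggested in the reply above, added here as an example and not code from the thread or from Acegi Security. The class name, the `WS_` configuration attribute prefix and the `workspace:ROLE_X` authority naming are assumptions of this example; the workspace is read from a ThreadLocal, one of the two options the reply mentions.

```java
import java.util.Iterator;

import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.vote.AccessDecisionVoter;

/**
 * Added example (hypothetical class). A secure object configured with
 * WS_ROLE_EDITOR is granted only if the user holds "<workspace>:ROLE_EDITOR"
 * for the workspace bound to the current thread, e.g. "alpha:ROLE_EDITOR"
 * (constructed sample value).
 */
public class WorkspaceRoleVoter implements AccessDecisionVoter {

    private static final String PREFIX = "WS_";      // assumed attribute prefix
    private static final String SEPARATOR = ":";     // assumed authority format

    // Set by whatever resolves the workspace for the request (for example a
    // servlet filter) and cleared in a finally block so that pooled threads
    // never carry a previous request's workspace.
    private static final ThreadLocal CURRENT_WORKSPACE = new ThreadLocal();

    public static void setCurrentWorkspace(String workspace) {
        CURRENT_WORKSPACE.set(workspace);
    }

    public static void clearCurrentWorkspace() {
        CURRENT_WORKSPACE.set(null);
    }

    public boolean supports(ConfigAttribute attribute) {
        String value = attribute.getAttribute();
        return value != null && value.startsWith(PREFIX);
    }

    public boolean supports(Class clazz) {
        return true; // the decision does not depend on the secure object type
    }

    public int vote(Authentication authentication, Object object,
            ConfigAttributeDefinition config) {
        int result = ACCESS_ABSTAIN;
        String workspace = (String) CURRENT_WORKSPACE.get();
        GrantedAuthority[] granted = authentication.getAuthorities();

        Iterator attributes = config.getConfigAttributes();
        while (attributes.hasNext()) {
            ConfigAttribute attribute = (ConfigAttribute) attributes.next();
            if (!supports(attribute)) {
                continue;
            }
            // A workspace-scoped attribute is present: deny unless matched.
            result = ACCESS_DENIED;
            if (workspace == null || granted == null) {
                continue; // no workspace bound to the thread: fail closed
            }
            String role = attribute.getAttribute().substring(PREFIX.length());
            String required = workspace + SEPARATOR + role;
            for (int i = 0; i < granted.length; i++) {
                if (required.equals(granted[i].getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
        }
        return result;
    }
}
```

Because the Authentication keeps the authorities for every workspace and only the voter narrows them, the user is not re-authenticated per request, which is the cost the reply warns about.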
Re: [Acegisecurity-developer] setting attributes for remember-me cookie
Tim Kettering wrote: I scoured the forums and mailing list and did not find anyone bringing up this issue. I suspect it's because everyone (?) so far might have been using the filter based login. Which we are not, so this would not be a problem for them.
Hi Tim
If you are able to provide a JIRA patch that will provide this flexibility, I would be happy to apply it for you.
Cheers Ben
Re: [Acegisecurity-developer] Building with maven or maven2
Carlos Sanchez wrote: - What is the preferred maven version? I think maven2 is easier to tame
1.0.2 is the one I used a few weeks back to successfully build Acegi Security 1.0.0 RC2.
- Which repos are to be used?
They are defined in project.properties and you shouldn't need to modify them.
- Could I expect the build from CVS to fail or am I doing something wrong
It should build from CVS. Please try again with Maven 1.0.2 from CVS HEAD and report any problems on this list.
Thanks Ben
Re: [Acegisecurity-developer] change to Authentication object
Scott Battaglia wrote: Would it make sense to change the Object getPrincipal() method to UserDetails getPrincipal() such that users can swap the providers without having to worry whether the Authentication object from one provider returns a different Principal from the other Authentication objects (or should people always just call UserDetails)?
Hi Scott
I am inclined to leave it as-is, as detecting the type returned by getPrincipal() is rather easy to do, and can be encapsulated into a static utility method in any event. Also, as we're in the 1.0.0 RC phase, changing a relatively central interface like Authentication should be viewed with caution.
Cheers Ben
Re: [Acegisecurity-developer] checking for invalid user accounts in AuthenticationProvider implementations
Tim Kettering wrote: Maybe it'd be useful if those checks found in DaoAuthenticationProvider be made available as a pluggable component that other AuthenticationProviders can utilize?
Hi Tim
If you please add it to JIRA, I'll make a static method that accepts a UserDetails and throws an appropriate AuthenticationException based on its state.
Best regards Ben
Re: [Acegisecurity-developer] Is it possible to secure CGI scripts?
[EMAIL PROTECTED] wrote: Is it possible to secure perl scripts that are invoked as CGI programs?
FilterSecurityInterceptor works at the filter level, so if the filter will be called, it should be able to authorize based on URI.
Best regards Ben
[Acegisecurity-developer] Subversion?
Hi everyone
SourceForge have recently modified their offering so we can migrate to SVN (without losing revision history) - see http://sourceforge.net/docman/display_doc.php?docid=31070group_id=1#import. I have also been using SVN recently and had good results. The Subclipse plugin at Update Manager URL http://subclipse.tigris.org/update_1.0.x works quite well.
Does anyone have any concerns with the project migrating from CVS to SVN? If there aren't any objections, I'll make the change in about a week.
Cheers Ben
Re: [Acegisecurity-developer] Subversion?
Ben Alex wrote: Does anyone have any concerns with the project migrating from CVS to SVN? If there aren't any objections, I'll make the change in about a week.
Last weekend SF had some CVS issues, so I didn't make the switch as intended. I'm now going to hold-off doing this until early May, because I'm largely on the road until then and don't want to change things and be unavailable if anything goes wrong. Just wanted to let everyone know what's happening with the change.
Cheers Ben
[Acegisecurity-developer] Conferences and Polish article
Hi everyone
Just wanted to let you all know that I'll be attending two conferences in Europe this June:
* The Second International Conference on Open Source Systems on 8-10 June in Como, Italy. See http://oss2006.dti.unimi.it/.
* SpringOne on 15-16 June in Antwerp, Belgium. I'll be presenting a session on Acegi Security. See http://www.springone.com.
Look forward to meeting some of you there.
On another issue, is there any member of the community interested in writing a high-level article on Acegi Security for a Polish computer magazine? I've been invited to write one in English (which the magazine will translate), but thought I'd extend the offer to anyone who may speak Polish natively, or has time to write an article in English with a view to translation. If interested, please ping me off-list.
Cheers Ben
Re: [Acegisecurity-developer] Issue with FilterChainProxy when upgrading from 0.9.0 to 1.0.0-RC2
Konstantin Shaposhnikov wrote: I think that functionality provided in acegi 0.9.0 was quite useful, because ant patterns much more flexible than those provided by servlet-api, so it would be good to restore this behavior - when value is empty then no filters will be applied to request.
Please add this to JIRA as an enhancement request. I think some sort of express value would be in order - such as #NONE# - rather than allowing the right hand side of the equals to be entirely empty. The alternative is to use a NullFilter, but this increases invocation time unnecessarily.
Best regards Ben
Re: [Acegisecurity-developer] Re: CAS configuration
Marc-Antoine Garrigue wrote: I see 3 solutions:
I will refer this one to Scott, as he maintains the CAS integration these days. Scott, your thoughts?
Cheers Ben
Re: [Acegisecurity-developer] Is it possible to secure CGI scripts?
[EMAIL PROTECTED] wrote:

I've managed to authorize my perl scripts now as expected. Now I need to send some data from my java filters i.e. roles possessed by the user to the CGI perl script but I don't know how to do this. Any suggestion?

What exact approach are you using to run your Perl scripts?

Cheers
Ben
Re: [Acegisecurity-developer] Subversion? (Change completed)
Ben Alex wrote:

Last weekend SF had some CVS issues, so I didn't make the switch as intended. I'm now going to hold-off doing this until early May, because I'm largely on the road until then and don't want to change things and be unavailable if anything goes wrong. Just wanted to let everyone know what's happening with the change.

I have now completed the migration from CVS to SVN. This includes:

- CVS is no longer visible on the SF project page
- SVN is now visible on the SF project page
- All developers have had their CVS permissions revoked (in case they don't see this email)
- All developers now have SVN permissions granted
- The Maven POMs have been modified accordingly
- SVN commit messages are now emailed to acegisecurity-cvs, just as CVS used to
- The daily script now builds checkouts from SVN only (see http://acegisecurity.sourceforge.net/nightly)

As an aside, I had to complete the migration manually (use a SF CVS tarball, run cvs2svn on a local Linux box, SSH the resulting dump file, then import). The SF process didn't work, and cvs2svn failed locally with keyword failure errors. If anyone else has similar difficulties, the --use-cvs option on cvs2svn sorted it out.

Would one of our resident Maven experts (Luke, Carlos?) please check that the checkout instructions in /docs/xdocs/cvs-usage.html are correct, as are the various POM files.

Cheers
Ben
[Acegisecurity-developer] Roadmap for 1.0.0 final
Hi everyone

Last night I went through all open JIRA tasks. Most are now assigned to a target release and a specific developer.

I would like to release 1.0.0 final in around two weeks, and I have set aside some days to work exclusively on Acegi Security in this period. Would developers therefore please take a look at their assigned tasks and comment on their present status within the next couple of days. If you do not believe you will have time to resolve assigned tasks over the next fortnight, please reassign them back to me so that I can either action it or defer it until a future release. Thanks in advance.

BTW, I'll ensure 1.0.0 final includes some extra samples, tutorials, and revised reference documentation to help new users. We need to improve the quality of support resources for new users, such that forum time can be diminished in favor of more development time.

Cheers
Ben
Re: [Acegisecurity-developer] Subversion? (Change completed)
Carlos Sanchez wrote:

Looks right, only that https://svn.sourceforge.net/svnroot/acegisecurity/trunk/CVSROOT should be deleted

Thanks for the feedback, Carlos. Re CVSROOT, that's an artifact of the cvs2svn process. Even automatically migrated SF repositories (eg Spring Rich Client) have this come across.

On a related issue, what is stopping us using Maven 2 for Acegi Security now? I would ideally like to release 1.0.0 final with Maven 2, and remove all the old project.xml files. I don't mind if it means we have to lose some plugins, just as long as we can do some form of JAR creation, unit test execution, code coverage measurement and building a PDF and HTML-based DocBook. Are these functions working at present?

Cheers
Ben
Re: [Acegisecurity-developer] CAS support in Acegi
Scott Battaglia wrote:

I'm looking at re-working the CAS (some of it based on the new CAS client code). Would you prefer I wait until after the Acegi 1.0.0 Final release (i.e. target 1.1) and just focus on the current open CAS issues?

Hi Scott

I am trying to get 1.0.0 final out within a fortnight, and expect 1.0.1 will follow fairly quickly after that (ie within two or three weeks). It would probably be best if you could make any structural changes to be included in 1.0.0 final, otherwise 1.0.1 may not be backward compatible.

Cheers
Ben
[Acegisecurity-developer] SVN Commit Messages
Hi everyone

For the sake of consistency and ease of reviewing history logs, would developers please always format SVN commit messages to begin with the JIRA issue number, followed by a colon, then a brief description of the check-in. More detailed messages can be placed in the JIRA task.

eg: SEC-123: Constructor no longer requires null.

Thanks very much.
Ben
Re: [Acegisecurity-developer] Hit roadblock while securing Method AfterInvocation ...
Vikas Sasidharan wrote:

I am not so enthusiastic about setting the flag to true. Could anybody suggest some other possible alternatives? My last option is to have a custom MethodSecurityInterceptor that enables separation of before-invocation and after-invocation interception. The problem is that I have set /allowIfAllAbstain/ to false. Consequently, when the method call gets intercepted (before invocation) the Role Voter would return ABSTAIN and because of the flag not being set, Acegi would deny access to the user.

I'd suggest you investigate the different AccessDecisionManager implementations provided out-of-the-box and if needed provide your own. You could always use the AuthenticatedVoter so that there is a before-invocation authorization decision made for each secure object invocation.

Cheers
Ben
Re: [Acegisecurity-developer] tentative 1.0 final date
Ben Munat wrote:

I'm using RC-2 and I think I'm having trouble with the IllegalStateException problem as detailed in SEC-211. It appears that this issue is fixed in CVS, but won't be in a release until 1.0 final. Wondering if you guys are close on final (like in the next week or so), or if I should use a nightly build? Or maybe I should fall back to RC-1 since that didn't have the problem?

We will try to release it on 19 May, although it might slip to 26 May.

Cheers
Ben
Re: [Acegisecurity-developer] how to customize roles
Richard Han wrote:

My question probably is more suitable to user-list, but we don't have one. Anyway, I am new to acegi, my question is, how do you customize role names, for instance, if I want to use ROLE_STUDENT, ROLE_PROFESSOR, how would I let acegi recognize them?

In two places:

1. These would be your configuration attributes against AbstractSecurityInterceptor.objectDefinitionSource.
2. They would be returned in your UserDetails object from the UserDetailsService used by your AuthenticationProvider.

Cheers
Ben
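An added example, not code from the list or from Acegi Security: a stand-alone model of the voting behaviour discussed in the reply above and in the earlier "Hit roadblock while securing Method AfterInvocation" thread. It shows that a custom role name only needs to match between the configuration attribute and the user's authorities, and why a method carrying only an after-invocation attribute is refused when allowIfAllAbstain is false. The class names, the callers and the use of AFTER_ACL_READ as the sample after-invocation attribute are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

/** Stand-alone model of affirmative voting; a simplification, not Acegi Security's own classes. */
public class VotingModel {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    /** Constructed caller: the authority strings a UserDetailsService would return for the user. */
    static final class Caller {
        final boolean fullyAuthenticated; // false models an anonymous or remember-me caller
        final List<String> authorities;
        Caller(boolean fullyAuthenticated, String... authorities) {
            this.fullyAuthenticated = fullyAuthenticated;
            this.authorities = Arrays.asList(authorities);
        }
    }

    interface Voter { int vote(Caller caller, List<String> configAttributes); }

    /** Votes only on attributes with the ROLE_ prefix and abstains on everything else. */
    static final Voter ROLE_VOTER = (caller, attrs) -> {
        int result = ABSTAIN;
        for (String attr : attrs) {
            if (!attr.startsWith("ROLE_")) continue;
            if (caller.authorities.contains(attr)) return GRANTED;
            result = DENIED; // a role was demanded and the caller does not hold it
        }
        return result;
    };

    /** Votes only when IS_AUTHENTICATED_FULLY is among the attributes. */
    static final Voter AUTHENTICATED_VOTER = (caller, attrs) -> {
        if (!attrs.contains("IS_AUTHENTICATED_FULLY")) return ABSTAIN;
        return caller.fullyAuthenticated ? GRANTED : DENIED;
    };

    /** One grant allows; otherwise any deny refuses; if every voter abstained the flag decides. */
    static boolean decide(List<Voter> voters, boolean allowIfAllAbstain,
                          Caller caller, String... configAttributes) {
        List<String> attrs = Arrays.asList(configAttributes);
        int denies = 0;
        for (Voter voter : voters) {
            int vote = voter.vote(caller, attrs);
            if (vote == GRANTED) return true;
            if (vote == DENIED) denies++;
        }
        return denies == 0 && allowIfAllAbstain;
    }

    /** Fails loudly if the model does not behave as the scenario states. */
    static void check(String scenario, boolean expected, boolean actual) {
        if (expected != actual) throw new AssertionError(scenario);
        System.out.println((actual ? "ALLOW  " : "DENY   ") + scenario);
    }

    public static void main(String[] args) {
        Caller professor = new Caller(true, "ROLE_PROFESSOR");
        Caller student = new Caller(true, "ROLE_STUDENT");
        Caller anonymous = new Caller(false, "ROLE_ANONYMOUS");
        List<Voter> roleOnly = Arrays.asList(ROLE_VOTER);
        List<Voter> roleAndAuthenticated = Arrays.asList(ROLE_VOTER, AUTHENTICATED_VOTER);

        // Custom role names: the attribute string must equal an authority string.
        check("professor calls a ROLE_PROFESSOR method", true,
              decide(roleOnly, false, professor, "ROLE_PROFESSOR"));
        check("student calls a ROLE_PROFESSOR method", false,
              decide(roleOnly, false, student, "ROLE_PROFESSOR"));

        // The roadblock: no ROLE_ attribute, every voter abstains, flag is false.
        check("professor calls an AFTER_ACL_READ-only method, role voter only", false,
              decide(roleOnly, false, professor, "AFTER_ACL_READ"));

        // Adding an authentication attribute gives a real before-invocation decision.
        check("professor, IS_AUTHENTICATED_FULLY + AFTER_ACL_READ", true,
              decide(roleAndAuthenticated, false, professor, "IS_AUTHENTICATED_FULLY", "AFTER_ACL_READ"));
        check("anonymous, IS_AUTHENTICATED_FULLY + AFTER_ACL_READ", false,
              decide(roleAndAuthenticated, false, anonymous, "IS_AUTHENTICATED_FULLY", "AFTER_ACL_READ"));
    }
}
```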
[Acegisecurity-developer] Final preparation for 1.0.0 final
Hi everyone

I would like to release 1.0.0 final on Friday 26 May. All JIRA issues assigned to me are now either completed or marked for a future release.

Please note that source code reformatting with Jalopy has been completed (SEC-97) and the /jalopy.xml file revised. One of the changes included going from 80 character to 120 character word wrapping (we all have wide screens by now, right?). Committers, please re-import this file into your IDE Jalopy plugin and ensure that all source code is formatted prior to committing.

There are presently eight JIRA issues outstanding for 1.0.0 final, as listed in the roadmap: http://opensource.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

Would Luke, Scott and Marc Antoine please check these eight issues and either close them or assign them to a future release ASAP. None of them look critical except for SEC-270.

A number of desired major feature improvements have been deferred to 1.0.1 or 1.1.0. These most notably include the refactored ACL services (SEC-239) and configuration simplification (SEC-271). These are two items I would have liked to see in 1.0.0, but we simply ran out of time. The sandbox contains some code for the ACL refactoring, so I'd like to invite existing ACL users to take a look and provide feedback.

Cheers
Ben
Re: [Acegisecurity-developer] Final preparation for 1.0.0 final
Joern Huxhorn wrote:

It's possible that I'm missing something but I think it should be removed from the jar.

It has already been taken care of. See SEC-240.
Re: [Acegisecurity-developer] Final preparation for 1.0.0 final
Angelo Luis wrote:

this is not fixed: http://opensource.atlassian.com/projects/spring/browse/SEC-99

It isn't fixed for the reasons I provided in the comment, being:

I wish there was a simple way of resolving this issue, but whatever we do would inevitably break backward compatibility and represent a risk as we try to get 1.0.0 out. A more substantial refactoring of MethodDefinitionMap might be in order, particularly if it also allowed arguments to be declared.

Best regards
Ben
[Acegisecurity-developer] Acegi Security 1.0.0 is released!
Dear Spring Community

After more than two and a half years of development, I am delighted to announce that Acegi Security 1.0.0 is now officially released.

In addition to more than 80 improvements and fixes since 1.0.0 RC2, this new release also includes several changes to help new users. This includes a significant restructure and expansion of the reference guide (now more than 90 pages) and a new bare bones tutorial sample application.

Furthermore, many of the frequently-identified problems experienced by new users have been addressed, such as custom 403 messages (as opposed to using the Servlet Container's error handler), detecting corrupt property input following the reformatting of XML files, and a new logout filter. We've also refactored our LDAP services, made the SecurityContextHolder a pluggable strategy (especially useful for rich clients who wish to avoid ThreadLocal), and improved CAS support.

Please visit http://opensource.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040&styleName=Html&version=10360 for a detailed changelog. As always, detailed upgrade instructions are included in the release ZIP file.

The project's web site at http://acegisecurity.org provides additional information on Acegi Security's features, access to online documentation, and links to download the latest release. I will also be providing a presentation on Acegi Security at SpringOne next month, so I hope to see you there.

We trust that you find this new release useful in your projects.

Cheers
Ben
Re: [Acegisecurity-developer] SSO - Cookie, etc
Matthew Holt wrote:

1. Read SSO cookie username.
2. Check username against LDAP.

You need to write an authentication mechanism that can setup the SecurityContextHolder with an Authentication object representing the username derived from your SSO cookie. Usually this will be implemented as a Servlet Filter, as discussed more fully in the reference guide that ships in the release ZIPs or can be accessed from www.acegisecurity.org.

Best regards
Ben
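A sketch of the filter described in the reply above, as an added example written against the org.acegisecurity 1.0.x API and the Servlet 2.x Filter interface; it is not code from the list or from the project. The class name, the cookie name SSO_USER, the username allow-list and the injected LDAP-backed UserDetailsService are assumptions, and the filter is only as trustworthy as the upstream SSO agent that sets and protects the cookie. It is meant to sit after HttpSessionContextIntegrationFilter in the filter chain.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;

/** Hypothetical SSO mechanism: cookie username, then LDAP lookup, then SecurityContextHolder. */
public class SsoCookieProcessingFilter implements Filter {
    private static final String COOKIE_NAME = "SSO_USER";          // assumed cookie name
    private static final String USERNAME_PATTERN = "[A-Za-z0-9._-]{1,64}"; // assumed allow-list

    private UserDetailsService userDetailsService; // assumed to be backed by the LDAP directory

    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only act when nothing earlier in the chain has already authenticated the request.
        if (request instanceof HttpServletRequest
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            String username = readUsername((HttpServletRequest) request);
            if (username != null) {
                authenticate(username);
            }
        }
        chain.doFilter(request, response);
    }

    /** Step 1: read the SSO cookie; reject values that are not plain usernames. */
    private String readUsername(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (COOKIE_NAME.equals(cookies[i].getName())) {
                String value = cookies[i].getValue();
                // Keeps directory filter metacharacters out of the LDAP lookup.
                return (value != null && value.matches(USERNAME_PATTERN)) ? value : null;
            }
        }
        return null;
    }

    /** Step 2: check the username against LDAP and publish the Authentication. */
    private void authenticate(String username) {
        try {
            UserDetails user = userDetailsService.loadUserByUsername(username);
            if (!user.isEnabled() || !user.isAccountNonLocked() || !user.isAccountNonExpired()) {
                return; // known but unusable account: stay unauthenticated
            }
            // The three-argument constructor yields a token with isAuthenticated() == true,
            // so AbstractSecurityInterceptor will not send it back to the AuthenticationManager.
            Authentication auth =
                new UsernamePasswordAuthenticationToken(user, "N/A", user.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(auth);
        } catch (UsernameNotFoundException notInDirectory) {
            // Unknown user: leave the context empty so later filters can deny or redirect.
        }
    }
}
```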
Re: [Acegisecurity-developer] Can't find some class for migration
Andrew Perepelytsya wrote:

1. Where is net.sf.acegisecurity.context.ContextInvalidException now? What is the replacement for it?
2. The SecureContext class had the validate() method, but I can't find it in SecurityContext now, neither does SecurityContextImpl contain it.

The SecurityContextHolder classes were quite extensively refactored over these releases, going from a general-purpose ThreadLocal store to a security-specific store. Did you need the above exception and method for something in particular? If you provide the usage scenario we can perhaps offer some suggestions.

Best regards
Ben
Re: [Acegisecurity-developer] Enhancements to Siteminder integration for 1.1.0
[EMAIL PROTECTED] wrote:

Hi All,

In the Docbook, at the end of Chapter 9: Siteminder Authentication Mechanism, someone added a TODO suggesting that a dedicated AuthenticationProvider be created instead of users having to modify their DaoAuthenticationProvider. They don't actually, but it does make sense to have a dedicated provider to keep things clean, and I'll go ahead and write this for 1.1.0.

I'm unclear about the additional line though, "Also review the mixed use of SiteminderAuthenticationProcessingFilter, as it's inconsistent with the rest of Acegi Security's authentication mechanisms which are high cohesion." Could the person who added this Docbook TODO help me understand what is being suggested?

Thanks,
Scott

Hi Scott

I added the comment to the reference guide, after reading the following in the Siteminder section of the Reference Guide:

Normally a |DaoAuthenticationProvider| expects the password property to match what it retrieves from the |UserDetailsSource|. In this case, authentication has already been handled by Siteminder and you've specified the same HTTP header for both username and password. As such, you must modify the code of |DaoAuthenticationProvider| to simply make sure the username and password values match.

If we don't need users to modify DaoAuthenticationProvider, we should modify the Reference Guide accordingly. The second sentence of my comment really just reflected taking a closer look at the design, primarily because of the DaoAuthenticationProvider handling.

Thanks for volunteering to look at this for 1.1.0 BTW.

Cheers
Ben
Re: [Acegisecurity-developer] AJAX support follow up
Brian Pontarelli wrote:

Hello everyone. I'd like to try one last time to get some backing from the Acegi developers for a patch to include AJAX login support into Acegi. I have written all of the code and just need to finish test cases, but I'd like to commit this back into the main line rather than supporting a fork locally. I think there are enough companies doing AJAX work and using a session (or that would like to use an AJAX style login form) that this is really a valuable patch.

Hi Brian

As Ray mentioned, if you could kindly attach your patch to a JIRA issue one of us will be able to review and hopefully incorporate it into the code base (if you've already put it into JIRA, please let me know the issue number).

Best regards
Ben
Re: [Acegisecurity-developer] Bean initialization, constructor injection etc.
Luke Taylor wrote:

I agree that reusability is important but I'm not convinced that these changes are justified on this basis, or that is just about balancing reusability and ease of use. The use of constructor arguments is about guaranteeing that objects can only be created with a specific state (the dependencies required by their design) and providing a single point for checking that state (the constructor). This is a design issue based on the requirements as determined by the developer at the time they write the class. As time goes on and different requirements become apparent from forum posts and so on, compromises are made, access is provided to state that was previously immutable or unreadable etc etc. The most reusable code may provide no-arg constructors and getters and setters for everything, but it is also the least stable.

+1

To summarise, there may be situations where we *do* want to open things up in this way for some classes, to provide extra extensibility, but I don't think accommodating the inadequacies of plexus is sufficient justification for a cross-the-board change. Could it not be argued that the changes should be made to plexus rather than Acegi?

Acegi Security should not be changed to accommodate limitations in IoC containers. If Plexus cannot be modified to support the required behaviour, I would encourage the addition of wrapper objects within a third party project (whatever is needing to use Acegi Security with Plexus) to achieve the required integration. I would hope that ultimately the wrapper objects could be removed, when Plexus supports constructor injection.

The other issue is that not using Spring for IoC will become a more pronounced issue as we move towards 1.1.0, because the namespaces feature in Spring 2.0 will be leveraged. As part of this most (if not all) classes will be refactored to use [full] constructor injection and end users will be encouraged to wire things up with Acegi Security XML rather than beans XML. This is partly to make things easier on users (XML verbosity and auto-completion), partly to give XML validation, but also to provide a level of indirection between the OO implementation approach and user configuration approach (thus giving us more flexibility to refactor the former without breaking the latter). Therefore, perhaps the easiest thing to do would be look at using Spring as an internal configuration subsystem for Acegi Security and simply wrapping the Spring IoC container inside a bean that is in turn registered with Plexus or any other IoC container for that matter.

On another issue, could I ask was there a technical reason Plexus was selected instead of Spring? Perhaps you could use namespaces with Spring in your project, as they do give you a lot of genuine benefits aside from simpler Acegi Security integration (as summarized above).

Best regards
Ben
Re: [Acegisecurity-developer] advanced feature
Kirin Eugene wrote:

I want to allow this link to be seen not by all users with the user permission, but only by the user with a concrete ID. In other words, if the user has the user role and id = 5, then show the link. Do you know how best to implement it?

The taglib is designed only to work with roles. You'll need to customize it, or perhaps explore using the ACL taglib or approaching your problem a different way.

Cheers
Ben
Re: [Acegisecurity-developer] Unsigned ACEGI jars
Kujat, Aaron wrote:

I have downloaded the acegi-security-1.0.1 release from a number of mirrors now and I have not been able to find a properly signed jar file.

Hi Aaron

The JARs were not signed in 1.0.1 and this is not a problem. You can read more at http://www.mail-archive.com/acegisecurity-developer@lists.sourceforge.net/msg02009.html.

Cheers
Ben