[T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one
Hi all,

latest release of my phone book application is available now. In this release I used:

- Tapestry 5.0.7 as a Web MVC framework.
- Acegi 1.0.5 as a Security System.
- Spring 2.5 as an Application framework.
- Spring JDBC for Data Access Layer.
- Hibernate 3.2.4 an alternative for Data Access Layer.
- JPA (Hibernate Implementation) another alternative for Data Access Layer.
- HSQLDB 1.8.0.7 for application database.

read more about application configuration at http://code.google.com/p/shams/wiki/TASJHJ

you can download source code for this release and previous releases from http://code.google.com/p/shams/

--
sincerely yours
M. H. Shamsi

Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one
Hi,

Thank you for this great work. It will be really useful.

I still have a question about security T5/acegi integration: the classic solution that you used to perform strong authentication with acegi through T5 is creating a T5 LinkImpl object. You then give parameters (login and password) to this link object to pass the request to acegi.

The problem is that you are then able to see login and password in clear in your server (Apache, Tomcat, ...) logs. Indeed, T5 uses a LinkImpl object to perform a GET (and not a POST) to the server.

I am very annoyed with this security hole that I have encountered on my own implementation of T5/acegi integration. I don't know any correct and elegant fix to this issue for now.

Did you experience this issue? Do you have an idea on it? Or maybe you already found a solution to fix it?

Regards,
Baptiste

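An added example, not part of the original thread or of the phone book project: a scan over access-log lines that flags and redacts Acegi login parameters (`j_username`, `j_password`) carried in a request URL, which is the exposure described in the message above. The log lines and the `/phonebook` path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Acegi's default login parameter names, as used in this thread.
SENSITIVE = {"j_username", "j_password"}

# Request field of a common/combined access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def scan_line(line):
    """Return (redacted_line, leaked_parameter_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k in SENSITIVE]
    if not leaked:
        return line, []
    # Rebuild the query string with the sensitive values masked.
    safe_query = urlencode([(k, "REDACTED" if k in SENSITIVE else v) for k, v in pairs])
    safe_target = parts._replace(query=safe_query).geturl()
    start, end = m.span("target")
    return line[:start] + safe_target + line[end:], leaked


def scan_log(lines):
    """Return [(line_number, leaked_names, redacted_line)] for lines with credentials in the URL."""
    findings = []
    for number, line in enumerate(lines, 1):
        redacted, leaked = scan_line(line)
        if leaked:
            findings.append((number, leaked, redacted))
    return findings


# Constructed sample lines: a page view, a GET login (leaks), a POST login (does not).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Jan/2008:16:40:01 +0100] "GET /phonebook/login HTTP/1.1" 200 1843',
    '192.0.2.10 - - [22/Jan/2008:16:40:09 +0100] "GET /phonebook/j_acegi_security_check'
    '?j_username=alice&j_password=s3cret%21 HTTP/1.1" 302 -',
    '192.0.2.11 - - [22/Jan/2008:16:41:30 +0100] "POST /phonebook/j_acegi_security_check HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for number, leaked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(leaked)} in URL -> {redacted}")
```

Any hit means the logged values should be treated as exposed: rotate the affected passwords and restrict or purge the log files that contain them.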
Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one
a simple idea is to change Login.tml to submit directly to acegi filter:

    <form method="POST" action="/j_acegi_security_check">
        <input type="text" name="j_username" />
        <input type="password" name="j_password" />
        <input type="submit" value="${message:login}" />
    </form>

--
sincerely yours
M. H. Shamsi

Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one
Thanks for your response. It is the solution that I decided to use. It is perfectly working but without using T5 mechanisms. I was wondering if some full T5 solution was possible.

Thanks again,
Baptiste.

Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one
another way: encrypt your password and then send it with the url.

you can do this in two ways:

1 - with java code in Login.java class:

this is my sample that used in a project:

    import java.math.BigInteger;
    import java.security.MessageDigest;

    public String digest(String password, String salt) {
        if ((password == null) || (salt == null)) {
            throw new IllegalArgumentException();
        }
        try {
            MessageDigest digest = MessageDigest.getInstance("MD5");
            // Hash the password between the two halves of the salt.
            int half = salt.length() / 2;
            String firstSubString = salt.substring(0, half);
            String secondSubString = salt.substring(half);
            digest.update(firstSubString.getBytes("UTF-8"));
            digest.update(password.getBytes("UTF-8"));
            digest.update(secondSubString.getBytes("UTF-8"));
            // Hex-encode the 16 digest bytes; decoding raw digest bytes
            // as a UTF-8 string is lossy.
            return String.format("%032x", new BigInteger(1, digest.digest()));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

note that you must encrypt new user passwords too, before saving them in the database.

2 - with javascript code in Login.tml

you can find sample javascripts for encrypting passwords on the internet.

--
sincerely yours
M. H. Shamsi