[T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

2008-01-22 Thread Mohammad Shamsi
Hi all,

The latest release of my phone book application is available now.

In this release I used:

   - Tapestry 5.0.7 as a Web MVC framework.
   - Acegi 1.0.5 as a Security System.
   - Spring 2.5 as an Application framework.
   - Spring JDBC for the Data Access Layer.
   - Hibernate 3.2.4 as an alternative for the Data Access Layer.
   - JPA (Hibernate Implementation) as another alternative for the Data Access
   Layer.
   - HSQLDB 1.8.0.7 for the application database.

Read more about application configuration at
http://code.google.com/p/shams/wiki/TASJHJ

You can download source code for this release and previous releases from
http://code.google.com/p/shams/


-- 
sincerely yours
M. H. Shamsi


Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

2008-01-22 Thread Baptiste Meurant

Hi, 

Thank you for this great work. It will be really useful. 

I still have a question about the security T5/acegi integration: the
classic solution that you used to perform strong authentication with acegi
through T5 is creating a T5 LinkImpl object. You then give parameters (login
and password) to this link object to pass the request to acegi.

The problem is that you are then able to see the login and password in clear in
your server (Apache, Tomcat, ...) logs. Indeed, T5 uses a LinkImpl object to
perform a GET (and not a POST) to the server.

I am very annoyed with this security hole, which I have encountered in my own
implementation of T5/acegi integration. I don't know any correct and elegant
fix for this issue for now.

Did you experience this issue? Do you have an idea on it? Or maybe you have
already found a solution to fix it?

Regards, 

Baptiste




-- 
View this message in context: 
http://www.nabble.com/-T5--ANNTapestry%2BAcegi%2BSpring%2BJDBC%2BHibernate%2BJPA%2BHSQLDB-all-in-one-tp15017544p15018441.html
Sent from the Tapestry - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

2008-01-22 Thread Mohammad Shamsi
A simple idea is to change Login.tml to submit directly to the acegi filter:


<form method="POST" action="/j_acegi_security_check">

   <input type="text" name="j_username" />

   <input type="password" name="j_password" />

   <input type="submit" value="${message:login}" />
</form>





-- 
sincerely yours
M. H. Shamsi
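The exposure Baptiste describes (credentials carried in a GET query string, so every access log in the path records them) and the fix above (a plain form POST to /j_acegi_security_check) can be backed by a server-side check, so that no later template or link change can silently reintroduce the GET. The following servlet filter is an added example; it is not code from the shams project or from Acegi. It assumes the Servlet 2.4 API that Tapestry 5 and Acegi 1.0 run on, and a web.xml filter-mapping for /j_acegi_security_check that places it ahead of the Acegi filter chain (both assumptions). The parameter names j_username and j_password are those used by the form above.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not shams or Acegi code): rejects any login attempt to
 * /j_acegi_security_check that would leave credentials in access logs.
 * Assumed web.xml mapping: url-pattern /j_acegi_security_check, ordered
 * before Acegi's FilterToBeanProxy.
 */
public class PostOnlyLoginFilter implements Filter {

    // Parameter names read by Acegi's AuthenticationProcessingFilter (from the form in the thread).
    private static final String USERNAME_PARAM = "j_username";
    private static final String PASSWORD_PARAM = "j_password";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isSafeLoginRequest(request)) {
            // 405 for anything that is not a POST; 400 for a POST that still
            // carries a credential parameter in the query string.
            int status = "POST".equalsIgnoreCase(request.getMethod())
                    ? HttpServletResponse.SC_BAD_REQUEST
                    : HttpServletResponse.SC_METHOD_NOT_ALLOWED;
            response.sendError(status);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * A login request is acceptable only when it is a POST and neither
     * credential parameter appears in the query string (the URL is what
     * access logs record; the POST body is not).
     */
    static boolean isSafeLoginRequest(HttpServletRequest request) {
        if (!"POST".equalsIgnoreCase(request.getMethod())) {
            return false;
        }
        String query = request.getQueryString();
        return !queryContains(query, USERNAME_PARAM)
            && !queryContains(query, PASSWORD_PARAM);
    }

    /** True when the raw query string has a component whose name is exactly "name". */
    static boolean queryContains(String query, String name) {
        if (query == null) {
            return false;
        }
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (name.equals(key)) {
                return true;
            }
        }
        return false;
    }
}
```

With this in place a GET /j_acegi_security_check?j_username=...&j_password=... is answered with 405 before Acegi sees it, so the only way to authenticate is the POST form, and the access log line for a login contains just the path.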


Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

2008-01-22 Thread Baptiste Meurant

Thanks for your response.

It is the solution that I decided to use. It is working perfectly, but
without using T5 mechanisms. I was wondering if some full T5 solution was
possible.

Thanks again,

Baptiste.



-- 
View this message in context: 
http://www.nabble.com/-T5--ANNTapestry%2BAcegi%2BSpring%2BJDBC%2BHibernate%2BJPA%2BHSQLDB-all-in-one-tp15017544p15019005.html
Sent from the Tapestry - User mailing list archive at Nabble.com.





Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

2008-01-22 Thread Mohammad Shamsi
Another way:

Encrypt your  and password and then send it with the URL.

You can do this in two ways:

1 - with Java code in the Login.java class:

This is my sample that I used in a project:

import java.security.MessageDigest;

public String digest(String password, String salt) {

    if ((password == null) || (salt == null)) {
        throw new IllegalArgumentException();
    }

    try {
        MessageDigest digest = MessageDigest.getInstance("MD5");

        int half = salt.length() / 2;
        String firstSubString = salt.substring(0, half);
        String secondSubString = salt.substring(half);

        digest.update(firstSubString.getBytes("UTF-8"));
        digest.update(password.getBytes("UTF-8"));
        digest.update(secondSubString.getBytes("UTF-8"));

        // Hex-encode the raw digest bytes: decoding them as UTF-8 text would
        // corrupt the value, since digest output is rarely valid UTF-8.
        StringBuilder hex = new StringBuilder();
        for (byte b : digest.digest()) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();

    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}

Note that you must encrypt new user passwords too, before saving them in the database.


2 - with JavaScript code in Login.tml

You can find sample JavaScripts for encrypting passwords on the internet.



-- 
sincerely yours
M. H. Shamsi
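One caveat on the approach above: a digest computed in Login.java (or in browser JavaScript) and sent with the URL is still written to the same access logs as the password would be, and anyone who reads the log can replay that digest, because the server now accepts the digest as the credential. Hashing therefore does not remove the log exposure that started this thread; it only changes what is stored in the database. Where hashing does belong is server-side, before the password is saved, and at verification time. The class below is an added example, not shams code, showing that storage side with the same split-salt layout as the digest() method above: a per-user random salt from SecureRandom, hex output instead of decoding digest bytes as text, and a constant-time comparison on verify. SHA-256 is substituted for the thread's MD5 (an assumption of this example); for new systems a purpose-built password hash such as PBKDF2 or bcrypt is the better choice, but the structure shown here is the same.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Added example (not shams project code): server-side salted password storage
 * and verification. SHA-256 stands in for the thread's MD5 (assumption).
 */
public class SaltedPasswordHasher {

    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** A fresh 16-byte random salt as hex; generated when the user record is created. */
    public static String newSalt() {
        byte[] salt = new byte[16];
        RANDOM.nextBytes(salt);
        return toHex(salt);
    }

    /**
     * Same layout as the thread's digest(): first half of the salt, then the
     * password, then the second half. The digest bytes are hex-encoded rather
     * than decoded as UTF-8, which would corrupt them.
     */
    public static String digest(String password, String salt) {
        if (password == null || salt == null) {
            throw new IllegalArgumentException("password and salt are required");
        }
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            int half = salt.length() / 2;
            md.update(salt.substring(0, half).getBytes(UTF8));
            md.update(password.getBytes(UTF8));
            md.update(salt.substring(half).getBytes(UTF8));
            return toHex(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    /** Stored form "salt$hexdigest", computed once when a new user's password is saved. */
    public static String storedForm(String password) {
        String salt = newSalt();
        return salt + "$" + digest(password, salt);
    }

    /** Verifies a login attempt; MessageDigest.isEqual avoids an early-exit comparison. */
    public static boolean verify(String password, String stored) {
        int sep = stored.indexOf('$');
        if (sep < 0) {
            return false;
        }
        String salt = stored.substring(0, sep);
        byte[] expected = stored.substring(sep + 1).getBytes(UTF8);
        byte[] actual = digest(password, salt).getBytes(UTF8);
        return MessageDigest.isEqual(expected, actual);
    }

    private static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            out[2 * i] = HEX[(bytes[i] >> 4) & 0x0f];
            out[2 * i + 1] = HEX[bytes[i] & 0x0f];
        }
        return new String(out);
    }

    public static void main(String[] args) {
        // Constructed sample input, not a real credential.
        String stored = storedForm("sample-password");
        System.out.println("stored:  " + stored);
        System.out.println("correct: " + verify("sample-password", stored));
        System.out.println("wrong:   " + verify("other", stored));
    }
}
```

In this arrangement the browser still submits the plain password over the POST form from earlier in the thread (over TLS), the server never logs it, and only the salted digest reaches the database; the digest itself never travels in a URL.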