Re: tapestry-spring-security: how to set ASO on successful login?
On Mon, Dec 8, 2008 at 03:59, Jonathan Barker <[EMAIL PROTECTED]> wrote:
> you will see where the AnonymousAuthenticationProcessingFilter is hooked in.

I've been following this thread, I've just not come up with any good answers before other people :). I was thinking of the AnonymousAuthenticationProcessingFilter, maybe this should be made optional?

--
regards,
Robin
RE: tapestry-spring-security: how to set ASO on successful login?
Short answer: I don't know.

I have, for various reasons, maintained a slightly modified version of the tapestry5-acegi project. I will likely do the same for tapestry-spring-security.

If you look at the source for nu.localhost.tapestry5.springsecurity.services.SecurityModule you will see where the AnonymousAuthenticationProcessingFilter is hooked in. You could leave it out.

You should also know that the HttpSessionContextIntegrationFilter is responsible for moving SecurityContext information back and forth to the HttpSession. I'm not sure under what circumstances you will cause a session to be created - probably anything that puts something in the SecurityContext.

OTOH, that won't solve the issue of Tapestry creating the session to store the validation tracker for the Login form. There have been various conversations about session-less strategies on the list.

Jonathan

> -----Original Message-----
> From: rs1050 [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 07, 2008 21:23
> To: users@tapestry.apache.org
> Subject: RE: tapestry-spring-security: how to set ASO on successful login?
>
> Off topic: is there a way of instructing spring-security not to create a
> session before authentication (kind of 'no role at all' rather than
> ROLE_ANONYMOUS)? I am thinking about a web site with big traffic - creation
> of too many sessions for public pages will really slow it down...
>
> Jonathan Barker wrote:
> >
> > IIRC, the default configuration for tapestry-acegi resulted in
> > ROLE_ANONYMOUS being given to unauthenticated users. That resulted in the
> > creation of the session.
RE: tapestry-spring-security: how to set ASO on successful login?
Off topic: is there a way of instructing spring-security not to create a session before authentication (kind of 'no role at all' rather than ROLE_ANONYMOUS)? I am thinking about a web site with big traffic - creation of too many sessions for public pages will really slow it down...

Jonathan Barker wrote:
>
> IIRC, the default configuration for tapestry-acegi resulted in
> ROLE_ANONYMOUS being given to unauthenticated users. That resulted in the
> creation of the session.
RE: tapestry-spring-security: how to set ASO on successful login?
IIRC, the default configuration for tapestry-acegi resulted in ROLE_ANONYMOUS being given to unauthenticated users. That resulted in the creation of the session.

Also, I hit issues in testing where I would go back to the login page and log in as a different user. Unfortunately, I still had page state left over from the original login, so now I invalidate the session to clear any user-specific state.

Jonathan

> -----Original Message-----
> From: rs1050 [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 07, 2008 20:58
> To: users@tapestry.apache.org
> Subject: RE: tapestry-spring-security: how to set ASO on successful login?
>
> Why do you expect that the session already exists so that you have to
> invalidate it? Does spring-security create it automatically?
>
> > Session s = _request.getSession(false);
> > s.invalidate();
> > s = _request.getSession(true);
RE: tapestry-spring-security: how to set ASO on successful login?
Why do you expect that the session already exists so that you have to invalidate it? Does spring-security create it automatically?

> Session s = _request.getSession(false);
> s.invalidate();
> s = _request.getSession(true);
RE: tapestry-spring-security: how to set ASO on successful login?
My 'loginform.url' points to "/login". I've also looked at the source for the new tapestry-spring-security and I don't see much for differences.

I noticed a post by Martijn asking how you configured Spring Security. If you are using tapestry-spring-security, you don't need to do the usual Spring configuration so I could see you running into problems there if you did that.

Yes, all un-authenticated requests go to my login page. I also use the SavedRequest from Acegi to continue on to the desired page with the correct parameters, if possible.

Here's a chunk of my login page:

    public Object onSuccessFromLoginForm() {
        UsernamePasswordAuthenticationToken authRequest =
            new UsernamePasswordAuthenticationToken(_username, _password);
        Authentication authResult;

        try {
            authResult = _authenticationManager.authenticate(authRequest);
            logger.info("successful login for: " + _username);
        } catch (BadCredentialsException failed) {
            _form.recordError(_passwordField, "Invalid username or password");
            logger.info("bad password for: " + _username);
            return null;
        } catch (AuthenticationException failed) {
            _form.recordError(_passwordField, "Invalid username or password");
            logger.info("failed login for: " + _username);
            return null;
        }

        // get the saved request before we trash the session
        SavedRequest savedRequest = (SavedRequest) _requestGlobals
            .getHTTPServletRequest().getSession()
            .getAttribute(AbstractProcessingFilter.ACEGI_SAVED_REQUEST_KEY);

        // make sure the user state gets cleared
        // and problems with anonymous auth
        Session s = _request.getSession(false);
        s.invalidate();
        s = _request.getSession(true);

        SecurityContextHolder.getContext().setAuthentication(authResult);

        if (savedRequest != null) {
            java.net.URL url = null;
            try {
                url = new URL(savedRequest.getRequestURL());
            } catch (MalformedURLException e) {
                logger.error("malformed url:" + savedRequest.getRequestURI());
            }
            return url;
        }
        return Summary.class;
    }

> -----Original Message-----
> From: rs1050 [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 07, 2008 15:14
> To: users@tapestry.apache.org
> Subject: RE: tapestry-spring-security: how to set ASO on successful login?
>
> Thank you Jonathan,
>
> My login page is 'user/login', and this is what i have in configuration of
> spring-security:
>
>     configuration.add("spring-security.loginform.url", "/user/login");
>     configuration.add("spring-security.failure.url", "/user/login/failed");
>
> Then spring-security hijacks all submits from login page. I did not do any
> custom filter creation in addition to that. In your application, what is the
> 'loginform.url'? Does it point to the actual tapestry login page?
>
> Assuming that in your case spring-security does *not* hijack the submits
> from the login page, does it still redirect to login page if a user tries
> to access some other secured page without being authenticated?
>
> Thank you.
> R.
Re: tapestry-spring-security: how to set ASO on successful login?
I was using tapestry-spring-security.
Re: tapestry-spring-security: how to set ASO on successful login?
Are you using Spring Security directly or are you using the tapestry5-acegi library? I use Spring Security without using tapestry5-acegi and my Login page is a fully functional tapestry page (ie it allows you to set ASO's etc.). The trick is to disable Spring security filtering for the login page (in the spring config file). In my case:

If you are using tapestry5-acegi you should somehow make the filter not filter your login page:

Martijn Brinkers

On Fri, 2008-12-05 at 17:58 -0800, rs1050 wrote:
> Hi,
>
> I would like to create and set ASO on successful login. Without using
> tapestry-spring-security my Login page looked like this:
>
> public class Login {
>
>     Object onSuccess() {
>         boolean authResult = authenticate();
>         if (authResult) {
>             // create and set ASO 'myState'
>         }
>         return null; // null: Tapestry re-renders the current page
>     }
>
>     @ApplicationState(create=false)
>     private MyState myState;
> }
>
> after integrating with tapestry-spring-security, spring security intercepts
> submits from the login form, and my Index java page in never called. I was
> thinking about providing my own AuthenticationProcessingFilter and there
> setting new instance of ASO in http session manually, but it is very ugly
> because I will have to invoke this method from
> SessionApplicationStatePersistenceStrategy (which is private, so I will need
> to use reflection tricks to overcome, and you get the picture - it becomes
> really ugly):
>
>     private String buildKey(Class asoClass)
>     {
>         return PREFIX + asoClass.getName();
>     }
>
> Any help is appreciated.
> R.
RE: tapestry-spring-security: how to set ASO on successful login?
Thank you Jonathan,

My login page is 'user/login', and this is what i have in configuration of spring-security:

    configuration.add("spring-security.loginform.url", "/user/login");
    configuration.add("spring-security.failure.url", "/user/login/failed");

Then spring-security hijacks all submits from login page. I did not do any custom filter creation in addition to that. In your application, what is the 'loginform.url'? Does it point to the actual tapestry login page?

Assuming that in your case spring-security does *not* hijack the submits from the login page, does it still redirect to login page if a user tries to access some other secured page without being authenticated?

Thank you.
R.
RE: tapestry-spring-security: how to set ASO on successful login?
Responses inline

> -----Original Message-----
> From: rs1050 [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 06, 2008 15:27
> To: users@tapestry.apache.org
> Subject: RE: tapestry-spring-security: how to set ASO on successful login?
>
> Thank you.
>
> "You could work with the ASO in the relevant onSuccess method." - i wish i
> could - my onSuccess method for my Login page is *not* being called b/c
> tapestry-spring-security filter hijacks the request to that url. Once
> spring-security's filter (and it is not a Tapestry's filter) starts
> processing the request, i need to be able to do something with the ASO.

I'm using tapestry5-acegi, but I don't think it's changed with the update to Spring Security. I AM using a Login page, and my onSuccess() method does get called. I haven't tried to configure any authentication processing filter which may explain why what I do works - I don't get hijacked.

> Currently I am planning to subclass
> org.springframework.security.ui.webapp.AuthenticationProcessingFilter and
> overwrite onSuccessfulAuthentication method to create ASO. In order to do
> that I need reference to ApplicationStateManager. However, i can't figure
> out a way of how to get it except for a very ugly one:
>
> 1. I create a TapestryExposer eager service, which on construction,
> remembers ApplicationStateManager passed to the constructor and set itself
> into a Spring-defined bean called 'TapestryExposerHolder'
> 2. in my custom spring-security filter's (non-tapestry filter)
> onSuccessfulAuthentication method I lookup TapestryExposerHolder, and from
> it get TapestryExposer, and from that I get ApplicationStateManager.
> ugr.

I suggest you follow the link I gave earlier:

http://www.nabble.com/Accessing-ApplicationStateManager-from-within-a-Filter-td20274449.html#a20324607

My strategy was simple: You only get a page that uses the ASO if you have been authenticated. Therefore, on any page that asks for the ASO, you know that authentication will already have occurred. You can put all your ASO-building code in a contribution to the ApplicationStateManager, and get the authentication information from the SecurityContext.

This also guarantees that any "accidental" ASO creation will create a properly constructed ASO, and allows things like the RememberMe service to be used (that would not be calling your onSuccess() method) yet still get a properly constructed ASO at the end.

> If anyone can come up with a cleaner way of doing something with ASO after
> successful authentication by spring security, it is really appreciated.
>
> R.
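A sketch of the strategy described in this reply, added here as an example and not code from the thread or from tapestry-spring-security: the ASO is built by a creator contributed to the ApplicationStateManager, which reads the user from the SecurityContext and refuses the ROLE_ANONYMOUS token discussed elsewhere in the thread. `AppModule`, the package name and the shape of `MyState` are assumptions; the imports assume Tapestry 5.0 and Spring Security 2.0 package names.

```java
package com.example.services; // hypothetical package

import org.apache.tapestry5.ioc.MappedConfiguration;
import org.apache.tapestry5.services.ApplicationStateContribution;
import org.apache.tapestry5.services.ApplicationStateCreator;
import org.springframework.security.Authentication;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

public class AppModule {

    /** Hypothetical ASO standing in for the MyState class named in the thread. */
    public static class MyState {
        private final String username;

        public MyState(String username) {
            this.username = username;
        }

        public String getUsername() {
            return username;
        }
    }

    /**
     * Tells Tapestry how to build MyState the first time a page or service
     * asks for it, whichever login path (form, remember-me) was taken.
     */
    public static void contributeApplicationStateManager(
            MappedConfiguration<Class, ApplicationStateContribution> configuration) {

        ApplicationStateCreator<MyState> creator = new ApplicationStateCreator<MyState>() {
            public MyState create() {
                Authentication auth =
                        SecurityContextHolder.getContext().getAuthentication();

                // An anonymous token reports isAuthenticated() == true, so it
                // has to be excluded explicitly: user state must never be
                // built for a visitor who has not logged in.
                if (auth == null
                        || !auth.isAuthenticated()
                        || auth instanceof AnonymousAuthenticationToken) {
                    throw new IllegalStateException(
                            "MyState requested without an authenticated user");
                }
                return new MyState(auth.getName());
            }
        };

        // "session" is Tapestry's built-in ASO persistence strategy.
        configuration.add(MyState.class,
                new ApplicationStateContribution("session", creator));
    }
}
```

A page that declares `@ApplicationState private MyState myState;` then receives the object on first access, so nothing has to run inside the login form's onSuccess() handler or a servlet filter.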
RE: tapestry-spring-security: how to set ASO on successful login?
Thank you.

"You could work with the ASO in the relevant onSuccess method." - i wish i could - my onSuccess method for my Login page is *not* being called b/c tapestry-spring-security filter hijacks the request to that url. Once spring-security's filter (and it is not a Tapestry's filter) starts processing the request, i need to be able to do something with the ASO.

Currently I am planning to subclass org.springframework.security.ui.webapp.AuthenticationProcessingFilter and overwrite onSuccessfulAuthentication method to create ASO. In order to do that I need reference to ApplicationStateManager. However, i can't figure out a way of how to get it except for a very ugly one:

1. I create a TapestryExposer eager service, which on construction, remembers ApplicationStateManager passed to the constructor and set itself into a Spring-defined bean called 'TapestryExposerHolder'
2. in my custom spring-security filter's (non-tapestry filter) onSuccessfulAuthentication method I lookup TapestryExposerHolder, and from it get TapestryExposer, and from that I get ApplicationStateManager.

ugr.

If anyone can come up with a cleaner way of doing something with ASO after successful authentication by spring security, it is really appreciated.

R.
RE: tapestry-spring-security: how to set ASO on successful login?
It is possible to "update" your old code to bypass traditional Acegi processing and use the authentication manager directly. One relevant thread is here:

http://thread.gmane.org/gmane.comp.java.tapestry.user/59931/ (look for the post at 15:33 on Mar 28)

with a critical missing bit here:

http://article.gmane.org/gmane.comp.java.tapestry.user/60045

You could work with the ASO in the relevant onSuccess method.

I should also point you to:

http://www.nabble.com/Accessing-ApplicationStateManager-from-within-a-Filter-td20274449.html#a20324607

Part of this thread flips things around and puts all the ASO creation work into a contribution to the Application State Manager.

Jonathan

> -----Original Message-----
> From: rs1050 [mailto:[EMAIL PROTECTED]]
> Sent: Friday, December 05, 2008 20:59
> To: users@tapestry.apache.org
> Subject: tapestry-spring-security: how to set ASO on successful login?
>
> Hi,
>
> I would like to create and set ASO on successful login. Without using
> tapestry-spring-security my Login page looked like this:
>
> public class Login {
>
>     Object onSuccess() {
>         boolean authResult = authenticate();
>         if (authResult) {
>             // create and set ASO 'myState'
>         }
>         return null; // null: Tapestry re-renders the current page
>     }
>
>     @ApplicationState(create=false)
>     private MyState myState;
> }
>
> after integrating with tapestry-spring-security, spring security intercepts
> submits from the login form, and my Index java page in never called. I was
> thinking about providing my own AuthenticationProcessingFilter and there
> setting new instance of ASO in http session manually, but it is very ugly
> because I will have to invoke this method from
> SessionApplicationStatePersistenceStrategy (which is private, so I will need
> to use reflection tricks to overcome, and you get the picture - it becomes
> really ugly):
>
>     private String buildKey(Class asoClass)
>     {
>         return PREFIX + asoClass.getName();
>     }
>
> Any help is appreciated.
> R.
Re: tapestry-spring-security: how to set ASO on successful login?
sorry, instead of "and my Index java page in never called" i meant "and my Login java page is never called".
tapestry-spring-security: how to set ASO on successful login?
Hi,

I would like to create and set ASO on successful login. Without using tapestry-spring-security my Login page looked like this:

    public class Login {

        Object onSuccess() {
            boolean authResult = authenticate();
            if (authResult) {
                // create and set ASO 'myState'
            }
            return null; // null: Tapestry re-renders the current page
        }

        @ApplicationState(create=false)
        private MyState myState;
    }

after integrating with tapestry-spring-security, spring security intercepts submits from the login form, and my Index java page in never called. I was thinking about providing my own AuthenticationProcessingFilter and there setting new instance of ASO in http session manually, but it is very ugly because I will have to invoke this method from SessionApplicationStatePersistenceStrategy (which is private, so I will need to use reflection tricks to overcome, and you get the picture - it becomes really ugly):

    private String buildKey(Class asoClass)
    {
        return PREFIX + asoClass.getName();
    }

Any help is appreciated.
R.