Just found an interesting article over on the Register:
http://www.theregister.co.uk/2005/11/10/password_hashes/page2.html
It's about a new online service that has built huge "rainbow" tables
containing hashes and the associated passwords that generate those hashes for
the most popular hashing al
OK, so my example might look like this for you (again, I'm going to use
concrete code here). First, define the class that will "wrap" the call to
your actual target method:
public class CustomerReportQuartzAuthenticator
{
private CustomerReport customerReport;
private SecurityFacade se
On Friday 16 September 2005 01:26 pm, Achmad Arif Rachim wrote:
> Hi Andy,
>
> I'm using your suggestion to use SecurityFacade. I found a very interesting
> result: yes, it's working, but not 100% well. Every successful invocations
> there's period where AuthenticationCredentialsNotFoundException thrown
On Friday 16 September 2005 12:07 pm, Andy Depue wrote:
> ... As soon as it shows up in gmane, I'll post a link to the thread
> (as a response to this message).
Here is the head of the ActiveMQ thread:
http://thread.gmane.org/gmane.comp.java.activem
On Friday 16 September 2005 11:07 am, Andy Depue wrote:
> I need to integrate ActiveMQ's JMS security with Acegi. Before I do this,
> I just want to make sure I'm not solving a problem that has already been
> solved. Has anyone else integrated ActiveMQ's security wit
On Friday 16 September 2005 04:17 am, Achmad Arif Rachim wrote:
> I was thinking like that before. But how do I intercept Quartz? This is
> because I'm using MethodSecurityInterceptor, every time targetMethod invoked
> by localhost it throws AuthenticationException.
>
> I'm using MethodDefinitionAttr
I need to integrate ActiveMQ's JMS security with Acegi. Before I do this, I
just want to make sure I'm not solving a problem that has already been
solved. Has anyone else integrated ActiveMQ's security with Acegi? It
should be fairly straightforward as ActiveMQ provides a single simple adapte
zation of the syntaxes.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Andy Depue
> Sent: Friday, August 05, 2005 6:12 PM
> To: acegisecurity-developer@lists.sourceforge.net
> Subject: Re: [Acegisecurity-developer] miss
We did something very similar, only chose a more verbose route. We created a
"SuperiorVoter" that can inspect a parameter, determine the owner of that
parameter (object), and then only allow the owner or the owner's superior
through. We chose this syntax: OWNER_OR_SUPERIOR_OF(PARAM_IDX=#) - He
On Thursday 28 July 2005 09:39 am, Scott McCrory wrote:
> On Thu, 28 Jul 2005 09:33:41 -0700, March, Andres wrote
>
> > -1 for any debate that has the words tab and space in the same sentence.
>
> Ahh yes, I still tell stories about the Great Tab/Space War of '86. We
> lost a lot of characters in
(subsystemUserName, subsystemCredentials);
try {
// Background process code goes here
...
} finally {
securityFacade.unauthenticateUser();
}
-
- Andy
On Monday 20 June 2005 09:26 am, Marco Mistroni wrote:
> Hello,
> few time ago Mr Andy Depue reply to my message on how to use
I have a very similar situation in my own application where our workflow
engine can invoke (Acegi protected) service methods from a background task.
This also arises when you are using JMS - your message receiver will execute
without any user context, and yet often you need to call into service
this situation. In
the meantime, this patch should allow anyone on the bleeding edge of Spring
to continue using Acegi...
- Andy
On Friday 08 April 2005 04:22 pm, Andy Depue wrote:
> Just so you know, Acegi is not working with the latest cvs version of
> Spring. I'm not sure yet h
Just so you know, Acegi is not working with the latest cvs version of Spring.
I'm not sure yet how many problems there are, but I'm currently running into
the fact that Acegi expects org.springframework.util.PathMatcher to contain a
static "boolean match(String, String)" but PathMatcher is now
In our model, the lazy approach wouldn't have bought us too much since we have
rich clients, meaning that all service invocations happen remotely. One of
our goals was to prevent sensitive information from even being transmitted to
the client. This means that we would have had to apply the laz
We utilized a Hibernate interceptor in our solution, though that is only a
part of the solution (the interceptor didn't give us everything we needed).
- Andy
On Wednesday 09 February 2005 09:40 pm, Ben Alex wrote:
> Gavin Terrill wrote:
> >We recently adopted Acegi Security for one of our ente
on/Cache/DB but before the object is part of a
> transaction?
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf
>
> Of
>
> > Andy Depue
> > Sent: Wednesday, February 09, 2005 3:23 PM
> > To:
We developed our current ACL type system before Acegi had its ACL system, and
planned for this behavior from the beginning (we work with Hibernate as
well). Our system has these abilities:
1. Property level ACLs. If the user does not have read access for a property,
then somehow blank it out s
The new model object filtering is a fascinating area in my mind. One thing
we've implemented (before Acegi had its own filtering) is the ability to
filter down to the property level on an object. In other words, you can
secure a specific property and if someone doesn't have clearance then the
Your implementation sounds very similar. We too created an aspect around the
service facade and use thread locals to store the current principal. We also
wanted to keep track of who was calling who (for example, in some situations
it is important for us to know when the client is calling a ser
We implemented a similar sounding audit log several months back (though we no
longer use Hessian) - I'd be interested in seeing what you have. In our case
we needed to audit all service methods invoked (and their parameters) and all
data operations performed (that is, all Hibernate operations).
I'm looking at the spring rich client security package
(org.springframework.richclient.security). I would like to customize the
login form to include an additional field, but it looks like the form fields are
hardcoded. I guess at the moment I have to create my own LoginForm and
LoginCommand. Not
I've implemented security in my web application using Acegi security. I'm in
the process now of implementing a very simple password policy (basically, the
administrator has the ability to set a flag on the user to force them to
change their password the next time they log in). In the grand sch
Has any thought been given to adding instance based security support to Acegi?
This seems to be a common requirement. Basically, what I mean by this is
that you can apply security constraints (hopefully in a declarative fashion)
to an object class with rules that are capable of discriminating
I'm doing something similar in my AuthenticationDao implementation. Since all
the roles are stored in the DB without the "ROLE_" prefix (and usually in
lower case), I simply convert them in my Dao before returning to Acegi:
---
public User loadUserByUsername(final String username) throws
User
Yeah, I've gotten around the issue for now by using redirect - but will need
to look at it again soon. I'll see if CVS HEAD provides more functionality.
Basically, our app provides different "user spaces". When a user logs in,
they must provide both a user space and a username (usernames need
OK, I did some searching around (gmane, cvs) and discovered that this bug had
been discovered and fixed after 0.51 (the release I'm using). Sorry for all
the noise. :-)
- Andy
On Thursday 08 July 2004 02:36 pm, Andy Depue wrote:
> It appears that when DaoAuthenticationProvider c
I solved my problem by not using encoded passwords - now everything is working
as expected... this will work during development, but won't be an option when
we deploy. It appears that my version of Acegi has a bug concerning encoded
passwords (see my previous post for details).
--
It appears that when DaoAuthenticationProvider creates a
UsernamePasswordAuthenticationToken, it passes in the password from the User
object returned from the DAO. This password is coming straight from the DB
in my case, and is already SHA encoded. So, we now have an authentication
token that
One of the things that could help me diagnose this problem is if
SecurityEnforcementFilter would log a stack trace of AuthenticationException
when it catches it (see Acegi v 0.51 SecurityEnforcementFilter.java line
170). Right now, the source exception is completely discarded - making it
diffi
I'm a newbie to acegi-security and am running into a problem (probably
something stupid on my end). Anyway, I have a page that is protected. The
definition in my FilterSecurityInterceptor goes something like this:
/rcp/launchhr.jsp=ROLE_HUMANRESOURCES
Ok, so I attempt to access the page and a
Hello,
Before I go and figure this out myself, I thought I'd poll the collective
wisdom of this maillist. :-) Anyway, I would like to perform some processing
on the values the user enters on the login form before passing the info off
to AuthenticationProcessingFilter. I thought to myself, "n
Wow, thanks for the timely response and modification! I won't get a chance to
try this out immediately, though I should be able to get to it in the next
few days. I'll report back and let you know how it works.
Thanks,
Andy
On Tuesday 29 June 2004 04:31 pm, Ben Alex wrote:
> Hi Andy
>
> I
I'm using Spring + Acegi and I would like to use a custom SecureContext in my
web app (basically, it would extend SecureContextImpl and provide additional
context for my app). Unfortunately, it appears that
AbstractIntegrationFilter has a hardcoded instantiation of SecureContextImpl: