[Acegisecurity-developer] infinite cycle caused by "secured" login page

2004-06-04 Thread Karel Miarka
Hello, I'm developing an application based on Spring and Tapestry and I have started to play with ASS4S. I wanted to make all my pages secure (user login is required to access any page). So I have added this pattern into FilterSecurityInterceptor configuration: \A/app.*\Z=ROLE_USER But the prob

[Acegisecurity-developer] DaoAuthenticationProvider doesn't work with passwordEncoder in 0.51

2004-06-07 Thread Karel Miarka
Hello, I'm very new to Acegi Security, but I think there are some problems with the new release: 1) when passwordEncoder is used with DaoAuthenticationProvider it is impossible to login. In the first call into the PasswordEncoder it is OK, but on the subsequent calls there are passed the encoded

[Acegisecurity-developer] how can GUI ask if an operation will be permitted or not?

2004-06-07 Thread Karel Miarka
Hi, Is there an easy way how can the GUI ask a secured bean if an operation will be permitted or not? Because according to the result it will allow logged user to for example modify some items or show them read only. Do I have to implement the same access logic (as in voters) again in my GUI lookin

Re: [Acegisecurity-developer] infinite cycle caused by "secured" login page

2004-06-08 Thread Karel Miarka
not accessed via /app, > which you can do with some interceptor setup, or alternately > programmatically by deriving protected pages from a common base class > and have the pages check themselves for a logged in status... > > Hope this helps, > Colin > > Karel Miarka wrote: >

[Acegisecurity-developer] why auth user is required before access decision voters are called in HTTP request security?

2004-06-08 Thread Karel Miarka
Hi, 2 days ago I have pointed out a problem with accessing a Login page which is located in the same directory as the other pages which should all be protected. And a question has arisen today: Why I cannot create my own voters based on just the ConfigAttributeDefinition or for example IP

Re: [Acegisecurity-developer] how can GUI ask if an operation will be permitted or not?

2004-06-08 Thread Karel Miarka
Ben, Thank you very much for the explanation. Just another possible solution occurred to me: 1) to define "ask" functions like this in secured beans: public boolean canModify(MyBean obj) { return true; } public boolean canInsert() { return true; } 2) apply to those functions the required role

Re: [Acegisecurity-developer] DaoAuthenticationProvider doesn't work with passwordEncoder in 0.51

2004-06-08 Thread Karel Miarka
Ben, try this: In your Contacts example application I have done those changes in applicationContext.xml: 1) changed the password of marrisa to be MD5 encrypted 2) added passwordEncoder bean 3) used this passwordEncoder in daoAuthenticationProvider The whole part of changed config:

Re: [Acegisecurity-developer] DaoAuthenticationProvider doesn't work with passwordEncoder in 0.51

2004-06-08 Thread Karel Miarka
Ben, Thanks for the fast fix! Hmmm, I'm a bit disappointed, because I wanted to propose you the same fix. I have made it, rebuilt my acegi-security.jar, placed it into container, tried to run it and it doesn't help :(( I'm still a Java rookie. :-/ (just a note to our GUI thread: my GUI is Tapes

Re: [Acegisecurity-developer] DaoAuthenticationProvider doesn't work with passwordEncoder in 0.51

2004-06-08 Thread Karel Miarka
Yes, that's it! I have patched the acegi-security.jar in my Tomcat/shared/lib, but didn't realize there is an old version in Tomcat/webapps/contacts/WEB-INF/lib. Thanks for your help. I'll sleep better tonight ;-) Karel - Original Message - From: "Ben Alex" <[EMAIL PROTECTED]> To: <[EMA

Re: [Acegisecurity-developer] why auth user is required before access decision voters are called in HTTP request security?

2004-06-08 Thread Karel Miarka
Ben, Thanks for your advice. I have successfully protected all my Tapestry pages except Login page using the channel security using just one prefix for Tapestry servlet (/app) and avoiding the need to protect the secured pages by PageValidateListener. It seems to be a good option for Tapestry users

RE: [Acegisecurity-developer] Custom attributes on User Object

2004-06-17 Thread Karel Miarka
Hello, I also vote for adding the possibility to have an access to a full-app-specific-User object from an Authentication. I see it very useful in my custom security voters: 1) some decisions must be based on another user properties than the username and it may be complicated to get the full User

Re: [Acegisecurity-developer] Custom attributes on User Object

2004-06-17 Thread Karel Miarka
Ben, > Yes, I agree it's worthwhile to have the User object available from an > Authentication. I think we got to the point of agreeing it would be > returned from Authentication.getCredentials() and I asked if this would > cause concerns for anybody. I didn't receive any feedback, so I will g

Re: [Acegisecurity-developer] Custom attributes on User Object

2004-06-24 Thread Karel Miarka
n Alex" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, June 21, 2004 8:24 AM Subject: Re: [Acegisecurity-developer] Custom attributes on User Object > Karel Miarka wrote: > > >>Yes, I agree it's worthwhile to have the User object available from an &

Re: [Acegisecurity-developer] Re: Re: User private members

2004-06-25 Thread Karel Miarka
Ben, It works very fine for me. After changing the signature of loadUserByUsername() as explained in the upgrade-05-06.txt file, all tests of my application passed. Thanks, Karel > Please, would people in a position to please check their code against > CVS HEAD. This is the second major area of

Re: [Acegisecurity-developer] Is the "ROLE_" prefix required for all roles?

2004-07-13 Thread Karel Miarka
Hi, When you want to use the net.sf.acegisecurity.vote.RoleVoter you must use this prefix (unless you create a subclass of RoleVoter working with some different prefix, but it doesn't make sense to do this). You can have any other config attribute names for your custom voters. I imagine that you a

Re: [Acegisecurity-developer] Tapestry <-> Acegi integration

2004-07-13 Thread Karel Miarka
Hi, It seems there is no effort in this area, so I'm wondering about creating and publishing a simplified version of my application (Hibernate, Spring + Acegi security, Tapestry) to demonstrate this. I don't have and don't need any special Tapestry Acegi integration classes. Except a few classes w

[Acegisecurity-developer] HISPACTA (Hibernate + Spring + Acegi security + Tapestry) example application

2004-07-19 Thread Karel Miarka
Hi, For those searching for some example applications I have published a first version of HISPACTA at http://sourceforge.net/projects/hispacta . An example java web application using layered architecture and Hibernate (persistence), Spring (integration, AOP) + Acegi security, Tapestry (GUI) and J

[Acegisecurity-developer] Re: tapestry + acegi

2004-07-22 Thread Karel Miarka
Hi Wouter, I'm using Channel Processing Filter to protect the pages which require user authentication (instead of commonly used HTTP Request Security Filter), because of the different approach used by Tapestry to access its pages. This Channel Processing Filter is commonly used for restric

[Acegisecurity-developer] Re: tapestry + acegi

2004-07-22 Thread Karel Miarka
h the LanguageSwitch, how to write a safe pattern enabling it?   Karel     - Original Message - From: Wouter de Vaal To: 'Karel Miarka' Sent: Thursday, July 22, 2004 3:01 PM Subject: RE: tapestry + acegi Thanx for your reply.   Ok I see now (I've

[Acegisecurity-developer] Re: tapestry + acegi

2004-07-22 Thread Karel Miarka
Regards, Karel - Original Message - From: Wouter de Vaal To: 'Karel Miarka' Sent: Thursday, July 22, 2004 4:26 PM Subject: RE: tapestry + acegi Hi Karel, Actually I've found another way using your idea in combination with a "normal"

Re: [Acegisecurity-developer] Getting Authentication object...

2004-07-28 Thread Karel Miarka
Hi, You can obtain the Authentication in any method of any class, because it is bound to the current thread: ((SecureContext)ContextHolder.getContext()).getAuthentication(); HTH, Karel - Original Message - From: "Indra Gunawan" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesda

[Acegisecurity-developer] missing BadCredentials AuthenticationEvents

2004-08-09 Thread Karel Miarka
Hi Ben, I have started to use dao.event.LoggerListener and I'm wondering why no event is published when invalid username was provided eg. UsernameNotFoundException / BadCredentialsException arise. I think this case should be logged by the same mechanism as the other events (auth success, password

[Acegisecurity-developer] Bug in net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache

2004-08-09 Thread Karel Miarka
Hi Ben, with the new release some of my integration tests stopped working with NullPointerException in EhCacheBasedUserCache - the cache variable was null. (Surprisingly it was working when deployed under Tomcat.) I have studied the code and then tried to add this line into afterProperties

Re: [Acegisecurity-developer] hibernate compatibility ( blah blah blah )

2004-08-09 Thread Karel Miarka
Hi, > So it would be really cool if the User ( which implements UserDetails ) > also had an id ( Integer ) properties. You can return any object implementing UserDetails interface from your loadUserByUsername() implementation of AuthenticationDao interface, so at any place you can cast this user

Re: [Acegisecurity-developer] Bug in net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache

2004-08-09 Thread Karel Miarka
>- Original Message - >From: "Ben Alex" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]> >Sent: Tuesday, August 10, 2004 2:16 AM >Subject: Re: [Acegisecurity-developer] Bug in net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache > > Kar

[Acegisecurity-developer] Re: SecurityEnforcementFilter always executing, even if for login page

2004-09-02 Thread Karel Miarka
Ben, This sounds good to me. Thanks, Karel - Original Message - From: "Ben Alex" <[EMAIL PROTECTED]> To: "Karel Miarka" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Friday, September 03, 2004 7:54 AM Subject: SecurityEnforcementFilter al