[Acegisecurity-developer] [ANN] Spring Security 2.0.0 Released
Dear Spring Community

After almost two years of development, Spring Security 2.0.0 is now available for download. This significant new release replaces Acegi Security as the official security module for Spring applications.

Spring Security 2.0.0 features substantially simplified configuration. Whilst old configurations required hundreds of lines of XML, our new convention over configuration approach ensures that many deployments will now require less than 10 lines.

We've also added many other new capabilities to Spring Security 2.0.0:

* OpenID integration, which is the web's emerging single sign on standard (supported by Google, IBM, Sun, Yahoo and others)
* Windows NTLM support, providing easy enterprise-wide single sign on against Windows corporate networks
* Support for JSR 250 (EJB 3) security annotations, delivering a standards-based model for authorization metadata
* AspectJ pointcut expression language support, allowing developers to apply cross-cutting security logic across their Spring managed objects
* Substantial improvements to the high-performance domain object instance security (ACL) capabilities
* Comprehensive support for RESTful web request authorization, which works well with Spring 2.5's @MVC model for building RESTful systems
* Long-requested support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration
* An improved, database-backed remember me implementation
* Support for portlet authentication out-of-the-box
* Support for additional languages
* Numerous other general improvements, documentation and new samples
* New support for web state and flow transition authorization through the Spring Web Flow 2.0 release
* New support for visualizing secured methods, plus configuration auto-completion support in Spring IDE
* Enhanced WSS (formerly WS-Security) support through the Spring Web Services 1.5 release

Please visit http://www.springframework.org/download to download the latest release and access the change log.

We hope you find this new release useful in your projects.

Best regards
Ben Alex
Project Lead, Spring Security

___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
[Acegisecurity-developer] SEC-533: Subversion repository restructure
Hi everyone

Today Luke Taylor and I restructured the SVN repository on SourceForge. The restructure had several goals:

* To be usable for the 1.0.5 as well as future 2.x releases
* To rename acegisecurity to spring-security where feasible
* To relocate trunk and tags under spring-security (previously in root)
* To retain all version history
* To remove old branches no longer being used
* To prepare for eventual SVN repository consolidation with other Spring Portfolio projects

The repository restructure was successful and is reflected in SVN revision 1945. You will need to update your working copies or use the SVN switch command. The following command will perform a fresh checkout (recommended) from the new trunk location:

svn co https://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk spring-security

Best regards
Ben
[Acegisecurity-developer] OT: Invitation to participate in research project
Hello there

I would greatly appreciate a small amount of your time to assist with my doctoral research at The University of Newcastle. The research concerns open source licensing and we're seeking developers working on Java projects. The research is supervised, ethics-approved, anonymous and results will be freely available. Participation will also provide a custom licensing report for your project.

To learn more, please visit: http://licensing-research.newcastle.edu.au

Thanks for reading this email, and I hope you'll consider participating.

Best regards
Ben Alex

(My apologies for being off-topic; this list will not be emailed again)
Re: [Acegisecurity-developer] Problems with 1.0.4 examples
Karl Moore wrote:
Some users have been reporting problems with the examples that are bundled with 1.0.4. It appears that acegi-security-sample-tutorial.war is missing all the files apart from the jars.

Hi Karl

I've added this to JIRA to investigate for the next release: http://opensource.atlassian.com/projects/spring/browse/SEC-488

Cheers
Ben
Re: [Acegisecurity-developer] Our build is a mess...
Hi all

Carlos and Luke, what's the latest status of the Maven 2 build? Does the reference documentation build successfully with Maven 2 as-is? I see acegisecurity.org hasn't built and uploaded since 18 December 2006. Luke, is that running the Maven 2 build?

We're shooting at releasing 1.0.4 in the next couple of weeks. Vishal Puri is busily working away on it. In terms of introductions, Vishal works for Interface21 (the company behind Spring) as a Senior Consultant and is based here in Sydney with me. So you'll see more of Vishal on this list, in JIRA and SVN.

We're aiming at releasing 1.1.0 final in June. For 1.0.4 we will stick with the Maven 1.0.x build. For 1.1.0 we will refactor the Contacts XML and build (as this is desirable anyway due to the new namespaces support which will be present in 1.1.0) and switch entirely to Maven 2. I'd be happy to switch to Maven 2 immediately (ie for 1.0.4) if it is ready, thus the question above for Luke and Carlos.

Cheers
Ben
Re: [Acegisecurity-developer] Jalopy?
Luke Taylor wrote:
Hey, I spent ages bringing the errors down a while back :). There are only 34 at the moment in core and 12 are due to spaces around brackets. If we can get someone to nail the file down to what we want the code to look like (e.g. our benevolent dictator, Ben?), then we can run from there. At the moment it's just an approximation based on my best guesses.

The consensus seems to be to change, so I agree entirely. Luke or Ray, can you take care of this? If we use the present Jalopy rules as a guide, that should maintain reasonable compatibility with past source code formatting.

Cheers
Ben
Re: [Acegisecurity-developer] bug in AclAuthorizationStrategyImpl
Hi Bear

Please log all bugs in our JIRA instance, so they're appropriately tracked and reviewed. All bug reports should ideally contain a unit test which provides an ongoing test that the bug has been fixed and not reintroduced. Patches with bug reports are particularly welcome and will be applied expeditiously.

You can log JIRA issues here: http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040

You can read the project policies, which contain details of how the project works, here: http://www.acegisecurity.org/policies.html

Thanks for your interest in the project and assistance with identifying problems with the ACL features.

Cheers
Ben

Giles, Bear wrote:
(I'm still not sure how to file bug reports, and this is the fourth serious bug I've found!)

AclAuthorizationStrategyImpl#securityCheck() has the following code:

    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // Check if authorized by virtue of ACL ownership
    Sid currentUser = new PrincipalSid(authentication);

The problem is that it's not checking whether the authentication already contains a PrincipalSid. If so, the expected tests for equality fail since it's comparing the original principal "Alice" to the new principal "PrincipalSid[Alice]".
[Acegisecurity-developer] Invitation to participate in research project
Dear Spring Community

You are invited to participate in a research project that I am conducting into open source component licensing. The research is part of my Doctorate of Business Administration degree at the University of Newcastle, Australia and is being supervised by Dr Len Whitehouse. It is hoped that the research will offer useful information about how component licensing is approached in practice, and the results will be made freely available to any person who is interested.

We are looking for software developers who are working on either commercial or open source projects. Participation in the research is entirely voluntary, and privacy has been carefully addressed to ensure that participants cannot be identified. The research has received an ethics clearance from the university. Participation will normally take less than 30 minutes. If you participate, you may optionally view a licensing compliance assessment report for your project. This may be of general interest or assist in planning licensing compliance strategies.

If you are interested in learning more about the research, please visit http://research.acegitech.com. At that location you will find the full Research Information Sheet that explains the research and provides you with details on how to participate or ask further questions.

Thank you for taking the time to read this email, and I hope that you will consider participating.

Kind regards
Ben Alex
Re: [Acegisecurity-developer] How to invalidate Authentication when a user's account is disabled or deleted?
CJ wrote:
Scenario is: an Administrator disables or deletes a user account, while the user is logged in. The user's Authentication should be revoked from that moment on. What is the recommended approach for this in Acegi?

I'd suggest forcing reauthentication for each secure object request by setting AbstractSecurityInterceptor.alwaysReauthenticate = true. That will cause your AuthenticationManager to be requeried for each authorization request. The actual configuration will then vary on a per-provider basis, but assuming you're using DaoAuthenticationProvider it simply becomes a matter of evicting the cached UserDetails object from AbstractUserDetailsAuthenticationProvider.userCache. That will cause the next secure object request to go through to your database, and the invalidated/deleted account will thus be detected.

Cheers
Ben
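The arrangement Ben outlines, as an added example written for this page rather than code from Acegi or from the thread. It assumes an application DAO (`UserAccountDao`, hypothetical) that flips the account's enabled flag, and that the `UserCache` injected here is the same bean wired into `AbstractUserDetailsAuthenticationProvider.userCache`. The `alwaysReauthenticate` switch is shown as a Java setter call only so the whole example stays in one language; in a real context it is a `<property>` on the interceptor bean.

```java
import org.acegisecurity.intercept.AbstractSecurityInterceptor;
import org.acegisecurity.providers.dao.UserCache;

/**
 * Disables or deletes an account so that a user who is currently logged in is
 * rejected on their very next secured request.
 *
 * Assumptions (constructed for this example): UserAccountDao is the application's
 * own DAO; the UserCache is the same instance DaoAuthenticationProvider consults.
 */
public class AccountAdminService {
    private final UserAccountDao accountDao;
    private final UserCache userCache;

    public AccountAdminService(UserAccountDao accountDao, UserCache userCache) {
        this.accountDao = accountDao;
        this.userCache = userCache;
    }

    public void disableAccount(String username) {
        // Persist first. If the eviction ran first and this update failed, the
        // user's next request would simply re-populate the cache with the
        // still-enabled record and nothing would have been revoked.
        accountDao.setEnabled(username, false);

        // With alwaysReauthenticate=true every secure object invocation is pushed
        // back through the AuthenticationManager; evicting the cached UserDetails
        // forces that lookup to hit the database, where the disabled flag is seen
        // and the provider's enabled check rejects the request.
        userCache.removeUserFromCache(username);
    }

    public void deleteAccount(String username) {
        accountDao.delete(username);
        userCache.removeUserFromCache(username);
    }

    /**
     * The interceptor half of the arrangement. Applies to FilterSecurityInterceptor
     * and MethodSecurityInterceptor alike, since both extend
     * AbstractSecurityInterceptor. Normally set in XML as
     *   <property name="alwaysReauthenticate" value="true"/>
     */
    public static void enableReauthentication(AbstractSecurityInterceptor interceptor) {
        interceptor.setAlwaysReauthenticate(true);
    }
}

/** Hypothetical DAO interface, constructed for this example. */
interface UserAccountDao {
    void setEnabled(String username, boolean enabled);
    void delete(String username);
}
```

Three things to check before relying on this. First, if no `userCache` has been configured on the provider it defaults to a null cache, so there is nothing to evict and every reauthentication already goes to the database; the cost of that per-request lookup is the price of `alwaysReauthenticate`. Second, on a multi-node deployment each node holds its own cache, so the eviction must be broadcast or the cache replicated, otherwise the other nodes keep honouring the stale entry. Third, the revocation only bites when the user next touches a secured URL or method; the HTTP session itself is untouched, so invalidate it separately if that matters to you.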
Re: [Acegisecurity-developer] persisting Permission
Andrei Sereda wrote:
Hello Team, One quick question: is it possible to persist different permissions in current acegi implementation (acls package)? It seems to me that only BasePermission is supported out of the box (see BasicLookupStrategy convertCurrentResultIntoObject() method). What if I have my own PermissionA and PermissionB (they can be granted to the same domain object)? Is new column (permission_class) in acl_entry table needed to have this functionality? Am I missing something?

Hi Andrei

Interesting questions, and I'm delighted you're trying out the new ACL package and provide much-needed feedback.

I agree it's necessary to provide some more sophisticated way of allowing custom Permission instances to be returned and included in the generated AclImpl. As such, perhaps we could change BasicLookupStrategy so it uses a new interface:

    public interface PermissionConverter {
        public Permission buildPermissionFromMask(int mask);
    }

This would be used instead of the following line:

    Permission permission = BasePermission.buildFromMask(rs.getInt(MASK));

As such, it should provide you a way to return any type of Permission instance you wish.

Regarding your other question on mask checking, this one is by design. I used some of the ideas from the Windows ACL subsystem, and it operates this way. One benefit of the existing approach is we can have as many permission _combinations_ as we like, whereas considering bits individually limits us to 32 distinct permissions for an application only. Using combinations also simplifies permission blocking logic. To resolve your requirement, you have two basic options:

1. Add individual permission entries to a single domain object. This would increase database rows, naturally.
2. Add cumulative permission masks to your AclEntryVoter etc configurations. This would increase XML, but we could mitigate that to a large extent with proper namespace support.

I am not entirely opposed to AclImpl using a new strategy interface that provides the isGranted(Permission[] permission, Sid[] sids, boolean administrativeMode) response. However, doing so would mean any administrative tools or other extensions that people might build for the ACL package would become bound to whatever approach that strategy used. I'm therefore leaning slightly towards not providing the flexibility of custom ACL, as I don't believe the second option above is too onerous.

Your comments on this are welcome, of course.

Cheers
Ben
Re: [Acegisecurity-developer] newbie question
hrvoje pejcinovic wrote:
Say I have a simple web app with one login screen and two web pages a,b which are protected. App also has two different types of users userA and userB. How do I configure the acegi so that upon successful authentication and authorisation userA gets re-directed to pageA, and userB gets re-directed to pageB. UserA should only have access to pageA and userB should only have access to pageB.

Use AbstractProcessingFilter.alwaysUseDefaultTargetUrl = true and set the corresponding defaultTargetUrl property to redirect to an MVC controller that you provide which can automatically handle the appropriate user redirect based on SecurityContextHolder.getContext().getAuthentication().getPrincipal().

Cheers
Ben
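A landing controller of the sort Ben describes, as an added example written for this page (not code from Acegi or from the thread). The role names `ROLE_USER_A` and `ROLE_USER_B`, the page paths and the `/landing.htm` mapping are assumptions; it keys off the granted authorities rather than the principal object so it works with any UserDetails implementation.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.Controller;
import org.springframework.web.servlet.view.RedirectView;

/**
 * Target of the login filter's defaultTargetUrl (with alwaysUseDefaultTargetUrl=true,
 * so a saved request can never override it). It only decides where a freshly
 * authenticated user lands; it is NOT what keeps userB out of pageA. That is done
 * by the objectDefinitionSource, for example (names assumed for this example; write
 * the patterns in lower case if CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is on):
 *
 *   /landing.htm=ROLE_USER_A,ROLE_USER_B
 *   /pageA.htm=ROLE_USER_A
 *   /pageB.htm=ROLE_USER_B
 */
public class RoleBasedLandingController implements Controller {
    private static final String ROLE_A = "ROLE_USER_A";
    private static final String ROLE_B = "ROLE_USER_B";

    public ModelAndView handleRequest(HttpServletRequest request, HttpServletResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String target = "/accessDenied.htm";   // authenticated but in neither role
        if (auth == null) {
            target = "/login.jsp";             // cannot happen if /landing.htm is itself secured
        } else if (hasAuthority(auth, ROLE_A)) {
            target = "/pageA.htm";
        } else if (hasAuthority(auth, ROLE_B)) {
            target = "/pageB.htm";
        }
        // contextRelative=true, and the target is chosen by this code rather than read
        // from a request parameter, so the redirect cannot be pointed off-site.
        return new ModelAndView(new RedirectView(target, true));
    }

    private static boolean hasAuthority(Authentication auth, String role) {
        GrantedAuthority[] authorities = auth.getAuthorities();
        for (int i = 0; authorities != null && i < authorities.length; i++) {
            if (role.equals(authorities[i].getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

The ordering of the `if` chain is the policy for a user who somehow holds both roles; pick it deliberately. A user who types /pageB.htm directly never passes through this controller at all, which is why the objectDefinitionSource entries, not the redirect, are the access control.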
Re: [Acegisecurity-developer] Multiple applications and different roles
Stephane Bailliez wrote:
Hi all, I'm trying to see whether there is an easy way to implement roles (authorities) for several applications. Each application having its own set of authorities (ie: john being registered as ROLE_SUPERVISOR only for application A, does not apply to application B and C for example). Seems there is no support for this out of the box and the model is rather flat. A potential workaround I was thinking to avoid too much initial code would be to have a convention such as: ROLE_A_SUPERVISOR, ROLE_B_SUPERVISOR respectively for application A and B which will be an acceptable workaround for half a dozen applications in the short term even though not extremely elegant. Has anyone solved this type of issue differently, or any opinion on the above?

Another option is to modify your UserDetailsService to return a custom GrantedAuthority that reflects the assigned role in one property and the application in another. Then provide a custom AccessDecisionVoter that works with your custom GrantedAuthority and is aware of which application the present operation applies to (perhaps derived from a configuration property or a ThreadLocal or even contextual metadata like a method argument).

Cheers
Ben
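The custom GrantedAuthority plus application-aware voter that Ben sketches, as an added example written for this page (two classes shown in one listing; not code from Acegi or from the thread). It assumes the application name is supplied as a configuration property on the voter, one deployment being one application; a ThreadLocal or a method argument could supply it instead, as Ben notes. The `user_app_roles` table mentioned in the comment is an assumption too.

```java
import java.util.Iterator;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.vote.AccessDecisionVoter;

/**
 * A GrantedAuthority that records which application a role was granted for.
 * A custom UserDetailsService (not shown) would build these from a table such as
 * user_app_roles(username, application, role).
 */
public class ApplicationScopedAuthority implements GrantedAuthority {
    private final String application;   // e.g. "A"
    private final String role;          // e.g. "ROLE_SUPERVISOR"

    public ApplicationScopedAuthority(String application, String role) {
        this.application = application;
        this.role = role;
    }

    public String getApplication() { return application; }
    public String getRole() { return role; }

    /**
     * Deliberately qualified. If this returned the bare role, a stock RoleVoter left
     * in the AccessDecisionManager would see "ROLE_SUPERVISOR" and grant it for every
     * application, silently undoing the scoping the voter below enforces.
     */
    public String getAuthority() { return role + "@" + application; }

    public boolean equals(Object o) {
        return o instanceof ApplicationScopedAuthority
            && getAuthority().equals(((ApplicationScopedAuthority) o).getAuthority());
    }
    public int hashCode() { return getAuthority().hashCode(); }
    public String toString() { return getAuthority(); }
}

/**
 * Votes on ROLE_* config attributes like RoleVoter does, but counts only authorities
 * granted for the application this voter instance is configured with.
 */
class ApplicationAwareRoleVoter implements AccessDecisionVoter {
    private String application;
    private String rolePrefix = "ROLE_";

    public void setApplication(String application) { this.application = application; }
    public void setRolePrefix(String rolePrefix) { this.rolePrefix = rolePrefix; }

    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && attribute.getAttribute().startsWith(rolePrefix);
    }

    public boolean supports(Class clazz) { return true; }

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        int result = ACCESS_ABSTAIN;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            ConfigAttribute attribute = (ConfigAttribute) it.next();
            if (!supports(attribute)) {
                continue;
            }
            result = ACCESS_DENIED;   // a role is required: from here on it is grant or deny
            GrantedAuthority[] authorities = authentication.getAuthorities();
            for (int i = 0; authorities != null && i < authorities.length; i++) {
                if (!(authorities[i] instanceof ApplicationScopedAuthority)) {
                    continue;   // an unscoped authority never satisfies a scoped check
                }
                ApplicationScopedAuthority granted = (ApplicationScopedAuthority) authorities[i];
                if (application.equals(granted.getApplication())
                        && attribute.getAttribute().equals(granted.getRole())) {
                    return ACCESS_GRANTED;
                }
            }
        }
        return result;
    }
}
```

Register this voter in place of RoleVoter, not alongside it: under AffirmativeBased a single grant from any voter wins, so a leftover RoleVoter matching an unqualified string would reopen the cross-application hole the qualified `getAuthority()` is there to close. The config attributes stay plain (`ROLE_SUPERVISOR`), so the same secured-method definitions can be shipped to every application unchanged.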
Re: [Acegisecurity-developer] Spring 2.0 XSD/Parsers
James Carman wrote:
I am thinking about writing a Spring 2.0 style parser for Acegi configuration.

Hi James

This is very important work for a subsequent release, although I'd like to ensure that the proposed XSD is conceptually similar to other Spring XSDs (one big benefit of Spring is once you learn one part of it, the other parts feel the same to work with). We'd also need to ensure the XSD catered for all commonly-used configuration options in the framework and genuinely reduced XML whilst also leveraging XSD validation and auto-completion.

Given the above comments, it is rather important that we have a comprehensive XML example of what we'd like Acegi Security configuration to look like from release 1.1.0. The example would need to show how people could achieve their own customizations without resorting to writing large numbers of bean definitions from scratch. I'd be quite happy for people on this list to collaborate on the target XML. Once we get the target XML sorted, writing the namespace handler and XSD is comparatively easy work.

How does that sound?

Cheers
Ben
Re: [Acegisecurity-developer] [Fwd: [Fwd: Re: Authentication and authorization status in OGC-compliant OSS GIS software]]
Krystian Nowak wrote:
Do you think it is possible to include DACS (http://dacs.dss.ca/) as an authentication adapter (just as it is with Yale's CAS)? There were talks about the future of authorization in OSS GIS GeoServer (http://docs.codehaus.org/display/GEOS/Home) which heavily uses Spring, so it would be natural to use Acegi. On the other hand there is an Open Geospatial Consortium (OGC) standardising organisation for GIS software and one of their implementations for security used in demos is DACS. The problem is that DACS is a native application whereas GeoServer is a Java webapp. Maybe you have some ideas or have already heard about work between DACS and Acegi? Do you find it possible to integrate in any scope (just authentication or maybe even more - to simulate DACS-like authorization using Acegi)? Below there is an email on these talks. If it's not clear for you, please do not hesitate to ask questions to make it more informative.

Hi

There are no efforts underway to provide a DACS authentication adapter. Nevertheless, Acegi Security is very flexible in what it will accept for authentication. So I see no reason we couldn't use DACS for authentication.

The issue touched upon at the bottom of the email is perhaps the most important issue for your project to address, namely which target platform OSS GIS GeoServer plans on using. As your project is Java-based, it would make some sense to use Acegi Security with perhaps a nice simple out-of-the-box and platform-portable default authentication mechanism such as JDBC or similar. Then also ship a DACS adapter so system evaluators can see that you support the OGC standard.

cheers
Ben
Re: [Acegisecurity-developer] Acegi Rebranding??
Mark St.Godard wrote:
Ben can chime in as well if he would like to add to this..

Hi everyone

As this is an important question, I've posted a blog on the subject: http://blog.interface21.com/main/2007/01/24/why-the-name-acegi/

Cheers
Ben
Re: [Acegisecurity-developer] AuthenticationSimpleHttpInvokerRequestExecutor should validate response codes?
Camilo Arango wrote:
One solution I have found is removing both the exceptionTranslationFilter and filterInvocationInterceptor from the chain and managing authorization with AOP. That way, the exceptions are serialized correctly.

This is actually the recommended usage pattern. You use FilterInvocationInterceptor for securing web requests. If you wish to secure method authorizations, you use MethodSecurityInterceptor or AspectJSecurityInterceptor.

You'd normally configure FilterChainProxy so it differentiates between browser clients and rich clients. The browser clients will use ExceptionTranslationFilter, as that type of client requires HTTP response codes and if you fail to provide them, your servlet container will fallback to a response code 500 in the event of an exception. The rich clients should not include ExceptionTranslationFilter or FilterInvocationInterceptor, as all authorization is performed by one of the aforementioned security interceptors and exceptions will be serialized by the applicable remoting protocol instead.

Cheers
Ben
Re: [Acegisecurity-developer] How can the objectDefintionSource be updated dynamically?
[EMAIL PROTECTED] wrote:
I would like to add new resources (web-pages) to the objectDefinitionSource dynamically. I don't want to stop the application, change the applicationContext.xml and then start the application again. What is the best way to achieve this?

Just write a database-backed FilterInvocationObjectDefinitionSource implementation. I know others have done this. Simply dependency inject your custom implementation into the FilterSecurityInterceptor.

Cheers
Ben
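A database-backed definition source of the kind Ben suggests, as an added example written for this page (not code from Acegi or from the thread). It implements `FilterInvocationDefinitionSource`, which is the interface name in the Acegi 1.0.x source as far as I know (check it against your version); the `url_security` table, its columns and the refresh interval are assumptions. Rules are matched with Spring's `AntPathMatcher`, first match wins, and the table is re-read at most once per refresh interval.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.sql.DataSource;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.SecurityConfig;
import org.acegisecurity.intercept.web.FilterInvocation;
import org.acegisecurity.intercept.web.FilterInvocationDefinitionSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

/**
 * URL-to-attribute rules read from a table instead of applicationContext.xml.
 * Assumed schema (constructed for this example):
 *   CREATE TABLE url_security (
 *     rule_order  INT          NOT NULL,  -- first match wins, so order matters
 *     url_pattern VARCHAR(255) NOT NULL,  -- Ant style, lower case, e.g. /admin/**
 *     attributes  VARCHAR(255) NOT NULL   -- comma separated, e.g. ROLE_ADMIN,ROLE_AUDIT
 *   )
 */
public class JdbcFilterInvocationDefinitionSource implements FilterInvocationDefinitionSource {
    private final JdbcTemplate jdbc;
    private final PathMatcher pathMatcher = new AntPathMatcher();
    private final long refreshMillis;
    private volatile List rules = new ArrayList();   // List of Rule, in rule_order
    private volatile long loadedAt = 0L;

    public JdbcFilterInvocationDefinitionSource(DataSource dataSource, int refreshSeconds) {
        this.jdbc = new JdbcTemplate(dataSource);
        this.refreshMillis = refreshSeconds * 1000L;
    }

    public ConfigAttributeDefinition getAttributes(Object object) throws IllegalArgumentException {
        if (!(object instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        String url = ((FilterInvocation) object).getRequestUrl();
        // Drop the query string and lower-case before matching, as the stock path-based
        // source does, so /Admin/list.htm?x=1 cannot slip past a rule on /admin/**.
        int q = url.indexOf('?');
        if (q != -1) {
            url = url.substring(0, q);
        }
        url = url.toLowerCase();
        for (Iterator it = currentRules().iterator(); it.hasNext();) {
            Rule rule = (Rule) it.next();
            if (pathMatcher.match(rule.pattern, url)) {
                return rule.attributes;   // first matching row decides
            }
        }
        return null;   // no rule at all: FilterSecurityInterceptor treats the URL as public
    }

    public Iterator getConfigAttributeDefinitions() {
        List all = new ArrayList();
        for (Iterator it = currentRules().iterator(); it.hasNext();) {
            all.add(((Rule) it.next()).attributes);
        }
        return all.iterator();
    }

    public boolean supports(Class clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    /** Cheap read on the hot path; one thread reloads when the snapshot is stale. */
    private List currentRules() {
        long now = System.currentTimeMillis();
        if (now - loadedAt > refreshMillis) {
            synchronized (this) {
                if (now - loadedAt > refreshMillis) {
                    rules = loadRules();
                    loadedAt = now;
                }
            }
        }
        return rules;
    }

    private List loadRules() {
        return jdbc.query("SELECT url_pattern, attributes FROM url_security ORDER BY rule_order",
            new RowMapper() {
                public Object mapRow(ResultSet rs, int rowNum) throws SQLException {
                    ConfigAttributeDefinition def = new ConfigAttributeDefinition();
                    String[] tokens = rs.getString("attributes").split(",");
                    for (int i = 0; i < tokens.length; i++) {
                        def.addConfigAttribute(new SecurityConfig(tokens[i].trim()));
                    }
                    return new Rule(rs.getString("url_pattern").toLowerCase(), def);
                }
            });
    }

    private static final class Rule {
        final String pattern;
        final ConfigAttributeDefinition attributes;
        Rule(String pattern, ConfigAttributeDefinition attributes) {
            this.pattern = pattern;
            this.attributes = attributes;
        }
    }
}
```

Two operational points. Keep a final catch-all row such as `/**` = `ROLE_USER` with the highest `rule_order`, otherwise a page added to the application but not yet to the table is public rather than denied. And note the failure mode of the reload: if the query throws, the request that triggered it fails with that exception rather than falling back to the previous snapshot, which is the safer of the two defaults but worth knowing about; a newly tightened rule also takes up to one refresh interval to apply on every node.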
Re: [Acegisecurity-developer] using acl_permission and acl_object_identity for complex cases
[EMAIL PROTECTED] wrote:
The problem here is that the unique key on the ACL_PERMISSION table is [Object (the ACL_OBJECT_IDENTITY reference column), Recipient]. It wouldn't seem from the suggested schema for this table that you can support different collections for the same Recipient based on the Mask. Is this the case? Is it safe to extend the unique key to include Mask? Would collection filtering even work if I did?

You just need to use an integer which represents both the read and write bits being high. You shouldn't need two separate rows. This is the whole idea of bit masking in the ACL system - to represent multiple permissions being switched on or off via a single integer.

BTW I'd recommend you consider using the new ACL package in 1.0.3. It has a CumulativePermission class which may help.

Cheers
Ben
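The mask arithmetic behind this reply and behind the two options Ben gave Andrei in the "persisting Permission" thread above, as an added example written for this page. `BasePermission` and `CumulativePermission` are the real classes from the 1.0.3 acls package; `aceGrants` and `aceContains` are small models written here to make the exact-match rule Ben describes visible, not AclImpl's own code. The legacy `acl_permission.mask` column works on the same idea with that package's own bit constants, so the reasoning carries over even though the constants differ.

```java
import org.acegisecurity.acls.Permission;
import org.acegisecurity.acls.domain.BasePermission;
import org.acegisecurity.acls.domain.CumulativePermission;

/**
 * What one integer mask can and cannot express under the exact-match rule Ben
 * describes: an ACE answers a request only when the stored mask equals the
 * requested mask, never because it merely "contains" the requested bits.
 */
public class MaskSemantics {

    /** The single integer a combined ACE row stores; READ and WRITE together is 1|2 = 3. */
    public static int combinedMask(Permission[] permissions) {
        CumulativePermission cumulative = new CumulativePermission();
        for (int i = 0; i < permissions.length; i++) {
            cumulative.set(permissions[i]);
        }
        return cumulative.getMask();
    }

    /** Exact match, modelled on the rule the reply describes. */
    public static boolean aceGrants(int aceMask, int requestedMask) {
        return aceMask == requestedMask;
    }

    /** The bit-contains rule the design deliberately does NOT use, shown for contrast. */
    public static boolean aceContains(int aceMask, int requestedMask) {
        return (aceMask & requestedMask) == requestedMask;
    }

    /** Option 1 from the persisting-Permission thread: one row per permission, same recipient. */
    public static boolean grantedByAnyRow(int[] aceMasks, int requestedMask) {
        for (int i = 0; i < aceMasks.length; i++) {
            if (aceGrants(aceMasks[i], requestedMask)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        int read = BasePermission.READ.getMask();
        int write = BasePermission.WRITE.getMask();
        int readWrite = combinedMask(new Permission[] { BasePermission.READ, BasePermission.WRITE });

        // A single row holding the combined mask does not answer a voter that asks for
        // plain READ under exact matching, although bit-contains would have said yes.
        System.out.println("combined row grants READ (exact)?    " + aceGrants(readWrite, read));
        System.out.println("combined row contains READ (bits)?   " + aceContains(readWrite, read));

        // Option 1: two rows, one per permission. They satisfy READ and WRITE asked for
        // separately, but not a request for the combination.
        int[] twoRows = { read, write };
        System.out.println("two rows grant READ?                 " + grantedByAnyRow(twoRows, read));
        System.out.println("two rows grant READ+WRITE?           " + grantedByAnyRow(twoRows, readWrite));

        // Option 2: one combined row, and the AclEntryVoter configured to require the
        // same CumulativePermission, so the exact comparison succeeds.
        int[] oneRow = { readWrite };
        System.out.println("combined row grants READ+WRITE?      " + grantedByAnyRow(oneRow, readWrite));

        // getPattern() renders the bit positions, handy when reading ACE rows in a dump.
        System.out.println(BasePermission.READ.getPattern());
        System.out.println(BasePermission.WRITE.getPattern());
        System.out.println(new CumulativePermission().set(BasePermission.READ).set(BasePermission.WRITE).getPattern());
    }
}
```

The practical consequence: decide per domain object whether you store granular rows (and have voters ask for single permissions) or combined rows (and have voters ask for the same combination), and do not mix the two for one recipient without checking every voter's `requirePermission` configuration, because a mismatch silently denies rather than grants.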
Re: [Acegisecurity-developer] MethodDefinitionMap and inherited methods
Luc Boudreau wrote:
I'd like to propose a patch to the MethodDefinitionMap. With the actual source code, you can't secure inherited methods. This patch will fix the problem. It's really simple and straightforward. I needed it to see the inherited methods so I could secure my generic service layer interfaces. Could the patch be applied fast, if possible?

There are complications in doing this. Please see: http://opensource.atlassian.com/projects/spring/browse/SEC-99

Cheers
Ben
Re: [Acegisecurity-developer] AuthenticationSimpleHttpInvokerRequestExecutor should validate response codes?
Camilo Arango wrote:
Not always. It seems that only exceptions thrown by the called object are propagated by the client. In my case, the exception is thrown by a filter, and therefore the call to the Spring remoting proxy never occurs and I get an ugly 500 response code at the client. What would be the best thing to do in that case?

Depends where ExceptionTranslationFilter appears in your chain. Which filter is throwing the exception, and where is ETF in your chain?

Cheers
Ben
Re: [Acegisecurity-developer] Fwd: multiple authentication stores in one context?
John Noble wrote:
So. Does anyone know if I can configure Acegi to handle this kind of situation, or should I just run two separate contexts, one /webapp-backend/ and one /webapp-customer/ for example? Or should I have a shared table or something.. basic_user that holds credentials for both employees and customers and then associate the user either with an employee or a customer and just have one set of roles?

The simplest thing to do is try to have just one set of tables, bearing in mind you can use a custom GrantedAuthority (from your UserDetailsService) to indicate whether a particular Authentication relates to a customer or employee.

If you really wanted to have multiple tables, you might be able to approach it by a custom authentication mechanism and provider, with the mechanism detecting either a radio button on the login page (ie customer or staff) or more likely the HttpSession attribute which records the destination page, and then modifying the Authentication request object to include an employee or customer prefix. Your UserDetailsService would then query the relevant target table.

Cheers
Ben
Re: [Acegisecurity-developer] rememberMe problem since SEC-359
Didier LINK wrote:
> I've just upgraded acegi to the 1.0.3 version (before I had 1.0.1) and my webapp runs into an annoying error. This is the same as Matt Raible (01-12-2006 on the list archives) but I've some more details.

This was logged as SEC-404 (and 407). I just fixed it in SVN rev 1773.

Cheers
Ben
Re: [Acegisecurity-developer] ACL sanfbox status
Wojciech Gdela wrote:
> Hello, Where can I find this new ACL stuff (where is the code)? Is there any documentation about it?

It is in release 1.0.3 and has some reference guide coverage, plus the Contacts Sample. I'm also giving a talk on it tomorrow at The Spring Experience, after which I'll check in the demo I've written.

Cheers
Ben
Re: [Acegisecurity-developer] Switching completely to Maven 2
Luke Taylor wrote:
> I suggested to Ben that we refactor the contacts sample to make it a single app, rather than having so many different versions. We could default to having a standard form login app and leave additional context files commented out in the web.xml file. That way people could add them and rebuild if they wanted. At the moment I think it's hard to understand how it fits together anyway because there are so many different parts to it.

+1. Let's simplify the samples and move to Maven 2 ASAP. If someone could ensure the site /docs are converted to Maven 2 format before removing the Maven 1 build it would be appreciated.

Thanks
Ben
Re: [Acegisecurity-developer] Jalopy formatting
Scott McCrory wrote:
> I'd vote for disabling formatting of comments. That's one thing that humans still generally do a better job of managing.

I agree, also with Luke's suggestion re throws formatting.

Cheers
Ben
Re: [Acegisecurity-developer] Propagating Acegi's Security Context in Web Service SOAP Header
Michael Vorburger wrote:
> Hello, I thought some of you on this list may be interested in my blog post http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html in the context of propagating Acegi's Security Context in a Spring Web Service Remoting scenario... kind of like a ContextPropagatingRemoteInvocationFactory for WS, I guess. My example is done with XFire, but the (interesting, possibly useful to you) code is related to wss4j, which is what Axis also uses to do WSS, so it should be easy to make it work for Axis, or even another JAX-RPC implementation I presume.

Hi Michael

Thanks for sharing this with the community. I'll add your blog entry to our articles page. Spring Web Services has another WS-Security integration - not sure if you've seen it yet. If you feel your contribution could be useful in Acegi Security directly (as opposed to maintained in perhaps XFire or Spring Web Services or standalone instead) please feel free to add an enhancement request to JIRA and I'll be pleased to follow it up.

Cheers
Ben
[Acegisecurity-developer] [ANN] Acegi Security 1.0.3 released
Dear Spring Community

I am pleased to advise Acegi Security 1.0.3 is now available. This release is mostly a bug fix release, although the new domain object access control list (ACL) feature is now available for preview. I'll be presenting a session on this new feature at The Spring Experience next month, so I hope to see you there.

Existing users can upgrade to release 1.0.3 with a simple JAR drop. Please visit http://tinyurl.com/ym2k7k for a detailed changelog.

The project's web site at http://acegisecurity.org provides additional information on Acegi Security's features, access to online documentation, and links to download the latest release.

We trust that you find this new release useful in your projects.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi Roadmap (and preparing for 1.0.3)
Karl Moore wrote:
> Just wondered if there was a road map for the product and where it might be going. Are there any plans to take advantage of the new Spring 2.0 features?

1.0.3 will be released soon - probably tomorrow before I fly interstate. Failing that, it will certainly be out on the weekend of 24 November. People are invited to check out from SVN and test out the 1.0.3 snapshot against their projects. It's 100% backwards compatible, so just drop the JAR in and see how you go.

The roadmap for 1.0.3 and 1.1.0 is at http://tinyurl.com/tn45b. I had intended to release 1.1.0 by The Spring Experience (next month) but I have simply run out of time. As shown, 1.1.0 will support Spring 2 namespaces, which I hope to address in Q1 2007. The 1.0.3 release, on the other hand, mostly adds minor enhancements and a new ACL module (which I'm working on presently and will present information on at The Spring Experience).

> If I get some spare time are there any outstanding tasks relating to Acegi I could look into?

If you have any free time, please feel free to look at the issues on the roadmap which have a personal interest to you, and just comment on any issue you'd like to work on. We welcome any and all help!

Cheers
Ben
Re: [Acegisecurity-developer] OpenSSO integration... what do you think?
Hi Jin

I think there are already plugin points for each of these steps.

Jin Peng wrote:
> 1. Retrieve SSO token from HTTP request (usually SSO cookie)

Authentication mechanism (usually a filter).

> 2. Validate SSO token
> 3. Recreate authentication context from a valid SSO token.

Authentication provider and generally an Authentication object to pass between the authentication mechanism and authentication provider.

> 4. Terminate a SSO token (global sign off)

Logout handler.

A couple of weeks ago I wrote the above at a client site and it took about twenty minutes (including unit tests). It could be simplified further by having an Authentication object contain a field to denote the source authentication mechanism class, and a general AuthenticationProvider which automatically accepts such objects (the authentication mechanism would still need to be written, but you could include an abstract method that contains the HttpServletRequest parameter and returns an Authentication object).

Cheers
Ben

-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
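The four plug-in points Ben maps above, written out as an added example against the Acegi Security 1.0.x API; this is not code from the thread, the project or OpenSSO. SsoTokenStore is a hypothetical in-memory stand-in for the OpenSSO token service (a real integration would call the OpenSSO client library where the store is consulted), and the cookie name and class names are assumptions of this example.

```java
// Added example (not Acegi project code) against the Acegi Security 1.0.x API.
// SsoTokenStore is a hypothetical stand-in for the OpenSSO token service.
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.AbstractAuthenticationToken;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.ui.logout.LogoutHandler;

/** Hypothetical stand-in for OpenSSO: token -> Object[]{principal, authorities}. */
class SsoTokenStore {
    private final Map sessions = new HashMap();
    synchronized void issue(String token, String principal, GrantedAuthority[] auths) { sessions.put(token, new Object[] {principal, auths}); }
    synchronized Object[] validate(String token) { return (Object[]) sessions.get(token); } // step 2
    synchronized void terminate(String token) { sessions.remove(token); }                 // step 4
}

/** The Authentication object carried from the mechanism (filter) to the provider. */
class SsoAuthenticationToken extends AbstractAuthenticationToken {
    private final String token;
    private final String principal;
    SsoAuthenticationToken(String token) {           // unauthenticated request: token only
        this(token, null, null);
        setAuthenticated(false);
    }
    SsoAuthenticationToken(String token, String principal, GrantedAuthority[] authorities) {
        super(authorities);                          // authenticated result built by the provider
        this.token = token;
        this.principal = principal;
        setAuthenticated(true);
    }
    public Object getCredentials() { return token; }
    public Object getPrincipal() { return principal; }
}

/** Steps 2 and 3: validate the token and rebuild the authenticated identity from it. */
class SsoAuthenticationProvider implements AuthenticationProvider {
    private final SsoTokenStore store;
    SsoAuthenticationProvider(SsoTokenStore store) { this.store = store; }
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String token = (String) auth.getCredentials();
        Object[] session = store.validate(token);
        if (session == null) throw new BadCredentialsException("SSO token unknown or expired");
        return new SsoAuthenticationToken(token, (String) session[0], (GrantedAuthority[]) session[1]);
    }
    public boolean supports(Class c) { return SsoAuthenticationToken.class.isAssignableFrom(c); }
}

/** Step 1: the mechanism. Place it after HttpSessionContextIntegrationFilter in FilterChainProxy. */
class SsoProcessingFilter implements Filter {
    private final AuthenticationManager authenticationManager;
    private final String cookieName;
    SsoProcessingFilter(AuthenticationManager am, String cookieName) { this.authenticationManager = am; this.cookieName = cookieName; }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        // Only act when nothing upstream (e.g. the HttpSession) has already authenticated this request.
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            String token = findCookie((HttpServletRequest) req);
            if (token != null) {
                try {
                    Authentication result = authenticationManager.authenticate(new SsoAuthenticationToken(token));
                    SecurityContextHolder.getContext().setAuthentication(result);
                } catch (AuthenticationException failed) {
                    // Bad token: carry on unauthenticated; ExceptionTranslationFilter deals with any later denial.
                    SecurityContextHolder.getContext().setAuthentication(null);
                }
            }
        }
        chain.doFilter(req, res);
    }
    private String findCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        for (int i = 0; cookies != null && i < cookies.length; i++) {
            if (cookieName.equals(cookies[i].getName())) return cookies[i].getValue();
        }
        return null;
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}

/** Step 4: global sign-off; register it with LogoutFilter. */
class SsoLogoutHandler implements LogoutHandler {
    private final SsoTokenStore store;
    SsoLogoutHandler(SsoTokenStore store) { this.store = store; }
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication auth) {
        if (auth instanceof SsoAuthenticationToken) store.terminate((String) auth.getCredentials());
    }
}
```

The provider is registered with the ProviderManager like any other, and the filter must sit after HttpSessionContextIntegrationFilter and before ExceptionTranslationFilter in the FilterChainProxy so that a token is only consulted when the session holds no identity and a rejected token still ends in the usual entry point rather than a bare 500.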
Re: [Acegisecurity-developer] java5 compiler bug regarding annotations - annoying
Wim Lambrecht wrote:
> anyone ?
>
> Wim Lambrecht wrote:
>> We've encountered a rather annoying bug in the java5 compiler regarding annotations, see the buglist: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6365854 . So, it does I know this ain't an acegi bug, but I'd like to know how you guys handle this situation?

As you note, this is a bug in Java itself and nothing to do with Acegi Security. Personally I include Acegi Security JARs in my classpath, so haven't encountered the particular bug.

Cheers
Ben
Re: [Acegisecurity-developer] OpenSSO integration... what do you think?
Jose Luis Huertas Fernández wrote:
> I was thinking about developing a new module to integrate Acegi with OpenSSO (https://opensso.dev.java.net/) in a similar way that the existing CAS integration.

Hi Jose

You'd be very welcome to take this on. It would be good to add another SSO alternative to the present CAS and SiteMinder options. The other one is JOSSO, although I've not heard any demand from the community for JOSSO.

Cheers
Ben
Re: [Acegisecurity-developer] Retrieve Authorities remotely
Lucas Opara wrote:
> Hello, I was wondering if there is any support in acegi for retrieving authorities from a remote web service. For now, we use straight JDBC connection to an Oracle database to retrieve the roles and it works great. What we would like to have is a secured web service that can provide roles to our internal webapps but also to webapps hosted by our partners.

Have a look at the org.acegisecurity.providers.rcp package. It might be useful. But I'd say you'll need to write your own web service that provides the authorities for a particular username.

Cheers
Ben
Re: [Acegisecurity-developer] switch user filter - exception processing
Robert Blumen wrote:
> It is not clear to me at this point what is the intended usage of the SwitchUserProcessingFilter. Possibly it needs its own failureUrl, something like the authenticationProcessingFilter has. And to trap the UsernameNotFound and then redirect to the failure url? Thoughts?

http://opensource.atlassian.com/projects/spring/browse/SEC-372
Re: [Acegisecurity-developer] No process filter with images
Arturo San Feliciano Martín wrote:
> Hi, Is there any way to avoid acegi filtering images? When I see the log I find something like:
>
> 2006-10-01 12:00:36,010 DEBUG [org.acegisecurity.util.FilterChainProxy] - /img/menu/setaOff.gif reached end of additional filter chain; proceeding with original chain
>
> But I don't want the filter to process the images, how can I do it? Is there any way to indicate that acegi should filter all except one specific directory?

Hello Arturo

I see from your debug log that you're using FilterChainProxy, which is good as it is the recommended approach. Because you're using the recommended approach, it is very easy to have FilterChainProxy skip particular URL patterns. Simply edit your FilterChainProxy.filterInvocationDefinitionSource property so that /images/*=#NONE#. If you look at FilterChainProxy, it has a public static final String field named TOKEN_NONE which equals #NONE#. This has special meaning to FilterChainProxy and is useful in forcing particular patterns to be skipped.

The other way to do it is to edit web.xml and modify the filter-mapping element to only match on items FilterChainProxy should use. That will be more work, though (you'll need an entry for every path it SHOULD match, not paths it should NOT match), plus you are editing web.xml which doesn't enjoy the configuration flexibility of a Spring application context. With the latter you could, for example, pull the FilterInvocationDefinitionSource from a database, properties file etc.

Cheers
Ben
Re: [Acegisecurity-developer] Changing the session identifier after a successful login
Twomey, Sean wrote:
> Our application has just recently integrated acegi as our security framework. However we now have a requirement to change the session identifier (JSESSIONID) after a successful login, since this session id is issued at/before the login page, and is thus prone to session fixation attack. I had thought of subclassing the AuthenticationProcessingFilter class's onSuccessfulAuthentication(..) method to invalidate the old HttpSession and create new one. Will this cause any issues? Or is there an alternative, and perhaps cleaner way of implementing the requirement that I have outlined?

Hi Sean

Most people simply use the channel security capabilities so JSESSIONID is only ever sent over HTTPS, thus avoiding the need to modify the session ID. If you do need to modify session ID, you'll need to find a way of preserving the behaviour of HttpSessionContextIntegrationFilter and also preserving the authenticated identity. HTTPS is probably easier (and safer, too).

Cheers
Ben
Re: [Acegisecurity-developer] NTLM support
[EMAIL PROTECTED] wrote:
> I am trying to build an acegi jar with ntlm support. Could anyone tell me the maven command for this? What version of acegi should I check out to build?

Hi Xiaobo

You will need to check out from SVN. I believe there is a pom.xml in sandbox/other, so try running mvn install from there. Please remember that sandbox code is not supported.

Cheers
Ben
Re: [Acegisecurity-developer] Dinamic objectDefinitionSource
Arturo San Feliciano Martín wrote:
> Is there any way to build dynamically the associations between URL pattern and ROLE (or profile)? Could I save these associations (URL pattern-Profile(ROLE)) in a database? Could acegi ask for them?

Hi Arturo

You can write a custom FilterInvocationDefinitionSource and obtain the information from anywhere. I'm aware of at least one content management system that pulls the metadata from a database. Once you've written a database FilterInvocationDefinitionSource, simply use a <property name="objectDefinitionSource" ref="xx"/> element inside your FilterSecurityInterceptor bean definition.

Cheers
Ben
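One way to write the database-backed FilterInvocationDefinitionSource Ben describes, as an added example against the Acegi Security 1.0.x and Spring JdbcTemplate APIs (not code from the thread or the project). The column names url_pattern and attributes, the sort order, and the rule format "ROLE_A,ROLE_B" are assumptions of this example; the in-memory rule list is what the interceptor consults, so the class also works without a database.

```java
// Added example (not Acegi project code) against the Acegi Security 1.0.x API.
// Column names url_pattern and attributes are hypothetical.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.SecurityConfig;
import org.acegisecurity.intercept.web.FilterInvocation;
import org.acegisecurity.intercept.web.FilterInvocationDefinitionSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

/** URL pattern -> attribute rules held in memory and loaded from a table rather than the XML. */
public class JdbcFilterInvocationDefinitionSource implements FilterInvocationDefinitionSource {
    private final PathMatcher pathMatcher = new AntPathMatcher();
    private final List rules = new ArrayList();   // Rule objects, most specific first: first match wins

    private static final class Rule {
        final String pattern;
        final ConfigAttributeDefinition attributes;
        Rule(String pattern, ConfigAttributeDefinition attributes) { this.pattern = pattern; this.attributes = attributes; }
    }

    /** Adds one rule, e.g. addRule("/admin/**", "ROLE_ADMIN,ROLE_SUPERVISOR"). Patterns are matched lower-cased. */
    public synchronized void addRule(String antPattern, String commaSeparatedAttributes) {
        ConfigAttributeDefinition definition = new ConfigAttributeDefinition();
        for (StringTokenizer st = new StringTokenizer(commaSeparatedAttributes, ","); st.hasMoreTokens();) {
            definition.addConfigAttribute(new SecurityConfig(st.nextToken().trim()));
        }
        rules.add(new Rule(antPattern.toLowerCase(), definition));
    }

    /** Loads rules from a table. The query must deliver them in precedence order (e.g. ORDER BY sort_order). */
    public static JdbcFilterInvocationDefinitionSource load(JdbcTemplate jdbc, String sql) {
        JdbcFilterInvocationDefinitionSource source = new JdbcFilterInvocationDefinitionSource();
        for (Iterator it = jdbc.queryForList(sql).iterator(); it.hasNext();) {
            Map row = (Map) it.next();
            source.addRule((String) row.get("url_pattern"), (String) row.get("attributes"));
        }
        return source;
    }

    public synchronized ConfigAttributeDefinition getAttributes(Object object) throws IllegalArgumentException {
        if (!(object instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        String url = ((FilterInvocation) object).getRequestUrl();
        int query = url.indexOf('?');
        if (query >= 0) url = url.substring(0, query);    // match on the path only, never on the query string
        url = url.toLowerCase();
        for (Iterator it = rules.iterator(); it.hasNext();) {
            Rule rule = (Rule) it.next();
            if (pathMatcher.match(rule.pattern, url)) return rule.attributes;
        }
        return null;   // no rule: the interceptor sees no attributes and treats the URL as public
    }

    public synchronized Iterator getConfigAttributeDefinitions() {
        List definitions = new ArrayList();
        for (Iterator it = rules.iterator(); it.hasNext();) definitions.add(((Rule) it.next()).attributes);
        return definitions.iterator();
    }

    public boolean supports(Class clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

Because the last rule wins nothing, order matters: put the broad catch-all (for instance /** with a general role) after the specific patterns, and keep in mind that a URL no rule matches is left unprotected, so a deliberate catch-all row is the safe default.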
[Acegisecurity-developer] Release 1.0.2 ready
Hi all

1.0.2 is now ready to release. Carlos, were you still able to take care of it? I can do so, but I won't have time for a few more days.

Please feel free to remove the reference guide and README.TXT sections that mention JAR signing. I think we've agreed to drop it.

Cheers
Ben
Re: [Acegisecurity-developer] AccessDecisionVoter interface and multiple configuration attributes
Peter Kharchenko wrote:
> I am writing a custom voter implementation and have a question regarding how configuration attributes are being fed to the voters.

Hi Peter

Basically the AccessDecisionVoter.supports(ConfigAttribute attribute) method is structured the way it is because we want AbstractSecurityInterceptor to poll every possible voter and run-as manager and after-invocation manager to see if somebody is able to digest or process a particular ConfigAttribute.

At actual decision time, the AccessDecisionVoter.vote(Authentication authentication, Object object, ConfigAttributeDefinition config) method accepts the full ConfigAttributeDefinition because a voter might make different decisions based on the presence of extra attributes on the particular secure object invocation.

Hope this helps clarify the rationale.

Cheers
Ben
Re: [Acegisecurity-developer] AccessDecisionVoter interface and multiple configuration attributes
Peter Kharchenko wrote:
> So if I wanted to make use of a voter that needs more than one config attribute at the same time, would you recommend writing an alternate version of UnanimousBased decision manager, or is there a reason why Unanimous decisions have to be done this way (and therefore I need to switch to AffirmativeBased or something else)?

It's pretty rare to use UnanimousBased. Most people find AffirmativeBased the most useful AccessDecisionManager.

I honestly can't remember why UnanimousBased was designed this way. It was like this in the initial commit, so goes right back to March 2004 (if not late 2003 when I first wrote it). A good lesson why I should have JavaDoced why.

Given I cannot see any strong justification for this behavior, I am not opposed to modifying it to be consistent with ConsensusBased. The UnanimousBased approach is basically a ConsensusBased approach, except if any AccessDecisionVoter denies, then immediately throw AccessDeniedException. I would want to wait until 1.1.0 before changing anything, though, in case someone relies on UnanimousBased's current logic. Please feel free to raise a JIRA issue if you wish.

Cheers
Ben
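To show the rationale Ben gives in the previous message (supports() claims individual attributes, while vote() sees the whole ConfigAttributeDefinition) together with the case Peter raises here of a voter that needs several attributes at once, an added example against the Acegi Security 1.0.x AccessDecisionVoter API; it is not code from the thread or the project. The REQUIRE_ALL_ROLES marker attribute and the class name are assumptions of this example.

```java
// Added example (not Acegi project code) against the Acegi Security 1.0.x API.
// REQUIRE_ALL_ROLES is a hypothetical marker attribute.
import java.util.Iterator;
import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.vote.AccessDecisionVoter;

/**
 * Grants only when the caller holds EVERY ROLE_ attribute on the secure object, not just one of
 * them as RoleVoter does. It claims only the marker in supports(); at vote time it reads the rest
 * of the ConfigAttributeDefinition to find the roles it must check.
 */
public class AllRolesVoter implements AccessDecisionVoter {
    /** Marker that switches this voter on. Deliberately not ROLE_-prefixed, so RoleVoter ignores it. */
    public static final String MARKER = "REQUIRE_ALL_ROLES";
    private static final String ROLE_PREFIX = "ROLE_";

    // AbstractSecurityInterceptor polls this at startup for each attribute; we only digest the marker.
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null && MARKER.equals(attribute.getAttribute());
    }

    public boolean supports(Class clazz) { return true; }   // any secure object type

    public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
        boolean markerPresent = false;
        int required = 0;
        int held = 0;
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            String name = ((ConfigAttribute) it.next()).getAttribute();
            if (name == null) continue;
            if (MARKER.equals(name)) {
                markerPresent = true;
            } else if (name.startsWith(ROLE_PREFIX)) {
                required++;
                if (holds(authentication, name)) held++;
            }
        }
        // Without the marker (or with no roles to check) this voter has no opinion.
        if (!markerPresent || required == 0) return ACCESS_ABSTAIN;
        return held == required ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    private boolean holds(Authentication authentication, String role) {
        GrantedAuthority[] authorities = authentication.getAuthorities();
        for (int i = 0; authorities != null && i < authorities.length; i++) {
            if (role.equals(authorities[i].getAuthority())) return true;
        }
        return false;
    }
}
```

Two consequences follow from the thread. First, if the AccessDecisionManager hands each attribute to the voters on its own, as Peter describes UnanimousBased doing, this voter only ever sees a single attribute per call and abstains; it needs a manager that passes the full definition. Second, under AffirmativeBased a RoleVoter in the same manager grants as soon as any one ROLE_ matches, so for secure objects carrying the marker this voter should be the one deciding, or the stricter result is lost.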
Re: [Acegisecurity-developer] Releasing 1.0.2 - final 3 issues
Hi everyone

23 issues are now resolved, with 3 more still outstanding. The outstanding issues are SEC-304, SEC-348 and SEC-346, assigned to Marc Antoine, Scott and Luke respectively.

Would Marc Antoine, Scott and Luke please comment on these tasks, close them, or assign them to a later release (if you judge them to be non-urgent, lacking information or non-backward compatible)? We need to get 1.0.2 out so that people can benefit from the bug fixes.

Thanks
Ben
Re: [Acegisecurity-developer] Releasing 1.0.2
Scott McCrory wrote:
> Ben Alex wrote:
>> Could other developers please finalize their 1.0.2-related tasks (see http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa).
>
> Ben, I'd like to get the Siteminder improvements noted in SEC-319 in with the 1.0.2 release if permissible. The fix version was set for 1.1.0, but that was before the 1.0.2 and 1.0.3 releases were added to Jira. I already have changes committed in SVN that work, but I've made improvements to both the code and documentation since then that I'd like to commit and make complete. Anyone opposed?

Hi Scott

As we're now post-1.0.0, it's important that we follow the APR versioning guidelines which state that patch releases (ie 1.0.x) should be binary and source compatible with previous releases in that series. In other words, people should be able to simply drop in the new JAR and it works.

Just looking at the revision history for SiteminderAuthenticationProvider and its corresponding tests, they seem to be new classes added 27 July 2006. As such, I imagine that users employing the 1.0.1 SiteMinder integration will need to change their configuration to use these new classes, and in doing so not benefit from a drop in replacement.

I don't think SiteMinder usage with Acegi Security is extremely widespread, so we could relax the rules a little if there is good reason to include the SEC-319 changes in 1.0.2. The conservative choice would be to defer until 1.1.0, though (assuming I haven't misunderstood the backward compatibility issue - if the existing integration continues to work in 1.0.2, I have no problem at all with the refactoring being included so people have the choice of using it if they wish).

Cheers
Ben
Re: [Acegisecurity-developer] XACML
Baz wrote:
>     if (principal instanceof org.acegisecurity.userdetails.User) {
>         User user = (User) principal;
>         userName = user.getUsername();
>     } else {
>         userName = principal.toString();
>     }

In addition to using FacesContext, the above code should ideally deal with the UserDetails interface, and not the User concrete implementation thereof.

Cheers
Ben
Re: [Acegisecurity-developer] Releasing 1.0.2
Carlos Sanchez wrote:
> Will it be possible to make a 1.0.2 bug release in the next two weeks? I can go through all the release process, I just would like to know if people agree in taking what is currently in svn and tag it as 1.0.2.

Hi Carlos

You want to be release manager? I would certainly welcome this.

I have just been through JIRA and looked at all bugs. I've moved all but one bug to release 1.0.2 (the one being ignored because it's more a low-impact known limitation than an actual bug). We need to get these bugs quashed before 1.0.2 goes out. Most bugs are relatively trivial to address, and I will hopefully find some time to do so over the next two weeks. Other committers are welcome to address the bugs marked for 1.0.2. As I said, most are pretty simple and in many cases the issue itself provides the fix.

Once the issues currently against 1.0.2 are sorted, I have no problems with a release.

Cheers
Ben
Re: [Acegisecurity-developer] About The Following Acegi Releases
Luke Taylor wrote:
> On the branching front, it seems like we could be making more use of branches with subversion.

I am happy for these changes to be made.

Whilst changing to Maven 2 we should also give consideration to how we distribute source code for IDE integration. At present we release a separate ZIP file containing the sources (which is not intended for compilation). I noticed that the Maven 2 approach appears to be a name-of-artifact-sources.jar file in the standard jar repository.

Whilst I see merit in the above approach, I am not particularly fond of it because I still have to undertake the manual step of configuring Eclipse to look at a particular source JAR or ZIP. In addition, as new releases are made, it is not uncommon to forget to change the old source code attachment location. So your source code appears to be for say release 2.0 but it is really for 1.2.7. I am also unaware if Maven 2 can be made to automatically understand it needs to download source artifacts but not include them as classpath resources.

Those of you who have been using Google Web Toolkit (GWT) would know Google bundles both source code and compiled class files into the same JAR. This saves the manual step and I have found it extremely useful. I just point to the new release JAR and my JavaDocs and source code attachment is correct. The only downside is a bigger JAR, which in my view is a low price to pay for enhanced productivity and troubleshooting reliability.

To put the bigger JAR issue into context:

    63 2006-06-17 03:50 acegi-security-1.0.1.jar
    529413 2006-06-23 05:34 acegi-security-1.0.1-sources.jar

Based on release 1.0.1, we'd go from a 444Kb release to a 973Kb combined JAR. I don't think this is a serious issue from a download or disk space perspective. Especially concerned people can always re-jar for their production deployment.

How would people feel about future Acegi Security release JARs including source code, as per GWT?

I guess we could continue to have two releases, but our acegi-security-release-sources.jar would contain *both* classes and source code.

It would be good to discuss this and get some feedback from the community.

Cheers
Ben
Re: [Acegisecurity-developer] About The Following Acegi Releases
Ray Krueger wrote:
> Ben were you suggesting having acegi-version.jar would be just binary, and acegi-version-sources.jar would be binary with source?

Yes, a traditional .class-only JAR, and a combined .class plus .java JAR. People like me would use the latter, whereas people concerned about the extra 500 Kb in their download can use the former.

In my experience delivering training courses, I know how very useful it is to have automatic JavaDocs and source code available to people trying to learn a new API. It is really an issue of what do we value more:

* Minimizing bandwidth. Bandwidth is cheap. Every decent library (Spring, Eclipse, Java) is now dozens of megabytes to download. I won't lose much sleep adding 500 Kb (or even 1 Mb!) to a JAR download.

* Maximizing productivity. Unlike bandwidth, people are expensive. People are time poor. People are constantly dealing with API changes and new APIs. People don't remember every argument and interface contract they read. We can make peoples' lives easier by including source in the JARs. Besides, we're more likely to get bugs detected and fixes contributed back if more people see the source code.

Google (GWT) have obviously concluded the latter is more important, and I'm not aware of anyone objecting to their inclusion of source code. They don't even offer a source-code-free JAR, yet we would continue to.

Cheers
Ben
Re: [Acegisecurity-developer] Limiting number of failed logins
On Sat, 2006-08-26 at 14:56 -0700, Robert Blumen wrote:
> With the event-listening approach, I see that you could track the number of failed attempts, but how would that tie back into preventing additional attempts after the limit was exceeded? Wouldn't you have to modify the authentication processing at some point?

Generally your custom UserDetailsService will return a UserDetails with the appropriate flag to indicate the account is locked. The AuthenticationProvider will then automatically throw the corresponding exception.

Cheers
Ben
Re: [Acegisecurity-developer] Acegi and hessian/burlap
On Sun, 2006-08-27 at 10:16 -0500, Hector Suarez Barenca wrote:
> Is there an example about how to integrate hessian and acegi? Could you tell me where I could find examples?

The Contacts sample in its client/clientContext.xml can be changed to use Hessian.

However, as an aside, think carefully before using Hessian or Burlap. They do have serialization problems in many situations. If you need to go Java to Java, use HttpInvoker or RMI. If you need to go cross-platform, generally look to CORBA, web services (SOAP), or one of the lightweight protocols (JSON-RPC, XML-RPC).

Cheers
Ben
Re: [Acegisecurity-developer] Dynamic defaultTargetUrl
Brian Pontarelli wrote:
> I think the issue is that the login is a component that exists on many pages and the login/failure should return the user to the page they were viewing rather than a stock login/home page.

The best bet at this point is probably to subclass APF and just redirect or forward back to a URL stored in a form parameter. You will have to place the current URL in a hidden field. You might be able to pull off a referrer URL as well depending on your setup.

If the referrer URL approach works, I think this would be of general usefulness to others as well. We could have a new property, forceReturnToReferrerUrl on AbstractProcessingFilter. If anyone gets this to consistently work, please pop your code into a JIRA patch and I'll get it applied.

Cheers
Ben
Re: [Acegisecurity-developer] About The Following Acegi Releases
Luke Taylor wrote:
> That's good. You'll be an expert on branching with subversion then :-). I'd like to get the automatic build upgraded to Maven 2 as well (and running again). There are a couple of issues I've come across so far:

I am a BIG fan of moving to Maven 2 ASAP. Acegi Security is the only application I still have which requires Maven 1.0.2, and every time we release it requires a slightly different workaround (typically MAVEN_OPTS parameters for JVM memory/stack allocation). I'd much prefer the improved robustness of Maven 2, even if it means most of the reports are lost. The only essential use cases are compile, JAR, test, DocBook, unit test coverage report, and site build.

> 1. The new site generation doesn't seem to support html files. Do you know if they all have to be converted to xdoc, apt or whatever to be part of the main site (with the menu etc).
> 2. The contacts app is too complicated - I thought about refactoring this into a single web-app where people can comment select which contexts are included in the web.xml file.

As discussed on Skype, I am happy for this to proceed. It is more user-friendly in any event that people wanting to try X509 certificates, CAS or container adapters be able to do so without the inconvenience of building from source.

> There was also some guy in the forum complaining about the fact that the jar wasn't signed. We should probably formalize the use of PGP keys, add them to the website and arrange to do some key signing when possible. The readme file also needs to be changed.

I have a PGP key these days (ID 0x9BBCD24D) and know that both Luke and Carlos do, so it's pretty easy to go with ZIP-level signing - plus there's a lot of precedence for this approach courtesy of Apache. Do people feel we should continue to sign the JAR using keytool, though, as well? Does anyone actually rely upon JAR signing?

Carlos, has Maven got any smarts in terms of automatic verification of JARs downloaded from repositories against the public keys in the repository or similar? I don't see a lot of value in maintaining two signing approaches, as it would make life harder for someone else to perform releases. In any event, I'm a little tired of annually renewing keytool certificates when PGP keys can be configured to never expire (yet still provide a revocation approach).

Cheers
Ben
Re: [Acegisecurity-developer] User.equals method requires same sequence
[EMAIL PROTECTED] wrote:
> The method org.acegisecurity.userdetails.User.equals requires that the GrantedAuthority values on the two instances be in the same order. Unless there is some order dependency in the behavior, does it make sense to require that the order be the same for equality? Are not two User instances with the same GrantedAuthoritys, no matter in what order, equal()?

We haven't expressly spelled out the UserDetails.equals(Object) contract either way.

If we relaxed the iteration order restriction in User.equals(Object), it might result in inconsistent behavior if someone has configured AccessDecisionVoters or AfterInvocationProviders in complex ways that relied upon specific ordering. Namely, a developer might consider user1.equals(user2) yet receive different authorization or after invocation behavior when presenting these apparently equal user instances.

I acknowledge that we need to specify the correct contract in the UserDetails.equals(Object) method. In terms of whether to preserve the ordering requirement or not, the conservative choice is to preserve it. Additionally, the Java Array class defines equality to mean same elements as well as same order (http://java.sun.com/j2se/1.5.0/docs/api/java/util/Arrays.html#equals(int[],%20int[])). I therefore think there is some justification for developers who may have relied upon iteration order in their configurations.

Of course, I am open to persuasion if iteration order should be abandoned. I look forward to a lively debate! :-)

Cheers
Ben
Re: [Acegisecurity-developer] XACML
McGovern, James F (HTSC, IT) wrote:
> In searching through the archives, I ran across a discussion in 2004 on combining ACEGI and XACML that seemed to have gone nowhere because it was too difficult. Is the position still the same?

There has been no progress on this issue, because we haven't had anyone really demanding it or offering to sponsor/contribute. I would welcome anyone to participate, though.

Cheers
Ben
Re: [Acegisecurity-developer] FilterChain proxy initialization and subclass
[EMAIL PROTECTED] wrote:
> I would like to be able to initialize the FilterChainProxy entirely using Spring XML tags, without relying on the special syntax parsed by the ACEGI property editors. I have various reasons for this, one being that the Spring IDE and the XML parser do not understand the bean names in the special syntax as bean refs. Figure 1 below is what I have in mind.

Please feel free to log an issue in JIRA in patch file format against current SVN HEAD. I cannot guarantee it will be included, but at first glance I don't think there would be a problem.

Also remember that for 1.1.0 we will be moving to Spring namespaces, so this type of XML configuration will be eliminated anyway (through intelligent defaulting, introspection of registered beans and a dedicated XML namespace).

Cheers
Ben
Re: [Acegisecurity-developer] Retrieving User after AuthenticationException
Kimball, Mark W wrote:
> In AbstractUserDetailsAuthenticationProvider the authenticate() method calls the additionalAuthenticationChecks() method in a try block and can catch an AuthenticationException. The code in the catch block (line 147 for rel 1.0.1) calls the retrieveUser() and additionalAuthenticationChecks() methods. If the user details used for the call in the try block came from the cache, I understand why this makes sense. However, if cacheWasUsed is false, the call to retrieve the user details obtains the exact same user details. Perhaps the catch block should only repeat those method calls if cacheWasUsed is true, and throw the caught AuthenticationException if cacheWasUsed is false.

I agree, this should be changed. Please add it to JIRA and I'll take care of it.

Cheers
Ben
Re: [Acegisecurity-developer] Limiting number of failed logins
[EMAIL PROTECTED] wrote:
> This seems to be working ok, however, this might be slightly simpler to do if the AuthenticationException had its own handler interface, like the accessDeniedHandler. Call it the authenticationFailedHandler.

Most people either do it the way you have, or listen for events and update the authentication repository accordingly. You're welcome to pop a patch into JIRA if you like...

Cheers
Ben
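The event-listening approach described in this reply and in the earlier "Limiting number of failed logins" reply (count failures from the events ProviderManager publishes, then have the UserDetailsService report the account as locked so the provider throws LockedException), as an added example that is not from the list or from the Acegi project. Assumptions: the Acegi Security 1.0.x API, that the ProviderManager runs as a Spring bean and therefore publishes authentication events, and that LockoutUserDetailsService, its delegate and the maxFailures/lockoutMillis settings are hypothetical names.

```java
import java.util.HashMap;
import java.util.Map;

import org.acegisecurity.event.authentication.AbstractAuthenticationEvent;
import org.acegisecurity.event.authentication.AuthenticationFailureBadCredentialsEvent;
import org.acegisecurity.event.authentication.AuthenticationSuccessEvent;
import org.acegisecurity.providers.dao.UserCache;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.dao.DataAccessException;

/**
 * Hypothetical wrapper around a real UserDetailsService (for example a JdbcDaoImpl).
 * Bad-credentials failures are counted per username; once maxFailures is reached,
 * loadUserByUsername() returns the same details with accountNonLocked=false, and
 * AbstractUserDetailsAuthenticationProvider then throws LockedException before it
 * even looks at the password. The authentication processing itself is untouched.
 */
public class LockoutUserDetailsService implements UserDetailsService, ApplicationListener {

    private final UserDetailsService delegate;
    private final UserCache userCache;   // null when the provider has no cache configured
    private final int maxFailures;
    private final long lockoutMillis;    // a lock expires this long after the last failure

    // Per-JVM state: a clustered deployment would keep this in the user store instead.
    private final Map failures = new HashMap(); // String username -> Attempts

    private static final class Attempts {
        int count;
        long lastFailure;
    }

    public LockoutUserDetailsService(UserDetailsService delegate, UserCache userCache,
            int maxFailures, long lockoutMillis) {
        this.delegate = delegate;
        this.userCache = userCache;
        this.maxFailures = maxFailures;
        this.lockoutMillis = lockoutMillis;
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        UserDetails real = delegate.loadUserByUsername(username);
        if (!isLocked(username)) {
            return real;
        }
        // Identical details, but the account is reported as locked.
        return new User(real.getUsername(), real.getPassword(), real.isEnabled(),
                real.isAccountNonExpired(), real.isCredentialsNonExpired(),
                false, real.getAuthorities());
    }

    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            String username = ((AbstractAuthenticationEvent) event).getAuthentication().getName();
            if (recordFailure(username) >= maxFailures && userCache != null) {
                // A cached UserDetails would still say "not locked"; evict it so the
                // provider re-reads the user through this service on the next attempt.
                userCache.removeUserFromCache(username);
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            String username = ((AbstractAuthenticationEvent) event).getAuthentication().getName();
            synchronized (failures) {
                failures.remove(username);
            }
        }
    }

    /** Records one more failure for the username and returns the new count. */
    int recordFailure(String username) {
        synchronized (failures) {
            Attempts a = (Attempts) failures.get(username);
            if (a == null) {
                a = new Attempts();
                failures.put(username, a);
            }
            a.count++;
            a.lastFailure = System.currentTimeMillis();
            return a.count;
        }
    }

    public boolean isLocked(String username) {
        synchronized (failures) {
            Attempts a = (Attempts) failures.get(username);
            if (a == null) {
                return false;
            }
            if (System.currentTimeMillis() - a.lastFailure > lockoutMillis) {
                failures.remove(username); // lock has expired; start counting afresh
                return false;
            }
            return a.count >= maxFailures;
        }
    }
}
```

Wire it as the DaoAuthenticationProvider's userDetailsService in the same application context as the ProviderManager; since the lock is triggered by unauthenticated attempts, the expiry window also bounds how long a valid user can be kept out by someone guessing against their username.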
Re: [Acegisecurity-developer] ExceptionTranslationFilter not an interface
[EMAIL PROTECTED] wrote:
> Most of the components in ACEGI have their own interface, then provide an implementation. e.g. AuthenticationEntryPoint. The ExceptionTranslationFilter does not, it is a class that implements Filter. I am running into some problems with proxying and auto-wiring a class that do not occur with interfaces. I would like there to be an interface for ExceptionTranslationException.

Why do you need to make a proxy object for ExceptionTranslationFilter? It doesn't feel quite right to me. You get auto-wiring out-of-the-box given it's configured by a Spring application context.

Cheers
Ben
Re: [Acegisecurity-developer] amazon like login
hv @ Fashion Content wrote:
> How would you configure a login policy where
> 1) The last username used is never forgotten (saved in cookie)

You can't do that out of the box. You could investigate plugging into the remember-me filter, though, which has hooks to send back cookies after successful authentication. The cookie would later be read by your login.jsp (or equivalent controller that builds the view).

> 2) Some pages are merely dependent on the active user

You mean basic authorization approaches? Acegi Security does this in some depth. You should read the reference guide for details. I think there's several chapters on authorization alone.

> 3) Other pages are only available to an authorised user

See response to question #2. Also have a read of the section about tag libraries.

> Also is it possible to combine form and basic authentication

Yes. See the Contacts sample.

HTH
Ben
Re: [Acegisecurity-developer] Dynamic defaultTargetUrl
Tom Stroobants wrote:
> Suppose that my login form is integrated in another page and I want to return to that page that integrated my login page (so the original page) ... How do you do that in ACEGI?

Couldn't you use AbstractProcessingFilter.defaultTargetUrl = your login page plus AbstractProcessingFilter.alwaysUseDefaultTargetUrl = true?

HTH
Ben
Re: [Acegisecurity-developer] inconsistency in the UserMap implementation
Hi Pete

Pete Guyatt wrote:
> Does anyone have any objections to this suggestion?

None at all. Looks fine at first glance.

> Sorry about posting this bug via the mailing list, but I could not see any way to report this bug via JIRA or the website. For future reference I would like to know the correct procedure for posting bugs.

Would you please visit http://opensource.atlassian.com/projects/spring/secure/BrowseProject.jspa?id=10040 and log this as a JIRA issue? That way it can get tracked.

Thanks
Ben

- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
Re: [Acegisecurity-developer] Bean initialization, constructor injection etc.
Carlos Sanchez wrote:
> anyone?
>
> On 7/20/06, Carlos Sanchez [EMAIL PROTECTED] wrote:
>> I'm just wondering what people think about protected empty constructor so I can extend those classes instead of writing wrappers.

Hi Carlos

I am not a big fan of this idea. It's still compromising the project's source code for the sake of a suboptimal IoC container. Indeed I'm not entirely sure what it will buy you, as you still need to subclass in order to utilise the protected no-argument constructor.

Thus, you could instead isolate the changes using bytecode manipulation, as mentioned in an off-list email. You could write a general purpose no-argument utility class which contained a method such as:

public static Object instantiateWithGeneratedNoArgConstructor(Class)

Additional utility methods could be added to the utility class in order to obtain access to other protected fields that your new wrapper class might require.

What I'm essentially proposing is you write wrapper classes instead of subclassing, as the latter requires no-argument constructors whereas the former does not and you still end up with one additional class per Acegi Security class either way.

I still think that using the planned 1.1.0's namespace support with a private Spring beans dependency is the optimal long-term approach anyway.

Cheers
Ben
Re: [Acegisecurity-developer] Unsigned ACEGI jars
Kujat, Aaron wrote:
> I have downloaded the acegi-security-1.0.1 release from a number of mirrors now and I have not been able to find a properly signed jar file.

Hi Aaron

The JARs were not signed in 1.0.1 and this is not a problem. You can read more at http://www.mail-archive.com/acegisecurity-developer@lists.sourceforge.net/msg02009.html.

Cheers
Ben
Re: [Acegisecurity-developer] advanced feature
Kirin Eugene wrote:
> I want to allow not all users with the user permission to see this link, but only the user with a concrete ID. In other words, if the user has the user role and id = 5, then show the link. Do you know how best to implement it?

The taglib is designed only to work with roles. You'll need to customize it, or perhaps explore using the ACL taglib or approaching your problem a different way.

Cheers
Ben
Re: [Acegisecurity-developer] Bean initialization, constructor injection etc.
Luke Taylor wrote:
> I agree that reusability is important but I'm not convinced that these changes are justified on this basis, or that it is just about balancing reusability and ease of use. The use of constructor arguments is about guaranteeing that objects can only be created with a specific state (the dependencies required by their design) and providing a single point for checking that state (the constructor). This is a design issue based on the requirements as determined by the developer at the time they write the class. As time goes on and different requirements become apparent from forum posts and so on, compromises are made, access is provided to state that was previously immutable or unreadable etc etc. The most reusable code may provide no-arg constructors and getters and setters for everything, but it is also the least stable.

+1

> To summarise, there may be situations where we *do* want to open things up in this way for some classes, to provide extra extensibility, but I don't think accommodating the inadequacies of plexus is sufficient justification for a cross-the-board change. Could it not be argued that the changes should be made to plexus rather than Acegi?

Acegi Security should not be changed to accommodate limitations in IoC containers. If Plexus cannot be modified to support the required behaviour, I would encourage the addition of wrapper objects within a third party project (whatever is needing to use Acegi Security with Plexus) to achieve the required integration. I would hope that ultimately the wrapper objects could be removed, when Plexus supports constructor injection.

The other issue is that not using Spring for IoC will become a more pronounced issue as we move towards 1.1.0, because the namespaces feature in Spring 2.0 will be leveraged. As part of this most (if not all) classes will be refactored to use [full] constructor injection and end users will be encouraged to wire things up with Acegi Security XML rather than beans XML. This is partly to make things easier on users (XML verbosity and auto-completion), partly to give XML validation, but also to provide a level of indirection between the OO implementation approach and user configuration approach (thus giving us more flexibility to refactor the former without breaking the latter).

Therefore, perhaps the easiest thing to do would be look at using Spring as an internal configuration subsystem for Acegi Security and simply wrapping the Spring IoC container inside a bean that is in turn registered with Plexus or any other IoC container for that matter.

On another issue, could I ask whether there was a technical reason Plexus was selected instead of Spring? Perhaps you could use namespaces with Spring in your project, as they do give you a lot of genuine benefits aside from simpler Acegi Security integration (as summarized above).

Best regards
Ben
Re: [Acegisecurity-developer] Enhancements to Siteminder integration for 1.1.0
[EMAIL PROTECTED] wrote:
> Hi All,
>
> In the Docbook, at the end of Chapter 9: Siteminder Authentication Mechanism, someone added a TODO suggesting that a dedicated AuthenticationProvider be created instead of users having to modify their DaoAuthenticationProvider. They don't actually, but it does make sense to have a dedicated provider to keep things clean, and I'll go ahead and write this for 1.1.0.
>
> I'm unclear about the additional line though, "Also review the mixed use of SiteminderAuthenticationProcessingFilter, as it's inconsistent with the rest of Acegi Security's authentication mechanisms which are high cohesion." Could the person who added this Docbook TODO help me understand what is being suggested?
>
> Thanks,
> Scott

Hi Scott

I added the comment to the reference guide, after reading the following in the Siteminder section of the Reference Guide:

"Normally a DaoAuthenticationProvider expects the password property to match what it retrieves from the UserDetailsSource. In this case, authentication has already been handled by Siteminder and you've specified the same HTTP header for both username and password. As such, you must modify the code of DaoAuthenticationProvider to simply make sure the username and password values match."

If we don't need users to modify DaoAuthenticationProvider, we should modify the Reference Guide accordingly.

The second sentence of my comment really just reflected taking a closer look at the design, primarily because of the DaoAuthenticationProvider handling.

Thanks for volunteering to look at this for 1.1.0 BTW.

Cheers
Ben
Re: [Acegisecurity-developer] AJAX support follow up
Brian Pontarelli wrote:
> Hello everyone. I'd like to try one last time to get some backing from the Acegi developers for a patch to include AJAX login support into Acegi. I have written all of the code and just need to finish test cases, but I'd like to commit this back into the main line rather than supporting a fork locally. I think there are enough companies doing AJAX work and using a session (or that would like to use an AJAX style login form) that this is really a valuable patch.

Hi Brian

As Ray mentioned, if you could kindly attach your patch to a JIRA issue one of us will be able to review and hopefully incorporate it into the code base (if you've already put it into JIRA, please let me know the issue number).

Best regards
Ben
Re: [Acegisecurity-developer] SSO - Cookie, etc
Matthew Holt wrote:
> 1. Read SSO cookie username.
> 2. Check username against LDAP.

You need to write an authentication mechanism that can set up the SecurityContextHolder with an Authentication object representing the username derived from your SSO cookie. Usually this will be implemented as a Servlet Filter, as discussed more fully in the reference guide that ships in the release ZIPs or can be accessed from www.acegisecurity.org.

Best regards
Ben
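The Servlet Filter sketched in this reply, as an added example that is not from the list or from the Acegi project: it reads the SSO cookie, hands it to a validator that must establish the cookie is genuine (SsoCookieValidator is a hypothetical interface standing in for whatever the SSO product provides), looks the username up through a UserDetailsService (for example an LDAP-backed one, assumed to be configured elsewhere), and populates the SecurityContextHolder. The Acegi Security 1.0.x API is assumed; the filter and interface names are invented for this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.WebAuthenticationDetails;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;

/**
 * Hypothetical hook for the SSO product. A bare username in a cookie proves
 * nothing by itself (any client can set a cookie), so the implementation has to
 * check the cookie's signature or look it up with the SSO server before it
 * vouches for the username.
 */
interface SsoCookieValidator {
    /** @return the username the cookie vouches for, or null if missing, expired or not genuine */
    String validate(String cookieValue);
}

public class SsoCookieAuthenticationFilter implements Filter {

    private final String cookieName;
    private final SsoCookieValidator validator;
    private final UserDetailsService userDetailsService; // e.g. LDAP-backed

    public SsoCookieAuthenticationFilter(String cookieName, SsoCookieValidator validator,
            UserDetailsService userDetailsService) {
        this.cookieName = cookieName;
        this.validator = validator;
        this.userDetailsService = userDetailsService;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only act when nothing earlier in the chain (or the session) has authenticated the user.
        if (SecurityContextHolder.getContext().getAuthentication() == null
                && request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            String username = validator.validate(findCookie(httpRequest, cookieName));
            if (username != null) {
                try {
                    // Step 2 of the question: the directory decides whether the account still
                    // exists and which authorities it carries.
                    UserDetails user = userDetailsService.loadUserByUsername(username);
                    // The three-argument constructor marks the token as already authenticated.
                    UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                            user, null, user.getAuthorities());
                    auth.setDetails(new WebAuthenticationDetails(httpRequest));
                    SecurityContextHolder.getContext().setAuthentication(auth);
                } catch (UsernameNotFoundException e) {
                    // The cookie names an account the directory no longer knows: leave the
                    // request anonymous so the usual entry point handles it.
                }
            }
        }
        chain.doFilter(request, response);
    }

    static String findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) {
                return cookies[i].getValue();
            }
        }
        return null;
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}
```

Place the filter after HttpSessionContextIntegrationFilter in the chain so that the populated context is stored in the session and the cookie is not re-validated on every request.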
Re: [Acegisecurity-developer] Can't find some class for migration
Andrew Perepelytsya wrote:
> 1. Where is net.sf.acegisecurity.context.ContextInvalidException now? What is the replacement for it?
> 2. The SecureContext class had the validate() method, but I can't find it in SecurityContext now, nor does SecurityContextImpl contain it.

The SecurityContextHolder classes were quite extensively refactored over these releases, going from a general-purpose ThreadLocal store to a security-specific store. Did you need the above exception and method for something in particular? If you provide the usage scenario we can perhaps offer some suggestions.

Best regards
Ben
[Acegisecurity-developer] Acegi Security 1.0.0 is released!
Dear Spring Community

After more than two and a half years of development, I am delighted to announce that Acegi Security 1.0.0 is now officially released.

In addition to more than 80 improvements and fixes since 1.0.0 RC2, this new release also includes several changes to help new users. This includes a significant restructure and expansion of the reference guide (now more than 90 pages) and a new bare bones tutorial sample application. Furthermore, many of the frequently-identified problems experienced by new users have been addressed, such as custom 403 messages (as opposed to using the Servlet Container's error handler), detecting corrupt property input following the reformatting of XML files, and a new logout filter. We've also refactored our LDAP services, made the SecurityContextHolder a pluggable strategy (especially useful for rich clients who wish to avoid ThreadLocal), and improved CAS support.

Please visit http://opensource.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040styleName=Htmlversion=10360 for a detailed changelog. As always, detailed upgrade instructions are included in the release ZIP file.

The project's web site at http://acegisecurity.org provides additional information on Acegi Security's features, access to online documentation, and links to download the latest release. I will also be providing a presentation on Acegi Security at SpringOne next month, so I hope to see you there.

We trust that you find this new release useful in your projects.

Cheers
Ben
Re: [Acegisecurity-developer] Final preparation for 1.0.0 final
Joern Huxhorn wrote:
> It's possible that I'm missing something but I think it should be removed from the jar.

It has already been taken care of. See SEC-240.
Re: [Acegisecurity-developer] Final preparation for 1.0.0 final
Angelo Luis wrote:
> this is not fixed: http://opensource.atlassian.com/projects/spring/browse/SEC-99

It isn't fixed for the reasons I provided in the comment, being:

"I wish there was a simple way of resolving this issue, but whatever we do would inevitably break backward compatibility and represent a risk as we try to get 1.0.0 out. A more substantial refactoring of MethodDefinitionMap might be in order, particularly if it also allowed arguments to be declared."

Best regards
Ben
[Acegisecurity-developer] Final preparation for 1.0.0 final
Hi everyone

I would like to release 1.0.0 final on Friday 26 May. All JIRA issues assigned to me are now either completed or marked for a future release.

Please note that source code reformatting with Jalopy has been completed (SEC-97) and the /jalopy.xml file revised. One of the changes included going from 80 character to 120 character word wrapping (we all have wide screens by now, right?). Committers, please re-import this file into your IDE Jalopy plugin and ensure that all source code is formatted prior to committing.

There are presently eight JIRA issues outstanding for 1.0.0 final, as listed in the roadmap: http://opensource.atlassian.com/projects/spring/browse/SEC?report=com.atlassian.jira.plugin.system.project:roadmap-panel

Would Luke, Scott and Marc Antoine please check these eight issues and either close them or assign them to a future release ASAP. None of them look critical except for SEC-270.

A number of desired major feature improvements have been deferred to 1.0.1 or 1.1.0. These most notably include the refactored ACL services (SEC-239) and configuration simplification (SEC-271). These are two items I would have liked to see in 1.0.0, but we simply ran out of time. The sandbox contains some code for the ACL refactoring, so I'd like to invite existing ACL users to take a look and provide feedback.

Cheers
Ben
Re: [Acegisecurity-developer] Hit roadblock while securing Method AfterInvocation ...
Vikas Sasidharan wrote:
> I am not so enthusiastic about setting the flag to true. Could anybody suggest some other possible alternatives? My last option is to have a custom MethodSecurityInterceptor that enables separation of before-invocation and after-invocation interception. The problem is that I have set /allowIfAllAbstain/ to false. Consequently, when the method call gets intercepted (before invocation) the Role Voter would return ABSTAIN and because of the flag not being set, Acegi would deny access to the user.

I'd suggest you investigate the different AccessDecisionManager implementations provided out-of-the-box and if needed provide your own. You could always use the AuthenticatedVoter so that there is a before-invocation authorization decision made for each secure object invocation.

Cheers
Ben
Re: [Acegisecurity-developer] tentative 1.0 final date
Ben Munat wrote:
> I'm using RC-2 and I think I'm having trouble with the IllegalStateException problem as detailed in SEC-211. It appears that this issue is fixed in CVS, but won't be in a release until 1.0 final. Wondering if you guys are close on final (like in the next week or so), or if I should use a nightly build? Or maybe I should fall back to RC-1 since that didn't have the problem?

We will try to release it on 19 May, although it might slip to 26 May.

Cheers
Ben
Re: [Acegisecurity-developer] how to customize roles
Richard Han wrote:
> My question probably is more suitable to user-list, but we don't have one. Anyway, I am new to acegi, my question is, how do you customize role names, for instance, if I want to use ROLE_STUDENT, ROLE_PROFESSOR, how would I let acegi recognize them?

In two places:

1. These would be your configuration attributes against AbstractSecurityInterceptor.objectDefinitionSource.
2. They would be returned in your UserDetails object from the UserDetailsService used by your AuthenticationProvider.

Cheers
Ben
[Acegisecurity-developer] SVN Commit Messages
Hi everyone

For the sake of consistency and ease of reviewing history logs, would developers please always format SVN commit messages to begin with the JIRA issue number, followed by a colon, then a brief description of the check-in. More detailed messages can be placed in the JIRA task.

eg: SEC-123: Constructor no longer requires null.

Thanks very much.

Ben
Re: [Acegisecurity-developer] Subversion? (Change completed)
Carlos Sanchez wrote:
> Looks right, only that https://svn.sourceforge.net/svnroot/acegisecurity/trunk/CVSROOT should be deleted

Thanks for the feedback, Carlos. Re CVSROOT, that's an artifact of the cvs2svn process. Even automatically migrated SF repositories (eg Spring Rich Client) have this come across.

On a related issue, what is stopping us using Maven 2 for Acegi Security now? I would ideally like to release 1.0.0 final with Maven 2, and remove all the old project.xml files. I don't mind if it means we have to lose some plugins, just as long as we can do some form of JAR creation, unit test execution, code coverage measurement and building a PDF and HTML-based DocBook. Are these functions working at present?

Cheers
Ben
Re: [Acegisecurity-developer] CAS support in Acegi
Scott Battaglia wrote:
> I'm looking at re-working the CAS (some of it based on the new CAS client code). Would you prefer I wait until after the Acegi 1.0.0 Final release (i.e. target 1.1) and just focus on the current open CAS issues?

Hi Scott

I am trying to get 1.0.0 final out within a fortnight, and expect 1.0.1 will follow fairly quickly after that (ie within two or three weeks). It would probably be best if you could make any structural changes to be included in 1.0.0 final, otherwise 1.0.1 may not be backward compatible.

Cheers
Ben
Re: [Acegisecurity-developer] Subversion? (Change completed)
Ben Alex wrote:
> Last weekend SF had some CVS issues, so I didn't make the switch as intended. I'm now going to hold off doing this until early May, because I'm largely on the road until then and don't want to change things and be unavailable if anything goes wrong. Just wanted to let everyone know what's happening with the change.

I have now completed the migration from CVS to SVN. This includes:

- CVS is no longer visible on the SF project page
- SVN is now visible on the SF project page
- All developers have had their CVS permissions revoked (in case they don't see this email)
- All developers now have SVN permissions granted
- The Maven POMs have been modified accordingly
- SVN commit messages are now emailed to acegisecurity-cvs, just as CVS used to
- The daily script now builds checkouts from SVN only (see http://acegisecurity.sourceforge.net/nightly)

As an aside, I had to complete the migration manually (use a SF CVS tarball, run cvs2svn on a local Linux box, SSH the resulting dump file, then import). The SF process didn't work, and cvs2svn failed locally with keyword failure errors. If anyone else has similar difficulties, the --use-cvs option on cvs2svn sorted it out.

Would one of our resident Maven experts (Luke, Carlos?) please check that the checkout instructions in /docs/xdocs/cvs-usage.html are correct, as are the various POM files.

Cheers
Ben
[Acegisecurity-developer] Roadmap for 1.0.0 final
Hi everyone

Last night I went through all open JIRA tasks. Most are now assigned to a target release and a specific developer.

I would like to release 1.0.0 final in around two weeks, and I have set aside some days to work exclusively on Acegi Security in this period. Would developers therefore please take a look at their assigned tasks and comment on their present status within the next couple of days. If you do not believe you will have time to resolve assigned tasks over the next fortnight, please reassign them back to me so that I can either action it or defer it until a future release.

Thanks in advance.

BTW, I'll ensure 1.0.0 final includes some extra samples, tutorials, and revised reference documentation to help new users. We need to improve the quality of support resources for new users, such that forum time can be diminished in favor of more development time.

Cheers
Ben
Re: [Acegisecurity-developer] Re: CAS configuration
Marc-Antoine Garrigue wrote:
> I see 3 solutions:

I will refer this one to Scott, as he maintains the CAS integration these days. Scott, your thoughts?

Cheers
Ben
Re: [Acegisecurity-developer] Is it possible to secure CGI scripts?
[EMAIL PROTECTED] wrote:
> I've managed to authorize my perl scripts now as expected. Now I need to send some data from my java filters i.e. roles possessed by the user to the CGI perl script but I don't know how to do this. Any suggestion?

What exact approach are you using to run your Perl scripts?

Cheers
Ben
Re: [Acegisecurity-developer] Issue with FilterChainProxy when upgrading from 0.9.0 to 1.0.0-RC2
Konstantin Shaposhnikov wrote:
> I think that functionality provided in acegi 0.9.0 was quite useful, because Ant patterns are much more flexible than those provided by the servlet API, so it would be good to restore this behavior - when the value is empty then no filters will be applied to the request.

Please add this to JIRA as an enhancement request. I think some sort of express value would be in order - such as #NONE# - rather than allowing the right hand side of the equals to be entirely empty. The alternative is to use a NullFilter, but this increases invocation time unnecessarily.

Best regards
Ben
[Acegisecurity-developer] Conferences and Polish article
Hi everyone

Just wanted to let you all know that I'll be attending two conferences in Europe this June:

* The Second International Conference on Open Source Systems on 8-10 June in Como, Italy. See http://oss2006.dti.unimi.it/.
* SpringOne on 15-16 June in Antwerp, Belgium. I'll be presenting a session on Acegi Security. See http://www.springone.com.

Look forward to meeting some of you there.

On another issue, is there any member of the community interested in writing a high-level article on Acegi Security for a Polish computer magazine? I've been invited to write one in English (which the magazine will translate), but thought I'd extend the offer to anyone who may speak Polish natively, or has time to write an article in English with a view to translation. If interested, please ping me off-list.

Cheers
Ben
Re: [Acegisecurity-developer] Subversion?
Ben Alex wrote:
> Does anyone have any concerns with the project migrating from CVS to SVN? If there aren't any objections, I'll make the change in about a week.

Last weekend SF had some CVS issues, so I didn't make the switch as intended. I'm now going to hold off doing this until early May, because I'm largely on the road until then and don't want to change things and be unavailable if anything goes wrong. Just wanted to let everyone know what's happening with the change.

Cheers
Ben
Re: [Acegisecurity-developer] checking for invalid user accounts in AuthenticationProvider implementations
Tim Kettering wrote:
> Maybe it'd be useful if those checks found in DaoAuthenticationProvider be made available as a pluggable component that other AuthenticationProviders can utilize?

Hi Tim

If you could please add it to JIRA, I'll make a static method that accepts a UserDetails and throws an appropriate AuthenticationException based on its state.

Best regards
Ben
Re: [Acegisecurity-developer] Is it possible to secure CGI scripts?
[EMAIL PROTECTED] wrote:
> Is it possible to secure perl scripts that are invoked as CGI programs?

FilterSecurityInterceptor works at the filter level, so if the filter will be called, it should be able to authorize based on URI.

Best regards
Ben
[Acegisecurity-developer] Subversion?
Hi everyone

SourceForge have recently modified their offering so we can migrate to SVN (without losing revision history) - see http://sourceforge.net/docman/display_doc.php?docid=31070&group_id=1#import. I have also been using SVN recently and had good results. The Subclipse plugin at Update Manager URL http://subclipse.tigris.org/update_1.0.x works quite well.

Does anyone have any concerns with the project migrating from CVS to SVN? If there aren't any objections, I'll make the change in about a week.

Cheers
Ben
Re: [Acegisecurity-developer] change to Authentication object
Scott Battaglia wrote:
> Would it make sense to change the Object getPrincipal() method to UserDetails getPrincipal() such that users can swap the providers without having to worry whether the Authentication object from one provider returns a different Principal from the other Authentication objects (or should people always just call UserDetails)?

Hi Scott

I am inclined to leave it as-is, as detecting the type returned by getPrincipal() is rather easy to do, and can be encapsulated into a static utility method in any event. Also, as we're in the 1.0.0 RC phase, changing a relatively central interface like Authentication should be viewed with caution.

Cheers
Ben
Re: [Acegisecurity-developer] Building with maven or maven2
Carlos Sanchez wrote:
> - What is the preferred maven version? I think maven2 is easier to tame

1.0.2 is the one I used a few weeks back to successfully build Acegi Security 1.0.0 RC2.

> - Which repos are to be used?

They are defined in project.properties and you shouldn't need to modify them.

> - Could I expect the build from CVS to fail or am I doing something wrong

It should build from CVS. Please try again with Maven 1.0.2 from CVS HEAD and report any problems on this list.

Thanks
Ben
Re: [Acegisecurity-developer] Acegi, JSF and Spring
Konstantin Shaposhnikov wrote:
> I would recommend you to write a simple bean with a getter method that returns the current logged in user from SecurityContext:
>
>     import org.acegisecurity.context.SecurityContext;
>     import org.acegisecurity.context.SecurityContextHolder;
>
>     public class CurrentUser {
>         // Returns the principal of the Authentication stored for the current thread.
>         public Object getPrincipal() {
>             SecurityContext ctx = SecurityContextHolder.getContext();
>             if (ctx == null) return null;
>             return ctx.getAuthentication().getPrincipal();
>         }
>     }

SecurityContextHolder.getContext() is guaranteed to never return null, so you can skip that check. Also consider if the getPrincipal() returns a UserDetails object, as in that case you'll probably want to cast the getPrincipal() Object to UserDetails and use one of its getters instead (eg getUsername()).

Cheers
Ben
Re: [Acegisecurity-developer] ACL for massive databases
Jeoff Wilks wrote:
> Ben, can you elaborate a bit on how you structured your DB schema for ACLs? I'm facing this problem right now (need ACLs at both app level and database level), and I would appreciate understanding a little more about the intent of the Acegi design in that respect. (Apologies for resurrecting an old thread).

Unfortunately I cannot provide a generally-useful schema, as it was very specific to the application I was working on. However, I would encourage you to consider the most efficient way to model, update (via triggers, stored procedures etc) and use (via views etc) your data at a DB level - don't worry too much about Acegi Security's ACL requirements. This is because DBs have specific optimisation considerations, not only in terms of normalisation but also in terms of efficient operation of views and triggers. Acegi Security can hook into whatever you end up developing for the DB via its general-purpose BasicAclDao interface. If needed you can always provide a DB view for use by your BasicAclDao implementation.

Best regards
Ben
Re: [Acegisecurity-developer] Scoped Role
Hao Chen wrote:
> One thing I can think of is to change the GrantedAuthorities dynamically for every request based on which workspace the user is trying to access. Will this work?

That will work, but it means you will be using AuthenticationManager again for every request and you will need to be careful not to use the normal caching.

It is far simpler in your case to write a custom AccessDecisionVoter that can read the current workspace (either from an argument to the secure method invocation or from a ThreadLocal) and then only consider the GrantedAuthority[]s that are applicable for that workspace. It's quite easy to do it, and you can use the existing RoleVoter as a guide.

Best regards
Ben
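A workspace-scoped voter of the kind Ben describes, as an added example that is not code from this thread or from Acegi Security itself. It assumes a hypothetical WorkspaceHolder ThreadLocal populated earlier in the request and an authority naming convention of WORKSPACE_<name>_ROLE_<role> (both are assumptions of this example), and is written against the Acegi 1.0 AccessDecisionVoter API with RoleVoter as the structural model.

```java
import java.util.Iterator;

import org.acegisecurity.Authentication;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.vote.AccessDecisionVoter;

/**
 * Hypothetical holder for the workspace the current request operates on.
 * A filter (or the caller of the secured method) sets it; the voter only reads it.
 * Assumed for this example; not part of Acegi Security.
 */
class WorkspaceHolder {
    private static final ThreadLocal current = new ThreadLocal();

    static void setWorkspace(String workspace) { current.set(workspace); }
    static String getWorkspace() { return (String) current.get(); }
    // Call from a finally block at the end of each request so a pooled
    // thread never carries one user's workspace into the next request.
    static void clear() { current.set(null); }
}

/**
 * Votes on ROLE_* configuration attributes like RoleVoter, but only counts
 * authorities granted for the current workspace. Assumed naming convention:
 * "WORKSPACE_<name>_ROLE_<role>", so "WORKSPACE_finance_ROLE_EDITOR"
 * satisfies the attribute "ROLE_EDITOR" only while the workspace is "finance".
 * Workspace names must not contain '_' for the encoding to stay unambiguous.
 */
public class WorkspaceRoleVoter implements AccessDecisionVoter {
    private static final String ROLE_PREFIX = "ROLE_";
    private static final String WORKSPACE_PREFIX = "WORKSPACE_";

    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null
            && attribute.getAttribute().startsWith(ROLE_PREFIX);
    }

    // As with RoleVoter, the secure object type itself is not inspected.
    public boolean supports(Class clazz) {
        return true;
    }

    public int vote(Authentication authentication, Object object,
                    ConfigAttributeDefinition config) {
        int result = ACCESS_ABSTAIN;
        String workspace = WorkspaceHolder.getWorkspace();

        Iterator iter = config.getConfigAttributes();
        while (iter.hasNext()) {
            ConfigAttribute attribute = (ConfigAttribute) iter.next();
            if (!supports(attribute)) {
                continue;
            }
            // A ROLE_ attribute is present, so this voter must take a position.
            // With no workspace established we deny rather than abstain: an
            // AccessDecisionManager with allowIfAllAbstain=true would otherwise
            // let the invocation through.
            result = ACCESS_DENIED;
            if (workspace == null) {
                return ACCESS_DENIED;
            }

            String required = WORKSPACE_PREFIX + workspace + "_" + attribute.getAttribute();
            GrantedAuthority[] authorities = authentication.getAuthorities();
            for (int i = 0; authorities != null && i < authorities.length; i++) {
                if (required.equals(authorities[i].getAuthority())) {
                    return ACCESS_GRANTED;
                }
            }
        }
        return result;
    }
}
```

Register the voter in the decisionVoters list of your AccessDecisionManager (for instance alongside AuthenticatedVoter in an AffirmativeBased manager) in place of RoleVoter, so that plain ROLE_* authorities from other workspaces no longer satisfy the attribute.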
Re: [Acegisecurity-developer] setting attributes for remember-me cookie
Tim Kettering wrote:
> I scoured the forums and mailing list and did not find anyone bringing up this issue. I suspect it's because everyone (?) so far might have been using the filter based login. Which we are not, so this would not be a problem for them.

Hi Tim

If you are able to provide a JIRA patch that will provide this flexibility, I would be happy to apply it for you.

Cheers
Ben
Re: [Acegisecurity-developer] CasPasswordHandler bean setup woes
Scott Battaglia wrote:
> If there's interest I can write an AuthenticationHandler that delegates to an Acegi AuthenticationManager similar to what the current CAS adapter does.

Hi Scott

I think it would be good to have a 3.x-series compatible AuthenticationHandler, so that people wanting to try out CAS who already have an Acegi Security authentication environment configured can do so without trying to configure one of the CAS-included handlers. It just makes the testing requirements a little easier on people, so they're more likely to try out CAS.

Also, I am presuming that given CAS 3.0.4 is now stable we could probably move the old CAS 2.x PasswordHandler to the sandbox and change our project JAR dependency to 3.x. Any thoughts?

Cheers
Ben
Re: [Acegisecurity-developer] CasPasswordHandler bean setup woes
Scott Battaglia wrote:
> Ben, I'll work on a CAS3/Acegi AuthenticationHandler this week. It shouldn't be too difficult. Do you think having both the PasswordHandler and an AuthenticationHandler will cause problems? We are in RC, so I'm not sure we want to remove the handler.

After reading your and Andrew's mails, I think it best to keep CAS 2 compatibility in Acegi Security's CAS adapter subproject for a while longer. I am guessing 2.x and 3.x exist in different package namespaces, so having both JARs as dependencies shouldn't represent an issue.

> I will also add an option to CAS to create an api jar file to place in a Maven repository so that we can include it in Acegi (we don't have one yet).

Excellent. In the meantime you are welcome to place them in the http://acegisecurity.sourceforge.net/maven repository. FYI you have access to shell.sourceforge.net:/home/groups/a/ac/acegisecurity/htdocs/maven by virtue of your CVS privileges.

> Finally, we should update the references to CAS in the project to JA-SIG CAS with the URL http://www.ja-sig.org/products/cas/ [we just created this site]. Do you want me to do that?

Yes, please. If you could update the reference manual with an explanation of CAS 3.x-specific processes and some commentary about which version to use, it would be appreciated. If you don't have time to do this, would you please add it as a JIRA task so that it's tracked?

Cheers
Ben
Re: [Acegisecurity-developer] SecurityContextHolder javadoc error
Andrey Moiseenko wrote:
> Javadoc for org.acegisecurity.context.SecurityContextHolder: Associates a given SecurityContext with the current execution thread and any new threads the current execution thread may spawn.

Logged as SEC-188 and fixed in CVS.

Ben
Re: [Acegisecurity-developer] Basic Auth and Form-Based Auth
Jeoff Wilks wrote: It's not immediately obvious to me how you'd do this, since Basic Auth normally prompts with a 401 response. However, I could require that machine clients proactively send the basic auth info (not waiting for a 401), so the server just attempts to process basic auth, and failing that, does form auth. That's exactly how it's done. Please see the Contacts Sample (Filters) application, as it demonstrates BASIC + Form authentication being used in the same application for different clients. Cheers Ben
[Acegisecurity-developer] Acegi Security - new release 1.0.0 RC2
Dear Spring Community I'm pleased to announce that Acegi Security release 1.0.0 Release Candidate 2 is now available. This release includes over 50 improvements and fixes since 1.0.0 RC1, including comprehensive new LDAP capabilities. We recommend that users upgrade to 1.0.0 RC2 in order to take advantage of these improvements. Upgrading to 1.0.0 will also assist us in identifying any issues as we move towards our final 1.0.0 release. Please visit http://opensource2.atlassian.com/projects/spring/secure/ReleaseNote.jspa?projectId=10040&styleName=Html&version=10361 for a detailed changelog. As always, detailed upgrade instructions are included in the release ZIP file. The project's web site at http://acegisecurity.org provides additional information on Acegi Security's features, access to online documentation, and links to download the latest release. We hope you find this new release useful in your projects. Cheers Ben
Re: [Acegisecurity-developer] accept both basic and digest authentication?
[EMAIL PROTECTED] wrote: How can one set up Acegi to accept either one of basic or digest authentication? Just add them both to the filter chain, and specify your preferred default (for unauthenticated requests which attempt to access a secure resource) as the ExceptionTranslationFilter.authenticationEntryPoint. Best regards Ben
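The ordering principle behind both of the replies above (BASIC + Form in one chain, and BASIC + Digest in one chain) is the same: an authentication filter only acts when the client proactively presented credentials of its kind, it never issues the 401 itself for a request that offered nothing, and the single preferred challenge for an unauthenticated request to a secure resource lives in one place, the entry point. The following is an added illustration in plain servlet-API Java, written for this page; it is not Acegi's BasicProcessingFilter or ExceptionTranslationFilter. The request attribute name `example.principal`, the user table and the realm are assumed for the example; a Digest filter would key on `Authorization: Digest` in exactly the same position and is not implemented here. Requires Java 8+ for `java.util.Base64`.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not Acegi's BasicProcessingFilter). It authenticates a request
 * only when the client proactively sent "Authorization: Basic ..."; a request without
 * that header is passed down the chain untouched, so a browser user still reaches the
 * form-login flow and, on a secure resource, the chain's default entry point.
 */
public class ProactiveBasicAuthFilter implements Filter {
    /** Hypothetical request attribute under which the authenticated username is stored. */
    public static final String PRINCIPAL_ATTR = "example.principal";

    private final Map<String, String> users; // constructed user table: username -> password

    public ProactiveBasicAuthFilter(Map<String, String> users) {
        this.users = users;
    }

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader("Authorization");

        // No Basic credentials offered: do not challenge with 401 here. Whether this
        // client eventually sees a 401 or a login page is the entry point's decision.
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            chain.doFilter(req, res);
            return;
        }

        String[] creds = decodeBasic(header.substring(6).trim());
        if (creds != null && passwordMatches(creds[0], creds[1])) {
            request.setAttribute(PRINCIPAL_ATTR, creds[0]);
            chain.doFilter(req, res);
            return;
        }

        // Credentials were offered but are wrong: this client speaks Basic, so answer
        // with a Basic challenge rather than a redirect to an HTML login form.
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Decodes "dXNlcjpzZWNyZXQ=" into {"user", "secret"}; null for malformed input. */
    static String[] decodeBasic(String base64) {
        try {
            String pair = new String(Base64.getDecoder().decode(base64), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            if (colon < 0) {
                return null;
            }
            return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Compares with MessageDigest.isEqual so the check does not stop at the first differing byte. */
    private boolean passwordMatches(String username, String presented) {
        String expected = users.get(username);
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}

/**
 * Stand-in for the chain's default entry point (the role ExceptionTranslationFilter's
 * authenticationEntryPoint plays in Acegi): what an unauthenticated request to a secure
 * resource receives. One preferred answer is configured per deployment.
 */
class DefaultEntryPoint {
    private final boolean challengeWithBasic;
    private final String loginUrl;

    DefaultEntryPoint(boolean challengeWithBasic, String loginUrl) {
        this.challengeWithBasic = challengeWithBasic;
        this.loginUrl = loginUrl;
    }

    void commence(HttpServletResponse response) throws IOException {
        if (challengeWithBasic) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            response.sendRedirect(loginUrl); // browser users get the form
        }
    }
}
```

Note the asymmetry: the filter does send 401 when credentials were offered and rejected, because a client that spoke Basic cannot follow an HTML login redirect; only the "nothing offered" case is deferred to the entry point. That deferral is what makes one chain serve both browsers and machine clients.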
Re: [Acegisecurity-developer] security filters not executing for custom error page
Brian Moseley wrote: I've configured a custom error page for 403 responses in my web.xml. I want that page to use the authz taglib to render itself differently depending on whether the authentication for the request is anonymous or represents a known user of my application. This is discussed a few times on the forums. Essentially there is nothing we can do about it. Some people have modified the ExceptionTranslationFilter (RC2 rename of SecurityEnforcementFilter) method sendAccessDenied(ServletRequest, ServletResponse, FilterChain, AccessDeniedException) to store additional information in HttpSession given it's not available from the normal SecurityContextHolder. Alternatively, use a JSP-based 403 page and access the HttpSession attribute keyed on HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY to retrieve the user's details. This won't help you with the authz taglib, though, as it uses SecurityContextHolder. I suppose it's worth considering making it (and other taglibs) revert to checking the HttpSession directly if SecurityContextHolder doesn't contain an Authentication (such a check could be put into a static utility method for use by any taglib or templating system macro). Cheers Ben
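The static utility Ben sketches at the end of the reply above, written out as an added example for this page (it is not part of Acegi Security): it prefers the Authentication in SecurityContextHolder and, when the holder is empty because the 403 error-page dispatch did not pass through the filter chain, falls back to the SecurityContext that HttpSessionContextIntegrationFilter stored in the HttpSession under ACEGI_SECURITY_CONTEXT_KEY. The class name `CurrentAuthentication` and the "anonymous" display fallback are choices made for the example; the Acegi types and the session key are the real ones named in the thread.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationTrustResolver;
import org.acegisecurity.AuthenticationTrustResolverImpl;
import org.acegisecurity.context.HttpSessionContextIntegrationFilter;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;

/**
 * Example utility for an error page or taglib (name chosen for this example).
 * Looks in SecurityContextHolder first and falls back to the HttpSession copy
 * that HttpSessionContextIntegrationFilter maintains between requests.
 */
public final class CurrentAuthentication {
    private static final AuthenticationTrustResolver TRUST_RESOLVER =
            new AuthenticationTrustResolverImpl();

    private CurrentAuthentication() {}

    /** Returns the current Authentication, or null if neither source has one. */
    public static Authentication get(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) {
            return auth;
        }
        // Error-page dispatch: the holder was cleared when the filter chain unwound,
        // but the session attribute written by the integration filter is still there.
        HttpSession session = request.getSession(false); // never create a session from an error page
        if (session == null) {
            return null;
        }
        Object stored = session.getAttribute(
                HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY);
        if (!(stored instanceof SecurityContext)) {
            return null;
        }
        return ((SecurityContext) stored).getAuthentication();
    }

    /**
     * True only for a known user: an anonymous token reports isAuthenticated() as true,
     * so the trust resolver is needed to tell the two apart.
     */
    public static boolean isKnownUser(HttpServletRequest request) {
        Authentication auth = get(request);
        return auth != null && auth.isAuthenticated() && !TRUST_RESOLVER.isAnonymous(auth);
    }

    /** Name to show on the 403 page: the principal's name, or "anonymous". */
    public static String displayName(HttpServletRequest request) {
        Authentication auth = get(request);
        return isKnownUser(request) ? auth.getName() : "anonymous";
    }
}
```

From a JSP-based 403 page this is a one-liner such as `<%= CurrentAuthentication.displayName(request) %>`, and the same `get(request)` call is the piece a taglib would use to "revert to checking the HttpSession directly" as the reply suggests. The `request.getSession(false)` is deliberate: an error page must not create a session for an unauthenticated client just to discover that it has none.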