Hi Jon,

Thanks much for the feedback. I assumed Acegi will do all the hard work / encapsulate things like password encryption, login and other unauthorized access to the pages? Because with a normal implementation, I need to do the one-way encryption myself to authenticate the user, for example. Does Acegi do that? I mean the authenticate method; do I need to override it myself for encryption purposes?

Please advise, thanks
wesley

Jonathan Barker wrote:
>
> I remember going through the Acegi documentation the first time. It was
> daunting.
>
> In hindsight, it boils down to this:
>
> The central object in Acegi is the SecurityContext. You need to store and
> retrieve it from your HttpSession and that is done either through a filter
> configured in web.xml (for a Spring-configured scenario), or as a part of a
> Tapestry filter chain (for tapestry5-acegi).
>
> You need to configure at least one AuthenticationProvider using a
> UserDetailsService, and pass it to the AuthenticationManager. I like the
> InMemoryDaoImpl as the UserDetailsService for initial development, and a way
> of embedding special administrative accounts. Don't waste time reading
> about all of the options for this service. Know that later you can add
> additional AuthenticationProviders to have multiple authentication methods.
>
> The AuthenticationProvider can be invoked manually (by injecting it into
> your page, and calling methods like authenticate()), or via a specific jsp
> page.
>
> For example, and this can be handy for testing, you can do this:
>
>     @Inject
>     private AuthenticationManager _authenticationManager;
>
>     ...
>
>     UsernamePasswordAuthenticationToken authRequest =
>         new UsernamePasswordAuthenticationToken(_username, _password);
>     Authentication authResult;
>
>     try {
>         // Debug output for testing: username only, never the password.
>         System.out.println("username:" + _username);
>         authResult = _authenticationManager.authenticate(authRequest);
>         logger.info("successful login for: " + _username);
>     } catch (BadCredentialsException failed) {
>         // Same message for every failure, so the form does not reveal
>         // whether the username exists.
>         _form.recordError(_passwordField, "Invalid username or password");
>         logger.info("bad password for: " + _username);
>         return null;
>     } catch (AuthenticationException failed) {
>         _form.recordError(_passwordField, "Invalid username or password");
>         logger.info("failed login for: " + _username);
>         return null;
>     }
>
>     // Store the result so the rest of the request sees the user as logged in.
>     SecurityContextHolder.getContext().setAuthentication(authResult);
>
> Then you need to enforce security (authorize). This can be directly, by
> getting the SecurityContext and asking for the Authentication object, and
> then getting a list of GrantedAuthorities and working with that. (Read the
> code for the tapestry5-acegi IfRole component if you want to see what I
> mean). Or, it can be done using Spring configured filters for URL patterns,
> or tapestry5-acegi filters for pages or patterns.
>
> It's only daunting if you look at it all at once.
>
> Jonathan
>
>> -----Original Message-----
>> From: wesley [mailto:[EMAIL PROTECTED]
>> Sent: Sunday, October 05, 2008 12:37
>> To: users@tapestry.apache.org
>> Subject: RE: spring T5 integration on acegi security considerations
>>
>> hi,
>>
>> thanks for the feedback, as long as the pages are secure and can prevent
>> unauthorized users from logging in i'm open for any options. previously what
>> i did was quite traditional, implementing a one way password encryption,
>> setting keystore and config within tomcat container. to me acegi is like a
>> huge topic and mass complexion to implement. so when come to the decision on
>> implementing it is really a challenge to me.
>> the tutorials are great but mostly aim at T5 alone (which is normal). but
>> within my implementation where it is an integrated environment, i really
>> have no idea which one should i choose.
>>
>> Jonathan Barker wrote:
>> >
>> > It depends on your needs. The tapestry5-acegi or tapestry-spring-security
>> > (http://www.localhost.nu/java/tapestry-spring-security/index.html) are
>> > probably easier to drop in. The Spring-configured route might be better if
>> > your application includes other servlets or filters.
>> >
>> > Either way you will be able to get access to things like the
>> > AuthenticationManager if you need to from your page classes.
>> >
>> > With an older T4 app, I used Spring / Hibernate / Acegi with Acegi
>> > configured via Spring. I also rolled a few components: Authorize and
>> > AclAuthorize.
>> >
>> > With the T5 apps I now do, I use a slightly modified tapestry5-acegi
>> > although I still use Spring for DAO's and some services. Parts of my old
>> > Authorize component are now included in the tapestry5-acegi IfRole
>> > component.
>> >
>> > Actually, I think tapestry5-acegi and its successor would benefit from being
>> > split in two: one piece for the annotations, components and supporting
>> > pieces that are specific to Tapestry, and the second piece to allow for a
>> > choice of configuration via Spring, or configuration via tapestry-ioc.
>> >
>> > Whichever way you choose, it's better than re-inventing the wheel and
>> > rolling your own security.
>> >
>> > Jonathan
>> >
>> >> -----Original Message-----
>> >> From: wesley [mailto:[EMAIL PROTECTED]
>> >> Sent: Friday, October 03, 2008 10:59
>> >> To: users@tapestry.apache.org
>> >> Subject: spring T5 integration on acegi security considerations
>> >>
>> >> hi all,
>> >>
>> >> i've been implementing a project by using T5 mostly as front end, spring
>> >> framework for back(eg Dao and db operations).
>> >> after few search on it regarding the acegi implementation, i'm a little
>> >> bit confused as whether or not to implement this security framework on
>> >> T5 or spring. any recommendations or advise on this topic? should i just
>> >> apply this security layer on T5 alone? or Spring 2 for securing the
>> >> backend or both??
>> >>
>> >> please advise, thanks
>> >>
>> >> wesley
>> >> --
>> >> View this message in context: http://n2.nabble.com/spring-T5-integration-on-acegi-security-considerations-tp1142158p1142158.html
>> >> Sent from the Tapestry Users mailing list archive at Nabble.com.
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> For additional commands, e-mail: [EMAIL PROTECTED]

--
View this message in context: http://n2.nabble.com/spring-T5-integration-on-acegi-security-considerations-tp1142158p1301362.html
Sent from the Tapestry Users mailing list archive at Nabble.com.
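
The Spring-configured wiring described in the thread (a UserDetailsService inside an AuthenticationProvider, handed to the AuthenticationManager), shown with one-way password hashing set on the provider so that authenticate() does not have to be overridden. This is an added example, not configuration posted by anyone in the thread; the bean ids, the admin account and the REPLACE_WITH_... value are placeholders, and it assumes Acegi 1.0.x with Spring 2.0.

```xml
<!-- Added example. Bean ids and the sample account are illustrative. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

  <!-- The AuthenticationManager that a page class injects and calls authenticate() on. -->
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <!-- More AuthenticationProviders can be appended here later. -->
        <ref bean="daoAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <!-- Loads the user, hashes the submitted password with the salt,
       and compares the result with the stored digest. -->
  <bean id="daoAuthenticationProvider"
        class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="passwordEncoder" ref="passwordEncoder"/>
    <property name="saltSource" ref="saltSource"/>
  </bean>

  <bean id="passwordEncoder"
        class="org.acegisecurity.providers.encoding.ShaPasswordEncoder"/>

  <!-- Per-user salt: the value returned by UserDetails.getUsername(). -->
  <bean id="saltSource"
        class="org.acegisecurity.providers.dao.salt.ReflectionSaltSource">
    <property name="userPropertyToUse" value="getUsername"/>
  </bean>

  <!-- InMemoryDaoImpl for initial development.
       Entry format: username=storedPassword,ROLE[,ROLE...]
       With an encoder configured, storedPassword must be the digest returned by
       passwordEncoder.encodePassword(rawPassword, salt), not the raw password. -->
  <bean id="userDetailsService"
        class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        admin=REPLACE_WITH_ENCODED_DIGEST,ROLE_ADMIN
      </value>
    </property>
  </bean>
</beans>
```

ShaPasswordEncoder performs a single salted SHA-1 pass, which is fast to brute-force if the stored digests leak; a slower purpose-built password hash can be plugged in through the same passwordEncoder property.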