Ben, I've been very very busy the last while so I only had a chance today to try the 0.51 release. I was previously using the CVS HEAD version from around May 27th, which is a couple of days before you reworked the user caching code.

There seems to be a problem when digest passwords are used. By the time isPasswordCorrect in DaoAuthenticationProvider is called the 2nd and subsequent times, the authentication and user (from the cache) objects it is fed both have the hashed password strings. Then MD5PasswordEncoder tries to rehash what it thinks is the raw pass (coming from the Authentication object), so authentication fails.

I think this is probably a very trivial fix, but this is my last day at this position, so I don't know if I will have time to fix this and check in a fix right now. I'm running out of time with lots of stuff left to do, so I may just roll back to the previous version for the time being.

Colin


Ben Alex wrote:

Dear Spring Community

I'm pleased to announce the Acegi Security System for Spring release 0.51 is
now available from http://acegisecurity.sourceforge.net. The project
provides comprehensive security services for The Spring Framework.

FEATURES:

* It is ready NOW
* Easy to use and deploy (includes a new samples/quick-start directory)
* Enterprise-wide single sign on (via Yale Uni's CAS project)
* Reuses your Spring expertise
* Non-intrusive setup
* Full (but optional) container integration
* Keeps your objects free of security code
* Secures your HTTP requests as well (regular expressions, Ant Paths etc)
* Channel security (HTTPS/HTTP auto redirection etc)
* Supports HTTP BASIC authentication (RFC 1945)
* Convenient security taglib
* Application context or attribute-based configuration
* Various authentication backends (including JDBC)
* Event support
* Easy integration with existing databases (no schema changes)
* Caching (now pluggable, with an EHCACHE implementation)
* Pluggable architecture
* Startup-time validation
* Remoting support (demonstrated in sample application)
* Advanced password encoding (SHA, MD5, salts etc)
* Run-as replacement
* Unit tests (Clover coverage is currently 97%)
* Container integration tests
* Supports your own unit tests
* Peer reviewed
* Thorough documentation
* Apache license

CHANGES IN 0.51:

* Added samples/quick-start
* Added NullRunAsManager and made default for AbstractSecurityInterceptor
* Added event notification (see net.sf.acegisecurity.providers.dao.event)
* Updated JAR to Spring 1.0.2
* Updated JAR to Commons Attributes CVS snapshot from Spring 1.0.2 release
* Updated GrantedAuthorityImpl to be serializable (JBoss support)
* Updated Authentication interface to present extra details for a request
* Updated Authentication interface to subclass java.security.Principal
* Refactored DaoAuthenticationProvider caching (refer to reference docs)
* Improved HttpSessionIntegrationFilter to manage additional attributes
* Improved URL encoding during redirects
* Fixed issue with hot deploy of EhCacheBasedTicketCache (used with CAS)
* Fixed issue with NullPointerExceptions in taglib
* Removed DaoAuthenticationToken and session-based caching
* Documentation improvements

Whilst 0.51 is mostly a maintenance release, we recommend that you upgrade
to take advantage of the various fixes and caching improvements. The only
0.5 to 0.51 upgrade issue most typical users would need to be aware of is
DaoAuthenticationProvider no longer has a "key" property. References to this
property should be removed from your application context configuration
file(s). The reference documentation describes the new pluggable caching
support and event support in sections 1.5.4 and 1.5.5 respectively.

Please visit http://acegisecurity.sourceforge.net to access the latest
version or read more about the features.

Best regards
Ben





_______________________________________________
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer