On 9/20/05, Elias Torres <[EMAIL PROTECTED]> wrote: > Hi Matt, > > I need to spend more time looking into Acegi and compatability with > J2EE security. At IBM, we use CMA going against LDAP now, but it might > change to be SSO-compliant with the rest of our web applications. I > can currently see how I'm going to do it with Roller with CMA, but > don't know how to do it with Acegi. Any tips will be greatly > appreciated.
LDAP support is coming in a future release of Acegi, but it doesn't look like it's there as of yet. http://forum.springframework.org/viewtopic.php?p=9172 Note that Acegi also supports CMA through the use of Realms, so it's possible that you could use CMA+Acegi. I haven't had a chance to play with this yet. Matt > > However, I definitely agree with your proposal of removing > LoginServlet, passwords in URLs, etc. > > Elias > > On 9/20/05, Matt Raible <[EMAIL PROTECTED]> wrote: > > Here's my proposal for doing this integration. Note that there's a > > couple outstanding issues in the Related Issues section. > > > > http://rollerweblogger.org/wiki/Wiki.jsp?page=Proposal_AcegiSecurity > > > > Thanks, > > > > Matt > > > > On 9/19/05, Matt Raible <[EMAIL PROTECTED]> wrote: > > > On 9/17/05, Allen Gilliland <[EMAIL PROTECTED]> wrote: > > > > cool ... this sounds like a welcome improvement over CMA. > > > > > > > > i know we've talked about using Acegi on the list before, but is there a > > > > proposal plan that outlines genrally how Acegi integration works, what > > > > new classes would be created, and how SSO would tie in? > > > > > > No, I should do this. First, I wanted to prove that it would actually > > > work. As far as SSO, Acegi integrates with Yale's CAS system - more > > > information is available in Acegi's documentation. > > > > > > http://acegisecurity.sourceforge.net/docbook/acegi.html#security-cas > > > > > > If you look at the forum link below, you'll see I got an answer to my > > > question and was able to get everything working today. I've attached > > > a patch of what changes in existing classes. > > > > > > The biggest change is that a lot of the startup logic in LoginServlet > > > moved to RollerContext (where everything else is initialized). Other > > > changes include removing the secure and unsecure port numbers in > > > roller.properties. This is because Acegi defaults to 8443 (when using > > > 8080 for http://) and 443 (when using 80 for http://). > > > > > > The one thing I haven't done in this patch is to remove the UserCookie > > > object (and code from UserManager) - but this will no longer be > > > necessary either. > > > > > > I'll try to write up a proposal on the wiki in the next day or two. > > > Any suggestions on an existing proposal to use for a template? > > > > > > Thanks, > > > > > > Matt > > > > > > > > > > > > > > -- Allen > > > > > > > > > > > > On Sat, 2005-09-17 at 08:34, Matt Raible wrote: > > > > > FYI... > > > > > > > > > > I did some work yesterday to create a version of Roller that uses > > > > > Acegi Security for its security mechanism as an alternative to CMA. > > > > > It's my believe that this should be possible w/o changing a single > > > > > line of Java code. In fact, it should result in deleting quite a bit > > > > > of code (LoginServlet, LoginFilter, UserCookie, etc.). > > > > > > > > > > However, I've run into one issue. > > > > > > > > > > <snip> > > > > > Principal principal = request.getUserPrincipal(); > > > > > String username = principal.getName(); > > > > > > > > > > With CMA, this returns "mraible" (my login name). However, with Acegi, > > > > > it returns: > > > > > > > > > > userName= "[EMAIL PROTECTED]: Username: > > > > > mraible; Password: [PROTECTED]; Enabled: true; AccountNonExpired: > > > > > true; credentialsNonExpired: true; AccountNonLocked: true; Granted > > > > > Authorities: editor" > > > > > </snip> > > > > > > > > > > I've posted this to the Acegi Security forums, but haven't had a > > > > > response yet. > > > > > > > > > > http://forum.springframework.org/viewtopic.php?t=8917 > > > > > > > > > > I suspect it's a bug. A workaround is to use request.getRemoteUser(), > > > > > but I'd rather see this fixed in Acegi. > > > > > > > > > > To reiterate why I'm doing this little experiment: it's because Acegi > > > > > has more fine-grained control of security - allowing you to get a > > > > > user's role or information in any layer (b/c the information is stored > > > > > in a thread local). Furthermore, it has Remember Me and SSL Switching > > > > > built in. > > > > > > > > > > AppFuse had the same setup that Roller has at one point. In fact, most > > > > > of the Login/RememberMe/SSL Switching is from AppFuse. I switched to > > > > > Acegi in AppFuse about 6 months ago and it's resulted in nothing but > > > > > good things. We've been able to plug a few security holes that > > > > > would've been more difficult if we were using CMA. > > > > > > > > > > Another good reason to switch is this will get us away from something > > > > > users complain about often: the redirect to j_security_check - where > > > > > the password is shown in the URL. > > > > > > > > > > Have a good weekend, > > > > > > > > > > Matt > > > > > > > > > > > > > > > > > > > >
