RE: [Acegisecurity-developer] checking for invalid user accounts in AuthenticationProvider implementations

[Tim Kettering]

Yes, I'm aware that certain providers might not have the right hooks for all
the checks we do, but in our case we are using Jaas alongside with our own
implementation of a Provider to create an custom UserDetails object, and
rather than copy/paste the checks against UserDetails that are performed in
the DaoAuthenticationProvider, I thought it would be put to better use by
making that specific part of code accessible for other classes to use if
needed.

I will file a JIRA issue on it today.

Thanks!

-tim


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ray Krueger
Sent: Saturday, March 25, 2006 8:51 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] checking for invalid user accounts in
AuthenticationProvider implementations

That isn't really possible for the JaasAuthenticationProvider without
Jaas Provider specific hooks. The Jaas LoginModule interface doesn't
provide  isAccountNonLocked style accessors.

On 3/25/06, Ben Alex [EMAIL PROTECTED] wrote:
 Tim Kettering wrote:
  Maybe it'd be useful if those checks found in
  DaoAuthenticationProvider be made available as a pluggable component
  that other AuthenticationProviders can utilize?
 
 
 
 Hi Tim

 If you please add it to JIRA, I'll make a static method that accepts a
 UserDetails and throws an appropriate AuthenticationException based on
 its state.

 Best regards
 Ben


 ---
 This SF.Net email is sponsored by xPML, a groundbreaking scripting
language
 that extends applications into web and mobile media. Attend the live
webcast
 and join the prime developer group breaking into this new coding
territory!
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=kkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] checking for invalid user accounts in AuthenticationProvider implementations

[Tim Kettering]

Hey all,

Can someone (Ben?) explain if it is expected to check the various
UserDetails states such as isAccountNonExpired(),
isAccountNonLocked(), isCredentialsNonExpired(), and isEnabled() in a
AuthenticationProvider?  This seems to be applied inconsistently...

We had originally been using DaoAuthenticationProvider, which in its
code does those checks, then we switched over to the
JaasAuthenticationProvider and after seeing some logins that occured
that shouldn't have occured, I tracked down the issue to
JaasAuthenticationProvider not doing those checks at all.  Looking at
CasAuthenticationProvider, this seems to not either.

Maybe it'd be useful if those checks found in
DaoAuthenticationProvider be made available as a pluggable component
that other AuthenticationProviders can utilize?

Thanks,

-tim


---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] using an embedded library that also uses acegi

[Tim Kettering]

Just wanted to put this out here, to see what the developers have to
say about the implications of using a library that uses acegi
internally, inside an application that also uses acegi.

in our case, we're using 1.0 RC, while the library we're evaluating
uses 0.8.2, and that already has brought up some classloading
considerations, due to the different package names.

And I'm also wondering what the effect will be on the security context
in the thread.  I don't believe there is any sort of
name-spacing/sandboxing of diff security contexts, are there?

Any feedback or thoughts would be greatly appreciated.

-tim


---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] setting attributes for remember-me cookie

[Tim Kettering]

Ben,

I actually filed a JIRA issue on it yesterday, and submitted a patch:

http://opensource.atlassian.com/projects/spring/browse/SEC-206

However, I had hoped to have some discussion on the list before
submitting the patch because there was some questions about how
defaults should be handled, and whether setting the path should be an
property (or just implicitly set to root), or some mix of the two.

The patch I submitted implicitly sets to root..  more details are in
the jira issue and the patch itself.  Hopefully it's useful.

Feel free to discuss this further if you feel it needs to offer more
flexibility.  Thanks!

-tim


On 3/2/06, Ben Alex [EMAIL PROTECTED] wrote:
 Tim Kettering wrote:
  I scoured the forums and mailing list and did not find anyone bringing
  up this issue.   I suspect it's because everyone (?) so far might have
  been using the filter based login.  Which we are not, so this would
  not be a problem for them.
 
 
 Hi Tim

 If you are able to provide a JIRA patch that will provide this
 flexibility, I would be happy to apply it for you.

 Cheers
 Ben



 ---
 This SF.Net email is sponsored by xPML, a groundbreaking scripting language
 that extends applications into web and mobile media. Attend the live webcast
 and join the prime developer group breaking into this new coding territory!
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=110944bid=241720dat=121642
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] setting attributes for remember-me cookie

[Tim Kettering]

Hi Everyone.

Mabye there's already a really simple solution that's been staring me
in the face but I'm not seeing it.  I'm setting up the remember-me
functionality for this project I'm working on, and due to project
technical considerations, I've have to re-implement parts of the
remember-me in the login controller instead of using the
authentication filter.

So basically what's happening is that on a successful login, the login
controller will be making a call to the
rememberMeServices.loginSuccess(), to set the remember-me cookie.

But when I set out to test it, it didn't work.  I dug around a bit and
I think I found the problem, the application runs under the context
/foo, and the login controller url is found at /foo/login, so the
acegi remember-me cookie gets set with a path of /foo/login - which
makes it fall out of scope when accessing /foo, if i understand the
functionality of cookies right.

So I've been looking at the code in acegi, and it seems like a Cookie
is simply created with defaults in the TokenBasedRememberMeServices.  
So it would appear to me that I would need to subclass certain parts
of this code to get it to set the path to something different than the
default.

I scoured the forums and mailing list and did not find anyone bringing
up this issue.   I suspect it's because everyone (?) so far might have
been using the filter based login.  Which we are not, so this would
not be a problem for them.

So, I thought I'd bring it up on the list.. see what you guys think
should be done.

-tim


---
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnkkid0944bid$1720dat1642
___
Home: http://acegisecurity.org
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

RE: [Acegisecurity-developer] Proposal: Rename AuthenticationDao interface

[Tim Kettering]

+1 from me too.  I think its better to break stuff now when we still have a
excuse (hey, it ain't 1.0 yet) than post 1.0.

-tim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ray Krueger
Sent: Thursday, November 17, 2005 10:01 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Proposal: Rename AuthenticationDao
interface

lol Sorry Scott :)
When Ben puts it like that I gotta agree hehe.
+1

On 11/17/05, Dmitriy Kopylenko [EMAIL PROTECTED] wrote:
  +1 also

  Darrell Kundel wrote:
  +1

 I support the change, it makes more sense to me.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]
 On Behalf
 Of Ben Alex
 Sent: Thursday, November 17, 2005 9:23 AM
 To: acegisecurity-developer@lists.sourceforge.net
 Subject: Re: [Acegisecurity-developer] Proposal: Rename
 AuthenticationDao interface

 Ray Krueger wrote:


  You currently have an AuthenticationDao that successfully returns a
 UserDetails instance that is built up by your four database scheme
 now, correct? The whole point of the AuthenticationDao is to build a
 UserDetails instance, by whatever means necessary. So, no, users like
 you should do exactly what you're doing. I don't see a reason for you
 two implement a new AuthenticationProvider, unless the
 DaoAuthenticationProvider is not meeting you're needs.



 The one and only method defined by AuthenticationDao is:

  public UserDetails loadUserByUsername(String username) throws
 UsernameNotFoundException, DataAccessException;

 AuthenticationDao is used variously within the system:

 Implementation: JdbcDaoImpl
 Implementation: InMemoryDaoImpl
 User: DaoAuthenticationProvider
 User: DaoCasAuthoritiesPopulator
 User: DaoX509AuthoritiesPopulator
 User: DigestProcessingFilter
 User: TokenBasedRememberMeServices
 User: SwitchUserProcessingFilter

 AuthenticationDao is presently found in the
 org.acegisecurity.providers.dao package. Given only the first three
 classes above are actually in that package or a subpackage, perhaps
 AuthenticationDao should be moved to a higher-level package to reflect
 its broader use in five other areas of the framework. We faced a similar

 transition for UserDetails itself, from the DAO package to the top-level

 package for a similar reason.

 Whilst it's mostly semantics, the other side is clarifying relationships

 and scope of services within the framework. Perhaps we should rename
 org.acegisecurity.providers.dao.AuthenticationDao to
 org.acegisecurity.UserDetailsService. It will mean that
 most users have
 to make a fairly minor change
  to the interface they're implementing in their AuthenticationDao
 implementations, but aside from that it will be transparent. If we do
 this, it might even be better to make an org.acegisecurity.userdetails
 package, to hold UserDetails, User, UserDetailsService and the two
 implementations listed above. At least we'd be emphasising these
 classes can be used anywhere within the framework or by your code - not

 just for DaoAuthenticationProvider.

 Anyhow, I note the current responses consider this mostly a semantics
 issue, but I tend to see where Scott's coming from regarding clarifying
 architectural use and layering. We can make these moves with losing
 revision history (I feel game - I'll log another SF CVS job! :-) ). And
 users are already going to be *having* to change the import of their
 AuthenticationDao implementations anyway, due to the package rename in
 SEC-104.

 Thoughts?

 Cheers
 Ben


 ---
 This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
 Register for a JBoss Training Course. Free Certification Exam
 for All Training Attendees Through End of 2005. For more info visit:
 http://ads.osdn.com/?ad_id=7628alloc_id=16845op=click
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



 ---
 This SF.Net email is sponsored by the JBoss Inc. Get Certified Today
 Register for a JBoss Training Course. Free Certification Exam
 for All Training Attendees Through End of 2005. For more info visit:
 http://ads.osdn.com/?ad_idv28alloc_id845op=click
 ___
 Home: http://acegisecurity.org
 Acegisecurity-developer mailing list
 Acegisecurity-developer@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer





---
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28alloc_id845op=ick

[Acegisecurity-developer] AclVoter expecting SimpleAclEntry

[Tim Kettering]

I ran into a interesting problem when setting up AclVoters for our project.


We are using our own custom AclEntry that subclasses AbstractBasicAclEntry.
So when I tried to set up a class that uses AclVoter, I got a
ClassCastException at this particular section:

for(int i = 0; i  entries.length; i++) {
SimpleAclEntry sae = (SimpleAclEntry)entries[i];
for(int j = 0; j  requirePermission.length; j++) {
   if(sae.isPermitted(requirePermission[j])) {
   result = ACCESS_GRANTED;
   }
  }
}

So, from this, it seems that we are casting to SimpleAclEntry because we
need to access the method .isPermitted().  But this method is defined in
AbstractBasicAclEntry.  However because it is abstract, we cannot cast to
that specifically... 

So my subclass doesn't work, even though it has the method necessary to work
properly.  

I think this can be improved...  it just seems rather odd for BasicAclEntry
to not declare the method, but the abstract implementation does, and then
SimpleAclEntry makes use of it?  This doesn't lend well to making AclVoter
very extensible.

I think could either add the methods to BasicAclEntry, or make another
interface to back the added functions that AbstractBasicAclEntry brings to
the table and update AclVoter accordingly.

Thanks!

-tim




---
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42 plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

RE: [Acegisecurity-developer] Blog entry on how to extend JdbcDaoImpl

[Tim Kettering]

I took another look at the JdbcDaoImpl (and JdbcExtendedDaoImpl).  I think I
understand what I was missing before, and I have a suggestion to add as
well.

In JdbcDaoImpl, the default query strings are static string parameters.  In
the constructor of JdbcDaoImpl, the default strings are copied to the query
string parameters that are called by the internal sql mapping classes, in
their constructors.  

So if my understanding is correct, the object instance is created first,
meaning the internal classes are initially created w/ the default strings,
before any getter/setters are called by Spring.  So what I was likely
missing before was the need to set 'init-method=initDao' in the spring
configuration to make sure that the initDao() method was called after spring
was finished, to re-initialize the internal sql mapping objects after the
new sql query strings are set by spring.  So if this init method is not
called, then attempting to use it will result in the class ignoring the set
query strings, and using the default ones.  So this should probably be
explicitly documented in the JavaDoc that if you are setting the query
strings, you need to call 'initDao()' as well.  Or a different mechanism
used to detect changes and remove the dependency on 'initDao'.

The other thing I wanted to bring up, was that JdbcExtendedDaoImpl
introduces a new method:

String convertAclObjectIdentityToString(AclObjectIdentity aclObjectIdentity)

Which converts the aclObjectIdentity argment to a string that it can use to
query the database.  If you look at JdbcDaoImpl, in the
'getAcls(AclObjectIdentity aclObjectIdentity)' method, you'll find that
theres a section of code that does virtually the same thing.  So I would
think it'd be cleaner code-wise and consistency  for the
'convertAclObjectIdentityToString' method to be moved to JdbcDaoImpl, and
used to implement the conversion to string in 'getAcls' as well.  

This would also make it easier to extend the class and still invoke the
superclass 'getAcls' when working with ACLs that need to be converted to
different string formats than the standard used in Acegi.

-tim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Tim Kettering
Sent: Monday, August 22, 2005 6:42 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: RE: [Acegisecurity-developer] Blog entry on how to extend
JdbcDaoImpl


I believe it does not work if you extend the class itself, due to how the
internal MappingSqlQuery classes that implement those queries set/reference
themselves.  Seems like the default strings get applied via constructor
before the setter methods are called via spring.   

I am not 100% on this. It was a while ago, and I may have done something
incorrectly. This kind of pertains to my earlier email about how I found it
difficult to extend JdbcDaoImpl (and the extended Dao as well), in a clean
fashion.  If I have some time tomorrow, I can try to investigate this and
report with more conclusive results.

-tim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ben Alex
Sent: Monday, August 22, 2005 6:11 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Blog entry on how to extend
JdbcDaoImpl

Pascal Gehl wrote:

Hi,

I've written a blog entry on how to extend JdbcDaoImpl.
I would appreciate guru's to check if I don't misunderstood it.

http://www.jroller.com/page/paskos?entry=acegi_using_a_custom_select
  

Hi Pascal

You should have been able to use setAuthoritiesByUsernameQuery(String) 
and setUsersByUsernameQuery(String) on JdbcDaoImpl. Did that not work?

Cheers
Ben


---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005

RE: [Acegisecurity-developer] using long for acegi acl id parameters

[Tim Kettering]

Ben,

Yes, sorry I wasn't clear on which class.  I meant the AclDetailsHolder in
the JdbcDaoImpl.  I've been forced to fork off the JdbcDaoImpl code into my
own classes completely here due to the fact that they're rather hard to
extend if you want to do more than just tweak the query strings.  One of the
issues I ran into was that AclDetailsHolder and other internal classes make
it difficult to extend because the code apparently still calls the original
implementations, not my implementations, and there doesn't seem to be a
clean way to hook into my own classes.  

Although I really have just started working on this stuff for a few days,
and I would need to work with it some more to formulate some suggestions on
how to make them more easily extensible.  But changing the values to long
would be a good start.  I would submit a patch, but Sourceforge's CVS still
is not working for me at the moment.  I'll file a JIRA issue on it.

-tim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ben Alex
Sent: Sunday, August 21, 2005 6:14 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] using long for acegi acl id
parameters

Tim Kettering wrote:

 I'm wondering if there was a reason that most of Acegi's standard ACL 
 classes use int when dealing with object id values. We usually default 
 to using 'long' instead of 'int' - and I believe that other places do 
 as well, so it seems to me that it might be simpler to use 'long' in 
 the acegi classes, since the java compiler can automatically cast int 
 to long anyway.

Hi Tim

Which ACL classes are you referring to? AbstractBasicAclEntry uses int 
because it performs bit masking which shouldn't need the full size of a 
long. If you mean AclDetailsHolder (protected class within JdbcDaoImpl) 
I see your point and we should change it. Please feel free to submit a 
patch or issue to JIRA and I'll get it done.

Cheers
Ben



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

RE: [Acegisecurity-developer] using long for acegi acl id parameters

[Tim Kettering]

Filed under JIRA as SEC-51.  

I also filed a issue a few days ago w/ a patch to fix something w/ acegi's
JAAS handler (SEC-48).  Would be nice if this could be added to CVS before
the 0.9 release.  

Thanks!

-tim


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Tim Kettering
Sent: Monday, August 22, 2005 10:42 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: RE: [Acegisecurity-developer] using long for acegi acl id
parameters

Ben,

Yes, sorry I wasn't clear on which class.  I meant the AclDetailsHolder in
the JdbcDaoImpl.  I've been forced to fork off the JdbcDaoImpl code into my
own classes completely here due to the fact that they're rather hard to
extend if you want to do more than just tweak the query strings.  One of the
issues I ran into was that AclDetailsHolder and other internal classes make
it difficult to extend because the code apparently still calls the original
implementations, not my implementations, and there doesn't seem to be a
clean way to hook into my own classes.  

Although I really have just started working on this stuff for a few days,
and I would need to work with it some more to formulate some suggestions on
how to make them more easily extensible.  But changing the values to long
would be a good start.  I would submit a patch, but Sourceforge's CVS still
is not working for me at the moment.  I'll file a JIRA issue on it.

-tim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ben Alex
Sent: Sunday, August 21, 2005 6:14 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] using long for acegi acl id
parameters

Tim Kettering wrote:

 I'm wondering if there was a reason that most of Acegi's standard ACL 
 classes use int when dealing with object id values. We usually default 
 to using 'long' instead of 'int' - and I believe that other places do 
 as well, so it seems to me that it might be simpler to use 'long' in 
 the acegi classes, since the java compiler can automatically cast int 
 to long anyway.

Hi Tim

Which ACL classes are you referring to? AbstractBasicAclEntry uses int 
because it performs bit masking which shouldn't need the full size of a 
long. If you mean AclDetailsHolder (protected class within JdbcDaoImpl) 
I see your point and we should change it. Please feel free to submit a 
patch or issue to JIRA and I'll get it done.

Cheers
Ben



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

RE: [Acegisecurity-developer] Blog entry on how to extend JdbcDaoImpl

[Tim Kettering]

I believe it does not work if you extend the class itself, due to how the
internal MappingSqlQuery classes that implement those queries set/reference
themselves.  Seems like the default strings get applied via constructor
before the setter methods are called via spring.   

I am not 100% on this. It was a while ago, and I may have done something
incorrectly. This kind of pertains to my earlier email about how I found it
difficult to extend JdbcDaoImpl (and the extended Dao as well), in a clean
fashion.  If I have some time tomorrow, I can try to investigate this and
report with more conclusive results.

-tim

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ben Alex
Sent: Monday, August 22, 2005 6:11 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Blog entry on how to extend
JdbcDaoImpl

Pascal Gehl wrote:

Hi,

I've written a blog entry on how to extend JdbcDaoImpl.
I would appreciate guru's to check if I don't misunderstood it.

http://www.jroller.com/page/paskos?entry=acegi_using_a_custom_select
  

Hi Pascal

You should have been able to use setAuthoritiesByUsernameQuery(String) 
and setUsersByUsernameQuery(String) on JdbcDaoImpl. Did that not work?

Cheers
Ben


---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer



---
SF.Net email is Sponsored by the Better Software Conference  EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile  Plan-Driven Development * Managing Projects  Teams * Testing  QA
Security * Process Improvement  Measurement * http://www.sqe.com/bsce5sf
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] using long for acegi acl id parameters

[Tim Kettering]

Im wondering if there was a reason that most of Acegis
standard ACL classes use int when dealing with object id values. We usually
default to using long instead of int  and I
believe that other places do as well, so it seems to me that it might be
simpler to use long in the acegi classes, since the java compiler
can automatically cast int to long anyway.



Just my two cents.



-tim

RE: [Acegisecurity-developer] cannot access cvs

[Tim Kettering]

Same here  cannot access CVS since
yesterday. I guess SF is messed up again.











From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 19, 2005
11:09 AM
To: acegisecurity-developer@lists.sourceforge.net
Subject: [Acegisecurity-developer]
cannot access cvs





Im getting an error Project map lookup
failed



both by doing manual cvs login and executing the maven
checkout command that is shown of acegis site.

RE: [Acegisecurity-developer] logout functionality

[Tim Kettering]

Okay, allow me to take back what I said.
I later realized that the user in session would have nothing to do with where
the voters would be obtaining the user object from, so if I was properly
removing the user from the SecurityContextHolder, then everything should be
working right. So I went back and double checked my code, and turns out I
was performing the logout operation in the Render phase, not Action, even
though I was saying otherwise on my previous email. Now dont I
look all foolish. J



So, a big mea culpa and apologies to all.



-tim











From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Kettering
Sent: Friday, July 22, 2005 1:58
PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: [Acegisecurity-developer]
logout functionality







I was looking around for logout tips/practices on the
forums, and I found this thread from a while ago 



http://forum.springframework.org/viewtopic.php?t=5407highlight=logout



So, as I understand this, setting a new security context in
0.9 and up will effectively log out a user. The project Im working
on, which is a bunch of portlets running under a portlet container. We
are using Acegi to manage object-level permissions in the various portlets
using ACL. 



Since the changes to the user are not written back to the
session until the end of the request  the changes do not take effect for
that initial request. On a standard webapp, this would normally not be an
issue because the page could easily forward to a logout page or
something, and then all future requests would be processed as usual. 



However, with portlets, since we have Portlet A, Portlet B,
and Portlet C and a Login/Logout Portlet all existing on one page, it works
differently. When I click the logout link on the
login/logout portlet, the user is indeed logged out, but since the user still
exists in session, Portlets A, B and C still render their views as if the user
was still logged in. It is not until the next web request (or a page
reload) that the views are updated correctly. 



I believe this occurs because of the two phase process
(Action then Render) process. The logout is executed in the Action phase,
then all Portlets are rendered, but because the user is not removed from
session until end of request, the Render phase still has the User in session
visible, and acts accordingly so. So from a user/developer point of
view on the web page, the user has logged out, but the data that is displayed
in portlets are still displaying as if the user was logged in.



As more people start using Spring, and Acegi to build
portlet applications, I am quite certain this will become a common issue.
I plan to resolve this issue for the short term by explicitly clearing the
ACEGI context from the session in the Action phase. I do think that there
should be some re-consideration for a unified (or at least an endorsed) strategy
for clearing the user on logout from both the context and the session. 



My understand of Acegi is still rather new  Im
learning this stuff as I go, so if I have made any misassumptions, feel free to
correct me. I thought itd be a good time to bring this up for
discussion w/ the devs. 



-tim

[Acegisecurity-developer] behavior of JaasNameCallbackHander

[Tim Kettering]

I was tracking down some issues that came up after we
started using our own UserDetails object in the principal of Authentication.
This method in JaasNameCallbackHandler seems to be calling the incorrect
method. In AbstractAuthenticationHandler, the methods called are authentication.getPrincipal().getUsername()
not toString() like it appears below. Is there any reason for
this? The problem we are facing is that our JAAS handler is trying to
authenticate on the entire toString() output of our UserDetails object, instead
of just the username, at this point, when the Acegi API/source seems to
indicate that toString() is to be used for debug output. 



 public void handle(Callback callback, Authentication
authentication)

 throws IOException, UnsupportedCallbackException {

 if (callback instanceof NameCallback) {

 NameCallback ncb = (NameCallback) callback;

 ncb.setName(authentication.getPrincipal().toString());

 }

 }

RE: [Acegisecurity-developer] Suggested approach for authority design

[Tim Kettering]

Ray,

Many thanks for writing in.  You've pretty much confirmed many of the things I 
was thinking.  I just wanted to be sure that I was going down the path of least 
resistance and not run across some DOH! Moment a month later when I realize 
there's a far better way to do it.  

I think what I'll do is create a custom AuthorityProvider that will do the jaas 
operations and the role creation I need, since there are other stuff I should 
be pulling in as well that are not coming from JAAS, and using an 
AuthorityGranter doesn’t sit well with me.

Thanks again for your input.  Appreciate it much. 

-tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ray Krueger
Sent: Monday, July 18, 2005 11:44 PM
To: acegisecurity-developer@lists.sourceforge.net
Subject: Re: [Acegisecurity-developer] Suggested approach for authority design

Hey Tim, Jaas is full of smells :P

Let's see if I can help you out here...

1. You are correct. You can chain AuthenticationProviders, but as soon
as one returns a valid token the chain ends.

2. The first part of this is what the AuthorityGranter interface is
designed for. The AuthenticationDao thing, I'm not sure what your
intent was. Either way, the AuthenticationDao.authenticate(...) method
returns a UserDetails instance, which has the GrantedAuthority[]
getAuthorites() method on it.

3. The AuthorityGranter (AuthorityResolver would have been a better
name though hehe) returns a set for exactly the reason you mentioned.
You pass it a principal and it returns a set of ROLE_names. This +
some jdbc access or whatever your authority source is going to be
would be an option. Inelegance is in the eye of the beholder :P


One thing to keep in mind with Jaas, there will (almost) always be at
least one principal to work with, and that's the user. So if certain
users are going to get extra roles or authorities based on their
username for example writing an AuthorityGranter to do that would be
the way to go.

I hope this helps, or at least made sense.
-Ray


On 7/18/05, Tim Kettering [EMAIL PROTECTED] wrote:
  
  
 
   
 
 Hi everyone, 
 
   
 
 On this project I'm working on, we are using JAAS to authenticate a token,
 and Acegi's JAAS support classes allow for the translation of the user and
 its principals to Acegi's authority objects.  But in this particular case,
 we are not interested in the principals that JAAS returns.  We want to
 continue using our own method for obtaining the authorities.  
 
   
 
 So I've been looking at a few possible approaches.  But none of them seem to
 really avoid the sense of code smell, so I thought I'd ask on the list for
 suggestions from people who may be more familiar with a better strategy.  
 
   
  
 using a different authentication provider to simply populate the authorities
 – it seems to me that authentication manager will only process with one
 authentication provider, and if it returns a valid token, it does not
 continue down the list… so when jaas authentication provider returns a valid
 token, it wont process the custom class I made.  (correct me if im wrong). 
 
   
  
 Replace Acegi's JaasAuthenticationProvider with a similar one of our own
 that adds a method that obtains the additional authorities and adds it in. 
 This was the approach I started with, and I thought perhaps I could make use
 of the AuthenticationDao to obtain the authorities I needed for the user and
 add them in, but apparently AuthenticationDao does not provide an easy way
 to simply obtain the authorities.. but instead, need to obtain the user
 itself.  
 
   
  
 With the latest code in HEAD, AuthorityResolver can now return a set, so I
 could hack a custom Resolver that ignored the returned Jaas Principal and
 simply provided its own, but this seems rather inelegant, and has it's own
 issues.  
 
   
 
 So, I guess I'm asking here.. is there a easier way (that I've missed) to
 introduce my own GrantedAuthorities in the JAAS authentication flow?? 
 
   
 
 Thanks in advance! 
 
   
 
 -tim
HS^µéšŠX¬²š'²ŠÞu¼ƒŠÇ(½êÄjÌ‹Š{±2(+jب+kj× 
‰ë®‰ˆÁbÛš™^¶‡è–Z0F†™ªl²ÚÚŠm~Šðj·Z®Øœ•ëú+™«b½åžmƬ¶Æ§vj+xg­z÷«ÊØbž
¨ºwžvÚ zÛ©¶‹)yç_jËa¶Úý§l¢Çgr‰¿i؝¾;í©e¡È^¸÷j)
ÉbrAè™èm¶ŸÿiÇ [EMAIL 
PROTECTED]±ç.®+ruëÞ–Š^®f¢–)à–+-
Ç 
ŠÇœº¸­ÉׯzZ)z¹b²Û,¢êÜyú+éÞ¶m¦Ïÿ–+-²Ê.­ÇŸ¢¸ë–+-³ùb²Ø§~Úqè±ç.®+ruëÞ–Š^



---
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77alloc_id492op=click
___
Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] Suggested approach for authority design

[Tim Kettering]

Hi everyone,



On this project Im working on, we are using JAAS to
authenticate a token, and Acegis JAAS support classes allow for the
translation of the user and its principals to Acegis authority
objects. But in this particular case, we are not interested in the
principals that JAAS returns. We want to continue using our own method
for obtaining the authorities. 



So Ive been looking at a few possible
approaches. But none of them seem to really avoid the sense of code
smell, so I thought Id ask on the list for suggestions from
people who may be more familiar with a better strategy. 




 using a different
 authentication provider to simply populate the authorities  it seems
 to me that authentication manager will only process with one
 authentication provider, and if it returns a valid token, it does not
 continue down the list so when jaas authentication provider returns
 a valid token, it wont process the custom class I made. (correct me
 if im wrong).





 Replace Acegis JaasAuthenticationProvider
 with a similar one of our own that adds a method that obtains the
 additional authorities and adds it in. This was the approach I started
 with, and I thought perhaps I could make use of the AuthenticationDao to
 obtain the authorities I needed for the user and add them in, but
 apparently AuthenticationDao does not provide an easy way to simply obtain
 the authorities.. but instead, need to obtain the user itself. 





 With the latest code in HEAD,
 AuthorityResolver can now return a set, so I could hack a custom Resolver
 that ignored the returned Jaas Principal and simply provided its own, but
 this seems rather inelegant, and has its own issues. 




So, I guess Im asking here.. is there a easier way
(that Ive missed) to introduce my own GrantedAuthorities in the JAAS
authentication flow??



Thanks in advance!



-tim

Re: [Acegisecurity-developer] New features now in CVS

[Tim Kettering]

Hi Ben,
Its funny how things like this work out, because I was just pondering a 
design issue on friday, and over the weekend, I thought I should 
probably email the acegi list about this, and then I read this email 
and it seems that you've already provided part, if not the whole 
solution.

In my project, I am incorporating the use of acegi security, and making 
specific use of the ACL for checking permissions of the user against 
the objects.  I've gotten it working w/ doing checks on single items, 
like for instance, loading a single object from the data source, and 
allowing/rejecting the method invocation, but my next problem is when 
the method could potentially return more than one object.

Like say, if I made a method call to return all items in the database 
between dates A and B.  I would need to run the security check on the 
collection after the data load to ensure that only the allowed objects 
are loaded.

So, this new afterinvocation provider you wrote up will help me with 
this situation?

-tim
On Nov 14, 2004, at 10:38 PM, Ben Alex wrote:
Hi everyone
I've just committed a (potentially very useful) new feature to Acegi 
Security. After secure object invocation allows you to throw an 
AccessDeniedException or modify the Object returned from your secure 
object invocation.

There's a new package, net.sf.acegisecurity.afterinvocation, which 
contains a couple of related providers. Both use AclManager and the 
integer bit masking provided by net.sf.acegisecurity.acl.basic. One of 
the providers throws an AccessDeniedException if the Authentication 
doesn't have an ACL permission for the returned Object (the required 
permission is defined in the application context). The other provider 
removes any item from a Collection if the Authentication doesn't have 
an ACL permission for that particular Collection element (again, the 
required permission is defined in the application context).

To help with before invocation ACL security, there's also a new 
AccessDecisionVoter called BasicAclEntryVoter. It votes to deny access 
if the Authentication doesn't have an ACL permission for a given 
method argument (the class type of the method argument, the permission 
required etc are application context defined).

The above isn't documented yet, but the Contacts sample application 
has been extensively refactored to use the above. Contacts are no 
longer owned by a single principal, but there is an ACL for each 
Contact. Permissions used include administer, delete and read. If the 
administer permission is held, the principal can modify the 
permissions list, adding or deleting ACL entries.

I'd be interested in what people think of these changes. In 
particular, please give Contacts a try and report any bugs to the 
list. To build it you'll need to CVS checkout, then from core do a 
maven jar:install, then from samples/contact do a maven war.

Best regards
Ben

---
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

---
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] (no subject)

[Tim Kettering]

Yes, that would work.  Thanks.
-tim
Hi Tim
Yes, the design does require the DAO provider know how to interpret 
the presented AclObjectIdentity.

As you know, JdbcDaoImpl (and any BasicAclDao for that matter) needs 
to be able to create BasicAclEntry[]s in response to the DAO request. 
Each BasicAclEntry has getAclObjectIdentity() and 
getAclObjectParentIdentity() methods, meaning the BasicAclDao needs to 
convert from row-data expressing this information into a new object 
instance. So, whilst your proposal caters for object - database 
mapping, it doesn't address database - object mapping.

I guess we could offer a pluggable interface within JdbcDaoImpl which 
does this conversion. ie:

public interface AclObjectIdentityStringResolver {
 public AclObjectIdentity convertToIdentityObject(String identity);
 public String convertToIdentityString(AclObjectIdentity 
aclObjectIdentity);
}

Would that address your needs?
Ben
---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink  Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink  Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] problem with using ehcache in junit tests

[Tim Kettering]

Hi all,
I was tracking down an issue earlier today regarding running some junit 
tests against my code.

Basically I was doing some simple benchmarks on the user authentication 
provider, and I decided to throw in the ehcache configuration in the 
spring context and thats when it all blew up - the authentication 
provider (DaoAuthenticationProvider) was throwing a NPE - a quick look 
in the debugger showed me that the cache instance in the provider was 
null, which should have been impossible because the bean postProcess 
method explictly checks for a null cache instance.

looking thru the process in the debugger, it seems like junit creates a 
new instance of every test method, so if I inititalize the spring 
context in the junit test constructor, and then run 3 test methods, 
junit will initalize the spring context three times and run each test 
method in sequence.

so trying out something, I disabled all but one test method, and ran 
the test.  The test ran fine, and ecache worked correctly, but as soon 
as I enabled a second (or more) test methods, the test would fail on 
the ecache access.

So I think there's some sort of issue going on here with multiple 
spring contexts being instanced, but a shared ecache instance exists in 
the JVM - so possibly after the first unit test method runs, the cache 
is set to null, and the second test method gets tripped up over an null 
cache instance that it wasn't expecting or something.

I'm not sure if this is an intended effect of ecache, or what. So I 
thought I'd report my findings to the list.

-tim

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink  Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Re: [Acegisecurity-developer] problem with using ehcache in junit tests

[Tim Kettering]

Nevermind.  I just checked CVS and there's already a fix in there, post 
0.6 release for this.  I'll just go back to the corner where I came 
from.

-tim
On Aug 24, 2004, at 3:37 PM, Tim Kettering wrote:
Hi all,
I was tracking down an issue earlier today regarding running some 
junit tests against my code.

Basically I was doing some simple benchmarks on the user 
authentication provider, and I decided to throw in the ehcache 
configuration in the spring context and thats when it all blew up - 
the authentication provider (DaoAuthenticationProvider) was throwing a 
NPE - a quick look in the debugger showed me that the cache instance 
in the provider was null, which should have been impossible because 
the bean postProcess method explictly checks for a null cache 
instance.

looking thru the process in the debugger, it seems like junit creates 
a new instance of every test method, so if I inititalize the spring 
context in the junit test constructor, and then run 3 test methods, 
junit will initalize the spring context three times and run each test 
method in sequence.

so trying out something, I disabled all but one test method, and ran 
the test.  The test ran fine, and ecache worked correctly, but as soon 
as I enabled a second (or more) test methods, the test would fail on 
the ecache access.

So I think there's some sort of issue going on here with multiple 
spring contexts being instanced, but a shared ecache instance exists 
in the JVM - so possibly after the first unit test method runs, the 
cache is set to null, and the second test method gets tripped up over 
an null cache instance that it wasn't expecting or something.

I'm not sure if this is an intended effect of ecache, or what. So I 
thought I'd report my findings to the list.

-tim

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink  Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink  Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

[Acegisecurity-developer] (no subject)

[Tim Kettering]

Thought about posting this in the forum, but thought the dev mailing 
list would be a better place to bring this up.

I've gotten my prototype to successfully perform ACL authentication at 
the method invocation level.  So right now I'm going a bit further 
beyond the standard ACL implementation given by Acegi to make it fit 
our needs.

One issue I've run into now when Im attempting to use my own 
AclObjectIdentity.  Because while I can set AclManager to use a 
specific class of AclObjectIdentity, the JdbcDaoImpl implemenation of 
BasicAclDao specifically checks for AclObjectIdentity to be of 
NamedEntityObjectIdentity.   So basically any attempt to check ACLs on 
a custom AclObjectidentity will not work w/ jdbcDaoImpl.

I see from the code that its necessary to do this because it needs to 
get values from getId() and getClassname(), which are not part of the 
interface signature of AclObjectIdentity to create the sql string.  
However, I would think that any sort of string returned by 
AclObjectIdentity would work.

So I'm wondering if there's a better way this can be handled, like 
adding a extended interface of AclObjectIdentity that would be called 
BasicAclObjectIdentity and it would have an additional method such as 
getNamedEntityString() or something ilke that.  And then people could 
create their own custom implemenations that would return String.

Then the JdbcDaoImpl coudl check to ensure that the object passed in 
implements BasicAclObjectIdentity, instaed of a specific class 
implementation, which is really not what the Spring people advocate 
(code against interfaces, not classes).  Re-coding the 
NamedEntityObjectIdentity to use the extended interface, and returning 
the string to be used in the SQL w/ the interface method would ensure 
that it would continue working, i think.

If I'm missing something - then please do point out what it is.  (I 
realize I can write my own custom DAO implementations to handle this 
stuff, but would like to extend/use as much acegi-provided code as 
possible.


---
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink  Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer