SEC-25: SecureContext propagation for EJBs about spring-security HOT 21 CLOSED

Andreas Senft said:

This is an implementation of the proposed features, including some tests , build scripts and a simple demo application. The code is packed as eclipse project (3.1M7). The application is configured for JBoss (4.0.1SP1). The JBoss jars for the client are excluded.

from spring-security.

Ben Alex said:

Luke, would you please take a look at this…?

from spring-security.

Andreas Senft said:

As I recently needed this functionality again, I reworked it and adapted it to 1.0.0RC2.

Regards,
Andreas

from spring-security.

Ben Alex said:

Luke, do you think you’ll get time to look at this? If not, please assign it back to me and I’ll review and apply Andreas’ patch.

from spring-security.

Andreas Senft said:

If you need additional information about the classes, please let me know.
Also, if you want me to do some refactoring/repackaging, just send me a note.

Regards,
Andreas

from spring-security.

Luke Taylor said:

I’ll try and take a look at it this weekend.

from spring-security.

Luke Taylor said:

There’s quite a lot of code here and I don’t want to commit it to the core so soon before the 1.0 release. It might be worth having a separate module for it too, rather than adding it to the core, as I’m not sure how much demand there will be for EJB support in Acegi.

from spring-security.

Andreas Senft said:

Hello Luke,

I agree with your suggestion to put this into an external module. I, too, think that this is no core functionality, rather some kind of add-on. This is also true, because using this approach is not only about configuration but also influences the coding (of the EJB layer).

As of demand of EJB support: I guess, of those who can decide, the most will choose more lightweight approaches, so they won’t need this.
However, there are also those that have to use EJB (even when it does not make sense), because it is demanded. For those it might be a way to use Acegi without taking care of context propagation inside their code.

Regards,
Andreas

from spring-security.

Ben Alex said:

Andreas, does this code work with Acegi Security 1.0.3, and are there tests and documentation for it?

from spring-security.

Andreas Senft said:

Hi Ben,

the sources should work with version 1.0.3. I just had to do a small change to adapt to Spring 2.0.5.
I will attach an updated version.

There are two unit test classes for the argument extraction/ insertion. Further there is a demo package with a simple application to be deployed on JBoss (JBoss jars not included) which should highlight the usage.
Written documentation is not available as yet, but I could write something down if you like.

Regards,
Andreas

from spring-security.

Andreas Senft said:

Attached Acegi-ejb_103.zip.
Updated version for Spring 2.0.5 and Acegi 1.0.3

from spring-security.

Andreas Senft said:

Hello Ben,

the attached sources yet have some homegrown packaging. If you could suggest a package name/structure, I would refactor the code accordingly.
I already tried to contact you via e-mail, but perhaps the message got lost (not sure if I correctly memorized the address).

Regards,
Andreas

from spring-security.

Andreas Senft said:

Attached a new version with major reworkings (spring_security_ejb_V1.zip).
- Repackaged to org.springframework.security
- Added FactoryBeans for much easier usage
- Added further unit tests

The code has been tested with Spring 2.0.4, Acegi 1.0.4 and JBoss 4.0.5
Required jars are missing from the archive to keep it small. Though, the required jars are named in CONTENTS.TXT files in the lib folders.

Build-scripts are provided to create a demo EAR and client jar. The EAR can be deployed to JBoss and the client jar can be started with the “java -jar” command from a console.

from spring-security.

Andreas Senft said:

Attached documentation in DocBook format. I hope it can be used that way.

from spring-security.

Luke Taylor said:

I haven’t been able to integrate this with the main project maven 2 build yet.

from spring-security.

Luke Taylor said:

I’m afraid I have to postpone this again as I don’t see how it can be integrated with the build.

from spring-security.

Andreas Senft said:

Do you want me to repackage things? In effect, only the src and test folders need to be processed. The rest is part of the samples.

from spring-security.

Andreas Senft said:

Attached archive “spring_security_ejb_V1.1.zip”. This contains only the sources and unit tests. Perhaps that might be integrated more easily. There should be no external dependencies to resolve beside those SpringSecurity needs itself.

Regards,
Andreas

from spring-security.

Wei Ming You said:

If you don’t do this, somebody else will do it. The monody and arbitrary are against the spirit of Open Source. This problem " Propogate Security Identity from Servlet Layer to EJB Layer" has been came up for years, Eg. http://forum.springframework.org/showthread.php?t=26514.

Re:
Luke Taylor – 28/Jan/08 11:41 AM
I’m afraid I have to postpone this again as I don’t see how it can be integrated with the build.

from spring-security.

Luke Taylor said:

I’d like to thank Andreas for his work in putting this together, but I’m afraid we are not realistically going to include it in the codebase. EJB 2.0 support isn’t part of the roadmap for Spring Security. EJB are increasingly uncommon in this era of Spring and EJB 3.0. The code will still be available here for anyone who wants to use it in legacy applications.

from spring-security.

ajay hada said:

Andreas you did a great job.. I feel that suggested feature is realistic. and I think lots of people want this feature.
Luke why don't you reopen this issues and think again to integrate.

from spring-security.