spring-projects / spring-security
Spring Security
Home Page: http://spring.io/projects/spring-security
License: Apache License 2.0
Ben Alex(Migrated from SEC-15) said:
It would be desirable to offer a Filter-based way for administrators to switch to a different user, then do work as that user, then revert to the original administrator account.
An implementation approach is detailed at http://forum.springframework.org/viewtopic.php?t=5719.
Tim Kettering(Migrated from SEC-48) said:
I submitted this via the listserv on 7/21/2005, and one of the developers said it would be looked into immediately, so I didn’t file a JIRA issue on it, but since it apparently hasn’t been touched in CVS, I’m going to submit it here. I’m pasting in the email contents below:
I’m also going to submit a patch, which is my version of the fix.
I’ll double check but I’m pretty sure that’s a bug. If so I’ll get it committed either tonight or tomorrow. US time that is :P -Ray
On 7/21/05, Tim Kettering [email protected] wrote:
> I was tracking down some issues that came up after we started using our own
> UserDetails object in the principal of Authentication. This method in
> JaasNameCallbackHandler seems to be calling the incorrect method. In
> AbstractAuthenticationHandler, the methods called are
> ‘authentication.getPrincipal().getUsername()’ not
> ‘toString()’ like it appears below. Is there any reason for this? The
> problem we are facing is that our JAAS handler is trying to
> authenticate on the entire toString() output of our UserDetails
> object, instead of just the username, at this point, when the Acegi
> API/source seems to indicate that
> toString() is to be used for debug output.
>
> ```
> public void handle(Callback callback, Authentication authentication)
>     throws IOException, UnsupportedCallbackException {
>     if (callback instanceof NameCallback) {
>         NameCallback ncb = (NameCallback) callback;
>         ncb.setName(authentication.getPrincipal().toString());
>     }
> }
> ```
Luke Taylor(Migrated from SEC-36) said:
This test:
```
public void testNullAuthenticationInSecureContext() throws Exception {
    SecurityContextHolder.getContext().setAuthentication(null);
    assertFalse("Should return false and ask to be ignored", module.login());
}
```
fails because the login module throws an exception if the authentication is null:
```
public boolean login() throws LoginException {
    authen = SecurityContextHolder.getContext().getAuthentication();
}
```
Can we clear up whether these tests are meant to be running at the moment – they’re not being run in the automated builds because the class name ends in “Test” rather than “Tests”?
Ben Alex(Migrated from SEC-21) said:
We need a new AccessDecisionVoter that responds to a configurable configuration attribute (eg IS_AUTHENTICATED). It would simply ensure the Authentication is fully authenticated, by reference to the AuthenticationTrustResolver. It probably will support IS_AUTHENTICATED_REMEMBERED and IS_AUTHENTICATED_FULLY (the latter meaning AuthenticationTrustResolver.isAnonymous = false and .isRememberME = false).
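The voter sketched above, as an added example that is not Acegi's or Spring Security's code: it grants IS_AUTHENTICATED_REMEMBERED to any non-anonymous caller and IS_AUTHENTICATED_FULLY only to a caller who is neither anonymous nor remember-me, and abstains on attributes it does not own. The Authentication interface, the three token classes and TrustResolver are stand-ins defined inside the example so it compiles with the JDK alone; the attribute names are the ones proposed in the post.

```java
import java.util.Arrays;
import java.util.List;

public class AuthenticatedVoterExample {

    /** Stand-in for Acegi's Authentication: only the name matters here. */
    interface Authentication {
        String getName();
    }

    /** Stand-ins for the token kinds the trust resolver distinguishes. */
    static final class UsernamePasswordToken implements Authentication {
        private final String name;
        UsernamePasswordToken(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static final class RememberMeToken implements Authentication {
        private final String name;
        RememberMeToken(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static final class AnonymousToken implements Authentication {
        public String getName() { return "anonymousUser"; }
    }

    /** Mirrors what AuthenticationTrustResolver does: classify a token by its type. */
    static final class TrustResolver {
        boolean isAnonymous(Authentication auth) { return auth instanceof AnonymousToken; }
        boolean isRememberMe(Authentication auth) { return auth instanceof RememberMeToken; }
    }

    /** The voter proposed in SEC-21, written against the stand-ins above. */
    static final class AuthenticatedVoter {
        static final int ACCESS_GRANTED = 1;
        static final int ACCESS_ABSTAIN = 0;
        static final int ACCESS_DENIED = -1;
        static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY";
        static final String IS_AUTHENTICATED_REMEMBERED = "IS_AUTHENTICATED_REMEMBERED";

        private final TrustResolver resolver = new TrustResolver();

        /** Only the two attributes above are ours; anything else is for another voter. */
        boolean supports(String attribute) {
            return IS_AUTHENTICATED_FULLY.equals(attribute)
                || IS_AUTHENTICATED_REMEMBERED.equals(attribute);
        }

        /** FULLY: isAnonymous == false and isRememberMe == false. */
        boolean isFullyAuthenticated(Authentication auth) {
            return !resolver.isAnonymous(auth) && !resolver.isRememberMe(auth);
        }

        /** REMEMBERED: any non-anonymous token, so remember-me and fully authenticated both qualify. */
        boolean isRemembered(Authentication auth) {
            return !resolver.isAnonymous(auth);
        }

        /** Abstains if no attribute is ours; otherwise grants on the first satisfied one, else denies. */
        int vote(Authentication auth, List<String> configAttributes) {
            int result = ACCESS_ABSTAIN;
            for (String attribute : configAttributes) {
                if (!supports(attribute)) {
                    continue;
                }
                result = ACCESS_DENIED;   // an attribute we understand is present, so we must decide
                if (IS_AUTHENTICATED_FULLY.equals(attribute) && isFullyAuthenticated(auth)) {
                    return ACCESS_GRANTED;
                }
                if (IS_AUTHENTICATED_REMEMBERED.equals(attribute) && isRemembered(auth)) {
                    return ACCESS_GRANTED;
                }
            }
            return result;
        }
    }

    static String describe(int vote) {
        return vote == AuthenticatedVoter.ACCESS_GRANTED ? "GRANTED"
             : vote == AuthenticatedVoter.ACCESS_DENIED ? "DENIED" : "ABSTAIN";
    }

    public static void main(String[] args) {
        AuthenticatedVoter voter = new AuthenticatedVoter();
        List<String> changePassword = Arrays.asList(AuthenticatedVoter.IS_AUTHENTICATED_FULLY);
        List<String> viewProfile = Arrays.asList(AuthenticatedVoter.IS_AUTHENTICATED_REMEMBERED);
        List<String> roleOnly = Arrays.asList("ROLE_USER");   // not ours: the voter abstains

        Authentication[] callers = {
            new UsernamePasswordToken("alice"), new RememberMeToken("alice"), new AnonymousToken()
        };
        for (Authentication caller : callers) {
            System.out.printf("%-22s change-password=%-8s view-profile=%-8s role-only=%s%n",
                caller.getClass().getSimpleName(), describe(voter.vote(caller, changePassword)),
                describe(voter.vote(caller, viewProfile)), describe(voter.vote(caller, roleOnly)));
        }
    }
}
```

The practical effect is step-up authentication: a remember-me token is enough for a resource tagged IS_AUTHENTICATED_REMEMBERED, while one tagged IS_AUTHENTICATED_FULLY forces an interactive login first, and an anonymous caller is denied both. For a plain ROLE_ attribute the voter abstains so that a role voter can decide.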
Konstantin Shaposhnikov(Migrated from SEC-27) said:
I have tried to start my application with the latest (from CVS) version of acegi and get the following exception:
```
java.lang.IllegalArgumentException: null source
java.util.EventObject.<init>(EventObject.java:34)
org.springframework.context.ApplicationEvent.<init>(ApplicationEvent.java:37)
net.sf.acegisecurity.ui.InteractiveAuthenticationSuccesEvent.<init>(InteractiveAuthenticationSuccesEvent.java:45)
net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:136)
```
After some investigation I have found the reason. In RememberMeProcessingFilter.java InteractiveAuthenticationSuccesEvent is fired even in case of unsuccessful authentication.
```
SecurityContextHolder.getContext().setAuthentication(rememberMeServices
        .autoLogin(httpRequest, httpResponse));

if (logger.isDebugEnabled()) {
    logger.debug(
        "Replaced SecurityContextHolder with remember-me token: '"
        + SecurityContextHolder.getContext().getAuthentication()
        + "'");
}
```
Fix would be quite easy: check that after autoLogin authentication in security context is not null.
Ben Alex(Migrated from SEC-17) said:
http://forum.springframework.org/viewtopic.php?t=4132
http://forum.springframework.org/viewtopic.php?t=4558
Based on past forum requests, a lot of users appear to be using Apache to front their servlet container, with connectors to bind them together. Acegi Security needs to support better integration with connectors.
Discussed this with Luke in London, so he has more details.
Luke Taylor(Migrated from SEC-44) said:
This has been reported in the forums and the dev list and I just verified it with a freshly built JBoss 4.0.2. When browsing to the “add” page in the sample application, the file add.jsp fails to compile:
```
An error occurred at line: 21 in the jsp file: /WEB-INF/jsp/add.jsp
Generated servlet error:
org.springframework.web.servlet.tags.BindStatus cannot be resolved or is not a type
Generated servlet error:
org.springframework.web.servlet.tags.BindStatus cannot be resolved or is not a type

org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:84)
org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:328)
org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:397)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:288)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:267)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:255)
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:556)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:293)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:97)
org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
```
Scott Russell(Migrated from SEC-28) said:
Class javadoc comments for net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter read with description and instructions for use of BasicProcessingFilter.
Ben Alex(Migrated from SEC-49) said:
Make AfterInvocationProvider add a mixin for:
```
public interface AclAware {
    public AclEntry[] getAcls();
}
```
Thus enabling result objects from a method invocation to provide access to the underlying ACL details without a further call to AclManager. Example code:
```
Account account = accountManager.getAccount(54);
AclAware aclInfo = (AclAware) account;
for (int i = 0; i < aclInfo.getAcls().length; i++) {
    System.out.println(aclInfo.getAcls()[i]);
}
```
Ben Alex(Migrated from SEC-14) said:
http://forum.springframework.org/viewtopic.php?t=5915
FilterSecurityInterceptor must have a flag that enables once-per-request handling to be switched off. This is needed so that servlet forwards in a 2.4 servlet container can be secured if desired.
The trade-off is that people using SiteMesh etc probably don’t want their decorators to be authorized, given all the extra performance hit when the main request URI was authorized.
nicolas de loof(Migrated from SEC-46) said:
I’m using Acegi security to secure a web service application. It is required NOT to use HTTP session. I have set httpSessionContextIntegrationFilter with “allowSessionCreation=false” but BasicProcessingFilter creates the HTTP session when it does
```
authRequest.setDetails(new WebAuthenticationDetails(httpRequest));
```
In fact, WebAuthenticationDetails constructor does a request.getSession().getId();. It should be something like:
```
HttpSession session = request.getSession(false);
if (session != null) {
    this.sessionId = session.getId();
}
```
Andres March(Migrated from SEC-32) said:
The BasicAclEntryAfterInvocationProvider (and its filtering sibling) requires the use of the AbstractBasicAclEntry, so it can call isPermitted(). I am wondering why this method cannot be part of an interface (maybe BasicAclEntry). For various reasons, some of them hibernate-related, I need to have my own implementation of BasicAclEntry.
The code requires an AbstractBasicAclEntry but given that the mask is definitely an int then it should not be a problem to require an isPermitted(int perm) method on the interface.
snip:
```
// Locate processable AclEntrys
if (acls[i] instanceof AbstractBasicAclEntry) {
    AbstractBasicAclEntry processableAcl = (AbstractBasicAclEntry) acls[i];

    // See if principal has any of the required permissions
    for (int y = 0; y < requirePermission.length; y++) {
        if (processableAcl.isPermitted(requirePermission[y])) {
            if (logger.isDebugEnabled()) {
                logger.debug(
                    "Principal DOES have permission to return object: "
                    + returnedObject + " due to ACL: "
                    + processableAcl.toString());
            }
        }
    }
}
```
Ben Alex(Migrated from SEC-30) said:
As per discussion with Keith, refactor AuthenticationManager/Provider to have a public Authentication authenticate(Credentials).
Then, have Credentials hold the getPrincipal() and getCredentials() methods, with Authentication extending Credentials with the remaining methods.
pascal gehl(Migrated from SEC-33) said:
Create a sub class/implementation of AuthenticationProcessingFilterEntryPoint allowing for multiple login pages depending on the URI asked.
Something like:
```
false
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/admin/=/loginAdmin.html
/user/=/loginUser.html
```
Stefan Becker(Migrated from SEC-42) said:
Maybe I’m just a complete fool but I cannot get the LDAP authentication to work.
I boiled it down to a simple (too simple?) testcase.
Running the test gives the following exception:
```
Exception in thread "main" org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationProvider' defined in file [D:\jdev\Acegitest\helloacegi.xml]: Can't resolve reference to bean 'ldapDaoImpl' while setting property 'passwordAuthenticationDao'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ldapDaoImpl' defined in file [D:\jdev\Acegitest\helloacegi.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'uRL' of bean class [net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao]: Bean property 'uRL' is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ldapDaoImpl' defined in file [D:\jdev\Acegitest\helloacegi.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'uRL' of bean class [net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao]: Bean property 'uRL' is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?
org.springframework.beans.NotWritablePropertyException: Invalid property 'uRL' of bean class [net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao]: Bean property 'uRL' is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?
	at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:814)
	at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:734)
	at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:862)
	at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:889)
	at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:878)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:934)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:731)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:340)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:226)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:147)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:176)
	at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:105)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:920)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:731)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:340)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:226)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:147)
	at HelloAcegi.main(HelloAcegi.java:9)
```
Same happens, when I try to wire ldap in a web application on a tomcat server.
Andreas Senft(Migrated from SEC-25) said:
I would like to propose the addition of some support concerning EJB usage. There are two points in particular:
- Providing an EJB-based AuthenticationProvider
- Providing means to propagate SecureContext information via EJB interfaces
Regards,
Andreas
Ben Alex(Migrated from SEC-16) said:
http://forum.springframework.org/viewtopic.php?t=6056
If a Collection/array of domain objects are presented to BasicAclEntryAfterInvocationCollectionFilteringProvider, the filtering will occur at the level of the presented Collection/array only.
We should consider adding a feature to BasicAclEntryAfterInvocationCollectionFilteringProvider that allows it to reflectively evaluate each property to locate internal Collections/arrays. These would then be processed at an ACL level. This would continue so any level of object nesting is processed. It would be necessary to avoid infinite loops, as one object may refer (by reference) to a parent object. The Acegi Security domain subproject contains some examples of this sort of detection behaviour in its validation package.
Such a new feature must be switchable, as the expense of reflectively evaluating every domain object in a Collection/array may be high.
Scott McCrory(Migrated from SEC-11) said:
http://forum.springframework.org/viewtopic.php?t=5630&start=0&postdays=0&postorder=asc&highlight=&sid=22018da8ea72240182c836518d2d61d8
I used Acegi 0.6.0 Authz tags successfully in Tomcat 5.0 and now I’m trying to use 0.8.1 in Websphere Application Server 5.0, but am getting org.springframework.web.util.ExpressionEvaluationUtils Using Jakarta JSTL ExpressionEvaluatorManager ; java.lang.NoSuchMethodError: java/lang/String.replaceAll.
When I check the Javadoc for org.springframework.web.util.ExpressionEvaluationUtils
(http://www.springframework.org/docs/api/org/springframework/web/util/ExpressionEvaluationUtils.html) it says that Jakarta’s JSTL implementation is used if JSP 2.0 support is not found. However, I wonder if it’s trying to fall back to Jakarta’s JSTL 1.1 instead of 1.0. If so, I believe only 1.0.x will run within Websphere’s older JDK 1.3 environment. Upgrading to a JSP 2.0 container isn’t an option for a lot of companies yet.
I’ll try to create a patch which does not use String.replaceAll(), but does the same thing iteratively, but if someone gets to this first, please have at it. Thanks!
Lynn Richards(Migrated from SEC-45) said:
In:
1. Fix class name
Change:
```
class="net.sf.acegisecurity.intercept.method.MethodSecurityInterceptor"
```
To:
```
class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"
```
2. Use full classname on all annotations
Change:
```
@@SecurityConfig
```
To:
```
@@net.sf.acegisecurity.SecurityConfig
```
Ben Alex(Migrated from SEC-37) said:
See http://forum.springframework.org/viewtopic.php?t=7104
Basically if more than one request comes into a web container for the same browser, both requests will be for the same jsessionid. If the requests finish in a different order from which they are received, any authentication action that occurs in the faster-to-complete request will be overwritten by the slower-to-complete request.
The fix is to only ever write to HttpSession if the SecurityContextHolder.getContext() has actually changed during the request. As such, in the above case the slower-to-complete request will not have changed its SecurityContextHolder and therefore would not have overwritten the faster-to-complete request’s modification of SecurityContextHolder and thus persistence in HttpSession.
I have no problem with this change; it makes sense. We just need to ensure test coverage carefully checks its correct operation.
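The interleaving described above, replayed as an added example (not Acegi's or Spring Security's code): two requests for the same session start while it is unauthenticated, the fast one logs in and completes, then the slow one completes. With unconditional write-back the slow request's stale copy clobbers the login; with the SEC-37 rule it leaves the session alone because its own context never changed. Session, SecurityContext, Request and the two finish methods are stand-ins written for this example, not the HttpSessionContextIntegrationFilter classes, and the attribute name is chosen here.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class SessionWriteOnChangeExample {

    /** Session attribute under which the stand-in filter persists the context (name chosen for this example). */
    static final String CONTEXT_KEY = "SECURITY_CONTEXT";

    /** Stand-in for SecurityContext: the Authentication is reduced to a principal name, null meaning unauthenticated. */
    static final class SecurityContext {
        final String authentication;
        SecurityContext(String authentication) { this.authentication = authentication; }
        @Override public boolean equals(Object o) {
            return o instanceof SecurityContext
                && Objects.equals(authentication, ((SecurityContext) o).authentication);
        }
        @Override public int hashCode() { return Objects.hashCode(authentication); }
        @Override public String toString() { return authentication == null ? "<unauthenticated>" : authentication; }
    }

    /** Stand-in for the HttpSession shared by every request that carries the same JSESSIONID. */
    static final class Session {
        final Map<String, Object> attributes = new HashMap<>();
    }

    /** One in-flight request: the context it loaded from the session at entry, and the one it ends with. */
    static final class Request {
        final SecurityContext contextAtEntry;   // snapshot taken before the filter chain proceeds
        SecurityContext contextNow;

        Request(Session session) {
            Object stored = session.attributes.get(CONTEXT_KEY);
            contextAtEntry = stored == null ? new SecurityContext(null) : (SecurityContext) stored;
            contextNow = contextAtEntry;
        }

        /** An interactive login during this request replaces the context, as a processing filter would. */
        void login(String username) { contextNow = new SecurityContext(username); }
    }

    /** Behaviour before SEC-37: whatever this request ended with is written back, unconditionally. */
    static void finishAlwaysWrite(Session session, Request request) {
        session.attributes.put(CONTEXT_KEY, request.contextNow);
    }

    /** SEC-37: write back only if this request changed its own context; an untouched context is left alone. */
    static void finishWriteOnChange(Session session, Request request) {
        if (!request.contextNow.equals(request.contextAtEntry)) {
            session.attributes.put(CONTEXT_KEY, request.contextNow);
        }
    }

    /**
     * Replays the interleaving from the report: both requests enter while the session is unauthenticated,
     * the fast one logs in and completes first, then the slow one completes. Returns what the session holds.
     */
    static String replay(boolean writeOnChange) {
        Session session = new Session();
        Request fast = new Request(session);
        Request slow = new Request(session);      // entered before 'fast' finished, so also unauthenticated
        fast.login("alice");
        if (writeOnChange) {
            finishWriteOnChange(session, fast);
            finishWriteOnChange(session, slow);
        } else {
            finishAlwaysWrite(session, fast);
            finishAlwaysWrite(session, slow);
        }
        return String.valueOf(session.attributes.get(CONTEXT_KEY));
    }

    public static void main(String[] args) {
        System.out.println("always write:    session holds " + replay(false));
        System.out.println("write on change: session holds " + replay(true));
    }
}
```

Run as written, the first line reports the session as unauthenticated (the slow request erased alice's login) and the second reports alice. The comparison must be against a snapshot of the value taken at request entry, as here, not against a reference to the same mutable object; if the filter compared a context with itself after in-place mutation, every change would look like "no change" and nothing would ever be persisted.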
Ray Suliteanu(Migrated from SEC-23) said:
Per thread on the Acegi Spring forum http://forum.springframework.org/viewtopic.php?p=25760, the current JaasAuthenticationProvider does not provide any means to log out a user that was logged in via the JaasAuthenticationProvider, so the JAAS integration provided by it is not sufficient.
I have created a patch for my own temporary use against a nightly snapshot. I do not know if it’s correctly done, but it appears to work.
Feel free to use it or trash it, as long as there’s a way to log out a user via JAAS (i.e. the LoginContext.logout() method is invoked).
Thanks.
\ acegisecurity/core/src/main/java/net/sf/acegisecurity/providers/jaas/JaasAuthenticationProvider.java Tue Apr 26 20:39:06 2005
- JaasAuthenticationProvider.java.new Mon Jun 6 14:03:57 2005
\ 19,24 ****
- 19,27 --
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.GrantedAuthority;
- import net.sf.acegisecurity.context.SecurityContext;
- import net.sf.acegisecurity.context.SecurityContextHolder;
- import net.sf.acegisecurity.ui.session.HttpSessionDestroyedEvent;
import net.sf.acegisecurity.providers.AuthenticationProvider;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.jaas.event.JaasAuthenticationFailedEvent;
-
- import org.springframework.context.ApplicationListener;
- import org.springframework.context.ApplicationEvent;
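Review bot: this import hunk adds SecurityContext, SecurityContextHolder, HttpSessionDestroyedEvent, ApplicationListener and ApplicationEvent, but the onApplicationEvent body in the last hunk also catches LoginException and declares an AcegiSecurityException local, and neither import is added here; verify both are already among the unchanged imports or the patched file will not compile. The `import net.sf.acegisecurity.context.SecurityContext;` line exists only to support the cast `(SecurityContext) SecurityContextHolder.getContext()` in that same hunk, which is redundant if getContext() already returns a SecurityContext, so the import and the cast could go together.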
\ 160,166 ****
- @version $Id: JaasAuthenticationProvider.java,v 1.11 2005/04/27 03:39:05 raykrueger Exp $
*/
public class JaasAuthenticationProvider implements AuthenticationProvider,
! InitializingBean, ApplicationContextAware {
//~ Static fields/initializers =========
- @version $Id: JaasAuthenticationProvider.java,v 1.11 2005/04/27 03:39:05 raykrueger Exp $
*/
public class JaasAuthenticationProvider implements AuthenticationProvider,
! InitializingBean, ApplicationContextAware, ApplicationListener {
//~ Static fields/initializers =========
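Review bot: the class javadoc directly above this hunk (the `@version $Id` block) is left unchanged while the class gains a second responsibility, so document on the class that the provider now implements ApplicationListener in order to call LoginContext.logout() when an HttpSessionDestroyedEvent arrives, and that this only happens if something in the web application actually publishes that event; without such a publisher the new logout path is silently never exercised.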
\ 307,312 ****
- 314,322 --
```
Assert.notNull(Configuration.getConfiguration(),
“As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html \”If a Configuration object was set via the Configuration.setConfiguration method, then that object is returned. Otherwise, a default Configuration object is returned\“. Your JRE returned null to Configuration.getConfiguration().”);
```
+
- callbackHandler = new InternalCallbackHandler();
- ```
loginContext = new LoginContext(loginContextName, callbackHandler);
```
- ```
public void onApplicationEvent(ApplicationEvent event) {
```
- if (event instanceof HttpSessionDestroyedEvent) {
- SecurityContext context = (SecurityContext) SecurityContextHolder.getContext();
- if (context != null) {
- try {
- loginContext.logout();
- }
- catch (LoginException e) {
- AcegiSecurityException ase = loginExceptionResolver.resolveException(e);
- log.error(ase.getMessage(), ase);
- }
- }
- else {
- log.debug(“onApplicationEvent – no SecureContext available”);
- }
- }
- ```
}
```
! public InternalCallbackHandler(Authentication authentication) {
! this.authentication = authentication;
}
```
public void handle(Callback[] callbacks)
```
! public InternalCallbackHandler() {
! }
!
! public void setAuthentication(Authentication authentication) {
! this.authentication = authentication;
}
```
public void handle(Callback[] callbacks)
```
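Review bot: onApplicationEvent decides whom to log out from `SecurityContextHolder.getContext()`, which is the thread-local of whatever thread delivers the HttpSessionDestroyedEvent; a session that expires is destroyed on the container's own timer thread, where that holder is empty or belongs to an unrelated request, so this branch either hits the `onApplicationEvent – no SecureContext available` debug line or logs out the wrong user. Drive the decision from the Authentication stored in the destroyed session instead, and test for a null Authentication rather than a null context. Related, the lines `callbackHandler = new InternalCallbackHandler();` and `loginContext = new LoginContext(loginContextName, callbackHandler);` now create one handler and one LoginContext shared by every caller, with the new `setAuthentication` replacing the per-call `InternalCallbackHandler(Authentication)` constructor: concurrent authenticate() calls race on the handler's Authentication field, and `loginContext.logout()` logs out whichever Subject the shared LoginContext last authenticated, not necessarily the user whose session ended. Keep a LoginContext per authenticated user (for example stored alongside the Authentication in that user's session) and log out that one.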
Scott McCrory(Migrated from SEC-41) said:
package.html files are missing for the following packages:
net.sf.acegisecurity.captcha
net.sf.acegisecurity.intercept.event
net.sf.acegisecurity.providers.jaas
net.sf.acegisecurity.providers.jaas.event
net.sf.acegisecurity.providers.x509.cache
net.sf.acegisecurity.providers.x509.populator
net.sf.acegisecurity.ui.session
It doesn’t affect any operation but it’s nice to have all of the packages documented for JavaDoc output.
Mark St.Godard(Migrated from SEC-50) said:
DaoAuthenticationProvider.java around line 300 publishes an AuthenticationSuccessEvent when the user has logged in. However – it only does this if the cache wasn’t used… This seems odd and incorrect to me.
Since this sequence of events misses the second event:
1) login as user A – event is fired
2) logout
3) login as user A – event isn’t fired
Andrey Grebnev(Migrated from SEC-29) said:
I am developing AtLeap CMS (https://atleap.dev.java.net) using Acegi 0.8.2.
In my application I really need the feature to save data (especially POST) from the old request and populate it into the new one after successful authentication.
the same functionality as in Jakarta Apache Tomcat. It works.
following classes and replace with them your default classes in security Spring config.
future Acegi version.
Andrey Grebnev
Ben Alex(Migrated from SEC-1) said:
As discussed with Luke Taylor, generate a new tool that converts a web.xml file containing security constraints into an Acegi Security application context XML file. Designed to provide a simple migration for people, but with the more advanced features such as remember-me and anonymous authentication enabled by default.
Ben Alex(Migrated from SEC-9) said:
DaoAuthenticationProvider and PasswordDaoAuthenticationProvider are basically duplicates. It is time to refactor to at least an abstract parent, or using a template pattern.
Need to also consider whether PasswordEncoder should happen at the level of the AuthenticationProvider, or at the level of the AuthenticationDao. Some people have wanted to mix JDBC and In-Memory providers, wherein each have different password encoding.
Ben Alex(Migrated from SEC-13) said:
Recently AbstractSecurityInterceptor was modified to not delegate to the AuthenticationManager if the current Authentication.isAuthenticated() returned true.
This change was made to satisfy user concerns about performance. However, the current CVS needs to be modified to make this AbstractSecurityInterceptor behaviour switchable, as some users will want to use the traditional approach and thus allow the AuthenticationProvider-level caching to operate.
Ben Alex(Migrated from SEC-7) said:
At present it is difficult to chain AuthenticationProviders, as they differentiate based on the supports() method and whether they return null to indicate to try the next AuthenticationProvider. Need something more sophisticated (eg usernameNotFoundBehaviour=abortAtFirstFailure|continueChain).
http://forum.springframework.org/viewtopic.php?p=19514
Ben Alex(Migrated from SEC-40) said:
HibernateDao uses Criteria API to build a PaginatedList. The current implementation is inefficient as it retrieves every row when determining the total number of matching results.
I wrote a more efficient HQL based implementation of this method recently, but we should explore using the org.hibernate.criterion.Projections.rowCount() instead.
Ben Alex(Migrated from SEC-8) said:
http://opensource.cenqua.com/shaj/ provides a mechanism to authenticate against Windows NT Domains.
See also http://forum.springframework.org/viewtopic.php?p=22163
See also http://forum.springframework.org/viewtopic.php?t=4670 which discusses NTLM authentication and refers to some code that has already been written for this purpose.
Greg Rickman(Migrated from SEC-39) said:
net.sf.acegisecurity.providers.dao.User is not overriding the equals method, which means that object identity is used for equals comparisons. It would be more convenient for unit testing that involves User if the class overrode equals to make a comparison based on the value of its attributes.
Specifically when using the EasyMock API, the fact that User uses object identity for equals comparisons makes argument matching when User is an argument difficult.
Dan Batten(Migrated from SEC-22) said:
Currently the code used to create the PrincipalAcegiUserToken is the following:
```
identity = new PrincipalAcegiUserToken(this.key,
    response.getPrincipal().toString(),
    response.getCredentials().toString(),
    response.getAuthorities());
```
This means that the PrincipalAcegiUserToken is passed a serialized response principal NOT the username which is the method signature for PrincipalAcegiUserToken.
I would suggest that the code should look like this:
```
identity = new PrincipalAcegiUserToken(this.key,
    response.getPrincipal().getName(), // <-- CHANGED
    response.getCredentials().toString(),
    response.getAuthorities());
```
Cheers,
Dan.
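SEC-48 above and this report describe the same defect from two sides: a principal object's toString() is debug output, and handing it to a JAAS NameCallback (SEC-48) or to PrincipalAcegiUserToken (SEC-22) as the login name breaks authentication whenever the principal is anything richer than a String. As an added example that is not Acegi's or Spring Security's code, the handler below resolves the account name by type (a UserDetails-style getUsername(), a java.security.Principal's getName(), or a plain String) and refuses anything else rather than falling back to toString(). UserDetails and Account are stand-ins for an application's own principal type; the javax.security.auth.callback classes are part of the JDK.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class PrincipalNameCallbackHandler implements CallbackHandler {

    /** Stand-in for Acegi's UserDetails: the only method this example relies on. */
    interface UserDetails {
        String getUsername();
    }

    private final Object principal;   // whatever Authentication.getPrincipal() returned
    private final char[] password;    // whatever Authentication.getCredentials() returned

    PrincipalNameCallbackHandler(Object principal, char[] password) {
        this.principal = principal;
        this.password = password;
    }

    /**
     * Resolves the account name from the principal object. toString() is deliberately not a
     * fallback: it is debug output, and sending it as the login name is the defect in SEC-48.
     */
    static String nameOf(Object principal) {
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        if (principal instanceof Principal) {
            return ((Principal) principal).getName();   // the getName() fix proposed in SEC-22
        }
        if (principal instanceof String) {
            return (String) principal;
        }
        throw new IllegalArgumentException("unsupported principal type: " + principal.getClass().getName());
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(nameOf(principal));
            } else if (callback instanceof PasswordCallback) {
                ((PasswordCallback) callback).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(callback, "not handled: " + callback.getClass().getName());
            }
        }
    }

    /** Constructed sample principal whose toString() dumps the whole object, as a UserDetails typically does. */
    static final class Account implements UserDetails {
        private final String username;
        private final boolean enabled;
        Account(String username, boolean enabled) { this.username = username; this.enabled = enabled; }
        public String getUsername() { return username; }
        @Override public String toString() { return "Account[username=" + username + ", enabled=" + enabled + "]"; }
    }

    public static void main(String[] args) throws Exception {
        Account account = new Account("alice", true);
        NameCallback name = new NameCallback("login: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);

        new PrincipalNameCallbackHandler(account, "constructed-sample".toCharArray())
            .handle(new Callback[] { name, pass });

        System.out.println("toString() would have sent: " + account);
        System.out.println("NameCallback received:      " + name.getName());
        pass.clearPassword();   // JAAS convention: wipe the password once the login module has consumed it
    }
}
```

The explicit IllegalArgumentException for unknown principal types is the point of the design: a silent toString() fallback would have made the SEC-48 failure look like a bad password at the directory rather than a programming error in the handler.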
Ben Alex(Migrated from SEC-18) said:
http://forum.springframework.org/viewtopic.php?t=6085
Provide a simple MethodInvocationPrivilegeEvaluator class that has the ObjectDefinitionSource and AccessDecisionManager as collaborators. It would have a single method:
```
public boolean allowed(MethodInvocation, Authentication);
```
This allows testing of privileges before calling a method – particularly useful in the case of domain object instance security.
See also SEC-113 for a related helper class.
Stein Martin Hustad(Migrated from SEC-43) said:
Using JdbcExtendedDaoImpl together with PostgreSQL and the following acl tables fails when inserting new identities or permissions:
```
create table acl_object_identity (
    id serial primary key,
    object_identity varchar(250) not null unique,
    parent_object integer references acl_object_identity,
    acl_class varchar(250) not null
);

create table acl_permission (
    id serial primary key,
    acl_object_identity integer not null references acl_object_identity(id),
    recipient varchar(100) not null,
    mask integer not null,
    constraint unique_recipient unique(acl_object_identity, recipient)
);
```
This is due to the fact that JdbcExtendedDaoImpl explicitly sets the id to null. Postgres will naturally give an error as this is a primary key and thus cannot be null. Either set it to the value you want or leave it out of the statement.
It doesn’t seem to be possible to override this by injecting new sql statements for AclObjectIdentityInsertStatement and AclPermissionInsertStatement. The AclObjectIdentityInsert and AclPermissionInsert classes declare four parameters, the first of which is hardcoded to null.
Ben Alex(Migrated from SEC-5) said:
It would be desirable if AuthenticationProcessingFilter generated events at interactive login time.
This might no longer be required, as the modifications to the Authentication.isAuthenticated() handling mean that AuthenticationManager is only generally called once-per-interactive-login anyway.
Logged in JIRA so there is some record.
http://forum.springframework.org/viewtopic.php?t=4292
Ben Alex(Migrated from SEC-19) said:
http://forum.springframework.org/viewtopic.php?t=2875
Would be good if there was a way of automatically creating/removing ACL rows based on ORM events, or services layer AOP, instead of needing to manually code relevant workflow into service layer method implementations.
Matthew was looking at this a few months back, so I’ll assign it to him in case he made some ground. If not, please feel free to reassign back to me.