Tim Kettering(Migrated from SEC-48) said:

I submitted this via the listserv on 7/21/2005, and one of the developers said it would be looked into immediately, so I didnt file a JIRA issue on it, but since it apparently hasn’t been touched in CVS, I’m going to submit it here. I’m pasting in the email contents below:

I’m also going to submit a patch, which is my version of the fix.

I’ll double check but I’m pretty sure that’s a bug. If so I’ll get it committed either tonight or tomorrow. US time that is :P -Ray

On 7/21/05, Tim Kettering [email protected] wrote:

> I was tracking down some issues that came up after we started using our own
> UserDetails object in the principal of Authentication. This method in
> JaasNameCallbackHandler seems to be calling the incorrect method. In
> AbstractAuthenticationHandler, the methods called are
> ‘authentication.getPrincipal().getUsername()’ not
> ‘toString()’ like it appears below. Is there any reason for this? The
> problem we are facing is that our JAAS handler is trying to
> authenticate on the entire toString() output of our UserDetails
> object, instead of just the username, at this point, when the Acegi
> API/source seems to indicate that
> toString() is to be used for debug output.
>
> ```
> public void handle(Callback callback, Authentication
> ```
>
> authentication)
>
> ```
> throws IOException, UnsupportedCallbackException {
>
> if (callback instanceof NameCallback) {
>
> NameCallback ncb = (NameCallback) callback;
>
> ncb.setName(authentication.getPrincipal().toString());
>
> }
>
> }
> ```

---

SF.Net email is sponsored by: Discover Easy Linux Migration Strategies from IBM. Find simple to follow Roadmaps, straightforward articles, informative Webcasts and more! Get everything you need to get up to speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=ick

---

Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer

Scott McCrory(Migrated from SEC-41) said:

package.html files are missing for the following packages:

net.sf.acegisecurity.captcha
net.sf.acegisecurity.intercept.event
net.sf.acegisecurity.providers.jaas
net.sf.acegisecurity.providers.jaas.event
net.sf.acegisecurity.providers.×509.cache
net.sf.acegisecurity.providers.×509.populator
net.sf.acegisecurity.ui.session

It doesn’t affect any operation but it’s nice to have all of the packages documented for JavaDoc output.

Luke Taylor(Migrated from SEC-44) said:

This has been reported in the forums and the dev list and I just verified it with a freshly built JBoss 4.0.2. When browsing to the “add” page in the sample application, the file add.jsp fails to compile:

An error occurred at line: 21 in the jsp file: /WEB-INF/jsp/add.jsp
Generated servlet error:
org.springframework.web.servlet.tags.BindStatus cannot be resolved or is not a type

Generated servlet error:
org.springframework.web.servlet.tags.BindStatus cannot be resolved or is not a type

```
org.apache.jasper.compiler.DefaultErrorHandler.javacError(DefaultErrorHandler.java:84)
org.apache.jasper.compiler.ErrorDispatcher.javacError(ErrorDispatcher.java:328)
org.apache.jasper.compiler.JDTCompiler.generateClass(JDTCompiler.java:397)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:288)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:267)
org.apache.jasper.compiler.Compiler.compile(Compiler.java:255)
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:556)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:293)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
org.springframework.web.servlet.view.InternalResourceView.renderMergedOutputModel(InternalResourceView.java:97)
org.springframework.web.servlet.view.AbstractView.render(AbstractView.java:250)
```

Ben Alex(Migrated from SEC-9) said:

DaoAuthenticationProvider and PasswordDaoAuthenticationProvider are basically duplicates. It is time to refactor to at least an abstract parent, or using a template pattern.

Need to also consider whether PasswordEncoder should happen at the level of the AuthenticationProvider, or at the level of the AuthenticationDao. Some people have wanted to mix JDBC and In-Memory providers, wherein each have different password encoding.

Stein Martin Hustad(Migrated from SEC-43) said:

Using JdbcExtendedDaoImpl together with PostgreSQL and the following acl tables fails when inserting new identities or permissions:

create table acl_object_identity (
id serial primary key,
object_identity varchar(250) not null unique,
parent_object integer references acl_object_identity,
acl_class varchar(250) not null
);

create table acl_permission (
id serial primary key,
acl_object_identity integer not null references acl_object_identity(id),
recipient varchar(100) not null,
mask integer not null,
constraint unique_recipient unique(acl_object_identity, recipient)
);

This is due to the fact that JdbcExtendedDaoImpl explicitly sets the id to null. Postgres will naturally give an error as this is a primary key and thus cannot be null. Either set it to the value you want or leave it out of the statement.

It doesn’t seem to be possible to override this by injecting new sql statements for AclObjectIdentityInsertStatement and AclPermissionInsertStatement. AclObjectIdentityInsert and AclPermissionInsert classes declares four parameters, the first of which is hardcoded to null.

Ben Alex(Migrated from SEC-35) said:

Split out of issue http://opensource.atlassian.com/projects/spring/browse/SEC-17.

Provide SiteMinder integration.

Scott has already completed some base work in this regard.

Ben Alex(Migrated from SEC-4) said:

http://forum.springframework.org/viewtopic.php?t=4904

An existing implementation of Acegi Security Java 5 annotations may be found at http://up-u.com/?p=183.

Ben Alex(Migrated from SEC-49) said:

Make AfterInvocationProvider adds a mixin for:

public interface AclAware {
public AclEntry[] getAcls();
}

Thus enabling result objects from a method invocation to provide access to the underlaying ACL details without a further call to AclManager. Example code:

Account account = accountManager.getAccount(54);
AclAware aclInfo = (AclAware) account;
for (int i = 0; i < aclInfo.getAcls().length; i++) {
System.out.println(aclInfo.getAcls()[i]);
}

Ben Alex(Migrated from SEC-47) said:

AbstractSecurityInterceptor should have a new property, rejectPublicInvocations, which by default will ensure that any public / non-secure invocations are rejected. This is now possible due to the existence of anonymous authentication services in Acegi Security.

Ben Alex(Migrated from SEC-19) said:

http://forum.springframework.org/viewtopic.php?t=2875

Would be good if there was a way of automatically creating/removing ACL rows based on ORM events, or services layer AOP, instead of needing to manually code relevant workflow into service layer method implementations.

Matthew was looking at this a few months back, so I’ll assign it to him in case he made some ground. If not, please feel free to reassign back to me.

pascal gehl(Migrated from SEC-33) said:

Create a sub class/implementation of AuthenticationProcessingFilterEntryPoint allowing for multiple login pages depending on the URI asked .
Something like :

false


CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/admin/=/loginAdmin.html
/user/=/loginUser.html

Lynn Richards(Migrated from SEC-45) said:

In:

1. Fix class name

Change:
class=“net.sf.acegisecurity.intercept.method.MethodSecurityInterceptor”

To:
class=“net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor”
1. Use full classname on all annotations

Change:
@@SecurityConfig

To:
@@net.sf.acegisecurity.SecurityConfig

Luke Taylor(Migrated from SEC-36) said:

This test:

```
public void testNullAuthenticationInSecureContext()
throws Exception {
SecurityContextHolder.getContext().setAuthentication(null);
assertFalse(“Should return false and ask to be ignored”, module.login());
}
```

fails because the login module throws an exception if the authentication is null:

```
public boolean login() throws LoginException {
authen = SecurityContextHolder.getContext().getAuthentication();

if (authen == null) { throw new LoginException(“Authentication not found in security” + " context"); } return true;

}
```

Can we clear up if these tests meant to be running at the moment – they’re not being run in the automated builds because the class name ends in “Test” rather than “Tests”?

Mark St.Godard(Migrated from SEC-50) said:

“DaoAuthenticationProvider.java around line 300, publishes an
AuthenticationSuccessEvent when the user has logged in. However – it
only does this if the cache wasn’t used… This seems odd and incorrect
to me.

Since this sequence of events misses the second event :

1) login as user A – event is fired
2) logout
3) login as user A – event isn’t fired

Ben Alex(Migrated from SEC-18) said:

http://forum.springframework.org/viewtopic.php?t=6085

Provide a simple MethodInvocationPrivilegeEvaluator class that has the ObjectDefinitionSource and AccessDecisionManager as collaborators. It would have a single method:

public boolean allowed(MethodInvocation, Authentication);

This allows testing of privileges before calling a method – particularly useful in the case of domain object instance security.

See also SEC-113 for a related helper class.

Konstantin Shaposhnikov(Migrated from SEC-27) said:

I have tried to start my application with the latest (from CVS) version of acegi and get following exception:

java.lang.IllegalArgumentException: null source
java.util.EventObject.(EventObject.java:34)
org.springframework.context.ApplicationEvent.(ApplicationEvent.java:37)
net.sf.acegisecurity.ui.InteractiveAuthenticationSuccesEvent.(InteractiveAuthenticationSuccesEvent.java:45)
net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:136)

After some investigation I have found reason. In RememberMeProcessingFilter.java InteractiveAuthenticationSuccesEvent is fired even in case of unsucessful authentication.
SecurityContextHolder.getContext().setAuthentication(rememberMeServi
.autoLogin(httpRequest, httpResponse));

```
if (logger.isDebugEnabled()) {
logger.debug(
“Replaced SecurityContextHolder with remember-me token: ’”
+ SecurityContextHolder.getContext().getAuthentication()
+ “’”);
}

// Fire event if (this.context != null) { context.publishEvent(new InteractiveAuthenticationSuccesEvent( SecurityContextHolder.getContext().getAuthentication(), this.getClass())); }

```

Fix would be quite easy: check that after autoLogin authentication in security context is not null.

Seth Ladd(Migrated from SEC-34) said:

I added a debug line, printing out what is being set into javax.net.ssl.trustedStore environment parameter. This can help in the often confusing SSL configurations required for Acegi + CAS + SSL.

Ben Alex(Migrated from SEC-3) said:

Require a static method so that an encoded password can be stored that meet the requirements for Digest authentication.

http://forum.springframework.org/viewtopic.php?p=15403#15403

Ben Alex(Migrated from SEC-31) said:

As per Keith’s suggestion, consider returning a Vote object instead of ints, such that a reason for a decline vote can be given for UI display.

Ben Alex(Migrated from SEC-7) said:

At present it is difficult to chain AuthenticationProviders, as they differentiate based on the supports() method and whether they return null to indicate to try the next AuthenticationProvider. Need something more sophisticated (eg usernameNotFoundBehaviour=abortAtFirstFailure|continueChain).

http://forum.springframework.org/viewtopic.php?p=19514

Ben Alex(Migrated from SEC-26) said:

The generated Contacts web site needs a link to http://acegisecurity.sourceforge.net/multiproject/acegi-security-sample-contacts/ssl/howto.txt

Andres March(Migrated from SEC-32) said:

the BasicAclEntryAfterInvocationProvider (and its filtering sibling) requires the use of the AbstractBasicAclEntry, so it can call isPermitted(). I am wondering why this method cannot be part of an interface (maybe BasicAclEntry). For various reasons, some of them hibernate-related, I need to have my own implementation of BasicAclEntry.

The code requires an AbstractBasicAclEntry but given that the mask is definitely and int then it should not be a problem to require an isPermitted(int perm) method on the interface.

snip:
// Locate processable AclEntrys
if (acls[i] instanceof AbstractBasicAclEntry) {
AbstractBasicAclEntry processableAcl = (AbstractBasicAclEntry) acls[i];

```
// See if principal has any of the required permissions
for (int y = 0; y < requirePermission.length; y++) {
if (processableAcl.isPermitted(requirePermission[y])) {
if (logger.isDebugEnabled()) {
logger.debug(
"Principal DOES have permission to return object: "
+ returnedObject + " due to ACL: "
+ processableAcl.toString());
}

return returnedObject; }

}
```

}

Ben Alex(Migrated from SEC-5) said:

It would be desirable if AuthenticationProcessingFilter generated events at interactive login time.

This might no longer be required, as the modifications to the Authentication.isAuthenticated() handling mean that AuthenticationManager is only generally called once-per-interactive-login anyway.

Logged in JIRA so there is some record.

http://forum.springframework.org/viewtopic.php?t=4292

Greg Rickman(Migrated from SEC-39) said:

net.sf.acegisecurity.providers.dao.User is not overriding the equals method, which means that object identity is used for equals comparisons. It would be more convenient for unit testing that involves User if the class overrode equals to make a comparison based on the value of it’s attributes.

Specifically when using the EasyMock API, the fact that User uses object identity for equals comparisons makes argument matching when User is an argument difficult.

Ben Alex(Migrated from SEC-16) said:

http://forum.springframework.org/viewtopic.php?t=6056

If a Collection/array of domain objects are presented to BasicAclEntryAfterInvocationCollectionFilteringProvider, the filtering will occur at the level of the presented Collection/array only.

We should consider adding a feature to BasicAclEntryAfterInvocationCollectionFilteringProvider that allows it to reflectively evaluate each property to locate internal Collections/arrays. These would then be processed at an ACL level. This would continue so any level of object nesting is processed. It would be necessary to avoid infinite loops, as one object may refer (by reference) to a parent object. The Acegi Security domain subproject contains some examples of this sort of detection behaviour in its validation package.

Such a new feature must be switchable, as the expense of reflectively evaluating every domain object in a Collection/array may be high.

Ben Alex(Migrated from SEC-2) said:

http://www.javaworld.com/javaworld/jw-03-2005/jw-0307-captcha.html

Ben Alex(Migrated from SEC-38) said:

http://forum.springframework.org/viewtopic.php?t=7126

Convert InMemoryDaoImpl to use java.util.Properties, so that either XML or an external file can be used for authentication information.

Scott McCrory(Migrated from SEC-11) said:

http://forum.springframework.org/viewtopic.php?t=5630&start=0&postdays=0&postorder=asc&highlight=&sid=22018da8ea72240182c836518d2d61d8

I used Acegi 0.6.0 Authz tags successfully in Tomcat 5.0 and now I’m trying to use 0.8.1 in Websphere Application Server 5.0, but am getting org.springframework.web.util.ExpressionEvaluationUtils Using Jakarta JSTL ExpressionEvaluatorManager ; java.lang.NoSuchMethodError: java/lang/String.replaceAll.

When I check the Javadoc for org.springframework.web.util.ExpressionEvaluationUtils
(http://www.springframework.org/docs/api/org/springframework/web/util/ExpressionEvaluationUtils.html) it says that Jakarta’s JSTL implementation is used if JSP 2.0 support is not found. However, I wonder if it’s trying to fall back to Jakarta’s JSTL 1.1 instead of 1.0. If so, I believe only 1.0.x will run within Websphere’s older JDK 1.3 environment. Upgrading to a JSP 2.0 container isn’t an option for a lot of companies yet.

I’ll try to create a patch which does not use String.replaceAll(), but does the same thing iteratively, but if someone gets to this first, please have at it. Thanks!

Andreas Senft(Migrated from SEC-25) said:

I would like to propose the addition of some support concerning EJB usage. Especially there are two points:
- Providing an EJB-based AuthenticationProvider
- Providing means to propagate SecureContext information via EJB interfaces

Regards,
Andreas

Ben Alex(Migrated from SEC-20) said:

http://forum.springframework.org/viewtopic.php?t=6223

HttpSessionContextIntegrationFilter must set the ContextHolder to null irrespective of exceptions thrown inside the filter chain. ie use a finally {} block to set to null and re-throw exception.

Andrey Grebnev(Migrated from SEC-29) said:

I am developing AtLeap CMS (https://atleap.dev.java.net) using Acegi 0.8.2.

In my application I really need the feature to save data

(especially
POST) from old request and populate it into new
after success
authentication.

I extended some acegi (0.8.2) classes in order to have

the same
functionality as in Jakarta Apache Tomcat. It works.

Any who want to use this feature can download the

following classes
and replace with them your default classes in security
Spring config.

https://atleap.dev.java.net/source/browse/atleap/application/src/web/com/blandware/atleap/webapp/acegi/CustomAuthenticationProcessingFilter.java https://atleap.dev.java.net/source/browse/atleap/application/src/web/com/blandware/atleap/webapp/acegi/CustomContextHolderAwareRequestFilter.java https://atleap.dev.java.net/source/browse/atleap/application/src/web/com/blandware/atleap/webapp/acegi/CustomContextHolderAwareRequestWrapper.java https://atleap.dev.java.net/source/browse/atleap/application/src/web/com/blandware/atleap/webapp/acegi/CustomSecurityEnforcementFilter.java https://atleap.dev.java.net/source/browse/atleap/application/src/web/com/blandware/atleap/webapp/acegi/SavedRequest.java https://atleap.dev.java.net/source/browse/atleap/application/src/web/com/blandware/atleap/webapp/util/core/FastHttpDateFormat.java https://atleap.dev.java.net/source/browse/atleap/application/src/web/com/blandware/atleap/webapp/util/core/Enumerator.java The real example of using you find in AtLeap project (see version 0.5rc1 or more). The developers of Acegi can apply this patch for their

future Acegi version.

Andrey Grebnev

Ben Alex(Migrated from SEC-10) said:

Various improvements to concurrent session handling are noted at
http://forum.springframework.org/viewtopic.php?t=4289

Ray Suliteanu(Migrated from SEC-23) said:

Per thread on the Acegi Spring forum http://forum.springframework.org/viewtopic.php?p=25760, the current JaasAuthenticationProvider does not provide any means to log out a user that was logged in via the JaasAuthenticationProvider, so the JAAS integration provided by it is not sufficient.

I have created a patch for my own temporary use against a nightly snapshot. I do not know if it’s correctly done, but it appears to work.
Feel free to use it or trash it, as long as there’s a way to log out a user via JAAS (i.e. the LoginContext.logout() method is invoked).

Thanks.

\ acegisecurity/core/src/main/java/net/sf/acegisecurity/providers/jaas/JaasAuthenticationProvider.java Tue Apr 26 20:39:06 2005
- JaasAuthenticationProvider.java.new Mon Jun 6 14:03:57 2005

---

\ 19,24 ****
- 19,27 --
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.GrantedAuthority;
- import net.sf.acegisecurity.context.SecurityContext;
- import net.sf.acegisecurity.context.SecurityContextHolder;
- import net.sf.acegisecurity.ui.session.HttpSessionDestroyedEvent;
import net.sf.acegisecurity.providers.AuthenticationProvider;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.jaas.event.JaasAuthenticationFailedEvent;
-

\ 32,37 **** - 35,42 -- import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContextAware;

- import org.springframework.context.ApplicationListener;
- import org.springframework.context.ApplicationEvent;

import org.springframework.core.io.Resource;

---

\ 160,166 ****
- @version $Id: JaasAuthenticationProvider.java,v 1.11 2005/04/27 03:39:05 raykrueger Exp $
*/
public class JaasAuthenticationProvider implements AuthenticationProvider,
! InitializingBean, ApplicationContextAware {
//~ Static fields/initializers =========

protected static final Log log = LogFactory.getLog(JaasAuthenticationProvider.class); - 165,171 --

- @version $Id: JaasAuthenticationProvider.java,v 1.11 2005/04/27 03:39:05 raykrueger Exp $
*/
public class JaasAuthenticationProvider implements AuthenticationProvider,
! InitializingBean, ApplicationContextAware, ApplicationListener {
//~ Static fields/initializers =========

protected static final Log log = LogFactory.getLog(JaasAuthenticationProvider.class); - \ 174,179 **** - 179,186 -- private String loginContextName = “ACEGI”; private AuthorityGranter[] authorityGranters; private JaasAuthenticationCallbackHandler[] callbackHandlers; - private InternalCallbackHandler callbackHandler; - ``` private LoginContext loginContext; ``` //~ Methods ================

---

\ 307,312 ****
- 314,322 --

```
Assert.notNull(Configuration.getConfiguration(),
“As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html \”If a Configuration object was set via the Configuration.setConfiguration method, then that object is returned. Otherwise, a default Configuration object is returned\“. Your JRE returned null to Configuration.getConfiguration().”);
```

+
- callbackHandler = new InternalCallbackHandler();
- ```
loginContext = new LoginContext(loginContextName, callbackHandler);
```

} /** - \ 330,341 **** UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) auth; ``` try { ``` ! //Create the LoginContext object, and pass our InternallCallbackHandler ! LoginContext lc = new LoginContext(loginContextName, ! new InternalCallbackHandler(auth)); ``` //Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point. ``` ! lc.login(); ``` //create a set to hold the authorities, and add any that have already been applied. Set authorities = new HashSet(); ``` - 340,349 -- UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) auth; ``` try { ``` ! callbackHandler.setAuthentication(auth); ``` //Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point. ``` ! loginContext.login(); ``` //create a set to hold the authorities, and add any that have already been applied. Set authorities = new HashSet(); ``` - \ 345,351 **** } ``` //get the subject principals and pass them to each of the AuthorityGranters ``` ! Set principals = lc.getSubject().getPrincipals(); ``` for (Iterator iterator = principals.iterator(); iterator.hasNext();) { ``` - 353,359 -- } ``` //get the subject principals and pass them to each of the AuthorityGranters ``` ! Set principals = loginContext.getSubject().getPrincipals(); ``` for (Iterator iterator = principals.iterator(); iterator.hasNext();) { ``` - \ 451,456 **** - 459,482 -- } }

- ```
public void onApplicationEvent(ApplicationEvent event) {
```
- if (event instanceof HttpSessionDestroyedEvent) {
- SecurityContext context = (SecurityContext) SecurityContextHolder.getContext();
- if (context != null) {
- try {
- loginContext.logout();
- }
- catch (LoginException e) {
- AcegiSecurityException ase = loginExceptionResolver.resolveException(e);
- log.error(ase.getMessage(), ase);
- }
- }
- else {
- log.debug(“onApplicationEvent – no SecureContext available”);
- }
- }
- ```
}
```

+ //~ Inner Classes ============== /** - \ 459,466 **** private class InternalCallbackHandler implements CallbackHandler { private Authentication authentication;

! public InternalCallbackHandler(Authentication authentication) {
! this.authentication = authentication;
}

```
public void handle(Callback[] callbacks)
```

---

485,495 -- private class InternalCallbackHandler implements CallbackHandler { private Authentication authentication;

! public InternalCallbackHandler() {
! }
!
! public void setAuthentication(Authentication authentication) {
! this.authentication = authentication;
}

```
public void handle(Callback[] callbacks)
```

Ben Alex(Migrated from SEC-13) said:

Recently AbstractSecurityInterceptor was modified to not delegate to the AuthenticationManager if the current Authentication.isAuthenticated() returned true.

This change was made to satisfy user concerns about performance. However, the current CVS needs to be modified to make this AbstractSecurityInterceptor behaviour switchable, as some users will want to use the traditional approach and thus allow the AuthenticationProvider-level caching to operate.

Ben Alex(Migrated from SEC-8) said:

http://opensource.cenqua.com/shaj/ provides a mechanism to authenticate against Windows NT Domains.

See also http://forum.springframework.org/viewtopic.php?p=22163

See also http://forum.springframework.org/viewtopic.php?t=4670 which discusses NTLM authentication and refers to some code that has already been written for this purpose.

Ben Alex(Migrated from SEC-40) said:

HibernateDao uses Criteria API to build a PaginatedList. The current implementation is inefficient as it retrieves every row when determing the total number of matching results.

I wrote a more efficient HQL based implementation of this method recently, but we should explore using the org.hibernate.criterion.Projections.rowCount() instead.

Stefan Becker(Migrated from SEC-42) said:

Maybe I’m just a complete foul but I cannot get the LDAP authentication to work.

I boiled it down to a simple (too simple?) testcase.

Running the test gives the following exception:
Exception in thread “main” org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘authenticationProvider’ defined in file [D:\jdev\Acegitest\helloacegi.xml]: Can’t resolve reference to bean ‘ldapDaoImpl’ while setting property ‘passwordAuthenticationDao’; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘ldapDaoImpl’ defined in file [D:\jdev\Acegitest\helloacegi.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property ‘uRL’ of bean class [net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao]: Bean property ‘uRL’ is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?
org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘ldapDaoImpl’ defined in file [D:\jdev\Acegitest\helloacegi.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property ‘uRL’ of bean class [net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao]: Bean property ‘uRL’ is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?
org.springframework.beans.NotWritablePropertyException: Invalid property ‘uRL’ of bean class [net.sf.acegisecurity.providers.dao.ldap.LdapPasswordAuthenticationDao]: Bean property ‘uRL’ is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?
at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:814)
at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:734)
at org.springframework.beans.BeanWrapperImpl.setPropertyValue(BeanWrapperImpl.java:862)
at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:889)
at org.springframework.beans.BeanWrapperImpl.setPropertyValues(BeanWrapperImpl.java:878)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:934)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:731)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:340)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:226)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:147)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:176)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:105)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:920)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:731)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:340)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:226)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:147)
at HelloAcegi.main(HelloAcegi.java:9)

Same happens, when I try to wire ldap in a web application on a tomcat server.

nicolas de loof(Migrated from SEC-46) said:

I’m using Acegy security to secure a web service application. It is required NOT to use HTTP session. I have set httpSessionContextIntegrationFilter with “allowSessionCreation=false” but BasicProcessingFilter creates the HTTP session when it does

authRequest.setDetails(new WebAuthenticationDetails(httpRequest));

In fact, WebAuthenticationDetails constructor does a request.getSession().getId();. It should be something like :

HttpSession session = request.getSession(false); if (session != null) { this.sessionId = session.getId(); }

Ben Alex(Migrated from SEC-15) said:

It would be desirable to offer a Filter-based way for administrators to switch to a different user, then do work as that user, then revert to the original administrator account.

An implementation approach is detailed at http://forum.springframework.org/viewtopic.php?t=5719.

Ben Alex(Migrated from SEC-21) said:

We need a new AccessDecisionVoter that responds to a configurable configuration attribute (eg IS_AUTHENTICATED). It would simply ensure the Authentication is fully authenticated, by reference to the AuthenticationTrustResolver. It probably will support IS_AUTHENTICATED_REMEMBERED and IS_AUTHENTICATED_FULLY (the latter meaning AuthenticationTrustResolver.isAnonymous = false and .isRememberME = false).

Ben Alex(Migrated from SEC-12) said:

Complete LDAP capabilities including unit tests that do not require external LDAP server to be configured.

An important feature for a 1.0.0 official release, but we need a volunteer who wants to take on the LDAP effort.

Ben Alex(Migrated from SEC-37) said:

See http://forum.springframework.org/viewtopic.php?t=7104

Basically if more than one request comes into a web container for the same browser, both requests will be for the same jsessionid. If the requests finish in a different order from which they are received, any authentication action that occurs in the faster-to-complete request will be overwritten by the slower-to-complete request.

The fix is to only ever write to HttpSession if the SecurityContextHolder.getContext() has actually changed during the request. As such, in the above case the slower-to-complete request will not have changed its SecurityContextHolder and therefore would not have overwritten the faster-to-complete request’s modification of SecurityContextHolder and thus persistence in HttpSession.

I have no problem with this change, it makes sense, we just need to ensure test coverage carefully checks its correct operation.

Ben Alex(Migrated from SEC-1) said:

As discussed with Luke Taylor, generate a new tool that converts a web.xml file containing security constraints into an Acegi Security application context XML file. Designed to provide a simple migration for people, but with the more advanced features such as remember-me and anonymous authentication enabled by default.

Ben Alex(Migrated from SEC-6) said:

Bring Petclinic RCP into line with latest Acegi Security release.

http://forum.springframework.org/viewtopic.php?t=4574
http://forum.springframework.org/viewtopic.php?p=18414

Ben Alex(Migrated from SEC-24) said:

http://www.josso.org/

Java Open Source Single Sign On is another SSO solution. It would be good to offer a choice of CAS or JOSSO to Acegi Security users.

Scott Russell(Migrated from SEC-28) said:

Class javadoc comments for net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter read with description and instructions for use of BasicProcessingFilter.

Ben Alex(Migrated from SEC-30) said:

As per discussion with Keith, refactor AuthenticationManager/Provider to have a public Authentication authenticate(Credentials).

Then, have Credentials hold the getPrincipal() and getCredentials() methods, with Authentication extending Credentials with the remaining methods.

Ben Alex(Migrated from SEC-14) said:

http://forum.springframework.org/viewtopic.php?t=5915

FilterSecurityInterceptor must have a flag that enables once-per-request handling to be switched off. This is needed so that servlet forwards in a 2.4 servlet container can be secured if desired.

The trade-off is that people using SiteMesh etc probably don’t want their decorators to be authorized, given all the extra performance hit when the main request URI was authorized.

Ben Alex(Migrated from SEC-17) said:

http://forum.springframework.org/viewtopic.php?t=4132
http://forum.springframework.org/viewtopic.php?t=4558

Based on past forum requests, a lot of users appear to be using Apache to front their servlet container, with connectors to bind them together. Acegi Security needs to support better integration with connectors.

Discussed this with Luke in London, so he has more details.

Dan Batten(Migrated from SEC-22) said:

Currently the code used to create the PrincipalAcegiUserToken is the following:

identity = new PrincipalAcegiUserToken(this.key,
response.getPrincipal().toString(),
response.getCredentials().toString()
response.getAuthorities());

This means that the PrincipalAcegiUserToken is passed a serialized response principal NOT the username which is the method signature for PrincipalAcegiUserToken.

I would suggest that the code should look like this:

identity = new PrincipalAcegiUserToken(this.key,
response.getPrincipal().getName(), //<— CHANGED
response.getCredentials().toString()
response.getAuthorities());

Cheers,
Dan.