tapestry-users mailing list archives

From "Jonathan Barker" <jonathan.theit...@gmail.com>
Subject RE: spring T5 integration on acegi security considerations
Date Wed, 08 Oct 2008 06:45:14 GMT

Please note that Spring Security is the successor to Acegi Security.  My
experience is with Acegi but you should probably invest the time in learning
Spring Security.  They have definitely changed how they configure things.

With my old T4 apps, using Acegi configured via Spring, but also using my
own custom components (one of which behaved like IfRole) I had this in my
web.xml:


	<filter>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
		<init-param>
			<param-name>targetClass</param-name>
			<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

That was before my OpenSessionInView filter for Hibernate.  There was also a
listener:

	<listener>
		<listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
	</listener>


In my applicationContext-acegi.xml file, I had:

	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=httpSessionContextIntegrationFilter,httpRequestIntegrationFilter
			</value>
		</property>
	</bean>

	<bean id="httpRequestIntegrationFilter"
		class="org.acegisecurity.adapters.HttpRequestIntegrationFilter"/>

	<bean id="httpSessionContextIntegrationFilter"
		class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

As well as configurations for AuthenticationProvider.

All of that configuration goes away if you use tapestry5-acegi, or to be
more accurate, most of what you need is already set up in the SecurityModule
class.  Things like the HttpSessionContextIntegrationFilter were re-written
to fit into the Tapestry processing pipeline.  Take a look at the source for
SecurityModule.


If you still want to set it up through Spring, then make sure your
FilterToBeanProxy is defined before your TapestrySpringFilter.



> -----Original Message-----
> From: wesley [mailto:wesleywj2@yahoo.co.uk]
> Sent: Wednesday, October 08, 2008 00:06
> To: users@tapestry.apache.org
> Subject: RE: spring T5 integration on acegi security considerations
> 
> 
> hi jon,
> 
> since i'm integrating the spring as back end and front end as T5, the
> filter that i'm using is TapestrySpringFilter as outlined by the wiki from
> the t5 homepage.
> 
> "For access to pages, you either configure a filter through Spring, or
> through annotations, or through tapestry-ioc configuration.  The filters
> will invoke the necessary authentication and authorization functions."
> 
> as outlined, i'm using tapestryspringfilter; with a filter that accepts a
> filter mapping of url pattern /*. is there gonna be a same configuration on
> this filter as well? please advise and thanks
> 
> regards,
> wesley
> 
> 
> 
> Jonathan Barker wrote:
> >
> > Wesley,
> >
> > I would rather spend two hours figuring out how to use a well thought
> > out / designed / tested tool that will pay off in the long haul than
> > spend one hour doing a one-off solution to an immediate problem.  I
> > didn't save time the first time I used Acegi, but I really do save time
> > now.
> >
> > Acegi is like a well equipped toolbox.
> >
> > For password encryption, Acegi provides several classes that implement
> > the PasswordEncoder interface.  These include PlaintextPasswordEncoder,
> > MessageDigestPasswordEncoder, Md5PasswordEncoder, and a few others.  You
> > would pick one of these and use it to configure your UserDetailsService,
> > and you can also use it directly to encode a password to store for
> > yourself.
> >
> > You frequently want to use a password Salt, so there is a
> > SystemWideSaltSource where everyone gets the same salt, or a
> > ReflectionSaltSource that can read a property that you would store with
> > your User record.  You would configure your UserDetailsService to use a
> > Salt source.
> >
> > For access to pages, you either configure a filter through Spring, or
> > through annotations, or through tapestry-ioc configuration.  The filters
> > will invoke the necessary authentication and authorization functions.
> >
> > You don't generally override authenticate(), because you would use one
> > of the dozen implementations of the AuthenticationProvider interface
> > that ship with Acegi.  I typically use the LDAPAuthenticationProvider
> > and the DaoAuthenticationProvider.  Of course, each of these needs to be
> > configured somehow.  For example, you need to have a UserDetailsService
> > configured for the DaoAuthenticationProvider.
> >
> > Jonathan
> >
> >
> >
> >
> >> -----Original Message-----
> >> From: wesley [mailto:wesleywj2@yahoo.co.uk]
> >> Sent: Monday, October 06, 2008 12:54
> >> To: users@tapestry.apache.org
> >> Subject: RE: spring T5 integration on acegi security considerations
> >>
> >>
> >> hi Jon,
> >>
> >> thanks much for the feedback, i assumed acegi will do all hard
> >> work/encapsulate those like password encryption login and other
> >> unauthorized access to the pages? because with normal implementation, i
> >> need to do one way encrypt myself to authenticate user for example. does
> >> acegi do that?, i mean the authenticate method; do i need to override it
> >> myself for encryption purposes? please advise, thanks
> >>
> >> wesley
> >>
> >>
> >>
> >> Jonathan Barker wrote:
> >> >
> >> >
> >> > I remember going through the Acegi documentation the first time.  It
> >> > was daunting.
> >> >
> >> > In hindsight, it boils down to this:
> >> >
> >> > The central object in Acegi is the SecurityContext.  You need to
> >> > store and retrieve it from your HttpSession and that is done either
> >> > through a filter configured in web.xml (for a Spring-configured
> >> > scenario), or as a part of a Tapestry filter chain (for
> >> > tapestry5-acegi).
> >> >
> >> > You need to configure at least one AuthenticationProvider using a
> >> > UserDetailsService, and pass it to the AuthenticationManager.  I like
> >> > the InMemoryDaoImpl as the UserDetailsService for initial development,
> >> > and a way of embedding special administrative accounts.  Don't waste
> >> > time reading about all of the options for this service.  Know that
> >> > later you can add additional AuthenticationProviders to have multiple
> >> > authentication methods.
> >> >
> >> > The AuthenticationProvider can be invoked manually (by injecting it
> >> > into your page, and calling methods like authenticate()), or via a
> >> > specific jsp page.
> >> >
> >> > For example, and this can be handy for testing, you can do this:
> >> >
> >> > 	@Inject
> >> > 	private AuthenticationManager _authenticationManager;
> >> >
> >> > ...
> >> >
> >> > 		UsernamePasswordAuthenticationToken authRequest =
> >> > 			new UsernamePasswordAuthenticationToken(_username, _password);
> >> > 		Authentication authResult;
> >> >
> >> > 		try {
> >> > 			System.out.println("username:" + _username + " password: " + _password);
> >> > 			authResult = _authenticationManager.authenticate(authRequest);
> >> > 			logger.info("successful login for: " + _username);
> >> > 		} catch (BadCredentialsException failed) {
> >> > 			_form.recordError(_passwordField, "Invalid username or password");
> >> > 			logger.info("bad password for: " + _username);
> >> > 			return null;
> >> > 		} catch (AuthenticationException failed) {
> >> > 			_form.recordError(_passwordField, "Invalid username or password");
> >> > 			logger.info("failed login for: " + _username);
> >> > 			return null;
> >> > 		}
> >> >
> >> > 		SecurityContextHolder.getContext().setAuthentication(authResult);
> >> >
> >> >
> >> > Then you need to enforce security (authorize).  This can be directly,
> >> > by getting the SecurityContext and asking for the Authentication
> >> > object, and then getting a list of GrantedAuthorities and working with
> >> > that.  (Read the code for the tapestry5-acegi IfRole component if you
> >> > want to see what I mean). Or, it can be done using Spring configured
> >> > filters for URL patterns, or tapestry5-acegi filters for pages or
> >> > patterns.
> >> >
> >> > It's only daunting if you look at it all at once.
> >> >
> >> >
> >> > Jonathan
> >> >
> >> >
> >> >> -----Original Message-----
> >> >> From: wesley [mailto:wesleywj2@yahoo.co.uk]
> >> >> Sent: Sunday, October 05, 2008 12:37
> >> >> To: users@tapestry.apache.org
> >> >> Subject: RE: spring T5 integration on acegi security considerations
> >> >>
> >> >>
> >> >> hi,
> >> >>
> >> >> thanks for the feedback, as long as the pages are secure and can
> >> >> prevent unauthorized users from logging in i'm open for any options.
> >> >> previously what i did was quite traditional, implementing a one way
> >> >> password encryption, setting keystore and config within tomcat
> >> >> container. to me acegi is like a huge topic and mass complexion to
> >> >> implement. so when come to the decision on implementing it is really
> >> >> a challenge to me. the tutorials are great but mostly aim at T5 alone
> >> >> (which is normal). but within my implementation where it is an
> >> >> integrated environment, i really have no idea which one should i
> >> >> choose.
> >> >>
> >> >>
> >> >> Jonathan Barker wrote:
> >> >> >
> >> >> >
> >> >> > It depends on your needs.  The tapestry5-acegi or
> >> >> > tapestry-spring-security
> >> >> > (http://www.localhost.nu/java/tapestry-spring-security/index.html)
> >> >> > are probably easier to drop in.  The Spring-configured route might
> >> >> > be better if your application includes other servlets or filters.
> >> >> >
> >> >> > Either way you will be able to get access to things like the
> >> >> > AuthenticationManager if you need to from your page classes.
> >> >> >
> >> >> > With an older T4 app, I used Spring / Hibernate / Acegi with Acegi
> >> >> > configured via Spring.  I also rolled a few components: Authorize
> >> >> > and AclAuthorize.
> >> >> >
> >> >> > With the T5 apps I now do, I use a slightly modified
> >> >> > tapestry5-acegi although I still use Spring for DAO's and some
> >> >> > services.  Parts of my old Authorize component are now included in
> >> >> > the tapestry5-acegi IfRole component.
> >> >> >
> >> >> > Actually, I think tapestry5-acegi and its successor would benefit
> >> >> > from being split in two: one piece for the annotations, components
> >> >> > and supporting pieces that are specific to Tapestry, and the second
> >> >> > piece to allow for a choice of configuration via Spring, or
> >> >> > configuration via tapestry-ioc.
> >> >> >
> >> >> > Whichever way you choose, it's better than re-inventing the wheel
> >> >> > and rolling your own security.
> >> >> >
> >> >> > Jonathan
> >> >> >
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: wesley [mailto:wesleywj2@yahoo.co.uk]
> >> >> >> Sent: Friday, October 03, 2008 10:59
> >> >> >> To: users@tapestry.apache.org
> >> >> >> Subject: spring T5 integration on acegi security considerations
> >> >> >>
> >> >> >>
> >> >> >> hi all,
> >> >> >>
> >> >> >> i've been implementing a project by using T5 mostly as front end,
> >> >> >> spring framework for back (eg Dao and db operations). after a few
> >> >> >> searches on it regarding the acegi implementation, i'm a little bit
> >> >> >> confused as to whether or not to implement this security framework
> >> >> >> on T5 or spring. any recommendations or advice on this topic?
> >> >> >> should i just apply this security layer on T5 alone? or Spring 2
> >> >> >> for securing the backend or both??
> >> >> >>
> >> >> >> please advise, thanks
> >> >> >>
> >> >> >> wesley
> >> >> >> --
> >> >> >> View this message in context: http://n2.nabble.com/spring-T5-integration-on-acegi-security-considerations-tp1142158p1142158.html
> >> >> >> Sent from the Tapestry Users mailing list archive at Nabble.com.
> >> >> >>
> >> >> >> ---------------------------------------------------------------------
> >> >> >> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
> >> >> >> For additional commands, e-mail: users-help@tapestry.apache.org
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >>
> >> >> --
> >> >> View this message in context: http://n2.nabble.com/spring-T5-integration-on-acegi-security-considerations-tp1142158p1299013.html
> >> >> Sent from the Tapestry Users mailing list archive at Nabble.com.
> >> >>
> >> >>
> >> >
> >> >
> >> >
> >> >
> >> >
> >>
> >> --
> >> View this message in context: http://n2.nabble.com/spring-T5-integration-on-acegi-security-considerations-tp1142158p1301362.html
> >> Sent from the Tapestry Users mailing list archive at Nabble.com.
> >>
> >>
> >
> >
> >
> >
> >
> 
> --
> View this message in context: http://n2.nabble.com/spring-T5-integration-on-acegi-security-considerations-tp1142158p1305594.html
> Sent from the Tapestry Users mailing list archive at Nabble.com.
> 
> 


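Worked example, added to this archive page and not code from the thread, from tapestry5-acegi or from Acegi itself: it wires together the pieces Jonathan's replies describe, a DaoAuthenticationProvider configured with a PasswordEncoder and a ReflectionSaltSource over a UserDetailsService, an AuthenticationManager (ProviderManager) that is called with a UsernamePasswordAuthenticationToken, the result stored in the SecurityContextHolder, and an authorization check that walks the GrantedAuthorities the way the IfRole component does. The in-memory MapUserDetailsService, the account "alice" with her password, and the ROLE_USER/ROLE_ADMIN names are constructed for the example; the org.acegisecurity classes and methods are the Acegi 1.0 API.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.ProviderManager;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.providers.dao.DaoAuthenticationProvider;
import org.acegisecurity.providers.dao.salt.ReflectionSaltSource;
import org.acegisecurity.providers.encoding.Md5PasswordEncoder;
import org.acegisecurity.providers.encoding.PasswordEncoder;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;

public class AcegiLoginExample {

    // Hypothetical UserDetailsService: an in-memory map standing in for the DAO
    // that DaoAuthenticationProvider would normally consult.
    static class MapUserDetailsService implements UserDetailsService {
        private final Map<String, UserDetails> users = new HashMap<String, UserDetails>();

        void addUser(String username, String encodedPassword, String[] roles) {
            GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
            for (int i = 0; i < roles.length; i++) {
                authorities[i] = new GrantedAuthorityImpl(roles[i]);
            }
            // flags: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
            users.put(username, new User(username, encodedPassword, true, true, true, true, authorities));
        }

        public UserDetails loadUserByUsername(String username) {
            UserDetails user = users.get(username);
            if (user == null) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            return user;
        }
    }

    // Builds in code the object graph the applicationContext XML would declare:
    // encoder and salt source on a DaoAuthenticationProvider, the provider in a ProviderManager.
    static ProviderManager buildAuthenticationManager() throws Exception {
        PasswordEncoder encoder = new Md5PasswordEncoder();
        ReflectionSaltSource saltSource = new ReflectionSaltSource();
        saltSource.setUserPropertyToUse("username"); // per-user salt read off the UserDetails bean

        MapUserDetailsService userDetailsService = new MapUserDetailsService();
        // Constructed sample account: only the salted hash is stored, never the raw password.
        userDetailsService.addUser("alice", encoder.encodePassword("correct horse", "alice"),
                new String[] {"ROLE_USER", "ROLE_ADMIN"});

        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(encoder);
        provider.setSaltSource(saltSource); // must match the salt used when the hash was stored
        provider.afterPropertiesSet();

        ProviderManager manager = new ProviderManager();
        manager.setProviders(Collections.singletonList(provider));
        manager.afterPropertiesSet();
        return manager;
    }

    // Authenticates like the login snippet quoted in the thread, stores the result in the
    // SecurityContext, and reports whether the caller holds the requested role. A wrong
    // password and an unknown user both yield false: with its default
    // hideUserNotFoundExceptions=true the provider turns UsernameNotFoundException into
    // BadCredentialsException, so nothing here reveals which accounts exist.
    static boolean loginAndCheckRole(ProviderManager manager, String username, String password, String role) {
        Authentication request = new UsernamePasswordAuthenticationToken(username, password);
        try {
            Authentication result = manager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
            return hasAuthority(result, role);
        } catch (AuthenticationException failed) {
            // Log the username only; the submitted password is never echoed anywhere.
            SecurityContextHolder.clearContext();
            return false;
        }
    }

    // The same walk over GrantedAuthorities that a role-gating component performs.
    static boolean hasAuthority(Authentication auth, String role) {
        GrantedAuthority[] authorities = auth.getAuthorities();
        for (int i = 0; i < authorities.length; i++) {
            if (role.equals(authorities[i].getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        ProviderManager manager = buildAuthenticationManager();
        System.out.println(loginAndCheckRole(manager, "alice", "correct horse", "ROLE_ADMIN"));
        System.out.println(loginAndCheckRole(manager, "alice", "wrong", "ROLE_ADMIN"));
        System.out.println(loginAndCheckRole(manager, "mallory", "correct horse", "ROLE_ADMIN"));
    }
}
```

Two points differ from the test snippet quoted in the thread: the raw password is never written to stdout or a log, and the two failure cases are collapsed into one so that the response to a bad password and to a non-existent account is identical. Md5PasswordEncoder appears because it is the encoder the thread names; the wiring is the same for any other PasswordEncoder implementation, and the salt passed to encodePassword when storing the hash must be the same property the ReflectionSaltSource later reads, or every login will fail.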

