thanks for the advice, if T5's acegi can cover up much of the hard work, i
guess i'll go for it. thanks again for the feedback.

regards,
wesley 



Jonathan Barker wrote:
> 
> 
> Please note that Spring Security is the successor to Acegi Security.  My
> experience is with Acegi but you should probably invest the time in learning
> Spring Security.  They have definitely changed how they configure things.
> 
> With my old T4 apps, using Acegi configured via Spring, but also using my
> own custom components (one of which behaved like IfRole) I had this in my
> web.xml:
> 
> 
>       <filter>
>               <filter-name>Acegi Filter Chain Proxy</filter-name>
>               <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
>               <init-param>
>                       <param-name>targetClass</param-name>
>                       <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
>               </init-param>
>       </filter>
>       <filter-mapping>
>               <filter-name>Acegi Filter Chain Proxy</filter-name>
>               <url-pattern>/*</url-pattern>
>       </filter-mapping>
> 
> That was before my OpenSessionInView filter for Hibernate.  There was also a
> listener:
> 
>       <listener>
>               <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
>       </listener>
> 
> 
> In my applicationContext-acegi.xml file, I had:
> 
>       <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
>               <property name="filterInvocationDefinitionSource">
>                       <value>
>                               CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
>                               PATTERN_TYPE_APACHE_ANT
>                               /**=httpSessionContextIntegrationFilter,httpRequestIntegrationFilter
>                       </value>
>               </property>
>       </bean>
> 
>       <bean id="httpRequestIntegrationFilter"
>               class="org.acegisecurity.adapters.HttpRequestIntegrationFilter"/>
> 
>       <bean id="httpSessionContextIntegrationFilter"
>               class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
>       </bean>
> 
> As well as configurations for AuthenticationProvider.
> 
> All of that configuration goes away if you use tapestry5-acegi, or to be
> more accurate, most of what you need is already set up in the SecurityModule
> class.  Things like the HttpSessionContextIntegrationFilter were re-written
> to fit into the Tapestry processing pipeline.  Take a look at the source for
> SecurityModule.
> 
> 
> If you still want to set it up through Spring, then make sure your
> FilterToBeanProxy is defined before your TapestrySpringFilter.
> 
> 
> 
>> -----Original Message-----
>> From: wesley [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, October 08, 2008 00:06
>> To: users@tapestry.apache.org
>> Subject: RE: spring T5 integration on acegi security considerations
>> 
>> 
>> hi jon,
>> 
>> since i'm integrating the spring as back end and front end as T5, the filter
>> that i'm using is TapestrySpringFilter as outlined by the wiki from t5
>> homepage.
>> 
>> "For access to pages, you either configure a filter through Spring, or
>> through annotations, or through tapestry-ioc configuration.  The filters
>> will invoke the necessary authentication and authorization functions."
>> 
>> as outlined, i'm using tapestryspringfilter; with filter that accept filter
>> mapping of url pattern of /*. is there gonna be a same configuration on this
>> filter as well? please advise and thanks
>> 
>> regards,
>> wesley
>> 
>> 
>> 
>> Jonathan Barker wrote:
>> >
>> > Wesley,
>> >
>> > I would rather spend two hours figuring out how to use a well thought out /
>> > designed / tested tool that will pay off in the long haul than spend one
>> > hour doing a one-off solution to an immediate problem.  I didn't save time
>> > the first time I used Acegi, but I really do save time now.
>> >
>> > Acegi is like a well equipped toolbox.
>> >
>> > For password encryption, Acegi provides several classes that implement the
>> > PasswordEncoder interface.  These include PlaintextPasswordEncoder,
>> > MessageDigestPasswordEncoder, Md5PasswordEncoder, and a few others.  You
>> > would pick one of these and use it to configure your UserDetailsService, and
>> > you can also use it directly to encode a password to store for yourself.
>> >
>> > You frequently want to use a password Salt, so there is a
>> > SystemWideSaltSource where everyone gets the same salt, or a
>> > ReflectionSaltSource that can read a property that you would store with your
>> > User record.  You would configure your UserDetailsService to use a Salt
>> > source.
>> >
>> > For access to pages, you either configure a filter through Spring, or
>> > through annotations, or through tapestry-ioc configuration.  The filters
>> > will invoke the necessary authentication and authorization functions.
>> >
>> > You don't generally override authenticate(), because you would use one of
>> > the dozen implementations of the AuthenticationProvider interface that ship
>> > with Acegi.  I typically use the LDAPAuthenticationProvider and the
>> > DaoAuthenticationProvider.  Of course, each of these needs to be configured
>> > somehow.  For example, you need to have a UserDetailsService configured for
>> > the DaoAuthenticationProvider.
>> >
>> > Jonathan
>> >
>> >
>> >
>> >
>> >> -----Original Message-----
>> >> From: wesley [mailto:[EMAIL PROTECTED]
>> >> Sent: Monday, October 06, 2008 12:54
>> >> To: users@tapestry.apache.org
>> >> Subject: RE: spring T5 integration on acegi security considerations
>> >>
>> >>
>> >> hi Jon,
>> >>
>> >> thanks much for the feedback, i assumed acegi will do all hard
>> >> work/encapsulate those like password encryption login and other unauthorized
>> >> access to the pages? because with normal implementation, i need to do one
>> >> way encrypt myself to authenticate user for example. does acegi do that?, i
>> >> mean the authenticate method; do i need to override it myself for encryption
>> >> purposes? please advise, thanks
>> >>
>> >> wesley
>> >>
>> >>
>> >>
>> >> Jonathan Barker wrote:
>> >> >
>> >> >
>> >> > I remember going through the Acegi documentation the first time.  It was
>> >> > daunting.
>> >> >
>> >> > In hindsight, it boils down to this:
>> >> >
>> >> > The central object in Acegi is the SecurityContext.  You need to store and
>> >> > retrieve it from your HttpSession and that is done either through a filter
>> >> > configured in web.xml (for a Spring-configured scenario), or as a part of a
>> >> > Tapestry filter chain (for tapestry5-acegi).
>> >> >
>> >> > You need to configure at least one AuthenticationProvider using a
>> >> > UserDetailsService, and pass it to the AuthenticationManager.  I like the
>> >> > InMemoryDaoImpl as the UserDetailsService for initial development, and a way
>> >> > of embedding special administrative accounts.  Don't waste time reading
>> >> > about all of the options for this service.  Know that later you can add
>> >> > additional AuthenticationProviders to have multiple authentication methods.
>> >> >
>> >> > The AuthenticationProvider can be invoked manually (by injecting it into
>> >> > your page, and calling methods like authenticate()), or via a specific jsp
>> >> > page.
>> >> >
>> >> > For example, and this can be handy for testing, you can do this:
>> >> >
>> >> >         @Inject
>> >> >         private AuthenticationManager _authenticationManager;
>> >> >
>> >> > ...
>> >> >
>> >> >                 UsernamePasswordAuthenticationToken authRequest =
>> >> >                         new UsernamePasswordAuthenticationToken(_username, _password);
>> >> >                 Authentication authResult;
>> >> >
>> >> >                 try {
>> >> >                         // Debug output for testing: print the username only, never the password.
>> >> >                         System.out.println("username:" + _username);
>> >> >                         authResult = _authenticationManager.authenticate(authRequest);
>> >> >                         logger.info("successful login for: " + _username);
>> >> >                 } catch (BadCredentialsException failed) {
>> >> >                         // Same message for every failure, so the form does not reveal which part was wrong.
>> >> >                         _form.recordError(_passwordField, "Invalid username or password");
>> >> >                         logger.info("bad password for: " + _username);
>> >> >                         return null;
>> >> >                 } catch (AuthenticationException failed) {
>> >> >                         _form.recordError(_passwordField, "Invalid username or password");
>> >> >                         logger.info("failed login for: " + _username);
>> >> >                         return null;
>> >> >                 }
>> >> >
>> >> >                 // Store the authenticated token in the SecurityContext for this request.
>> >> >                 SecurityContextHolder.getContext().setAuthentication(authResult);
>> >> >
>> >> >
>> >> > Then you need to enforce security (authorize).  This can be directly, by
>> >> > getting the SecurityContext and asking for the Authentication object, and
>> >> > then getting a list of GrantedAuthorities and working with that. (Read the
>> >> > code for the tapestry5-acegi IfRole component if you want to see what I
>> >> > mean). Or, it can be done using Spring configured filters for URL patterns,
>> >> > or tapestry5-acegi filters for pages or patterns.
>> >> >
>> >> > It's only daunting if you look at it all at once.
>> >> >
>> >> >
>> >> > Jonathan
>> >> >
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: wesley [mailto:[EMAIL PROTECTED]
>> >> >> Sent: Sunday, October 05, 2008 12:37
>> >> >> To: users@tapestry.apache.org
>> >> >> Subject: RE: spring T5 integration on acegi security considerations
>> >> >>
>> >> >>
>> >> >> hi,
>> >> >>
>> >> >> thanks for the feedback, as long as the pages are secure and can prevent
>> >> >> unauthorized users from logging in i'm open for any options. previously what
>> >> >> i did was quite traditional, implementing a one way password encryption,
>> >> >> setting keystore and config within tomcat container. to me acegi is like a
>> >> >> huge topic and mass complexion to implement. so when come to the decision on
>> >> >> implementing it is really a challenge to me. the tutorials are great but
>> >> >> mostly aim at T5 alone (which is normal). but within my implementation where
>> >> >> it is an integrated environment, i really have no idea which one should i
>> >> >> choose.
>> >> >>
>> >> >>
>> >> >> Jonathan Barker wrote:
>> >> >> >
>> >> >> >
>> >> >> > It depends on your needs.  The tapestry5-acegi or tapestry-spring-security
>> >> >> > (http://www.localhost.nu/java/tapestry-spring-security/index.html) are
>> >> >> > probably easier to drop in.  The Spring-configured route might be better if
>> >> >> > your application includes other servlets or filters.
>> >> >> >
>> >> >> > Either way you will be able to get access to things like the
>> >> >> > AuthenticationManager if you need to from your page classes.
>> >> >> >
>> >> >> > With an older T4 app, I used Spring / Hibernate / Acegi with Acegi
>> >> >> > configured via Spring.  I also rolled a few components: Authorize and
>> >> >> > AclAuthorize.
>> >> >> >
>> >> >> > With the T5 apps I now do, I use a slightly modified tapestry5-acegi
>> >> >> > although I still use Spring for DAO's and some services.  Parts of my old
>> >> >> > Authorize component are now included in the tapestry5-acegi IfRole
>> >> >> > component.
>> >> >> >
>> >> >> > Actually, I think tapestry5-acegi and its successor would benefit from being
>> >> >> > split in two: one piece for the annotations, components and supporting
>> >> >> > pieces that are specific to Tapestry, and the second piece to allow for a
>> >> >> > choice of configuration via Spring, or configuration via tapestry-ioc.
>> >> >> >
>> >> >> > Whichever way you choose, it's better than re-inventing the wheel and
>> >> >> > rolling your own security.
>> >> >> >
>> >> >> > Jonathan
>> >> >> >
>> >> >> >
>> >> >> >> -----Original Message-----
>> >> >> >> From: wesley [mailto:[EMAIL PROTECTED]
>> >> >> >> Sent: Friday, October 03, 2008 10:59
>> >> >> >> To: users@tapestry.apache.org
>> >> >> >> Subject: spring T5 integration on acegi security considerations
>> >> >> >>
>> >> >> >>
>> >> >> >> hi all,
>> >> >> >>
>> >> >> >> i've been implementing a project by using T5 mostly as front end, spring
>> >> >> >> framework for back(eg Dao and db operations). after few search on it
>> >> >> >> regarding the acegi implementation, i'm a little bit confused as whether or
>> >> >> >> not to implement this security framework on T5 or spring. any
>> >> >> >> recommendations or advice on this topic? should i just apply this security
>> >> >> >> layer on T5 alone? or Spring 2 for securing the backend or both??
>> >> >> >>
>> >> >> >> please advise, thanks
>> >> >> >>
>> >> >> >> wesley
>> >> >> >> --
>> >> >> >> View this message in context: http://n2.nabble.com/spring-T5-integration-on-acegi-security-considerations-tp1142158p1142158.html
>> >> >> >> Sent from the Tapestry Users mailing list archive at Nabble.com.
>> >> >> >>
>> >> >> >> ---------------------------------------------------------------------
>> >> >> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >> >> >> For additional commands, e-mail: [EMAIL PROTECTED]
> 
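
The difference between the two salt sources mentioned in the thread (SystemWideSaltSource and ReflectionSaltSource), as an added example that is not part of the original messages and not Acegi's own code. It uses only the JDK; the class and method names are hypothetical, the `password{salt}` merge format is an assumption modelled on Acegi's digest encoders, and SHA-256 stands in for whichever digest algorithm is configured.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltSourceDemo {
    // Assumption: password and salt are merged as "password{salt}" before hashing.
    static String encode(String rawPassword, String salt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest((rawPassword + "{" + salt + "}").getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Re-encode the presented password with the stored salt and compare in constant time.
    static boolean isPasswordValid(String stored, String presented, String salt)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                encode(presented, salt).getBytes(StandardCharsets.UTF_8));
    }

    // Per-user salt: a random value that would be stored as a property on the User record.
    static String newSalt() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getEncoder().encodeToString(b); // Base64 never contains '{' or '}'
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse";   // constructed sample value
        String systemSalt = "app-wide-salt"; // constructed sample value

        // System-wide salt: two users who pick the same password get the same stored hash.
        String aliceSys = encode(password, systemSalt);
        String bobSys = encode(password, systemSalt);
        System.out.println("system-wide salt, hashes equal: " + aliceSys.equals(bobSys));

        // Per-user salt: same password, different stored hashes.
        String aliceSalt = newSalt();
        String bobSalt = newSalt();
        String aliceHash = encode(password, aliceSalt);
        String bobHash = encode(password, bobSalt);
        System.out.println("per-user salt, hashes equal: " + aliceHash.equals(bobHash));

        System.out.println("correct password accepted: " + isPasswordValid(aliceHash, password, aliceSalt));
        System.out.println("wrong password accepted: " + isPasswordValid(aliceHash, "guess", aliceSalt));
    }
}
```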
