
| Key: | APF-6 |
| Type: | Improvement |
| Status: | Resolved |
| Resolution: | Fixed |
| Priority: | Trivial |
| Assignee: | Matt Raible |
| Reporter: | Justin Spears |
| Votes: | 0 |
| Watchers: | 0 |
Summary:
AppFuse currently uses a filter and a servlet to do authentication. This authentication implements simple login and remember-me functionality. Acegi, the security framework included with AppFuse, can also handle these tasks. There is no advantage to using Acegi to do this AFAIK, and there is a slight disadvantage in relying on time to expire the user's cookie: the AppFuse package allows one to delete the cookie from a database to invalidate the login cookie, and on relogin it invalidates the old cookie. Acegi currently only does this based on time (the default expiration is 1 week; the length can be changed). So it is possible that someone could log in again on a different machine and their cookie would remain valid on the first machine. Not a huge gaping flaw, and the Acegi developers are aware of this; there is a mention in the docs of doing something similar to the way AppFuse does it.
Directions:
Add the remember-me beans in /web/WEB-INF/applicationContext-security.xml:
<!-- remember me functionality -->
<bean id="rememberMeProcessingFilter" class="net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
  <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
</bean>
<bean id="rememberMeServices" class="net.sf.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
  <property name="authenticationDao"><ref local="jdbcAuthenticationDao"/></property>
  <property name="key"><value>yourKey</value></property>
  <property name="parameter"><value>rememberMe</value></property>
  <!--
    Setting this changes the default amount of time that the cookie is valid;
    864000 changes the login time to 10 days.
  -->
  <!--property name="tokenValiditySeconds"><value>864000</value></property-->
</bean>
<bean id="rememberMeAuthenticationProvider" class="net.sf.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
  <property name="key"><value>yourKey</value></property>
</bean>
<!-- Attach to Provider Manager -->
<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
      <ref local="anonymousAuthenticationProvider"/>
      <ref local="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>
<!-- To bypass loginFilter, use the built-in SHA Acegi encoder.
     Note: Acegi supports plain text, MD5 and others; by default AppFuse uses
     SHA, so that is what is set here. Make sure you set it to what is defined
     in properties.xml:
     <property name="encrypt.algorithm" value="SHA"/>
-->
<bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.ShaPasswordEncoder"/>
<!-- add the password encoder (see below) -->
<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="authenticationDao"><ref local="jdbcAuthenticationDao"/></property>
  <property name="userCache"><ref local="userCache"/></property>
  <!-- add the password encoding to the auth provider -->
  <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
</bean>
Comment out the references to loginFilter in /metadata/web/filter-mappings.xml (you might be better off removing these, because the Ant script that uncomments the dispatchers could screw up web.xml):
<!-- filter-mapping>
  <filter-name>loginFilter</filter-name>
  <url-pattern>/login.jsp</url-pattern-->
<!-- These are needed in case a request is forwarded to login.jsp -->
<!--dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher-->
<!-- /filter-mapping-->
<!-- Must be after securityFilter so request.getRemoteUser() works -->
<!-- filter-mapping>
  <filter-name>loginFilter</filter-name>
  <url-pattern>/logout.jsp</url-pattern>
</filter-mapping-->
Change /web/pages/loginForm.jsp if you are using this JSP. If you are using some other framework, change the login form to post to /j_security_check:
<form method="post" id="loginForm" action="<c:url value="/j_security_check"/>"
      onsubmit="saveUsername(this);return validateForm(this)">
Run ant clean && ant deploy to rebuild and redeploy. It seems to work just fine for me, but YMMV.
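The summary's point about time-only expiry, as an added illustration that is not AppFuse or Acegi code: a stateless cookie in the layout I take TokenBasedRememberMeServices to use (an assumption here), base64 of username:expiry:MD5(username:expiry:passwordHash:key), next to a revocable variant that keeps the issued cookie server-side, which is what the ticket says the AppFuse package does. The key and the 864000-second validity are the values from the config above; the user table and timestamps are constructed.

```python
import base64
import hashlib
import hmac

KEY = "yourKey"            # the <property name="key"> value from the config above
VALIDITY_SECONDS = 864000  # the commented-out tokenValiditySeconds (10 days)


def make_cookie(username, password_hash, now):
    """Stateless token: base64(username:expiry:md5(username:expiry:pwhash:key)).
    Layout is an assumption modelled on Acegi's TokenBasedRememberMeServices."""
    expiry = int(now) + VALIDITY_SECONDS
    sig = hashlib.md5(f"{username}:{expiry}:{password_hash}:{KEY}".encode()).hexdigest()
    return base64.b64encode(f"{username}:{expiry}:{sig}".encode()).decode()


def validate_stateless(cookie, lookup_password_hash, now):
    """Acegi-style check: only the signature and the expiry are verified, so a
    cookie stays valid until it expires or the stored password hash changes."""
    try:
        username, expiry_s, sig = base64.b64decode(cookie).decode().split(":")
        expiry = int(expiry_s)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
    if expiry < now:
        return None  # expired
    expected = hashlib.md5(
        f"{username}:{expiry}:{lookup_password_hash(username)}:{KEY}".encode()).hexdigest()
    return username if hmac.compare_digest(expected, sig) else None


class RevocableRememberMe:
    """AppFuse-style: the issued cookie is stored per user (an in-memory dict
    stands in for the database table), so a relogin or logout can revoke it."""

    def __init__(self):
        self.current = {}

    def login(self, username, password_hash, now):
        cookie = make_cookie(username, password_hash, now)
        self.current[username] = cookie   # replaces, and so invalidates, the old cookie
        return cookie

    def logout(self, username):
        self.current.pop(username, None)  # deleting the stored cookie invalidates it

    def validate(self, cookie, lookup_password_hash, now):
        username = validate_stateless(cookie, lookup_password_hash, now)
        if username is None or self.current.get(username) != cookie:
            return None  # signature fine, but not the cookie currently on record
        return username
```

With the stateless check a cookie issued on the first machine is still accepted after a relogin elsewhere; the revocable variant rejects it as soon as the new cookie is recorded.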