AppFuse JIRA

  • APF-6

Using Acegi for remember me and authentication


Details

  • Type: Improvement
  • Status: Resolved
  • Priority: Trivial
  • Resolution: Fixed
  • Affects Version/s: 1.8
  • Fix Version/s: 1.9
  • Component/s: Security
  • Labels:
    None

Description

Summary:
AppFuse currently uses a filter and a servlet to do authentication. This authentication implements simple login and remember-me functionality. Acegi, the security framework included with AppFuse, can also handle these tasks. There is no advantage to using Acegi to do this AFAIK, and a slight disadvantage in relying on time to expire the user's cookie: the AppFuse package allows one to delete the cookie from a database to invalidate the login cookie, and on re-login it invalidates the old cookie. Acegi currently only does this based on time (the default expiration is 1 week; the length can be changed). So it is possible that someone could log in again on a different machine and their cookie remain valid on the first machine. Not a huge gaping flaw, and the Acegi developers are aware of this; there is a mention in the docs of doing something similar to the way AppFuse does it.

Directions:

Add the remember-me beans in /web/WEB-INF/applicationContext-security.xml:

<!-- remember me functionality -->
<bean id="rememberMeProcessingFilter" class="net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
</bean>

<bean id="rememberMeServices" class="net.sf.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="authenticationDao"><ref local="jdbcAuthenticationDao"/></property>
    <!-- Must be the same value as the key on rememberMeAuthenticationProvider below;
         it is the secret that signs the cookie, so replace the placeholder with a long random value -->
    <property name="key"><value>yourKey</value></property>
    <!-- Name of the login-form checkbox parameter that requests a remember-me cookie -->
    <property name="parameter"><value>rememberMe</value></property>
    <!--
      Setting this changes the default amount of time that the cookie is valid.
      864000 seconds sets the remembered login to 10 days.
    -->
    <!--property name="tokenValiditySeconds"><value>864000</value></property-->
</bean>

<bean id="rememberMeAuthenticationProvider" class="net.sf.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
    <property name="key"><value>yourKey</value></property>
</bean>

<!-- Attach to Provider Manager -->
<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="daoAuthenticationProvider"/>
            <ref local="anonymousAuthenticationProvider"/>
            <ref local="rememberMeAuthenticationProvider"/>
        </list>
    </property>
</bean>

<!-- To bypass loginFilter, use the built-in SHA Acegi encoder.

     Note: Acegi supports plain text, MD5 and others. By default AppFuse uses
     SHA, so that is what is set here. Make sure you set it to what is defined
     in properties.xml:

       <property name="encrypt.algorithm" value="SHA"/>
-->
<bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.ShaPasswordEncoder"/>

<!-- Add the password encoder to the DAO authentication provider -->
<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="authenticationDao"><ref local="jdbcAuthenticationDao"/></property>
    <property name="userCache"><ref local="userCache"/></property>
    <!-- the encoder above, so stored SHA hashes are compared correctly -->
    <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
</bean>


Comment out the references to loginFilter in /metadata/web/filter-mappings.xml. You might be better off removing them, because the Ant script that uncomments the dispatcher elements could break the generated web.xml:

    <!-- filter-mapping>
        <filter-name>loginFilter</filter-name>
        <url-pattern>/login.jsp</url-pattern-->
        <!-- These are needed in case a request is forwarded to login.jsp -->
        <!--dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher-->
    <!-- /filter-mapping-->
    <!-- Must be after securityFilter so request.getRemoteUser() works -->
    <!-- filter-mapping>
        <filter-name>loginFilter</filter-name>
        <url-pattern>/logout.jsp</url-pattern>
    </filter-mapping-->


Change /web/pages/loginForm.jsp if you are using this JSP. If you are using some
other framework, change the login form to post to /j_security_check:

<form method="post" id="loginForm" action="<c:url value="/j_security_check"/>"
      onsubmit="saveUsername(this);return validateForm(this)">


Run `ant clean && ant deploy` to rebuild and redeploy. It seems to work just fine
for me, but YMMV.
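The weakness the issue describes, a remember-me cookie that stays valid on machine A after the user logs in again on machine B, follows directly from how a stateless token cookie is checked. The following Python is an added illustration written for this page; it is not AppFuse or Acegi code. It reproduces the cookie format of Acegi's TokenBasedRememberMeServices (Base64 of username:expiryMillis:MD5(username:expiryMillis:password:key)) and validates it the way that class does, purely from the cookie contents and the clock, then contrasts it with a server-side login-cookie table in the spirit of the AppFuse approach, where one stored token per user is replaced on re-login and can be deleted from the server. The key value, the user table, the clock values and the table itself are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumption: the value of the 'key' property that rememberMeServices and
# rememberMeAuthenticationProvider share in applicationContext-security.xml.
# A real deployment needs a long random secret, not this placeholder.
KEY = "yourKey"

# Constructed user table (not from the page): username -> password as stored
# when encrypt.algorithm is SHA, i.e. the hex SHA-1 of the plaintext.
USERS: Dict[str, str] = {"tomcat": hashlib.sha1(b"tomcat").hexdigest()}


def change_password(username: str, new_plaintext: str) -> None:
    USERS[username] = hashlib.sha1(new_plaintext.encode()).hexdigest()


# --- Scheme 1: Acegi-style token cookie, no server-side state ---------------

def _signature(username: str, expiry_ms: int, stored_password: str) -> str:
    """MD5 over username:expiry:password:key, as TokenBasedRememberMeServices does."""
    data = f"{username}:{expiry_ms}:{stored_password}:{KEY}".encode()
    return hashlib.md5(data).hexdigest()


def issue_token_cookie(username: str, validity_seconds: int, now_ms: int) -> str:
    """Cookie value = Base64("username:expiryMillis:signature")."""
    expiry_ms = now_ms + validity_seconds * 1000
    sig = _signature(username, expiry_ms, USERS[username])
    return base64.b64encode(f"{username}:{expiry_ms}:{sig}".encode()).decode()


def check_token_cookie(cookie: str, now_ms: int) -> Optional[str]:
    """Return the username if the cookie is unexpired and correctly signed.

    Nothing here consults server-side state, so once issued a cookie can only
    die through expiry or through a change of the stored password (which is
    part of the signed data); a fresh login elsewhere changes nothing.
    """
    try:
        username, expiry_str, sig = base64.b64decode(cookie).decode().split(":", 2)
        expiry_ms = int(expiry_str)
    except (ValueError, UnicodeDecodeError):
        return None
    if expiry_ms < now_ms or username not in USERS:
        return None
    expected = _signature(username, expiry_ms, USERS[username])
    return username if hmac.compare_digest(sig, expected) else None


# --- Scheme 2: server-side login-cookie table, one live token per user ------

LOGIN_COOKIES: Dict[str, str] = {}  # constructed stand-in for a database table


def issue_persistent_cookie(username: str) -> str:
    token = secrets.token_hex(16)
    LOGIN_COOKIES[username] = token  # overwrites the previous row: the old cookie is dead
    return f"{username}:{token}"


def check_persistent_cookie(cookie: str) -> Optional[str]:
    username, _, token = cookie.partition(":")
    stored = LOGIN_COOKIES.get(username)
    if stored is None or not hmac.compare_digest(stored, token):
        return None
    return username


def revoke_persistent_cookie(username: str) -> None:
    """Delete the row and every copy of that cookie stops working immediately."""
    LOGIN_COOKIES.pop(username, None)


def demo() -> Dict[str, bool]:
    now = 1_125_000_000_000  # constructed clock, milliseconds
    ten_days = 864000        # the tokenValiditySeconds example from the issue
    machine_a = issue_token_cookie("tomcat", ten_days, now)
    machine_b = issue_token_cookie("tomcat", ten_days, now + 60_000)  # re-login elsewhere
    old = issue_persistent_cookie("tomcat")
    new = issue_persistent_cookie("tomcat")                            # re-login elsewhere
    return {
        "token_a_valid_after_relogin_on_b": check_token_cookie(machine_a, now + 120_000) == "tomcat",
        "token_b_valid": check_token_cookie(machine_b, now + 120_000) == "tomcat",
        "token_a_dead_after_expiry": check_token_cookie(machine_a, now + ten_days * 1000 + 1) is None,
        "token_tampered_rejected": check_token_cookie(machine_a[:-4] + "AAAA", now) is None,
        "table_a_dead_after_relogin_on_b": check_persistent_cookie(old) is None,
        "table_b_valid": check_persistent_cookie(new) == "tomcat",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry of demo() comes out True: the token cookie from machine A survives the re-login on machine B until its own expiry, while the table-backed cookie from A is rejected the moment B logs in. The table also gives you revoke_persistent_cookie(), which has no equivalent in the stateless scheme; with the token cookie the only server-side lever is changing the user's stored password, since that value is inside the signed data.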



Attachments

  1. Text File
    AcegiForRememberMeAndSSL.txt
    29/Aug/05 10:16 AM
    342 kB
    Matt Raible

Activity

Matt Raible added a comment - 29/Aug/05 10:17 AM
Changes can be found at https://appfuse.dev.java.net/servlets/ReadMsg?list=cvs&msgNo=1568

People

  • Assignee:
    Matt Raible
    Reporter:
    Justin Spears

Dates

  • Created:
    06/May/05 12:21 PM
    Updated:
    29/Aug/05 10:17 AM
    Resolved:
    29/Aug/05 10:15 AM
  • Atlassian JIRA (v5.0.4#731-sha1:3aa7374)