
Thread: Acegi running fine. Howto add roles, ...

  1. #1

    Acegi running fine. Howto add roles, ...

    Hi everyone,

    I'm learning Spring (and I'm really enjoying it so far), but the really hard part for me is getting security running as I want to have it with acegi.

    So far, after a lot of struggles and torn-out hair, I got Acegi authentication and authorization by roles running fine. Before I start learning how to implement ACLs/Permissions with Acegi, I want to let administrators add/change/remove roles from the database and the security context.

    But I don't have a clue how to implement that and how to get it running. After reading the documentation, the API and lots of threads here, I tried it as it's done in the contacts example with NamedEntityObjectIdentity.
    Even though I tried it the same way as it's done in the example app, I struggled with an uncaught exception (TargetInvocationException), so I gave up for now.

    I have a UserBean which extends a PersonBean and EntityBean. This is all mapped via Hibernate to a database. For the frontend, I'm using Spring MVC. I really don't regret any minute spent learning Spring. So far it's really nice.

    Completely independent from my Beans, I implemented Acegi using the JdbcDaoImpl. I think this is not the best/correct way, is it?!
    Should I somehow couple Acegi with my Beans? Where's the best place to add roles and how can I tie the form input to a specific user?
    I think using other Beans and Hibernate to fill Acegi tables independently from Acegi is the wrong way?!

    I had a hard time getting Acegi to work as it does now, but now I'm getting stuck.

    If you want to check my code:

    svn+ssh://ashaman.dyndns.org:2222/data/subversion/projects
    user/password: svnread/readsvn

    Thanks a lot for any feedback and help!

    And to all the Acegi/Spring contributors, thanks a lot for your nice work! I hope I'll get someday to the point, where I can contribute to the spring/acegi community.

    Cheers,
    Thomas

  2. #2

    Ok, I started now with letting users change their own passwords.

    This works fine so far. MD5 encoded passwords are working fine also. I think I got ReflectionSaltSource running additionally, but I have a stupid question:

    How do I initially set up a salted encrypted password for a user?! Is there a way to let Acegi decide that a specific user has never been logged in and that he can change his password on his own with an initial password?

    For adding/changing/deleting roles, I guess I'll implement my own AuthoritiesBean and map it to hibernate and modifying the roles will then be independent from acegi. Is that a good approach?! Or am I walking in the wrong direction?

  3. #3

    Tried it again for a couple of hours...with little success.

    I "think" I've got salted passwords working fine based on the username. I created a small util class to encrypt the passwords (if a user wants to change his/her password or admins add new users):

    Code:
    import net.sf.acegisecurity.UserDetails;
    import net.sf.acegisecurity.context.SecureContextUtils;
    import net.sf.acegisecurity.providers.dao.salt.ReflectionSaltSource;
    import net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder;
    public final class PasswordUtil {
        private static final ReflectionSaltSource reflectionSaltSource = new ReflectionSaltSource();
        private static final Md5PasswordEncoder encoder = new Md5PasswordEncoder();
        /** Acegi keeps the UserDetails as the Authentication's principal, not in getDetails(). */
        public static UserDetails currentUser() {
            return (UserDetails) SecureContextUtils.getSecureContext().getAuthentication().getPrincipal();
        }
        public static String encodePassword(final String password, final UserDetails userdetails) {
            reflectionSaltSource.setUserPropertyToUse("getUsername"); // salt = userdetails.getUsername()
            Object salt = reflectionSaltSource.getSalt(userdetails);
            return encoder.encodePassword(password, salt); // hash the password, not the username
        }
    }
    But I can't test it at all...I have a form for letting users change their password themselves. I can't try it, since I'm still lacking the initial password and don't have a clue how to generate it in advance.

    Another form lets an admin add a new user, which should then be populated with a new initial password. But how could I get UserDetails, since no user is actually logged in?
    How can I generate a salt based on userDetails.getUsername for another user? As an admin? Is there a way to push the username directly to encoder.encodePassword?!

    I don't get any further...neither with the Reference Guide (which is fine for the configuration files, but there's no Java code in there), nor with the example apps (which don't cover my problems, or I don't see it), nor with the API. The best help is the code snippets here in the forum, but finding the right thing is hard.

    So far the functionality of Acegi looks nice. But the learning curve is, at least for me, very steep.

  4. #4

    Gentlepeople, it's running. With salted password hashing. I'm able to change my own user's password.
    An admin is able to add/change users' passwords on their behalf and the correct password is set then.

    @Ben: If you're reading this sometime.

    Wouldn't it make sense to put the following hints into the FAQ, at least?

    - Simple PasswordGenerator. Found the source code here in the board, modified it a bit to get it running:

    Code:
    import net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder;

    /**
     * Prints salted MD5 hashes so they can be inserted into the users table by hand.
     * @author ashaman
     * @date 05.10.2005
     */
    public class PasswordGenerator {

        private final Md5PasswordEncoder encoder = new Md5PasswordEncoder();

        public PasswordGenerator() {}

        private String generateHashedPassword(String password, String saltString) {
            return encoder.encodePassword(password, saltString);
        }

        public static void main(String[] args) {
            PasswordGenerator generator = new PasswordGenerator();
            System.out.println("Hashed password: " + generator.generateHashedPassword("password", "$1$simpsons$"));
            System.out.println("Hashed password: " + generator.generateHashedPassword("password", "testSalt"));
            System.out.println("Hashed password: " + generator.generateHashedPassword("initial", "tbecker"));
        }
    }
    It's very important to be able to check the password encryption, when inserting new users or changing user's passwords.

    To encrypt passwords in the application for updating/adding users (self-care and/or by admin) I wrote the following small util class. It just encrypts the password for you (to store in the persistence layer and/or update the SecureContext with new credentials):

    Code:
    package com.vodafone.util;

    import net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder;

    /**
     * Hashes a raw password with the given salt (the username when ReflectionSaltSource is used).
     * @author Beckert
     * @since Oct 5, 2005
     */
    public final class EncodePasswordUtil {
        private static final Md5PasswordEncoder encoder = new Md5PasswordEncoder();

        public static String encodePassword(final String password, final String salt) {
            return encoder.encodePassword(password, salt);
        }
    }
    I really missed this configuration in the reference documentation:

    Code:
    	<bean id="saltSource" class="net.sf.acegisecurity.providers.dao.salt.ReflectionSaltSource">
    		 <property name="userPropertyToUse"><value>getUsername</value></property> 
    	</bean>
    Sure, you can find out yourself with the API. But I didn't...the forum saved me here again.

    And the steps needed for updating passwords should be mentioned in the FAQ. You can find that here in the board, but the first glance is always in the FAQ and searching it there is way faster and more comfortable.

    It would be really great if you could add that to the documentation. This would have made my work a lot easier; even if changing passwords and such are not part of Acegi but of the application, there's a strong relationship here from my point of view.

    Last but not least: Thanks for all the work. It was very hard (for me, since I'm a Java/Spring novice and only a hobby programmer) to get where I am, but Acegi gives me exactly what I need for security. Next time it'll be much easier for me. And thanks for the support in the board and for keeping on answering people's questions here.

    Cheers,
    Thomas

    ps: Next step is to get caching running...
    Edit: Ok, caching was an easy one. It ran after the first try. It's getting fun again.
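    As an added example (not code from the thread or from Acegi), a Python reproduction of the hashing scheme discussed in posts #3 and #4: it lets an admin pre-compute a new user's initial hash without any logged-in UserDetails, and lets a user change their own password after re-checking the current one. The `password{salt}` then hex MD5 layout is my assumption about what Md5PasswordEncoder does (compare it against the PasswordGenerator output above before relying on it), and UserRecord is a constructed stand-in for the UserBean.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class UserRecord:
    """Constructed stand-in for the thread's UserBean; only the fields used here."""
    username: str
    password_hash: str = ""


def salt_for(user: UserRecord) -> str:
    """ReflectionSaltSource with userPropertyToUse=getUsername: the salt is the username."""
    return user.username


def merge_password_and_salt(password: str, salt) -> str:
    """Assumed Acegi merge rule: password{salt}; braces delimit the salt, so none inside it."""
    if salt is None or salt == "":
        return password
    salt = str(salt)
    if "{" in salt or "}" in salt:
        raise ValueError("salt must not contain '{' or '}'")
    return password + "{" + salt + "}"


def encode_password(password: str, salt=None) -> str:
    """Counterpart of Md5PasswordEncoder.encodePassword(rawPass, salt): hex MD5 of the merge."""
    return hashlib.md5(merge_password_and_salt(password, salt).encode("utf-8")).hexdigest()


def is_password_valid(stored_hash: str, raw_password: str, salt=None) -> bool:
    """Counterpart of isPasswordValid; compare the two hex digests in constant time."""
    return hmac.compare_digest(stored_hash, encode_password(raw_password, salt))


def set_initial_password(user: UserRecord, initial_password: str) -> UserRecord:
    """Admin path from post #3: the salt comes from the record being created,
    not from the secure context, so no logged-in UserDetails is needed."""
    user.password_hash = encode_password(initial_password, salt_for(user))
    return user


def change_own_password(user: UserRecord, current: str, new: str) -> bool:
    """Self-care path from post #2: re-check the current password before replacing the hash."""
    if not is_password_valid(user.password_hash, current, salt_for(user)):
        return False
    user.password_hash = encode_password(new, salt_for(user))
    return True
```

    MD5 is a fast digest, so this reproduces the legacy Acegi format for interoperability with an existing users table; a new deployment would pick an adaptive hash instead.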

  5. #5

    Error checking out code!

    Hi

    I'm really enjoying your work and your progress. I need some help from you.
    When I check out your code I get the error "svn: Connection closed unexpectedly". I couldn't get it. Could you send your project to me?
    My address is ng_hong_duc@yahoo.com

    Thanks so much

  6. #6

    Hi Thomas

    I am happy to add it to the FAQ. Would you mind providing a distilled entry I could paste in?

    Thanks
    Ben
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  7. #7

    Siteminder-Acegi Integration problem

    Hi all,
    Could some one please help me to figure out a way to implement the particular scenario

    In our application Siteminder intercepts the request and authenticates it. I need to update a specific role back to Acegi based upon the Siteminder header value, so that the user will have only role-based access to the application resources.

    Any help is greatly appreciated

    thanks in advance

    Prem
    Last edited by mist_AA; Mar 29th, 2007 at 10:44 AM. Reason: more clarity

  8. #8

    Hello. I am also very interested in using password encryption with salt in Acegi. Can anyone please provide some documentation on how to do this and maybe some example if you have one? (applicationContext, web.xml, and anything you feel is relevant) Thank you very much!

  9. #9

    What information are you looking for? The reference manual has a little information on this.
    http://www.acegisecurity.org/guide/s...rovider-config
    Barracuda Networks SSL VPN Lead Developer
    http://pramatr.wordpress.com
    http://twitter.com/karldmoore
    http://www.linkedin.com/in/karldmoore
    Any postings are my own opinion, and should not be attributed to my employer or clients.

  10. #10

    Thank you for your reply! I think I will manage from here.
