Good job!!!

Hello,
 
I discovered JSecurity 3 days ago when I was browsing for security plugins for Grails. Unfortunately they do not yet provide several examples, due to the project being quite recent.
 
But for now, I would say that I am very pleased to see a good Acegi alternative: I have used Acegi for 3 years and I always find it long to configure, complicated, and it also has quite a big learning curve, making its maintenance quite hard for mere Java developers. So I wish you to continue in that way! I would really like to see this project go further!
 
I have some questions / requirements:
 
1. Does JSecurity have the ability to use client certificates to authenticate?
 
2. Do we have a way of controlling accessed URLs and ports and doing a rewriting like it is done in Acegi with the channelProcessingFilter, for example having URLs such as /../secured/** controlled by client certificates and /../private/** controlled by basic authentication?
 
3. Do you plan to use Maven or publish your jars in the Maven repository?
 
4. Is there somewhere, or do you plan to make and continuously update, a comparison chart between Acegi and JSecurity with features, usages, ... so that we can all quickly see the current limitations of both and make a faster decision?
 
5. I also have a question about the presentation (PowerPoint), regarding the session management code:
 
// get InetAddress from web request,
// local machine, or other means
InetAddress hostAddress = xxx;
Session s = factory.start(hostAddress);
 
If we start a factory like this, does it mean that all users that are behind the same company firewall with the same IP will have the same factory? Also, if we use a Java web app with an Apache frontend acting as a reverse proxy, the app server will see the same remote address, which is the address of the web server, won't it? So how does the factory creation manage this?
 
Thank you guys, I hope you will continue this way!
 
Mathieu.
 

> 1. Does JSecurity have the ability to use client certificates to authenticate?

Not yet, but we'd be really happy to provide that for 0.3. Could you please create a Jira issue? (http://www.jsecurity.org/issues)

> 2. Do we have a way of controlling accessed URLs and ports and doing a rewriting like it is done in Acegi with the channelProcessingFilter, for example having URLs such as /../secured/** controlled by client certificates and /../private/** controlled by basic authentication?

Not at the moment, but, again, we'd be happy to do this - please create a Jira issue. Up until now, the majority of JSecurity functionality is based on things required by applications we've worked on in the real world, but we haven't had such a need yet. If you need it, then it means others probably need it too - so we'd be happy to create it ;) Please just document the requirements in the Jira issue.

> 3. Do you plan to use Maven or publish your jars in the Maven repository?

I've never done this before - any documentation you can point me to that specifies the best way to do it? (Please create a Jira issue for this too - the only things worked on in JSecurity are those that are in Jira - if it's not in there, it won't get done ;) ).

> 4. Is there somewhere, or do you plan to make and continuously update, a comparison chart between Acegi and JSecurity with features, usages, ... so that we can all quickly see the current limitations of both and make a faster decision?

This is a great idea - I will try to get this done as part of the documentation for the next release, thanks.

> 5. If we start a factory like this, does it mean that all users that are behind the same company firewall with the same IP will have the same factory?

I presume you mean same session? There is usually a single factory.

But to answer your question, even in a NAT and/or proxy environment, each call to start will create a brand new session, regardless of the IP. It's just that in these environments, the IP can't be used as a security principal for access control, since they would all be the same. JSecurity doesn't define what that means for your application - it leaves it up to you. It essentially logs the IP to the underlying Session so that it can be traced back if you ever need to know what IP started the session. In NAT/proxy environments, you can just ignore that.

Here is the SessionFactory interface code and JavaDoc that explains a little further.

Cheers,

Les
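As an added illustration (not JSecurity's own code and not from Les's post), the toy below mirrors the start(InetAddress) shape shown on the slide. It demonstrates the two points made above: session identity never derives from the caller's IP (two calls from the same NAT address yield two distinct sessions, and the IP is only recorded for audit), and behind an Apache reverse proxy the app server's remote address is the proxy's, so the originating client can only be recovered from a forwarded header, and only when the direct peer is a proxy you operate. The class name SessionDemo, the originatingAddress helper, the trustedProxies parameter and the sample addresses are all assumptions of this example, not part of the JSecurity API.

```java
// Added illustration, not JSecurity code: a toy session factory with the same
// start(InetAddress) shape as the slide, plus a reverse-proxy address resolver.
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class SessionDemo {

    /** Hypothetical session: a random id plus the host address recorded for auditing only. */
    static final class Session {
        final String id;
        final InetAddress hostAddress;
        Session(String id, InetAddress hostAddress) { this.id = id; this.hostAddress = hostAddress; }
    }

    /** Hypothetical factory: every start() call yields a new session, whatever the IP. */
    static final class SessionFactory {
        private final SecureRandom random = new SecureRandom();
        private final Map<String, Session> active = new LinkedHashMap<>();

        Session start(InetAddress hostAddress) {
            byte[] raw = new byte[16];                 // 128 bits of entropy per session id
            random.nextBytes(raw);
            String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            Session s = new Session(id, hostAddress);  // IP is stored, never used as identity
            active.put(id, s);
            return s;
        }

        int activeCount() { return active.size(); }
    }

    /**
     * Behind a reverse proxy the app server's "remote address" is the proxy. The
     * originating client IP can only be recovered from a forwarded header, and only
     * when the direct peer is a proxy we operate; from any other peer the header is
     * untrusted input and is ignored. (Assumption: a single trusted proxy hop.)
     */
    static InetAddress originatingAddress(InetAddress peer, String xForwardedFor,
                                          Set<InetAddress> trustedProxies) throws UnknownHostException {
        if (!trustedProxies.contains(peer) || xForwardedFor == null || xForwardedFor.isBlank()) {
            return peer;
        }
        // X-Forwarded-For is "client, proxy1, proxy2"; the first entry is the original client.
        String first = xForwardedFor.split(",")[0].trim();
        return InetAddress.getByName(first);  // literal IP, so no DNS lookup is performed
    }

    public static void main(String[] args) throws Exception {
        SessionFactory factory = new SessionFactory();
        InetAddress natAddress = InetAddress.getByName("203.0.113.10"); // constructed sample (TEST-NET-3)

        // Two users behind the same NAT: same IP, two distinct sessions.
        Session a = factory.start(natAddress);
        Session b = factory.start(natAddress);
        System.out.println("same IP, distinct sessions: " + !a.id.equals(b.id)
                + " (active=" + factory.activeCount() + ")");

        // Reverse proxy case: the peer is our own Apache frontend, so the header is trusted.
        InetAddress proxy = InetAddress.getByName("10.0.0.2");          // constructed sample
        InetAddress client = originatingAddress(proxy, "198.51.100.7, 10.0.0.2", Set.of(proxy));
        System.out.println("client behind trusted proxy: " + client.getHostAddress());

        // An arbitrary peer presenting the same header: the header is ignored.
        InetAddress stranger = InetAddress.getByName("192.0.2.44");     // constructed sample
        InetAddress seen = originatingAddress(stranger, "198.51.100.7", Set.of(proxy));
        System.out.println("header from untrusted peer ignored: " + seen.equals(stranger));
    }
}
```

The design choice worth noting is that the recorded address is useful for tracing a session back to its origin but is never an input to authorization, which is exactly why a NAT or proxy in front of the application does not merge users into one session.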

> 2. Do we have a way of controlling accessed URLs and ports and doing a rewriting like it is done in Acegi with the channelProcessingFilter, for example having URLs such as /../secured/** controlled by client certificates and /../private/** controlled by basic authentication?

There is actually a JIRA issue to add this for 0.3: http://issues.jsecurity.org/browse/JSEC-45

If you have additional requirements for this feature, please add a comment to this issue!

> 3. Do you plan to use Maven or publish your jars in the Maven repository?

We would definitely love to do this. I also am not aware of how to accomplish this. I know how I could publish it to our website - but is it difficult to get things published to ibiblio or some other major repository, for example? Any ideas? Anyone want to help out here?

Hi, yes, I have already proposed my help for this project if you need it. I have sent an email to lhazlewood but I didn't get any response yet ;) Probably I will be able to help much more with the infrastructure parts (CruiseControl, Continuum, ...) and the build management part with Maven for the beginning, and after that, why not help with coding?