Posted to users@tapestry.apache.org by Mohammad Shamsi <m....@gmail.com> on 2008/01/22 13:06:18 UTC

[T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

Hi all,

The latest release of my phone book application is available now.

In this release I used:

   - Tapestry 5.0.7 as a Web MVC framework.
   - Acegi 1.0.5 as a Security System.
   - Spring 2.5 as an Application framework.
   - Spring JDBC for the Data Access Layer.
   - Hibernate 3.2.4 as an alternative for the Data Access Layer.
   - JPA (Hibernate Implementation) as another alternative for the Data Access
   Layer.
   - HSQLDB 1.8.0.7 for the application database.

Read more about the application configuration at
http://code.google.com/p/shams/wiki/TASJHJ

You can download the source code for this release and previous releases from
http://code.google.com/p/shams/


-- 
sincerely yours
M. H. Shamsi

Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

Posted by Mohammad Shamsi <m....@gmail.com>.
Another way:

encrypt your password and then send it with the URL.

You can do this in two ways:

1 - with Java code in the Login.java class:

This is my sample that I used in a project:

import java.security.MessageDigest;

public String digest(String password, String salt) {

        if ((password == null) || (salt == null)) {
            throw new IllegalArgumentException();
        }

        try {
            // MD5 is the algorithm used in this sample; it is not a suitable
            // password hash by current standards.
            MessageDigest digest = MessageDigest.getInstance("MD5");

            // Wrap the password between the two halves of the salt.
            int half = salt.length() / 2;
            String firstSubString = salt.substring(0, half);
            String secondSubString = salt.substring(half);

            // Use an explicit charset instead of the platform default.
            digest.update(firstSubString.getBytes("UTF-8"));
            digest.update(password.getBytes("UTF-8"));
            digest.update(secondSubString.getBytes("UTF-8"));

            // Hex-encode the raw digest bytes. Decoding them as UTF-8 text
            // (new String(bytes, "UTF-8")) corrupts byte values that are not
            // valid UTF-8, so the stored value would not be comparable later.
            StringBuilder hex = new StringBuilder();
            for (byte b : digest.digest()) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();

        } catch (Exception e) {
            throw new RuntimeException(e);
        }
}

Note that you must encrypt new user passwords too, before saving them in the database.


2 - with JavaScript code in Login.tml

You can find sample JavaScript for encrypting passwords on the internet.



On Jan 22, 2008 5:14 PM, Baptiste Meurant <ba...@gmail.com>
wrote:

>
> Thanks for your response.
>
> It is the solution that I decided to use. It is working perfectly but
> without using T5 mechanisms. I was wondering if some "full T5" solution
> was possible.
>
> Thanks again,
>
> Baptiste.
>


-- 
sincerely yours
M. H. Shamsi

Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

Posted by Baptiste Meurant <ba...@gmail.com>.
Thanks for your response.

It is the solution that I decided to use. It is working perfectly but
without using T5 mechanisms. I was wondering if some "full T5" solution was
possible.

Thanks again,

Baptiste.


dalahoo wrote:
> 
> A simple idea is to change Login.tml to submit directly to the acegi filter:
> 
> <form method="POST" action="/j_acegi_security_check">
>        <input type="text" name="j_username" />
>        <input type="password" name="j_password" />
>        <input type="submit" value="${message:login}"/>
> </form>
> 
> -- 
> sincerely yours
> M. H. Shamsi
> 
> 

-- 
View this message in context: http://www.nabble.com/-T5--ANN----Tapestry%2BAcegi%2BSpring%2BJDBC%2BHibernate%2BJPA%2BHSQLDB-all-in-one-tp15017544p15019005.html
Sent from the Tapestry - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

Posted by Mohammad Shamsi <m....@gmail.com>.
A simple idea is to change Login.tml to submit directly to the acegi filter:

<form method="POST" action="/j_acegi_security_check">
       <input type="text" name="j_username" />
       <input type="password" name="j_password" />
       <input type="submit" value="${message:login}"/>
</form>




On Jan 22, 2008 4:43 PM, Baptiste Meurant <ba...@gmail.com>
wrote:

>
> Hi,
>
>    Thank you for this great work. It will be really useful.
>
>    I still have a question about security in the T5/acegi integration: the
> "classic" solution that you used to perform strong authentication with acegi
> through T5 is creating a T5 LinkImpl object. You then give parameters (login
> and password) to this link object to pass the request to acegi.
>
> The problem is that you are then able to see the login and password in clear in
> your server (Apache, Tomcat, ...) logs. Indeed, T5 uses a LinkImpl object to
> perform a GET (and not a POST) to the server.
>
> I am very annoyed with this security hole that I have encountered on my own
> implementation of T5/acegi integration. I don't know any correct and elegant
> fix to this issue for now.
>
> Did you experience this issue? Do you have an idea about it? Or maybe you
> have already found a solution to fix it?
>
> Regards,
>
> Baptiste
>


-- 
sincerely yours
M. H. Shamsi

Re: [T5][ANN] - Tapestry+Acegi+Spring+JDBC+Hibernate+JPA+HSQLDB all in one

Posted by Baptiste Meurant <ba...@gmail.com>.
Hi,

    Thank you for this great work. It will be really useful.

    I still have a question about security in the T5/acegi integration: the
"classic" solution that you used to perform strong authentication with acegi
through T5 is creating a T5 LinkImpl object. You then give parameters (login
and password) to this link object to pass the request to acegi.

The problem is that you are then able to see the login and password in clear in
your server (Apache, Tomcat, ...) logs. Indeed, T5 uses a LinkImpl object to
perform a GET (and not a POST) to the server.

I am very annoyed with this security hole that I have encountered on my own
implementation of T5/acegi integration. I don't know any correct and elegant
fix to this issue for now.

Did you experience this issue? Do you have an idea about it? Or maybe you
have already found a solution to fix it?

Regards,

Baptiste



dalahoo wrote:
> 
> Hi all,
> 
> The latest release of my phone book application is available now.
> 
> In this release I used:
> 
>    - Tapestry 5.0.7 as a Web MVC framework.
>    - Acegi 1.0.5 as a Security System.
>    - Spring 2.5 as an Application framework.
>    - Spring JDBC for the Data Access Layer.
>    - Hibernate 3.2.4 as an alternative for the Data Access Layer.
>    - JPA (Hibernate Implementation) as another alternative for the Data Access
>    Layer.
>    - HSQLDB 1.8.0.7 for the application database.
> 
> Read more about the application configuration at
> http://code.google.com/p/shams/wiki/TASJHJ
> 
> You can download the source code for this release and previous releases from
> http://code.google.com/p/shams/
> 
> 
> -- 
> sincerely yours
> M. H. Shamsi
> 
> 

-- 
View this message in context: http://www.nabble.com/-T5--ANN----Tapestry%2BAcegi%2BSpring%2BJDBC%2BHibernate%2BJPA%2BHSQLDB-all-in-one-tp15017544p15018441.html
Sent from the Tapestry - User mailing list archive at Nabble.com.
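Baptiste's concern above is that a GET-based login leaves the login and password in the server's access logs. As an added example (not code from this thread or from the phone book project), here is a check a defender can run over Apache/Tomcat access logs to find requests whose query string carries Acegi's j_username or j_password parameters; the log lines are constructed samples, and the regex assumes the common combined log format.

```python
"""Scan web-server access logs for login credentials that leaked into request URIs."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Tomcat combined log format (not real traffic).
# Line 1 is the GET-based login Baptiste describes; line 2 is the POST form fix.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2008:16:43:01 +0100] "GET /j_acegi_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [22/Jan/2008:16:43:05 +0100] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [22/Jan/2008:16:44:10 +0100] "GET /login.form?t:ac=Login&j_username=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [22/Jan/2008:16:45:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Parameter names Acegi's form-login filter reads (from the thread); a site may rename them.
CREDENTIAL_PARAMS = {"j_username", "j_password"}

# client ident user [timestamp] "METHOD URI PROTOCOL" ... (combined log format)
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def find_credential_leaks(log_text):
    """Return one finding per request whose query string carries a credential parameter.

    Each finding is (client_ip, method, path, sorted list of leaked parameter names).
    Parameter values are deliberately not returned, so the report does not re-expose them.
    """
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("uri"))
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(CREDENTIAL_PARAMS.intersection(params))
        if leaked:
            findings.append((m.group("ip"), m.group("method"), parts.path, leaked))
    return findings


if __name__ == "__main__":
    for ip, method, path, names in find_credential_leaks(SAMPLE_LOG):
        print(f"{ip} {method} {path}: credential parameters in URL: {', '.join(names)}")
```

The POST submission on line 2 produces no finding because the form fields travel in the request body, which the access log does not record.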