You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@roller.apache.org by sn...@apache.org on 2007/07/26 17:58:18 UTC
svn commit: r559865 - /roller/trunk/apps/weblogger/web/WEB-INF/security.xml
Author: snoopdave
Date: Thu Jul 26 08:58:15 2007
New Revision: 559865
URL: http://svn.apache.org/viewvc?view=rev&rev=559865
Log:
Fix for ROL-1492 "Change users profile and admin permissions feature does not work"
The problem is caused by the Acegi user-cache. The user's role is changed in the Roller DB, but Acegi is still hanging on to the old user object. So access to the Server Admin page is denied.
There might be a way to flush the Acegi user cache, but I don't think there is much need for this cache and I'd rather not introduce any more Acegi dependencies. So I removed the cache from secrity.xml and that fixes the problem.
Modified:
roller/trunk/apps/weblogger/web/WEB-INF/security.xml
Modified: roller/trunk/apps/weblogger/web/WEB-INF/security.xml
URL: http://svn.apache.org/viewvc/roller/trunk/apps/weblogger/web/WEB-INF/security.xml?view=diff&rev=559865&r1=559864&r2=559865
==============================================================================
--- roller/trunk/apps/weblogger/web/WEB-INF/security.xml (original)
+++ roller/trunk/apps/weblogger/web/WEB-INF/security.xml Thu Jul 26 08:58:15 2007
@@ -125,12 +125,13 @@
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="jdbcAuthenticationDao"/>
- <property name="userCache" ref="userCache"/>
+ <!-- <property name="userCache" ref="userCache"/> -->
</bean>
<!-- Read users from Roller API -->
<bean id="jdbcAuthenticationDao" class="org.apache.roller.weblogger.ui.core.security.RollerUserDetailsService"/>
+ <!--
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
<property name="cache">
<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
@@ -141,6 +142,7 @@
</bean>
</property>
</bean>
+ -->
<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="anonymous"/>
Re: svn commit: r559865 - /roller/trunk/apps/weblogger/web/WEB-INF/security.xml
Posted by Dave <sn...@gmail.com>.
You have to flush the cache because the user is not the current user.
I've got code ready to commit that does the trick.
- Dave
On 7/26/07, Matt Raible <ma...@raibledesigns.com> wrote:
> You could also reset the authentication object:
>
> // reset the authentication object if current user
> 107 Authentication auth =
> SecurityContextHolder.getContext().getAuthentication();
> 108 if (auth != null && auth.getPrincipal() instanceof
> UserDetails) {
> 109 User currentUser = (User) auth.getPrincipal();
> 110 if (currentUser.getId().equals(user.getId())) {
> 111 auth = new
> UsernamePasswordAuthenticationToken(user, user.getPassword(),
> user.getAuthorities());
> 112
> SecurityContextHolder.getContext().setAuthentication(auth);
> 113 }
> 114 }
>
> From http://static.appfuse.org/appfuse-service/xref/org/appfuse/service/UserSecurityAdvice.html.
>
> Matt
>
> On 7/26/07, Allen Gilliland <al...@sun.com> wrote:
> >
> >
> > Dave wrote:
> > > On 7/26/07, Allen Gilliland <al...@sun.com> wrote:
> > >> Hmmm, I don't know that there is no need for that cache. That cache is
> > >> used to prevent us from having to hit the db constantly when checking
> > >> authentication/authorization. Without it, every single request from
> > >> users that are logged in requires extra queries against the db.
> > >
> > > Good point. I'll figure out how to flush that cache.
> >
> >
> > I took a quick look at it and I think you should be able to lookup the
> > "userCache" bean from spring and then call
> > userCache.removeUserFromCache(username). The class used for caching is
> > this one ...
> >
> > http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/providers/dao/cache/EhCacheBasedUserCache.html
> >
> > Generally speaking I don't like the idea of putting in more code that
> > directly tries to access spring beans, but I'm not sure there is any
> > other option here.
> >
> > -- Allen
> >
> >
> > >
> > > - Dave
> >
>
>
> --
> http://raibledesigns.com
>
Re: svn commit: r559865 - /roller/trunk/apps/weblogger/web/WEB-INF/security.xml
Posted by Matt Raible <ma...@raibledesigns.com>.
You could also reset the authentication object:
// reset the authentication object if current user
107 Authentication auth =
SecurityContextHolder.getContext().getAuthentication();
108 if (auth != null && auth.getPrincipal() instanceof
UserDetails) {
109 User currentUser = (User) auth.getPrincipal();
110 if (currentUser.getId().equals(user.getId())) {
111 auth = new
UsernamePasswordAuthenticationToken(user, user.getPassword(),
user.getAuthorities());
112
SecurityContextHolder.getContext().setAuthentication(auth);
113 }
114 }
>From http://static.appfuse.org/appfuse-service/xref/org/appfuse/service/UserSecurityAdvice.html.
Matt
On 7/26/07, Allen Gilliland <al...@sun.com> wrote:
>
>
> Dave wrote:
> > On 7/26/07, Allen Gilliland <al...@sun.com> wrote:
> >> Hmmm, I don't know that there is no need for that cache. That cache is
> >> used to prevent us from having to hit the db constantly when checking
> >> authentication/authorization. Without it, every single request from
> >> users that are logged in requires extra queries against the db.
> >
> > Good point. I'll figure out how to flush that cache.
>
>
> I took a quick look at it and I think you should be able to lookup the
> "userCache" bean from spring and then call
> userCache.removeUserFromCache(username). The class used for caching is
> this one ...
>
> http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/providers/dao/cache/EhCacheBasedUserCache.html
>
> Generally speaking I don't like the idea of putting in more code that
> directly tries to access spring beans, but I'm not sure there is any
> other option here.
>
> -- Allen
>
>
> >
> > - Dave
>
--
http://raibledesigns.com
Re: svn commit: r559865 -
/roller/trunk/apps/weblogger/web/WEB-INF/security.xml
Posted by Allen Gilliland <al...@sun.com>.
Dave wrote:
> On 7/26/07, Allen Gilliland <al...@sun.com> wrote:
>> Hmmm, I don't know that there is no need for that cache. That cache is
>> used to prevent us from having to hit the db constantly when checking
>> authentication/authorization. Without it, every single request from
>> users that are logged in requires extra queries against the db.
>
> Good point. I'll figure out how to flush that cache.
I took a quick look at it and I think you should be able to lookup the
"userCache" bean from spring and then call
userCache.removeUserFromCache(username). The class used for caching is
this one ...
http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/providers/dao/cache/EhCacheBasedUserCache.html
Generally speaking I don't like the idea of putting in more code that
directly tries to access spring beans, but I'm not sure there is any
other option here.
-- Allen
>
> - Dave
Re: svn commit: r559865 - /roller/trunk/apps/weblogger/web/WEB-INF/security.xml
Posted by Dave <sn...@gmail.com>.
On 7/26/07, Allen Gilliland <al...@sun.com> wrote:
> Hmmm, I don't know that there is no need for that cache. That cache is
> used to prevent us from having to hit the db constantly when checking
> authentication/authorization. Without it, every single request from
> users that are logged in requires extra queries against the db.
Good point. I'll figure out how to flush that cache.
- Dave
Re: svn commit: r559865 -
/roller/trunk/apps/weblogger/web/WEB-INF/security.xml
Posted by Allen Gilliland <al...@sun.com>.
Hmmm, I don't know that there is no need for that cache. That cache is
used to prevent us from having to hit the db constantly when checking
authentication/authorization. Without it, every single request from
users that are logged in requires extra queries against the db.
-- Allen
snoopdave@apache.org wrote:
> Author: snoopdave
> Date: Thu Jul 26 08:58:15 2007
> New Revision: 559865
>
> URL: http://svn.apache.org/viewvc?view=rev&rev=559865
> Log:
> Fix for ROL-1492 "Change users profile and admin permissions feature does not work"
>
> The problem is caused by the Acegi user-cache. The user's role is changed in the Roller DB, but Acegi is still hanging on to the old user object. So access to the Server Admin page is denied.
>
> There might be a way to flush the Acegi user cache, but I don't think there is much need for this cache and I'd rather not introduce any more Acegi dependencies. So I removed the cache from secrity.xml and that fixes the problem.
>
> Modified:
> roller/trunk/apps/weblogger/web/WEB-INF/security.xml
>
> Modified: roller/trunk/apps/weblogger/web/WEB-INF/security.xml
> URL: http://svn.apache.org/viewvc/roller/trunk/apps/weblogger/web/WEB-INF/security.xml?view=diff&rev=559865&r1=559864&r2=559865
> ==============================================================================
> --- roller/trunk/apps/weblogger/web/WEB-INF/security.xml (original)
> +++ roller/trunk/apps/weblogger/web/WEB-INF/security.xml Thu Jul 26 08:58:15 2007
> @@ -125,12 +125,13 @@
>
> <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
> <property name="userDetailsService" ref="jdbcAuthenticationDao"/>
> - <property name="userCache" ref="userCache"/>
> + <!-- <property name="userCache" ref="userCache"/> -->
> </bean>
>
> <!-- Read users from Roller API -->
> <bean id="jdbcAuthenticationDao" class="org.apache.roller.weblogger.ui.core.security.RollerUserDetailsService"/>
>
> + <!--
> <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
> <property name="cache">
> <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
> @@ -141,6 +142,7 @@
> </bean>
> </property>
> </bean>
> + -->
>
> <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
> <property name="key" value="anonymous"/>
>
>