Posted to users@tapestry.apache.org by Robin Helgelin <lo...@gmail.com> on 2008/05/06 22:29:11 UTC

Replace item in OrderedConfiguration

Hi,

My tapestry5-acegi module contains this:

    public static void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration,
            @InjectService("HttpSessionContextIntegrationFilter")
            HttpServletRequestFilter httpSessionContextIntegrationFilter,
            @InjectService("AuthenticationProcessingFilter")
            HttpServletRequestFilter authenticationProcessingFilter,
            @InjectService("RememberMeProcessingFilter")
            HttpServletRequestFilter rememberMeProcessingFilter,
            @InjectService("SecurityContextHolderAwareRequestFilter")
            HttpServletRequestFilter securityContextHolderAwareRequestFilter,
            @InjectService("AnonymousProcessingFilter")
            HttpServletRequestFilter anonymousProcessingFilter) {

        configuration.add("acegiHttpSessionContextIntegrationFilter",
                httpSessionContextIntegrationFilter, "before:acegi*");
        configuration.add("acegiAuthenticationProcessingFilter",
                authenticationProcessingFilter);
        configuration.add("acegiRememberMeProcessingFilter",
                rememberMeProcessingFilter);
        configuration.add("acegiSecurityContextHolderAwareRequestFilter",
                securityContextHolderAwareRequestFilter,
                "after:acegiRememberMeProcessingFilter");
        configuration.add("acegiAnonymousProcessingFilter",
                anonymousProcessingFilter,
                "after:acegiRememberMeProcessingFilter",
                "after:acegiAuthenticationProcessingFilter");
    }

How would I go ahead to override a single one of these filters? It seems you
can't remove an entry from an OrderedConfiguration, and it also seems
like you can put in another object with the same name.

So, should I use the alias contribution instead when injecting the
specific filter?

-- 
 regards,
 Robin

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: Replace item in OrderedConfiguration

Posted by Chris Lewis <ch...@bellsouth.net>.

Robin Helgelin wrote:
> On Wed, May 7, 2008 at 11:30 AM, Otho <ta...@googlemail.com> wrote:
>   
>> One thing which bothered me a couple of times already on this list. With the
>>  neat tapestry-spring integration, why don't you just use Spring to configure
>>  Spring services? The little xml used for configuring acegi is in my personal
>>  view more readable than the contributions in a service class and it got even
>>  less with 2.0. And you don't need any changes to Tapestry itself.
>>     
>
> One of the ideas of tapestry5-acegi is that it should be as
> transparent to spring as possible, using spring xml makes the user
> need to learn spring if he wants to make changes, currently this isn't
> the case.
>   
I have to argue that point. Up until a week or so ago I had never used
spring and had avoided using it for a long time. I knew of acegi and was
looking for a canned authorization library, so I was pleased to find
tapestry-hibernate. Unfortunately it assumes you know acegi, which I
don't, and acegi in turn assumes you know spring, which I didn't. If one
is to use acegi they are expected to know spring, so I think avoiding it
is somewhat moot (unless the module includes code to remove the spring
deps).
> On the other hand, if there's a patch available, I don't see a problem
> to change it :)
>
>   

-- 
http://thegodcode.net


Re: Replace item in OrderedConfiguration

Posted by Howard Lewis Ship <hl...@gmail.com>.
  boolean dispatchComponentEvent(ComponentEvent event);

So, in your advice:

ComponentEvent event = (ComponentEvent) invocation.getParameter(0);

if (event.matches("activate", "", 0)) {
  // Do some extra checking here.
}

invocation.proceed();


On Fri, May 9, 2008 at 10:32 AM, Robin Helgelin <lo...@gmail.com> wrote:
> On Fri, May 9, 2008 at 5:54 PM, Howard Lewis Ship <hl...@gmail.com> wrote:
>> Since it's a specific method, we know what the parameters are; we can
>> then cast the first parameter to ComponentEvent, and (inside the
>> advice) check to see if it is an "activate" event, and apply security
>> checks there.  So we do coarse grained security access, that entire
>> pages are restricted by user role.
>
> Yes, that's what I thought :). Any ideas on what signature to use for the code?
>
> CONTAINING_PAGE_DID_ATTACH_SIGNATURE fires too often as it's invoked
> when just linking to a page, and BEGIN_RENDER_SIGNATURE fires too
> late, as the action method can be invoked before the page starts to
> render.
>
> --
>  regards,
>  Robin
>



-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind



Re: Replace item in OrderedConfiguration

Posted by Robin Helgelin <lo...@gmail.com>.
On Fri, May 9, 2008 at 5:54 PM, Howard Lewis Ship <hl...@gmail.com> wrote:
> Since it's a specific method, we know what the parameters are; we can
> then cast the first parameter to ComponentEvent, and (inside the
> advice) check to see if it is an "activate" event, and apply security
> checks there.  So we do coarse grained security access, that entire
> pages are restricted by user role.

Yes, that's what I thought :). Any ideas on what signature to use for the code?

CONTAINING_PAGE_DID_ATTACH_SIGNATURE fires too often as it's invoked
when just linking to a page, and BEGIN_RENDER_SIGNATURE fires too
late, as the action method can be invoked before the page starts to
render.

-- 
 regards,
 Robin



Re: Replace item in OrderedConfiguration

Posted by Howard Lewis Ship <hl...@gmail.com>.
At Formos, we used the ComponentMethodAdvice approach to enforce
page-level security, advising the dispatchComponentEvent() method
(part of the Component interface).

Since it's a specific method, we know what the parameters are; we can
then cast the first parameter to ComponentEvent, and (inside the
advice) check to see if it is an "activate" event, and apply security
checks there.  So we do coarse grained security access, that entire
pages are restricted by user role.

It's a bit more complicated if you want to dive down and apply
fine-grained advice to methods, especially if you want to find all the
event handling methods (you need to know the naming convention and the
annotation, just like OnEventWorker).  I'd stick with an
annotation-driven approach rather than blindly advising everything in
sight ... you'll likely advise too much!

On Wed, May 7, 2008 at 10:43 AM, Filip S. Adamsen <fs...@fsadev.com> wrote:
> There isn't much documentation on this yet as far as I know, but Howard
> posted a bit about it on his blog:
>
> http://tapestryjava.blogspot.com/2008/04/tapestry-components-aspects.html
>
> -Filip
>
> On 2008-05-07 19:29, Robin Helgelin wrote:
>>
>> On Wed, May 7, 2008 at 4:21 PM, Filip S. Adamsen <fs...@fsadev.com> wrote:
>>>
>>> How about using the new ComponentMethodAdvice? Sounds like that might be
>>> a
>>> good fit.
>>
>> Reading up about that now, any specific ideas on how to use it? Seems
>> like it can help on secure methods, but not on secure classes. In that
>> case I need to advise on all possible action methods?
>>
>



-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind
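
Added example, not part of the original thread and not Tapestry or tapestry5-acegi code: a toy Java model of the hook-placement trade-off discussed in the messages above (role check at page attach, at the "activate" event inside dispatchComponentEvent(), or at begin-render). The `Step`, `Request` and `Outcome` names and the simplified lifecycle are assumptions drawn from what the posts describe, including that the "activate" event is dispatched before an action handler runs.

```java
import java.util.List;

/** Toy model of hook placement for a page-level role check; not Tapestry code. */
public class HookPlacementDemo {

    enum Step { ATTACH, ACTIVATE_EVENT, ACTION_HANDLER, BEGIN_RENDER }

    enum Outcome { DENIED, EXPOSED, HARMLESS }

    /** Request kinds discussed in the thread, with the steps each runs on the secured page. */
    enum Request {
        // Another page only renders a link to the secured page.
        LINK_FROM_OTHER_PAGE(Step.ATTACH),
        // Ordinary page view.
        PAGE_VIEW(Step.ATTACH, Step.ACTIVATE_EVENT, Step.BEGIN_RENDER),
        // Action handler URL requested directly, without rendering the page first.
        DIRECT_ACTION_URL(Step.ATTACH, Step.ACTIVATE_EVENT, Step.ACTION_HANDLER);

        final List<Step> steps;

        Request(Step... steps) { this.steps = List.of(steps); }
    }

    /** Steps that do something only an authorized user may trigger. */
    static boolean isProtected(Step step) {
        return step == Step.ACTION_HANDLER || step == Step.BEGIN_RENDER;
    }

    /** Stand-in for the advice body: fail closed instead of falling through to proceed(). */
    static void checkAccess(boolean userHasRole) {
        if (!userHasRole) {
            throw new SecurityException("role required");
        }
    }

    /** Walks the request's steps with the check attached to one hook and reports the result. */
    static Outcome simulate(Request request, Step hook, boolean userHasRole) {
        Outcome outcome = Outcome.HARMLESS;
        try {
            for (Step step : request.steps) {
                if (step == hook) {
                    checkAccess(userHasRole);
                }
                if (isProtected(step)) {
                    outcome = Outcome.EXPOSED;
                }
            }
        } catch (SecurityException denied) {
            // A denial that arrives after a protected step already ran is still an exposure.
            return outcome == Outcome.EXPOSED ? Outcome.EXPOSED : Outcome.DENIED;
        }
        return outcome;
    }

    public static void main(String[] args) {
        Step[] hooks = { Step.ATTACH, Step.ACTIVATE_EVENT, Step.BEGIN_RENDER };
        for (Step hook : hooks) {
            for (Request request : Request.values()) {
                // Constructed scenario: a user without the required role.
                System.out.printf("check at %-14s %-20s -> %s%n",
                        hook, request, simulate(request, hook, false));
            }
        }
    }
}
```

For a user without the role, only the check at the activate event denies both the page view and the direct action URL without also failing when another page merely links to the secured page.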



Re: Replace item in OrderedConfiguration

Posted by "Filip S. Adamsen" <fs...@fsadev.com>.
There isn't much documentation on this yet as far as I know, but Howard 
posted a bit about it on his blog:

http://tapestryjava.blogspot.com/2008/04/tapestry-components-aspects.html

-Filip

On 2008-05-07 19:29, Robin Helgelin wrote:
> On Wed, May 7, 2008 at 4:21 PM, Filip S. Adamsen <fs...@fsadev.com> wrote:
>> How about using the new ComponentMethodAdvice? Sounds like that might be a
>> good fit.
> 
> Reading up about that now, any specific ideas on how to use it? Seems
> like it can help on secure methods, but not on secure classes. In that
> case I need to advise on all possible action methods?
> 



Re: Replace item in OrderedConfiguration

Posted by Robin Helgelin <lo...@gmail.com>.
On Wed, May 7, 2008 at 4:21 PM, Filip S. Adamsen <fs...@fsadev.com> wrote:
> How about using the new ComponentMethodAdvice? Sounds like that might be a
> good fit.

Reading up about that now, any specific ideas on how to use it? Seems
like it can help on secure methods, but not on secure classes. In that
case I need to advise on all possible action methods?

-- 
 regards,
 Robin



Re: Replace item in OrderedConfiguration

Posted by "Filip S. Adamsen" <fs...@fsadev.com>.
How about using the new ComponentMethodAdvice? Sounds like that might be 
a good fit.

-Filip

On 2008-05-07 15:20, Robin Helgelin wrote:
> On Wed, May 7, 2008 at 1:06 PM, Otho <ta...@googlemail.com> wrote:
>> Hi Robin,
>>  of the underlying concepts from developers. For example your Todo list still
>>  has the non working method security and the ability to access action
>>  handlers in @Secured classes open. Because of the conventions in method
>>  naming it is not that hard to guess the complete url of some action handlers
>>  and possibly wreak havoc.
> 
> Secure methods are working in the latest 1.1.0-SNAPSHOT, and I should
> probably release that so more can test it.
> 
> However, action handlers is another thing. As I currently extend
> TransformConstants.BEGIN_RENDER_SIGNATURE, it breaks action handlers.
> But, if I extend CONTAINING_PAGE_DID_ATTACH_SIGNATURE you'll get an
> access failure just by linking to a secured page. Perhaps
> DISPATCH_COMPONENT_EVENT would work? But there is no matching end
> event to that one.
> 



Re: Replace item in OrderedConfiguration

Posted by Robin Helgelin <lo...@gmail.com>.
On Wed, May 7, 2008 at 1:06 PM, Otho <ta...@googlemail.com> wrote:
> Hi Robin,
>  of the underlying concepts from developers. For example your Todo list still
>  has the non working method security and the ability to access action
>  handlers in @Secured classes open. Because of the conventions in method
>  naming it is not that hard to guess the complete url of some action handlers
>  and possibly wreak havoc.

Secure methods are working in the latest 1.1.0-SNAPSHOT, and I should
probably release that so more can test it.

However, action handlers is another thing. As I currently extend
TransformConstants.BEGIN_RENDER_SIGNATURE, it breaks action handlers.
But, if I extend CONTAINING_PAGE_DID_ATTACH_SIGNATURE you'll get an
access failure just by linking to a secured page. Perhaps
DISPATCH_COMPONENT_EVENT would work? But there is no matching end
event to that one.

-- 
 regards,
 Robin



Re: Replace item in OrderedConfiguration

Posted by Otho <ta...@googlemail.com>.
Hi Robin,
I must admit that I learned Spring before Tapestry :)
The remark was not coined at your work specifically since a seamless
integration of Acegi/Spring Security into Tapestry is without doubt
something good, because a kind of security and user rights is needed in
almost every non-trivial web application and reinventing the wheel just once
again by writing your own security is not really desirable. Integrating
Acegi in a generic way is not really easy I think but I do think also, that
people with security requirements in their web applications should know what
they do when using a framework like Spring Security and thus should bother
with learning at least some of the internals. Especially with today's
automated attacks on websites I don't think it is advisable to hide too much
of the underlying concepts from developers. For example your Todo list still
has the non working method security and the ability to access action
handlers in @Secured classes open. Because of the conventions in method
naming it is not that hard to guess the complete url of some action handlers
and possibly wreak havoc. With Acegi's standard method of URL-based security
that doesn't play a role, since all urls starting with a specific string can
be wildcarded and you can configure it as fine-grained as you want. It is of
course a question of personal needs and preferences, but I like to stay in
control :)
Regards,
Otho

2008/5/7 Robin Helgelin <lo...@gmail.com>:

> On Wed, May 7, 2008 at 11:30 AM, Otho <ta...@googlemail.com> wrote:
> > One thing which bothered me a couple of times already on this list. With
> the
> >  neat tapestry-spring integration, why don't you just use Spring to
> configure
> >  Spring services? The little xml used for configuring acegi is in my
> personal
> >  view more readable than the contributions in a service class and it got
> even
> >  less with 2.0. And you don't need any changes to Tapestry itself.
>
> One of the ideas of tapestry5-acegi is that it should be as
> transparent to spring as possible, using spring xml makes the user
> need to learn spring if he wants to make changes, currently this isn't
> the case.
>
> On the other hand, if there's a patch available, I don't see a problem
> to change it :)
>
> --
>  regards,
>  Robin
>

Re: Replace item in OrderedConfiguration

Posted by Robin Helgelin <lo...@gmail.com>.
On Wed, May 7, 2008 at 11:30 AM, Otho <ta...@googlemail.com> wrote:
> One thing which bothered me a couple of times already on this list. With the
>  neat tapestry-spring integration, why don't you just use Spring to configure
>  Spring services? The little xml used for configuring acegi is in my personal
>  view more readable than the contributions in a service class and it got even
>  less with 2.0. And you don't need any changes to Tapestry itself.

One of the ideas of tapestry5-acegi is that it should be as
transparent to spring as possible, using spring xml makes the user
need to learn spring if he wants to make changes, currently this isn't
the case.

On the other hand, if there's a patch available, I don't see a problem
to change it :)

-- 
 regards,
 Robin



Re: Replace item in OrderedConfiguration

Posted by Otho <ta...@googlemail.com>.
One thing which bothered me a couple of times already on this list. With the
neat tapestry-spring integration, why don't you just use Spring to configure
Spring services? The little xml used for configuring acegi is in my personal
view more readable than the contributions in a service class and it got even
less with 2.0. And you don't need any changes to Tapestry itself.

Regards,
Otho

2008/5/7 Robin Helgelin <lo...@gmail.com>:

> On Tue, May 6, 2008 at 11:04 PM, Howard Lewis Ship <hl...@gmail.com>
> wrote:
> > I've been thinking for a while about adding remove() and replace()
> >  methods to OrderedConfiguration and MappedConfiguration, and adding
> >  other methods to OrderedConfiguration to allow minor tweaks to
> >  dependencies.  It just hasn't been a priority.  It also leads to
> >  ambiguities ... what if you remove and replace?  Or replace multiple
> >  times?
>
> Any ideas on how to solve this with the current available releases?
>
> As for your question, maybe services can declare the configuration
> entry non-removable/non-replaceable, such as internal Tapestry
> services?
>
> --
>  regards,
>  Robin
>

Re: Replace item in OrderedConfiguration

Posted by Robin Helgelin <lo...@gmail.com>.
On Tue, May 6, 2008 at 11:04 PM, Howard Lewis Ship <hl...@gmail.com> wrote:
> I've been thinking for a while about adding remove() and replace()
>  methods to OrderedConfiguration and MappedConfiguration, and adding
>  other methods to OrderedConfiguration to allow minor tweaks to
>  dependencies.  It just hasn't been a priority.  It also leads to
>  ambiguities ... what if you remove and replace?  Or replace multiple
>  times?

Any ideas on how to solve this with the current available releases?

As for your question, maybe services can declare the configuration
entry non-removable/non-replaceable, such as internal Tapestry
services?

-- 
 regards,
 Robin



Re: Replace item in OrderedConfiguration

Posted by Howard Lewis Ship <hl...@gmail.com>.
I've been thinking for a while about adding remove() and replace()
methods to OrderedConfiguration and MappedConfiguration, and adding
other methods to OrderedConfiguration to allow minor tweaks to
dependencies.  It just hasn't been a priority.  It also leads to
ambiguities ... what if you remove and replace?  Or replace multiple
times?

On Tue, May 6, 2008 at 1:41 PM, Daniel Jue <te...@gmail.com> wrote:
> Sounds the same as my issue with replacing the "Default" hibernate
>  config, which is stored in an OrderedConfiguration list.
>  (I ended up just putting a minimal dummy hibernate.cfg.xml in the
>  path, and then the configuration I made replaces the entire config
>  since it's loaded after the "Default".)
>
>  Can you think of any unforeseen issues if we were to have a remove feature?
>  I can only think of one: the Tapestry supplied *impl classes can't
>  rely on the default ones being there, since we may have removed them.
>
>  OTOH, using an Ordered set would cause issues with multiple modules
>  contributing configurations with the same string name.  (Unless we
>  adopt a convention of fully qualifying the configuration name, i.e.
>  "com.mycompany.myapp.Default")

Just something I've been trying to avoid; earlier T5 IoC looked more
like hivemind, with module ids tacked on the front of everything. I
eventually scrapped that, for simplicity, and got rid of private
services as well.  I think it was a step in the right direction.

>
>
>
>  On Tue, May 6, 2008 at 4:29 PM, Robin Helgelin <lo...@gmail.com> wrote:
>  > Hi,
>  >
>  >  My tapestry5-acegi module contains this:
>  >
>  >     public static void contributeHttpServletRequestHandler(
>  >             OrderedConfiguration<HttpServletRequestFilter> configuration,
>  >             @InjectService("HttpSessionContextIntegrationFilter")
>  >             HttpServletRequestFilter httpSessionContextIntegrationFilter,
>  >             @InjectService("AuthenticationProcessingFilter")
>  >             HttpServletRequestFilter authenticationProcessingFilter,
>  >             @InjectService("RememberMeProcessingFilter")
>  >             HttpServletRequestFilter rememberMeProcessingFilter,
>  >             @InjectService("SecurityContextHolderAwareRequestFilter")
>  >             HttpServletRequestFilter securityContextHolderAwareRequestFilter,
>  >             @InjectService("AnonymousProcessingFilter")
>  >             HttpServletRequestFilter anonymousProcessingFilter) {
>  >
>  >         configuration.add("acegiHttpSessionContextIntegrationFilter",
>  >                 httpSessionContextIntegrationFilter, "before:acegi*");
>  >         configuration.add("acegiAuthenticationProcessingFilter",
>  >                 authenticationProcessingFilter);
>  >         configuration.add("acegiRememberMeProcessingFilter",
>  >                 rememberMeProcessingFilter);
>  >         configuration.add("acegiSecurityContextHolderAwareRequestFilter",
>  >                 securityContextHolderAwareRequestFilter,
>  >                 "after:acegiRememberMeProcessingFilter");
>  >         configuration.add("acegiAnonymousProcessingFilter",
>  >                 anonymousProcessingFilter,
>  >                 "after:acegiRememberMeProcessingFilter",
>  >                 "after:acegiAuthenticationProcessingFilter");
>  >     }
>  >
>  >  How would I go ahead to override a single one of these filters? It seems you
>  >  can't remove an entry from an OrderedConfiguration, and it also seems
>  >  like you can put in another object with the same name.
>  >
>  >  So, should I use the alias contribution instead when injecting the
>  >  specific filter?
>  >
>  >  --
>  >   regards,
>  >   Robin
>  >



-- 
Howard M. Lewis Ship

Creator Apache Tapestry and Apache HiveMind



Re: Replace item in OrderedConfiguration

Posted by Daniel Jue <te...@gmail.com>.
Sounds the same as my issue with replacing the "Default" hibernate
config, which is stored in an OrderedConfiguration list.
(I ended up just putting a minimal dummy hibernate.cfg.xml in the
path, and then the configuration I made replaces the entire config
since it's loaded after the "Default".)

Can you think of any unforeseen issues if we were to have a remove feature?
I can only think of one: the Tapestry supplied *impl classes can't
rely on the default ones being there, since we may have removed them.

OTOH, using an Ordered set would cause issues with multiple modules
contributing configurations with the same string name.  (Unless we
adopt a convention of fully qualifying the configuration name, i.e.
"com.mycompany.myapp.Default")

On Tue, May 6, 2008 at 4:29 PM, Robin Helgelin <lo...@gmail.com> wrote:
> Hi,
>
>  My tapestry5-acegi module contains this:
>
>     public static void contributeHttpServletRequestHandler(
>             OrderedConfiguration<HttpServletRequestFilter> configuration,
>             @InjectService("HttpSessionContextIntegrationFilter")
>             HttpServletRequestFilter httpSessionContextIntegrationFilter,
>             @InjectService("AuthenticationProcessingFilter")
>             HttpServletRequestFilter authenticationProcessingFilter,
>             @InjectService("RememberMeProcessingFilter")
>             HttpServletRequestFilter rememberMeProcessingFilter,
>             @InjectService("SecurityContextHolderAwareRequestFilter")
>             HttpServletRequestFilter securityContextHolderAwareRequestFilter,
>             @InjectService("AnonymousProcessingFilter")
>             HttpServletRequestFilter anonymousProcessingFilter) {
>
>         configuration.add("acegiHttpSessionContextIntegrationFilter",
>                 httpSessionContextIntegrationFilter, "before:acegi*");
>         configuration.add("acegiAuthenticationProcessingFilter",
>                 authenticationProcessingFilter);
>         configuration.add("acegiRememberMeProcessingFilter",
>                 rememberMeProcessingFilter);
>         configuration.add("acegiSecurityContextHolderAwareRequestFilter",
>                 securityContextHolderAwareRequestFilter,
>                 "after:acegiRememberMeProcessingFilter");
>         configuration.add("acegiAnonymousProcessingFilter",
>                 anonymousProcessingFilter,
>                 "after:acegiRememberMeProcessingFilter",
>                 "after:acegiAuthenticationProcessingFilter");
>     }
>
>  How would I go ahead to override a single one of these filters? It seems you
>  can't remove an entry from an OrderedConfiguration, and it also seems
>  like you can put in another object with the same name.
>
>  So, should I use the alias contribution instead when injecting the
>  specific filter?
>
>  --
>   regards,
>   Robin
>
