[Geoserver-devel] From acegi to spring security 2.0

Christian_Mueller · November 4, 2010, 8:30am

I am currently working on replacing acegi security with spring security 2.0.6

Most of the time I have to replace the term "acegi" with a spring security term. (import statements, class names,...).

This requires modifying a lot of files resulting in a big patch.

Additionally I have seen that geoserver code itself uses the term "acegi". (package names, parameter names).

The question is:
Should i also rename the geoserver "acegi" elements resulting in a bigger patch to be consistent or or should I rename only the necessary elements. ?

Christian

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Andrea_Aime4 · November 4, 2010, 8:45am

On Thu, Nov 4, 2010 at 9:30 AM, <christian.mueller@anonymised.com> wrote:

I am currently working on replacing acegi security with spring security 2.0.6

Most of the time I have to replace the term "acegi" with a spring
security term. (import statements, class names,...).

This requires modifying a lot of files resulting in a big patch.

Additionally I have seen that geoserver code itself uses the term
"acegi". (package names, parameter names).

The question is:
Should i also rename the geoserver "acegi" elements resulting in a
bigger patch to be consistent or or should I rename only the
necessary elements. ?

I would go for a full replacement, otherwise people reading the code won't
understand where "acegi" comes from.

Cheers
Andrea

-----------------------------------------------------
Ing. Andrea Aime
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584962313
fax: +39 0584962313

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf

-----------------------------------------------------

Christian_Mueller · November 5, 2010, 11:20am

I have replaced all references from acegi to spring-security in all pom.xml files. Nevertheless a

mvn clean install -PallExtensions

downloads the acegi jar file into the local maven repo.

I assume there is a transitive dependency in geowebcache. I never worked with geowebcache, but I googled and found that gwc needs acegi security.

What should I do.

1) Ignore
2) ???

Christian

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Gabriel_Roldan2 · November 6, 2010, 12:44am

On Fri, 2010-11-05 at 12:20 +0100, christian.mueller@anonymised.com wrote:

I have replaced all references from acegi to spring-security in all
pom.xml files. Nevertheless a

mvn clean install -PallExtensions

downloads the acegi jar file into the local maven repo.

I assume there is a transitive dependency in geowebcache. I never
worked with geowebcache, but I googled and found that gwc needs acegi
security.

What should I do.

1) Ignore
2) ???

The dependency is being carried over by the gwc rest module, which is
wrong now that I think of it.
I'm gonna move the gwc security classes to the gwc web module, where the
security context is configured, and redeploy gwc so you don't get those
transitive dependencies.

I might need you help in migrating gwc to Spring security too, if you'd
be so kind and we decide we want to migrate gwc from acegi too.

Cheers,
Gabriel

Christian

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

------------------------------------------------------------------------------
The Next 800 Companies to Lead America's Growth: New Video Whitepaper
David G. Thomson, author of the best-selling book "Blueprint to a
Billion" shares his insights and actions to help propel your
business during the next growth cycle. Listen Now!
http://p.sf.net/sfu/SAP-dev2dev
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Gabriel Roldan
groldan@anonymised.com
Expert service straight from the developers

Gabriel_Roldan2 · November 6, 2010, 3:02am

Christian, gwc should be out of your way now. It doesn't carry over the
acegi dependency transitively to geoserver any more.

Please check and confirm.

Gabriel
On Fri, 2010-11-05 at 21:44 -0300, Gabriel Roldán wrote:

On Fri, 2010-11-05 at 12:20 +0100, christian.mueller@anonymised.com wrote:
> I have replaced all references from acegi to spring-security in all
> pom.xml files. Nevertheless a
>
> mvn clean install -PallExtensions
>
> downloads the acegi jar file into the local maven repo.
>
> I assume there is a transitive dependency in geowebcache. I never
> worked with geowebcache, but I googled and found that gwc needs acegi
> security.
>
> What should I do.
>
> 1) Ignore
> 2) ???

The dependency is being carried over by the gwc rest module, which is
wrong now that I think of it.
I'm gonna move the gwc security classes to the gwc web module, where the
security context is configured, and redeploy gwc so you don't get those
transitive dependencies.

I might need you help in migrating gwc to Spring security too, if you'd
be so kind and we decide we want to migrate gwc from acegi too.

Cheers,
Gabriel
>
> Christian
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>
> ------------------------------------------------------------------------------
> The Next 800 Companies to Lead America's Growth: New Video Whitepaper
> David G. Thomson, author of the best-selling book "Blueprint to a
> Billion" shares his insights and actions to help propel your
> business during the next growth cycle. Listen Now!
> http://p.sf.net/sfu/SAP-dev2dev
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Gabriel Roldan
groldan@anonymised.com
Expert service straight from the developers

Christian_Mueller · November 6, 2010, 4:48pm

Confirmed, no acegi jar is downloaded during a maven build.
Cheers
Christian

Quoting Gabriel Roldán <groldan@anonymised.com>:

Christian, gwc should be out of your way now. It doesn't carry over the
acegi dependency transitively to geoserver any more.

Please check and confirm.

Gabriel
On Fri, 2010-11-05 at 21:44 -0300, Gabriel Roldán wrote:

On Fri, 2010-11-05 at 12:20 +0100, christian.mueller@anonymised.com wrote:
> I have replaced all references from acegi to spring-security in all
> pom.xml files. Nevertheless a
>
> mvn clean install -PallExtensions
>
> downloads the acegi jar file into the local maven repo.
>
> I assume there is a transitive dependency in geowebcache. I never
> worked with geowebcache, but I googled and found that gwc needs acegi
> security.
>
> What should I do.
>
> 1) Ignore
> 2) ???

The dependency is being carried over by the gwc rest module, which is
wrong now that I think of it.
I'm gonna move the gwc security classes to the gwc web module, where the
security context is configured, and redeploy gwc so you don't get those
transitive dependencies.

I might need you help in migrating gwc to Spring security too, if you'd
be so kind and we decide we want to migrate gwc from acegi too.

Cheers,
Gabriel
>
> Christian
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
> ------------------------------------------------------------------------------
> The Next 800 Companies to Lead America's Growth: New Video Whitepaper
> David G. Thomson, author of the best-selling book "Blueprint to a
> Billion" shares his insights and actions to help propel your
> business during the next growth cycle. Listen Now!
> http://p.sf.net/sfu/SAP-dev2dev
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Gabriel Roldan
groldan@anonymised.com
Expert service straight from the developers

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Christian_Mueller · November 6, 2010, 5:07pm

I might need you help in migrating gwc to Spring security too, if you'd
be so kind and we decide we want to migrate gwc from acegi too.

Cheers,
Gabriel

Of course I would. As far as I understand gwc, all authentication/authorization rules must hold for gwc too. I does not make sense to protect resources within geoserver and not protecting them from the cache. Is my understanding correct here ?.

At the moment I am banging my head against the wall. I migrated all projects needed for a

mvn clean install -PallExtensions.

I altered the class names contained in applicationSecurityContext.xml in the main module.

A "mvn compile" works fine.

But "mvn clean install" results in

ClassNotFoundException for org.springframework.vote.AffirmativeBased

when the applicationSecurityContext.xml file is processed.

Adding a line
System.out.println(System.getProperty("java.class.path"))

in the test case shows that all spring-security jars are in the class path.

The only documentation about migrating I found is here

http://java.dzone.com/tips/pathway-acegi-spring-security-

The author did not migrate the old security xml file, he created a new one, which uses xml name spaces. I tried the same and as result, I get a parsing error "element beans:beans is missing", but it is there. It seems that the XML parser is not namespace aware.

For the moment, I have no further idea, perhaps I have to download all necessary source jars and have an in dept debugging session.

Is there an svn repo for gwc ?. Perhaps I could try with gwc to find the problem.

so far, so good
Christian

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Christian_Mueller · November 7, 2010, 8:09am

Forget about the ClassNotFoundException from my last mail.

In the morning, drinking a cup of coffee, smoking a cigarette I looked in the applicationSecurityContext.xml and what did I see ? A typing error in the class name. Fuck.

I restored the securityApplicationContext.xml not using xml namespaces. If we introduce xml namespaces into the Spring confg files, we should do it for all of them. One advantage is that the config files could be checked against xml schemes.

Cheers
Christian

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.