[Geoserver-devel] Spring 3.0 upgrade

Hi Chris

I did not get your answer for my last message (GSIP 53) but I found your mail in the archive.

1) I am not sure if it is a good idea that I should make a GSIP for Spring 3.0, since I am no Spring expert at all. Perhaps somebody with more skills should create this GSIP.

2) Do you intend to have Spring 3.0 in geoserver 2.1.0? I am a little confused at the moment.

Cheers
Christian

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Ah, if you’re not comfortable doing the Spring 3.0 upgrade we should probably hold off. But I guess you should just make a GSIP to do an upgrade to Spring Security 2.0, separate from the proposal on the whole security upgrade. And yes, ideally do that upgrade before 2.1.0, if you are able to do it.

C

On Tue, Oct 19, 2010 at 3:49 PM, <christian.mueller@anonymised.com> wrote:

Hi Chris

I did not get your answer for my last message (GSIP 53) but I found
your mail in the archive.

  1. I am not sure if it is a good idea that I should make a GSIP for
    Spring 3.0, since I am no Spring expert at all. Perhaps somebody with
    more skills should create this GSIP.

  2. Do you intend to have Spring 3.0 in geoserver 2.1.0? I am a
    little confused at the moment.

Cheers
Christian




Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Hi Chris

look here:
http://geoserver.org/display/GEOS/GSIP+54+Upgrade+Geoserver+security+to+Spring+Security+2.0

If this proposal is ok I would delete redundancies in GSIP 53 to clarify that GSIP 54 is the precondition for GSIP 53.

Cheers


Looks good to me.

On Tue, Oct 19, 2010 at 5:00 PM, <christian.mueller@anonymised.com> wrote:

Hi Chris

look here:
http://geoserver.org/display/GEOS/GSIP+54+Upgrade+Geoserver+security+to+Spring+Security+2.0

If this proposal is ok I would delete redundancies in GSIP 53 to clarify that GSIP 54 is the precondition for GSIP 53.

Cheers


I adapted GSIP 53 since GSIP 54 is now a prerequisite of GSIP 53.


http://geoserver.org/display/GEOS/GSIP+54+Upgrade+Geoserver+security+to+Spring+Security+2.0

Christian


On Wed, Oct 20, 2010 at 4:39 PM, <christian.mueller@anonymised.com> wrote:

http://geoserver.org/display/GEOS/GSIP+54+Upgrade+Geoserver+security+to+Spring+Security+2.0

If one reads the proposal he might think GeoServer uses its own
authentication implementation, however
that is not true, it uses Acegi, which is the old Spring Security,
however it does so in a way that is not
pluggable and that should be amended.

Also, the proposal talks about "security" generically, and at one
point about authentication/authorization.
I'm +1 on making the authentication mechanism be pluggable and use
Spring Security 2.0,
but not on making the authorization use Spring Security instead: the
authorization should be eventually
made more pluggable, but I find the Spring Security way of doing
authorization quite obscure.

For both authentication and authorization I would like to see a design
of how you want to modify the
code to make it pluggable.

I'm +1 on using Spring Security 2.0, however that by itself does not
make much of a GSIP, I don't want
for people to think that any implementation using Spring Security 2.0
will be accepted because
of the vote on the GSIP: a specific design will have to be provided
and voted separately.

Cheers
Andrea


--
-----------------------------------------------------
Ing. Andrea Aime
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584962313
fax: +39 0584962313

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf

-----------------------------------------------------

Agree with upgrade to Spring Security … should be quite straightforward, I already made it locally :P … just a thought we of course must reside on Spring Security 2.0 since GeoServer depends on spring 2.5.5 … what about upgrading to spring and spring-security 3 instead?


Ing. Alessio Fabiani
Founder / CTO GeoSolutions S.A.S.

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: (+39) 0584 96.23.13
fax: (+39) 0584 96.23.13
mobile:(+39) 349 82.27.000

http://www.geo-solutions.it
http://geo-solutions.blogspot.com
http://www.linkedin.com/in/alessiofabiani
http://twitter.com/simogeo

On Mon, Oct 25, 2010 at 12:49 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

On Wed, Oct 20, 2010 at 4:39 PM, <christian.mueller@anonymised.com> wrote:

http://geoserver.org/display/GEOS/GSIP+54+Upgrade+Geoserver+security+to+Spring+Security+2.0

If one reads the proposal he might think GeoServer uses its own
authentication implementation, however
that is not true, it uses Acegi, which is the old Spring Security,
however it does so in a way that is not
pluggable and that should be amended.

Also, the proposal talks about “security” generically, and at one
point about authentication/authorization.
I’m +1 on making the authentication mechanism be pluggable and use
Spring Security 2.0,
but not on making the authorization use Spring Security instead: the
authorization should be eventually
made more pluggable, but I find the Spring Security way of doing
authorization quite obscure.

For both authentication and authorization I would like to see a design
of how you want to modify the
code to make it pluggable.

I’m +1 on using Spring Security 2.0, however that by itself does not
make much of a GSIP, I don’t want
for people to think that any implementation using Spring Security 2.0
will be accepted because
of the vote on the GSIP: a specific design will have to be provided
and voted separately.

Cheers
Andrea


On Mon, Oct 25, 2010 at 1:01 PM, Alessio Fabiani
<alessio.fabiani@anonymised.com> wrote:

Agree with upgrade to Spring Security ... should be quite straightforward, I
already made it locally :P ... just a thought we of course must reside on
Spring Security 2.0 since GeoServer depends on spring 2.5.5 ... what about
upgrading to spring and spring-security 3 instead?

That was discussed a bit before, I think the agreement was that
GeoServer 2.1 beta is a bit too late in
the game for a Spring upgrade now

Cheers
Andrea


I also would like to use Spring 3.0 but I am not a Spring expert. As a consequence I could not bear the risk. There is a migration guide

http://static.springsource.org/spring/docs/upgrade/spring3/html/

I think this is definitively a job for a developer having Spring skills.


Hi Andrea, thanks for the long answer.

1) Chris wanted me to create an additional GSIP for Spring Security, originally I had GSIP 54 included in GSIP 53.

2) If you like I could add some sentences regarding Acegi Security.

3) The primary focus is pluggable authentication. Authorization is a later challenge.

4) The plan is to integrate Spring Security 2.0 and have authentication/authorization as it is. I only want to have Spring Security 2.0 in the trunk. After this has happened, I plan to make a public deployment of geoserver (like my build farm) to demonstrate progress to all developers. This is the point in time to dig deeper into the material and think about the concrete design. But as a prerequisite I need Spring Security on trunk, otherwise design ideas are more theoretical, no possibility to check something out.


On Mon, Oct 25, 2010 at 2:47 PM, <christian.mueller@anonymised.com> wrote:

Hi Andrea, thanks for the long answer.

1) Chris wanted me to create an additional GSIP for Spring Security,
originally I had GSIP 54 included in GSIP 53.

2) If you like I could add some sentences regarding Acegi Security.

3) The primary focus is pluggable authentication. Authorization is a later
challenge.

4) The plan is to integrate Spring Security 2.0 and have
authentication/authorization as it is. I only want to have Spring Security
2.0 in the trunk. After this has happened, I plan to make a public
deployment of geoserver (like my build farm) to demonstrate progress to all
developers. This is the point in time to dig deeper into the material and
think about the concrete design. But as a prerequisite I need Spring
Security on trunk, otherwise design ideas are more theoretical, no
possibility to check something out.

Perfect. I'm +1 on the proposal and I look forward to the
future evolutions

Cheers
Andrea


Hi Alessio, you wrote that you already integrated spring security 2.0 locally at your site.

Can you spend me a patch?

Cheers
Christian
