This topic is closed
  • Spring Security 2.0 and captcha

    Hello,

    I am developing a web application that needs to be secured with CAPTCHA. Additionally, I am using Spring Security 2.0.0. I have found that Acegi had support for captcha, but Spring Security seems to not have it any more.

    Additionally, I have found on Spring's Jira that the captcha module has been moved to the sandbox (SEC-737, and a comment on SEC-141).

    So I would like to ask if (and when) this module will be released.
    If it won't, then what are you proposing to do to secure my application with captcha?

    I will be very thankful if anybody can give me some advice.

  • #2
    The code in the sandbox is the same code that was available before, so you can build the module and make use of it as you see fit. The person who contributed the code was no longer maintaining it and we felt the quality could suffer as a result, hence the decision to move it to the sandbox.

    • #3
      Thanks Luke for your answer.

      I have built this module from sources and used it in my application with success. Thanks again.

      However I have another question - this time about Spring Security core.

      I have to use the CaptchaSecurityContextImpl class as contextClass in HttpSessionContextIntegrationFilter. Is there any possibility to overwrite this property in the predefined HttpSessionContextIntegrationFilter and move this filter to the beginning of the filter chain? At this moment I am creating a new HttpSessionContextIntegrationFilter and placing it at the very beginning of the filter chain (position FIRST). But later there is still the predefined HttpSessionContextIntegrationFilter present in the filter chain (which doubles functionality).

      In other words I want to create filter chain which looks like this:
      1. HttpSessionContextIntegrationFilter (with captcha contextClass implementation)
      2. CaptchaValidationProcessingFilter
      3. ChannelProcessingFilter
      4. SessionFixationProtectionFilter
      5. ...and so on

      How can I achieve this?

      • #4
        There's no option for using a custom security context with the namespace or for replacing HttpSessionContextIntegrationFilter, so it would have to use traditional beans.

        • #5
          Are there any plans to provide some new tags in the security namespace to enable similar modifications in the future?
          I think this might be a useful feature in general.

          • #6
            No plans, no. Using a custom security context implementation is quite a rare requirement.

            • #7
              Ok, I understand.
              Thank you for your support. You were very helpful.

              • #8
                Calvo, were you able to get the sandbox components working?

                I have set up a traditional bean as Luke suggested, however I get the following error using the subsequent config:
                Code:
                java.lang.ClassCastException: org.springframework.security.context.SecurityContextImpl cannot be cast to org.springframework.security.captcha.CaptchaSecurityContext
                    at org.springframework.security.captcha.CaptchaChannelProcessorTemplate.decide(CaptchaChannelProcessorTemplate.java:87)
                    at org.springframework.security.securechannel.ChannelDecisionManagerImpl.decide(ChannelDecisionManagerImpl.java:85)
                    at org.springframework.security.securechannel.ChannelProcessingFilter.doFilterHttp(ChannelProcessingFilter.java:109)
                    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
                Code:
                    <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
                        <security:custom-filter position="SESSION_CONTEXT_INTEGRATION_FILTER"/>
                        <property name="contextClass"><value>org.springframework.security.captcha.CaptchaSecurityContextImpl</value></property>
                    </bean>
                I looked at the code here:
                http://acegisecurity.svn.sourceforge...25&view=markup
                and it seems that the cast should work.

                Any input would be appreciated.

                Thanks,
                Julian

                • #9
                  Hi julian.

                  Yes, I was.
                  I think that some HttpSessionContextIntegrationFilter is present in your filter chain before this manually defined one, and it creates an instance of the predefined Context.
                  You can preview your filter chain in the logs.

                  Maybe because you use security namespace tags, the predefined chain is used as well.


                  I have used this configuration to make it work:
                  Code:
                    <bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
                      <property name="contextClass" value="org.springframework.security.captcha.CaptchaSecurityContextImpl"/>
                      <sec:custom-filter position="FIRST"/>
                    </bean>
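
Added example, not part of the thread and not Spring Security code: a simplified Java model of the ordering effect described in post #9, where the context filter that runs first decides the context type that the captcha check later casts. All classes and the `ctx` request key are constructed stand-ins, and the model assumes a context filter installs a context only when the request does not have one yet.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-ins for illustration; none of these are Spring Security classes.
public class ContextOrderDemo {
    interface SecurityContext {}
    static class DefaultContext implements SecurityContext {}
    static class CaptchaContext implements SecurityContext {}

    interface Filter { void apply(Map<String, Object> request) throws Exception; }

    // Models a context-integration filter. Assumption of this model: it installs a
    // context of its configured class only if the request does not have one yet.
    static Filter contextFilter(Class<? extends SecurityContext> contextClass) {
        return request -> {
            if (!request.containsKey("ctx")) {
                request.put("ctx", contextClass.getDeclaredConstructor().newInstance());
            }
        };
    }

    // Models the downstream captcha check, which casts without testing the type first.
    static final Filter CAPTCHA_CHECK = request -> {
        CaptchaContext ctx = (CaptchaContext) request.get("ctx");
        request.put("captchaContextSeen", ctx != null);
    };

    // Runs the filters in order and reports what the captcha check ended up with.
    static String run(Filter... chain) {
        Map<String, Object> request = new HashMap<>();
        try {
            for (Filter f : chain) f.apply(request);
            return "ok, context is " + request.get("ctx").getClass().getSimpleName();
        } catch (ClassCastException e) {
            return "ClassCastException, context is " + request.get("ctx").getClass().getSimpleName();
        } catch (Exception e) {
            return "unexpected: " + e;
        }
    }

    public static void main(String[] args) {
        Filter predefined = contextFilter(DefaultContext.class);
        Filter custom = contextFilter(CaptchaContext.class);
        // Predefined filter first: the custom one finds a context and does nothing.
        System.out.println(run(predefined, custom, CAPTCHA_CHECK));
        // Custom filter at the front, as with position="FIRST" in post #9.
        System.out.println(run(custom, predefined, CAPTCHA_CHECK));
    }
}
```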

                  • #10
                    Thanks, this appears to solve my initial issues. Thanks again.

                    • #11
                      Luke, I would be happy to maintain it. I've contributed some work to Ben already.

                      Thanks,
                      Jon

                      • #12
                        Please see http://jira.springframework.org/browse/SEC-737 for comments.
