For testing environments, it is sometimes desirable to disable all security restrictions. A symbol could be introduced to control whether security is enabled (defaulting to true of course).

Class: SecurityFilterChainHubImpl
method: commitModifications

the updated chain ignore possible pattern matcher RegExPatternMatcher and re-builded with
AntPathMatcher.

Reason: the createChain method use the defaultPatternMatcher

if (chain.getPath().equalsIgnoreCase(updateChainConfig.path)) {
  chainsToRemove.add(chain);
  insertChains.add(factory.createChain(updateChainConfig.path).add(updateChainConfig.filter, updateChainConfig.config).build());
}

see pull request #50

Also see if there are any other built-in asset urls that in general should be available to all (i.e. configuration.add(factory.createChain("/modules/**").add(factory.anon()).build());).

From http://jira.codehaus.org/browse/TYNAMO-234.

I have a component that creates an XHR with request parameters when clicking on a link.
When the session times out before the link is clicked, the request is saved and I'm asked to log in again. When I'm redirected to the saved URL, I get an Exception about the missing parameter.
Of course, we could save the request parameters and restore them too, but I think we need a more fine-grained control for the request save and restore mechanism. I think, I'd like to redirect to the base page in case of an XHR and also for event links. (e.g. http://host/ctx/page:event -> http://host/ctx/page).
I suggest creating a chain that can be contributed to and that LoginContextService uses to extract the redirect-after-login URL from the active request. The terminator would just return the original URL and query parameters.
Then, for my use case, I could just contribute two links to the chain, one that checks for the XHR header and one that checks for event link URLs and return the base URL in both cases.

Class: SecurityComponentRequestFilter
Method: checkInternal

private void checkInternal(String logicalPageName) {
String pageClassName = resolver.resolvePageNameToClassName(logicalPageName);
if (!(pageClassName.equals(loginClassName) ||
  pageClassName.equals(unauthorizedClassName))) {
			
  String className = resolver.resolvePageNameToClassName(logicalPageName);
			
  List<SecurityInterceptor> interceptors = classInterceptorsCache.get(className);
			
  if (interceptors != null) {
    for (SecurityInterceptor interceptor : interceptors) {
      interceptor.intercept();
    }
  }
}
}

see pull request #50

Perhaps we could use SymbolConstants.HMAC_PASSPHRASE as a default even if cipher key is not explicitly set.

While upgrading from Tapestry 5.3 to 5.4, I updated Tynamo's Tapestry Security to version 0.6.2, but when running I received:

org.apache.shiro.subject.ExecutionException: java.lang.NoClassDefFoundError: org/apache/commons/io/IOUtils
    at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:385)
    at org.tynamo.security.services.impl.SecurityConfiguration.service(SecurityConfiguration.java:54)

Adding the following to my pom.xml fixed the issue:

<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.4</version>
</dependency>

Does Tynamo's Tapestry Security have a missing dependency?

Thanks!

See #32

In Tapestry-security version 0.6.6, the pom.xml specifies a "compile" dependency on testng:

		<dependency>
			<groupId>org.testng</groupId>
			<artifactId>testng</artifactId>
			<scope>compile</scope>
		</dependency>

As a consequence the testng JAR ends up in war files where it isn't wanted. Shouldn't that be <scope>test</scope> instead?

As a work-around, users can exclude it in their own pom.xml files, like this:

        <dependency>
            <groupId>org.tynamo</groupId>
            <artifactId>tapestry-security</artifactId>
            <version>0.6.6</version>
            <exclusions>
                <exclusion>
                    <!-- tapestry-security has erroneous compile-time dependency on testng -->
                    <groupId>org.testng</groupId>
                    <artifactId>testng</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

but that shouldn't be necessary.

Hi Kalle, I'm using a couple older versions of Tapestry, 5.4.3 and an older 5.3 that can't be upgraded. In my 5.4.3 I'm using Tapestry-Security 0.6.6 and need to integrate with Okta using SAML with SSO. Any thoughts on how I might be able to achieve this?

It is possible to configure a default success URL via SecuritySymbols.SUCCESS_URL

I would like add a new optional parameter to security.loginForm to being able to redirect to different page than the one configured via SecuritySymbols.SUCCESS_URL.

The rationale behind that I would like to redirect to different pages depending where the user has come from.

How do you feel guys feel about this? Would you merge this feature to tapestry-security if I fork it?

Using the SimplePrincipalSerializer as discussed at http://markmail.org/message/lgklwoze65h5fbsj.

When a session times out and a user submits a form where there are query parameters in the URL, those query parameters are never added to the shiroSavedRequest cookie. When the user logs back in, they are unable to be redirected back to their original page.

I'm guessing it's because the query parameters aren't being added to the context
https://github.com/tynamo/tapestry-security/blob/master/src/main/java/org/tynamo/security/internal/services/impl/LoginContextServiceImpl.java#L170

https://github.com/tynamo/tapestry-security/blob/master/src/main/java/org/tynamo/security/internal/services/impl/LoginContextServiceImpl.java#L126

If I leave a page open (annotated with '''@RequiresUser''') with a form on it and submit the form after session timed out then I get redirected to the login page.
On successful login the form submission is attempted again, but it fails with the following error: Forms require that the request method be POST and that the t:formdata query parameter have values.

Is this possible? Let me explain:

Let's say I got a page A and a page B, which are unrelated in terms of content and have different layouts (including header, footer etc), and also have their own login "visuals".

A.java has @RequiresRoles(SomeConstants.USER_ROLE_A)
B.java has @RequiresRoles(SomeConstants.USER_ROLE_B)

A should have loginA.tml and B should have loginB.tml for authentication.

We can do this : configuration.add(SecuritySymbols.LOGIN_URL, "/loginA");

So this means, whenever a user needs to be authenticated, redirect will happen through the /loginA page, but I would want to have a user on page B to be authenticated through /loginB in order to maintain the same layout.

Is it possible to have a role based redirect? (Maybe through an intermediate page which intercepts the role?)

Edit: I'm not talking about what happens after the login, I saw this implemented in the testapp:

package org.tynamo.security.testapp.pages;

import org.apache.tapestry5.annotations.PageActivationContext;
import org.apache.tapestry5.annotations.Property;
import org.tynamo.security.pages.Login;

public class LoginWithContext extends Login {
    @PageActivationContext
    @Property
    private String successURL;

}

If I check "remember me", upon login I get

org.apache.shiro.crypto.CryptoException: Unable to init cipher instance.
    at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:495)
    at org.apache.shiro.crypto.JcaCipherService.initNewCipher(JcaCipherService.java:598)
    at org.apache.shiro.crypto.JcaCipherService.crypt(JcaCipherService.java:444)
    at org.apache.shiro.crypto.JcaCipherService.encrypt(JcaCipherService.java:324)
    at org.apache.shiro.crypto.JcaCipherService.encrypt(JcaCipherService.java:313)
    at org.apache.shiro.mgt.AbstractRememberMeManager.encrypt(AbstractRememberMeManager.java:463)
    at org.apache.shiro.mgt.AbstractRememberMeManager.convertPrincipalsToBytes(AbstractRememberMeManager.java:352)
    at org.apache.shiro.mgt.AbstractRememberMeManager.rememberIdentity(AbstractRememberMeManager.java:336)
    at org.apache.shiro.mgt.AbstractRememberMeManager.rememberIdentity(AbstractRememberMeManager.java:311)
    at org.apache.shiro.mgt.AbstractRememberMeManager.onSuccessfulLogin(AbstractRememberMeManager.java:287)
    at $RememberMeManager_b697f32e0c8.onSuccessfulLogin(Unknown Source)
    at org.apache.shiro.mgt.DefaultSecurityManager.rememberMeSuccessfulLogin(DefaultSecurityManager.java:206)
    at org.apache.shiro.mgt.DefaultSecurityManager.onSuccessfulLogin(DefaultSecurityManager.java:291)
    at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:285)
    at $WebSecurityManager_b697f32e0bb.login(Unknown Source)
    at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
    at org.tynamo.security.components.LoginForm.attemptToLogin(LoginForm.java:122)
[snip]
Caused by: java.security.InvalidKeyException: Invalid AES key length: 93 bytes
    at com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:87)
    at com.sun.crypto.provider.CipherBlockChaining.init(CipherBlockChaining.java:91)
    at com.sun.crypto.provider.CipherCore.init(CipherCore.java:582)
    at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:339)
    at javax.crypto.Cipher.implInit(Cipher.java:806)
    at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
    at javax.crypto.Cipher.init(Cipher.java:1396)
    at javax.crypto.Cipher.init(Cipher.java:1327)
    at org.apache.shiro.crypto.JcaCipherService.init(JcaCipherService.java:488)
    ... 135 common frames omitted

The remember me functionality does not work, I'm logged out when my session expires.

The validation messages for the login form currently read "You must provide a value for Tynamo Login." and "You must provide a value for Tynamo Password.". Those are the default messages generated by Tapestry. The average user will not know what a "tynamo" is, so that's a little bit confusing.
Either the messages should be adapted or - if you want to leverage Tapestry's shipped validation (and internationalized) messages - the component ids should be changed to not include "tynamo".

I Used tapestry-kaptcha in login form, whether i enter the right kaptcha character, the form records error “Enter the text displayed in the image.”. Is there some session issue tapestry-security with tapestry-kaptcha?

As described in the comments for #7.

Should have been removed already in 0.6.0 - I think fine to remove for 0.6.1 while T5.4 is still in beta.

I know it's supposed to be Apache-licensed, but there's no license file in the repository. Could you please include one? Thanks in advance.

Apparently there are cases where services may get the original request using the shadow if they refer to it early enough during. Store the wrapper into request globals to prevent services using different versions of the HttpServletRequest.

We should allow using either contextpath-less or absolute requests. Currently the behavior is undefined. We should add the context only if paths are contributed without the leading slash. As part of this issue remove the deprecated operations in LoginContextService.

I'm trying to use this library with Tap 5.8, but it for some odd reason when I grab either 0.8.0 or 0.9.0 they both pull in tap core 5.5, tap ioc 5.5 and shiro 1.0.3 ultimately causing Caused by: java.lang.ClassNotFoundException: org.apache.tapestry5.ioc.MappedConfiguration.

In org.tynamo.security.SecuritySymbols, the variable name is spelt incorrectly. There should be no "R" in "KEY".

public static final String REMEMBERME_CIPHERKERY = "security.remembermecipherkey";

You could also consider adding underscores between each word so it becomes REMEMBER_ME_CIPHER_KEY. You probably need to deprecate existing constant and add new one with correct spelling to prevent breaking existing code.

These are currently hardcoded. SecurityModule#defaultSecurity should be:

@Contribute(HttpServletRequestFilter.class)
@Security
public static void defaultSecurity(
			OrderedConfiguration<SecurityFilterChain> configuration,
			SecurityFilterChainFactory factory,
			@Symbol(SymbolConstants.MODULE_PATH_PREFIX) String modulesPathPrefix,
			@Symbol(SymbolConstants.ASSET_PATH_PREFIX) String assetPathPrefix
) {
	configuration.add("ModulesCompressed", factory.createChain("/" + modulesPathPrefix + ".gz/**").add(factory.anon()).build());
	configuration.add("Modules", factory.createChain("/" + modulesPathPrefix + "/**").add(factory.anon()).build());
	configuration.add("Assets", factory.createChain("/" + assetPathPrefix + "/**").add(factory.anon()).build());
}

As of Tapestry 5.4, handling redirects to login screen for XMLHttpRequests has changed from { redirectURL: "..." } to { _tapestry: { redirectURL: "..." } }.
Unfortunately, there's a but in org.tynamo.security.shiro.AccessControlFilter.redirectToLogin when constructing the response - the version check is invalid, it does not foresee Tapestry versions newer than 5.4.x. Hence, when using tapestry-security 0.7.x or 0.8.0 with Tapestry 5.5, it returns the response in the older format.

It should (probably) be using some semver library to check the Tapestry version compatibility, or an alternate solution.

The CAS support in this library is based on a library that Shiro has deprecated. They say go use buji-pac4j. So I'm trying to figure that out. I saw a different issue that was closed pointing someone with a SAML request at federated accounts, so I'm going to look at that path.

Not sure where or if you CAS support updated somewhere in the pair of projects or not. Once I get it figured out, I'll be happy to provide pull requests at the right location, or post independently as an example if CAS support is removed altogether from the two projects.

Currently, "${" + SymbolConstants.START_PAGE_NAME + "}", i.e. the url to redirect to after successful login, defaults to "/index". "${" + SymbolConstants.START_PAGE_NAME + "}" would be a better default.

It would be nice if you could write <t:if test="permission:users.edit">... or <t:userdisplay canEdit="permission:users.edit" ....

Not a bug, a feature request :-)

Jens