Activating Authorization Success Event Publish Feature

Spring Security publishes various authentication and authorization events during its security checks. Spring managed beans which implement ApplicationListener interface or beans with methods annotated with @EventListener can consume those events within the application. One of those security related events is AuthorizedEvent which indicates that user request is allowed to access secure web resource. It is, […]

Adding New Permission Types to Spring Security ACL

Domain object level security is probably least used feature of Spring Security compared to url based and method level security features for enterprise Java web applications. However, when you have a security requirement something like “I want to restrict some operations which is allowed for some roles based on criteria that can be obtained from […]

Reusing Persistent Token Mechanism of Spring Security

Spring Security Framework exists in my enterprise application development tool suite for ages. Over years it has evolved a lot and become a much more reusable and extendable framework for various security needs. Recently, one of my clients came up with an interesting requirement. They are developing a mobile client for their enterprise web application, […]

Some Notes About Various Certificate Operations Using OpenSSL

Our system support group delivered a signed certificate to be used in Apache SSL configuration. Its extension was *.pfx, which meant its contents were in PKCS12 format, and was containing both certificate and its private key in it. I needed to convert it into PEM format and to separate certificate from its private key. The […]

Enabling SSL on Apache HTTP Server

After opening our JIRA to outside world via Apache HTTP Server, the next obvious thing was securing communication between users and the web server. Enabling SSL on Apache HTTP Server is really easy. The key ingredients of securing Apache are mod_ssl and OpenSSL. It is possible to download Apache distribution including mod_ssl and openssl runtime. […]

Acegi-JSF 1.1.3 is released

It was over one year ago that Çağatay developed some JSF components which correspond to Acegi JSP taglib. We were in the same project at that time, and were using Acegi Security Framework extensively. Later, our ways were separated and we focused on different tasks. Recently, I started work on a new project to enable […]

How to keep hackers informed about your users!?

Application developers usually tend to be as much specific as possible when providing information about unexpected errors occurred during runtime. For most of the time, this is a good approach to do so, but not for all use cases. User login scenario is among one of those exceptions. When a user provides insufficient/invalid credentials, or […]

My applet is signed, but I am still getting AccessControlExceptions!

We are currently developing a solution that integrates applets and web applications together. Our solution includes a mechanism to notify applets when a user switch from a web page to a page that contains applet. We provide this with invoking explicitly a method in applet via javascript when the page is loaded. You may here […]

Redirecting Users to Different Start Pages based on Their Roles

In our project there is a requirement such that some users may have to be redirected to different start pages based on roles assigned to them other than initially provided defaultTargetUrl. Actually there is a similar discussion in Spring Framework’s forum, suggesting a solution to this issue with extending AuthenticationProcessingFilter and overriding its successfulAuthentication(…) method […]

Delegating Websphere Portal Authentication to CAS via Trust Association Interceptor (TAI)

In our current enterprise project we have a single sign on requirement, and IBM portal is planned to be used as the main gateway in our system. Basically, we need to provide an authentication mechanism, through which users should only need to login to the portal, and then be able to access all of their […]