Spring framework upgrade in 7.7.x?

Auke
Hello,

I see that in the 7.8.x branch the spring libraries are updated to 3.0.7.RELEASE (from 3.0.4.RELEASE AFAICT).

I want to / must upgrade the spring libraries in 7.7.x since we're using spring-security. There are some known vulnerabilities against spring 3.0.4: http://support.springsource.com/security/spring-framework

My question to the hippo developers is whether or not you encountered any issues while upgrading?

PS: I don't seem to be able to simply set <spring.version> to a relevant version in my pom, that's a pity...
Re: Spring framework upgrade in 7.7.x?

Laurens Leeuwis
We're having the same issues, so a +1 from our team!

________________________________________
From: [hidden email] [[hidden email]] on behalf of Auke [[hidden email]]
Sent: Thursday 7 March 2013 15:28
To: [hidden email]
Subject: [Hippo-cms7-user] Spring framework upgrade in 7.7.x?

Re: Spring framework upgrade in 7.7.x?

Adolfo Benedetti
In reply to this post by Auke
Hi Auke,

AFAIK the recent release of the hippo spring security plugin (v0.02.03) includes the update of Spring to 3.0.7.RELEASE, and if you look at the issue [2][3], just an upgrade in the pom will be required(?)
Cheers,

Adolfo


Re: Spring framework upgrade in 7.7.x?

Auke
As a matter of fact we're not using the hippo-spring-security plugin. As far as I understood that plugin uses spring-security to authenticate against the hippo repository.

We are authenticating against some webservice and there is no relation between the content in hippo and the logged in user. All content that is relevant for this user is retrieved via webservices and enriched with (general) content from the repository.

However I was browsing from some of the code of the plugin and I do find comments saying:

"..However, you can use any other authentication provider(s) if you don't need to authenticate users against Hippo Repository..."

I'm beginning to wonder what it brings me apart from that authenticationProvider?
Re: Spring framework upgrade in 7.7.x?

Woonsan Ko-3
Hi Auke,

It might be a good idea to add 'spring.framework.version' in the release
pom. Then it will be easier to upgrade.

The hst-spring-security forge project is basically to provide an
authentication feature on the hst web application side only, not on the
repository side. It allows you to establish a user subject in the web
application tier.
It probably contains an authentication provider component or reference
to the hst-security module, authenticating against the hippo repository by
default, but you may use any other authentication mechanism you can
implement easily with spring-security. That's why it exists.

Regards,

Woonsan


On 3/7/13 10:31 AM, Auke wrote:

> As a matter of fact we're not using the hippo-spring-security plugin. As far
> as I understood that plugin uses spring-security to authenticate against the
> hippo repository.
>
> We are authenticating against some webservice and there is no relation
> between the content in hippo and the logged in user. All content that is
> relevant for this user is retrieved via webservices and enriched with
> (general) content from the repository.
>
> However I was browsing from some of the code of the plugin and I do find
> comments saying:
>
> "..However, you can use any other authentication provider(s) if you don't
> need to authenticate users against Hippo Repository..."
>
> I'm beginning to wonder what it brings me apart from that
> authenticationProvider?
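
Added example, not part of the original thread and not Hippo's own pom: one way to pin Spring to 3.0.7.RELEASE from a project pom when the parent exposes no usable version property, and to fail the build if an older Spring jar still arrives transitively. The property name follows the suggestion in the thread; the module list and the enforcer plugin version are assumptions.

```xml
<!-- Fragment: these elements are children of <project> in your own pom.xml -->
<properties>
  <!-- Assumed property name, as suggested in the thread -->
  <spring.framework.version>3.0.7.RELEASE</spring.framework.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Assumed module list: pin every artifact reported by
         mvn dependency:tree -Dincludes=org.springframework -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
      <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>${spring.framework.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
      <version>${spring.framework.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<build><plugins><plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>1.4.1</version> <!-- assumed version -->
  <executions><execution>
    <goals><goal>enforce</goal></goals>
    <configuration><rules><bannedDependencies>
      <!-- Matches groupId org.springframework only; spring-security
           (org.springframework.security) is not affected by this rule -->
      <excludes><exclude>org.springframework:*:(,3.0.7.RELEASE)</exclude></excludes>
    </bannedDependencies></rules></configuration>
  </execution></executions>
</plugin></plugins></build>
```

Entries in a child pom's dependencyManagement take precedence over the parent's, including for transitive dependencies, so a module missing from the list shows up as an enforcer failure rather than silently staying on 3.0.4.RELEASE.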