Main | Next day (Dec 6, 2002) »
20021205 Thursday December 05, 2002

Abbie is now 1 month old! I posted some new pictures on our photo album site this evening. These are from the last couple of weeks when we've had a whole slew of family and friends drop in to see us. Our little girl is growing up rather quickly, and still cute as a button!

Baby Abbie

Posted in General at Dec 05 2002, 07:58:12 PM MST 1 Comment

East Coast Storms this guy has the right idea Man, the East Coast is getting dumped on! You folks probably won't believe this, but I AM SO JEALOUS!! I love the snow, the more the better. But at the same time, growing up in Montana and living in Colorado for the last 10 years, my environment/state has always been prepared for it. The worst (or best storms, depending on how you look at them) storms I've ever been in are:

  • Montana 1989: -80 degrees (F) in Missoula when I was a freshman at Big Sky high school (my mom was completing her Masters in Forestry at UM and Kalin and I decided to experience big city life).
  • Denver, November 1992: 3 feet of snow in 8 hours when I was a freshman at DU. I stayed up all night studying for a final, and took the final at 9:00 a.m. that morning. The snow was blowing so hard that I had to walk back to my dorm backwards. When I got there I learned that the rest of Finals Week was cancelled. It was the first day and I only had to take 1 final! The City of Denver, including the Airport, was shut down for 3 days.

So sad as it may sound, I actually envy you guys. Posted in General at Dec 05 2002, 04:48:48 PM MST Add a Comment

Using one JSP for form-based authentication I'm writing about how to use the same login/error page with form-based authentication. Does anyone know which servlet containers this fails on? I guess it wouldn't hurt to know which ones it works on too. You can use this security.war (1.7MB) file to test. Since it's testing the failure page, you don't need to setup a user - but if you want, the role is tomcat. I know this works on Tomcat, so no need to test it. Posted in General at Dec 05 2002, 10:27:20 AM MST 6 Comments

Bluetooth-enabled T68i for $25 a sweet phone Damn! My phone, the Sony-Ericsson, just got a whole lot cheaper (I paid $180). From Gizmodo:

Sony Ericsson's T68i cellphone, which has a color screen, Bluetooth, and uses GPRS for surfing the Web and sending emails, text messages, and multimedia messages, is just $24.99 with new service activation over at Amazon.

If you're in the market for a new phone, I highly recommend this one - even for the $180 I paid. It's nice to use iSync and have all my contacts synchronized with no wires. It's also great for checking my e-mail (IMAP or POP), and I can even use Yahoo Messenger on it! My favorite feature though is the ability to find the closest movie times or restaurants - I just have to tell it to auto-locate me. I think most of these features are mMode features though, not just for the phone. Posted in General at Dec 05 2002, 06:30:45 AM MST Add a Comment

Using JAAS and making it switchable Erik Hatcher has convinced me that I need to give more coverage to JAAS in my chapter on Security. To quote his comment from yesterday's JAAS post:

I think you are underestimating the value of JAAS a fair bit. Suppose you want to authenticate your users against a database table of users/passwords. Without JAAS this is container-specific (sure it works nice in Tomcat, but would you be able to do FORM authentication in WebSphere easily?). We use JAAS in the big application I'm developing and it gives us the freedom to more easily port our application to other containers. What if your application needed to authenticate users (suppose for a portal, not that far fetched, eh?) where each "portlet" had a different authentication scheme: LDAP, Windows NT, database, etc. JAAS is the way to go.

While I can see Erik's point, I think that if the app servers follow the Servlet spec, implementing form-based authentication on any J2EE-compliant server should be easy. After all, Tomcat is the Reference Implementation. At the same time, the bit about the portles is a whole other can of worms - I can see what he's getting at, and I guess I need to figure out an easy way to demonstrate using JAAS. From what I understand, you do have to call the authenticate() in a servlet or filter. Hopefully, I can use a little Ant/XDoclet magic to create a sample that can switch b/w form-based, container-managed authentication and JAAS. Tell me what you think of this idea:

  • Use Ant and a task that runs if ${enable.jaas} is true
  • This task (i.e. jaas) will add a JAAS policy file to the webapp, maybe in the WEB-INF/classes directory so it's in the classpath
  • The jaas task will do some token replacement in login.jsp to change the form's action from j_security_check to something else. Ideally, I wouldn't have to do this.
  • The webdoclet task with not merge the web-security.xml file into web.xml
  • The ActionFilter, which I currently use to retrieve the user's information, will call the authenticate method and route appropriately if JAAS is enabled.

One thing I really like about form-based authentication (besides the ease of setup and no required programming) is that it allows users to bookmark pages in your app. When they select that bookmark again after logging out, they are prompted for a login and routed to the bookmark upon successful authentication. I hope JAAS can do this too. Posted in General at Dec 05 2002, 04:22:22 AM MST 5 Comments