Matt Raible is a writer with a passion for software. Connect with him on LinkedIn.


Using JAAS and making it switchable

Erik Hatcher has convinced me that I need to give more coverage to JAAS in my chapter on Security. To quote his comment from yesterday's JAAS post:

I think you are underestimating the value of JAAS a fair bit. Suppose you want to authenticate your users against a database table of users/passwords. Without JAAS this is container-specific (sure it works nice in Tomcat, but would you be able to do FORM authentication in WebSphere easily?). We use JAAS in the big application I'm developing and it gives us the freedom to more easily port our application to other containers. What if your application needed to authenticate users (suppose for a portal, not that far fetched, eh?) where each "portlet" had a different authentication scheme: LDAP, Windows NT, database, etc. JAAS is the way to go.

While I can see Erik's point, I think that if the app servers follow the Servlet spec, implementing form-based authentication on any J2EE-compliant server should be easy. After all, Tomcat is the Reference Implementation. At the same time, the bit about the portlets is a whole other can of worms - I can see what he's getting at, and I guess I need to figure out an easy way to demonstrate using JAAS. From what I understand, you do have to call the authenticate() in a servlet or filter. Hopefully, I can use a little Ant/XDoclet magic to create a sample that can switch b/w form-based, container-managed authentication and JAAS. Tell me what you think of this idea:

  • Use Ant and a task that runs if ${enable.jaas} is true
  • This task (i.e. jaas) will add a JAAS policy file to the webapp, maybe in the WEB-INF/classes directory so it's in the classpath
  • The jaas task will do some token replacement in login.jsp to change the form's action from j_security_check to something else. Ideally, I wouldn't have to do this.
  • The webdoclet task will not merge the web-security.xml file into web.xml
  • The ActionFilter, which I currently use to retrieve the user's information, will call the authenticate method and route appropriately if JAAS is enabled.

One thing I really like about form-based authentication (besides the ease of setup and no required programming) is that it allows users to bookmark pages in your app. When they select that bookmark again after logging out, they are prompted for a login and routed to the bookmark upon successful authentication. I hope JAAS can do this too.

Posted in General at Dec 05 2002, 04:22:22 AM MST 5 Comments

Day 2 of Writing: Security Chapter

I need a good article or book to quote regarding HTTPS versus HTTP performance. I know that HTTPS is slower than HTTP, but I'd like some hard numbers if any of you fellas know of any. Today's been interesting, I feel like I've been writing all day, but I've only managed to get about 3-4 pages done. Damn...

The frustrating part is that I have to qualify everything and remember back to when I first started messing with security in web applications, when I first configured SSL in Tomcat, when I first tried to get form-based authentication on iPlanet (what a CF that was)! I'm hoping the audience for this book is fairly J2EE-fluent, but I feel that there are probably going to be a fair amount of newbies as well. It'd be interesting to write a book for the java.bloggers community. I could skip half the fluff and get right to the stuff - the actual code!

Oh well, tomorrow should be better, I'll be adding/verifying code examples, and divulging all the cool tricks I've learned over the years. I've been doing all this authoring on OS X, and I have to say it's been an enjoyable experience. iTunes cranked, a set of nice Sony (MDR-V600) headphones and enough caffeine (not to mention deadline-adrenaline) to stunt Abbie's growth.

Posted in The Web at Dec 04 2002, 01:29:08 PM MST Add a Comment

JAAS vs. Container-Managed Security

I'm digging into JAAS this afternoon as I enjoy the vacancy of the Winter Break at DU's Penrose Library. Man, what a great school - I used to love it when we'd get off 6 weeks for Christmas Break - from Thanksgiving through January - how sweet is that!?

The reason I'm writing on this cold (32°F) afternoon is to get some thoughts on JAAS in web applications. I'm giving it about a paragraph of coverage, explaining that it's mainly for declaring authentication and authorization in policy files. Furthermore, it's only invoked when running your application (or Tomcat) with a security manager. However, it's not really needed in web applications because 1) container-managed/web.xml is good enough, and 2) authentication mechanisms never really need to be that fine-grained. Whaddya think? Am I wrong, does it deserve more coverage? Don't most app servers use JAAS under the covers?

Posted in General at Dec 04 2002, 10:19:06 AM MST 8 Comments

Symlinking now works in Tomcat 4.1.16!

The Tomcat developers turned off the ability to create symbolic links (symlinks) in 4.1.x. This really threw a wrench in my ability to upgrade as I use symlinks to point to resources outside my webapp all the time. I don't do it for jars, but for common image or documentation directories. In Tomcat 4.1.12 (the latest release), you were supposed to be able to turn symlinks back on by adding the following to your app's context:

<Resources
  className="org.apache.naming.resources.FileDirContext"
  allowLinking="true" caseSensitive="false" />

The bad news? This didn't work! I'm happy to report that with the latest 4.1.16 beta, this does work! So, for instance, if you want to turn on symlinks in the ROOT context, add the following to your server.xml:

<Context path="" docBase="ROOT" debug="0">
  <Resources
    className="org.apache.naming.resources.FileDirContext"
    allowLinking="true" caseSensitive="false" />
</Context>
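
With allowLinking="true", Tomcat serves whatever a symlink inside the docBase points to, including files outside the webapp, so it is worth listing exactly which links leave the directory. The script below is an added example, not part of the original post; the function name links_outside_docbase is hypothetical, and it assumes a readlink that supports -f.

```shell
#!/bin/sh
# Added example (not from the original post): audit a webapp docBase for
# symlinks that Tomcat would follow out of the directory once
# allowLinking="true" is set. Assumes a readlink that supports -f.

# Usage: links_outside_docbase /path/to/webapps/ROOT
# Prints "link -> target" for every symlink whose resolved target lies
# outside the docBase, and "link -> (unresolved)" for dangling or looping
# links. The body runs in a subshell so its variables do not leak.
links_outside_docbase() (
  docbase=$(readlink -f -- "$1") || exit 2
  [ -d "$docbase" ] || exit 2
  # find does not follow symlinks by default, so each link is reported
  # once and linked directories are not descended into.
  find "$docbase" -type l -exec sh -c '
    docbase=$1; shift
    for link in "$@"; do
      target=$(readlink -f -- "$link" 2>/dev/null) || target=
      if [ -z "$target" ] || [ ! -e "$target" ]; then
        printf "%s -> (unresolved)\n" "$link"
        continue
      fi
      case "$target" in
        "$docbase"|"$docbase"/*) ;;                  # stays inside docBase
        *) printf "%s -> %s\n" "$link" "$target" ;;  # leaves docBase
      esac
    done
  ' sh "$docbase" {} +
)
```

Tomcat's own documentation warns against setting allowLinking to true on Windows or any other case-insensitive filesystem, because doing so disables the case-sensitivity checks that protect against JSP source disclosure.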

Posted in General at Dec 04 2002, 09:10:54 AM MST 2 Comments

Best OSS License?

I've gotten approval from Wrox to use struts-xdoclet as my sample app for my chapters on Security and Struts. I've also received committer rights from Ted Husted on the Struts project at SourceForge. I haven't checked anything in yet, because I still don't have a good name. While I think struts-xdoclet is a good descriptive name, it doesn't have the pizzazz I'm looking for. So the naming discussion continues. I'm thinking of actually leaving "Struts" out of the name as it seems to make other names more difficult when combined. I like the idea of kindling, which we use to start fires at the cabin, but I don't know if that makes a good app name.

Back to the point of this post, what are your recommendations for a good open source license? I don't really care how people use struts-xdoclet, so do I even need to license it? What happens if I don't include a license?

Posted in Java at Dec 04 2002, 08:29:12 AM MST 5 Comments

Struts WML Tag Library

A Struts WML Tag Library has been posted to the struts-dev mailing list. It's a "pre-release", which means the project is probably not stable, but I'm guessing the technology and tags are.

Struts-wml taglib, 'raw prerelease' is available here:

http://sourceforge.net/projects/struts-wml/

Here's the release notes:

This is a fully functional 'prerelease' which includes source code, sample application, documentation, binary and libraries. It's still somewhat unpolished (therefore raw prerelease). If you're willing to hack around with it a little bit, you're welcome to download it. Please don't forget to contribute your changes back to the project! [Full Post]

Now it's your responsibility to get a WML project that you can implement this on!

Posted in Java at Dec 04 2002, 01:14:42 AM MST 1 Comment

News Nuggets from Today

We skied this run! The skiing was great at Vail today! I might not be able to walk tomorrow, but so goes the first day of the season.

There was all kinds of good info from the java.blogs community, and so I re-emphasize, for the heck of it. My favorites (thanks Erik and Dave):

Posted in General at Dec 03 2002, 03:59:45 PM MST 1 Comment

Change Tomcat's Timezone

Did you know that you can change Tomcat's timezone? I didn't, but I learned how to today from Dave. Just create an environment variable, CATALINA_OPTS and add a value similar to the following:

CATALINA_OPTS=-Duser.timezone=America/Denver

BTW, the values in CATALINA_OPTS should be separated by spaces. Here is a list of possible timezones.

Posted in Roller at Dec 02 2002, 05:21:24 PM MST 3 Comments

Day 1 of Writing

I spent most of the day today in the library, pounding away on my keyboard trying to get a good start on my first chapter, Security in Web Applications. I put together suggested outlines for my two chapters over the weekend, and I'm posting them here for your review. I tried to convert them to PDF, but then decided to leave them as Word documents so you can 1) see the outline view, and 2) comment in-line if you'd like. I'll also post the PDF version (thanks to FastPDF).

It was difficult getting started today, but once I got moving, I found that the words just kinda flowed out and it was rather enjoyable. The bad news is that I have until Friday to complete some 40-odd pages and I'm going skiing tomorrow with Julie's uncle, Chris Voda. Actually, the skiing is the good part, it'll clear my head and get me ready to write like a coder in the zone.

Posted in Java at Dec 02 2002, 05:12:29 PM MST 4 Comments

Phoenix gets faster

Brett hooked me up with this:

Make Phoenix Even Faster. Gleaned from the Phoenix forum again, comes this tip from mfk: Adding the line: user_pref("nglayout.initialpaint.delay", 0); to your user.js file makes Phoenix render pages very fast. Try it out. It's kinda eerie seeing Mozilla go this fast. laszlo provides the explanation of why in this post: Gecko normally delays the... [Blogzilla - a blog about Mozilla]

On my system, it's named prefs.js and it's located in

{user.home}\Application Data\Phoenix\Profiles\{user.name}\{random-text}.slt\.

Now Phoenix is faster to open than IE on my XP box!

Posted in The Web at Dec 02 2002, 07:47:08 AM MST 1 Comment