Matt Raible is a writer with a passion for software.


The headache that won't end

I've had a headache ever since I had the stomach flu last week. It's pretty bad in the mornings - almost a migraine/throbbing type of headache. Of course, it could be due to stress from writing these chapters, or from staring at the computer screen too long. BUT, Julie's mom, who also got sick, has been experiencing the same never-ending headache. I can't help but wonder if this is something related to the war on terrorism - did I catch some type of virus that is going to kill me in a month?! Julie thinks I'm full of it - she doesn't have a headache. I wonder if I should go to the doctor or just quit staring at this damn screen.

Posted in General at Dec 09 2002, 05:18:53 AM MST

J2EE 1.4 as Open Source!

Erik gave me the link to this article from The Register. This sounds like big news to me.

Marc Fleury, Atlanta-based JBoss' founder, told ComputerWire yesterday the company has finished its implementation of Java 2 Enterprise Edition (J2EE) version 1.4. J2EE 1.4 is due for official publication by the Java Community Process (JCP) in the first quarter of 2003.

Fleury said JBoss would now seek standards certification for its implementation. JBoss stands to become the first open source group to deliver a version of J2EE 1.4 under the revised JCP.

JBoss received the green light last week, after Sun told ComputerWire that it would allow all of the APIs contained in J2EE 1.4 to be open sourced. Fleury had expressed concern that certain critical APIs, including Enterprise Java Beans (EJB) 2.1, would not be made available to open source organizations.

That reminds me that Marc Fleury will be speaking at the next Denver JUG meeting. That's Wednesday of this week. The Basic Concepts preso is covering Ant. I could probably skip this as these are usually pretty basic, but I'm expecting the place to be packed so I'd better get there early. Now I just have to see if I can get a few friends to buck up and go. I know a fair amount of developers that don't use Ant - how bad would that suck?!

Posted in General at Dec 09 2002, 04:01:59 AM MST

Form-based auth - getting the original URL

Lance suggested a while back that I try Roller's BreadCrumbFilter to get the originally requested URL for form-based authentication. The idea is that if you can get this URL, you can use it to log in again on your form-login-error page. So I added BreadCrumbFilter.java to my security project and mapped it to /*. The value I'm hoping to grab is a URL to welcome.do, since that is where I route users when they hit the welcome page. I found that this filter never gives me welcome.do, but that request.getHeader("referer"); gives it to me just fine - but only in IE. Yeck. I guess Craig was right when he said that you can't reliably get the original URL. I guess you can always just hard-code the action in your form-error-page to go to your main menu. That is, if your app server doesn't support the same page thing.

Posted in General at Dec 06 2002, 09:46:18 AM MST 3 Comments
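An added example, not code from this post or from Roller: whichever source supplies the "original URL" (the Referer header or a saved breadcrumb), the value is client-influenced, so it is checked before being used as a post-login redirect, with the hard-coded main menu as the fallback. `safeTarget`, the host `app.example.test`, the `/security` context path and `/security/mainMenu.do` are hypothetical; in a servlet the host and context path would come from `request.getServerName()` and `request.getContextPath()`.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class ReturnUrl {
    /**
     * Turns an untrusted "original URL" hint (Referer header or saved breadcrumb)
     * into a same-application path, or returns the fallback (e.g. the main menu).
     */
    static String safeTarget(String hint, String serverName, String contextPath, String fallback) {
        if (hint == null || hint.isEmpty()) return fallback;
        for (char c : hint.toCharArray()) {            // no control chars or backslashes
            if (c < 0x20 || c == 0x7f || c == '\\') return fallback;
        }
        URI uri;
        try {
            uri = new URI(hint).normalize();           // also resolves "/app/../x" to "/x"
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (uri.isOpaque()) return fallback;           // javascript:, mailto:, data: ...
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            String scheme = uri.getScheme();
            boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            if (!web || uri.getHost() == null || !uri.getHost().equalsIgnoreCase(serverName)) {
                return fallback;                       // absolute URL to another site
            }
        }
        String path = uri.getRawPath();
        if (path == null || path.startsWith("//") || !path.startsWith(contextPath + "/")
                || path.endsWith("/j_security_check")) {
            return fallback;                           // outside the app, or the login endpoint itself
        }
        return uri.getRawQuery() == null ? path : path + "?" + uri.getRawQuery();
    }

    public static void main(String[] args) {
        String[] hints = {                             // constructed sample values
            "http://app.example.test/security/welcome.do?x=1",
            "http://other.example.test/security/welcome.do",
            "//other.example.test/security/welcome.do",
            "/security/../admin/",
            "/security/j_security_check",
        };
        for (String h : hints) {
            System.out.println(h + " -> "
                + safeTarget(h, "app.example.test", "/security", "/security/mainMenu.do"));
        }
    }
}
```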

512MB CompactFlash Cards for $132

Gizmodo tells us about another sweet deal today.

Viking 512MB CompactFlash memory cards are now just $131.44 after rebate at Amazon. Remember when these used to cost hundreds and hundreds of dollars?

What a bargain! Why would you shop anywhere else when Amazon has all these sweet deals lately!? The best part is I'm actually in the market for a new CF card. Our Canon PowerShot G2 (which I highly recommend) came with a 32MB card, which holds about 26 photos or so. With a 512MB card, you could probably take ~400 photos - now that's a roll of film! We're hoping to get a Photo Printer soon (I've been looking at Canon's s900), then we'll never have to get our film developed again!

Posted in General at Dec 06 2002, 06:25:01 AM MST 2 Comments

Abbie is now 1 month old!

I posted some new pictures on our photo album site this evening. These are from the last couple of weeks when we've had a whole slew of family and friends drop in to see us. Our little girl is growing up rather quickly, and still cute as a button!

Baby Abbie

Posted in General at Dec 05 2002, 07:58:12 PM MST 1 Comment

East Coast Storms

Man, the East Coast is getting dumped on! You folks probably won't believe this, but I AM SO JEALOUS!! I love the snow, the more the better. But at the same time, growing up in Montana and living in Colorado for the last 10 years, my environment/state has always been prepared for it. The worst (or best, depending on how you look at them) storms I've ever been in are:

  • Montana 1989: -80 degrees (F) in Missoula when I was a freshman at Big Sky high school (my mom was completing her Masters in Forestry at UM and Kalin and I decided to experience big city life).
  • Denver, November 1992: 3 feet of snow in 8 hours when I was a freshman at DU. I stayed up all night studying for a final, and took the final at 9:00 a.m. that morning. The snow was blowing so hard that I had to walk back to my dorm backwards. When I got there I learned that the rest of Finals Week was cancelled. It was the first day and I only had to take 1 final! The City of Denver, including the Airport, was shut down for 3 days.

So sad as it may sound, I actually envy you guys.

Posted in General at Dec 05 2002, 04:48:48 PM MST

Using one JSP for form-based authentication

I'm writing about how to use the same login/error page with form-based authentication. Does anyone know which servlet containers this fails on? I guess it wouldn't hurt to know which ones it works on too. You can use this security.war (1.7MB) file to test. Since it's testing the failure page, you don't need to setup a user - but if you want, the role is tomcat. I know this works on Tomcat, so no need to test it.

Posted in General at Dec 05 2002, 10:27:20 AM MST 6 Comments

Bluetooth-enabled T68i for $25

Damn! My phone, the Sony-Ericsson, just got a whole lot cheaper (I paid $180). From Gizmodo:

Sony Ericsson's T68i cellphone, which has a color screen, Bluetooth, and uses GPRS for surfing the Web and sending emails, text messages, and multimedia messages, is just $24.99 with new service activation over at Amazon.

If you're in the market for a new phone, I highly recommend this one - even for the $180 I paid. It's nice to use iSync and have all my contacts synchronized with no wires. It's also great for checking my e-mail (IMAP or POP), and I can even use Yahoo Messenger on it! My favorite feature though is the ability to find the closest movie times or restaurants - I just have to tell it to auto-locate me. I think most of these features are mMode features though, not just for the phone.

Posted in General at Dec 05 2002, 06:30:45 AM MST

Using JAAS and making it switchable

Erik Hatcher has convinced me that I need to give more coverage to JAAS in my chapter on Security. To quote his comment from yesterday's JAAS post:

I think you are underestimating the value of JAAS a fair bit. Suppose you want to authenticate your users against a database table of users/passwords. Without JAAS this is container-specific (sure it works nice in Tomcat, but would you be able to do FORM authentication in WebSphere easily?). We use JAAS in the big application I'm developing and it gives us the freedom to more easily port our application to other containers. What if your application needed to authenticate users (suppose for a portal, not that far fetched, eh?) where each "portlet" had a different authentication scheme: LDAP, Windows NT, database, etc. JAAS is the way to go.

While I can see Erik's point, I think that if the app servers follow the Servlet spec, implementing form-based authentication on any J2EE-compliant server should be easy. After all, Tomcat is the Reference Implementation. At the same time, the bit about the portlets is a whole other can of worms - I can see what he's getting at, and I guess I need to figure out an easy way to demonstrate using JAAS. From what I understand, you do have to call the authenticate() in a servlet or filter. Hopefully, I can use a little Ant/XDoclet magic to create a sample that can switch b/w form-based, container-managed authentication and JAAS. Tell me what you think of this idea:

  • Use Ant and a task that runs if ${enable.jaas} is true
  • This task (i.e. jaas) will add a JAAS policy file to the webapp, maybe in the WEB-INF/classes directory so it's in the classpath
  • The jaas task will do some token replacement in login.jsp to change the form's action from j_security_check to something else. Ideally, I wouldn't have to do this.
  • The webdoclet task will not merge the web-security.xml file into web.xml
  • The ActionFilter, which I currently use to retrieve the user's information, will call the authenticate method and route appropriately if JAAS is enabled.

One thing I really like about form-based authentication (besides the ease of setup and no required programming) is that it allows users to bookmark pages in your app. When they select that bookmark again after logging out, they are prompted for a login and routed to the bookmark upon successful authentication. I hope JAAS can do this too.

Posted in General at Dec 05 2002, 04:22:22 AM MST 5 Comments

JAAS vs. Container-Managed Security

I'm digging into JAAS this afternoon as I enjoy the vacancy of the Winter Break at DU's Penrose Library. Man, what a great school - I used to love it when we'd get off 6 weeks for Christmas Break - from Thanksgiving through January - how sweet is that!?

The reason I'm writing on this cold (32°F) afternoon is to get some thoughts on JAAS in web applications. I'm giving it about a paragraph of coverage, explaining that it's mainly for declaring authentication and authorization in policy files. Furthermore, it's only invoked when running your application (or Tomcat) with a security manager. However, it's not really needed in web applications because 1) container-managed/web.xml is good enough, and 2) authentication mechanisms never really need to be that fine-grained. Whaddya think? Am I wrong, does it deserve more coverage? Don't most app servers use JAAS under the covers?

Posted in General at Dec 04 2002, 10:19:06 AM MST 8 Comments