Raible Designs

Form-Based Authentication

I posted the following message to the tomcat-user group yesterday:

On Tomcat 4/5, I am able to use the following configuration in my 
web.xml:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp?error=true</form-error-page>
  </form-login-config>
</login-config>

However, I know that there are app servers out there that do not support
this - the form-error-page MUST be a different JSP.  So I'm wondering,
is there a value I can grab in my login.jsp that tells me the URL of the
protected resource the user is trying to get to?

I tried <%=request.getRequestURL()%>, but that gives me .../login.jsp -
and I am expecting welcome.do.

I know iPlanet used to set a cookie and I could use that as described
here.

Thanks,

Matt

Craig McClanahan responded with the following answer - which was just the information I was looking for:

There is no portable mechanism to acquire the request URL that was originally requested, nor any guarantee that this is even possible. All you know is that the container has detected that a protected URL was requested, and that there was no currently authenticated user.

So the lesson learned is that if you want to make your webapp portable across different app servers, use two separate pages for the login and login-error pages.

Struts-XDoclet 0.1

I did a bunch of work today to get struts-xdoclet off the ground. Basically, all that exists write now is the generation of struts-config.xml and web.xml from xml files in a merge directory. There are no .java files in this project yet.

I'm posting this to you in hopes of getting some validation of the directory structure and Ant-based build/deploy process. The deploy task originally worked as Erik Hatcher suggests in his book, but whenever I tried to redeploy, it would give me errors when trying to remove a .jar file - so I resorted back to a simple copy to $CATALINA_HOME/webapps. The build.xml file I put together is based on what I found in struts-blank.war (for 1.1), roller's build process, my own experience and good ideas from the Ant book.

I've also configured form-based authentication and I plan to add a bunch of optional modules (i.e. SSLExt for SSL Switching, password encryption) to the mix.

I'm still searching for a sample-app idea for the persistence layer (i.e. authors and books). I'd like to do something that folks can use, so I'd definitely like to include an admin section for administering user's and their properties. Maybe even offer features such as registration (might be a bit difficult using tomcat-users.xml, but not so bad with JDBCRealm or an LDAP server), and password recovery.

You can download the first cut of this - which should build and allow you to login - at http://www.raibledesigns.com/struts/.

Next steps include the security modules I mentioned above, and generating validation.xml and persistence classes from a POJO. I'm still undecided on using Castor or Hibernate for the persistence layer. Dave (Johnson) seems to think Hibernate has some great stuff, and he's used Castor for a while, so that's probably the direction I'm leaning towards. It would be great do be able to do both.

Running Tomcat 5

I've gotten a little closer to using and running Tomcat 5. My last post on the subject pointed out an error I received about comments in XML (org.xml.sax.SAXParseException: The string "--" is not permitted within comments). Well, this turned out to be a Xerces issue and has already been reported. So, like a good little programmer, I downloaded the nightly build of Xerces, and replaced xercesImpl.jar and xmlParseAPIs.jar in common/endorsed. Now, I can view the jsp-examples and servlet-examples applications, but I get this error on startup.

JSP's Evolution

There's another interesting discussion taking place over on the struts-dev list again. Man, I'm glad I subscribed (again) to this list last week! It started out as a discussion of JSP vs. Velocity and Craig (McClanahan) provided an interesting evolution of JSP (and comparison to Velocity).

Velocity:
========

(Note -- it's assumed that the Customer collection has been stored in the
VelocityContext by some preceding business logic.)

  \#foreach $result in $results {
    <tr>
      <td>$result.ID</td>
      <td>$result.Name</td>
    </tr>
  }

JSP 1.1 (with Scriptlets):
=========================

  <%
    Customer custs = ...;
    for (int i=0; i < custs.length; i++) {
  %>
    <tr>
      <td><%= custs[i].getId() %></td>
      <td><%= custs[i].getName() %></td>
    </tr>
  <%
    }
  %>

JSP 1.1 (with custom tags):
==========================
(Note -- it is assumed here and in the following examples that the Customer collection has been stored by some preceding business logic.)

  <logic:iterate id="cust" name="custs">
    <tr>
      <td><jsp:getProperty name="cust" property="id"/></td>
      <td><jsp:getProperty name="cust" property="name"/></td>
    </tr>
  </logic:iterate>

JSP 1.2 + JSTL 1.0:
==================

  <c:forEach var="cust" items="${custs}">
    <tr>
      <td><c:out value="${cust.id}"/></td>
      <td><c:out value="${cust.name}"/></td>
    </tr>
  </c:forEach>

JSP 2.0 + JSTL 1.0:
==================

  <c:forEach var="cust" items="${custs}">
    <tr>
      <td>${cust.id}</td>
      <td>${cust.name}</td>
    </tr>
  </c:forEach>
</pre>

I can't wait for JSP 2.0 - it's going to make everything so much easier. Once again, we have exciting times for the Java world. With the power of JSP 2.0 and XDoclet, deadlines should be a non-issue. Now we just have to figure out the best way to use them, and the fastest way to pump out a Struts project. Wouldn't it be awesome if you you could add a new column to a table, build your project using Ant and XDoclet and whalla, all your classes are updated! That would be cool - and I think it's possible. Now I just have to figure out how - and fast!

Struts Logo Needed

Any of your designer-types want to contribute a logo candidate for Struts? They're looking for one!

JSP 2.0, Struts and Security

I've been asked to write some chapters in an upcoming JSP book that covers JSP 2.0 (JSR 152) and Servlets 2.4 (JSR 154). I'm thinking of doing a chapter on Struts and a chapter on Security. In the Struts chapter, I'd like to cover developing a Struts application using Ant, XDoclet and Middlegen - but I don't know if Middlegen supports Struts 1.1, nor if the generated JSPs can be modified to use JSP 2.0 syntax. I'd hate to spend a lot of time contributing to these projects to make my struts-based app work. So I'm asking you (the developers) what kind of app you'd like to see me develop?

For the Security chapter, I was thinking of developing an app that has form-based authentication, a Filter to look up the user's information, password encryption and an SSL login.

For the Struts chapter, I want to develop an app that developers can use to 1) learn about Struts and JSP 2.0 and 2) also has code they can use in their own projects. I'm torn because I really want to redo this photo album software (the site doesn't appear to be rendering images right now), but I want it to be useful. Hopefully by using XDoclet extensively, it doesn't matter what I write - the build and generation process will be useful.

My biggest hurdle to overcome in all this - it's due in 3 weeks! That should be a nice ball of stress that will keep me from sleeping night after night. Any advice or suggestions are welcome.

To see what JSP 2.0 is all about, check out the JSP 2.0 Early Access Release and here is a short and sweet article of changes.

The Future of Struts

There's an interesting discussion taking place on the struts-dev mailing list right now. Here's a couple excerpts:

I'd be really interested in your thoughts on the XDoclet work I've done, especially in the Struts Validator realm. I'm generating validation.xml completely, and also all the form bean definitions in our system. I also use XDoclet to process form beans for a one-time starter code generation of a JSP page (templated to our specific look and feel) for a specified form bean, as well as the resource properties that can be used as a starting point for the application resource properties for the field labels. Its amazing amount of generation just on the Struts-side of things, but we use XDoclet for even more than that too. [ Erik Hatcher ]
...
I think it is time to start packaging tools and generators with Struts to help the developer -- either as standalone packages included for convenience, or integrated into the architecture of the package. It would be interesting to explore how XDoclet fits in to this vision. [ Craig McClanahan ]

What exciting times! I can't wait to use XDoclet to generate the validation.xml file for Roller - should be a great learning experience. I don't plan on writing a Struts ActionForm again now that we have XDoclet. Also, I have an update on Roller and XDoclet: Dave found this problem with XDoclet and Castor. It will be fixed in XDoclet 1.2 beta 3. So we wait...

XHTML Strict and Forms

Did you know that with XHTML Strict, a <form> element can't have a name attribute? Actually, the only required attribute is action. But, if you do want to identify your form, then you have to use the id attribute. The problem with this is that many of us web developers are used to referencing a form (with Javascript) with document.formName. So as a service to my readers, if you do decide to XHTML 1.0 Strict, you will need to reference your forms (in Javascript) using one of the following syntaxes. For the sake of this example, pretend our form is named "webForm":

document.getElementById("webForm);
// assuming it's the first form on the page.
document.forms[0]; 
document.getElementsByTagName("form").item(0);

Of course, if you're trying to get the value <input> tag within your form, and that input has an id attribute, you can just get that using document.getElementById("inputId");.

You ask - what insired you to post this? Well, the Struts enhancement to produce XHTML-compliant code from the tag libraries. It was closed yesterday, and they seemed to have missed this - in other words, the <form> still has a name attribute. It'll be interesting to see how they resolve this. I'm hoping that Struts is not tied to the name attribute at all, and the fix just requires a bunch of fixes to Javascript that is written (by the tags).

BasicPortal

Dave mentions BasicPortal today. I've kept watch of this project, and I can't comment on it because I haven't downloaded and looked at the source. However, I do know that the original author of it, Vic Cekvenich of BaseBeans Engineering wrote the first Struts book. I was subscribed to the struts-user mailing list at the time, and this book got horrible reviews and a lot of do not buy warnings from developers. I have seem Vic advertising many mini-training sessions across the country re: Struts and BasicPortal though, and apparently those have been really good. He was probably just rushing his book to market too fast and you know what happens when you rush a product and it needs further development.

MiddleGen

I read about Middlegen in the Ant book I just finished. It sounded pretty cool, and now I've been encouraged to look at their site. It claims to generate EJB (CMP 2.0), JDO (1.0), or JSP/Struts (1.0) code and config files from a database. Too bad it doesn't generate Struts 1.1 code - maybe soon. It does have a GUI, but can also be run just using Ant. There are samples in the book that is oh so good. Too see it in action, check out this good ol' viewlet.