Phoenix Tips and Tricks
From Matt Croydon:
The Phoenix Tips and Tricks site is a must-visit if you're running Phoenix. The page rendering speedup makes zippy Phoenix even zippier.
I'll visit when I have more time, looks cool!
Erik Hatcher has convinced me that I need to give more coverage to JAAS in my chapter on Security. To quote his comment from yesterday's JAAS post:
I think you are underestimating the value of JAAS a fair bit. Suppose you want to authenticate your users against a database table of users/passwords. Without JAAS this is container-specific (sure it works nice in Tomcat, but would you be able to do FORM authentication in WebSphere easily?). We use JAAS in the big application I'm developing and it gives us the freedom to more easily port our application to other containers. What if your application needed to authenticate users (suppose for a portal, not that far fetched, eh?) where each "portlet" had a different authentication scheme: LDAP, Windows NT, database, etc. JAAS is the way to go.
While I can see Erik's point, I think that if the app servers follow the Servlet spec, implementing form-based authentication on any J2EE-compliant server should be easy. After all, Tomcat is the Reference Implementation. At the same time, the bit about the portlets is a whole other can of worms - I can see what he's getting at, and I guess I need to figure out an easy way to demonstrate using JAAS. From what I understand, you do have to call the authenticate() in a servlet or filter. Hopefully, I can use a little Ant/XDoclet magic to create a sample that can switch b/w form-based, container-managed authentication and JAAS. Tell me what you think of this idea:
One thing I really like about form-based authentication (besides the ease of setup and no required programming) is that it allows users to bookmark pages in your app. When they select that bookmark again after logging out, they are prompted for a login and routed to the bookmark upon successful authentication. I hope JAAS can do this too.
I'm digging into JAAS this afternoon as I enjoy the vacancy of the Winter Break at DU's Penrose Library. Man, what a great school - I used to love it when we'd get off 6 weeks for Christmas Break - from Thanksgiving through January - how sweet is that!?
The reason I'm writing on this cold (32°F) afternoon is to get some thoughts on JAAS in web applications. I'm giving it about a paragraph of coverage, explaining that it's mainly for declaring authentication and authorization in policy files. Furthermore, it's only invoked when running your application (or Tomcat) with a security manager. However, it's not really needed in web applications because 1) container-managed/web.xml is good enough, and 2) authentication mechanisms never really need to be that fine-grained. Whaddya think? Am I wrong, does it deserve more coverage? Don't most app servers use JAAS under the covers?
I've gotten approval from Wrox to use struts-xdoclet as my sample app for my chapters on Security and Struts. I've also received committer rights from Ted Husted on the Struts project at SourceForge. I haven't checked anything in yet, because I still don't have a good name. While I think struts-xdoclet is a good descriptive name, it doesn't have the pizzazz I'm looking for. So the naming discussion continues. I'm thinking of actually leaving "Struts" out of the name as it seems to make other names more difficult when combined. I like the idea of kindling, which we use to start fires at the cabin, but I don't know if that makes a good app name.
Back to the point of this post, what are your recommendations for a good open source license? I don't really care how people use struts-xdoclet, so do I even need to license it? What happens if I don't include a license?
A Struts WML Tag Library has been posted to the struts-dev mailing list. It's a "pre-release", which means the project is probably not stable, but I'm guessing the technology and tags are.
Struts-wml taglib, 'raw prerelease' is available here:
http://sourceforge.net/projects/struts-wml/
Here's the release notes:
This is a fully functional 'prerelease' which includes source code, sample
application, documentation, binary and libraries. It's still somewhat
unpolished (therefore raw prerelease). If you're willing to hack around
with it a little bit, you're welcome to download it. Please don't forget to
contribute your changes back to the project! [Full Post]
Now it's your responsibility to get a WML project that you can implement this on!
I posted the following message to the tomcat-user group yesterday:
On Tomcat 4/5, I am able to use the following configuration in my web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp?error=true</form-error-page>
      </form-login-config>
    </login-config>

However, I know that there are app servers out there that do not support this - the form-error-page MUST be a different JSP. So I'm wondering, is there a value I can grab in my login.jsp that tells me the URL of the protected resource the user is trying to get to? I tried <%=request.getRequestURL()%>, but that gives me .../login.jsp - and I am expecting welcome.do. I know iPlanet used to set a cookie and I could use that as described here.

Thanks,
Matt
Craig McClanahan responded with the following answer - which was just the information I was looking for:
There is no portable mechanism to acquire the request URL that was originally requested, nor any guarantee that this is even possible. All you know is that the container has detected that a protected URL was requested, and that there was no currently authenticated user.
So the lesson learned is that if you want to make your webapp portable across different app servers, use two separate pages for the login and login-error pages.
I did a bunch of work today to get struts-xdoclet off the ground. Basically, all that exists right now is the generation of struts-config.xml and web.xml from xml files in a merge directory. There are no .java files in this project yet.
I'm posting this to you in hopes of getting some validation of the directory structure and Ant-based build/deploy process. The deploy task originally worked as Erik Hatcher suggests in his book, but whenever I tried to redeploy, it would give me errors when trying to remove a .jar file - so I resorted back to a simple copy to $CATALINA_HOME/webapps. The build.xml file I put together is based on what I found in struts-blank.war (for 1.1), roller's build process, my own experience and good ideas from the Ant book.
I've also configured form-based authentication and I plan to add a bunch of optional modules (i.e. SSLExt for SSL Switching, password encryption) to the mix.
I'm still searching for a sample-app idea for the persistence layer (i.e. authors and books). I'd like to do something that folks can use, so I'd definitely like to include an admin section for administering users and their properties. Maybe even offer features such as registration (might be a bit difficult using tomcat-users.xml, but not so bad with JDBCRealm or an LDAP server), and password recovery.
You can download the first cut of this - which should build and allow you to login - at http://www.raibledesigns.com/struts/.
Next steps include the security modules I mentioned above, and generating validation.xml and persistence classes from a POJO. I'm still undecided on using Castor or Hibernate for the persistence layer. Dave (Johnson) seems to think Hibernate has some great stuff, and he's used Castor for a while, so that's probably the direction I'm leaning towards. It would be great to be able to do both.
Graham Glass offers some great suggestions on how he writes a book (tip of the hat to Matt Croydon). This is extremely valuable information for me, as I will be writing a couple chapters over the next few weeks. If I can follow in his footsteps, I'll be set!
A typical chapter takes me 3 or 4 days to write, including the source code for the examples, which I think is pretty fast. In addition, the high level book structure takes about a day.
The thing I'm struggling with right now is what persistence layer to use on my example Struts application. I'd like to use either Hibernate or Castor, but since I've never implemented either from scratch, I don't want to spend more time learning than implementing. And I'd like to generate the entire persistence layer - which seems possible with both. I'd like to use Middlegen, but then I'll have to use JDO or EJBs for my persistence layer. While JDO might be appropriate, EJBs are probably overkill for an example app. The nice thing about Middlegen is that it will generate the JSP and Struts classes for me too.
It sure would be nice to have a binary version of Tomcat 5. I tried building it this morning, and the process is still going - you have to download about 5 different libraries (so far) just to get it to build! I find this is typical with Jakarta projects. Hopefully there will be one soon. I'll try to document the process so others don't have to experience my pain.
Later: Lance provides a link to the nightly build - exactly what I was looking for!
1 Hour Later: Tomcat 5 throws all kinds of errors when starting and doesn't load jsp-examples or servlet-examples correctly. For error details, check out my posting to the tomcat-dev mailing list.
There's another interesting discussion taking place over on the struts-dev list again. Man, I'm glad I subscribed (again) to this list last week! It started out as a discussion of JSP vs. Velocity and Craig (McClanahan) provided an interesting evolution of JSP (and comparison to Velocity).
Velocity:
========
(Note -- it's assumed that the Customer collection has been stored in the VelocityContext by some preceding business logic.)

    #foreach ($result in $results)
      <tr>
        <td>$result.ID</td>
        <td>$result.Name</td>
      </tr>
    #end
JSP 1.1 (with Scriptlets):
=========================
    <%
      Customer[] custs = ...;
      for (int i = 0; i < custs.length; i++) {
    %>
      <tr>
        <td><%= custs[i].getId() %></td>
        <td><%= custs[i].getName() %></td>
      </tr>
    <%
      }
    %>
JSP 1.1 (with custom tags):
==========================
(Note -- it is assumed here and in the following examples that the Customer collection has been stored by some preceding business logic.)

    <logic:iterate id="cust" name="custs">
      <tr>
        <td><jsp:getProperty name="cust" property="id"/></td>
        <td><jsp:getProperty name="cust" property="name"/></td>
      </tr>
    </logic:iterate>
JSP 1.2 + JSTL 1.0:
==================
    <c:forEach var="cust" items="${custs}">
      <tr>
        <td><c:out value="${cust.id}"/></td>
        <td><c:out value="${cust.name}"/></td>
      </tr>
    </c:forEach>
JSP 2.0 + JSTL 1.0:
==================
    <c:forEach var="cust" items="${custs}">
      <tr>
        <td>${cust.id}</td>
        <td>${cust.name}</td>
      </tr>
    </c:forEach>

I can't wait for JSP 2.0 - it's going to make everything so much easier. Once again, we have exciting times for the Java world. With the power of JSP 2.0 and XDoclet, deadlines should be a non-issue. Now we just have to figure out the best way to use them, and the fastest way to pump out a Struts project. Wouldn't it be awesome if you could add a new column to a table, build your project using Ant and XDoclet and voilà, all your classes are updated! That would be cool - and I think it's possible. Now I just have to figure out how - and fast!