Gridshore software engineering weblog - acegi

Last entry ...

nospam@example.com (Jettro Coenradie) — Sat, 19 Jan 2008 20:58:56 +0100

Welcome to the last entry of this blog. No I am not quitting, I am just moving. I just installed a new blog software framework. I was starting to dislike the way to interact and I wanted something that contained more out of the box. I am in the middle of moving to wordpress software. There is a very good reason to do this. I had found a great tool on the mac called MarsEdit. And again this could not be used with serendipity. I hope I did make a good choice. Since there is a lot of information in the old blog, I did not take this blog offline. It will stay to exist, but I will not make changes there anymore.

I hope to see you at the new version of the blog (check the page at http://www.gridshore.nl). You can attach you feedreader to the following url: feed://www.gridshore.nl/feed/

Creating a maven archetype for acegi and springframework

nospam@example.com (Jettro Coenradie) — Thu, 31 Aug 2006 20:51:15 +0200

I have created a lot of small applications that include spring and acegi. Most of the time I copy most of the resources from another project. Some time ago I learned about the maven archetypes. An easy way to create the project structure. That was the time I decided that I wanted to have my acegi springframework archetype. Last weeks I found some time to create this archetype. You can download the files here:
http://code.google.com/p/gridshore/
And the generated maven site here:
http://www.gridshore.nl/projects/springframeworkarchetype/index.html
Ofcourse there is also a maven website about creating an archetype, this is not a very extensive website. In this blog item I will explain more about the archetype I created.

First thing to know, well surprise, the archetype is just a maven project. You can start you new archetype by using a maven archetype:
mvn archetype:create
-DgroupId=nl.gridshore.samples.archetype
-DartifactId=SpringframeworkArchetype
-DarchetypeArtifactId=maven-archetype-quickstart
Have a look at the pom for the other properties; scm, distributionManagement, etc.

The project itself contains an src\main\resources\META-INF\maven\archetype.xml file that defines all the resources that need to be copied.



<archetype>

  <id>SpringframeworkArchetype</id>

  <sources>

    <source>src/main/java/App.java</source>

  </sources>

  <testSources>

    <source>src/test/java/AppTest.java</source>

  </testSources>

  <resources>

      <resource>src/main/webapp/index.jsp</resource>

      <resource>src/main/webapp/WEB-INF/web.xml</resource>

      <resource>src/main/webapp/WEB-INF/action-servlet.xml</resource>

      <resource>src/main/webapp/WEB-INF/jsps/welcome.jsp</resource>

      <resource>src/main/webapp/WEB-INF/jsps/adminwelcome.jsp</resource>

      <resource>src/main/webapp/WEB-INF/jsps/accessdenied.jsp</resource>

      <resource>src/main/webapp/WEB-INF/jsps/login.jsp</resource>

      <resource>src/main/webapp/WEB-INF/jsps/loginerror.jsp</resource>

      <resource>src/main/resources/security-springConfig.xml</resource>

      <resource>src/main/resources/views.properties</resource>

      <resource>src/main/resources/errormessages.properties</resource>

      <resource>src/main/resources/sitetext.properties</resource>

      <resource>src/main/resources/log4j.dtd</resource>

      <resource>src/main/resources/log4j.xml</resource>

  </resources>

</archetype>

The structure is pretty easy, you can find all the resources under the directory:
src\main\resources\archetype-resources

You can use the following parameters in your file as placeholders:
http://maven.apache.org/plugins/maven-archetype-plugin/create-mojo.html. Have a look at the src\main\resources\archetype-resources\pom.xml for an example:



  <groupId>$groupId</groupId>

  <artifactId>$artifactId</artifactId>

  <version>$version</version>

Hope that helps you on your way to your own archetype. If you just want to use mine:



mvn install

mvn archetype:create

	-DgroupId=your.groupid

	-DartifactId=your.artifactId

	-DarchetypeArtifactId=SpringframeworkArchetype

	-DarchetypeGroupId=nl.gridshore.samples.archetype

	-DarchetypeVersion=1.0.0-SNAPSHOT

Updated the sample to acegi version 1.0.0 RC1

nospam@example.com (Jettro Coenradie) — Mon, 05 Dec 2005 20:28:59 +0100

Today I upgraded the acegi library to version 1.0.0 RC1. It was a quick process, but you do need to make a few changes. The complete package structure is changed, JdbcDaoImpl class has been moved and some other changes as well. Have a look at the release notes in the downloaded acegi package. There was a nice addentum on the spring forum that you need to change the inclusion of the taglibrary as well.

<%@ taglib uri="http://acegisecurity.org/authz" prefix="authz" %>

Have fun, I will start documening the sample within a few weeks now.

problems while upgrading sample from acegi 0.8.3 to 0.9.0

nospam@example.com (Jettro Coenradie) — Mon, 21 Nov 2005 22:40:11 +0100

Today I did an upgrade of acegi for my sample application. Ofcourse there are a lot of resources about upgrading. There is an entry on the homepage of acegi and the blog from Matt Raible. These are my findings.

I have a CustomJdbcDaoImpl class, I used to obtain the granted authorities with the following lines of code:

PersonDetails person = (PersonDetails) users.get(0);
List dbAuths = getAuthoritiesByUsernameMapping().execute(person.getUsername());
if (dbAuths.size() == 0) {
throw new UsernameNotFoundException("User has no GrantedAuthority");
}
GrantedAuthority[] arrayAuths = {};
addCustomAuthorities(person.getUsername(), dbAuths);

There is however a problem with the method ' getAuthoritiesByUsernameMapping()', this does not exist anymore in the 0.9.0 acegi version.
To be continued

The following change is getting a secure context. With the new version we use the following code to obtain a secure context:
SecurityContextHolder.getContext()

There is an issue with the events as well, there are now two main events, one for authentication and one for authorization:

<bean id="authenticationLoggerListener" class="net.sf.acegisecurity.event.authentication.LoggerListener"/>
<bean id="authorizationLoggerListener" class="net.sf.acegisecurity.event.authorization.LoggerListener"/>

I also had to change my SecurityEventListener, the names of the events are changed, the code now looks like this:
public void onApplicationEvent(ApplicationEvent event) {
if (event instanceof AuthenticationFailureBadCredentialsEvent) {
AuthenticationFailureBadCredentialsEvent authEvent = (AuthenticationFailureBadCredentialsEvent) event;
securityManager.disablePerson(((User)authEvent.getAuthentication().getPrincipal()).getUsername());
}
if (event instanceof AuthenticationSuccessEvent) {
AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent) event;
securityManager.savePersonLastLoggedOn(((User)authEvent.getAuthentication().getPrincipal()).getUsername());
}
}

And finally, since my tag for authentication is now within the project I removed all the customized code for my custom taglibrary. See earliar posts if you want to know what I am talking about.

taglibrary auth in acegi 0.9

nospam@example.com (Jettro Coenradie) — Fri, 04 Nov 2005 00:17:58 +0100

I have created a taglibrary for acegi, well not really created, more extended. In an earlier post you can see what I have created. I have also created a unit test and now my source is contributed to the framework. So the 0.9 release will contain my extensions to the tag library. I think that is pretty cool.

acegi security sourceforge page

Acegi authentication tag library

nospam@example.com (Jettro Coenradie) — Wed, 26 Oct 2005 20:49:05 +0200

I am creating a sample application with the springframework. I use Acegi or Spring security as the security framework. On this blog I have multiple items that relate to acegi. I think more will come. This one is about a tag library I created. I wanted to be able to print more details from the UserDetails object that resides in the SecureContext. There are multiple ways to realize this. The most obvious is using a scriptled.

<%=((PersonDetails)((SecureContext)net.sf.acegisecurity.context.ContextHolder.getContext())
.getAuthentication().getPrincipal()).getFirstName()%>

But if you want to show multiple properties this is not very nice and I like to minimize the amount of scriptlets in jsp code. Therefore I wanted to use a tag library. You can ofcourse use the standard tag library from acegi

<authz:authentication operation="principal"/>

This can only show the username. But the concept is good, and ready for extending. Therefore I created an extended version of the tag library. I introduced a second property called "prefix" and now you can call any "get*" method or "is*" method. If you want to call other methods as well, it is very easy to change the current implementation.

Time to have a look at some parts of the code, I present the doStartTag method:

1. public int doStartTag() throws JspException {
2.   if ((null == operation) || "".equals(operation)) {
3.     return Tag.SKIP_BODY;
4.   }
5.
6.   validateArguments();
7.
8.   if ((ContextHolder.getContext() == null)
9.       || !(ContextHolder.getContext() instanceof SecureContext)
10.      || (((SecureContext) ContextHolder.getContext()).getAuthentication() == null)) {
11.    return Tag.SKIP_BODY;
12.  }
13.
14.  Authentication auth = ((SecureContext) ContextHolder.getContext()).getAuthentication();
15.
16.  if (auth.getPrincipal() == null) {
17.    return Tag.SKIP_BODY;
18.  } else if (auth.getPrincipal() instanceof UserDetails) {
19.    writeMessage(invokeOperation(auth.getPrincipal()));
20.
21.    return Tag.SKIP_BODY;
22.  } else {
23.    writeMessage(auth.getPrincipal().toString());
24.
25.    return Tag.SKIP_BODY;
26.  }
27.}

Lines 1-12 are validation code, just trying your tag not to throw an unexpected exception. Line 14 obtains the Authentication object from the SecureContext. This object contains the principal which we are after. If the Principal is of type UserDetails (the interface your custom implementation should implement), we call the invokeOperation method.

1. private String invokeOperation(Object obj) throws JspException {
2.   Class clazz = obj.getClass();
3.   String methodToInvoke = getOperation();
4.   StringBuffer methodName = new StringBuffer();
5.   methodName.append(getMethodPrefix());
6.   methodName.append(methodToInvoke.substring(0,1).toUpperCase());
7.   methodName.append(methodToInvoke.substring(1));
8.
9.   Method method = null;
10.  try {
11.    method = clazz.getDeclaredMethod(methodName.toString(),null);
12.  } catch (SecurityException se) {
13.    throw new JspException(se);
14.  } catch (NoSuchMethodException nsme) {
15.    throw new JspException(nsme);
16.  }
17.  Object retVal =null;
18.
19.  try {
20.    retVal = method.invoke(obj,null);
21.  } catch (IllegalArgumentException iae) {
22.    throw new JspException(iae);
23.  } catch (IllegalAccessException iae) {
24.    throw new JspException(iae);
25.  } catch (InvocationTargetException ite) {
26.    throw new JspException(ite);
27.  }
28.  if (retVal == null) {
29.    retVal = "";
30.  }
31.  return retVal.toString();
32.}

lines 3-7 create the name of the method to call
lines 9 -16 create the Method instance to be invoked
lines 19-27 do the real invocation of the method.

As you can see it is faily easy to create the extende taglib by using reflection to call the right methods on the UserDetails implementation. I have used this file and the tld file in my sample that can be found on javaforge. You can also have a look at the files from this website, but then there is no working sample.

AuthenticationTag.java
CustomAuthenticationTag.tld

References
Acegi security

Springframework Acegi principal customization and events

nospam@example.com (Jettro Coenradie) — Fri, 07 Oct 2005 20:41:00 +0200

Acegi is the security component for springframework. Since Acegi works with interfaces, extending the framework is easy. There are some good abstract classes you can extend as well. Todays blog deals with customizing the UserDetails class. This is an interface with the following methods:

public interface UserDetails {
  public boolean isAccountNonExpired();
  public boolean isAccountNonLocked();
  public GrantedAuthority[] getAuthorities();
  public boolean isCredentialsNonExpired();
  public boolean isEnabled();
  public String getPassword();
  public String getUsername();
}

If you want a custom UserDetails implementation you need to implement this interface. I added two methods to the implementation:

public String getFullname();
public Date getLastLoggedIn();

I take it the names of the methods are self documenting. What other components do we need? We need a custom jdbcDaoImpl that has a mapper to map the query to the PersonDetails object. We also have to change the configuration of this custom component so that the custom properties are also loaded. Lets have a look at the xml part of the configuration first. Pay special attention to the queries.

<bean id="jdbcDaoImpl" class="org.appfuse.security.CustomJdbcDaoImpl">
  <property name="dataSource"><ref bean="dataSource"/></property>
  <property name="usersByUsernameQuery">
    <value>select username,password,fullname,last_logged_in,enabled from person where username=?</value>
  </property>
  <property name="authoritiesByUsernameQuery">
    <value>select p.username,r.name as rolename from person p, role r, authority a where a.person_id = p.id AND a.role_id = r.id AND p.username=?</value>
  </property>
</bean>

Now we implement the CustomJdbcDaoImpl class. This class is a subclass of the JdbcDaoImpl class. We override the loadByUsername method. An innerclass is created as a mapper between the sql statement and the PersonDetails object.

public class CustomJdbcDaoImpl extends JdbcDaoImpl {
  public UserDetails loadUserByUsername(String username)
      throws UsernameNotFoundException, DataAccessException {
    List users = (new PersonsByUsernameMapping(getDataSource())).execute(username);

    if (users.size() == 0) {
      throw new UsernameNotFoundException("User not found");
    }

    PersonDetails person = (PersonDetails) users.get(0);
    List dbAuths = getAuthoritiesByUsernameMapping().execute(person.getUsername());

    if (dbAuths.size() == 0) {
      throw new UsernameNotFoundException("User has no GrantedAuthority");
    }

    GrantedAuthority[] arrayAuths = {};

    addCustomAuthorities(person.getUsername(), dbAuths);

    arrayAuths = (GrantedAuthority[]) dbAuths.toArray(arrayAuths);

    return new PersonDetails(person.getUsername(), person.getFullname(),
      person.getPassword(),person.getLastLoggedIn(),person.isEnabled(),
      true, true, true,arrayAuths);
  }

  protected class PersonsByUsernameMapping extends MappingSqlQuery {

    protected PersonsByUsernameMapping(DataSource ds) {
      super(ds, getUsersByUsernameQuery());
      declareParameter(new SqlParameter(Types.VARCHAR));
      compile();
    }

    protected Object mapRow(ResultSet rs, int rowNum) throws SQLException {
      String username = rs.getString(1);
      String password = rs.getString(2);
      String fullname = rs.getString(3);
      Date lastLoggedIn = rs.getDate(4);
      boolean enabled = rs.getBoolean(5);

      PersonDetails person = new PersonDetails(
        username, fullname, password, lastLoggedIn, enabled, true, true, true,
        new GrantedAuthority[] { new GrantedAuthorityImpl("HOLDER") });
      return person;
    }
  }
}

Actually this is all there is to it. But why all this trouble? We added two properties, the fullname and LastLoggedIn. Fullname is a value the user enters when he registers for the website. We want to show this property on the page to see who is logged on. What about the second property? We want to show what the last time was that a used logged in to the application. Showing the data is not that hard, but how can we plugin to the acegi framework to get information about who logged in when. The answer is [b]events[/b].

Spring uses a very simple event mechanism that is used by acegi to provide you with information. You need to create a bean that implements the ApplicationListener interface, then simply configure the bean in the spring config file.

  <bean id="wrongPasswordListener" class="org.appfuse.security.AuthenticationFailurePasswordEventListener">
    <property name="personManager" ref="personManager"/>
  </bean>

The code for the bean looks like this:

  public void onApplicationEvent(ApplicationEvent event) {
    if (event instanceof AuthenticationFailurePasswordEvent) {
      AuthenticationFailurePasswordEvent authEvent = (AuthenticationFailurePasswordEvent) event;
      personManager.disablePerson(authEvent.getUser().getUsername());
    }
    if (event instanceof AuthenticationSuccessEvent) {
      AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent) event;
      personManager.saveLoggedOnPerson(authEvent.getUser().getUsername());
    }
  }

So we respond to two types of events, one that is raised in case of entering a wrong password, the other if a user successfully logged on. With these events we can lock an account if a user enters a wrong password more then three times and we can store the lastLoggedIn time if a user successfully logges in.

The last part is showing the fullname and the lastloggedin property in the jsp page.

<fmt:message key="general.welcome">
<fmt:param><%=((PersonDetails) ((SecureContext)ContextHolder.getContext()).getAuthentication().getPrincipal()).getFullname()%></fmt:param>
</fmt:message>
<fmt:message key="general.lastlogin">
<fmt:param><fmt:formatDate pattern="dd/MM/yyyy" value="<%=((PersonDetails) ((SecureContext)ContextHolder.getContext()).getAuthentication().getPrincipal()).getLastLoggedIn()%>"/></fmt:param>
</fmt:message--%>

Hope this can help you if you want to create your own custom authentication principal. If you want to have a look at the complete code, have a look at the javaforge project I created.
http://javaforge.com/proj/forum.do?proj_id=71