It’s Only Software

Since I spend a lot of time working with Spring, one of the many blogs in my daily read list is the SpringSource Team Blog, both articles and comments. I have gotten really tired, however, of the constant SEO spammers hitting the SpringSource blog.

It’s unfortunate that with SpringSource’s multi-million dollar funding rounds ($15M raised this summer, and $10M previously raised), they can’t find the resources to upgrade their very dated WordPress install with one that is more spam resistant, nor has anyone from the company even responded publicly to the many calls for fixing this issue.

A heads up in case anyone is thinking about using these together. Currently (Aug 18, 2008), the release version of Hibernate IDE (aka the Hibernate Eclipse plugin) does not work with Eclipse 3.4 (“Ganymede”) without one of 2 things:

• Unjarring, copying, and rejarring a file from Eclipse 3.3
• Using the Hibernate IDE Nightly Update Site

Discussion for this is covered in the Hibernate Forums and in HBX-1068 in Hibernate JIRA.

Since it’s already fixed in the nightlies, your best bet is to hit the nightly build site for the tools. If you’re afraid of the nightlies and/or the harder install process and want to pull the missing class (“org/eclipse/ui/internal/util/SWTResourceUtil”) from Eclipse 3.3, do this:

• Copy the “org.eclipse.ui.workbench” jar from your Eclipse 3.3 install/plugins directory to a temp directory (say, c:\temp). Mine was called “org.eclipse.ui.workbench_3.3.1.M20070921-1200.jar”
• Extract the missing class file: jar xvf org.eclipse.ui.workbench_3.3.1.M20070921-1200.jar org/eclipse/ui/internal/util/SWTResourceUtil.class
• Copy the “org.eclipse.ui.workbench” jar from your Eclipse 3.4 install/plugins directory to the same directory. Mine was called “org.eclipse.ui.workbench_3.4.0.I20080606-1300.jar”
• Update the JAR file: jar uvf org.eclipse.ui.workbench_3.4.0.I20080606-1300.jar org/eclipse/ui/internal/util/SWTResourceUtil.class
• Copy the Eclipse 3.4 JAR file back to your Eclipse 3.4 install/plugins directory (overwriting the original).

That should do it! Note that this information is only correct until the next version of the Hibernate IDE tools are make into a formal release. The last release date listed on the site was April 9, 2008, so I would guess a new release would occur soon.

Update! May 31, 2010: I have published a new book, Spring Security 3, covering many aspects of Spring Security from top to bottom. The book is targeted both at novices and intermediate to advanced users. I’d encourage you to read my blog post of the announcement, and visit the book’s web site, to determine if you think it will help you.

Although I’ve used Acegi Security in the past, I hadn’t tried it since it was renamed Spring Security and folded into the Spring Portfolio. I decided to approach its integration into a typical Spring web application with the eyes of a new user and write up my notes as a 5 minute guide to Spring Security.

Pretending to be a new user, I found the suggested steps a bit bewildering. Let’s take these one at a time, and I’ll try to help you out where the instructions are unclear:

1. First of all, deploy the “Tutorial Sample”, which is included in the main distribution ZIP file.

Aside from the weird packaging of Spring Security, it’s not clear which file this is. You should be deploying spring-security-samples-tutorial-2.0.x.war to your servlet container in the usual fashion. In the case of Tomcat, for example, use the deployment tool or drop this into your webapps directory. You should see the tutorial application in your browser. Let’s move to step 2…

2. Next, follow the Petclinic Tutorial , which covers how to add Spring Security to the commonly-used Petclinic sample application that ships with Spring.

This is pretty straightforward. The only error I found was that there is a reference to %spring-sec-tutorial%\WEB-INF\applicationContext-security-ns.xml. This should be applicationContext-security.xml instead. Note that I didn’t actually try this part of the tutorial with the Petclinic application, since I had my own test app I wanted to integrate with.

And here’s where the fun starts. Once you get past the convention over configuration convenience, you will need to customize Spring Security. One of the first things I looked for in the documentation was what all the bits in the XML namespace did. When this product was Acegi security, you could be pretty sure of looking at the Javadoc and getting documentation. Not so with XML configuration! While the Spring Framework documentation includes an excellent appendix with a reasonable level of detail on each of the namespaced XML declarations, Spring Security has nothing like this.

With convention over configuration, good documentation of the defaults becomes especially important, and it’s unfortunate the documentation isn’t really adequate in this area.

That said, I’ll try to cover a basic scenario here where we integrate Spring Security, using database-backed authentication, into an existing Spring web application. Here’s what I wanted for my example:

• Database-backed authentication
• Users have a single “role” – either plain user, or admin
• Customized login page

It’s a bit hard to cover this in 5 minutes, so I have skipped some of the stuff I hope you know already, such as use of Spring XML namespaces, and configuring simple JDBC DataSources. Please let me know if you miss this stuff!

Getting Started

I would suggest getting started with the applicationContext-security.xml that is found in the tutorial sample, and trimming it down a bit. Here’s what I got when I trimmed it down:

<?xml version="1.0" encoding="UTF-8"?>
 
<!--
  - Sample namespace-based configuration
  -
  - $Id: applicationContext-security.xml 3019 2008-05-01 17:51:48Z luke_t $
  -->
 
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security
                         http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
 
	<global-method-security secured-annotations="enabled">
	</global-method-security>
 
    <http auto-config="true">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>
 
    <!--
    Usernames/Passwords are
        rod/koala
        dianne/emu
        scott/wombat
        peter/opal
    -->
    <authentication-provider>
        <password-encoder hash="md5"/>
        <user-service>
            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
            <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
	    </user-service>
	</authentication-provider>
</beans:beans>

This makes a good baseline for the modifications we’re going to make. But first…

Mapping XML Elements to Java Code

I found it very helpful at this point, before messing with the XML, to know where the Java code was that corresponded to the available XML elements. The basic class that Spring Security uses for mapping XML elements to beans is SecurityNamespaceHandler. The code in this class simply delegates XML elements to bean definition parsers. It’s easy to follow along and map XML elements to Java code in this way. Unfortunately, don’t expect extensive commenting in the Java code to help you

web.xml Changes

I agree with the Spring Security documentation and found it easier to extract the security-related stuff into its own XML configuration file. This allows you to play XML tricks and not require namespace-tagging for the security elements. First off, you have to include a reference to applicationContext-security.xml in your [Spring] initialization parameters in your web.xml file:

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			/WEB-INF/spring-app-servlet.xml
			/WEB-INF/applicationContext-security.xml
		</param-value>
	</context-param>

Next, as instructed by the Spring Security getting started guide, you need to add the filter mapping. In my case, this went right after the <context-param> end tag, since I didn’t have any other filters:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
 
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

This default mapping will run all requests to your application through Spring Security. Now we’re done with web.xml, and we move on to…

Database-Backed Authentication

In my case, my application was already configured to use a JDBC DataSource, so pointing Spring Security at my JDBC data source was as easy as modifying the authentication-provider element to reference my already configured Spring bean:

    <authentication-provider>
	    <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>

Now, the immediate question I asked is – OK, what does the convention over configuration assume my database tables look like? If you look at the documentation of the JDBC authentication provider, you would expect to see that information there, but you’d be wrong.

Instead, you have to look at the SQL queries that are hard-coded in the JdbcDaoImpl class and infer the schema structure for yourself. This article has a graphical depiction of the basic schema down in section 5.4.

If you want to configure the queries that are used, simply match the available attributes on the jdbc-user-service element to the SQL queries in the Java class I referenced above. In my example, I wanted to simplify my schema by adding the user’s role directly to the user table. So I modified the XML configuration slightly as follows:

  <jdbc-user-service data-source-ref="dataSource" 
    authorities-by-username-query="select username,authority from users where username=?"/>

This allowed me to put values in the ‘authority’ column like ‘ROLE_ADMIN’ or ‘ROLE_USER’, which translate directly into Spring Security roles!

Configuring URL authorization

Mapping URLs to roles is really easy. In your http element, simply put successive elements like this:

        <intercept-url pattern="/admin/*.do" access="ROLE_ADMIN"  />
        <intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN"  />

Note here that the ‘access’ attribute values directly correspond to the values returned by the second column of the authorities-by-username-query. The ‘.do’ mapping is what I arbitrarily chose for my application – you may have to adjust depending on what your application’s Spring-managed URLs look like.

Configuring and Branding Spring Security-managed Pages

Finally, I wanted to figure out where the pages related to Spring Security should be configured, so that I could modify them if I needed to. Somewhat oddly, Spring Security ships with a default login page whose HTML markup is located in a class file – DefaultLoginPageGeneratingFilter. We would (obviously) like to replace this with our own custom page. Since we are authenticating everything passing through the Spring servlet, we must use a JSP for this.

Add the following to the http tag in the security configuration file:

<form-login login-page="/login.jsp" />

Now you need to put the login.jsp page in your web application (generally in the WEB-INF directory). The basic structure of the page you’re creating will look like this:

<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" %>
<%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %>
<%@ page import="org.springframework.security.AuthenticationException" %>
 
...
<form action="j_spring_security_check">
	<label for="j_username">Username</label>
	<input type="text" name="j_username" id="j_username" <c:if test="${not empty param.login_error}">value='<%= session.getAttribute(AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY) %>'</c:if>/>
	<br/>
	<label for="j_password">Password</label>
	<input type="password" name="j_password" id="j_password"/>
	<br/>
	<input type='checkbox' name='_spring_security_remember_me'/> Remember me on this computer.
	<br/>
	<input type="submit" value="Login"/>
</form>

The names of the form elements and form action must match what is shown here otherwise your login form will not work!

Note also that this is a plain ol’ JSP page, and not under Spring control. It is likely that you could play with the servlet filter patterns in web.xml to bring these pages under Spring control, but that is a topic outside the scope of this brief tutorial.

There are a couple other pages you will want to configure.

Access Denied: This is the page the user will see if they are denied access to the site due to lack of authorization (i.e. tried to hit a page that they didn’t have access to hit, even though they were authenticated properly). This is configured as follows:

    <http ... access-denied-page="/accessDenied.jsp">
     ...
    </http>

Default Target URL: This is where the user will be redirected upon successful login. This can (and probably should) be a page located under Spring control. Configured as follows:

    <http ... >
    ...
        <form-login ... default-target-url="/home.do"/>
    ...
    </http>

Logout URL: The page where the user is redirected upon a successful logout. This can be a page located under Spring control too (provided that it allows anonymous access):

    <http ... >
    ...
    	<logout logout-success-url="/home.do"/>
    ...
    </http>

Login Failure URL: Where the user will be sent if there was an authentication failure. Typically this is back to the login form, with a URL parameter, such as:

    <http ... >
    ...
        <form-login ... authentication-failure-url="/login.jsp?login_error=1"/>
    ...
    </http>

Putting it Together

Here’s what my whole sample Spring security configuration looked like when I was done:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
 
	<global-method-security secured-annotations="enabled">
		<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
		<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
		-->
	</global-method-security>
 
    <http auto-config="true" access-denied-page="/accessDenied.jsp">
        <intercept-url pattern="/login.jsp*" filters="none"/>  
        <intercept-url pattern="/admin/editUser.do" access="ROLE_ADMIN"  />
        <intercept-url pattern="/admin/searchUsers.do" access="ROLE_ADMIN"  />
        <intercept-url pattern="/**.do" access="ROLE_USER,ROLE_ADMIN"  />
    	<form-login authentication-failure-url="/login.jsp?login_error=1" default-target-url="/home.do"/>
    	<logout logout-success-url="/home.do"/>
    </http>
 
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource" authorities-by-username-query="select username,authority from users where username=?"/>
    </authentication-provider>
 
</beans:beans>

Wrap-Up

Ironically, just as I was drafting this article, a smart colleague of mine happened to come to me telling me about all the problems he was having getting started with Spring Security. He complained about the lack of detailed documentation on the XML, and the fact that the getting started documentation really wasn’t comprehensive (both complains that I had as well). Note that this colleague also happened to be responsible for implementing Acegi Security with Spring in a prior project that we worked on together – so he was intimately familiar with the underlying technology. He ended up going back to the Java-based configuration mechanism in frustration!

Hope this helps you out and I always appreciate hearing your comments and questions.

Related Articles

• Juggling Java has a very brief article on customizing Spring Security.
• Bart van Riel has a great tutorial on Acegi Security, which has some relevant bits around the database schema that you might find interesting.

Displaytag supports easy display of formatted number columns using the format attribute on <display:column> – however, it’s not really well documented on the Displaytag site. Here’s how to do simple number formatting without requiring a decorator class:

<displaytag:column property="amount" title="$ Amount" format="{0,number,#.##}"/>

This will display a decimal formatted to a maximum of 2 decimal places!

This simple change in Spring 2.5.2 and above lets you remove boilerplate code that you have probably written for simple JDBC queries performed with the generics-aware SimpleJdbcTemplate (read my earlier 5 Minute Guide to… if you don’t know what this is). Change this:

new ParameterizedRowMapper<String>() {
			@Override
			public String mapRow(ResultSet rs, int rowNum) throws SQLException {
				return rs.getString("State");
			}
		}

Into this:

new ParameterizedSingleColumnRowMapper<String>()

The fully qualified class name is org.springframework.jdbc.core.simple.ParameterizedSingleColumnRowMapper. Neat! If you’re interested in where this came from, you can have a look at the JIRA issue SPR-4320.

If you have done Websphere Portal 5.1 development, you have probably seen this error (among many others) at some point in your development lifecycle:

EJPPG0003E: ServletContext lookup for /.MyPortalApp returned the portal context. It has to be a different one.

Let me tell you that this error can be caused by about a hundred different things. If the issue is actually a context issue, you can follow Jamie Mcllroy’s great instructions to try to resolve context root-type problems.

But let’s say you do that, and you’re still getting the error – what then? (I’m assuming, by the way, that you are running inside RAD with the Websphere Portal UTE.)

As near as I can figure out, this error is thrown when you try to access a portlet and the backing application (usually a WAR within an EAR) doesn’t initialize itself properly. If you read into this, it basically means this error can be caused by a wide variety of issues with the underlying application.

First, make sure that you have console logging enabled in your server configuration. To do this, open your server configuration, click on the “Portal” tab (far right), and ensure the “Enable console logging” box is checked.

Next, when you attempt to access your portlet, you should (hopefully!) see an error appear in the console log. If you do, have a look at it, and hopefully it will be obvious what’s wrong.

If it’s not obvious, or if you get the infamous PortletExeption, you may have to enlist the help of a debugger. I would suggest the following steps:

1. Restart the server in Debug mode
2. When the server starts up, set a Java Exception Breakpoint for Throwable
3. Attempt to hit the offending servlet or portlet

If the servlet is throwing an error that ends up being reported as EJPPG0003E, you’ll see the debugger stop at the exception in question. I personally have seen this error caused by various JSF configuration errors (with portlets using JSF), and classloader issues (missing MANIFEST.MF entries, classloader configuration issues, PARENT_LAST vs PARENT_FIRST, etc).

Hope this helps someone! If you have any other suggestions for diagnosing this error, please share!

As a frequent contributor to the Spring Framework user forums, I have noticed a common trend among people new to Spring MVC – they really don’t understand how to use JSTL and EL in their Spring-driven JSPs.

Although Spring MVC supports flexibility in choosing a view technology, in my [back of the napkin] estimate, at least 80% of the time it is paired with JSP and JSTL. Unfortunately, since JSP was pushed out about 4-5 years ago, a lot of the information that you find on the web is extremely dated, often going back to JSTL 1.0 syntax (or, gasp, using scriptlets!). In this article I’ll clear up the confusion around how to use JSTL with various app servers and webapp versions.
Continue reading “How to Reference and Use JSTL in your Web Application”

August 15, 2009: Important update to this article: Amazon now requires signed SOAP requests, which are not supported by the (now defunct) AmazonA2SClient library. Please see my updated article on using the Amazon AWS API (now Product Advertising API) with Java and Apache Axis2. Thanks!

On a side project recently, I decided to try out the Amazon Associates Web Service API, a Java library provided by Amazon which wraps the Amazon Associates Web Service calls with a friendly Java API.

For those who are considering integration with Amazon Associates Web Services (used for things as item search, item detail retrieval, and cart manipulation), this API provides a very deep and rich integration with Amazon, with a relatively shallow learning curve. I’ll provide a simple example here of doing an item lookup by ASIN (Amazon’s unique product IDs), and point you around some of the data structures you’ll encounter when dealing with ASINs.

Continue reading “5 Minute Guide to the Java Amazon Associates Web Service API”

This is a bit of a different subject matter than I usually cover, so I apologize in advance. I was recently working on a project involving many, many remote web services. We were running into issues with some services being sporadically unavailable, and wanted to gather data on their uptime. One interesting twist was that all the services were protected by NTLM authentication, which severely limited the number of choices I could find easily.

I came across a Perl-based tool called WebInject. With some slight tweaking, it does support NTLM authentication, and it also supports POST body content, which I needed to be able to POST SOAP requests.

Here’s how to set it up on a Windows platform and implement NTLM support.

• First, download the WebInject distribution. Unzip to a folder (say, c:\webinject).
• Next, download and install ActivePerl 5.8 (latest) from here.
• Once you install ActivePerl, you’ll need to install some Perl packages:

The following packages are required:

ppm install Error
ppm install Tk::ProgressBar::Mac
ppm install Authen::NTLM

WebInject comes with an executable which wraps up a Perl interpreter and all the packages you need. However, it doesn’t include the package with NTLM support. So we are setting things up so that our external Perl interpreter (ActivePerl) has all the dependencies it needs in order to run WebInject as a Perl script.

Once you’ve installed the packages listed above, you should be able to run WebInject as a Perl script:

perl webinjectgui.pl

You will need to make a minor change to the webinject.pl script to enable HTTP keepalives (these are required for NTLM authentication). Look for the LWP::UserAgent->new line and modify as such:

    $useragent = LWP::UserAgent->new(keep_alive=>1);

This will allow WebInject to communicate with an NTLM web service. Set up authentication as documented in the WebInject documentation. Of course, after I went through this, another colleague suggested trying out SoapUI, which also supports some types of NTLM authentication. I’ll try to write up that tool later on – first impressions look really good (certainly much more sophisticated than WebInject).

Related Reading:
http://www.goldb.org/goldblog/2007/05/16/WebInjectOpenSourceWebServiceTestingToolGetsHighMarks.aspx
http://www.infoworld.com/article/07/05/11/19TCwebservicetest_5.html
http://www.webinject.org/cgi-bin/forums/YaBB.cgi?board=Development;action=display;num=1185818423

One of the most irritating limitations of plain JDBC is that queries with a variable number of parameters are notoriously painful to deal with. The most common case of this is with the IN clause, which by definition is intended to accept a variable length argument list. JDBC, for those who don’t know, does not allow variable-length bound parameters.

Having worked with Spring’s Hibernate abstraction (HibernateTemplate) for some time, I have gotten used to Spring’s value-added feature of expanding Collections bound to HQL parameters (it’s a shame that Hibernate doesn’t natively support this, AFAIK). I was pleasantly surprised to find out that Spring offers JDBC support for this feature as well. Here’s a simple set of examples…

Continue reading “Auto-Expanding Collections as JDBC Parameters with Spring SimpleJdbcTemplate”