It’s Only Software

I write this announcement with a lot of excitement and a great sigh of relief. It was about a year ago when I was approached by Packt Publishing, who was interested in my introduction to Spring Security, and somehow got the idea that I could write. They recognized that there was no published book focusing on Spring Security (as I have often noted myself), and wondered if I would be interested in writing a book on the subject. For me, the idea really clicked, and I jumped on the opportunity to write a book about a subject that I had already had some significant exposure to, and a desire to explore further.

Fast-forward one year, and the final 400+ page book is now available on Amazon or from other online sources, as both a printed book and eBook (eBook available from Packt). I’ve put together a web site with more information about the book at www.springsecuritybook.com – there, you’ll find a rough idea of what the book covers, what it is (and isn’t), and where you can buy it or get more information.

This has been an enormously interesting research project for me, and the culmination of hundreds (probably thousands) of hours of night and weekend work, completed in addition to a demanding full-time job and family.

In a quick list of bullet points, we cover:

• Overall Spring Security architecture, at both a high and low level
• Implementation of all major Spring Security features, including:
  • JDBC-backed authentication
  • Method security with annotations and pointcuts
  • Session fixation protection
  • Concurrent session control
  • Password hashing
  • Access control lists (ACLs)
• Integration of Spring Security with external authentication providers, including:
  • OpenID
  • LDAP
  • CAS
  • Client certificates (X.509)
  • Kerberos
  • Microsoft Active Directory
• Full configuration of Spring Security using explicit Spring Bean declarations
• Many custom coding samples, including custom servlet filters, custom AuthenticationProviders, exception handlers, and much more.

All of these topics are covered both at a high level (how and why do they work), and a low level (how to configure, how to code, how to implement). It’s a great mix of theory and practice that I hope will be very effective for readers looking to implement Spring Security, or those who are already using it, but might not understand how it works.

I’m very excited to see the book in print, and believe it will have a big impact on the ability of users new to Spring Security to approach the framework with a better understanding of how it works. Additionally, for those users who will be doing sophisticated integrations or customizations based on the framework, there’s enough undocumented material and nuts-and-bolts discussions in the book to make it interesting for you as well.

Since most of my readers are techies, I hope to post interesting quantiative bits that I’ve been tracking along the way as I’ve coded, researched, diagrammed, revised, and all out slogged my way through gobs of code. More to come on this topic!

Please contact me if you have questions, comments, suggestions, or just congratulations

Book Info

Title: Spring Security 3

Publisher: Packt Publishing

Publication Date: May 29, 2010

Web Sites:

• http://www.springsecuritybook.com (My Personal Site)
• https://www.packtpub.com/spring-security-3/book (Official Site)

Pages: 420

ISBN: 978-1847199744

For those who don’t already have this bookmarked, you can use the Flash Player settings manager movie on the Adobe Support Web site to adjust the following:

• Website privacy and storage settings (did you know that Flash keeps a list of all sites you’ve visited with Flash movies?)
• Global security settings (setting trusted locations, etc.)

Also, remember there’s a separate global security settings panel for content creators (i.e. running Flash in debug mode). Personally, it seems kind of odd that Flash itself doesn’t have this functionality within the player, but it is what it is.

Basically, I’m just writing this so I don’t forget where it is next time I’m doing Flash development.

TinyURL is a service that has been around for a while, but recently regained popularity due to its widespread use on Twitter.

Recently, I poked around and wrote up a simple Java method to, given a URL (TinyURL supports only GET requests), generate a TinyURL from it in Java. This is really the only “API” supported by the TinyURL service, but it’s a handy one!

You’ll need Apache HttpClient 3.1 for this.

Without further ado, here’s the code:

import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.NameValuePair;
import org.apache.commons.httpclient.methods.GetMethod;
 
public abstract class TinyURLUtils {
	public static String getTinyUrl(String fullUrl) throws HttpException, IOException {
		HttpClient httpclient = new HttpClient();
 
		// Prepare a request object
		HttpMethod method = new GetMethod("http://tinyurl.com/api-create.php"); 
		method.setQueryString(new NameValuePair[]{new NameValuePair("url",fullUrl)});
		httpclient.executeMethod(method);
		String tinyUrl = method.getResponseBodyAsString();
		method.releaseConnection();
		return tinyUrl;
	}
}

Then you’d call the method as follows:

String tinyUrl = TinyURLUtils.getTinyUrl("http://www.mularien.com/blog/");
System.out.println(tinyUrl); // --> http://tinyurl.com/5cporq

You’re welcome to use / improve this code in any way (obviously, I didn’t consider or care about proper exception handling), ideally linking to my blog as the source.

Enjoy!

Note that this makes an HTTP request directly, so this will require some modification if you’re making the call from behind a proxy server. If there’s a need, I can post a follow-up entry on how to set up a proxy server with Apache HTTP Client.

Cross-posting in case readers here are interested.

Building a Collaborative Enterprise: Twitter (Part 1)

Cross-posting here in case any of my regular readers are interested. I made my first post to the Edgewater Corporate Blog on the subject of moving legacy applications to the web. It’s not really technical, but gives more of a high level view of some of the (many) considerations I (and others) have run into. I’d love to hear what you think of it!

“Why and How to Bring Legacy Applications to the Web”

Straightforward explanation and solution of the IE checkbox bug here.

Just ran into this goofy issue recently. So, if you set the ‘checked’ attribute on a checkbox before it’s part of the DOM, in IE 6, the checkbox will not actually be checked. Brilliant!

Solution:

• Set the checked attribute after adding the node to the DOM
• Set the defaultChecked attribute to true prior to adding the node to the DOM

An example of this with Prototype (using solution #2, above) is:

        anElem.appendChild(new Element("input", 
                {'type':'checkbox','name':'mycb','checked':'checked','defaultChecked':'true'}));

Don’t forget to keep the ‘checked’ attribute in there so it works with other (good) browsers!

(For the overly literal among you, that isn’t really a bug number, it’s sarcasm.)

Displaytag supports easy display of formatted number columns using the format attribute on <display:column> – however, it’s not really well documented on the Displaytag site. Here’s how to do simple number formatting without requiring a decorator class:

<displaytag:column property="amount" title="$ Amount" format="{0,number,#.##}"/>

This will display a decimal formatted to a maximum of 2 decimal places!

I was recently checking out the sample applications that ship with Spring Web Flow 2.0. In order to build the examples, you have to run an ant build that involves the Ivy Dependency Manager.

I was doing this behind a proxy server which requires username/password authentication, which unfortunately isn’t documented in the Ivy FAQ.

In case anyone runs into this particular problem, here’s how I solved it. Set the following environment variable (note this is all on a single line – I’ve added line breaks for readability):

set ANT_OPTS=-Dhttp.proxyHost=myproxyhost -Dhttp.proxyPort=8080 -Dhttp.proxyUserName=myproxyusername -Dhttp.proxyPassword=myproxypassword -Dhttps.proxyHost=myproxyhost -Dhttps.proxyPort=8080

Replace as appropriate for your environment.

Got this from an old post on css-d, and adapted it because it was bothering me that it was hard to find.

To simulate CELLSPACING=0, set this CSS on your table element:
border-spacing: 0px; border-collapse: collapse;

Yes, yes, I know. You see the word “table” in the post title, and you’re ready to run away yelling about Web 2.0, CSS, semantic HTML, and the overuse of tables for layout.

Don’t worry – I’m with you on that. However, the fact is that tables are still useful in Web 2.0 days for – get this – displaying tabular data.

I know that’s a little revolutionary, so I’ll let in sink in.

In the meantime, bear with me while I illustrate a little technique that allows you to show and hide columns in a table with only dead-simple CSS manipulation. While techniques exist for hiding/showing columns using relatively trivial Javascript, there’s a certain appeal to executing a visualization technique with only CSS.

I’ve tested this with the major browsers, namely Firefox 1.5 and 2, IE 6, Opera 9, and Safari 2.x, and amazingly, they all function properly (although we do use the star-html hack for IE).

Here’s a page showing the basic table: link.

Note that there’s some basic CSS in there just to style the table, and the table markup itself is a standard, run of the mill, table.

We’d like to have the “category” column shown only when the user takes an action, for example clicking an expand button. First, we annotate the th and td elements with the class “moreDetail”, e.g.:
<td class="moreDetail">Vegetable</td>

We’ll amend the CSS so that th and td elements with the class of “moreDetail” are not displayed by default:
th.moreDetail { display: none; } td.moreDetail { display: none; }

This leads us to the page seen in step 2: link.

Now, here’s the tricky bit. We will “show” the column not by manipulating the visibility of the individual cells (through the use of the display attribute), but instead by taking advantage of the way in which CSS rules are interpreted. We will apply a CSS class to the table itself, and take advantage of CSS descendant selectors to change the styling of the “moreDetail” class we’ve added to the table cells.

The CSS looks something like this:
table.showDetail th.moreDetail { display: table-cell; background-color: #E4E4A2; } table.showDetail td.moreDetail { display: table-cell; background-color: #E4E4A2; }

For illustrative purposes, we add the “showDetail” class to the table and see the result in step 3: link. Note that the category column has reappeared because we’ve added the “showDetail” class to the table element.

Of course, IE does not support display: table-cell – fortunately table cells display just fine using display: block, so we add a * html rule to enforce this for IE 6 only, which brings us to step 3a:link. In other browsers, display:block is not a rule you want to put on a table cell (exercise to the reader: try it and see what happens!).

Now to tie it all together, we add two simple buttons that use Javascript to add and remove the “moreDetail” class on the top-level table element. You can see with this simple manipulation, we can show and hide any number of table columns. The final effect is seen in step 4: link.

Once again, IE 6 eludes us. Remember that the CSS classes provided worked fine in IE in step 3a, but for some reason IE 6 will not redraw the table when we simply change the table’s className property. The only way I was able to work around this was to “tickle” the class of one of the table cells (the first TH element) by simply setting its display property to block (which it already was). This is the only difference between step 4 and step 5, seen here: link.

So with step 5, we have a simple way to show and hide table columns using CSS and basic Javascript CSS class manipulation, which is compatible with all major, modern browsers.

HTML purists will note that another effective way to do this is by taking advantage of the <col> element. I’ll explore this technique in combination with the <col> element in a later post. Enjoy! Please send comments/questions/feedback my way.