Friday, June 1, 2007

Authentication using JAAS and Kerberos


A lot of Organizations tend to use Kerberos for authentication and JAAS does support Kerberos for authenticating users. Well here is a step-by-step approach to Kerberos authentication with JAAS. I am not going to talk about Kerberos server or the installation. It is all about authentication. Please see the list of issues below.

-Djava.security.krb5.conf=krb5.conf
-Djava.security.auth.login.config=$FILE-PATH\kerberoscontext.conf -Djava.security.krb5.realm=ABC.NET
-Djava.security.krb5.kdc=ABC.XYZ.NET

The above configurations are required and I will explain each one of them.

1. Create a file krb5.conf and here are the contents of the file.
Place this file in JAVA_HOME/jre/lib/security. This is required by this configuration here -Djava.security.krb5.conf=krb5.conf. No need of file path.

[libdefaults]
default_realm = ABC.NET
dns_lookup_kdc = true

[domain_realm]
.abc.net = ABC.NET

You need to get this information from the Organization's Kerberos management team or administrators. You need to know Kerberos REALM and Kerberos KDC.

2. Create a Kerberos login module configuration file (kerberoscontext.conf). Place this file anywhere you like, but you need to mention the absolute file path within this configuration parameter : -Djava.security.auth.login.config=$FILE-PATH>\kerberoscontext.conf . This file is a JAAS requirement.

Kerberos5LoginModule {
com.sun.security.auth.module.Krb5LoginModule required debug="true"
};

One can add more parameters depending upon the needs. This is the minimum requirements.

3. Now you need to develop a Security Service or Manager which can authenticate based on the user input (user & password). You can find the complete code here AuthenticationService.

4. You also need to develop a Login Module Adapter. This makes the Authentication Service decoupled from the type of Authentication(Kerberos, NT, AD, Unix etc.). This is very important even if you know what type of authentication you are going to use. This type of Design is very important when you are involved in Agile development. Agile Development warrants a developer with adding code incrementally and adding functionality incrementally. Adding functionality will certainly add code, but adding code might not add functionality to the application. Check the code for Login Module Adapter. KerberosLoginModuleAdapter.


5. AuthenticationService is an implementation of IAuthenticationService. This interface has a method authenticate(user, password). This method needs to be implemented. Once the user is authenticated , the necessary data is captured within A User object (for e.g IUser). This object can be used within the application as per the needs.

6. Develop a test program to test authentication. Pass the above -D parameters as VM parameters to the test program.

References:
JAAS API
Kerberos reference.

Posted by at
Labels:

Display Tag and External Pagination with Spring and Hibernate

Display tag is a very handy tag for displaying data in a tabular format.
I had to design and implement external pagination making use of the provided PaginatedList interface. What does it take to make it work:

Display tag requires an object of type PaginatedList. PaginatedList is an Interface as provided by Display Tag. The Web page (a jsp in this case required an object of type PaginatedList).
So I defined an Interface IExtendedPaginatedList which extended PaginatedList and added a few more methods that were required.

Here is the implementation for IExtendedPaginatedList PaginatedListImpl.

One of the JSP page is paginatedList.jsp which was included in those other jsp pages which required pagination. This page was included using jsp:include page="/paginatedList.jsp"

paginatedList.jsp snippet:

<%      IExtendedPaginatedList paginatedList = null;          if(request.getAttribute("PAGINATED_LIST") != null){         paginatedList  =(IExtendedPaginatedList)request.getAttribute("PAGINATED_LIST");         request.setAttribute("paginatedList", paginatedList );        } %>

The display tag was used in a different jsp page displayUserList.jsp:
<display:table name="paginatedList" sort="list"  requestURI="/searchUserAction.do?isPagination=yes">

     <display:column property="firstName" title="First Name"  sortable="false" headerClass="sortable"/>

<display:column property="lastName" title="Last Name" sortable="false" headerClass="sortable"/>
<display:column property="login" title="User Name" sortable="false" headerClass="sortable"/>

<display:column property="group.groupName" title="Group" sortable="false" headerClass="sortable"/>
<display:column property="location" title="Location" sortable="false" headerClass="sortable"/>

</display:table>


Both of these jsp pages are included within a main jsp page (for e.g searchUsers.jsp ).

The Controller or the Action class is responsible for creating this object and getting back the data from the Data Access Layer(DAO). I had developed this PaginatedDAO so that the rest of the team can make use of this DAO. Much of the responsibility lies with this DAO. This DAO class could be extended by other DAOs to make use of the pagination. Here is the code for the interface IPaginatedDAO and the implementation PaginatedDAO. This DAO at this point of time is using Spring framework and Hibernate and you can do it without Spring too. The PaginatedDAO has methods which provides different parameters and are for convenience for different usage. One method uses Hibernate Criteria and others accept a SQL Query string. In order for the pagination to work you need to execute two methods from this DAO. 1. getPaginatedListBy.....(.....) and 2. getTotalCountOfRowsBy....(...). Both of them are required. One can combine both as well.

In the action or controllers you will need this code to create an instance of IExtendedPaginatedList :


    public IExtendedPaginatedList getPaginatedListFromRequest(HttpServletRequest request){     
        
        IExtendedPaginatedList paginatedList = new PaginatedListImpl();
        String sortCriterion = request.getParameter(IExtendedPaginatedList.IRequestParameters.SORT);       
        paginatedList.setSortDirection(IExtendedPaginatedList.IRequestParameters.DESC.equals(request.getParameter(IExtendedPaginatedList.IRequestParameters.DIRECTION))? SortOrderEnum.DESCENDING : SortOrderEnum.ASCENDING);
        paginatedList.setSortCriterion(sortCriterion);
        int pageSize = 25; // Rows per page
        paginatedList.setPageSize(pageSize);
        String thePage = request.getParameter(IExtendedPaginatedList.IRequestParameters.PAGE);    
        if(thePage != null){
           int index = paginatedList == null? 0 : Integer.parseInt(thePage) - 1;
           paginatedList.setIndex(index);
        }else{
         paginatedList.setIndex(0);
        }
       
        return paginatedList;
    }



This is all is required for pagination. It is easy and simple with Display Tag.

click here to get all the code:
References:
Display Tag
Display Tag Examples



Posted by at
Labels:

Wednesday, March 14, 2007

Power Jython : Extend and Customize a Product using Jython: Part-1

Working for one of the Start ups, I came across a way to extend and customize the Product Functionality.
It was a very elegant way of doing it. Extremely neat and powerful.
The Product was used to manage the IT infrastructure and Software configurations.
The so called 'Product' was completely developed in Java, Jython et al. Yes, Jython was used in a very elegant manner for the end users , Professional services group and other vendors to provide a way for the product to be customized as per the end-user needs. Instead, technically speaking, we had a core product plus the customization features.The additional features were customized on top of the base functionality, where the product users could add and enhance the product functionality using Jython scripting.

TechNikes:
1. Core Product had to communicate with the extended and customized functionality using a standard API. This standard API was developed using Jython scripting. Technically, it is the Facade to the Extension Points. Facade typically like a 'Framework' is well managed and maintained by Facade developer. Each 'Extension Point' adds up and typically resolves in a complete customized product.

What is an Extension Point ?
2. A number of jython scripts executed to accomplish certain specific task. These scripts bundled together is an Extension Point. One can drop in as many Extension Points as possible. The core product picks up a particular 'Extension point' and executes these scripts. Jython provides a Java Interpreter which was embedded within the core product for the scripts to be executed and accomplish a task. So, an Extension Point in other words is a bundled jar of Jython scripts and XML files.


How did it work ?
3. Each Extension Point was developed and bundled as a jar file. The jar file had Jython scripts and a XML configuration file. This XML file provided information about the scripts ( meta data , isn't it ?).

The core product could pick up this bundled jar file , explode it and load the 'meta data' into the
core product. this way end-user of the product can make use of this meta data to execute the scripts. The core product would come to know about the 'Extension Point' through the 'script configuration XML file within the jar. The Core product would pick up the Jar file , read the XML file to get the knowledge of the scripts.

What is the content of the XML file ?
1. Name of the jython script.
2. Location.
3. Display Name of the script - that needs to be displayed within the scripts menu on the core product UI.

Isn't it powerful ?

Usage examples:
  • Execute certain Policies. Policies that keep changing. Jython scripts can add value.
  • Execute certain 'Rules'. Rules that can be customized.
  • Execute any other Jython scripts to manage configuration data.
  • Execute reports with additional jython functionality.
  • Manage application configuration data.
  • Provision files to different nodes (machines) from a single location using SSH or FTP
  • Execute Unix commands or Shell scripts remotely using SSH.
These Jython scripts could enhance additional functionality, like adding encryption/decryption and checksum techniques on top of the existing ones.

"Significant advantage of such a mechanism comes from the fact that these scripts can be modified or added
without any complex deployments or compilation of the application or product".

What did I do with such a framework ?
I developed certain scripts to accomplish this:
Discover WebSphere Application server ports within each node for a given cell. This meant that the core product was not aware of WebSphere or Weblogic. Jython scripts specific to WebSphere application server configuration automation made the product customized to fit to be used for WebSphere Administration purposes. Meaning , the product was customized for WebSphere App server needs. Similarly, customized the same product to execute certain tasks to achieve some configuration changes for Weblogic Application server. All this was done by developing the jython scripts independent of the core product and then the bundled jar of scripts were dropped in a location for the core product to pick and act.
Note: I am going to add some java code and jython scripts to demonstrate the above explanation in my next series of Power Jython.

Keep reading Power Jython series......
** End **
Posted by at
Labels:
Subscribe to: Posts (Atom)