Johannes Neubauer's Technical Blog

Moving to http://www.kingsware.de

johannesneubauer — Tue, 02 Feb 2010 13:37:37 +0000

This blog has moved to http://www.kingsware.de.

Multiple one phase resources in jBoss-5.1.0.GA

johannesneubauer — Tue, 27 Oct 2009 22:19:04 +0000

In jBoss-5.0.1.GA there was the configuration file ${JBOSS_HOME}/${SERVER_CONFIG}/conf/jbossjta-properties.xml. In order to enable distributed transactions for multiple local resources (non-XA) the following option had to be inserted into this file:

In jBoss-5.1.0.GA this config file has been replaced by ${JBOSS_HOME}/${SERVER_CONFIG}/conf/jbossts-properties.xml. So you have to add the same line into the xml-element with name properties and attributes depends with value “arjuna” and name with value “jta”:

SVN branching & merging

johannesneubauer — Mon, 14 Sep 2009 14:11:19 +0000

This post describes some branch & merge scenarios for subversion repositories. For more info have a look at the svn book.

Reintegrate a branch to trunk

Check, where the branch started:

 $ pwd
 branch_xy/
 $  svn log --verbose --stop-on-copy .
 ------------------------------------------------------------------------
 r2664 | bob | 2009-09-08 10:32:03 +0200 (Di, 08. Sep 2009) | 2 Zeilen
 Geänderte Pfade:
    A /branches/branch_xy (von /trunk:2663)

Clean up your working copy of the trunk:

$ pwd
trunk/
$ svn status
$ svn up
Revision 2695.

So no changes are in your working copy and the head is revision r2695. Now merge:

$ pwd
trunk/
$ svn merge -r 2664:2695 https://repo.org/svn/myrepo/branches/branch_xy .
U ...
A ...
...

Then check, build, test your merged working copy. Afterwards checkin your changes:

$ pwd
trunk/
$ svn ci

Synchronize a branch with the trunk

If this is the first sync command use the branch revision like in the chapter before. Otherwise use the revision of the last sync.

$ pwd
branch_xy/
$ svn merge -r last_sync_or_branch_copy_rev:HEAD https://repo.org/svn/myrepo/trunk .

Afterwards you have synched your branch with the trunk and can commit the changes to your branch. This way reintegration of the branch to the trunk will be easier.

Reintegrate a Synchronized branch to the trunk

$ pwd
trunk/
$ svn merge -r last_sync:HEAD https://repo.org/svn/myrepo/branch_xy

Further thoughts

You can always execute a merge command and check the changes with svn diff. If the result does not match your wishes you can revert your changes with svn revert -R ..

Preventing a bad color representation in acroread for LaTeX documents

johannesneubauer — Thu, 03 Sep 2009 09:20:59 +0000

Using pdftex to generate a PDF document from LaTeX source shows up to look ugly in acroread due to color model and transparency settings. The following LaTeX commando hacks this behavior:\pdfpageattr {/Group << /S /Transparency /I true /CS /DeviceRGB>>}

Using JAAS login modules from jBoss in Tomcat

johannesneubauer — Fri, 26 Jun 2009 13:28:59 +0000

A jboss login module (like the LdapExtLoginModule in jbosssx.jar shipped with jboss-5.0.1.GA) returns a
Group array with one SimpleGroup named “Roles” as its role set.
The parent class AbstractServerLoginModule combines this with the Principal
object representing the user. So the set of principals consists of two entries acting as the
user and his roles. These are added to the principals of the Subject instance, which
has been given to the login module when LoginModule#initialize(Subject, javax.security.auth.callback.CallbackHandler, java.util.Map, java.util.Map)
is called.

The tomcat realm JAASRealm (provided by catalina.jar shipped with tomcat 6.0.20) has two
input parameters depicting the user and role class names. After LoginContext#login()
was succesfully invoked (LoginModule#login() and LoginModule#commit() were successful
for all login modules being required) the subject mentioned earlier is retrieved and a new principal
is created from it. In this process the set of principals (Subject#getPrincipals()) will
be iterated. The first principal in the set fullfilling the following condition is used as the
user:

userClassNames.contains(principal.getClass().getName())

Afterwards, the list of other principals is compared with the group class name mentioned earlier.
Matching principal objects are used to create the roles using the name of the principal, only. There
is no recursive search in the groups. So the newly created principal gets only
one role called “Roles” instead of the roles being held in the SimpleGroup “Roles”.

Therefore using such a login module in tomcat requires creating a sub class, which searches
the SimpleGroup roles and adds them seperately to the role set. This way the login module
can be used to authenticate against a LDAP server in tomcat using the JAASRealm.

Here is an example implementation of the respective method:

@Override
protected Group[] getRoleSets() throws LoginException {
	List groups = new LinkedList();
	Enumeration roles = super.getRoleSets()[0].members();
	while(roles.hasMoreElements()) {
		groups.add(new SimpleGroup(roles.nextElement().getName()));
	}
	return groups.toArray(new Group[0]);
}

Standalone Tomcat with jBoss plus authentication against LDAP

johannesneubauer — Sat, 13 Jun 2009 15:48:15 +0000

This tutorial desribes, how to install and configure a standalone Tomcat, so that a deployed webapp can authenticate against LDAP and connect to a jBoss passing the credentials in every call of an EJB via remote interface , so that the business application can authenticate against the same LDAP, too. The configuration of the jBoss seems to be a more common and better documented task and will be covered in another tutorial, which I will link here later, as soon as I have written it.

WARNING: Please don’t use this solution in a productive system, but for testing purpose only. The custom LdapExtLoginModule presented here exposes the credentials of all online users to all classes using the same class loader! I will add a blog post, as I find a solution for production systems.

The tutorial has been successfully tested with the following versions of third party libraries:

Tomcat 6.0.20
jBoss 5.0.1.GA

The following steps are sufficient advices for the impatient reader, in order to run the tomcat standalone with a connection to jboss. A more detailed description about what is going on here can be found in using JAAS login modules from jboss in tomcat. Here are the instructions:

download tomcat:

http://www.internet.bs/apache.org/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz

decompress the file
edit $CATALINA_HOME/bin/catalina.sh:

export JAVA_OPTS="$JAVA_OPTS -Djava.security.auth.login.config=$CATALINA_HOME/conf/jaas.config
    -Djava.naming.provider.url=localhost:1399"

We’re using JAAS for authentication. We declare two login modules. The ClientLoginModule builds the security context for EJB calls, so that the application server gets the credentials for authentication. The LdapExtLoginModule authenticates the user with LDAP and builds the subject for Tomcat. In order to configure JAAS create/edit the file $CATALINA_HOME/conf/jaas.config:

someapp {
 // create security context for jboss
 org.jboss.security.ClientLoginModule required;
     multi-threaded="true";
 // Login module for tomcat
 org.someorg.security.LdapExtLoginModule required
     java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
     java.naming.security.authentication="simple"
     java.naming.provider.url="ldap://:"
     //We use anonymous authentication to our LDAP here
     bindDN=""
     bindCredential=""
     // Base DN, where we search our users
     baseCtxDN="ou=people,dc=someorg,dc=org"
     // Our users log in via uid
     baseFilter="(uid={0})"
     // Our roles are situated in the following subtree
     rolesCtxDN="ou=Roles,dc=someorg,dc=org"
     // A member of a group is identified/referenced by its full DN here
     roleFilter="(member={1})"
     roleAttributeID="cn"
     // We assume flat roles
     roleRecursion="-1";
};

edit $CATALINA_HOME/conf/server.xml:
- comment out all existing -tags
- add the following block:

Above we used a class called org.someorg.security.LdapExtLoginModule. This class must be on the class path of tomcat and jboss ($CATALINA_HOME/lib and $JBOSS_SERVER_CONFIG_HOME/lib). Here is an implementation of the class:

package org.someorg.security;
public class LdapExtLoginModule
        extends org.jboss.security.auth.spi.LdapExtLoginModule {
 private String credential;
 private Principal identity;
 private static Map credentials = new HashMap();

 public static Object getCredential(String username) {
   return credentials.get(username);
 }

 @Override
 protected Group[] getRoleSets() throws LoginException {
     List groups = new LinkedList();
     Enumeration roles = super.getRoleSets()[0].members();
     while(roles.hasMoreElements()) {
     groups.add(new SimpleGroup(roles.nextElement().getName()));
   }
   return groups.toArray(new Group[0]);
 }

 @Override
 @SuppressWarnings("unchecked")
 public boolean login() throws LoginException {
   // See if shared credentials exist
   if( super.login() == true ) {
     String[] info = getUsernameAndPassword();
     this.identity = new SimplePrincipal(info[0]);
     this.credential = info[1];
     return true;
   }
   return false;
 }

 @Override
 public boolean commit() throws LoginException {
   // SecurityAssociationActions.setPrincipalInfo(identity, credential);
   boolean success = super.commit();
   if(success) {
     credentials.put(identity.getName(), credential);
   }
   return success;
 }

 @Override
 public boolean logout() throws LoginException {
   credentials.remove(identity.getName());
 }
}

We can load a session bean in a servlet like this (the login has to be done at least once per request, because a new request might run in another thread, so a call to a session bean would be done with the user anonymous):

String user = httpRequest.getRemoteUser();
String credential = (String)LdapExtLoginModule.getCredential(user);
Properties env = new Properties();
env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
env.setProperty(Context.SECURITY_PRINCIPAL, user);
env.setProperty(Context.SECURITY_CREDENTIALS, credential);
env.setProperty("java.naming.factory.url.pkgs","org.jboss.naming:org.jnp.interfaces");
InitialContext ctx = new InitialContext(env);
MySessionBean sb = (MySessionBean)ctx.lookup("myapp/MySessionBean/remote");
...

In order to get everything running jbosssx.jar and jbossall-client.jar (part of the jboss package) has to be on the classpath. So get it and put it into the $CATALINA_HOME/lib folder.