1. Re: Security "how to" doc
juha Sep 14, 2003 1:23 AM (in response to lucrussell)
Please post this to the FAQ forum where it will be better preserved.
-- Juha
2. Re: Security "how to" doc
pgmjsd Sep 14, 2003 1:10 PM (in response to lucrussell)
I found the example useful. A few relatively minor comments:
* First, the whole thing is well documented and easy to navigate. WELL DONE!
* There is a dependency (static linkage) between DAOFactory and LdapDAOFactory. It might be cleaner to replace that with a dynamic linkage.
* The password encryption seems like a one-way hash (not decryptable), yet the name of the class that does this is EncryptUtils, which implies that this is somehow reversible. Does your example indicate this somewhere? Maybe I missed it.
* Are the *TO objects implementing the value object J2EE pattern? If so, why are they called 'TO' rather than say, 'VO'?
* The EJB implementation declares a Log4J logger, yet it uses System.out.println(). Why?
3. Re: Security "how to" doc
lucrussell Sep 16, 2003 6:05 AM (in response to lucrussell)
Thanks very much for these comments, I'm glad you found the article useful...
* It would be better to replace the static linkage between the factory classes with some kind of dynamic lookup, maybe from a properties file or something - I think I might have mentioned this in the text of the article somewhere.
* You are correct, the password encryption here is a one-way hash - the main reason for naming this class EncryptUtils was to allow adding other methods such as encryptMD5, etc.
* The more recent J2EE patterns documentation refers to a Transfer Objects pattern rather than the previous Value Object pattern, hence the *TO designation (http://java.sun.com/blueprints/corej2eepatterns/Patterns/TransferObject.html)
* Silly mistake :)
cheers
Luc
4. Re: Security "how to" doc
pgmjsd Sep 16, 2003 6:19 PM (in response to lucrussell)
I am considering making a similar "how to" doc for RDBMS based security, and your example has given me some great ideas.
* I think the 'Abstract Factory' pattern is what could be used for the dynamic lookup. Although I might not have gotten the name of it exactly right (see rant).
* Transfer Objects. Wow, okay... I had not heard of that. Thanks for the info!
Makes you wonder whether they are just renaming things to make it seem like this is all something new. The Sun J2EE patterns are starting to resemble technology made by commercial software companies (that I used to work for, who shall remain nameless), which consisted purely of renaming things in a confusing manner.
public class FlyweightMemoValueTransferSerializeableBeanThingamajig implements ....
:)
5. Re: Security "how to" doc
sysuser1 Sep 17, 2003 11:26 AM (in response to lucrussell)
Luc,
Thanks for the excellent docs. I was able to get it working in jboss 3.2, with one exception:
After a successful authentication by "lrussell" , I get a page which has two links, "list users" and "secret..". When I click on "list users" I get a Null Pointer exception.
Looking under the hood, I find that the username/principal being passed to the EJBs is null, even though I have a valid session in the "web" layer.
So how do you make the username propagate from the "web" layer to the "ejbs"?
Thanks
--
Sanjay
6. Re: Security "how to" doc
pgmjsd Sep 17, 2003 7:28 PM (in response to lucrussell)
> So how do you make the username propagate from the "web" layer to the "ejbs"?
This happens because the same JAAS security context is being used by both "layers" (see JBoss docos for a more detailed explanation).
7. Re: Security "how to" doc
lucrussell Sep 18, 2003 3:57 AM (in response to lucrussell)
> This happens because the same JAAS security context is being used by both "layers"
Yes, so it might be worth checking that you have a line like this in both your jboss-web.xml and jboss.xml files:
<security-domain>java:/jaas/security-example</security-domain>
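The two descriptor fragments Luc is referring to, written out as an added example (not code from the article or from the thread): the domain name java:/jaas/security-example is the one quoted above, while the bean name UserManager and its JNDI name are assumptions for illustration.

```xml
<!-- WEB-INF/jboss-web.xml: binds the web layer to the JAAS security domain -->
<jboss-web>
  <security-domain>java:/jaas/security-example</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml: the EJB jar must name the SAME domain; if this element
     is missing here, the web login succeeds but the principal seen by the
     beans is null, which is the NullPointerException reported above -->
<jboss>
  <security-domain>java:/jaas/security-example</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>UserManager</ejb-name>            <!-- assumed bean name -->
      <jndi-name>ejb/UserManager</jndi-name>      <!-- assumed JNDI name -->
    </session>
  </enterprise-beans>
</jboss>
```

The part after java:/jaas/ must match the name of an application-policy entry in the server's conf/login-config.xml, so that both containers resolve to the same login configuration.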
8. Re: Security "how to" doc
juha Sep 20, 2003 11:27 AM (in response to lucrussell)
Now accessible through the FAQ forum.
-- Juha