Hi, I´ve been for a long time a JBoss AS Community user, and I´ve built several applications on top of it and haven´t payed a dime for it! This is incredible.
I think it´s time for me to start contributing to the platform since I have been using the server with no cost for 4 years and intend to keep doing so.
This is amazing. Kudos to the community and red hat this is awesome.
sorry for the intro, but it was my first post here so I wanted to acknowledge the effort of the members.
I wanted to share a couple of thoughts on two points that I have struggled with and discuss whether those have been improved in latter versions.
1) JAAS - Login Module Customization and Extensions
- JBoss AS7, as far as I understand, uses picketbox as its security provider. Well, one could leverage other frameworks like spring security if wanted, but I always try to use the vanilla modules of the app server version before extending or replacing. Problem is that nowadays, web application have changed, I haven't had one single project that did not request me to customize the login module within JBoss AS7.
The most common requests I've got in the past were:
- Send j_username + j_password to j_security_check with an encoding such as Base64 so that credentials don't transit in clear text. (Fair enough, but not really a security concern, several login modules like gmail, facebook, twitter, send the credentials in clear text to their login endpoints, but it would be nice to include such feature in j_security_check)
- Allow only one session per user simultaneously. This is really a nice feature that I always have to implement for enterprise projects. Usually it is required that we show a page with a message "There is already another session for this user and they would you like to disconnect the others and proceed?"
- Save IP address of users while logging them in.
- Block user after 3 failed password attempts by setting a flag (BLOCKED=TRUE or ACTIVE=false) within database.
- And the last is to have an anti-robot mecanism such as recaptcha validate user credentials.
- Why isn't it possible to directly execute a POST or GET request to j_security_servlet as our team has been receiving a time_allowed for login exceeded even if the request is done programatically within another servlet call? (This is more of a doubt than a suggestion)
Some of those functionalities could easily be achieved by implementing a Login Filter and plugging it into the filter chain of the project but the first requirement of sending credentials in an unencrypted manner as far as I understand has to be written within the servlet implementation.
2) JAXB and JPA 2 - Sharing entity models and jaxb annotations (mess)
Another thing that really bugged me in the past was when our team tried to expose a DAO service layer through a WSDL in order to be able to scale up the application stack. Basically the idea was to separate the DAO pattern related beans and JSF managed beans in order to be able to decouple the layers and hence be able to scale each layer according to its memory, processor and bandwidth consumption.
We tried an approach of adding JAXB annotations to Hibernate Entities in order to be able to marshal and unmarshal then in SOAP webservices. This turned out to be a complete mess! Hibernate was delivering Proxy instances to the JAXB marshaller and lazy elements were trying to be accessed while they were not loaded yet, and relationships were sometimes treated like cyclic references (@XmlTransient needed to solve the problem). Anyway, a complete mess. So the way we solved it was to create two separate model layers one with all of our entities from Hibernate and another with only JAXB annotations. The thing is that this was not sustainable, we had 90 entities in the app and we had to add another layer of conversion between those models. It would be awesome if we could leverage some type of metamodel interpreter for the JAXB implementation within JBoss and even write a custom marshaller or accessor to deal with Hibernate Lazy relationships so that users of the application server (like myself) could expose their entities through webservices more easily.
Do you guys know if any of those improvements have been implemented in latter versions of Wildfly and such?
Have you had similar experiences with those features (JAAS, JAXB, JPA) in JBoss as well or was it just me?
I would be down for helping in the development of those customizations and joining the community in a more active manner.