Seam Identity Management

During a recent coding getaway to Maine (see my post on the 2011 HackFestaThon) I decided to write a basic Seam project as a starting point for my future Seam based web applications.  The idea is to provide common features such as Login, Logout, Registration, Forgot Password, User Management, Audit Logging, Image Upload Handling, Video Upload Handling, etc… so next time I have an idea that I want to hack together I won’t have to re-write or copy-paste in basic functionality like that.

I spent about a day working on things before I discovered that I really should be using the Seam framework’s Identity Management feature.  So I threw out everything I’d done, and started by re-reading the docs, and went from there.  Seam’s Identity Management framework is VERY powerful, but is also a little complicated to get going and in many cases it seems like it would easier to just write stuff from scratch.  I’m banking on the powerful stuff being worth the initial learning curve and a little extra pain.

When I get the starter project in a more complete state I will be open sourcing the whole thing to help others along, but I wanted to share a few things I’ve learned so far:

In order to use the Email address as the login instead of a username, you need to remove the username property from your UserAccount entity and annotate the Email address property like so:

@NotNull
@UserPrincipal
@Email
public String getEmail() {
    return email;
}

Actions like Registration need a RunAsOperation inner class to handle the fine grained security controls that the Identity Management framework enforces:

    public void register() {
	verified = (confirm != null && confirm.equals(password));

	if (!verified) {
	    FacesMessages.instance().addToControl("confirmPassword", "Passwords do not match");
	}
	new RunAsOperation() {
	    public void execute() {
		try {
		    // Check if email address has already been used
		    if (identityManager.userExists(getEmail())) {
			FacesMessages.instance().addToControl("email", "Email has already been used.");
			return;
		    }
		    identityManager.createUser(email, password, mFirstName, mLastName);
		} catch (IdentityManagementException e) {
		    // TODO Auto-generated catch block
		    e.printStackTrace();
		}
		identityManager.grantRole(email, "member");
	    }
	}.addRole("admin").run();

	// Login the user
	identity.getCredentials().setUsername(email);
	identity.getCredentials().setPassword(password);
	identity.login();
    }

Populating custom properties on the User during things like registration requires observing events:

    @Observer(JpaIdentityStore.EVENT_PRE_PERSIST_USER)
    public void prePersistUser(UserAccount pNewUser) {
	// Setup additional UserAccount properties before the user is created
	pNewUser.setRegistrationDate(new Date());
	pNewUser.setOptIn(isOptIn());
    }

You can log audit events with the user’s IP address by doing things like this:

@Scope(ScopeType.EVENT)
@Name("userEvents")
public class UserEvents {
    @Logger
    private Log mLog;

    @Observer(JpaIdentityStore.EVENT_USER_AUTHENTICATED)
    public void loginSuccessful(UserAccount pUser) {
	mLog.info("User logged in with email: #0", pUser.getEmail());
	pUser.setLastLoginDate(new Date());
	Contexts.getSessionContext().set("currentUser", pUser);
	AuditEvent loginEvent = new AuditEvent(((ServletRequest) FacesContext.getCurrentInstance().getExternalContext()
		.getRequest()).getRemoteAddr(), pUser.getId(), "Login Success", null);
	Events.instance().raiseEvent("auditEvent", loginEvent);
    }
}

Hopefully I’ll have the starter project ready soon and will share it with you all. In the meantime, happy hacking!

First brush with Ruby On Rails

Earlier this week I was hanging out with a friend talking about a project he was working on and I decided to poke at it a bit with him, and as such got my first hands on experience with Ruby on Rails.

Ruby on Rails or RoR obviously has huge buzz and is a very popular web application development framework lately.  Lots of people have praised it and lots of great sites have been built using it.  I’ve never bothered to learn it myself for a few reasons.  First I’m a Java guy (ATG and Seam) and have been for years.  Given limited time and limited brain capacity I’d rather learn more Java/Java Frameworks/etc… than try to learn a whole new language.  Secondly many trusted friends advised me that while RoR does somethings REALLY well and makes some things REALLY easy, once you need to try to break outside of the pre-imagined structure/features that RoR provides out of the box, things rapidly go downhill.  Those reasons aside, the high level of buzz has meant I’ve always been somewhat curious, so this opportunity to finally get my hands a little dirty with RoR was welcome.

Getting started with RoR on Mac OS X is very easy.  It’s pre-installed and works right out of the box.  However after upgrading Rails and the gems I ran into a known blocking bug which after some Googling I was able to fix by downgrading rake to 0.8.7 in the Gemfile.  So not a 100% smooth start, but not too bad.

The Rails generate scaffold commands make it very easy to create a data object, the related schema changes (managed through the rake migration mechanism), and related CRUD pages and controllers.  You can be up and running very quickly and creating, browsing, editing, and deleting records.  This can make it very easy to get a basic application laid out, and provides lots of plumbing automatically.

I didn’t get much farther than some simple controller modifications, outbound e-mail sending, etc…  so I’m far from a real RoR developer.  However I ran into enough pain points so far that I don’t think RoR is for me.  I don’t want to start any language/framework wars, but here is what I ran into:

A lot of the “magic” seems great at first, but as soon as you want go outside of the box or tweak how things are working, it becomes a massive liability.  For instance when using the generate scaffold command to create data objects you can setup relationships/foreign keys by passing in a column name that matches the form OtherClass_id:integer, which will be interpreted to be a FK association to the other class’s id column to join the objects.  This is great.  However, what if you want to add two relationships to the same Other class?  For instance an Message has a Sender and a Recipient, both of which are Users.  I can use user_id:integer for one, but how do I do the other?  How do I use column/property names that don’t fit that naming convention, for instance I’d want sender_id and recipient_id.  None of the getting started guides I was able to find covered that.  Googling for things like “scaffold multiple foreign keys” didn’t answer the question, etc…  I’m sure it’s possible, but finding out how wasn’t easy, and the default way hides and obscures the actual plumbing so it’s not easy to figure out how to make simple changes or additions.

Data object classes in the app/model area all extend ActiveRecord::Base and as generated by generate scaffold are completely empty.  There’s no clue or indication of the fields, any logic available, any relationships, property types, etc…

Emailer classes use magic mappings between method names and e-mail templates.  Because it’s “magic” I have no idea how to change a template file name if I wanted to.  App/helper classes are created, but they’re empty, so I have no idea what they are doing, or meant to do.  And so on.  If I was an expert RoR developer I’m sure I’d know, or if I read a few books I’d understand, but starting from scratch and trying to learn as I go, it proved very frustrating.

The much touted RoR Community proved to be more of a liability than an asset to me.  Especially when combined with the many, rapid, backwards incompatible, RoR releases that have come out so far.  When looking for information, guides, and answers related to RoR you end up finding things spread all over: blogs, forums, mailing lists, Ruby sites, RoR sites, groups, etc…  Most of these posts/documents refer to older versions of RoR.  Most of them don’t have dates or specify which version they are working with.  Many questions on forums are unanswered.  The end result is you find what you hope is a reasonable solution for an issue only to find that the code sample or directions are written for a previous version of RoR, and trying to follow the instructions or paste the code in the current RoR version results in weird errors or worse.

Each new version of RoR seems to massively change and/or break common APIs and change how things are supposed to be done, etc…  I ran into several situations where it seems like a method was renamed, with no backwards compatible alias left in place, for no other reason than they wanted to change the name, which breaks older code for  no real purpose.

I’m also not a fan of weakly typed languages.  Strongly typed languages provide compile time validation, IDE auto-completion, and easy to navigate API documentation.  With larger, more complex projects, or projects involving many developers, or projects utilizing many 3rd party libraries, these advantages become significant in my opinion.

So from my standpoint, JBoss Seam provides most of the advantages of RoR, including several improvements, without many of the liabilities.  Plus it’s in Java which is my strongest programming language.  I’ll stick with Seam, but I’ll still respect the creations of folks who use other tools, including RoR.

10MinuteMail and Form Submission Charsets in Seam/JSF

I launched a minor update to 10MinuteMail.com last night. It contained:

  1. Changed the mail domain to owlpic.com
  2. Updated the Russian language translation (thanks to Vladimir)
  3. Fixed a bug where replying to an e-mail using a non-latin character set would result in an unreadable e-mail (also thanks to Vladimir for pointing this out)

This last issue was an odd one to fix, so I wanted to document it here (although the same fix can be found elsewhere on the net).

10MinuteMail.com is pretty well internationalized. The site content is translated into over 30 languages and the pages are served as UTF-8. Incoming e-mails are also displayed using UTF-8 and display non-latin character sets correctly. However, until this latest release, if you replied to an e-mail using non-latin characters, the resulting e-mail contained gibberish instead of the correct characters.

I started off by adding UTF-8 as the specified character set for outgoing e-mails. That didn’t help. I added UTF-8 encoding declaration attribute to the form element. That didn’t help. Finally after some frustration, googling, and trying a ton of things, I discovered that for some reason, and I”m not sure if the bug is in JBoss, JSF, Seam, or where exactly, but you have to set the request objects character encoding programmatically for each request, otherwise it will use the wrong encoding on the form contents and you end up with gibberish. The easiest way to solve this that I’ve found so far is to create a small Servlet Filter that sets the encoding on the request, and add that filter in before your Seam filter in your web.xml. It worked for me.

The filter:

package com.digitalsanctuary.seam;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * The Class UTF8Filter.
 */
public class UTF8Filter implements Filter {

    /** The Constant UTF_8. */
    private static final String UTF_8 = "UTF-8";

    /**
     * Destroy.
     *
     * @see javax.servlet.Filter#destroy()
     */
    public void destroy() {
    }

    /**
     * Do filter.
     *
     * @param pRequest
     *            the request
     * @param pResponse
     *            the response
     * @param pChain
     *            the chain
     * @throws IOException
     *             Signals that an I/O exception has occurred.
     * @throws ServletException
     *             the servlet exception
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse,
     *      javax.servlet.FilterChain)
     */
    public void doFilter(ServletRequest pRequest, ServletResponse pResponse, FilterChain pChain) throws IOException,
	    ServletException {
	pRequest.setCharacterEncoding(UTF_8);
	pChain.doFilter(pRequest, pResponse);
    }

    /**
     * Inits the.
     *
     * @param arg0
     *            the arg0
     * @throws ServletException
     *             the servlet exception
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    public void init(FilterConfig arg0) throws ServletException {
    }

}

An excerpt of web.xml:

....
	<filter>
		<filter-name>UTF8 Filter</filter-name>
		<filter-class>com.digitalsanctuary.seam.UTF8Filter</filter-class>
	</filter>
	
	<filter-mapping>
		<filter-name>UTF8 Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<filter>
		<filter-name>Seam Filter</filter-name>
		<filter-class>org.jboss.seam.servlet.SeamFilter</filter-class>
	</filter>

	<filter-mapping>
		<filter-name>Seam Filter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>
....

Does anyone have a better fix or know exactly why this happens?

Make Google Ignore JSESSIONID

Search engines like Google will often index content with params like JSESSIONID and other session or conversation scope params. This causes two problems: first the links returned in the Google search results can have these parameters in them, resulting in “session not found” or other incompatible session state issues. Secondly it can cause a single page of content, to be indexed multiple times (with differing parameters) this diluting your page’s rank.

I’ve posted two solutions to this issue in the past: Using Apache to ReWrite URLs to remove JSESSIONID and a more advanced solution of using a Servlet Filter to avoid adding JSESSIONID for GoogleBot Requests.

Now there’s an even better way to handle this. Google has added an amazing new feature to their Webmaster Tools which allows you to specify how the GoogleBot indexer should handle various parameters. You can ignore certain parameters such as JSESSIONID, cid, and others, and also specifically not ignore other parameters such as productId, skuId, etc…

Log into your Google Webmaster Tools, and select the site you wish to work with. Under “Site Configuration” -> “Settings” there is a new section at the bottom called “Parameter handling”. Click on “adjust parameter settings” to expand the parameter handling configuration for your site. Sometimes Google will suggest various parameters it has discovered while crawling your site, and other times you just enter the parameters you want Google to ignore or pay attention to.

Google Webmaster Tools Parameter Handling Interface

This is a much more elegant solution to the JSESSIONID problem, and also allows you to easily handle other parameters your site may use for either session state or dynamic content generation correctly. The only downside is that this only impacts Google, whereas with the correct configuration my older two solutions can handle any Search Engine Bot. Maybe other search providers will or do provide a similar feature.

Seam 2.x Web Development

Seam 2.x Web Development by David Salter

Seam 2.x Web Development by David Salter

Packt Publishing just sent me a copy of their new Seam book entitled Seam 2.x Web Development. Authored by David Salter, it seems to be a well laid out practical guide to building web apps with Seam 2. I’ve only skimmed it so far, but will be posting an in-depth review once I’m able to read through it.

It’s great to have a book that covers the new features of Seam 2 and provides examples of common Web 2.0 requirements such as OpenID integration, AJAX/RIA interfaces, and multi-tabbed browsing support using conversation scoped components. Personally I’m interested in reading about the new(ish) Identity Manager API (which I haven’t played with yet) and trying to add OpenID support for the application I am currently building.

You can read the second chapter online here: Chapter 2: Developing Seam Applications and let me know what you think of it!